Privacy Policy

SECTION 17 — PRIVACY AND DATA

17.1 Privacy Policy

Your use of the Platform is also governed by Rondi's Privacy Policy, available at rondi.io/privacy and incorporated into these Terms by reference. The Privacy Policy describes what data we collect, how we use it, how we protect it, and your rights regarding that data.

17.2 Nationwide Privacy Rights

Regardless of the state in which you reside, Rondi extends the following privacy rights to all U.S. users:

(a) Right to Know / Access: You may request a copy of the personal information Rondi holds about you; (b) Right to Correct: You may request correction of inaccurate personal information; (c) Right to Delete: You may request deletion of your personal information, subject to legal retention requirements and ongoing transaction obligations; (d) Right to Data Portability: You may request a machine-readable copy of personal information you provided; (e) Right to Opt Out of Targeted Advertising: You may opt out of the use of your personal information for targeted advertising; (f) Right to Opt Out of Sale: Rondi does not sell personal information to third parties. If this changes, you will be provided a clear opt-out mechanism; (g) Right to Opt Out of Profiling: You may opt out of automated profiling used to make decisions that produce legal or similarly significant effects concerning you; (h) Right to Non-Discrimination: Exercising any privacy right will not result in denial of access to the Platform or adverse treatment.

To exercise any of these rights, submit a request at rondi.io/privacy-request or email privacy@rondi.io. Rondi will respond within 45 calendar days (extendable by an additional 45 days with notice). Opt-out requests related to automated profiling and targeted advertising will be processed within 15 business days, consistent with New Jersey law.

17.3 Global Privacy Control

Rondi honors opt-out signals transmitted through browser or device Global Privacy Control (GPC) settings. Rondi will treat a valid GPC signal as an opt-out from targeted advertising and data sharing for advertising purposes, effective as of the date of the signal's receipt.

17.4 Data Breach Notification

In the event of a data breach affecting your personal information, Rondi will notify affected users as required by applicable law. For New Jersey residents, notification will be provided within 30 days of determining a breach occurred (or within 7 days if Rondi qualifies as a social media platform under N.J. Stat. Ann. § 56:8-161). For California residents, notification will comply with the California Consumer Privacy Act timeline.

17.5 New Jersey-Specific Obligations

Rondi complies with the New Jersey Data Privacy Act (NJDPA, effective January 15, 2025). Sensitive data — including precise geolocation, biometric identifiers, financial account information, and personal data of minors — is processed only with your affirmative opt-in consent. You may withdraw consent at any time through your account settings or by contacting privacy@rondi.io.

17.6 California Users

California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). See Exhibit A for the California Privacy Rights Notice.

17.7 Illinois, Texas, and Washington Users — Biometric Data

If you are located in Illinois, Texas, or Washington and Rondi processes any biometric data derived from your use of the Platform (including, if applicable, facial geometry from uploaded photos), you have specific rights under the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), and Washington My Health Data Act. See Exhibit B for the Biometric Data Consent and Rights Notice.

EXHIBIT A — CALIFORNIA PRIVACY RIGHTS NOTICE

Effective Date: [DATE] Applicable to California Residents Only

This California Privacy Rights Notice supplements the Rondi Privacy Policy and these Terms for California residents, pursuant to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) (collectively, "CCPA").

A.1 Categories of Personal Information Collected

In the preceding 12 months, Rondi has collected the following categories of personal information from California consumers, as defined by CCPA:

| Category | Examples | Collected | |---|---|---| | Identifiers | Name, email, phone, device ID, IP address | Yes | | Personal Records (Cal. Civ. Code § 1798.80) | Payment information, government ID (for Stripe KYC) | Yes (via Stripe) | | Protected Characteristics | Age (for eligibility), not otherwise collected | Limited | | Commercial Information | Transaction history, ticket purchases, booking records | Yes | | Internet/Electronic Activity | Browsing history on Platform, search queries, interactions | Yes | | Geolocation Data | Approximate location (for event discovery); precise (with consent) | Yes | | Visual/Audio Data | Photos and videos you upload | Yes | | Professional Information | Vendor service descriptions and credentials | Yes (Vendors only) | | Inferences | Preferences inferred from Platform activity for recommendations | Yes | | Sensitive Personal Information | Precise geolocation, financial account data, biometric data (see Exhibit B) | With Consent |

A.2 Purposes for Collection

Personal information is collected for the following business purposes: operating and improving the Platform; processing transactions and payments; personalizing your experience; sending service communications and marketing (with opt-out available); complying with legal obligations; preventing fraud and maintaining Platform safety; and providing AI-powered features.

A.3 Disclosure of Personal Information

Rondi discloses personal information to: service providers (including Stripe, Cloudflare, Resend, Anthropic, Sentry) under written contracts prohibiting independent use; Vendors and Organizers as necessary to complete transactions you initiate; and government authorities pursuant to lawful process.

Rondi does not sell your personal information to third parties. Rondi does not share personal information with third parties for cross-context behavioral advertising purposes without your opt-in consent.

A.4 Your California Rights

As a California resident, you have the following rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information collected, sources, purposes, and third parties with whom information is shared.
• Right to Delete: Request deletion of personal information, subject to legal exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt Out of Sale/Sharing: Rondi does not sell or share personal information. This right is preserved for your protection.
• Right to Limit Use of Sensitive Personal Information: Request that Rondi limit its use of sensitive personal information to purposes necessary to perform the services you request.
• Right to Non-Discrimination: Exercising your CCPA rights will not result in denial of goods or services or different pricing.

A.5 How to Exercise California Rights

Submit a verifiable consumer request at rondi.io/privacy-request or email privacy@rondi.io. Rondi will respond within 45 calendar days (extendable to 90 days with notice). You may designate an authorized agent to submit requests on your behalf with written authorization.

A.6 California "Shine the Light" Law

California Civil Code § 1798.83 allows California residents to request information about disclosure of personal information to third parties for direct marketing purposes in the prior calendar year. Rondi does not disclose personal information to third parties for their direct marketing purposes. To submit such a request, email privacy@rondi.io.

A.7 Do Not Track

Rondi does not currently respond to Do Not Track signals from browsers. Rondi does honor Global Privacy Control (GPC) signals as described in Section 17.3.

EXHIBIT B — BIOMETRIC DATA CONSENT NOTICE

Applicable to Users Located in Illinois, Texas, and Washington

B.1 Scope

This notice applies if you are located in Illinois, Texas, or Washington and Rondi processes any biometric identifier or biometric information derived from your use of the Platform ("Biometric Data"), including facial geometry scans or facial recognition templates that may be generated from photos or videos you upload.

At the time of these Terms, Rondi does not perform facial recognition or collect biometric identifiers from uploaded content. This Exhibit applies prospectively and will govern any biometric data processing Rondi introduces in the future.

B.2 What Constitutes Biometric Data

For purposes of this Exhibit: Illinois (BIPA, 740 ILCS 14/1): "biometric identifier" means retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or other biometric identifiers. Texas (CUBI, Tex. Bus. & Com. Code § 503.001): "biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry. Washington (My Health Data Act and Wash. Rev. Code § 19.375): similar scope covering biometric data and sensitive health data.

B.3 Consent Requirement

Before collecting any Biometric Data from Illinois, Texas, or Washington users, Rondi will:

(a) Provide a separate, written disclosure stating the specific biometric data being collected, the purpose for collection, and the duration of collection and storage; (b) Obtain your written, affirmative consent (separate from general Terms acceptance) before collection begins; (c) Provide a mechanism for you to withdraw consent at any time through your account settings.

General acceptance of these Terms does not constitute consent to biometric data collection. If Rondi introduces biometric features, you will be presented with a separate consent prompt.

B.4 Retention and Destruction

Biometric data, if collected, will be retained only as long as necessary for the stated collection purpose, or as required by law, but in no event longer than 3 years from the date of collection or your last interaction with the Platform, whichever comes first. Upon expiration of the retention period, Biometric Data will be permanently destroyed using industry-standard methods.

B.5 No Sale of Biometric Data

Rondi will not sell, lease, trade, profit from, or otherwise provide any Biometric Data to a third party.

B.6 Security

Biometric Data will be stored with the same standard of care as other confidential and sensitive data using a reasonable security standard consistent with the applicable state biometric privacy statute.

B.7 Contact

For questions about biometric data processing, contact privacy@rondi.io.

*These Terms were last updated on [DATE]. Prior versions are available upon request.*

*Rondi, Inc. | [Address] | [City, NJ ZIP] | legal@rondi.io*

> LEGAL NOTICE: These Terms of Service have been drafted to address the legal requirements of a social event marketplace operating in the United States as of the date of publication. This document does not constitute legal advice. Rondi, Inc. should have this document reviewed and approved by qualified legal counsel licensed in New Jersey before deployment. Laws change frequently. This document should be reviewed at least annually and updated as required.