Privacy Policy
Last updated: May 26, 2026
This Privacy Policy explains how Zachary Lockhart Consulting, LLC ("PickupVB", "we", "us") collects, uses, and shares information when you use the PickupVB website and related services (the "Service"). Capitalized terms not defined here have the meanings given in our Terms of Service.
1. Information we collect
Information you provide
- Account information: email address, display name, password (stored hashed by our auth provider), and an optional avatar image.
- Profile information: any details you choose to add, such as bio, skill level, location, or social links.
- Event content: events you create or RSVP to, messages you send, comments, and ratings.
- Payment information: when you buy a Pro Subscription, pay for an event, or receive payouts as a Host, payment details are collected and stored by Stripe. We receive a customer/subscription identifier, the last four digits of your card, and billing metadata, but we do not see or store full card numbers.
- Support communications: messages you send to support and any information you include in them.
Information collected automatically
- Device and log data: IP address, browser type, operating system, referring URL, pages viewed, and timestamps.
- Cookies and similar technologies: session cookies for authentication, preference cookies (e.g. theme), and limited analytics. See Section 5.
- Approximate location: derived from your IP address or, if you grant permission, your device's geolocation, to surface nearby events.
- Error telemetry: we use Sentry to capture errors that occur in the Service. This includes the URL, a stack trace, and your user identifier; we do not include passwords, payment data, or message contents.
Information from third parties
- Payment processor: Stripe shares limited transaction and account-status information with us so we can show your subscription and payout state.
- Anti-abuse: Cloudflare Turnstile returns a verdict (human / bot) when you submit certain forms; we do not receive raw browser fingerprints.
2. How we use information
- To create and operate your Account and provide the Service.
- To show you relevant events and let other users find events you host or attend (per the visibility settings you choose).
- To process payments, payouts, and subscription billing.
- To send transactional emails (account, event, payment notifications) and, with your consent where required, product updates.
- To protect the Service from fraud, abuse, and unauthorized access, including by using IP and account signals to detect suspicious activity.
- To analyze and improve the Service in aggregate, non-identifying form.
- To comply with legal obligations and enforce our Terms.
3. Legal bases for processing (EEA/UK users)
Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases: (a) contract, to provide the Service you requested; (b) legitimate interests, to operate, secure, and improve the Service; (c) consent, for optional analytics cookies and marketing emails; and (d) legal obligation, where required by law. You may withdraw consent at any time.
4. How we share information
- With other users: your public profile and event activity are visible to other users as permitted by your settings.
- With Hosts and Attendees: when you RSVP to or host an event, the other party may see your display name, avatar, and roster status; Hosts may see attendee contact info needed to run the event.
- With service providers (subprocessors): we share information with vendors who help us run the Service:
  - Supabase (managed Postgres, authentication)
  - Vercel (hosting, edge compute)
  - PostHog (product analytics — server-side capture and browser SDK)
  - Stripe (payments, payouts, billing portal)
  - Resend (transactional email)
  - Sentry (error monitoring)
  - Cloudflare Turnstile (bot protection)
- For legal reasons: we may disclose information when required by law, subpoena, or court order, or when we believe disclosure is necessary to protect rights, property, or safety.
- In a business transfer: if Zachary Lockhart Consulting, LLC is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction; we will give notice before information becomes subject to a different privacy policy.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under California law.
5. Cookies and tracking
We use first-party cookies for authentication, security (CSRF protection), and saving preferences (e.g. theme). We use PostHog for first-party, aggregate product analytics. Some PostHog events are captured server-side (e.g. account creation, RSVP, checkout); others are captured in your browser by the PostHog browser SDK once you have accepted analytics consent — the SDK records page views, anonymous click activity, and performance metrics so we can understand how the Service is used. We do not enable session replay. PostHog distinct ids for signed-in users are derived from a salted hash of your account id; the raw id never leaves our servers.
The first time you visit the Service you'll see a consent banner with two choices: Accept (first-party analytics on) or Decline (analytics suppressed at the server adapter). Your choice is stored in a pickupvb_consent cookie for 180 days; you can change it at any time by clearing site cookies, and we honor the Global Privacy Control (GPC) signal as a default-deny for analytics until you explicitly accept.
You can also disable cookies in your browser settings, but the Service may not function properly without authentication cookies.
6. Data retention
We retain account information for as long as your Account is active. When you delete your Account we delete or anonymize your personal information within 30 days, except where we are required to retain it for legal, accounting, tax, fraud-prevention, or dispute purposes (for example, payment records retained by Stripe as required by financial regulations). Server log data is retained for up to 90 days for security purposes.
Beyond Account deletion, the Service applies the following automated retention windows to operational and messaging data. These windows run as scheduled jobs in our database and purge eligible rows daily:
- Notification delivery records (the rendered email / SMS body and the delivery address for messages we sent on your or another user's behalf): purged 90 days after successful delivery, or 30 days after a permanent delivery failure.
- In-app notifications in your inbox: purged 30 days after you read them, or 180 days after they were created if still unread.
- Marketing attribution data (the referral source captured when you first arrived on the site): purged 24 months after capture.
- Server logs: retained for up to 90 days for security and abuse investigation.
Groups, teams, and broadcasts you delete from the Service are removed from public view immediately, but a tombstone row is retained so historical records (past events hosted by a deleted group, tournament results for a deleted team, the audit log of broadcasts you sent) remain attributable. Tombstones are deleted on Account deletion under the 30-day window above. The deleted entity's URL slug stays reserved.
7. Security
We use industry-standard technical and organizational measures to protect your information, including TLS for data in transit, encryption at rest for the database, password hashing, row-level access controls, and least-privilege service credentials. No system is 100% secure; if you believe your Account has been compromised, contact support@pickupvb.com immediately.
8. International data transfers
We operate from the United States and our subprocessors may process information in the United States or other countries. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We rely on appropriate safeguards (such as the EU Standard Contractual Clauses) where required.
9. Your privacy rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your information (subject to retention exceptions in Section 6).
- Receive a copy of your information in a portable format.
- Object to or restrict certain processing.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with a supervisory authority.
Most rights can be exercised from your profile settings. For other requests, email privacy@pickupvb.com. We will respond within the timeframes required by applicable law (typically 30 days). We may need to verify your identity before fulfilling a request.
California residents (CCPA / CPRA)
California residents have the rights described above and the right to be free from discrimination for exercising them. The categories of personal information we have collected in the past 12 months map to the "identifiers", "commercial information", "internet or other electronic network activity information", and "geolocation data" categories under the CCPA. We do not sell or share personal information for cross-context behavioral advertising.
10. Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact privacy@pickupvb.com and we will delete it.
11. Do Not Track
The Service does not respond to "Do Not Track" browser signals because no common industry standard for them has been adopted. We do honor the Global Privacy Control (GPC) signal where required by law.
12. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes we will notify you (for example, by email or an in-app notice) and update the "Last updated" date above. Continued use of the Service after the effective date constitutes acceptance.
13. Contact
Privacy questions or requests: privacy@pickupvb.com. General support: support@pickupvb.com.
Zachary Lockhart Consulting, LLC