← Back

Privacy Policy

Last Updated: July 2026

1. Introduction

Welcome to StallSync's Privacy Policy. StallSync (“we”, “us”, or “our”) operates the StallSync platform (the “Service”) which connects event hosts with stallholders and food vendors.

This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.

2. Data Controller Information

The data controller responsible for your personal data is Muckifoot Studios Ltd, trading as StallSync, registered in England and Wales (Company No. 16838457).

Contact Information:

Company: Muckifoot Studios Ltd (trading as StallSync)

Email: help@stallsync.co.uk

Phone: 01603 336 306

Address: Hardwick House, No. 2 Agricultural Hall Plain, Norwich, Norfolk, NR1 3FS

Company No.: 16838457

3. Information We Collect

3.1 Information You Provide Directly

Account Information:

  • Name (individual or business name)
  • Email address
  • Phone number
  • Password (encrypted)
  • Account type (Event Host, Stallholder, Food Vendor)

Profile Information:

  • Business description and trading name
  • Company number (if applicable)
  • Profile images, logos, and product photos
  • Location/address information and postcode (used for distance-based matching)
  • Website and social media links
  • Cuisine types (for food vendors)
  • Craft categories and subcategories (for stallholders)
  • Event history and experience level

Availability & Calendar Data:

  • Weekly availability patterns (which days you are available)
  • Date overrides (specific dates marked as unavailable)
  • Booked event dates

Event Information:

  • Event names, descriptions, and dates
  • Event locations, venues, and facilities
  • Participant and invitation lists
  • Event requirements, pricing, and policies
  • Stallholder rules and additional terms
  • Cancellation and refund policy selections

Contract & Signature Data:

  • Digitally signed contracts (including your name, address, and company details)
  • Digital signatures captured via on-screen signature pad
  • Contract reference numbers and signing timestamps
  • Contract status and payment deadlines

Financial Information:

  • Stripe Connect account details (for event hosts receiving payments)
  • Payment card information (processed and stored by Stripe; we do not store card details)
  • Transaction and booking payment history
  • Stall pricing information
  • Premium subscription and wallet balance (days remaining)
  • Referral code redemptions and promo code redemptions
  • Payment collection details for self-managed events (event hosts): if you choose to record how vendors should pay you — for example bank account name, sort code and account number, or a PayPal address — StallSync stores these details and shows them only to vendors with a booking on that event. Unlike card payments (which Stripe handles), these details are stored by StallSync. You can update or remove them at any time

Identity Verification Data (Event Hosts):

Hosts who choose to verify their identity for self-managed payment events undergo verification through Stripe Identity. During this process:

  • Stripe may collect and process a government-issued identity document and, if applicable, a selfie for biometric comparison. This data is processed by Stripe under Stripe's own privacy policy; StallSync does not receive, store, or have access to the identity document or biometric data
  • StallSync stores only: (a) verification status (verified or not verified); and (b) a Stripe-issued reference ID for the verification report
  • Verification status is permanent and displayed to vendors as an “ID-verified host” badge on self-managed event invitations

Documentation & Event Passport Data:

  • Insurance certificates
  • Food hygiene certificates
  • Business licenses
  • Health and safety documentation
  • Gas safety certificates
  • Other compliance documents
  • Signed document declarations and compliance attestations (vendors): the statement text as it stood when you signed, your digital signature, the signing timestamp, and your IP address and browser details — the same audit-trail pattern used for contract signing
  • Guidance acknowledgements (a record that you confirmed reading relevant compliance guidance, with the date)
  • Passport share links you create: the link label, expiry, and whether you have revoked it

Network & Connection Data:

  • Your vendor network (hosts) or host network (vendors)
  • Connection requests sent and received
  • CSV-imported email addresses (for host vendor imports)

Engagement & Achievement Data:

  • Achievement milestones earned and reward activation status
  • Invitation response times (used for the “fast responder” badge)
  • Referral activity and referral codes
  • Premium time wallet balance and reward history

Communications & Feedback:

  • Direct messages between hosts and vendors
  • Event Q&A questions and answers
  • Post-event feedback (ratings, footfall estimates, written comments)
  • Post-event discussion forum contributions

3.2 Information from Third-Party Sources

In some cases, we receive personal data from sources other than the data subject:

Host-Imported Contact Data:

  • If you receive a StallSync invitation from a host you know, your email address was provided to us by that host on the basis that you have an existing working relationship. We hold that email address solely to deliver the invitation; if you do not join within 30 days we permanently delete it. You can decline future invitations and have your details suppressed at any time using the link in the invitation email.
  • Event hosts who upload vendor contact lists attest at the point of upload that they have an existing working relationship with each person on the list.

3.3 Information We Collect Automatically

Usage Data:

  • Pages visited
  • Features used
  • Click patterns
  • Search queries
  • Time spent on pages

Device Information:

  • IP address
  • Browser type and version
  • Operating system
  • Device type (mobile, desktop)
  • Language preferences
  • Time zone

Passport Share-Link Visit Data:

When someone opens an Event Passport share link, we record the time of the visit and basic device information (browser user agent). This log exists so the vendor who owns the passport can see when and how often their shared passport has been accessed — it is their reassurance that their data remains under their control. Visitors who open a share link may not be StallSync users; if that is you, this is the only data we collect about you, it is visible only to the vendor whose passport you viewed, and it is not used for any other purpose.

4. How We Use Your Information

To Provide Our Service:

  • Create and manage your account
  • Connect event hosts with suitable vendors via our matching algorithm
  • Generate and manage digital contracts between hosts and vendors
  • Process booking payments via Stripe
  • Send booking confirmations, reminders, and invitation notifications
  • Calculate distances between vendors and event venues for matching
  • Manage your availability calendar and prevent double-bookings
  • Manage your premium subscription wallet and time balance
  • Store and display your Event Passport, generate share pages and Passport PDFs at your request, and record share-link visits so you can monitor who has accessed your shared passport
  • Show host payment collection details to vendors booked on self-managed events

Matching Algorithm & Automated Processing:

  • Your location, craft category, availability, insurance status, and profile completion are used by our matching algorithm to rank vendor suitability for events
  • Your invitation response times are used to calculate a “fast responder” badge visible to hosts; this badge may be gained or lost based on recent response patterns
  • Matching results are influenced by your subscription tier (free users have a limited search radius and planning horizon)
  • No decisions with legal or significant effects are made solely by automated processing; hosts always make the final decision on who to invite

Achievements & Engagement:

  • Track your platform activity to award achievement milestones (e.g. events hosted, feedback submitted, invitations responded to quickly)
  • Calculate and display premium day rewards earned through achievements, referrals, and promo codes

To Improve Our Service:

  • Analyse usage patterns and platform performance
  • Develop new features
  • Optimise matching algorithms
  • Diagnose and fix bugs and technical issues (via error tracking)

To Communicate With You:

  • Send transactional emails (bookings, payments, invitations, contract signing)
  • Real-time platform notifications (invitations, messages, achievements)
  • Marketing communications (with consent)
  • Service updates and announcements
  • Customer support

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

Contract Performance: Account creation, booking processing, payment handling
Legitimate Interests: Service improvements, fraud prevention, analytics
Legal Compliance: Tax reporting, anti-money laundering checks, court orders
Consent: Marketing communications, non-essential cookies

6. How We Share Your Information

6.1 With Other Users

Event Hosts can see:

  • Stallholder business names and descriptions
  • Contact information (after booking)
  • Insurance and compliance status
  • Availability
  • Reviews and ratings

Stallholders can see:

  • Event details and requirements
  • Event host contact information
  • Other participants (after booking)
  • Venue information
  • Host payment collection details — bank transfer details or PayPal address, where the host has recorded them for a self-managed event (visible only after booking on that event)

6.2 With Service Providers

We share data with the following third-party service providers who process data on our behalf:

Stripe: Payment processing (Stripe Connect), identity verification for self-managed event hosts (Stripe Identity), and Stripe Connect onboarding. Stripe Identity may process biometric data (selfie comparison) under Stripe's privacy policy; StallSync does not receive or store this data.
Supabase: Database hosting, user authentication, file storage, and real-time notifications
Vercel: Website hosting and deployment analytics
Resend: Transactional email delivery (booking confirmations, invitations, etc.)
Google Analytics: Usage analytics (only with your cookie consent)
Microsoft Clarity: Behaviour analytics, heatmaps, and session recordings (only with your cookie consent)
Sentry: Error tracking and performance monitoring (captures technical error data, not personal information)

6.3 When You Share Your Event Passport

Your Event Passport (compliance documents, signed declarations and attestations, and their expiry dates) is disclosed to others only through actions you take:

  • Creating a share link: anyone holding the link can view your full passport and download its documents until the link expires or you revoke it. Share links do not require a StallSync account, so the audience is whoever you (or someone you gave the link to) shares it with
  • Downloading a Passport PDF: the PDF contains your passport summary and a link back to the live version. Once downloaded or printed, copies are outside StallSync's control
  • Accepting a host's passport invitation: this grants that host ongoing access to view your passport on the platform. You can revoke a host's access at any time from your Passport tab
  • Booking an event: hosts of events you are booked on can view your compliance documents as part of the existing booking flow

Every share link is individually revocable, and each link records a view log (see Section 3.3) so you can monitor access. Compliance status (for example, “insurance on file, valid to March 2027” — without documents or detail) may appear on your public vendor profile page as a badge.

7. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

Account data
Duration of account plus 30 days
Transaction & payment records
7 years (UK tax compliance)
Signed contracts & digital signatures
7 years after event date (legal/financial records)
Messages & event Q&A
2 years after last activity
Post-event feedback & ratings
Duration of account (forms part of reputation history)
Compliance documents (Event Passport contents)
Duration of account — your passport is a repository you maintain; you can delete or replace documents at any time
Signed declarations & attestations
7 years after signing (legal records, same as contracts)
Passport share links & view logs
2 years after the link is revoked or expires
Payment collection details (self-managed events)
Retained with the event record; the host can update or remove them at any time
Achievement & referral records
Duration of account
Network & connection data
Duration of account
Analytics data
2 years
Error tracking logs (Sentry)
90 days

When you delete your account, personal data is anonymised in accordance with GDPR. Financial and legal records (transactions, signed contracts) are retained in anonymised form for the periods above, as required by UK law.

8. Your Data Rights

Access Rights

Request a copy of the personal data we hold about you

Correction Rights

Update your information through account settings or contact us

Deletion Rights

Request deletion of your account and personal data

Portability Rights

Request your data in a structured, machine-readable format

Objection Rights

Object to marketing communications or certain processing activities

Restriction Rights

Request we limit processing of your data in certain circumstances

Right to Withdraw Consent

Where we process your data based on consent (e.g. marketing communications, non-essential cookies), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew. You can withdraw consent by updating your notification preferences in Settings, clicking “unsubscribe” in any marketing email, or contacting us directly.

Right to Object to Profiling

Our matching algorithm profiles vendors based on location, craft category, availability, and other factors to rank suitability for events. While hosts always make the final decision (this is not solely automated decision-making under Article 22), you have the right to object to this profiling under Article 21(1). To opt out, enable “Pause Matching” in your Settings; this removes you from matching results. You can still search for and apply to events manually via public event pages.

9. International Data Transfers

Some of our third-party service providers process personal data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place in accordance with UK GDPR Articles 44–49.

Transfers and Safeguards

Stripe (Payment processing), United States. Safeguard: UK International Data Transfer Agreement (UK IDTA) incorporated into Stripe's Data Processing Agreement.
Supabase (Database, auth, storage), United Kingdom (AWS London, eu-west-2). Your data in Supabase is hosted in the UK and is not transferred internationally by this provider.
Vercel (Website hosting), United States. Safeguard: UK IDTA / EU SCCs with UK Addendum per Vercel's Data Processing Addendum.
Resend (Email delivery), United States. Safeguard: EU SCCs with UK Addendum per Resend's Data Processing Agreement.
Google Analytics (Usage analytics), United States. Safeguard: EU SCCs with UK Addendum per Google's Data Processing Terms. Only active with your cookie consent.
Microsoft Clarity (Behaviour analytics), United States. Safeguard: EU SCCs with UK Addendum per Microsoft's Data Protection Addendum. Only active with your cookie consent.
Sentry (Error tracking), United States. Safeguard: EU SCCs with UK Addendum per Sentry's Data Processing Addendum. Processes technical error data only, not personal information.

You can request a copy of the relevant safeguard documentation by contacting us at help@stallsync.co.uk.

10. Data Security

Technical Measures

  • Encryption of data in transit (HTTPS)
  • Encryption of sensitive data at rest
  • Secure password hashing
  • Regular security audits
  • Access controls and authentication

Data Breach Procedures

In case of a personal data breach, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms (Article 33)
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34)
  • Take immediate steps to contain and mitigate the breach
  • Document the incident, our assessment of risk, and our response

11. Children's Privacy

StallSync is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If we discover we have collected data from a child, we will delete it immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Email notification
  • Platform notification
  • Prominent notice on our website

13. Contact Us

For privacy-related questions or to exercise your data rights:

Company: Muckifoot Studios Ltd (trading as StallSync)

Email: help@stallsync.co.uk

Phone: 01603 336 306

Address: Hardwick House, No. 2 Agricultural Hall Plain, Norwich, Norfolk, NR1 3FS

Our ICO registration number is ZC133137.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection: ico.org.uk.

© 2026 Muckifoot Studios Ltd. All rights reserved.
Trading as StallSync.