Privacy Policy
Last Updated: July 2026
1. Introduction
Welcome to StallSync's Privacy Policy. StallSync (“we”, “us”, or “our”) operates the StallSync platform (the “Service”) which connects event hosts with stallholders and food vendors.
This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.
2. Data Controller Information
The data controller responsible for your personal data is Muckifoot Studios Ltd, trading as StallSync, registered in England and Wales (Company No. 16838457).
Contact Information:
Company: Muckifoot Studios Ltd (trading as StallSync)
Email: help@stallsync.co.uk
Phone: 01603 336 306
Address: Hardwick House, No. 2 Agricultural Hall Plain, Norwich, Norfolk, NR1 3FS
Company No.: 16838457
3. Information We Collect
3.1 Information You Provide Directly
Account Information:
- Name (individual or business name)
- Email address
- Phone number
- Password (encrypted)
- Account type (Event Host, Stallholder, Food Vendor)
Profile Information:
- Business description and trading name
- Company number (if applicable)
- Profile images, logos, and product photos
- Location/address information and postcode (used for distance-based matching)
- Website and social media links
- Cuisine types (for food vendors)
- Craft categories and subcategories (for stallholders)
- Event history and experience level
Availability & Calendar Data:
- Weekly availability patterns (which days you are available)
- Date overrides (specific dates marked as unavailable)
- Booked event dates
Event Information:
- Event names, descriptions, and dates
- Event locations, venues, and facilities
- Participant and invitation lists
- Event requirements, pricing, and policies
- Stallholder rules and additional terms
- Cancellation and refund policy selections
Contract & Signature Data:
- Digitally signed contracts (including your name, address, and company details)
- Digital signatures captured via on-screen signature pad
- Contract reference numbers and signing timestamps
- Contract status and payment deadlines
Financial Information:
- Stripe Connect account details (for event hosts receiving payments)
- Payment card information (processed and stored by Stripe; we do not store card details)
- Transaction and booking payment history
- Stall pricing information
- Premium subscription and wallet balance (days remaining)
- Referral code redemptions and promo code redemptions
- Payment collection details for self-managed events (event hosts): if you choose to record how vendors should pay you — for example bank account name, sort code and account number, or a PayPal address — StallSync stores these details and shows them only to vendors with a booking on that event. Unlike card payments (which Stripe handles), these details are stored by StallSync. You can update or remove them at any time
Identity Verification Data (Event Hosts):
Hosts who choose to verify their identity for self-managed payment events undergo verification through Stripe Identity. During this process:
- Stripe may collect and process a government-issued identity document and, if applicable, a selfie for biometric comparison. This data is processed by Stripe under Stripe's own privacy policy; StallSync does not receive, store, or have access to the identity document or biometric data
- StallSync stores only: (a) verification status (verified or not verified); and (b) a Stripe-issued reference ID for the verification report
- Verification status is permanent and displayed to vendors as an “ID-verified host” badge on self-managed event invitations
Documentation & Event Passport Data:
- Insurance certificates
- Food hygiene certificates
- Business licenses
- Health and safety documentation
- Gas safety certificates
- Other compliance documents
- Signed document declarations and compliance attestations (vendors): the statement text as it stood when you signed, your digital signature, the signing timestamp, and your IP address and browser details — the same audit-trail pattern used for contract signing
- Guidance acknowledgements (a record that you confirmed reading relevant compliance guidance, with the date)
- Passport share links you create: the link label, expiry, and whether you have revoked it
Network & Connection Data:
- Your vendor network (hosts) or host network (vendors)
- Connection requests sent and received
- CSV-imported email addresses (for host vendor imports)
Engagement & Achievement Data:
- Achievement milestones earned and reward activation status
- Invitation response times (used for the “fast responder” badge)
- Referral activity and referral codes
- Premium time wallet balance and reward history
Communications & Feedback:
- Direct messages between hosts and vendors
- Event Q&A questions and answers
- Post-event feedback (ratings, footfall estimates, written comments)
- Post-event discussion forum contributions
3.2 Information from Third-Party Sources
In some cases, we receive personal data from sources other than the data subject:
Host-Imported Contact Data:
- If you receive a StallSync invitation from a host you know, your email address was provided to us by that host on the basis that you have an existing working relationship. We hold that email address solely to deliver the invitation; if you do not join within 30 days we permanently delete it. You can decline future invitations and have your details suppressed at any time using the link in the invitation email.
- Event hosts who upload vendor contact lists attest at the point of upload that they have an existing working relationship with each person on the list.
3.3 Information We Collect Automatically
Usage Data:
- Pages visited
- Features used
- Click patterns
- Search queries
- Time spent on pages
Device Information:
- IP address
- Browser type and version
- Operating system
- Device type (mobile, desktop)
- Language preferences
- Time zone
Passport Share-Link Visit Data:
When someone opens an Event Passport share link, we record the time of the visit and basic device information (browser user agent). This log exists so the vendor who owns the passport can see when and how often their shared passport has been accessed — it is their reassurance that their data remains under their control. Visitors who open a share link may not be StallSync users; if that is you, this is the only data we collect about you, it is visible only to the vendor whose passport you viewed, and it is not used for any other purpose.
4. How We Use Your Information
To Provide Our Service:
- Create and manage your account
- Connect event hosts with suitable vendors via our matching algorithm
- Generate and manage digital contracts between hosts and vendors
- Process booking payments via Stripe
- Send booking confirmations, reminders, and invitation notifications
- Calculate distances between vendors and event venues for matching
- Manage your availability calendar and prevent double-bookings
- Manage your premium subscription wallet and time balance
- Store and display your Event Passport, generate share pages and Passport PDFs at your request, and record share-link visits so you can monitor who has accessed your shared passport
- Show host payment collection details to vendors booked on self-managed events
Matching Algorithm & Automated Processing:
- Your location, craft category, availability, insurance status, and profile completion are used by our matching algorithm to rank vendor suitability for events
- Your invitation response times are used to calculate a “fast responder” badge visible to hosts; this badge may be gained or lost based on recent response patterns
- Matching results are influenced by your subscription tier (free users have a limited search radius and planning horizon)
- No decisions with legal or significant effects are made solely by automated processing; hosts always make the final decision on who to invite
Achievements & Engagement:
- Track your platform activity to award achievement milestones (e.g. events hosted, feedback submitted, invitations responded to quickly)
- Calculate and display premium day rewards earned through achievements, referrals, and promo codes
To Improve Our Service:
- Analyse usage patterns and platform performance
- Develop new features
- Optimise matching algorithms
- Diagnose and fix bugs and technical issues (via error tracking)
To Communicate With You:
- Send transactional emails (bookings, payments, invitations, contract signing)
- Real-time platform notifications (invitations, messages, achievements)
- Marketing communications (with consent)
- Service updates and announcements
- Customer support
5. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
6. How We Share Your Information
6.1 With Other Users
Event Hosts can see:
- Stallholder business names and descriptions
- Contact information (after booking)
- Insurance and compliance status
- Availability
- Reviews and ratings
Stallholders can see:
- Event details and requirements
- Event host contact information
- Other participants (after booking)
- Venue information
- Host payment collection details — bank transfer details or PayPal address, where the host has recorded them for a self-managed event (visible only after booking on that event)
6.2 With Service Providers
We share data with the following third-party service providers who process data on our behalf:
6.3 When You Share Your Event Passport
Your Event Passport (compliance documents, signed declarations and attestations, and their expiry dates) is disclosed to others only through actions you take:
- Creating a share link: anyone holding the link can view your full passport and download its documents until the link expires or you revoke it. Share links do not require a StallSync account, so the audience is whoever you (or someone you gave the link to) shares it with
- Downloading a Passport PDF: the PDF contains your passport summary and a link back to the live version. Once downloaded or printed, copies are outside StallSync's control
- Accepting a host's passport invitation: this grants that host ongoing access to view your passport on the platform. You can revoke a host's access at any time from your Passport tab
- Booking an event: hosts of events you are booked on can view your compliance documents as part of the existing booking flow
Every share link is individually revocable, and each link records a view log (see Section 3.3) so you can monitor access. Compliance status (for example, “insurance on file, valid to March 2027” — without documents or detail) may appear on your public vendor profile page as a badge.
7. Data Retention
We retain your personal data for as long as necessary to provide our services and comply with legal obligations:
When you delete your account, personal data is anonymised in accordance with GDPR. Financial and legal records (transactions, signed contracts) are retained in anonymised form for the periods above, as required by UK law.
8. Your Data Rights
Access Rights
Request a copy of the personal data we hold about you
Correction Rights
Update your information through account settings or contact us
Deletion Rights
Request deletion of your account and personal data
Portability Rights
Request your data in a structured, machine-readable format
Objection Rights
Object to marketing communications or certain processing activities
Restriction Rights
Request we limit processing of your data in certain circumstances
Right to Withdraw Consent
Where we process your data based on consent (e.g. marketing communications, non-essential cookies), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew. You can withdraw consent by updating your notification preferences in Settings, clicking “unsubscribe” in any marketing email, or contacting us directly.
Right to Object to Profiling
Our matching algorithm profiles vendors based on location, craft category, availability, and other factors to rank suitability for events. While hosts always make the final decision (this is not solely automated decision-making under Article 22), you have the right to object to this profiling under Article 21(1). To opt out, enable “Pause Matching” in your Settings; this removes you from matching results. You can still search for and apply to events manually via public event pages.
9. International Data Transfers
Some of our third-party service providers process personal data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place in accordance with UK GDPR Articles 44–49.
Transfers and Safeguards
You can request a copy of the relevant safeguard documentation by contacting us at help@stallsync.co.uk.
10. Data Security
Technical Measures
- Encryption of data in transit (HTTPS)
- Encryption of sensitive data at rest
- Secure password hashing
- Regular security audits
- Access controls and authentication
Data Breach Procedures
In case of a personal data breach, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms (Article 33)
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34)
- Take immediate steps to contain and mitigate the breach
- Document the incident, our assessment of risk, and our response
11. Children's Privacy
StallSync is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If we discover we have collected data from a child, we will delete it immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Email notification
- Platform notification
- Prominent notice on our website
13. Contact Us
For privacy-related questions or to exercise your data rights:
Company: Muckifoot Studios Ltd (trading as StallSync)
Email: help@stallsync.co.uk
Phone: 01603 336 306
Address: Hardwick House, No. 2 Agricultural Hall Plain, Norwich, Norfolk, NR1 3FS
Our ICO registration number is ZC133137.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection: ico.org.uk.
Trading as StallSync.