Privacy Policy

The Services provide AI-assisted party planning, venue recommendations, and related features. We strive to provide helpful and accurate information, but the Services are provided "AS IS" and "AS AVAILABLE" without warranties of any kind.

This Privacy Policy applies to information we collect when you use our website, mobile applications, and other online products and services that link to this Privacy Policy (collectively, the "Services"), or when you otherwise interact with us.

This Privacy Policy does not apply to third-party websites, products, or services, even if they are linked from our Services. Please review the privacy policies of any third-party services you access.

The Services are not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are under 13, please do not use the Services or provide any information to us.

Age verification at signup.Before you can finish creating an account, we ask for your date of birth. We use that information only to enforce the eligibility rules in this section and to comply with the U.S. Children's Online Privacy Protection Act (COPPA). If the date you provide indicates you are under 13, your account is automatically rejected and any information already entered (such as your email address and any failed signup attempts) is deleted from our systems.

If you are between 13 and 17 years of age, you may only use the Services with the consent and supervision of a parent or legal guardian who agrees to be bound by our Terms of Use. As part of the age-verification step, users 13 to 17 must confirm that a parent or legal guardian has reviewed this Privacy Policy. We do not separately collect a parent's contact information at signup; we rely on this self-attestation, and you represent and warrant that the attestation is truthful.

We retain the date of birth, the country you select at signup, and (for users 13 to 17) the timestamp of the parental-supervision confirmation as compliance evidence. The date of birth is treated as sensitive personal information and is not exposed in our public APIs.

If we learn that we have collected personal information from a child under 13, we will take steps to delete such information as quickly as possible. If you believe we may have collected information from a child under 13, please contact us at privacy@cheerfully.ai.

We collect information in several ways, as described in the following subsections.

We use the information we collect to:

1. Provide and Improve Services: Operate, maintain, and enhance our Services, including AI-powered venue recommendations and party planning features.
2. Personalize Your Experience: Tailor content and recommendations based on your preferences and usage patterns.
3. Process Transactions: Process payments, send transaction notifications, and manage your account.
4. Communicate With You: Send service-related communications, respond to your inquiries, and provide customer support.
5. Marketing: Send promotional communications about products, services, and events (with your consent where required).
6. Safety and Security: Detect, prevent, and address fraud, abuse, and security issues.
7. Legal Compliance: Comply with applicable laws, regulations, and legal processes.

Our Services use artificial intelligence and machine learning technologies. This section describes how we process content in connection with these features.

We do not sell your personal information. We may share your information in the following circumstances:

We use cookies, web beacons, SDKs, and similar technologies to collect information about your interactions with our Services. These technologies help us:

• Remember your preferences and settings
• Authenticate users and prevent fraud
• Analyze usage patterns and improve our Services
• Deliver relevant content and measure its effectiveness

We group cookies and tracking technologies into four categories: strictly necessary, functional, analytics, and marketing. Strictly necessary cookies are always on (without them, the site can't authenticate you or remember your consent decision). The other three categories are off until you opt in. You can review and change your choices any time at /privacy/preferences. We honor the Global Privacy Control (Sec-GPC) header — when your browser sends it, we set analytics and marketing to off automatically, even before you interact with the banner.

You have several choices regarding your information:

• Account Information: You can review and update your account information through your account settings.
• Marketing Communications: You can opt out of promotional emails by following the unsubscribe instructions in those messages. Note that you may still receive service-related communications.
• Cookies and tracking: Manage which cookie categories load (functional, analytics, marketing) at /privacy/preferences. The same page is also linked from the footer as “Do Not Sell or Share My Personal Information.”
• Global Privacy Control: If your browser sends the Sec-GPC signal we treat it as an opt-out of analytics and marketing without requiring a banner click.
• Download my data:Signed-in users can request a ZIP archive of their account data — profile, parties, invitations, planning sessions, chat, payments, media — by clicking “Download my data” in account settings. We'll email a 6-digit verification code to confirm the request, then assemble the archive and email a private download link valid for 7 days. We rate-limit data-export requests to one per 24 hours.
• Delete your account (with a 14-day cooling-off period): Signed-in users can schedule their account for permanent deletion from account settings. We email a 6-digit code to confirm, then schedule the cascade for 14 days later and send you a confirmation with a one-click cancel link. You can cancel any time within the 14 days from the same settings page; once the grace window elapses your account and all associated data are permanently removed.
• Privacy rights request form: Submit access, deletion, portability, correction, opt-out of sale or share, and limit-sensitive-PI requests at /privacy/rights-request. Every request is verified by emailing a single-use link to the address you supply — your request is not escalated to our privacy team until you click that link, which short- circuits drive-by impersonation. We respond within 30 days (the shortest of the GDPR / CCPA / state-law SLAs we're subject to); complex requests can extend up to 90 days under those laws and we'll tell you when that applies. Email-only is the v1 verification standard; for higher-risk request types we may ask for additional identity proof.
• Data Deletion (alternative channel): You can also email privacy@cheerfully.ai directly. The in-product flows above are the recommended channels — they give you a tracking reference and a faster turnaround — but the email alternative satisfies the CCPA §1798.130(a)(1)(A) “two designated methods” requirement.

We retain your information for as long as your account is active or as needed to provide you with our Services. We may also retain information as required by law, to resolve disputes, enforce our agreements, and for legitimate business purposes.

When we no longer need to retain your information, we will securely delete or anonymize it. The retention period may vary depending on the context and our legal obligations.

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption, access controls, structured server-side logs with automatic PII redaction, regular security assessments, and a published security disclosure file at /.well-known/security.txt.

Data Protection Impact Assessment.We have conducted a Data Protection Impact Assessment under GDPR Article 35 covering our processing of children’s data, AI-driven recommendations, geolocation, and the embedded widget’s third-party-site footprint. The DPIA is reviewed at least annually and on any material change to the processing operations described in this policy.

Your information may be transferred to, stored, and processed in the United States and other countries where we or our service providers operate. These countries may have different data protection laws than your country of residence.

By using our Services, you consent to the transfer of your information to the United States and other countries. We take steps to ensure that your information receives an adequate level of protection in the jurisdictions in which we process it.

EU / UK Article 27 Representative.Under GDPR Article 27 and UK GDPR §27, we are designating an in-region representative authorised to receive correspondence from EU / UK data subjects and supervisory authorities. The designation is currently in progress, with a target completion date of June 10, 2026. The representative’s name and contact details will appear in this section and on /legal/contacts §4 once the engagement is finalised. In the meantime, EU and UK data subjects may direct GDPR / UK GDPR rights requests to dpo@cheerfully.ai or via the verified form at /privacy/rights-request; we respond directly as the controller within Art. 12(3)’s 30-day window.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on our website and updating the "Last Updated" date at the top of this page.

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your information. Your continued use of the Services after any changes indicates your acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us. Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec Law 25, we have designated an individual accountable for our compliance with applicable privacy laws.