Privacy Policy

Who We Are

SeatFound ("we," "us," or "our") is an event seating service operated at seatfound.com. We help event organizers create branded seating lookup pages for their guests. Our contact email is hello@seatfound.com.

Information We Collect

From event organizers (account holders):

• Email address and password (used to create and access your account)
• Guest lists you upload — names and table assignments
• Event details — event name, date, branding assets (logo, colors, images)
• Payment information — processed securely by Stripe; we never see or store your full card number
• Google Sheet or Excel URLs if you use live data sync

From guests using the seating lookup page:

• We do not require guests to create an account or provide any personal information
• Guests type their name into a search field — this is not stored or logged by us

Automatically collected:

• Standard web server logs (IP address, browser type, pages visited) for security and performance purposes

How We Use Your Information

• To provide, operate, and maintain the SeatFound service
• To process payments and manage your subscription or per-event purchase
• To send transactional emails (receipts, account notices) — we do not send marketing emails without your consent
• To display your event's seating information to guests via your unique event URL
• To improve and troubleshoot the service

Third-Party Services

We use the following trusted third-party services to operate SeatFound:

• Supabase — database and user authentication. Your account data and guest lists are stored on Supabase servers. Supabase Privacy Policy
• Stripe — payment processing. All payment data is handled directly by Stripe and subject to their privacy policy. Stripe Privacy Policy
• Netlify — website hosting and serverless functions. Netlify Privacy Policy
• Google Fonts — font loading on the seating page. Google may log font requests. Google Privacy Policy
• Google Sheets — if you choose to connect a Google Sheet, requests are made to Google Sheets APIs on your behalf to retrieve your guest list. Google Privacy Policy
• Microsoft Corporation — if you choose to connect a Microsoft 365 account, SeatFound uses the Microsoft Graph API to read Excel files you authorize. SeatFound acts as a registered OAuth application and accesses only the specific files you select. Microsoft OAuth credentials (access and refresh tokens) are stored encrypted at rest in our database and are used solely to sync your designated guest list. Microsoft is an independent sub-processor of your data under this integration. You may disconnect your Microsoft account at any time from your dashboard, which immediately revokes SeatFound's access. Microsoft Privacy Statement
• Google Gemini AI — if you use the AI theme generator, your brand description or uploaded images are sent to Google's Gemini API to generate a color theme

We do not sell your data to any third party.

Guest Data

Guest lists (names and table numbers) are uploaded by event organizers, either directly via CSV upload or synced from a connected Google Sheet or Microsoft Excel file. This data is stored solely to power the seating lookup experience for that event. We treat this data as confidential and do not use it for any other purpose.

All guest list data is encrypted at rest using AES-256-GCM before being written to our database. It is decrypted server-side only at the moment a guest lookup is performed.

Event organizers are the data controllers for their guest lists. SeatFound acts as a data processor. Organizers are responsible for ensuring they have appropriate authorization to upload, sync, and display their guest list data.

Guest data is automatically removed when an event expires or is deleted. Microsoft OAuth credentials associated with your account are permanently deleted when you disconnect your Microsoft 365 connection or delete your SeatFound account.

Sub-Processors

SeatFound engages the following sub-processors to deliver the service. Each is bound by data protection obligations consistent with applicable law:

• Supabase, Inc. — database, authentication, and encrypted data storage (USA, SOC 2 Type II)
• Netlify, Inc. — website hosting and serverless compute (USA, SOC 2 Type II)
• Stripe, Inc. — payment processing (USA, PCI DSS Level 1)
• Microsoft Corporation — Microsoft Graph API and OneDrive/SharePoint file access, when you connect a Microsoft 365 account (USA, SOC 2 Type II, ISO 27001)
• Google LLC — Google Sheets API (when connected), Google Fonts, and Google Gemini AI (when AI theme generation is used) (USA)

We do not sell your data to any third party and do not engage sub-processors beyond those listed above without updating this policy.

Data Retention

• Account data is retained for as long as your account is active
• Event and guest data is retained until the event expires or you delete it
• Microsoft OAuth credentials are deleted immediately when you disconnect your Microsoft 365 account or delete your SeatFound account
• Payment records are retained as required by law (typically 7 years)
• You may request deletion of your account and all associated data at any time by emailing hello@seatfound.com. We will action deletion requests within 30 days.

Your Rights (GDPR & CCPA)

If you are located in the European Economic Area or California, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your personal data ("right to be forgotten")
• Portability — request your data in a portable format
• Objection — object to certain types of processing

To exercise any of these rights, email us at hello@seatfound.com. We will respond within 30 days.

Cookies

SeatFound uses minimal cookies. We use a session cookie to keep you logged in to your account. We do not use advertising or tracking cookies. No third-party analytics tools (such as Google Analytics) are currently active on this site.

Security

We use industry-standard security practices including HTTPS encryption, secure authentication via Supabase, and payment processing via Stripe's PCI-compliant infrastructure.

Guest list data is encrypted at rest using AES-256-GCM — the same standard used by financial institutions — with a unique random initialization vector per encryption. Guest data is only decrypted server-side at the moment a guest page is requested, and is never stored in plaintext.

Microsoft OAuth credentials (access tokens and refresh tokens) are encrypted at rest using the same AES-256-GCM standard before being stored in our database. Encryption keys are stored exclusively in our server environment and are never exposed to the browser or included in source code.

No method of transmission over the internet is 100% secure; we cannot guarantee absolute security but take reasonable precautions to protect your data.

Children's Privacy

SeatFound is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us personal data, contact us at hello@seatfound.com and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page with a revised "Last updated" date. Continued use of SeatFound after changes constitutes acceptance of the updated policy.

Contact

Questions about this policy or your data? Email us at hello@seatfound.com.