← Back

Privacy Policy

Last Updated: May 2026

1. Introduction

Welcome to StallSync's Privacy Policy. StallSync (“we”, “us”, or “our”) operates the StallSync platform (the “Service”) which connects event hosts with stallholders and food vendors.

This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.

2. Data Controller Information

The data controller responsible for your personal data is Muckifoot Studios Ltd, trading as StallSync, registered in England and Wales (Company No. 16838457).

Contact Information:

Company: Muckifoot Studios Ltd (trading as StallSync)

Email: help@stallsync.co.uk

Phone: 01603 336 306

Address: Hardwick House, No. 2 Agricultural Hall Plain, Norwich, Norfolk, NR1 3FS

Company No.: 16838457

3. Information We Collect

3.1 Information You Provide Directly

Account Information:

  • Name (individual or business name)
  • Email address
  • Phone number
  • Password (encrypted)
  • Account type (Event Host, Stallholder, Food Vendor)

Profile Information:

  • Business description and trading name
  • Company number (if applicable)
  • Profile images, logos, and product photos
  • Location/address information and postcode (used for distance-based matching)
  • Website and social media links
  • Cuisine types (for food vendors)
  • Craft categories and subcategories (for stallholders)
  • Event history and experience level

Availability & Calendar Data:

  • Weekly availability patterns (which days you are available)
  • Date overrides (specific dates marked as unavailable)
  • Booked event dates

Event Information:

  • Event names, descriptions, and dates
  • Event locations, venues, and facilities
  • Participant and invitation lists
  • Event requirements, pricing, and policies
  • Stallholder rules and additional terms
  • Cancellation and refund policy selections

Contract & Signature Data:

  • Digitally signed contracts (including your name, address, and company details)
  • Digital signatures captured via on-screen signature pad
  • Contract reference numbers and signing timestamps
  • Contract status and payment deadlines

Financial Information:

  • Stripe Connect account details (for event hosts receiving payments)
  • Payment card information (processed and stored by Stripe — we do not store card details)
  • Transaction and booking payment history
  • Stall pricing information
  • Premium subscription and wallet balance (days remaining)
  • Referral code redemptions and promo code redemptions

Documentation:

  • Insurance certificates
  • Food hygiene certificates
  • Business licenses
  • Health and safety documentation
  • Gas safety certificates
  • Other compliance documents

Network & Connection Data:

  • Your vendor network (hosts) or host network (vendors)
  • Connection requests sent and received
  • CSV-imported email addresses (for host vendor imports)

Engagement & Achievement Data:

  • Achievement milestones earned and reward activation status
  • Invitation response times (used for the “fast responder” badge)
  • Referral activity and referral codes
  • Premium time wallet balance and reward history

Communications & Feedback:

  • Direct messages between hosts and vendors
  • Event Q&A questions and answers
  • Post-event feedback (ratings, footfall estimates, written comments)
  • Post-event discussion forum contributions

3.2 Information from Third-Party Sources

In some cases, we receive personal data from sources other than the data subject:

Host-Imported Contact Data:

  • If you receive a StallSync invitation from a host you know, your email address was provided to us by that host on the basis that you have an existing working relationship. We hold that email address solely to deliver the invitation; if you do not join within 30 days we permanently delete it. You can decline future invitations and have your details suppressed at any time using the link in the invitation email.
  • Event hosts who upload vendor contact lists attest at the point of upload that they have an existing working relationship with each person on the list.

3.3 Information We Collect Automatically

Usage Data:

  • Pages visited
  • Features used
  • Click patterns
  • Search queries
  • Time spent on pages

Device Information:

  • IP address
  • Browser type and version
  • Operating system
  • Device type (mobile, desktop)
  • Language preferences
  • Time zone

4. How We Use Your Information

To Provide Our Service:

  • Create and manage your account
  • Connect event hosts with suitable vendors via our matching algorithm
  • Generate and manage digital contracts between hosts and vendors
  • Process booking payments via Stripe
  • Send booking confirmations, reminders, and invitation notifications
  • Calculate distances between vendors and event venues for matching
  • Manage your availability calendar and prevent double-bookings
  • Manage your premium subscription wallet and time balance

Matching Algorithm & Automated Processing:

  • Your location, craft category, availability, insurance status, and profile completion are used by our matching algorithm to rank vendor suitability for events
  • Your invitation response times are used to calculate a “fast responder” badge visible to hosts — this badge may be gained or lost based on recent response patterns
  • Matching results are influenced by your subscription tier (free users have a limited search radius and planning horizon)
  • No decisions with legal or significant effects are made solely by automated processing — hosts always make the final decision on who to invite

Achievements & Engagement:

  • Track your platform activity to award achievement milestones (e.g. events hosted, feedback submitted, invitations responded to quickly)
  • Calculate and display premium day rewards earned through achievements, referrals, and promo codes

To Improve Our Service:

  • Analyse usage patterns and platform performance
  • Develop new features
  • Optimise matching algorithms
  • Diagnose and fix bugs and technical issues (via error tracking)

To Communicate With You:

  • Send transactional emails (bookings, payments, invitations, contract signing)
  • Real-time platform notifications (invitations, messages, achievements)
  • Marketing communications (with consent)
  • Service updates and announcements
  • Customer support

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

Contract Performance: Account creation, booking processing, payment handling
Legitimate Interests: Service improvements, fraud prevention, analytics
Legal Compliance: Tax reporting, anti-money laundering checks, court orders
Consent: Marketing communications, non-essential cookies

6. How We Share Your Information

6.1 With Other Users

Event Hosts can see:

  • Stallholder business names and descriptions
  • Contact information (after booking)
  • Insurance and compliance status
  • Availability
  • Reviews and ratings

Stallholders can see:

  • Event details and requirements
  • Event host contact information
  • Other participants (after booking)
  • Venue information

6.2 With Service Providers

We share data with the following third-party service providers who process data on our behalf:

Stripe: Payment processing and identity verification (for Stripe Connect onboarding)
Supabase: Database hosting, user authentication, file storage, and real-time notifications
Vercel: Website hosting and deployment analytics
Resend: Transactional email delivery (booking confirmations, invitations, etc.)
Google Analytics: Usage analytics (only with your cookie consent)
Microsoft Clarity: Behaviour analytics, heatmaps, and session recordings (only with your cookie consent)
Sentry: Error tracking and performance monitoring (captures technical error data, not personal information)

7. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

Account data
Duration of account plus 30 days
Transaction & payment records
7 years (UK tax compliance)
Signed contracts & digital signatures
7 years after event date (legal/financial records)
Messages & event Q&A
2 years after last activity
Post-event feedback & ratings
Duration of account (forms part of reputation history)
Compliance documents (insurance, certificates)
12 months after event date or document expiry
Achievement & referral records
Duration of account
Network & connection data
Duration of account
Analytics data
2 years
Error tracking logs (Sentry)
90 days

When you delete your account, personal data is anonymised in accordance with GDPR. Financial and legal records (transactions, signed contracts) are retained in anonymised form for the periods above, as required by UK law.

8. Your Data Rights

Access Rights

Request a copy of the personal data we hold about you

Correction Rights

Update your information through account settings or contact us

Deletion Rights

Request deletion of your account and personal data

Portability Rights

Request your data in a structured, machine-readable format

Objection Rights

Object to marketing communications or certain processing activities

Restriction Rights

Request we limit processing of your data in certain circumstances

Right to Withdraw Consent

Where we process your data based on consent (e.g. marketing communications, non-essential cookies), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew. You can withdraw consent by updating your notification preferences in Settings, clicking “unsubscribe” in any marketing email, or contacting us directly.

Right to Object to Profiling

Our matching algorithm profiles vendors based on location, craft category, availability, and other factors to rank suitability for events. While hosts always make the final decision (this is not solely automated decision-making under Article 22), you have the right to object to this profiling under Article 21(1). To opt out, enable “Pause Matching” in your Settings — this removes you from matching results. You can still search for and apply to events manually via public event pages.

9. International Data Transfers

Some of our third-party service providers process personal data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place in accordance with UK GDPR Articles 44–49.

Transfers and Safeguards

Stripe (Payment processing) — United States. Safeguard: UK International Data Transfer Agreement (UK IDTA) incorporated into Stripe's Data Processing Agreement.
Supabase (Database, auth, storage) — United States (AWS us-east-1). Safeguard: UK IDTA / EU Standard Contractual Clauses with UK Addendum, as set out in Supabase's Data Processing Addendum.
Vercel (Website hosting) — United States. Safeguard: UK IDTA / EU SCCs with UK Addendum per Vercel's Data Processing Addendum.
Resend (Email delivery) — United States. Safeguard: EU SCCs with UK Addendum per Resend's Data Processing Agreement.
Google Analytics (Usage analytics) — United States. Safeguard: EU SCCs with UK Addendum per Google's Data Processing Terms. Only active with your cookie consent.
Microsoft Clarity (Behaviour analytics) — United States. Safeguard: EU SCCs with UK Addendum per Microsoft's Data Protection Addendum. Only active with your cookie consent.
Sentry (Error tracking) — United States. Safeguard: EU SCCs with UK Addendum per Sentry's Data Processing Addendum. Processes technical error data only, not personal information.

You can request a copy of the relevant safeguard documentation by contacting us at help@stallsync.co.uk.

10. Data Security

Technical Measures

  • Encryption of data in transit (HTTPS)
  • Encryption of sensitive data at rest
  • Secure password hashing
  • Regular security audits
  • Access controls and authentication

Data Breach Procedures

In case of a personal data breach, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms (Article 33)
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34)
  • Take immediate steps to contain and mitigate the breach
  • Document the incident, our assessment of risk, and our response

11. Children's Privacy

StallSync is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If we discover we have collected data from a child, we will delete it immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Email notification
  • Platform notification
  • Prominent notice on our website

13. Contact Us

For privacy-related questions or to exercise your data rights:

Company: Muckifoot Studios Ltd (trading as StallSync)

Email: help@stallsync.co.uk

Phone: 01603 336 306

Address: Hardwick House, No. 2 Agricultural Hall Plain, Norwich, Norfolk, NR1 3FS

Our ICO registration number is ZC133137.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection: ico.org.uk.

© 2026 Muckifoot Studios Ltd. All rights reserved.
Trading as StallSync.