Privacy Policy

1.Introduction

DealSplash LLC ("DealSplash," "we," "us," or "our") is a Tennessee limited liability company with a mailing address at 116 Agnes Rd Ste 200, Knoxville, TN 37919. This Privacy Policy explains how we handle personal information.

This policy applies to your use of DealSplash's websites, marketplace, and related services (the "Services"), including dealsplash.io, the merchant dashboard, the deal editor, and any email or embedded content we send or host on your behalf.

For personal information we collect when you interact with DealSplash, we are the "controller" under EU/UK data protection law and the "business" under California law. When customer information is shared with a merchant through your purchase of a deal, that merchant is an independent controller for their own subsequent use of that information.

Whether you're a customer purchasing deals, a merchant listing deals, or a visitor browsing the site, this policy explains what information we collect and what you can do about it.

The effective date of this policy is the "Last updated" date shown at the top of the page. Material changes are recorded in the changelog at the bottom.

2.Information we collect

We collect information in a few different ways: directly from you when you create an account or make a purchase, automatically when you use the Services, and from third parties that help us run the platform.

2.1 Personal information you provide

You give us information directly when you interact with the Services. This includes:

• Account registration. Your name, email address, and a one-way hash of the password you choose. If you sign up as a merchant, we also collect your business name and any profile details you provide.
• Deal-creation content. If you're a merchant, we collect the text, images, pricing, availability, terms, and other content you add when creating or editing a deal.
• Purchase details. When you buy a deal, we receive the customer name, email address, phone number (if provided), selected deal option, quantity, and order total. Payment card data is processed directly by Stripe and is not stored by DealSplash.
• Support correspondence. Messages you send to us, including any information you include in support emails or reply-threads from order confirmation emails.
• Lead-capture email signups. The email address and any optional context you submit through "notify me" forms on the homepage, About page, publisher page, expired-deal pages, and deal-ended banners.

2.2 Sensitive personal information

DealSplash does not process sensitive personal information as defined under California law (CCPA §1798.140(ae)). We do not collect Social Security numbers, driver's license or government-issued ID numbers, financial account details (payment cards are processed directly by Stripe and not stored by DealSplash), precise geolocation, genetic or biometric data, health information, or the contents of your private communications. Your account password is stored only as a one-way cryptographic hash, which cannot be used to access your account and is not the "password allowing access to an account" referenced in the statute.

2.3 Information we collect automatically

When you visit or interact with the Services, we automatically collect:

• Device information. Browser type and version, operating system, device type, screen size, language preference, and IP address (from which we derive an approximate location — typically city-level, never precise).
• Usage data. Pages you view, deals you open, links you click, time spent on pages, referring URL, and the UTM parameters attached to inbound links.
• Session data. Authenticated session identifiers and, for merchants, autosave and editor activity needed to keep your work-in-progress in sync.
• Server logs. Standard HTTP request logs including timestamp, request path, response status, and user-agent, retained for security, debugging, and abuse monitoring.
• Essential cookies. A small set of cookies required for sign-in, session management, and security. We do not use advertising cookies or third-party tracking cookies.
• Cookieless analytics events. Aggregate pageview and interaction counts used to understand site performance. These events do not set persistent identifiers on your device.

2.4 Information from third parties

Some information reaches us from the services that help us run the platform:

• Stripe. When a merchant connects a Stripe account for payments, Stripe shares identity-verification status, business metadata, and capability flags we need to route payouts and determine when a merchant can accept charges. Stripe handles the underlying KYC/identity data directly.
• HighLevel (GHL). When a merchant connects their HighLevel account, we receive an OAuth access token and location metadata (location ID, business name, timezone) so we can sync customer and order information to the merchant's CRM.
• Enrichment APIs. When a merchant looks up their business during deal creation, we query third-party services (for example, Google Places, Foursquare, and Brandfetch) for non-personal business and brand metadata such as address, hours, logo, and brand colors. We do not receive personal information about non-merchants from these lookups.

2.5 Information from non-account-holders

You do not need to create a DealSplash account to submit information to us. We collect email addresses submitted through lead-capture forms on the homepage, About page, publisher page, expired-deal and not-found pages, and deal-ended banners, along with source metadata such as the referring URL and any UTM parameters on the link you arrived from. We use this information only to send the alerts you requested and to understand where interest in DealSplash is coming from.

3.How we use information

DealSplash uses the information described in Section 2 for the following purposes:

• Operate the marketplace and provide the Services.
• Process purchases, payouts, refunds, and redemptions.
• Onboard merchants and enable the integrations they authorize.
• Detect, prevent, and respond to fraud, abuse, and security incidents.
• Communicate with you — including service, transactional, and marketing emails, and, in the future, SMS or push notifications with your consent.
• Comply with law, respond to legal process, and enforce our Terms.
• Research, develop, test, and improve our products and services.
• De-identify or aggregate information for any business purpose, without further notice or opt-out.
• Any other purpose disclosed to you at the time of collection or with your consent.

DealSplash may send marketing communications about new deals, merchant-specific offers, and product updates. You may opt out at any time via the unsubscribe link in any marketing email or by emailing privacy@dealsplash.io.

4.How we share information

DealSplash shares personal information only in the circumstances described in this section.

4.1 Service providers

We share personal information with a limited set of service providers that process it on our behalf to operate the Services. The table below is the authoritative list of these providers.

Where personal information of individuals in the EU, UK, or other regions with cross-border transfer requirements is processed by these providers, additional safeguards are in place, including Data Processing Agreements and Standard Contractual Clauses where applicable.

We may engage additional service providers from time to time. Material additions to our service-provider set (a new provider that receives significant volumes of personal information) will be reflected in an update to this policy.

4.2 Enrichment and operational services

We also use operational and enrichment services in connection with the deal-creation and merchant-onboarding workflows — including business-discovery APIs, brand and logo lookup services, content-moderation tools, and AI content-generation providers. These services process non-personal information (such as business names, domains, and merchant-provided deal descriptions) on a query-response basis and do not receive your personal information.

4.3 Data shared with merchants

When you purchase a deal, we share purchase information with the merchant so they can fulfill your redemption — including your name, email, the deal and pricing option you selected, your unique redemption code, and the purchase amount.

Some merchants authorize integration with their own HighLevel / GoHighLevel CRM accounts. When a merchant has connected GHL, we sync your purchase data — including your contact information, a structured note containing purchase details and redemption code, an opportunity record in the merchant's pipeline, and an inbound conversation message — into that merchant's own GHL location. For a merchant-facing technical overview of what gets synced and when, see /integrations/ghl.

Once data is shared with a merchant, the merchant becomes an independent controller and processor for their own subsequent use (including follow-up marketing, retention, or other processing in the merchant's own GHL instance or elsewhere). Please contact the merchant directly with questions about their handling of your data, or consult their privacy policy.

You have the right to request that we stop sharing your future purchase data with a particular merchant's CRM, though we will still fulfill existing purchases.

4.4 Legal, government, and business transfers

We may share personal information when we believe in good faith that disclosure is required or reasonably necessary to comply with a law, regulation, subpoena, court order, or other valid legal process, or to respond to a request from a government or law-enforcement authority. We may also share information where we believe it is necessary to investigate, prevent, or respond to suspected fraud, abuse, security incidents, violations of our Terms, or threats to the rights, property, or safety of DealSplash, our users, or the public.

If DealSplash is involved in a reorganization, merger, acquisition, financing, bankruptcy, or sale of all or substantially all of our assets, personal information may be transferred to the successor or acquiring entity as part of that transaction. We will notify you of any such transfer and of any material changes to how your information is handled as a result.

5.Cookies and similar technologies

DealSplash currently uses only essential cookies — small files set by our own domain that are required for the Services to function. These include:

• Authentication session. Keeps you signed in across pages.
• CSRF (cross-site request forgery) token. Prevents unauthorized requests from other sites.
• Preferences. Remembers lightweight UI preferences, such as layout choices.

We use privacy-respecting, cookieless analytics to understand aggregate site usage. These tools do not use tracking cookies and do not enable cross-site tracking.

We may in the future introduce additional cookies, pixels, web beacons, or similar technologies for analytics, personalization, marketing, or other purposes. If we do, we will update this policy and provide any required consent mechanism at that time.

Most browsers let you block or clear cookies through their settings; note that blocking essential cookies may break core Services such as signing in.

6.Your choices

Account settings. You can update or delete your email address, name, and account at any time from your account settings. Account deletion is subject to the retention rules described in Section 9 — some information must be kept for legal, tax, or fraud-prevention reasons even after you delete your account.

Marketing opt-out. You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by emailing privacy@dealsplash.io. Even if you opt out of marketing, we may still send service and transactional communications related to your account or purchases.

SMS and push notifications. We do not currently send marketing SMS messages or push notifications. If we introduce these channels in the future, we will obtain any required consent at the time of enrollment (including TCPA and carrier A2P compliance for SMS) and you will be able to opt out at any time.

If you decline to provide information. Some information is required to provide the Services (for example, an email address to create an account). If you decline to provide required information, you may be unable to use all or part of the Services.

7.Your rights

The rights available to you depend on where you live. The subsections below describe the specific rights that apply to California residents, residents of other US states with comprehensive privacy laws, and residents of the EU and UK.

7.1 Your California Privacy Rights

California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). These include:

• Right to know what personal information we collect, use, share, or disclose about you (access)
• Right to delete personal information we have collected about you
• Right to correct inaccurate personal information
• Right to opt out of the sale or sharing of personal information
• Right to limit the use and disclosure of sensitive personal information
• Right to non-discrimination for exercising your rights
• Right to authorize an agent to submit requests on your behalf
• Right to access information about, opt out of, and appeal significant automated decision-making

DealSplash does not sell personal information for money and does not share personal information for cross-context behavioral advertising. Because we do not sell or share your personal information, there is no opt-out to exercise, and browser-transmitted opt-out preference signals (such as the Global Privacy Control, or "GPC") have no effect on our processing. If our business practices ever change in a way that triggers a sale or share under California law, we will update this policy and provide the required opt-out mechanism.

DealSplash does not process sensitive personal information as defined under California law (see Section 2.2). Because we do not process SPI, the right to limit use of sensitive personal information does not apply to your information. If our processing practices ever change in a way that triggers SPI under California law, we will update this policy and provide the required limit mechanism.

DealSplash does not today use automated systems to make significant legal or similarly significant decisions about users without meaningful human involvement (see Section 8). If we introduce such systems in the future, we will provide the pre-use notice, access, opt-out, and appeal rights required by California regulations at that time.

To exercise your California privacy rights, email privacy@dealsplash.io with the subject line Privacy Rights Request. We may ask you to verify your identity before fulfilling certain requests. We will respond within 45 days of receiving a verifiable request and may extend this period by an additional 45 days when reasonably necessary, in which case we will notify you within the initial response window.

7.2 Rights under other US state privacy laws

Residents of several other US states have similar privacy rights under state comprehensive privacy laws.

These rights are available to residents of Tennessee, Virginia, Colorado, Connecticut, Utah, Iowa, Texas, Oregon, Montana, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Rhode Island, Indiana, and Kentucky.

The rights common to these laws include the right to access your personal information, the right to correct inaccurate information, the right to delete your information, the right to opt out of targeted advertising, and the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.

DealSplash does not process sensitive personal information (see Section 2.2), so opt-in consent for SPI processing is not required for your information.

DealSplash does not today conduct profiling in furtherance of decisions that produce legal or similarly significant effects about you (see Section 8).

If we decline your rights request, you may appeal our decision. We will respond to your appeal within the time required by applicable law (generally 45 to 60 days).

7.3 Rights under GDPR (EU / UK residents)

Residents of the EU and the UK have specific rights under the General Data Protection Regulation (GDPR) and UK GDPR.

Controller identity and contact. DealSplash LLC is the controller of your personal data; you can contact us at privacy@dealsplash.io.

Purposes and legal basis. We process your personal data under the following Article 6 legal bases: contract performance (providing the Services you request), legitimate interests (security, fraud prevention, product development), consent (marketing emails, and any future SMS or push notifications), and compliance with legal obligations.

Your rights. Under the GDPR and UK GDPR you have the right to:

• Access the personal data we hold about you
• Request rectification of inaccurate personal data
• Request erasure of your personal data
• Request restriction of processing
• Receive your personal data in a portable format (data portability)
• Object to processing, including direct marketing
• Withdraw consent at any time where processing is based on consent

Automated decision-making. You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects; see Section 8 for DealSplash's current-state declaration.

Right to lodge a complaint. You have the right to lodge a complaint with your local data protection supervisory authority. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk. EU residents can locate their national authority via the European Data Protection Board member list at edpb.europa.eu.

International transfers. For information about cross-border transfers of your personal data (including Standard Contractual Clauses and the UK International Data Transfer Addendum), see Section 11.

8.Automated decision-making and AI

DealSplash does not today use automated systems to make significant legal or similarly significant decisions about you without meaningful human involvement. This includes decisions about your access to the Services, the price you pay, whether your purchase completes, or whether your merchant account is approved. All such decisions involve a person in the process.

For transparency, we do use routine operational automation that does not rise to the level of significant-decision ADMT:

• Rate limiting and basic security checks. Protect the Services against abuse.
• Spam and abuse detection. Filter malicious or unwanted content and behavior.
• Aggregate analytics. Help us understand product usage at a non-individual level.
• Merchant-side AI content generation. Helps merchants draft deal descriptions, promo headlines, and business descriptions. These tools do not process customer personal information in their prompts.

If DealSplash in the future introduces automated systems that make significant legal or similarly significant decisions about you without meaningful human involvement, we will provide the pre-use notice, access, opt-out, and appeal rights required by applicable law (including California's Automated Decision-Making Technology regulations) at that time.

You may contact privacy@dealsplash.io to request human review of any decision you believe has affected you meaningfully, regardless of whether our current systems formally trigger ADMT rights.

9.Data retention

We retain personal information for as long as we need it for the purposes described in this policy and as required by law. The table below sets out the general retention ceilings by category.

We may retain information beyond the ceilings above in the following circumstances:

• We retain information longer as needed to respond to legal process, law enforcement requests, or to preserve evidence in accordance with applicable law.
• We retain information longer where reasonably necessary to assert, exercise, or defend legal claims.
• We retain information longer where necessary to investigate potential fraud, abuse, or security incidents.
• We may retain information longer where we determine in good faith that continued retention is necessary for the legitimate operation of our business, consistent with applicable law.
• The periods above are maximum ceilings. We may delete information sooner when we no longer have a legitimate business or legal reason to retain it.

Payment records retained by Stripe are governed by Stripe's own retention policies, which may exceed the periods above for anti-money-laundering and audit compliance.

10.Data security

DealSplash protects personal information with layered controls. Traffic between your browser, our services, and our processors is encrypted in transit using TLS. Personal information at rest is encrypted in our production database and in our object-storage bucket for media uploads. We apply the principle of least privilege to employee access, gate administrative actions behind role-based access control, and log access for security and audit purposes.

We do not store full credit or debit card numbers. Payment card details are processed and stored by Stripe, which maintains PCI DSS Level 1 certification.

If we become aware of a security incident that materially affects your personal information, we will notify you within the time required by applicable law.

Please use a strong unique password and be cautious about phishing emails that claim to come from DealSplash.

No method of transmission over the internet or method of electronic storage is 100% secure. We use commercially reasonable safeguards to protect your information and continuously work to improve them, but we cannot guarantee absolute security.

11.International transfers

DealSplash is a United States company. Our primary infrastructure providers — Vercel (application hosting), Neon (managed Postgres), and Cloudflare (network and object storage) — host our production systems in US regions. When you use DealSplash from outside the United States, your personal information is transferred to, stored in, and processed in the US.

When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK International Data Transfer Addendum. These terms are included in our Data Processing Agreements with our primary processors.

Our primary processors with cross-border transfer mechanisms include:

• Stripe — payment processing
• Vercel — application hosting
• Neon — managed database
• Cloudflare — network and object storage
• Resend — transactional email
• Sentry — error monitoring
• Cloudinary — media storage and delivery

The Data Processing Agreements we have in place with these vendors incorporate the SCCs and, where applicable, the UK International Data Transfer Addendum.

For data transfers to countries not subject to an EU Commission adequacy decision, we rely on SCCs and supplementary measures as required.

To request a copy of our standard cross-border transfer documentation, email privacy@dealsplash.io.

12.Children Under 13

DealSplash's Services are not directed to children under 13. We do not knowingly collect personal information from children under 13, including the additional categories covered by the FTC's amended COPPA rule (such as biometric identifiers and government-issued identification numbers).

We do not collect, use, or disclose personal information from children for targeted advertising or for third-party disclosure.

For visitors in the European Economic Area or the United Kingdom, our Services are not directed to children under 16. We do not knowingly process personal information from children under 16 without verifiable parental authorization.

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact privacy@dealsplash.io with the subject line Request for Child Data Deletion. We will verify the request and promptly delete the information from our active systems, subject to the retention reservations described in Section 9.

13.Changes to this policy

We may update this policy from time to time. For material changes — changes that expand our use or sharing of your personal information in ways that materially affect your rights — we will provide reasonable notice before the changes take effect. Notice may be provided through a prominent notice on the Services, by email where practicable, in-app notification, or another method we reasonably determine is appropriate under the circumstances.

We will reflect minor updates — such as clarifications, typo fixes, or non-material edits — in the changelog below without individual notice.

Your continued use of the Services after the effective date of an update constitutes acceptance of the updated policy.

See the changelog at the bottom of this page for a summary of all changes, including the date of each revision.

14.Contact us

Email: privacy@dealsplash.io

Mailing address: DealSplash LLC 116 Agnes Rd Ste 200 Knoxville, TN 37919

To submit a privacy rights request, email privacy@dealsplash.io with the subject line Privacy Rights Request. Include the right you wish to exercise, your account email (if any), and the state or country of your residence. We may ask you to verify your identity before fulfilling certain requests.

We will respond within 45 days of receiving a verifiable request. We may extend this period by an additional 45 days when reasonably necessary, in which case we will notify you of the extension within the initial response period.

You may designate an authorized agent to submit requests on your behalf, subject to identity verification.

We may designate additional methods for submitting rights requests on our website from time to time.

15.Definitions

• Automated decision-making — The use of automated systems to make decisions about you without meaningful human involvement.
• Controller — Under EU and UK data protection law, the entity that determines the purposes and means of processing personal information.
• Customer — An individual who purchases a deal through the DealSplash marketplace.
• Deal — A product, service, or offer listed by a merchant on the DealSplash marketplace.
• DealSplash, we, us, our — DealSplash LLC.
• Merchant — A business or individual listing deals on the DealSplash marketplace.
• Personal information / Personal data — Any information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable individual. Includes "personal information" as defined by CCPA/CPRA and "personal data" as defined by the GDPR.
• Processor — Under EU and UK data protection law, the entity that processes personal information on behalf of a controller.
• Purchase — A customer's transaction to buy a deal through DealSplash.
• Redemption — A customer's act of using a purchased deal with the merchant.
• Sale / Share — As defined in CCPA/CPRA. DealSplash's position on both is stated in Section 7.1.
• Sensitive personal information (SPI) — As defined in CCPA §1798.140(ae). DealSplash's position is stated in Section 2.2.
• Service provider — A third party that processes personal information on behalf of DealSplash under contractual safeguards.
• Services — DealSplash's websites, marketplace platform, and related offerings.
• You, your — The individual reading this policy, whether a customer, merchant, or site visitor.