This Privacy Policy describes how The Playpen Enterprises LLC collects, uses, discloses, stores, and otherwise processes personal information in connection with theplaypen.com, our related websites and portals, our booking and documentation workflows, our messaging tools, our event and ticketing tools, and our related support and enterprise services.

This Privacy Policy applies when you visit our sites, create an account, request or purchase a booking, sign a waiver or agreement, submit a manifest, apply to list a vessel, apply as a captain or provider, receive a ticket, communicate with us, or otherwise interact with our services.

This Privacy Policy does not replace a separate notice provided for a specific product, enterprise program, document workflow, insurance product, or biometric workflow. If we provide a more specific notice for a particular interaction, that more specific notice controls to the extent of a conflict.

The Platform is hosted in the United States. By using the Platform from outside the United States, you understand and agree that your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your jurisdiction. Your continued use of the Platform constitutes your consent to that transfer and processing.

We collect different categories of information depending on your relationship to the Platform. The chart below summarizes the main personas, the main data categories, and the main reasons we use that data.

We may collect one or more of the following categories of information, depending on the service you use:

• Identifiers and contact information, such as name, email address, mobile number, postal address, social handle, and account username.

• Authentication and account information, such as password credentials, login status, security tokens, and account settings.

• Payment and financial information, such as billing address, partial payment card information where displayed by a processor, payout account details, tax forms, invoice records, credit balances, gift card balances, and transaction history.

• Government-issued identification and verification data, such as driver's license details, passport details, date of birth, entity formation records, and verification results or risk signals from identity vendors.

• Booking and transaction information, such as booking dates, times, departure point, group size, vessel, captain, provider selections, proposal history, organizer notes, cancellation history, and pricing components.

• Trip, event, and safety documentation, such as manifests, waivers, emergency contacts, boarding status, incident reports, inspection records, claims materials, and evidence associated with disputes or casualties.

• Owner, operator, captain, and provider compliance data, such as vessel registration details, insurance certificates, permit details, license details, credential details, boat authorizations, route restrictions, crew data, availability, and rates.

• Corporate and enterprise data, such as company profile information, user roles, approval settings, confidential booking flags, spending history, invoices, purchase orders, and event recap records.

• Communications and support data, such as emails, text messages, in-platform messages, call notes, attachments, customer service tickets, survey responses, and service-recovery records.

• Usage, device, and technical data, such as IP address, browser type, operating system, referral URL, session data, cookie identifiers, mobile device identifiers, crash logs, and page or message interaction data.

• Location and operational context, such as departure point, marina, map selections, weather snapshot, and event or route context tied to a booking or listing.

• Media and content, such as listing photos, guest photos, videos, reviews, testimonials, social content, event pages, and any rights or permissions associated with that content.

Payment data handled by Stripe. Charter and ticket payments are processed by Stripe. Playpen does not store full credit-card numbers, full bank-account numbers, or CVV codes on Playpen-controlled servers. Stripe's handling of your payment data is governed by the Stripe Privacy Policy at stripe.com/privacy.

Identity verification (Stripe Identity). Where identity verification is required, we use document-based verification through Stripe Identity. The verification reviews government-issued identification (driver's license, passport, or equivalent). We do not collect biometric identifiers, facial geometry, fingerprint scans, or other biometric information unless we provide a separate written notice and obtain any consent required by applicable law before doing so.

Waiver and manifest data. When you sign a waiver, manifest acknowledgment, or other electronic document on the Platform, we may capture the signer's typed or drawn signature, the date and time of signing, the device used, the IP address, and — where the signing flow uses location for compliance purposes — the approximate GPS location at signing. We retain a signed copy of each document and the signing metadata as required for safety, compliance, and recordkeeping.

Captain selection evidence. For Mode B2 bareboat bookings, we record the captain options surfaced to the charterer, the charterer's selection path, and the timestamps and identifiers needed to demonstrate compliance with United States Coast Guard NVIC 7-94 bareboat-doctrine requirements. This record is operational compliance evidence and is retained as part of the booking's compliance packet.

Analytics and performance tools. We use Google Analytics 4, Microsoft Clarity, Vercel Speed Insights, and Sentry to measure Platform usage, identify performance regressions, and triage software defects. These tools may set cookies, collect device and browser identifiers, record session interactions, and capture error data. Aggregate metrics from these tools are reviewed by Playpen and the relevant tool provider for the purposes described in this Policy.

We collect personal information directly from you, automatically from your device or browser, from organizers or booking holders who add you to a booking or event, from owners, operators, captains, providers, enterprise clients, payment processors, identity or fraud vendors, insurers and insurance partners, analytics providers, advertising partners, social sign-in providers, and public or governmental sources where appropriate for compliance or fraud prevention.

We use personal information to operate and improve the Platform, including to create and administer accounts; process bookings, proposals, ticket orders, and payments; facilitate charter documentation, manifests, waivers, check-in, and boarding; verify identities and credentials; manage listings and applications; match captains or providers to bookings; provide support; prevent fraud; monitor safety and compliance; send confirmations, reminders, and alerts; market and measure our services where permitted; perform analytics; enforce agreements and policies; and comply with law, court orders, insurance requirements, tax requirements, and regulatory obligations.

We disclose personal information only as reasonably necessary for the purposes described in this Privacy Policy, as authorized by you, or as otherwise required or permitted by law.

We may disclose your information to the following categories of recipients:

• owners, operators, captains, crew, and service providers involved in a booking, event, or support issue

• organizers, corporate administrators, and hosts who are authorized to manage a booking, event, attendee list, or enterprise account

• payment processors, banking providers, invoicing and accounting providers, and fraud or risk vendors

• identity verification vendors, credential-review vendors, and document-storage or workflow providers

• insurance carriers, insurance partners, claims administrators, and brokers or review personnel involved in an insurance workflow

• cloud hosting providers, analytics providers, security providers, communications providers, map providers, and other technology vendors that support our services

• legal, accounting, tax, and professional advisers, auditors, and financing counterparties bound by confidentiality or legal obligations

• government agencies, regulators, law enforcement, harbor or marina authorities, courts, and insurers where required or appropriate for safety, incident response, fraud prevention, permit or boarding issues, or compliance with law

• an acquirer, investor, or successor in connection with a financing, merger, restructuring, sale of assets, or similar corporate transaction, subject to appropriate confidentiality protections where feasible

The principal third-party service providers we use to operate the Platform include the following. Each is bound by its own privacy notice and any applicable data-processing terms with Playpen:

• Stripe — payment processing, payouts (Stripe Connect), and document-based identity verification (Stripe Identity);
• Resend — transactional email delivery;
• Twilio — SMS and voice notifications;
• Cloudflare R2 — object storage for uploaded documents, photos, signatures, and policy-rendered files;
• Google Analytics — aggregate Platform usage analytics;
• Microsoft Clarity — session-level usage analytics, including heatmaps and recordings;
• Vercel — hosting, deployment, and Real User Monitoring via Vercel Speed Insights;
• Sentry — error and exception monitoring;
• Buoy and other insurance partners — supplemental trip-protection workflows where the renter purchases coverage or where coverage is otherwise arranged for a booking;
• Rewardful and other referral or affiliate-tracking partners — Partner Program attribution where applicable.

We and our service providers may use cookies, pixels, tags, SDKs, local storage, and similar technologies to remember your settings, understand how users interact with our sites and messages, maintain session integrity, measure advertising performance, attribute referrals, improve content, and help prevent abuse.

You can usually manage cookies through your browser settings. Some site functions may not work properly if certain cookies are disabled. If we offer a cookie preference tool or consent banner for a particular site or device, your choices there will apply as described in that tool.

At launch, the Platform does not use advertising cookies, third-party advertising identifiers, or behavioral-advertising profile cookies. We use only essential cookies (session, authentication, security) and analytics cookies described in Section 3. If we later introduce advertising cookies, we will update this Privacy Policy and provide a cookie preference or consent tool where applicable law requires it.

We use contact information to send operational communications such as booking confirmations, waiver reminders, manifest reminders, payment reminders, safety alerts, changes to a trip, customer service messages, and other service-related notices. We may also send marketing communications where permitted by law or where you have opted in.

You can opt out of marketing emails by using the unsubscribe method in the message. You can opt out of marketing text messages by following the instructions in the message, such as replying STOP where supported. Opting out of marketing does not prevent us from sending operational messages that are necessary to service a booking or comply with law.

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, the applicable agreement or policy, and our legal, tax, accounting, safety, and dispute-resolution obligations.

As a general rule, we retain signed charter agreements, waivers, manifests, and related compliance records for at least seven years from the relevant trip or event, and longer if there is an unresolved claim, dispute, incident, legal hold, or regulatory matter. We may retain payout, tax, and accounting records for at least the period required by law. We may retain deidentified or aggregated information for longer where permitted by law.

Specific retention rules we apply:

• signed waivers, passenger manifests, captain selection evidence logs, and inspection records — at least seven years from the trip or event date;
• financial records (charter payments, payouts, refunds, tax forms) — at least seven years for tax and regulatory compliance;
• booking and reservation records — at least seven years;
• captain credential and compliance records — for the duration of active captain status plus three years following deactivation, subject to longer retention where required by maritime safety law;
• Google Analytics aggregate data — twenty-six months (Google Analytics 4 default retention);
• Microsoft Clarity session recordings — thirty days (Clarity default retention);
• Sentry error events — typically ninety days, or as configured;
• general account data — retained until you request account deletion, after which a ninety-day grace period applies before permanent removal, subject to retention obligations above and to applicable legal holds.

We use administrative, technical, and physical safeguards that are designed to protect personal information against unauthorized access, acquisition, destruction, use, modification, or disclosure. No system is perfectly secure, and we cannot guarantee absolute security.

We also require certain service providers and counterparties that receive personal information from us to implement reasonable security measures appropriate to the information involved and the services they provide.

At launch, we do not intend to collect biometric identifiers or biometric information, such as facial geometry or fingerprint scans, unless we first provide a separate written notice and obtain any legally required consent. If we later offer a biometric or selfie-based verification feature, that feature will be governed by a separate biometric notice, retention schedule, and consent flow where required by law.

Where identity verification relies on government-issued identification images or numbers without biometric capture, those materials are handled under this Privacy Policy and any specific verification notice provided in the relevant workflow.

Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14). Playpen does not collect, use, store, sell, or disclose biometric identifiers or biometric information as defined in BIPA, including facial geometry, fingerprint scans, voiceprints, retina or iris scans, or hand-geometry scans. Identity verification on the Platform is document-based and reviews government-issued identification only. If we later introduce a feature that would collect biometric information within the meaning of BIPA, that feature will be governed by a separate written biometric notice, retention schedule, and consent flow as required by BIPA.

ESIGN Act and Illinois UETA. Electronic signatures captured on the Platform are governed by the federal Electronic Signatures in Global and National Commerce Act (ESIGN Act, 15 U.S.C. § 7001 et seq.) and the Illinois Uniform Electronic Transactions Act (UETA), enacted as Public Act 102-0038. Signature metadata captured during signing — including signature image or typed signature, timestamp, IP address, and device — is retained as part of the signed document's audit record.

Our Platform is not directed to children for independent account use. The primary charterer or account holder generally must be an adult who meets the eligibility rules in the applicable agreement or workflow.

We may receive information about minors when a parent, guardian, organizer, or booking holder adds a minor to a booking, waiver, manifest, or event. We use that information only for the specific trip, event, or documentation purpose for which it was provided, subject to applicable law and our retention obligations.

Account-eligibility ages. The Platform requires a primary charterer or booking holder to be at least twenty-one years old. Captain accounts and supply-side accounts (owners, providers, organizers, partners) require account holders to be at least eighteen years old. Minor passengers may be included on a charter with parent or guardian consent captured through the applicable waiver flow.

Subject to applicable law, you may request access to certain information we hold about you, request corrections, update your account profile, request deletion of information that we no longer need, or object to certain marketing uses. We may need to verify your identity before fulfilling a request.

We may deny or limit a request where the law allows or requires us to keep data for safety, fraud prevention, tax, accounting, legal, insurance, incident, or documentation reasons, or where the request would adversely affect the rights or safety of another person.

Corporate confidentiality controls. For bookings, accounts, or events designated as corporate, enterprise, invite-only, or otherwise confidential, enhanced privacy controls are available, including marketing-suppression flags, restricted access within Playpen, suppression of public reviews or galleries, suppression of social-share or testimonial prompts, and any additional written limitations agreed for the specific account or booking. Confidentiality flags do not relieve any party of safety, manifest, waiver, regulatory, or legal-process obligations.

The Platform may integrate with or link to third-party services, including payment processors, identity providers, insurers, analytics tools, messaging tools, map tools, enterprise tools, social media services, and partner event pages. Their privacy practices are governed by their own notices and terms.

We may update this Privacy Policy from time to time. If we make a material change, we may post the revised version on the Platform, update the "Draft Date" or "Last Updated" line, or provide another form of notice as appropriate.

For privacy questions, requests, or complaints, contact us through the privacy contact channel identified on the Platform or in the relevant enterprise agreement. Routine support issues should be directed to the support channels identified on the Platform.