artistryhost

ArtistryHost Privacy Policy

Effective date: June 14, 2026

This Privacy Policy explains how Cork & Candles Franchising LLC, doing business as ArtistryHost ("ArtistryHost," "we," "us"), handles personal information. It applies to our marketing site (artistryhost.com), our booking application, and the booking pages we host for our business customers ("Operators").

1. The two roles we play

ArtistryHost handles personal information in two distinct roles, and your rights depend on which one applies:

  • Operator account data — we are the controller. When an Operator signs up, we decide how we use their account information (to provide, bill, and support the Service). This Policy governs that use.
  • Guest data — we are the processor. When a Guest books with an Operator, we process the Guest's personal data on behalf of, and under the instructions of, the Operator, who is the controller. The Operator's own privacy notice governs that relationship. Our handling is described in Section 9 (our Data Processing terms). Guest requests should generally go to the Operator first; we will assist the Operator in responding.

2. Information we collect

From Operators (and their staff users): name, business name, email, phone, business address, login credentials, subscription/billing details, support communications, and the configuration choices you make in the product.

Guest data we process for Operators: Guest name, email, phone, booking history, party details, notes the Operator records (e.g., dietary or accessibility needs), marketing/SMS opt-in status, and gift-card balances. We process this to deliver the booking, run the Operator's workflows, and send the Operator's confirmations and reminders.

Payments: we do not collect or store full card numbers. Guest payments run through the Operator's own Square account; our subscription billing runs through Stripe. We receive limited transaction metadata (amounts, status, last four digits), not full card data.

Automatically collected: IP address, device/browser type, pages viewed, referring source, and similar technical data, via cookies and similar technologies (Section 7).

3. How we use information

To provide, secure, and improve the Service; to bill and collect subscriptions; to send transactional messages (account, billing, launch, and—where applicable— the Operator's Guest confirmations); to provide support; to detect fraud and abuse; to comply with law; and, for our own marketing of ArtistryHost to prospective Operators, to measure and improve our campaigns (Section 7).

We do not use one Operator's Guest data to benefit another Operator, and we do not sell Guest data. The only exception is the aggregated and de-identified data described in Section 6, which by definition is not Guest data and cannot be linked to any Guest or Operator.

Performance of our contract with the Operator; our legitimate interests in operating, securing, and marketing the Service; consent (for non-essential cookies and certain marketing); and compliance with legal obligations.

5. How we share information

We share personal information only with:

  • Sub-processors that help us run the Service (Section 8), under contracts limiting their use to our instructions.
  • The Operator, for Guest data we process on their behalf.
  • Square and Stripe, to process payments and subscriptions.
  • Authorities, where required by law or to protect rights and safety.
  • A successor, in a merger, financing, or sale of assets, subject to this Policy.

We do not sell personal information for money. However, our use of the Meta Pixel and advertising cookies may constitute "sharing" or a "sale" under CCPA/CPRA even without payment, so we treat it as such and provide a "Your Privacy Choices" opt-out and consent mechanism (see §7 and §11).

6. Aggregated and de-identified data

We may create aggregated and de-identified data from operational and transactional metadata generated through the Service — for example, booking volumes, lead times, party sizes, cancellation and no-show rates, seasonal demand patterns, and average transaction values. We use it to operate, secure, and improve the Service and to produce analytics, benchmarks, and published industry reports (for example, sector-wide trend reports across experience venues such as wineries, candle bars, and pottery studios).

When we do, we apply each of the following safeguards:

  1. Aggregation across many Operators. The data is pooled and stripped of identifiers so that no individual Operator or Guest can be identified or singled out.
  2. Minimum cell size (k-anonymity). We apply a minimum group-size threshold of 30 Operators before publishing any statistic derived from Operator data, so that no single Operator's figures can be reverse-engineered from a published number.
  3. No Operator named. We do not name, label, or otherwise identify any Operator in a published report, and we do not attribute specific figures to any Operator, without that Operator's separate written consent.
  4. No Guest PII. No Guest's personal information is included or exposed.
  5. Public no-re-identification commitment. We publicly commit not to attempt to re-identify the data, to maintain it as deidentified information, and to bind any recipient to the same commitment — consistent with the standard for "deidentified" data under the CCPA/CPRA.

This reconciles with Section 3: aggregated, de-identified data is not Guest data and cannot be traced back to any Operator's business or its Guests, so producing it is not "using one Operator's Guest data to benefit another" and is not a "sale." This mirrors the carve-out in Terms of Service §9.6.

7. Cookies, the Meta Pixel, and analytics

On our marketing site, we use:

  • Essential cookies (to make the site work).
  • The Meta (Facebook) Pixel and Google Analytics to measure traffic and the performance of our ads to prospective Operators.

These set cookies and may share limited event data (e.g., page views, "Lead," "Contact") with Meta and Google. Under the CCPA/CPRA this may be "sharing" / "sale," so we provide a "Your Privacy Choices" opt-out (§11). Where consent is required, these technologies load only after you consent.

On booking pages, the Operator may configure their own pixels and analytics; those are the Operator's responsibility and governed by the Operator's notice.

8. Sub-processors

We use reputable third-party service providers ("sub-processors") to operate the Service. Each is bound by contract to use personal information only to provide services to us and consistent with this Policy. We use sub-processors in the following categories:

  • Cloud hosting and database infrastructure — to run and store the application (Operator and Guest records, technical and request data).
  • Payment processing — Guest payments through the Operator's own Square account, and our subscription billing.
  • Transactional email and SMS delivery — confirmations, reminders, and notifications (Operator and Guest contact details and message content).
  • Background job processing — scheduled tasks such as reminders and holds (booking metadata).
  • Product analytics and AI-assisted features — to operate and improve the Service.
  • Marketing-site analytics and advertising measurement — to measure our own marketing to prospective Operators (marketing-site events only).

We maintain a current list of the specific sub-processors we use and will provide it on request, and we give notice of material changes (see §9).

9. Processing on behalf of Operators (our Data Processing terms / DPA)

This section functions as our Data Processing Agreement and forms part of the Terms of Service. If you require a separately signed data processing agreement (for example, for a procurement or RFP process), contact legal@artistryhost.com.

For Guest personal data, the Operator is the controller and ArtistryHost is the processor. We will:

  1. Process only on documented instructions — to provide the Service, as configured by the Operator, and as required by law.
  2. Purpose limitation — not use Guest data for our own purposes, not sell it, and not share it across Operators. The sole exception is the creation and use of aggregated and de-identified data under Section 6, which is not Guest personal data and cannot be linked to any Guest or Operator.
  3. Confidentiality — bind personnel with access to confidentiality obligations.
  4. Security — maintain technical and organizational measures appropriate to the risk (Section 10).
  5. Sub-processors — use only sub-processors of the kinds described in Section 8 under equivalent obligations, and give notice of material changes. If you do not wish to continue with a new sub-processor, you may cancel the Service; we do not provide a separate objection right.
  6. Data-subject requests — assist the Operator in responding to Guest access, deletion, and similar requests.
  7. Breach notification — notify the Operator without undue delay, and within 72 hours of becoming aware of a personal-data breach affecting their Guest data.
  8. Deletion / return — Guest and booking data is exportable at any time while the account is active; on termination, access is revoked and we delete or return Guest data per Section 12 and the Terms.
  9. International transfers — where applicable, rely on Standard Contractual Clauses or another lawful mechanism.

10. Security

We use encryption in transit and at rest, access controls, least-privilege practices, and regular review. No system is perfectly secure, and we cannot guarantee absolute security, but we work to protect the information we hold and to notify affected parties as required by law.

11. Your privacy rights

California (CCPA/CPRA)

California residents may request to know/access, correct, and delete personal information, and to opt out of "sharing"/"sale." Because our marketing pixels may be "sharing," you can opt out at any time using the "Your Privacy Choices" link in our website footer. We will not discriminate against you for exercising these rights. For Guest data, requests should go to the relevant Operator; we will assist them.

Other US states

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have comparable rights to access, correct, delete, and opt out of targeted advertising.

EEA / UK (where GDPR applies)

Rights to access, rectify, erase, restrict, port, and object, and to withdraw consent and complain to a supervisory authority.

To exercise rights, contact legal@artistryhost.com. We will verify your identity and respond within the time the law requires (e.g., 45 days under CCPA, one month under GDPR).

12. Data retention

We keep Operator account data while the account is active and as needed for legal, tax, and dispute purposes. Guest data is retained per the Operator's instructions and our Terms. The Operator may export Guest and booking data at any time while the account is active; on termination, access is revoked and we delete or de-identify the data on our standard schedule, subject to legal holds. If the account is reinstated, access is restored.

13. Children's data

The Service is for businesses, not for children. We do not knowingly collect personal information from children under 13 for our own purposes. Guest records may include minors who an adult books into an experience; that data is the Operator's responsibility as controller, and the Operator is responsible for any applicable parental-consent requirements.

14. International users

We operate from the United States, and information we process is handled in the US and the regions our sub-processors use. If you access the Service from outside the US, you understand your information will be processed in the US.

15. Changes to this Policy

We may update this Policy. For material changes we will post the new effective date and, where appropriate, give additional notice. Continued use after the effective date is acceptance.

16. Contact

Cork & Candles Franchising LLC d/b/a ArtistryHost · 255 Main Street, Suite 150, King of Prussia, PA 19406 · legal@artistryhost.com