Privacy Policy

Effective April 21, 2026

The short version

In plain English.

  • We collect only what we need to run the Service: your email and password (if you register), optional profile details, and the events you save.
  • We don't sell your data. We don't rent it. We don't trade it. We never will.
  • We don't run third-party ad trackers, session replay tools, or behavioral profilers.
  • We store data with a few well-known providers (Supabase, Vercel, Cloudflare) that are contractually required to protect it.
  • You can delete your account anytime. Your data is wiped on a rolling basis after that.
  • Questions or requests: email us. We answer.

This summary is a convenience, not a contract. The detailed policy below is the controlling document.

Scope of this policy

This Privacy Policy (the “Policy”) describes how The Fringe (“The Fringe,” “we,” “us,” “our”) collects, uses, discloses, retains, and protects personal information in connection with the website at alleymap.com, any related mobile applications, APIs, emails, and other services (collectively, the “Service”).

Your use of the Service is also governed by our Terms of Service, which are incorporated by reference. Capitalized terms not defined here have the meanings given in the Terms.

Information we collect

We collect only what is reasonably necessary to operate and improve the Service. The categories below describe what we may collect; whether we actually collect a given category depends on how you use the Service.

Account registration

When you create an account, we collect your email address, a password, your first and last name, and your date of birth. Passwords are processed by our authentication provider, Supabase Auth, which stores them as salted hashes; The Fringe staff never see your plaintext password. You may also sign in by one-time email link (“magic link”) instead of a password. Date of birth is used to verify that you meet the Service's minimum age and is not shown publicly.

Optional profile details

You may choose to add your phone number, preferred NYC neighborhoods, preferred genres, and a “show-finding style” (spontaneous / planner). These help us personalize recommendations. All fields are optional and you can remove them at any time.

Saved events and interactions

When you save an event (“interested” list), swipe through Match Mode, or set filters, we store these interactions so the Service can show them back to you across devices. Swipe-left / skip decisions are stored to prevent us from showing you the same show twice.

Authentication cookies

When you sign in (by password or magic link), our authentication provider (Supabase Auth) issues a session that we store in a secure HTTP-only cookie via the @supabase/ssr library. This cookie keeps you signed in across server and client requests, and is cleared when you sign out or when the session expires. It is a strictly necessary cookie under ePrivacy / GDPR Article 5(3).

Local browser storage

We use your browser's local storage to cache filters, saved-event IDs, and your cookie-consent decision for a faster experience. This data never leaves your device until you sign in, at which point the saved-event list is synced with your account.

Server logs

Our hosting provider (Vercel) automatically logs request data including IP address, user agent, timestamp, and the URL requested. These logs are used for security, rate limiting, abuse prevention, and troubleshooting. They are typically retained for 30 days and are not combined with your account data for analytics or advertising.

Bot / abuse protection

We use Cloudflare Turnstile on signup forms to detect automated abuse. Turnstile collects limited telemetry (e.g., timing and device-class signals) but is designed to avoid collecting personally identifying information and does not use the data for advertising.

Geolocation (browser-only)

If you enable location-based features (e.g., “closest to me”), your browser computes distances locally. Your coordinates are not transmitted to our servers.

Communications with us

When you email us or respond to a product survey, we retain the contents of those messages for as long as needed to respond to your inquiry and document our support history.

What we do not collect

  • No third-party advertising trackers (no Google Analytics, Meta Pixel, TikTok Pixel, AppNexus, Criteo, or similar).
  • No session-replay tools (no FullStory, Hotjar, LogRocket, Microsoft Clarity).
  • No behavioral profiling, fingerprinting, or cross-site tracking.
  • No sale, rental, lease, trade, or sharing of your personal information with data brokers or advertisers.
  • No precise geolocation on our servers. Distance calculations happen in your browser.
  • No scraping of third-party accounts (we never ask for social-login credentials to “import” contacts).

How we use your information

We use the categories of information described above for the following purposes:

  • To provide, operate, and maintain the Service and core features (sign-in, saving events, matching, filtering).
  • To personalize content, including recommendations based on your stated preferences.
  • To respond to support requests, feedback, copyright notices, and legal inquiries.
  • To detect, prevent, and respond to abuse, fraud, security incidents, and violations of our Terms.
  • To improve the Service through aggregate, de-identified analysis of usage patterns. We do not build individual behavioral profiles.
  • To communicate with you about the Service, including important administrative notices (e.g., security alerts, policy changes). Marketing emails are opt-in only.
  • To comply with legal obligations, enforce our Terms, and establish, exercise, or defend legal claims.

Under applicable privacy laws such as the GDPR and equivalent frameworks, our lawful bases for processing are (a) performance of a contract (providing the Service you requested), (b) your consent where required (optional profile fields, marketing emails), (c) our legitimate interests (securing the Service, preventing abuse, product improvement), and (d) compliance with legal obligations.

How we share your information

We share personal information only in the limited circumstances listed below. We do not, and will not, sell, rent, lease, or trade your personal information for advertising or marketing purposes.

Service providers

We share data with a small number of vendors that process information on our behalf under written contracts requiring them to protect it and use it only to provide their services to us:
  • Supabase — authentication and database hosting. Stores your account credentials (email, password hash), profile data, saved events, and related records.
  • Vercel — web hosting, serverless functions, and request routing. Processes server logs on a short retention window.
  • Cloudflare — bot detection (Turnstile) and edge security protections on our forms.
Each vendor maintains its own privacy policy and security program. We continually evaluate our vendor stack and may add or change vendors; we will update this list when material changes occur.

Legal and safety

We may disclose information if we believe in good faith that doing so is necessary to: (a) comply with a lawful subpoena, court order, or other legal process; (b) enforce our Terms; (c) investigate or prevent fraud, security, or technical issues; or (d) protect the rights, property, or safety of The Fringe, our users, or the public.

Business transfers

If The Fringe is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of the transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

With your direction

If you publicly post content on the Service, or explicitly authorize us to share your information with a third party, we will do so consistent with your direction.

International data transfers

We and our service providers are based in the United States. If you access the Service from outside the United States, your information will be transferred to, processed in, and stored in the United States and possibly other jurisdictions, which may have data-protection laws that differ from those in your country. Where required (e.g., under GDPR), we rely on Standard Contractual Clauses or equivalent legal mechanisms for cross-border transfers.

How long we keep your information

  • Account data: retained while your account is active. Deleted within 30 days after you delete your account, except where continued retention is required for legal, security, or fraud-prevention purposes.
  • Saved events and preferences: retained with your account; removed when the account is deleted.
  • Server logs: purged by Vercel on a rolling basis, typically within 30 days.
  • Support correspondence: retained for up to 3 years to maintain a support history and resolve disputes.
  • Backups: encrypted backups are rotated on a regular cycle and purged within 90 days.

Security

We implement commercially reasonable technical and organizational measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include: HTTPS/TLS for all data in transit, encrypted storage at rest, row-level-security policies in our database, the principle of least privilege for staff and vendor access, periodic credential rotation, and logging of administrative actions.

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. You are responsible for safeguarding your password (if you set one) and the email account you sign in with, since anyone with access to that inbox can request a magic-link sign-in. If you believe your account or email has been compromised, contact us immediately.

Data breach notification

In the event of a breach that compromises your personal information, we will notify you and the applicable regulators as promptly as reasonably possible, and no later than required by applicable law (including, where applicable, within 72 hours of becoming aware under GDPR Article 33 and on an “expedient and without unreasonable delay” basis under the New York SHIELD Act). Notifications will be sent via the email on file and, where appropriate, posted publicly on the Service.

Your privacy rights

Depending on where you live, you may have the following rights over your personal information:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct inaccurate or incomplete information.
  • Deletion — ask us to delete your account and associated information.
  • Portability — receive your data in a structured, machine-readable format (JSON).
  • Restriction / objection — ask us to restrict or object to certain processing.
  • Opt-out of marketing — unsubscribe from marketing email at any time.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time (without affecting the lawfulness of prior processing).
  • Complaint — lodge a complaint with your local data-protection authority.

To exercise any of these rights, email contact.alleymap@gmail.com. We will respond within 30 days and may ask you to verify your identity before acting on sensitive requests. We will not discriminate against you for exercising any right granted by law.

California residents (CCPA / CPRA)

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents have the rights described above, plus the right to know the categories of personal information collected, the categories of sources, the business purposes for collecting, and the categories of third parties with whom information is shared.

We do not sell or share personal information for cross-context behavioral advertising, as those terms are defined by the CCPA/CPRA. We do not knowingly sell or share the personal information of any consumer under 16 years of age. You do not need to submit a “Do Not Sell My Personal Information” request, because there is no sale or sharing to opt out of.

California residents may designate an authorized agent to submit requests on their behalf. The agent must provide proof of authorization.

European / UK residents (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the controller of your personal information is The Fringe. Our lawful bases for processing are described above under “How we use your information.”

You have the rights described above, including the right to lodge a complaint with your local supervisory authority. For residents of the UK, the Information Commissioner's Office (ICO) is the relevant authority.

We do not rely on automated decision-making with legal or similarly significant effects (GDPR Article 22). Recommendations are advisory and based on preferences you explicitly set.

Children

The Service is not directed to children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe that we have collected personal information from a child, contact us at contact.alleymap@gmail.com and we will delete it promptly.

Cookies and tracking technologies

We use a small number of strictly necessary and functional cookies and storage mechanisms, described below. We do not use advertising cookies, pixels, beacons, or other cross-site trackers.

  • Session cookie (Supabase Auth): keeps you signed in. Expires on sign-out or session expiry. Strictly necessary.
  • Cookie-consent localStorage value: remembers whether you've accepted or declined our welcome message. Not a cookie, and not transmitted to our servers.
  • Local-cache entries: your saved-event IDs and recent filter selections are cached in localStorage for performance.
  • Cloudflare Turnstile: runs a short-lived challenge to detect bots on our signup form. See Cloudflare's privacy documentation for details.

Browsers that send a Do Not Track or Global Privacy Control signal are honored: since we do not sell, share, or track across sites, no additional action is required to respect those signals.

Changes to this policy

We may update this Policy from time to time. When we make material changes (for example, adding a new vendor, changing retention periods, or adding a new category of data), we will update the effective date above and notify registered users in-product or by email before the changes take effect, where reasonably practicable. Your continued use of the Service after the effective date of an updated Policy constitutes your acceptance.

Contact

Questions, requests, complaints, or anything else privacy-related go to contact.alleymap@gmail.com. We read every message and typically respond within two business days.