Legal / Privacy Policy

Privacy Policy

Effective Date: June 7, 2026

Last Updated: June 7, 2026

Ovation Entertainment Solutions, LLC ("Company," "we," "us," or "our") operates Ovation OS, a software-as-a-service platform for event production and equipment rental management. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our marketing website at ovation-os.com, our application at ovation-os.com, and our related services (collectively, the "Services").

By accessing or using our Services, you agree to this Privacy Policy. If you do not agree with our practices, please do not use our Services.

1. Information We Collect

1.1 Information You Provide

We collect information you provide directly to us, including:

  • Account Information: Name, email address, phone number, company name, job title, and password when you create an account.
  • Billing Information: Billing address and tax identification numbers, and payment card details processed through our payment processor (Stripe). We do not store full payment card numbers.
  • Business Data: Information about your operations that you input into the platform, including equipment and inventory, jobs and projects, venues and locations, schedules, quotes, and invoices.
  • Information About Your Clients and Contacts: Names, email addresses, phone numbers, addresses, and notes about your customers, leads, and their contacts that you add to the platform.
  • Crew and HR Information: Information about your employees and contractors, such as names, contact details, job titles, pay rates, availability, time entries, leave requests, emergency contacts, and dates of birth. We do not collect Social Security numbers, tax identification numbers, W-9 forms, or bank account details for your crew; where required, those are handled by a third-party payroll provider.
  • Documents and Files: Files you upload, which may include contracts, signed documents, receipts, and photos.
  • Electronic Signature Data: When documents are signed through the platform, we record the name, email address, timestamp, and IP address of each signer as evidence of the signature.
  • Communications: Messages, feedback, and correspondence you send to us or through the platform.
  • Support Requests: Information provided when you contact customer support or submit a bug report or feature request.

1.2 Information Collected Automatically

When you use our Services, we automatically collect:

  • Usage Data: Pages visited, features used, actions taken, time spent, and interaction patterns.
  • Device Information: IP address, browser type, operating system, device identifiers, and screen resolution.
  • Log Data: Access times, error logs, referring URLs, and activity records. For security and accountability, our audit logs record the IP address and browser user agent associated with actions taken in your account.
  • Location and Time-Clock Data: If you or your workspace enable mobile or time-clock features, we may collect geolocation (GPS coordinates and accuracy) and a photo captured at clock-in or clock-out, along with device information. Workspaces control whether these features are enabled, including geofencing. Biometric unlock on mobile devices is handled entirely on your device; we do not receive or store biometric data.
  • Cookies and Local Storage: We use first-party cookies and local storage to maintain sessions and remember preferences. See Section 12.
  • Error Monitoring and Diagnostics: Our error-monitoring and logging provider (Better Stack) may capture diagnostic information, including IP addresses and technical details about errors, to help us diagnose problems.

1.3 Information from Third Parties

We may receive information from:

  • Connected Services: Data from services you choose to connect to Ovation OS, such as Google Drive, Microsoft OneDrive, and Stripe.
  • Authentication Providers: If you use single sign-on (SSO) or social login, we receive basic profile information from your identity provider.
  • Background-Check Provider: If you initiate a background check on a crew member or contractor, we receive the status and results of that check from our screening provider.
  • Business Partners: Referral information from partners who recommend our Services.

2. How We Use Your Information

We use collected information for the following purposes:

2.1 Providing and Improving Services

  • Operating, maintaining, and improving our platform
  • Processing transactions and sending related information
  • Providing customer support and responding to inquiries
  • Developing new features and services
  • Powering AI-assisted features to help automate your workflows

2.2 Communications

  • Sending service-related notices (e.g., account verification, security alerts, billing)
  • Sending marketing communications (with your consent where required)
  • Responding to your comments, questions, and requests

2.3 Security and Compliance

  • Detecting, preventing, and addressing fraud, abuse, and security issues
  • Complying with legal obligations
  • Enforcing our Terms of Service
  • Maintaining audit logs for accountability and compliance

2.4 Analytics and Research

  • Analyzing usage patterns within our own systems to improve the user experience
  • Conducting research and analysis on platform performance
  • Generating aggregated, anonymized insights about industry trends

We do not use third-party analytics or advertising providers for these purposes.

3. How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

3.1 Service Providers and Sub-processors

We share information with third-party vendors who process data on our behalf to operate the Services. Our current sub-processors include:

  • Hosting and infrastructure: Google Cloud Platform and Vercel (application hosting, United States) and Supabase (database, authentication, and file storage).
  • Payments: Stripe (subscription billing and, where you enable it, collecting payments from your own customers).
  • Email: Resend (sending and receiving email on your behalf, including invoices, quotes, and notifications).
  • Webhooks: Svix (delivering event notifications to endpoints you configure).
  • AI providers: Anthropic (primary), and Google and OpenAI for certain features such as semantic search. See Section 13.
  • Error monitoring and logging: Better Stack (error, performance, and diagnostic log data, which may include IP addresses).
  • Push notifications: Expo (mobile push delivery).
  • Geolocation: Radar (address geocoding and geofencing).
  • Electronic signatures: OvationSign, our document-signing service, which is based on Documenso.
  • Background checks: backgroundchecks.com / ClearChecks (only when you initiate a screening).
  • Payroll: Remote.com (only when you enable payroll features).
  • Connected cloud storage: Google Drive and Microsoft OneDrive (only when you connect them).
  • Mobile wallet passes: PassSlot (generating crew credential passes).

These providers are contractually obligated to use your information only as necessary to provide services to us. A current list of sub-processors is available on request.

We do not use third-party advertising networks or behavioral-advertising cookies, and we do not track you across unaffiliated websites for advertising purposes. We do set authentication cookies across our own domains and the custom and portal domains you configure (for example, a client portal at portal.yourcompany.com) so that you and your users stay signed in. See Section 12.

3.2 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your personal information.

3.3 Legal Requirements

We may disclose information if required to do so by law or in response to valid legal requests, including:

  • Subpoenas, court orders, or legal process
  • Requests from law enforcement or government agencies
  • Protecting rights, property, or safety of the Company, our users, or others

3.4 With Your Consent

We may share information with third parties when you give us explicit consent to do so.

3.5 Aggregated or De-identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you.

4. Business Data and Data Processing Roles

Ovation OS is a business-to-business service. Much of the information in your workspace is data you provide about other people, such as your clients and their contacts, and your employees and contractors. For this information, you (our customer) are the controller and we act as a processor on your behalf, handling it according to your instructions and our customer agreement, including any Data Processing Addendum.

You are responsible for providing any required notices to, and obtaining any required consents from, the individuals whose information you add to the platform, including for sensitive activities such as background checks, time-clock location tracking, and electronic signatures.

For your own account information and our marketing relationship with you, we act as the controller.

5. Data Retention

We retain your information for as long as necessary to:

  • Provide our Services to you
  • Comply with legal obligations (e.g., tax and accounting requirements)
  • Resolve disputes and enforce agreements
  • Maintain backups for disaster recovery purposes

When you close your account or request deletion, we will delete or anonymize your personal information within 90 days, except where retention is required by law or for legitimate business purposes (such as audit logs and tax and accounting records).

Business data (equipment records, client information, invoices, and similar) that you input into the platform is retained according to your subscription agreement. You may export your data at any time.

6. Data Security

6.1 Technical and Organizational Measures

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Authentication requirements, including optional multi-factor authentication
  • Tenant isolation and row-level security in our database
  • Audit logging of account activity
  • Background checks on our employees
  • Incident response procedures

6.2 Access Controls and Permissions

Ovation OS uses a multi-tenant, role-based access control (RBAC) model so that information is only accessible to authorized users:

  • Tenant hierarchy: Data is organized under Organizations (the top-level tenant) and Workspaces (sub-tenants within an Organization). Each Workspace's data is isolated from other Workspaces and Organizations, except where applicable with OvationSync.
  • Roles: Access is granted through organization owners and members, workspace members, and teams or groups, each with defined roles.
  • Granular permissions: Permissions are defined per resource and per action (for example, viewing, creating, editing, or deleting a specific type of record) and are granted to the users and groups that need them.
  • Group inheritance: Users may inherit permissions from the teams or groups to which they belong.
  • API keys: Programmatic access uses API keys that carry only the permissions you assign, can be restricted by origin or IP address, and can be revoked at any time.
  • Enforcement: Permission checks are enforced on protected operations, and access is recorded in our audit logs.

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Your Rights and Choices

7.1 Access and Portability

You have the right to access and receive a copy of your personal information. You can export your data directly from the platform or request a copy by contacting us.

7.2 Correction

You can update or correct your account information at any time through your account settings. If you need assistance, contact us.

7.3 Deletion

You may request deletion of your personal information by contacting us. We will delete your information unless we have a legal obligation or legitimate business need to retain it.

7.4 Objection and Restriction

You may object to or request restriction of certain processing activities, including direct marketing communications.

7.5 Marketing Communications

You may opt out of marketing communications by clicking the unsubscribe link in any email or by adjusting your account preferences. Note that you will continue to receive transactional communications related to your account.

7.6 Cookie Preferences

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect functionality.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and service providers are located.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Your explicit consent where appropriate

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request information about the categories and specific pieces of personal information we have collected.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out: We do not sell personal information. If this changes, you will have the right to opt out.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at privacy@ovation-os.com.

10. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

  • Right of Access: Obtain confirmation of processing and access to your data.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your data in certain circumstances.
  • Right to Restriction: Restrict processing in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

Our legal bases for processing include:

  • Contract performance (to provide the Services)
  • Legitimate interests (security, improvement, and analytics)
  • Legal compliance
  • Consent (marketing)

You may lodge a complaint with your local data protection authority if you believe we have violated your rights.

11. Children's Privacy

Our Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete that information promptly. If you believe we have collected information from a child, please contact us.

12. Cookies and Tracking Technologies

We use first-party cookies and similar technologies. We do not use third-party advertising cookies, and we do not track you across unaffiliated websites for advertising or behavioral profiling.

  • Essential cookies: Authentication and session cookies that keep you signed in and maintain security. The Services will not function properly without these.
  • Cross-domain authentication: To keep you and your users signed in as you move between our domains and any custom or portal domains you configure (for example, a client portal at portal.yourcompany.com), we set authentication cookies on those domains. These are used solely to maintain your session, not for advertising.
  • Functional cookies and local storage: Remember preferences such as your active workspace, theme, and sign-in method.
  • Error monitoring and diagnostics: Our monitoring provider (Better Stack) sets technologies that help us diagnose errors and may capture diagnostic information, including IP addresses and technical details about the state of the application when an error occurred.

You can manage or block cookies through your browser settings, but blocking essential cookies may prevent you from using the Services.

13. AI-Powered Features

Our platform includes AI-powered features (the "AI Assistant") that help automate tasks and surface insights. When you use these features:

  • Your prompts and relevant workspace context, which may include business data such as client, lead, crew, project, scheduling, and financial records, and the contents of documents you ask the assistant to process, are sent to our AI providers to generate a response.
  • Our primary AI provider is Anthropic. Certain features also use Google and OpenAI (for example, to power semantic search).
  • We do not use your data to train AI models.
  • AI interactions, including your prompts, the responses generated, and related results, are stored in your workspace so that you can revisit past conversations and for quality assurance and troubleshooting. Workspace administrators may share conversations with other members of the same workspace.
  • You can disable AI features in your workspace settings.

14. Third-Party Links and Services

Our Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

  • Posting a notice on our website
  • Sending an email to account holders
  • Displaying an in-app notification

Your continued use of our Services after the effective date of changes constitutes acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Ovation Entertainment Solutions, LLC

Email: privacy@ovation-os.com

Website: https://ovation-os.com

Application: ovation-os.com

For GDPR-related inquiries, you may also contact our Data Protection Officer at dpo@ovation-os.com.

We will respond to your request within 30 days, or sooner as required by applicable law.