Privacy policy
VIVIDPARK
PRIVACY POLICY
ICOGON LLC
75 E 3rd St, Sheridan, Wyoming 82801
contact@vividpark.com
Effective Date: April 1, 2026
Section 1 -- Preamble
This Privacy Policy (this "Policy") is issued by ICOGON LLC, a Wyoming limited liability company doing business as VividPark, with its principal place of business at 75 E 3rd St, Sheridan, Wyoming 82801 ("Company," "we," "us," or "our").
This Policy explains what personal information the Company collects about you when you use the VividPark platform, including the Company's website, mobile application, and any related services (collectively, the "Platform"). It explains how that information is used, who it may be shared with, how long it is kept, and what rights you have over it. The Company is committed to handling your personal information responsibly and in accordance with applicable law.
This Policy applies to every person who accesses or uses the Platform in any capacity, whether as a buyer of a parking pass, a commercial seller of a parking pass, or a visitor. It applies regardless of whether you create a registered account or complete a purchase through guest checkout. It does not apply to third-party websites, services, or platforms that may be linked to or from the Platform. Those third parties operate under their own privacy policies, and the Company is not responsible for their data practices.
If you are a resident of California, the California Consumer Privacy Act supplement in Section 10 of this Policy applies to you in addition to the rest of this Policy. If you are habitually resident in a member state of the European Union, the GDPR supplement in Section 11 applies to you. If you are habitually resident in the United Kingdom, the UK GDPR supplement in Section 12 applies to you. Where any of those supplements conflict with another provision of this Policy, the supplement prevails for users to whom it applies.
This Policy should be read alongside the VividPark Terms of Service and, where applicable, the VividPark Seller Agreement. Those documents govern your use of the Platform. This Policy governs the Company's handling of your personal information in connection with that use.
By using the Platform, you confirm that you have read and understood this Policy. If you do not agree with how the Company handles your personal information as described here, you should not use the Platform.
Section 2 -- Definitions
The following terms have specific meanings throughout this Policy. Every term is defined here before it appears in the body of the document. When you see a capitalized word in this Policy, it has the meaning given below.
"Buyer" means any individual who purchases a Pass through the Platform, whether through a registered account or guest checkout.
"Commercial Seller" means a parking operator, facility manager, or professional reseller of parking access who has been approved by the Company to list Passes on the Platform pursuant to the VividPark Seller Agreement. The term includes two categories: Parking Operators, meaning entities that own or manage the parking facility to which a Pass grants access, and Professional Traders, meaning businesses or individuals engaged in the commercial resale of parking access. The Company is not a Commercial Seller.
"Company Listing" means a Pass listed for sale on the Platform by the Company acting as a direct seller in its own right, as distinguished from a Pass listed by a Commercial Seller. Company Listings are identified as such at the listing level on the Platform.
"Controller" means the natural or legal person that determines the purposes and means of processing personal data. This term carries the meaning given to it under the GDPR and UK GDPR where those instruments apply.
"Device Data" means technical information automatically collected about the device you use to access the Platform, including IP address, browser type and version, operating system, device identifiers, and general location inferred from IP address.
"Event" means a live sporting event, concert, festival, exhibition, or other gathering to which a Pass grants or is intended to grant access to associated parking.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the General Data Protection Regulation, as it applies in member states of the European Union.
"Guest Checkout" means the process by which a Buyer completes a purchase on the Platform without creating a registered account. A Buyer who uses Guest Checkout remains subject to this Policy in the same way as a registered User.
"License Plate Data" means the vehicle license plate number provided by a Buyer before the start of the reservation period associated with a Pass, as required for entry to certain parking facilities.
"Pass" means a digital parking pass listed for sale on the Platform, whether by a Commercial Seller or through a Company Listing, that grants or is intended to grant access to parking at or near a venue hosting an Event.
"Personal Data" and "Personal Information" are used interchangeably in this Policy. Both terms mean any information that identifies, relates to, describes, or is reasonably capable of being associated with a particular individual. Where the GDPR or UK GDPR applies, "Personal Data" carries the specific meaning given to it by those instruments.
"Platform" means the VividPark website, mobile application, and any related services operated by the Company.
"Processing" means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, transfer, and deletion. "Process" and "Processed" carry the same meaning.
"Seller Account" means the registered account created by a Commercial Seller on the Platform pursuant to the VividPark Seller Agreement.
"Shopify Payments" means the payment processing service provided by Shopify Inc. and its affiliates, which the Company uses to process all payment transactions on the Platform.
"UK GDPR" means the retained version of the GDPR as it forms part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
"User" means any individual who accesses or uses the Platform in any capacity, including as a Buyer, a Commercial Seller, or a visitor. Where a provision of this Policy applies specifically to Buyers or Commercial Sellers, those more specific terms are used.
"User Account" means a registered account created by a User on the Platform.
Section 3 -- What Data We Collect
This section describes every category of Personal Data the Company collects about Users, and explains the source of that data in each case. The Company collects data in three ways: directly from you when you provide it, automatically when you use the Platform, and from third parties involved in operating the Platform.
3.1 Data You Provide Directly
When you create a User Account or Seller Account, the Company collects your full name, email address, and any other information you choose to provide during the registration process. When you complete a purchase as a Buyer, whether through a registered account or Guest Checkout, the Company collects your name, email address, and billing address. When you complete a purchase as a Buyer and a License Plate requirement applies to your reservation, the Company also collects your License Plate Data. License Plate Data is collected before the start of the reservation period, not at the point of purchase, and is used solely to enable access to the parking facility associated with your Pass. It is not used for any marketing or profiling purpose.
When you apply to become a Commercial Seller, the Company collects the information required during the onboarding process, which may include your business name, business address, contact details, and any documentation required to verify your eligibility to list on the Platform. Onboarding communications are handled through onboarding@vividpark.com.
When you contact the Company for any reason, including to raise a dispute, the Company collects the content of your communications and any supporting information you choose to provide. Dispute communications are handled through dispute@vividpark.com.
3.2 Payment Data
All payment transactions on the Platform are processed by Shopify Payments. When you make a purchase, your payment card details, including card number, expiry date, and security code, are entered directly into Shopify Payments' secure environment and are not transmitted to or stored by the Company. The Company receives only a transaction confirmation and limited non-sensitive payment identifiers necessary to record the completed transaction. For further information about how Shopify Payments handles your payment data, please refer to Shopify's privacy policy, which is available on Shopify's website.
3.3 Automatically Collected Data
When you access or use the Platform, the Company and its service providers automatically collect certain Device Data. This includes your IP address, browser type and version, operating system, device type, device identifiers, the pages or screens you view, the links you click, the time and date of your visit, and general location information inferred from your IP address. This data is collected through standard web technologies including cookies, web beacons, and similar tracking tools. The Company's use of those technologies is described in Section 8 of this Policy.
3.4 Analytics Data
The Company uses Shopify's native analytics tools to collect and analyze information about how Users interact with the Platform. No third-party analytics provider is used. All analytics processing is conducted within the Shopify platform environment and is subject to Shopify's privacy practices, which are described in the Shopify Consumer Privacy Policy available at privacy.shopify.com.
3.5 Data Collected Through Guest Checkout
A Buyer who completes a purchase through Guest Checkout provides the same categories of personal information as a registered Buyer, namely name, email address, billing address, and, where applicable, License Plate Data. That information is collected and used by the Company in the same way as information provided by a registered Buyer. The Company uses the email address provided at Guest Checkout to deliver the Pass and to communicate with the Buyer about their order. Guest Checkout data is retained in accordance with Section 7 of this Policy. A Buyer who completes a Guest Checkout does not create a User Account, but the information collected at checkout is still subject to this Policy in full.
3.6 Data About Minors
The Platform is not directed at individuals under the age of 18. The Company does not knowingly collect Personal Data from anyone under 18. If the Company becomes aware that it has collected Personal Data from a minor, it will delete that data promptly. If you believe that the Company may have collected data from a minor, please contact the Company at contact@vividpark.com.
Section 4 -- How We Use Your Data
This section explains the purposes for which the Company uses the Personal Data it collects. For Users in the EU and UK, the lawful basis for each processing activity is addressed in the GDPR and UK GDPR supplements in Sections 11 and 12. For California residents, the corresponding CCPA disclosures are in Section 10.
4.1 Account Creation and Management
The Company uses the name and email address you provide when creating a User Account or Seller Account to set up and maintain your account, to authenticate your identity when you log in, and to communicate with you about your account. For Commercial Sellers, the Company also uses onboarding information to verify eligibility, to administer the Seller Agreement, and to manage the seller relationship throughout its duration.
4.2 Order Processing and Pass Delivery
The Company uses your name, email address, billing address, and transaction data to process your purchase, confirm your order, and deliver your Pass to you by email. Where you purchase within 24 hours of the Event start time, the Company uses your contact details to deliver the Pass as soon as payment is verified and the sale is processed. The Company also uses your email address to send you order confirmations, delivery notifications, and any other communications directly related to your purchase.
4.3 License Plate Verification
The Company uses your License Plate Data solely to enable access to the parking facility associated with your Pass and to communicate that data to the relevant parking operator where required for entry. License Plate Data is not used for any marketing purpose and is not combined with other data to build a profile of you.
4.4 Payment Processing
All payment transactions on the Platform are processed by Shopify Payments. The Company shares transaction data with Shopify Payments for the purpose of processing your payment and maintaining a record of completed transactions. Where a Commercial Seller is due a payout, the Company uses transaction and account data to calculate, verify, and administer that payout in accordance with the Seller Agreement. Currency conversion for non-USD transactions is handled automatically through Shopify. Payouts to Commercial Sellers are made in USD regardless of the currency in which the original transaction was completed.
4.5 Fraud Prevention and Platform Security
The Company uses Personal Data, including Device Data, transaction data, and account information, to detect, investigate, and prevent fraudulent transactions, unauthorized access, and other conduct that violates the Company's terms or applicable law. This includes automated review of transaction patterns and account activity conducted through Shopify's native fraud detection tools. Where the Company identifies conduct that may constitute fraud, it may use relevant data to support a clawback of funds, account suspension, or referral to law enforcement in accordance with the Seller Agreement and Terms of Service.
4.6 Dispute Resolution
When a dispute is raised through dispute@vividpark.com, the Company uses the information provided by the parties involved, together with relevant transaction and account data held by the Company, to investigate and resolve the dispute. Data collected in connection with a dispute may be retained for longer than the standard retention periods set out in Section 7 where it is necessary to do so for legal or compliance purposes.
4.7 Customer Support
The Company uses your contact details and any information you provide when you get in touch to respond to your queries, complaints, or requests. Communications sent to contact@vividpark.com are handled in this way.
4.8 Platform Analytics and Improvement
The Company uses Device Data and usage information collected through Shopify's native analytics tools to understand how Users interact with the Platform, to identify and fix technical issues, to improve the Platform's features and performance, and to inform decisions about the Platform's development. No third-party analytics provider is used. All analytics processing is conducted within the Shopify platform environment and is subject to Shopify's privacy practices, which are described in the Shopify Consumer Privacy Policy available at privacy.shopify.com.
4.9 Marketing Communications
Where you have given your consent, or where the Company has another lawful basis to do so, the Company may use your email address to send you marketing communications about the Platform, including information about new features, upcoming events, and promotions. Marketing emails are sent through Shopify's native email tools. Every marketing email includes a clear and simple option to unsubscribe. If you unsubscribe, the Company will stop sending marketing emails to you promptly. The Company does not sell your Personal Data to third parties for their own marketing purposes.
4.10 Legal Compliance
The Company uses Personal Data where it is necessary to comply with a legal obligation, to respond to a lawful request from a court, regulator, or law enforcement authority, or to establish, exercise, or defend a legal claim. This basis for processing applies regardless of the other purposes described in this section.
4.11 EU Consumer Pricing
For Users accessing the Platform from within the European Union, all prices are displayed tax-inclusive in accordance with applicable EU consumer law. The Company uses location information inferred from your IP address or, where available, your account settings to determine which pricing display applies to you.
Open Items
Attorney review -- Section 4.9: For EU and UK Users, email marketing to individuals is governed by PECR in the UK and the ePrivacy Directive in the EU, both of which generally require prior consent. The soft opt-in exemption may apply where a User has previously purchased through the Platform. Counsel should confirm the lawful basis for marketing to EU and UK Users before launch.
Section 5 -- How We Share Your Data
This section explains the circumstances in which the Company shares your Personal Data with third parties. The Company does not sell your Personal Data to third parties. The Company does not share your Personal Data with third parties for their own independent marketing purposes.
5.1 Shopify
The Platform is hosted and operated on Shopify's infrastructure. Information you submit through the Platform is transmitted to and processed by Shopify in order to provide the Services to you. This includes transaction data, account data, Device Data, and usage information. Shopify processes this data both as a service provider acting on the Company's behalf and, in certain circumstances, as an independent data controller in connection with Shopify's own platform-level services. Where Shopify acts as an independent controller, Shopify's own privacy practices apply. For further information about how Shopify handles your Personal Data, including how to exercise any rights you may have in connection with Shopify's processing, please visit the Shopify Consumer Privacy Policy at privacy.shopify.com.
5.2 Shopify Payments
Payment transactions on the Platform are processed by Shopify Payments. When you make a purchase, your payment details are transmitted directly to Shopify Payments' secure processing environment. Shopify Payments is responsible for the security and handling of your payment card data. The Company receives only a transaction confirmation and the limited non-sensitive payment identifiers necessary to record and administer the completed transaction. Shopify Payments may share transaction data with card networks, issuing banks, and other financial institutions as necessary to complete and verify your payment.
5.3 Parking Operators
Where a Pass requires License Plate Data for entry to a parking facility, the Company shares your License Plate Data with the relevant Parking Operator solely for the purpose of enabling your access to that facility. License Plate Data is shared with no other party and for no other purpose.
5.4 Commercial Sellers
Where you purchase a Pass listed by a Commercial Seller, the Company may share with that Commercial Seller the transaction information necessary for the Commercial Seller to fulfill its obligations under the Seller Agreement, including confirmation that a sale has been completed. The Company does not share your payment card details with Commercial Sellers. Where you purchase a Pass through a Company Listing, no third-party seller is involved and no transaction data is shared on that basis.
5.5 Legal Obligations and Law Enforcement
The Company may disclose your Personal Data to a court, regulator, law enforcement authority, or other government body where it is required to do so by law, where it is necessary to comply with a legal obligation, or where disclosure is necessary to establish, exercise, or defend a legal claim. Where permitted by law, the Company will notify you of any such disclosure request before complying with it.
5.6 Fraud Prevention and Enforcement
The Company may share Personal Data with third parties, including law enforcement agencies and fraud prevention services, where it is necessary to detect, investigate, or prevent fraud, unauthorized access, or other conduct that violates the Company's terms or applicable law. This includes sharing data in connection with a chargeback investigation or a clawback of funds under the Seller Agreement.
5.7 Business Transfers
If the Company is involved in a merger, acquisition, sale of assets, restructuring, or similar transaction, your Personal Data may be transferred to the acquiring entity or successor as part of that transaction. Where such a transfer occurs, the Company will take reasonable steps to ensure that your Personal Data continues to be handled in accordance with this Policy. Where required by applicable law, the Company will notify you of any such transfer.
5.8 Your Direction
The Company may share your Personal Data with a third party where you have expressly directed it to do so, or where your use of a feature of the Platform involves disclosure to a third party and you have been informed of that disclosure before using the feature.
5.9 International Transfers
The Company is incorporated in Wyoming and operates in the United States, European Union, and United Kingdom. Your Personal Data may be transferred to and processed in countries other than the country in which you reside, including the United States, where data protection laws may differ from those in your home jurisdiction. Where the Company transfers Personal Data originating from the European Economic Area or the United Kingdom to a country that has not been determined to provide an adequate level of protection, it will rely on recognized transfer mechanisms, including the European Commission's Standard Contractual Clauses or the equivalent mechanism recognized by the relevant UK authority, to ensure that your Personal Data receives an appropriate level of protection. For further information about the transfer mechanisms the Company relies on, please contact the Company at contact@vividpark.com.
Open Items
Attorney review -- Section 5.1: Counsel should confirm that Shopify's use of data collected through the Platform in connection with its broader merchant network does not constitute a sale or share under the CCPA, and that a formal data processing agreement with Shopify is in place or not required.
Attorney review -- Section 5.9: Counsel should confirm that the Standard Contractual Clauses and UK International Data Transfer Agreements are executed and in place before this Policy is published.
Section 6 -- User Rights and Choices
This section explains the rights you have over your Personal Data and how to exercise them. The rights available to you depend on where you live. Rights specific to California residents are set out in Section 10. Rights specific to EU residents are set out in Section 11. Rights specific to UK residents are set out in Section 12. The rights described in this section apply to all Users regardless of location, subject to applicable law.
6.1 Right to Access
You have the right to request access to the Personal Data the Company holds about you. This includes the right to know what categories of Personal Data the Company holds, the purposes for which it is used, and, where applicable, the specific pieces of Personal Data held about you. To make an access request, please contact the Company at contact@vividpark.com.
6.2 Right to Correction
You have the right to request that the Company correct any Personal Data it holds about you that is inaccurate or incomplete. If you have a User Account or Seller Account, you may also be able to correct certain information directly through your account settings. Where you request a correction that the Company is unable to make, the Company will explain why.
6.3 Right to Deletion
You have the right to request that the Company delete Personal Data it holds about you. The Company will honor deletion requests subject to its legal obligations and legitimate operational needs. In particular, the Company may retain certain data after a deletion request where it is required to do so by law, where the data is necessary to resolve a pending dispute or enforce an existing agreement, or where retention is otherwise permitted by applicable law. Where the Company retains data following a deletion request, it will explain the basis for doing so.
6.4 Right to Portability
Where applicable law provides for it, you have the right to receive a copy of the Personal Data you have provided to the Company in a structured, commonly used, and machine-readable format, and to request that the Company transmit that data to another organization where technically feasible.
6.5 Right to Object and Right to Restrict Processing
You have the right to object to the Company's processing of your Personal Data in certain circumstances, including where processing is based on the Company's legitimate interests. You also have the right to request that the Company restrict its processing of your Personal Data in certain circumstances, for example where you contest the accuracy of the data or where you have objected to processing and a determination of whether the Company's legitimate interests override your objection is pending. Where the Company restricts processing at your request, it will inform you before lifting that restriction.
6.6 Withdrawal of Consent
Where the Company relies on your consent as the basis for processing your Personal Data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal. To withdraw consent, please contact the Company at contact@vividpark.com or use the unsubscribe option in any marketing email sent to you.
6.7 Marketing Opt-Out
You may opt out of receiving marketing communications from the Company at any time by clicking the unsubscribe link in any marketing email or by contacting the Company at contact@vividpark.com. If you opt out, the Company will stop sending marketing communications to you promptly. Opting out of marketing communications does not affect the Company's ability to send you transactional communications directly related to your account or a purchase you have made, such as order confirmations and Pass delivery emails.
6.8 Cookie and Tracking Preferences
You may manage your cookie and tracking preferences through your browser settings or, where available, through the cookie preference tool on the Platform. Further information about the Company's use of cookies and similar technologies is set out in Section 8 of this Policy. Please note that disabling certain cookies may affect the functionality of the Platform.
6.9 Guest Checkout Users
If you completed a purchase through Guest Checkout and did not create a User Account, you may still exercise any of the rights described in this section by contacting the Company at contact@vividpark.com. The Company will verify your identity using the information provided at checkout before processing your request.
6.10 Authorized Agents
Where applicable law permits, you may designate an authorized agent to submit a rights request on your behalf. The Company may require the agent to provide proof of authorization and may require you to verify your identity directly with the Company before processing a request submitted by an agent.
6.11 How to Submit a Request
To exercise any of the rights described in this section, please contact the Company by email at contact@vividpark.com or by post at ICOGON LLC, 75 E 3rd St, Sheridan, Wyoming 82801. The Company will respond to your request within the timeframe required by applicable law. The Company will not discriminate against you for exercising any of your rights under this Policy.
6.12 Complaints
If you are dissatisfied with the Company's response to a rights request or have concerns about how the Company handles your Personal Data, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction. For California residents, the relevant authority is the California Privacy Protection Agency. For EU residents, the relevant authority is the data protection supervisory authority in the EU member state where you habitually reside, work, or where the alleged infringement occurred. For UK residents, the relevant authority is the Information Commissioner's Office. Contact details for each authority are available on their respective websites. The Company encourages you to contact it directly in the first instance so that it has the opportunity to address your concerns before you escalate to a supervisory authority.
Section 7 -- Data Retention
This section explains how long the Company keeps your Personal Data and the principles it applies when determining retention periods. The Company retains Personal Data only for as long as is necessary to fulfil the purpose for which it was collected, to comply with its legal obligations, and to resolve disputes or enforce its agreements. When Personal Data is no longer needed, the Company deletes or anonymizes it in a manner appropriate to its sensitivity.
7.1 Account Data
Personal Data associated with a User Account or Seller Account is retained for as long as the account remains active. If you close your account, or if the Company terminates your account in accordance with the Terms of Service or Seller Agreement, the Company will retain your account data for a period of three years following closure or termination. This retention period allows the Company to resolve any disputes arising from activity on the account, to comply with legal obligations, and to detect and prevent fraud. After that period, account data that is no longer required for any of those purposes will be deleted or anonymized.
7.2 Transaction Data
Records of completed transactions, including purchase confirmations, payout records, and Pass delivery records, are retained for a period of seven years from the date of the transaction. This period reflects the Company's obligation to maintain accurate financial records and its need to retain data in connection with potential disputes, chargebacks, or fraud investigations. Where a transaction is the subject of an active dispute or legal claim, the relevant records will be retained until that dispute or claim is fully resolved, regardless of the standard retention period.
7.3 License Plate Data
License Plate Data is retained for a period of 60 days following the conclusion of the Event to which the associated Pass relates. After that period, License Plate Data is deleted. License Plate Data is not retained beyond what is necessary to fulfill its operational purpose and to allow for the resolution of any access-related dispute arising from the Event.
7.4 Guest Checkout Data
Personal Data collected at Guest Checkout, including name, email address, and billing address, is retained for the same period as transaction data under Section 7.2. The absence of a registered account does not shorten the applicable retention period, as the data is necessary to maintain a record of the transaction and to support the Buyer's rights in connection with that transaction, including any dispute or refund request.
7.5 Dispute and Legal Hold Data
Where Personal Data is collected or retained in connection with a dispute raised through dispute@vividpark.com, or where the Company places a legal hold on data in anticipation of or in connection with litigation, regulatory inquiry, or law enforcement request, that data will be retained for as long as the dispute, proceeding, or inquiry remains active and for a further period of two years following its conclusion. This retention period allows the Company to maintain a complete record of the matter and to defend itself against any related claim that may arise after the matter is formally closed.
7.6 Communications Data
The content of communications sent to the Company through contact@vividpark.com, dispute@vividpark.com, or onboarding@vividpark.com is retained for a period of two years from the date of the communication. Where a communication forms part of a dispute or legal matter, the retention period in Section 7.5 applies instead.
7.7 Device and Usage Data
Device Data and usage information collected through Shopify's native analytics tools is retained in accordance with Shopify's own data retention practices. The Company does not independently control the retention period for this data beyond what Shopify's platform permits. For further information about Shopify's retention practices, please visit the Shopify Consumer Privacy Policy at privacy.shopify.com.
7.8 Marketing Data
Where you have consented to receive marketing communications, the Company retains the Personal Data used to send those communications, including your email address and marketing preferences, until you withdraw your consent or opt out. Following an opt-out or withdrawal of consent, the Company will retain a suppression record of your email address indefinitely to ensure that you are not inadvertently contacted again. That suppression record contains only the minimum information necessary to give effect to your opt-out and is not used for any other purpose.
7.9 Data of Minors
If the Company becomes aware that it has collected Personal Data from a person under the age of 18, that data will be deleted promptly and in any event within 30 days of becoming aware of the collection. No retention period applies to data collected from minors beyond what is strictly necessary to effect its deletion.
7.10 Deletion and Anonymization
When a retention period expires, the Company will either delete the relevant Personal Data permanently or anonymize it so that it can no longer be linked to you. Anonymized data may be retained indefinitely for analytical or operational purposes, as it no longer constitutes Personal Data. The Company takes reasonable technical and organizational measures to ensure that deletion and anonymization are carried out securely and completely.
Open Items
Attorney review -- All retention periods in Section 7 are recommended values and should be confirmed by counsel before this Policy is published. In particular: transaction data at seven years (IRS/financial record-keeping), account data at three years (Wyoming limitation period), License Plate Data at 60 days (operational only), dispute data at two years post-conclusion, communications at two years, and suppression list indefinite.
Attorney review -- Section 7.7: Shopify controls retention of Device Data. Counsel should confirm this is consistent with the GDPR storage limitation principle under Article 5(1)(e) and whether a data processing agreement with Shopify addressing retention is required.
Section 8 -- Cookies and Tracking Technologies
This section explains what cookies and similar tracking technologies are, how the Company uses them on the Platform, and what choices you have. A cookie is a small text file placed on your device when you visit a website. Cookies and similar technologies allow a website to recognize your device, remember your preferences, and collect information about how you use the site. Some of these technologies are essential to the Platform's operation. Others are used to improve your experience or to understand how the Platform is being used.
8.1 Technologies the Company Uses
The Platform uses the following types of tracking technologies, all of which are deployed through Shopify's native infrastructure.
Cookies are small text files stored on your device by your browser. The Platform uses cookies to maintain your session while you are logged in, to remember items you have viewed or added to your order, and to support the Platform's core functionality.
Web beacons are small transparent image files embedded in web pages or emails. The Platform uses web beacons to confirm whether emails sent to you, including order confirmations and Pass delivery emails, have been opened and whether links within them have been clicked. This information is used for operational purposes, such as confirming that a Pass delivery email has been received, and is not used for advertising profiling.
Local storage is a browser-based mechanism that allows certain information to be stored on your device for the duration of your session or beyond it. The Platform may use local storage to retain session state and preference information.
8.2 Categories of Cookies
The cookies used on the Platform fall into the following categories.
Strictly necessary cookies are essential to the operation of the Platform. They enable core functions such as session management, secure login, and checkout processing. These cookies cannot be disabled without materially impairing the Platform's functionality. They are placed on your device on the basis of the Company's legitimate interest in operating a functional and secure platform, and in certain jurisdictions on the basis of technical necessity. Your consent is not required for strictly necessary cookies under applicable law.
Functional cookies allow the Platform to remember choices you have made, such as your language preference or whether you have previously accepted this Policy, and to provide enhanced features as a result. These cookies are not essential but improve your experience of the Platform.
Analytics cookies collect information about how you use the Platform, including which pages you visit, how long you spend on them, and any errors you encounter. This information is collected and processed through Shopify's native analytics tools and is used by the Company to understand Platform usage and to improve its features and performance. No third-party analytics provider places cookies on the Platform.
8.3 Cookies Set by Shopify
Because the Platform is built on and hosted by Shopify, Shopify sets certain cookies on the Platform independently in connection with its own platform-level services, including fraud detection, payment processing, and Shopify's broader merchant network analytics. The Company does not control the cookies Shopify sets in its capacity as an independent data controller. For a full list of cookies set by Shopify and information about how to manage them, please visit the Shopify Consumer Privacy Policy at privacy.shopify.com and the Shopify Privacy Portal at privacy.shopify.com/en.
8.4 Cookie Consent
Where applicable law requires the Company to obtain your consent before placing non-essential cookies on your device, the Company will do so. Consent is obtained through the cookie consent banner built into the Platform's Shopify-powered interface, which is presented to you when you first access the Platform. You may withdraw your consent or change your cookie preferences at any time by adjusting your settings through that banner or through your browser settings as described in Section 8.5. Withdrawing consent will not affect any processing that took place while your consent was in effect.
For Users in the European Union, the Company's use of non-essential cookies is subject to the requirements of the ePrivacy Directive as implemented in the relevant member state. For Users in the United Kingdom, the Company's use of non-essential cookies is subject to the Privacy and Electronic Communications Regulations 2003. Strictly necessary cookies are exempt from the consent requirement under both frameworks.
8.5 Managing Cookies Through Your Browser
You can control and manage cookies through your browser settings. Most browsers allow you to refuse new cookies, delete existing cookies, and set preferences for certain websites. The steps for doing this vary by browser. Please refer to your browser's help documentation for instructions. Please note that refusing or deleting cookies may affect the availability and functionality of certain features of the Platform, including the ability to complete a purchase.
8.6 Do Not Track
Some browsers offer a Do Not Track setting that sends a signal to websites requesting that your browsing activity not be tracked. Because there is no agreed industry standard for responding to Do Not Track signals, the Platform does not currently respond to them. Users who wish to limit tracking should manage their preferences through the cookie consent mechanism described in Section 8.4 or through their browser settings as described in Section 8.5. The Platform does, however, recognize and respond to the Global Privacy Control opt-out signal where required by applicable law, including for California residents under the CCPA. Where the Platform receives a Global Privacy Control signal from your browser, it will treat that signal as a request to opt out of the sale or sharing of your Personal Data to the extent required by applicable law.
Open Items
Attorney review -- Section 8.4: Shopify's native cookie consent banner does not offer granular consent by cookie category. Counsel should confirm whether this is acceptable for MVP launch given the EU and UK user base, and whether a more capable consent management platform will be required before full commercial launch in those jurisdictions. This is a meaningful compliance risk.
Section 9 -- Data Security
This section explains the measures the Company takes to protect your Personal Data and what you should know about the limits of those measures.
9.1 Security Measures
The Company takes reasonable and appropriate technical and organizational measures to protect your Personal Data against unauthorized access, accidental loss, destruction, alteration, or disclosure. These measures include the following. All data transmitted between your device and the Platform is encrypted in transit using industry-standard Transport Layer Security protocols. Payment data is handled exclusively within Shopify Payments' Payment Card Industry Data Security Standard compliant environment, which is certified to the highest level of PCI DSS compliance available. The Company does not store payment card data on its own systems. Access to Personal Data held by the Company is restricted to personnel and service providers who need it to perform their functions, and is subject to confidentiality obligations. The Platform's infrastructure is hosted by Shopify, which maintains its own security program covering the physical and technical security of the systems on which the Platform operates. For further information about Shopify's security practices, please visit Shopify's security documentation at shopify.com/security.
9.2 Limits of Security
No security measure is perfect or impenetrable. The Company cannot guarantee that your Personal Data will never be subject to unauthorized access or disclosure. The transmission of data over the internet carries inherent risks that are outside the Company's control. You are responsible for keeping your account credentials, including your password, confidential and for not sharing them with any other person. If you believe your account has been compromised, please contact the Company immediately at contact@vividpark.com.
9.3 Data Breaches
In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, the Company will notify the relevant supervisory authority and, where required by applicable law, affected Users, within the timeframes prescribed by law. For EU Users, the applicable timeframe under the GDPR is 72 hours from the Company becoming aware of the breach where notification to the supervisory authority is required. For UK Users, the same 72-hour timeframe applies under the UK GDPR. For California residents, notification will be provided in accordance with the California data breach notification requirements set out in California Civil Code section 1798.82. The Company will take prompt steps to investigate and contain any breach and to mitigate its effects on affected Users.
9.4 Third-Party Security
Where the Company shares your Personal Data with third parties, including Shopify and Shopify Payments, it takes reasonable steps to ensure that those parties maintain appropriate security standards. However, the Company is not responsible for the security practices of third parties acting as independent data controllers, including Shopify in its capacity as described in Section 5.1. You should review the privacy and security policies of those third parties directly.
9.5 Your Role in Security
You play an important role in keeping your Personal Data secure. You should use a strong and unique password for your User Account or Seller Account, avoid accessing your account over unsecured public networks, log out of your account when using a shared device, and contact the Company promptly if you suspect any unauthorized use of your account. The Company will never ask you to provide your password by email or through any channel other than the Platform's secure login interface.
Open Items
Attorney review -- Section 9.3: The 72-hour GDPR/UK GDPR breach notification window is very tight for an MVP-stage business without a dedicated data protection function. Counsel should advise on whether a documented incident response procedure is required before launch.
Attorney review -- Section 9.3: Counsel should assess whether the Company is required to appoint a Data Protection Officer under Article 37 of the GDPR given the nature and scale of its processing activities.
Section 10 -- California Consumer Privacy Act Supplement
This supplement applies to individuals who are residents of the State of California. It is provided in addition to the rest of this Policy and, where it conflicts with any other provision of this Policy, this supplement prevails for California residents. The rights and disclosures in this supplement are provided in accordance with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020, together referred to in this supplement as the CCPA.
10.1 Scope
This supplement applies to Personal Information the Company collects about California residents in the course of operating the Platform, whether as a Buyer, a Commercial Seller, or a visitor. The term Personal Information in this supplement has the meaning given to it by the CCPA, which is broader than the common law definition and includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
10.2 Categories of Personal Information Collected
In the preceding twelve months, the Company has collected the following categories of Personal Information about California residents, as those categories are defined under the CCPA.
Identifiers, including name, email address, billing address, and IP address. This category is collected from all Users who create an account, complete a purchase, or access the Platform.
Commercial information, including records of Passes purchased, transaction history, and payout records. This category is collected from Buyers and Commercial Sellers.
Financial information, including payment card details processed through Shopify Payments and transaction confirmation data retained by the Company. Payment card details are handled by Shopify Payments and are not stored by the Company.
Internet or other electronic network activity information, including Device Data and usage information collected through Shopify's native infrastructure.
Geolocation data, limited to general location inferred from IP address. The Company does not collect precise geolocation data.
Vehicle information, specifically License Plate Data collected from Buyers before the start of a reservation period where a License Plate requirement applies.
Communications data, including the content of messages sent to the Company through its contact, dispute, and onboarding email addresses.
Inferences drawn from the above categories to the extent Shopify's platform generates inferences about User preferences or behavior in connection with its analytics and fraud detection tools.
10.3 Purposes for Which Personal Information Is Collected and Used
The Company collects and uses each category of Personal Information described in Section 10.2 for the purposes set out in Section 4 of this Policy. Those purposes include account management, order processing, Pass delivery, payment processing, fraud prevention, dispute resolution, customer support, platform analytics, marketing where consent has been given or another lawful basis applies, and legal compliance.
10.4 Categories of Personal Information Disclosed for a Business Purpose
In the preceding twelve months, the Company has disclosed the following categories of Personal Information to third parties for a business purpose, as that term is defined under the CCPA.
Identifiers and commercial information have been disclosed to Shopify in connection with the operation of the Platform and to Shopify Payments in connection with payment processing.
License Plate Data has been disclosed to Parking Operators where required to enable access to a parking facility.
Transaction information has been disclosed to Commercial Sellers to the limited extent described in Section 5.4.
Identifiers and communications data have been disclosed to law enforcement or other authorities where required by law or in connection with fraud prevention, as described in Sections 5.5 and 5.6.
10.5 Sale and Sharing of Personal Information
The Company does not sell your Personal Information to third parties for monetary or other valuable consideration. The Company does not share your Personal Information with third parties for cross-context behavioral advertising purposes, as that term is defined under the CCPA. Because the Company does not sell or share Personal Information in those ways, no opt-out mechanism for sale or sharing is required. If the Company's practices change, this Policy will be updated accordingly and you will be notified as required by law.
10.6 Sensitive Personal Information
The CCPA recognizes certain categories of Personal Information as sensitive personal information and imposes additional requirements on their use. The Company collects the following categories of information that may qualify as sensitive personal information under the CCPA: financial account and payment card information processed through Shopify Payments, and License Plate Data. The Company uses sensitive personal information only for the purposes set out in this Policy and does not use it for purposes that would require the Company to offer a right to limit its use under the CCPA. If the Company's use of sensitive personal information changes in a way that requires an opt-out mechanism, this Policy will be updated accordingly.
10.7 Your Rights as a California Resident
As a California resident, you have the following rights under the CCPA in addition to the rights described in Section 6 of this Policy.
Right to Know. You have the right to request that the Company disclose the categories and specific pieces of Personal Information it has collected about you, the categories of sources from which that information was collected, the business or commercial purposes for which it was collected, and the categories of third parties with whom it has been shared. The disclosures in Sections 10.2 through 10.5 of this supplement are intended to satisfy the Company's obligation to provide this information at a general level. You may submit a request for specific information about you by contacting the Company as described in Section 10.9.
Right to Delete. You have the right to request that the Company delete Personal Information it has collected from you, subject to certain exceptions permitted by the CCPA, including where retention is necessary to complete a transaction, to detect security incidents, to comply with a legal obligation, or to exercise or defend legal claims.
Right to Correct. You have the right to request that the Company correct inaccurate Personal Information it maintains about you.
Right to Opt Out of Sale or Sharing. As stated in Section 10.5, the Company does not sell or share Personal Information as those terms are defined under the CCPA. This right is therefore not applicable to the Company's current practices.
Right to Limit Use of Sensitive Personal Information. As stated in Section 10.6, the Company does not use sensitive personal information for purposes that require an opt-out mechanism under the CCPA. This right is therefore not applicable to the Company's current practices.
Right to Non-Discrimination. The Company will not discriminate against you for exercising any of your rights under the CCPA. This means the Company will not deny you access to the Platform, charge you a different price, or provide you with a different level of service because you have exercised a CCPA right.
10.8 Shine the Light
California Civil Code section 1798.83, known as the Shine the Light law, permits California residents to request information about the disclosure of Personal Information to third parties for those third parties' direct marketing purposes. As stated in Section 10.5, the Company does not disclose Personal Information to third parties for their own direct marketing purposes. California residents who wish to confirm this or make a request under the Shine the Light law may contact the Company as described in Section 10.9.
10.9 How to Submit a CCPA Request
To exercise any of the rights described in this supplement, please contact the Company by email at contact@vividpark.com or by post at ICOGON LLC, 75 E 3rd St, Sheridan, Wyoming 82801. Please identify yourself as a California resident and describe the right you wish to exercise. The Company will verify your identity before processing your request, which may involve asking you to confirm information the Company already holds about you. The Company will respond to verified requests within 45 days of receipt. Where the Company requires additional time, it will notify you within the initial 45-day period and may extend its response by a further 45 days where necessary. The Company will not charge a fee for processing a request unless the request is manifestly unfounded or excessive, in which case the Company will notify you of any fee before proceeding.
10.10 Authorized Agents
You may designate an authorized agent to submit a CCPA request on your behalf. The Company will require the agent to provide written proof of your authorization and may require you to verify your identity directly with the Company before processing the request.
10.11 Annual Updates
The CCPA requires the Company to update the disclosures in this supplement at least once every twelve months. This supplement was last updated on April 1, 2026.
Open Items
Attorney review -- Section 10.5: Counsel should confirm that Shopify's use of data collected through the Platform in connection with its broader merchant network does not constitute a sale or share under the CCPA.
Attorney review -- Section 10.6: Counsel should confirm that License Plate Data qualifies as sensitive personal information under the CCPA and that the Company's current use falls within purposes that do not require an opt-out mechanism.
Section 11 -- GDPR Supplement for EU Users
This supplement applies to individuals who are habitually resident in a member state of the European Union. It is provided in addition to the rest of this Policy and, where it conflicts with any other provision of this Policy, this supplement prevails for EU residents. The rights and disclosures in this supplement are provided in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the General Data Protection Regulation, referred to in this supplement as the GDPR.
11.1 Data Controller
For the purposes of the GDPR, the data controller in respect of your Personal Data is ICOGON LLC, a Wyoming limited liability company doing business as VividPark, with its principal place of business at 75 E 3rd St, Sheridan, Wyoming 82801. The Company can be contacted at contact@vividpark.com.
The Company is a data controller established outside the European Union. Under Article 27 of the GDPR, controllers not established in the EU that are subject to the GDPR by virtue of Article 3(2) are required to designate a representative in the EU. The Company's EU representative is [EU REPRESENTATIVE -- TO BE APPOINTED BEFORE EU LAUNCH]. EU residents may contact the EU representative directly in addition to contacting the Company at contact@vividpark.com.
11.2 Territorial Scope
The GDPR applies to the Company's processing of Personal Data about EU residents where that processing relates to the offering of goods or services to those individuals, or to the monitoring of their behavior within the European Union, regardless of whether the processing takes place within the EU. The Company offers the Platform to EU residents and processes their Personal Data in connection with that offering. The GDPR therefore applies to those processing activities.
11.3 Lawful Basis for Processing
The GDPR requires the Company to identify a lawful basis for each activity involving the processing of your Personal Data. The following sets out each processing activity, the lawful basis the Company relies on, and a brief explanation of why that basis applies.
Account creation and management. Lawful basis: Performance of a contract. The Company processes your name and email address to create and maintain your account because doing so is necessary to provide you with access to the Platform and to perform its obligations to you.
Order processing and Pass delivery. Lawful basis: Performance of a contract. The Company processes your name, email address, billing address, and transaction data because doing so is necessary to complete your purchase and deliver your Pass.
License Plate verification. Lawful basis: Performance of a contract. The Company processes your License Plate Data because doing so is necessary to fulfill the parking reservation you have purchased, specifically to enable your access to the relevant parking facility.
Payment processing via Shopify Payments. Lawful basis: Performance of a contract. The Company shares transaction data with Shopify Payments because doing so is necessary to process your payment and complete the transaction.
Fraud prevention and platform security. Lawful basis: Legitimate interests. The Company has a legitimate interest in detecting and preventing fraud, protecting the integrity of the Platform, and protecting other Users from harm. That interest is not overridden by your interests or fundamental rights given that fraud prevention processing is targeted, proportionate, and conducted using the minimum data necessary.
Dispute resolution. Lawful basis: Legitimate interests and legal obligation. The Company has a legitimate interest in resolving disputes arising from Platform transactions, and may also be subject to legal obligations that require it to retain and process data in connection with certain disputes.
Customer support. Lawful basis: Legitimate interests. The Company has a legitimate interest in responding to queries and complaints from Users and in maintaining effective customer support.
Platform analytics and improvement. Lawful basis: Legitimate interests. The Company has a legitimate interest in understanding how the Platform is used and in improving its features and performance. Analytics processing is conducted through Shopify's native tools and is limited to aggregate and pseudonymous data where possible.
Marketing communications. Lawful basis: Consent. Where the Company sends marketing emails to EU residents, it does so on the basis of your prior consent, obtained in accordance with the ePrivacy Directive as implemented in the relevant member state. You may withdraw your consent at any time as described in Section 6.6.
Legal compliance. Lawful basis: Legal obligation. The Company processes Personal Data where it is required to do so by applicable law, including in response to lawful requests from courts, regulators, or law enforcement authorities.
Business transfers. Lawful basis: Legitimate interests. The Company has a legitimate interest in being able to carry out corporate transactions, including mergers and acquisitions, that may involve the transfer of Personal Data to a successor entity.
11.4 Your Rights Under the GDPR
As an EU resident, you have the following rights in relation to your Personal Data under the GDPR. These rights are in addition to the general rights described in Section 6 of this Policy.
Right of access. Under Article 15 of the GDPR, you have the right to obtain confirmation of whether the Company processes Personal Data about you and, if so, to receive a copy of that data together with information about the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention period, and the existence of any automated decision-making.
Right to rectification. Under Article 16 of the GDPR, you have the right to require the Company to correct inaccurate Personal Data about you without undue delay, and to have incomplete Personal Data completed.
Right to erasure. Under Article 17 of the GDPR, you have the right to require the Company to erase your Personal Data without undue delay where one of the grounds specified in that Article applies, including where the data is no longer necessary for the purpose for which it was collected, where you withdraw consent and there is no other lawful basis for processing, or where you object to processing based on legitimate interests and the Company has no overriding legitimate grounds.
Right to restriction of processing. Under Article 18 of the GDPR, you have the right to require the Company to restrict its processing of your Personal Data in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful and you oppose erasure, or where the Company no longer needs the data but you require it for the establishment, exercise, or defense of legal claims.
Right to data portability. Under Article 20 of the GDPR, you have the right to receive the Personal Data you have provided to the Company in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where processing is based on consent or on the performance of a contract and is carried out by automated means.
Right to object. Under Article 21 of the GDPR, you have the right to object at any time to the processing of your Personal Data where that processing is based on the Company's legitimate interests. Where you object, the Company will cease processing unless it can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defense of legal claims. You have an unconditional right to object to processing for direct marketing purposes, and the Company will cease such processing immediately upon receiving your objection.
Right to withdraw consent. Where the Company relies on your consent as the lawful basis for processing, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
Right to lodge a complaint. You have the right to lodge a complaint with the data protection supervisory authority in the EU member state where you habitually reside, where you work, or where the alleged infringement of the GDPR occurred. A list of EU supervisory authorities and their contact details is available at edpb.europa.eu. The Company encourages you to contact it directly in the first instance so that it has the opportunity to address your concerns before you escalate to a supervisory authority.
11.5 Automated Decision-Making and Profiling
The Company uses Shopify's native fraud detection tools, which may involve automated analysis of transaction data to identify potentially fraudulent activity. Where that analysis results in an automated decision that produces a legal or similarly significant effect on you, such as the withholding of a payout or the suspension of an account, you have the right under Article 22 of the GDPR to request human review of that decision, to express your point of view, and to contest the decision. To request a human review, please contact the Company at contact@vividpark.com. The Company does not otherwise use automated decision-making or profiling that produces legal or similarly significant effects.
11.6 International Transfers
The Company is incorporated and operates in the United States. When the Company processes Personal Data about EU residents, that data is transferred to and processed in the United States, which the European Commission has not determined to provide an adequate level of data protection. The Company relies on the European Commission's Standard Contractual Clauses as the legal mechanism for transferring Personal Data from the European Economic Area to the United States. Copies of the relevant Standard Contractual Clauses are available on request by contacting the Company at contact@vividpark.com. Where Shopify transfers Personal Data in connection with its own processing activities, Shopify is responsible for ensuring that those transfers are made in accordance with applicable law.
11.7 Retention
The Company retains Personal Data about EU residents in accordance with the retention periods set out in Section 7 of this Policy. Those periods have been determined with reference to the purpose limitation and storage limitation principles in Article 5 of the GDPR. Personal Data is not retained for longer than is necessary for the purposes for which it was collected, subject to the legal and operational grounds for extended retention described in Section 7.
11.8 Contact and Complaints
To exercise any of the rights described in this supplement or to raise a concern about the Company's data practices, please contact the Company by email at contact@vividpark.com or by post at ICOGON LLC, 75 E 3rd St, Sheridan, Wyoming 82801. The Company will respond to requests within one month of receipt in accordance with Article 12 of the GDPR. Where the Company requires additional time to respond, it will notify you within the initial one-month period and may extend its response by a further two months where the complexity or number of requests justifies it.
Open Items
OPEN PLACEHOLDER -- Section 11.1: EU Representative under Article 27 GDPR must be appointed and named before the Platform is made available to EU users. This is a mandatory legal requirement. Recommended providers include DataRep, VeraSafe, and GDPR Local.
Attorney review -- Section 11.3: Counsel should confirm each legitimate interests basis and ensure a documented Legitimate Interests Assessment is conducted for each before this Policy is published.
Attorney review -- Section 11.5: Counsel should confirm whether Shopify's fraud detection outputs meet the Article 22 threshold of legal or similarly significant effect and whether the current human review process is sufficient.
Attorney review -- Section 11.6: Counsel should confirm that Standard Contractual Clauses are executed and in place before this Policy is published.
Section 12 -- UK GDPR Supplement for UK Users
This supplement applies to individuals who are habitually resident in the United Kingdom. It is provided in addition to the rest of this Policy and, where it conflicts with any other provision of this Policy, this supplement prevails for UK residents. The rights and disclosures in this supplement are provided in accordance with the retained version of the General Data Protection Regulation as it forms part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, referred to in this supplement as the UK GDPR, together with the Data Protection Act 2018.
12.1 Data Controller
For the purposes of the UK GDPR, the data controller in respect of your Personal Data is ICOGON LLC, a Wyoming limited liability company doing business as VividPark, with its principal place of business at 75 E 3rd St, Sheridan, Wyoming 82801. The Company can be contacted at contact@vividpark.com.
The Company is a data controller established outside the United Kingdom. Under Article 27 of the UK GDPR, controllers not established in the UK that are subject to the UK GDPR by virtue of Article 3(2) are required to designate a representative in the United Kingdom. The Company's UK representative is [UK REPRESENTATIVE -- TO BE APPOINTED BEFORE UK LAUNCH]. UK residents may contact the UK representative directly in addition to contacting the Company at contact@vividpark.com.
12.2 Territorial Scope
The UK GDPR applies to the Company's processing of Personal Data about UK residents where that processing relates to the offering of goods or services to those individuals, or to the monitoring of their behavior within the United Kingdom, regardless of whether the processing takes place within the UK. The Company offers the Platform to UK residents and processes their Personal Data in connection with that offering. The UK GDPR therefore applies to those processing activities.
12.3 Lawful Basis for Processing
The UK GDPR requires the Company to identify a lawful basis for each activity involving the processing of your Personal Data. The lawful bases available under the UK GDPR mirror those under the EU GDPR and the Company relies on the same bases for UK residents as it does for EU residents. Those bases are set out in full in Section 11.3 of this Policy and apply equally to UK residents, with references to the GDPR read as references to the UK GDPR where the context requires.
12.4 Your Rights Under the UK GDPR
As a UK resident, you have the following rights in relation to your Personal Data under the UK GDPR and the Data Protection Act 2018. These rights mirror those available to EU residents under the GDPR and are in addition to the general rights described in Section 6 of this Policy.
Right of access. Under Article 15 of the UK GDPR, you have the right to obtain confirmation of whether the Company processes Personal Data about you and, if so, to receive a copy of that data together with information about the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention period, and the existence of any automated decision-making. The Company will respond to access requests within one month of receipt. No fee is charged for a subject access request unless the request is manifestly unfounded or excessive.
Right to rectification. Under Article 16 of the UK GDPR, you have the right to require the Company to correct inaccurate Personal Data about you without undue delay, and to have incomplete Personal Data completed.
Right to erasure. Under Article 17 of the UK GDPR, you have the right to require the Company to erase your Personal Data without undue delay where one of the grounds specified in that Article applies, including where the data is no longer necessary for the purpose for which it was collected, where you withdraw consent and there is no other lawful basis for processing, or where you object to processing based on legitimate interests and the Company has no overriding legitimate grounds.
Right to restriction of processing. Under Article 18 of the UK GDPR, you have the right to require the Company to restrict its processing of your Personal Data in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful and you oppose erasure, or where the Company no longer needs the data but you require it for the establishment, exercise, or defense of legal claims.
Right to data portability. Under Article 20 of the UK GDPR, you have the right to receive the Personal Data you have provided to the Company in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where processing is based on consent or on the performance of a contract and is carried out by automated means.
Right to object. Under Article 21 of the UK GDPR, you have the right to object at any time to the processing of your Personal Data where that processing is based on the Company's legitimate interests. Where you object, the Company will cease processing unless it can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defense of legal claims. You have an unconditional right to object to processing for direct marketing purposes, and the Company will cease such processing immediately upon receiving your objection.
Right to withdraw consent. Where the Company relies on your consent as the lawful basis for processing, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
Right to lodge a complaint with the ICO. You have the right to lodge a complaint with the Information Commissioner's Office, which is the supervisory authority responsible for data protection in the United Kingdom. The ICO can be contacted at ico.org.uk, by telephone on 0303 123 1113, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. The Company encourages you to contact it directly in the first instance so that it has the opportunity to address your concerns before you escalate to the ICO.
12.5 Automated Decision-Making and Profiling
The Company uses Shopify's native fraud detection tools, which may involve automated analysis of transaction data to identify potentially fraudulent activity. Where that analysis results in an automated decision that produces a legal or similarly significant effect on you, such as the withholding of a payout or the suspension of an account, you have the right under Article 22 of the UK GDPR to request human review of that decision, to express your point of view, and to contest the decision. To request a human review, please contact the Company at contact@vividpark.com. The Company does not otherwise use automated decision-making or profiling that produces legal or similarly significant effects.
12.6 International Transfers
The Company is incorporated and operates in the United States. When the Company processes Personal Data about UK residents, that data is transferred to and processed in the United States. The UK has not made an adequacy regulation in respect of the United States as a whole, meaning that transfers of Personal Data from the UK to the United States require an appropriate safeguard under Article 46 of the UK GDPR. The Company relies on the International Data Transfer Agreement issued by the Information Commissioner's Office, or where applicable the International Data Transfer Addendum to the European Commission's Standard Contractual Clauses, as the legal mechanism for transferring Personal Data from the United Kingdom to the United States. Copies of the relevant transfer documents are available on request by contacting the Company at contact@vividpark.com. Where Shopify transfers Personal Data in connection with its own processing activities, Shopify is responsible for ensuring that those transfers are made in accordance with applicable law.
12.7 Retention
The Company retains Personal Data about UK residents in accordance with the retention periods set out in Section 7 of this Policy. Those periods have been determined with reference to the purpose limitation and storage limitation principles in Article 5 of the UK GDPR. Personal Data is not retained for longer than is necessary for the purposes for which it was collected, subject to the legal and operational grounds for extended retention described in Section 7.
12.8 Registration with the ICO
Organizations that process Personal Data in the UK are generally required to pay a data protection fee to the ICO unless an exemption applies. As the Company processes Personal Data about UK residents, it may be required to register with the ICO and pay the applicable fee. This obligation applies regardless of whether the Company is established in the UK.
12.9 Contact and Complaints
To exercise any of the rights described in this supplement or to raise a concern about the Company's data practices, please contact the Company by email at contact@vividpark.com or by post at ICOGON LLC, 75 E 3rd St, Sheridan, Wyoming 82801. The Company will respond to requests within one month of receipt in accordance with Article 12 of the UK GDPR. Where the Company requires additional time to respond, it will notify you within the initial one-month period and may extend its response by a further two months where the complexity or number of requests justifies it.
Open Items
OPEN PLACEHOLDER -- Section 12.1: UK Representative under Article 27 UK GDPR must be appointed and named before the Platform is made available to UK users. This is a mandatory legal requirement. Many providers offer combined EU and UK representative services as a bundle.
Attorney review -- Section 12.6: Counsel should confirm that the IDTA and/or IDTA Addendum are executed and in place before this Policy is published.
Attorney review -- Section 12.8: Counsel should confirm whether the Company is required to register with the ICO and pay the data protection fee before UK launch.
Attorney review -- General: Counsel should confirm whether the same individual or organization may serve as both EU and UK representative, which would simplify the compliance structure.
Section 13 -- Miscellaneous Provisions
13.1 Governing Law
This Policy is governed by and construed in accordance with the laws of the State of Wyoming, United States, without regard to its conflict of law principles. Where applicable law requires that a specific jurisdiction's data protection law governs the processing of Personal Data about residents of that jurisdiction, including the GDPR for EU residents, the UK GDPR for UK residents, and the CCPA for California residents, those laws apply to the processing activities described in the relevant supplements in Sections 10, 11, and 12 of this Policy. Wyoming law governs all matters not addressed by those jurisdiction-specific supplements.
13.2 Relationship to Other VividPark Documents
This Policy forms part of the suite of legal documents governing your use of the Platform. It should be read alongside the VividPark Terms of Service and, where applicable, the VividPark Seller Agreement. In the event of a conflict between this Policy and either of those documents on a matter relating to the collection, processing, or disclosure of Personal Data, this Policy controls. In the event of a conflict between this Policy and a jurisdiction-specific supplement contained within it, the supplement controls for users to whom it applies.
13.3 Changes to This Policy
The Company reserves the right to update or modify this Policy at any time to reflect changes in its data practices, changes in applicable law, or for other operational or regulatory reasons. When the Company makes a material change to this Policy, it will post the revised Policy on the Platform with an updated effective date and will provide notice to affected Users as required by applicable law. For EU and UK residents, material changes that affect the lawful basis for processing or that introduce new processing activities will be communicated directly by email where the Company holds a current email address for you. Your continued use of the Platform after a revised Policy is posted constitutes your acceptance of the revised Policy. If you do not agree to the revised Policy, you must stop using the Platform.
13.4 Severability
If any provision of this Policy is found by a court or regulatory authority of competent jurisdiction to be invalid, unlawful, or unenforceable, that provision will be limited or eliminated to the minimum extent necessary so that the remainder of the Policy continues in full force and effect. The invalidity or unenforceability of any provision will not affect the validity or enforceability of any other provision.
13.5 No Waiver
The Company's failure to enforce any provision of this Policy on any occasion does not constitute a waiver of its right to enforce that provision on any future occasion. A waiver is only effective if made in writing by an authorized representative of the Company.
13.6 Language
This Policy is written in English. If it is translated into any other language for the convenience of Users in a particular jurisdiction, the English version prevails in the event of any inconsistency or conflict between versions.
13.7 Entire Agreement on Privacy
This Policy, together with the jurisdiction-specific supplements in Sections 10, 11, and 12, constitutes the entire statement of the Company's privacy practices in relation to the Platform. It supersedes all prior privacy notices, statements, or representations made by the Company in relation to the Platform. No representation about the Company's data practices that is not contained in this Policy or the documents incorporated into it by reference should be relied upon.
13.8 Contact
For any questions about this Policy, to exercise any of the rights described in it, or to raise any concern about the Company's data practices, please contact the Company using the details below.
ICOGON LLC, doing business as VividPark
75 E 3rd St, Sheridan, Wyoming 82801
contact@vividpark.com
For dispute-related matters, please use dispute@vividpark.com. For Commercial Seller onboarding matters, please use onboarding@vividpark.com.
For EU residents, the Company's designated EU representative can be contacted at [EU REPRESENTATIVE -- TO BE APPOINTED BEFORE EU LAUNCH].
For UK residents, the Company's designated UK representative can be contacted at [UK REPRESENTATIVE -- TO BE APPOINTED BEFORE UK LAUNCH].
For matters relating to Shopify's processing of your Personal Data in its capacity as an independent data controller, please visit privacy.shopify.com.
Appendix -- Open Items for Completion
The following items must be resolved before this Policy is finalized and published. All items flagged for attorney review throughout the drafting process are consolidated here.
Mandatory placeholders (must be filled before launch)
[EU REPRESENTATIVE] -- Sections 11.1 and 13.8. Mandatory under Article 27 GDPR. Must be appointed before the Platform is made available to EU users. Recommended providers: DataRep, VeraSafe, GDPR Local.
[UK REPRESENTATIVE] -- Sections 12.1 and 13.8. Mandatory under Article 27 UK GDPR. Must be appointed before the Platform is made available to UK users. Many providers offer combined EU and UK representative services.
Attorney review items
Section 1 -- Counsel should confirm whether a standalone GDPR-facing privacy notice is also required for EU compliance purposes in addition to this unified document.
Section 4.9 -- Counsel should confirm the lawful basis for marketing communications to EU and UK Users, particularly in respect of the soft opt-in exemption under PECR and the ePrivacy Directive.
Section 5.1 -- Counsel should confirm that Shopify's merchant network data use does not constitute a sale or share under the CCPA, and whether a formal data processing agreement with Shopify is required.
Section 5.9 -- Counsel should confirm that Standard Contractual Clauses (EEA) and the IDTA or IDTA Addendum (UK) are executed and in place before this Policy is published.
Section 7 -- All retention periods are recommended values. Counsel should confirm each period before publication, particularly transaction data at seven years and account data at three years.
Section 7.7 -- Counsel should confirm that deferring to Shopify's retention practices for Device Data is consistent with the GDPR storage limitation principle under Article 5(1)(e).
Section 8.4 -- Counsel should confirm whether Shopify's native cookie consent banner is sufficient for MVP launch in the EU and UK, or whether a more capable consent management platform is required.
Section 9.3 -- Counsel should advise on whether a documented incident response procedure is required before launch given the 72-hour GDPR and UK GDPR breach notification window.
Section 9.3 -- Counsel should assess whether the Company is required to appoint a Data Protection Officer under Article 37 of the GDPR.
Section 10.5 -- Counsel should confirm that Shopify's merchant network data use does not constitute a sale or share under the CCPA.
Section 10.6 -- Counsel should confirm that License Plate Data qualifies as sensitive personal information under the CCPA and that current usage does not require an opt-out mechanism.
Section 11.3 -- Counsel should confirm each legitimate interests basis and ensure a documented Legitimate Interests Assessment is conducted for each.
Section 11.5 / 12.5 -- Counsel should confirm whether Shopify's fraud detection outputs meet the Article 22 GDPR / UK GDPR threshold and whether the current human review process is sufficient.
Section 12.8 -- Counsel should confirm whether the Company is required to register with the ICO and pay the data protection fee before UK launch.
Sections 11 and 12 -- Counsel should confirm whether the same individual or organization may serve as both EU and UK representative.
This document was drafted section by section and reviewed incrementally. It reflects stated business intent and standard marketplace practice only. It does not constitute legal advice. ICOGON LLC should have this Policy reviewed by qualified legal counsel before it is put into use.