Effective: 2026-06-29. Last updated: 2026-06-29.
This Privacy Policy (the "Policy") explains how Warden Systems LLC (the "Company," "we," "us," or "our") processes Personal Data that we collect from you (the "Subscriber") as a Controller.
1. Definitions
(a) "Controller" means the natural or legal person, public authority, agency, or other body, which alone or jointly with others, determines the purposes and means of processing Personal Data.
(b) "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(c) "Service(s)" means Warden Systems LLC operates CommunityWarden, a platform licensed to business improvement districts (BIDs), Main Street associations, chambers of commerce, and downtown business districts. CommunityWarden provides each partner district with a branded resident-and-visitor mobile app and supporting tools, including: a community-events guide and ticketing; a shared directory of member businesses and local non-profits, with self-managed listings; volunteer projects and shift sign-up; badge and passport gamification tied to participating locations and events; and pooled, de-identified district foot-traffic and buyer-behavior analytics that help the partner organization secure grants and sponsorships. During active community events, the app awards badges and unlocks event content when a registered user arrives at a participating business or event location.
- (i) "Subscriber" means the natural or legal person who has subscribed to the Service(s) by agreeing to the Terms.
- (ii) "Terms" means the binding contract between the Company and Subscriber that governs the Subscriber's access and use of the Service(s).
2. Data collection
The Subscriber directly provides the Company with most of the data we collect. The Company collects Personal Data from the Subscriber from the following sources. The personal data is collected directly from the user and their device — no third-party data brokers or purchased data. Specifically:
- Information you provide directly — account email address and chosen display name (at signup); photos you take as part of an event challenge (stored locally on your device only).
- Information from your device automatically — approximate (coarse) location; precise (fine) location, foreground only and only when discovery mode is on; OS-provided device identifier (Android App Set ID / iOS IDFV); crash and diagnostic data (OS version, app version, anonymized stack traces).
- Information from your activity in the app — events registered for, badges earned, ticket purchases, and event/mystery progress.
3. Processing of personal data
(a) The Company processes the Subscriber's Personal Data to operate and deliver the platform's features: authenticate accounts and deliver password resets; recognize when a user arrives at a participating business or event location to award badges and unlock event content; surface nearby events and listings; show progress on event leaderboards; enable business and non-profit members to manage their own listings and event promotions; let residents sign up for volunteer projects and shifts; sync experience state to the user's account; prevent abuse; diagnose bugs; and communicate with users about events they have registered for. Location data is used solely to deliver in-event experiences and to produce anonymized, aggregate views of how a downtown district flows — never to profile individuals, serve advertising, or infer sensitive attributes.
(b) The Company will generally collect Personal Data from Subscribers only where it needs to create a contract with the Subscriber, where the processing is in the Company's legitimate interests and not overridden by the Subscriber's data protection interests or fundamental rights and freedoms, or where the Company has the Subscriber's consent. In some cases, the Company may also have a legal obligation to collect Personal Data from the Subscriber.
(c) If the Company processes Personal Data with the Subscriber's consent, the Subscriber may withdraw their consent at any time.
4. Sharing of personal data
(a) The Company shares the Subscriber's Personal Data only with the service providers (data processors) necessary to operate and deliver the Service(s), under contracts that limit their use of the data to providing the service. The Company does not sell Personal Data and does not share it for cross-context behavioral advertising.
(b) The Company does not share Personal Data with advertising networks, data brokers, or credit reference agencies.
(c) Warden Systems LLC does not sell personal information and does not share it for cross-context behavioral advertising. The platform uses no third-party advertising, analytics, attribution, or profiling SDKs. Personal data is disclosed only to service providers acting as data processors, strictly to operate the platform and under contracts limiting use of the data to providing the service:
- Amazon Web Services, Inc. — cloud hosting for the application, database, and backups, and transactional email delivery (Amazon SES);
- Cloudflare, Inc. — edge networking, DNS, and secure connectivity;
- Resend (Resend Labs, Inc.) — transactional email (password resets, event confirmations).
The pooled foot-traffic and buyer-behavior analytics provided to a partner district (BID, Main Street association, or chamber) are aggregated and de-identified before disclosure — they are not personal data and cannot reasonably be used to identify an individual. The Company may also disclose personal data where required by law or to respond to a legal hold or active fraud investigation.
5. Retention of personal data
(a) Company retains the Personal Data when an ongoing legitimate business requires retention of such Personal Data.
(b) In the absence of a need to retain Personal Data, the Company will either delete or aggregate it. If this is not possible, the Company will securely store your Personal Data and isolate it from any further processing until it is deleted.
6. Security of personal data
The Company uses appropriate technical and organizational measures to protect the Personal Data it collects and processes. These measures are designed to provide a high level of security appropriate to the risk of processing the Subscriber's Personal Data. If you are a Subscriber and have any concerns about the security of your Personal Data, please contact us immediately.
7. Modification
The Company keeps this Policy under regular review and may update this webpage at any time. This Policy may be amended at any time, and the Subscriber shall be notified only if there are material changes to this Policy.
8. Contact details
If you have any concerns about this Policy, please get in touch with us at [email protected].
9. Your rights
You may, at any time:
- Access — request a copy of the information we hold about you.
- Correct — ask us to correct inaccurate information.
- Delete — ask us to delete information we hold about you, subject to any legal hold or retention obligation.
- Portability — request your data in a portable, machine-readable format where applicable.
- Withdraw consent — for any processing based on your consent.
- Opt out of sale or sharing — we do not sell or share personal information for advertising, but this right is honored on request as a matter of policy.
Email [email protected] with your request. We respond within one (1) business day. We will honor deletion requests on the same business day unless a legal hold applies, in which case we will tell you what is being held and why. We do not discriminate against users who exercise privacy rights.
10. Children
CommunityWarden is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided information to us, contact [email protected] and we will delete it.
11. Security safeguards
We protect personal information with reasonable administrative, technical, and physical safeguards, including:
- Transport-Layer Security (TLS) for all data in transit between your device and our infrastructure.
- Encrypted backups (AES-256 at rest).
- Role-based access control for our internal systems, with access limited to personnel who need it for their work.
- Logging and review of access to systems holding personal information.
No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you and the appropriate regulators consistent with applicable law.
12. Governing law
This Policy is governed by the laws of the State of Washington, United States, without regard to conflict-of-laws principles. Any dispute arising from this Policy is subject to the exclusive jurisdiction of the state and federal courts located in Clark County, Washington.
13. International users
Our infrastructure is located in the United States. If you access our products from outside the United States, your information will be transferred to and processed in the United States. We honor access and deletion requests from users in all jurisdictions on the same terms as any other user.