PRIVACY POLICY

Effective Date: 16/01/2026

Last Update: 15/01/2026

1. INTRODUCTION

Welcome to TheStraw (“we”, “us”, “our”, or “Company”). TheStraw is a platform that helps users discover bars and book time-based drink discount slots at participating venues (“Venues”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Services.

By accessing and using TheStraw, you acknowledge that you have read, understood, and agree to this Privacy Policy.

2. INFORMATION WE COLLECT

We collect information you provide directly and information collected automatically.

2.1 Information You Provide Directly

Account Information:

• Full name
• Email address
• Date of birth / legal drinking age confirmation
• Password and login credentials
• Profile picture (optional)

Reservation Information:

• Preferred areas or types of Venues
• Reservation dates and selected slots
• Group size
• Special requests
• Reservation history

Communication:

• Messages to support
• Survey responses
• Photos, ratings, reviews

Additional Information:

• Information about friends you invite or include in a booking (shared only with their consent)
• Social media account information (if you choose to connect your account)
• Location information you authorize us to access (for example, to show nearby bars or available slots)

3. HOW WE USE YOUR INFORMATION

3.1 Service Provision

• Account management
• Processing reservations and discounts
• Customer support
• Transactional communications

3.2 Service Improvement

• User behavior analysis
• Feature development
• Market research
• Performance measurement

3.3 Marketing

• Promotional communications
• Venue Partner offers
• Contests and campaigns
• Personalized content

3.4 Personalization

• Customized experience
• Venue recommendations
• Targeted ads
• Preference memory

3.5 Safety & Compliance

• Fraud prevention
• Enforcing Terms
• Legal compliance
• Dispute resolution

3.6 Analytics

• Usage tracking
• Demographic analysis
• Aggregated reports
• Performance improvement

4. HOW WE SHARE YOUR INFORMATION

We may share your information in the following circumstances:

4.1 With Venue Partners

To facilitate your reservations and discounts, we may share:

• Your name, contact details (email, phone), and group size
• Reservation date, time, and selected slot details
• Special requests or notes you choose to provide
• Relevant visit history (such as previous no-shows or bans)

If you consent to receive marketing communications directly from a Venue Partner, that Venue Partner becomes an independent data controller and is responsible under its own privacy policy.

4.2 With Service Providers and Suppliers

We share information with trusted third-party providers who help us operate our Services, including:

• Email, push notification, and SMS providers
• Analytics and attribution platforms
• Cloud hosting and storage providers
• Customer support and CRM tools
• Marketing and advertising partners

These providers are contractually required to use your data only to provide services to us and maintain appropriate security measures.

4.3 With Business Partners

We may share information with trusted business partners for:

• Delivering personalized content and recommendations
• Co-marketing initiatives (with consent where required)
• Strategic partnerships and joint offerings

Such sharing is governed by written agreements including confidentiality and security obligations.

4.4 With Social Media Platforms

If you share content on social platforms or connect your account, information is governed by their privacy policies.

4.5 Legal Requirements and Protection

We may disclose information when required by law or when necessary to:

• Comply with legal obligations
• Respond to lawful requests
• Enforce our Terms & Conditions
• Prevent fraud or unlawful activity
• Protect safety and rights

4.6 Business Transfers

If TheStraw is involved in a merger or acquisition, your information may be transferred. You will be notified if a new privacy policy applies.

4.7 With Your Consent

We may share information with third parties for purposes not listed above when you explicitly consent.

5. YOUR PRIVACY CHOICES AND RIGHTS

5.1 Access and Control

You have the right to:

• Access your personal information
• Review and update your account information
• Download your data in a portable format (where technically feasible)
• Request a copy of all personal information we hold about you

You can access, update, and manage your information by contacting our privacy team.

5.2 Opt-Out Options

• Marketing Communications: You can unsubscribe from promotional emails by clicking the unsubscribe link in any marketing email or updating your preferences in your account settings.
• Location Services: You can disable location tracking through your device’s privacy settings; this may limit location-based features.
• Cookies: You can control cookie preferences through our Cookie Consent Tool or your browser settings.
• Targeted Advertising: You can opt out of personalized advertising through your device settings or advertising preference centers.

Note: Opting out of certain features may affect the functionality and personalization of our Services.

5.3 Account Closure

You can close your account at any time by:

• Visiting the “Account Settings” section of your profile
• Contacting our customer support team

5.4 Account Deletion

If you want to permanently delete your TheStraw account, you can do so directly in the app or by contacting us using the contact details in Section 14.

To delete your account in the app:

• Open the TheStraw app.
• Go to Settings.
• Tap Account.
• Tap Delete account and confirm the request.

When your deletion request is completed, the following data is removed from our active systems:

• Your profile information.
• Your bookings and booking history stored in the app.
• Your favorites and saved preferences linked to your account.
• Your push notification tokens and account memberships linked to venues.

Some limited data may be retained:

• Records we must keep to comply with legal, tax, accounting, or regulatory obligations.
• Information needed to prevent fraud, enforce our Terms, resolve disputes, or protect safety.
• Backup or security records for the retention periods described in Section 6.

Deletion timing:

Once you confirm deletion in the app, account deletion starts immediately. Some limited retained records may remain for the periods described in Section 6 where required by law or legitimate business needs.

If you manage a business or venue:

If your account is the sole owner of a venue listed on TheStraw, you may need to transfer ownership or remove the venue before your account can be deleted.

5.5 Venue Removal

If you are a venue owner, you can remove your venue from TheStraw at any time through the app. When a venue is removed:

• All future time slots associated with the venue are cancelled.
• All confirmed bookings are automatically cancelled.
• Users with affected bookings receive a notification informing them of the cancellation.
• The venue is no longer visible in search results, favorites, or listings.
• Pending invitations to manage the venue are revoked.

Venue data, including booking records and venue information, may be retained for up to 2 years after removal as described in Section 6, to comply with legal and accounting obligations.

5.6 Cookie Management

Our Cookie Consent Tool allows you to:

• Review all cookies used on our website
• Accept or decline specific categories of cookies
• Adjust your cookie preferences at any time
• Manage cookies through your browser settings

Essential cookies cannot be disabled as they are necessary for proper functioning of our Services.

6. DATA RETENTION

We retain personal data only as long as necessary, including:

• Account information: account duration + 2 years
• Reservation history: account duration + 7 years
• Payment records: as required by law
• Marketing data: until opt-out or max 5 years
• Analytics data: up to 24 months

Once we no longer need your information, we will securely delete or permanently anonymize it, unless we are required to retain it by law.

7. DATA SECURITY

We take the security of your personal information seriously and implement measures to protect your data.

7.1 Security Measures

• Encryption: SSL/TLS encryption for data transmitted between your device and our servers.
• Access Controls: Role-based access so only authorized employees with legitimate business needs can access personal information.
• Firewalls and Intrusion Detection: Technical safeguards to prevent unauthorized access.
• Secure Password Storage: Passwords are hashed using industry-standard algorithms.
• Physical Security: Appropriate physical security measures at data centers and offices.
• Data Protection Protocols: Administrative, technical, and physical safeguards to protect data.

7.2 Third-Party Security

We require all third-party service providers to maintain appropriate security measures and sign data protection agreements ensuring compliance with applicable data protection laws.

7.3 Security Limitations

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security against unauthorized access, loss, misuse, or destruction of information. You use our Services at your own risk. If you believe your account or information has been compromised, please contact us immediately.

8. INTERNATIONAL DATA TRANSFERS

TheStraw may transfer your personal information to countries outside your country of residence, including countries that may not have the same level of data protection as your home country.

8.1 Data Transfer Mechanisms

• Adequacy Decisions: Transferring to countries recognized as having adequate data protection.
• Standard Contractual Clauses: Using European Commission-approved standard contractual clauses.
• Binding Corporate Rules: Using internal rules for transfers within our group (where applicable).
• Your Consent: Obtaining your explicit consent where required.

8.2 GDPR Compliance

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data is protected under the GDPR/UK GDPR and applicable laws, even if transferred outside these regions.

9. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to enhance your experience, improve our Services, and deliver personalized content and advertising.

9.1 What Are Cookies?

Cookies are small text files stored on your device that contain information about your website or app usage. When you revisit our Services, cookies allow us to recognize your device and provide a more tailored experience.

9.2 Types of Cookies

9.3 Cookie Management

• Use our Cookie Consent Tool to review and adjust your cookie preferences.
• Manage cookies through your browser’s privacy settings.
• Opt out of advertising cookies through industry opt-out services where available.

Disabling certain cookies may restrict access to some features of our Services.

9.4 Similar Technologies

• Pixels and Web Beacons: To track user actions and campaign performance.
• Local Storage: To store preferences and data on your device.
• Device Identifiers: Unique identifiers for mobile devices.

10. CHILDREN’S PRIVACY

11. JURISDICTION-SPECIFIC RIGHTS

Users in the EEA, UK, Switzerland, California, and other regions have additional rights under applicable laws.

12. EXERCISING YOUR RIGHTS

13. THIRD-PARTY LINKS AND SERVICES

14. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: contact@thestraw.app

Mailing Address: TheStraw

Data Protection Officer (if applicable):

Regulatory Correspondence (if applicable):

We will acknowledge receipt of your request within a reasonable period (typically within 5 business days) and respond fully within the timeframe required by applicable law.

15. CHANGES TO THIS PRIVACY POLICY

16. PRIVACY BY DESIGN

17. DEFINITIONS

• Personal Information: Any information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable person.
• Processing: Any operation performed on personal data (collecting, storing, using, sharing, etc.).
• Data Controller: The entity determining the purposes and means of personal data processing.
• Data Processor: An entity processing personal data on behalf of a controller.
• Sensitive Information: Personal information defined as sensitive under applicable law (for example certain financial, health, or precise location data).

This Privacy Policy is effective as of 16/02/2026 and was last updated on 15/01/2026.

VERSION HISTORY