Privacy Policy
This Privacy Policy describes how PlayaCMS (“we”, “our”, “the Service”) collects, uses, and protects personal data when you or your camp uses the PlayaCMS platform at playacms.com and camp-specific subdomains or custom domains.
1. Who we are
PlayaCMS is a camp management platform operated from Switzerland. If you have questions about this policy or how we handle your data, contact us at privacy@playacms.com.
2. What data we collect
Data from camp admins and members
- Account information: first name, last name, email, phone number
- Authentication: magic-link login tokens (short-lived)
- Profile: photos you upload, Burning Man–related details (Playa name, past burn experience)
- Role data: membership in one or more camps, permissions within those camps
Data from applicants (prospective camp members)
When someone submits an application to a camp on PlayaCMS, we collect and store the following on behalf of that camp:
- Name, Playa name (optional), email, phone number
- A photo (required for identification by the camp)
- Location, past burn experience, skills, optional notes, motivation, referral source
- Application status, booking, and meeting records
Data from Google Calendar integrations
When a camp admin connects a Google account to enable meeting scheduling, we store:
- The Google account email address
- OAuth access and refresh tokens for the connected Google account, used to create calendar events on behalf of the camp
- The list of calendar events that PlayaCMS has created (not events created outside PlayaCMS)
Technical data
- Session cookies (authentication, CSRF protection)
- IP address and user agent (recorded in server logs)
- Error reports sent to our error-monitoring service
3. How we use this data
We use personal data to operate the PlayaCMS service (accounts, application processing, meeting scheduling, camp administration); to deliver transactional emails (magic-link logins, application notifications, meeting invitations, acceptance and rejection notifications); to create Google Calendar events and Google Meet links when a camp’s meeting flow is used; and to detect and respond to technical issues via server logs and error monitoring.
Legal bases under the GDPR
- Contract performance (Art. 6(1)(b))— account management, application processing, meeting scheduling.
- Legitimate interests (Art. 6(1)(f))— security, fraud prevention, error monitoring, product improvement, balanced against your interests and rights.
- Consent (Art. 6(1)(a))— where required (e.g., optional analytics or marketing communications — none currently).
4. Google API Services disclosure
PlayaCMS’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes we request
https://www.googleapis.com/auth/calendar.app.created— to create a dedicated PlayaCMS calendar inside the connected Google account and manage only the events PlayaCMS places on it.openid,https://www.googleapis.com/auth/userinfo.email, andhttps://www.googleapis.com/auth/userinfo.profile— to identify which Google account a camp admin has just connected, so it can be displayed in the admin settings.
What we access
We can read and write only the dedicated PlayaCMS calendar we create in the connected account. We cannot access the user’s primary calendar, any existing secondary calendars, or any events we did not create.
What we do NOT do
- We do not read, collect, or store calendar events that PlayaCMS did not create.
- We do not transfer Google user data to third parties except as necessary to provide the PlayaCMS service, to comply with applicable law, or as part of a merger, acquisition, or sale of assets.
- We do not use Google user data for advertising or ad targeting.
- We do not use Google user data to train any machine-learning or AI model.
- We do not allow humans to read Google user data except (a) with the user’s affirmative consent, (b) for security or legal compliance, or (c) when the data has been aggregated and anonymized.
Revocation
A camp admin may disconnect Google Calendar at any time from the PlayaCMS admin settings. Users may also revoke access directly at myaccount.google.com/permissions. On disconnection, PlayaCMS deletes the stored OAuth tokens. Already-created calendar events remain on the Google calendar and can be managed via Google Calendar directly.
5. Who we share data with
We share personal data only with the following processors, each of whom is contractually bound to handle data consistent with this policy:
| Processor | Purpose | Jurisdiction |
|---|---|---|
| Vercel Inc. | Application hosting, analytics | USA |
| Neon Inc. | Database hosting | USA / EU |
| Resend Inc. | Transactional email delivery | USA |
| Functional Software, Inc. (Sentry) | Error monitoring | USA / EU |
| Google LLC | OAuth and Calendar API (only when a camp enables the Google Calendar integration) | USA |
We do not sell personal data. We share data with public authorities only when required by law.
6. International transfers
Several of our processors are based outside Switzerland and the EEA. For such transfers, we rely on Standard Contractual Clauses (SCCs) and, where applicable, the Swiss–U.S. Data Privacy Framework.
7. Retention
| Data | Retention period |
|---|---|
| Account data | Until the account is deleted, or 24 months after last login |
| Application data | Retained by the camp for record-keeping; applicants may request deletion |
| Google OAuth tokens | Until the admin disconnects the integration |
| Server logs | 30 days |
| Error reports | 90 days |
8. Your rights
Depending on your location, you have the right to access the personal data we hold about you, correct inaccurate data, delete your data (“right to be forgotten”), restrict processing, receive your data in a portable format, and object to processing based on legitimate interests. To exercise these rights, email privacy@playacms.com.
You may also lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland, or with your local EU/EEA data protection authority.
9. Security
We use industry-standard measures: TLS for data in transit, encrypted database backups, restricted staff access, error monitoring with PII redaction, and regular dependency updates. No method of transmission or storage is 100% secure, but we take reasonable steps to protect your data.
10. Cookies and similar technologies
- Essential cookies for session authentication and CSRF protection. These cannot be disabled without breaking the service.
- No advertising or tracking cookies.
11. Children
PlayaCMS is not directed at children under 18. We do not knowingly collect data from minors.
12. Changes to this policy
We may update this policy occasionally. For material changes, we will notify registered users by email at least 30 days before the changes take effect. The “last updated” date above reflects the most recent revision.
13. Contact
PlayaCMS — privacy@playacms.com