Privacy policy
Effective May 2, 2026.
Cache Flow Capital LLC, doing business as VSync ("VSync," "we," "our," or "us"), takes privacy seriously. This policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and what rights you have over it.
Last updated: May 2, 2026 Effective: May 2, 2026
This policy applies to:
- The VSync web application at vsync.events
- The VSync mobile application for iOS and Android
- Any other VSync product or service that links to this policy
Use of VSync is subject to our Terms of Service and Acceptable Use Policy. This policy does not apply to third-party services you connect to VSync, or to the event data you manage on behalf of your own clients using VSync's tools (that relationship is governed by our Data Processing Agreement).
1. Who we are
Cache Flow Capital LLC (doing business as VSync) is a Florida limited liability company. Under applicable US privacy laws, we are the controller of the personal information we collect about you directly. For personal information you upload to VSync on behalf of your vendors, guests, or clients, we are a service provider/processor acting on your instructions.
Contact: Cache Flow Capital LLC 5645 Coral Ridge Drive, STE 337, Coral Springs, FL 33076 privacy@vsync.events
Where we operate. VSync is a United States–based service intended for business users in the United States. We do not offer or direct the Service to individuals in the European Economic Area, the United Kingdom, or Switzerland, and we do not target those markets. If you access VSync from outside the United States, you do so on your own initiative and are responsible for compliance with your local laws; your information will be processed in the United States.
2. Information we collect
2.1 Information you give us directly
| Category | Examples | Why we need it |
|---|---|---|
| Account information | Name, email address, phone number, role (planner, venue, captain, vendor) | To create and manage your account |
| Business information | Company name, venue name, studio name, business address | To associate your account with your venue or studio |
| Event data | Event names, dates, locations, timelines, floor plans, vendor briefs, run-of-show details, COI documents, messages between event participants | To deliver the core VSync service |
| Payment information | Billing name, billing address, last four digits of payment card | Processed by Stripe; we never see or store full card numbers |
| Communications | Emails and messages you send to our support team | To respond to your requests and improve the service |
| Profile details | Trade/specialty (for vendors), headshot if provided | To personalize your experience and your brief |
2.2 Information we collect automatically
| Category | Examples | Why we collect it |
|---|---|---|
| Usage data | Features used, screens viewed, buttons tapped, timestamps of key actions (milestone marked, brief opened, vendor checked in) | Product analytics, to improve the service |
| Device information | Device model, operating system version, app version | Crash reporting and compatibility |
| Log data | IP address, browser type, referring URL, session duration | Security monitoring, fraud detection |
| Push token | Expo push token or APNs/FCM device token | To deliver push notifications (Ready Signals alerts, message notifications) |
| Crash and performance data | Stack traces, error messages, performance metrics | Crash reporting via Sentry |
2.3 Information we receive from third parties
| Source | Information received | Purpose |
|---|---|---|
| Apple (Sign in with Apple) | Name and email (or Apple private relay address) you choose to share | Account creation |
| Google (Sign in with Google) | Name and email address | Account creation |
| Stripe | Subscription status, billing events, payment method type | Billing and access management |
We do not purchase data from third-party data brokers. We do not receive data from advertising networks. We do not access your device contacts, photos, or calendar unless you explicitly use a feature that requires it.
3. How we use your information
| Purpose | Legal basis (GDPR) | CCPA category |
|---|---|---|
| Providing and operating the VSync service | Contract — necessary to perform the subscription agreement | Service provision |
| Account creation and authentication | Contract | Account management |
| Delivering push notifications (Ready Signals, messages, COI alerts) | Contract / Legitimate interests | Service provision |
| Billing, invoicing, and payment processing | Contract / Legal obligation | Financial information |
| Customer support | Legitimate interests | Service provision |
| Product analytics and improvement | Legitimate interests | Internal research |
| Security monitoring and fraud detection | Legitimate interests / Legal obligation | Security |
| Communicating about material changes to the service | Legitimate interests / Legal obligation | Communications |
| Marketing communications (optional) | Consent — you can opt out at any time | Marketing |
| Complying with legal obligations | Legal obligation | Compliance |
We do not use your personal information for targeted advertising, sale to third parties, or profiling for automated decision-making that produces legal or similarly significant effects on you.
4. Who we share your information with
We share personal information only as described here. We never sell it.
4.1 Within VSync events
VSync is a shared platform. When you participate in an event, other participants can see certain information about you based on your role:
- Your name and role are visible to all participants on the event.
- Your vendor brief is visible to the planner and venue who created the event.
- Your messages are visible only to the participants in that specific thread.
- Your personal phone number and personal email address are never visible to other participants. All communication goes through VSync.
- Your COI documents are visible to the planner and venue on the event, not to other vendors.
4.2 Service providers (processors)
| Processor | Purpose | Location | Data shared |
|---|---|---|---|
| Amazon Web Services | Hosting, storage, database infrastructure | United States | All event and account data |
| Supabase, Inc. | Authentication, database, real-time API | United States | Account data, session tokens, authentication records |
| Stripe | Payment processing | United States | Billing information, subscription status |
| Resend | Transactional email delivery (invitations, reminders, notifications) | United States | Name, email address, message content |
| OpenAI | AI-assisted extraction of uploaded documents (COIs, run-of-show) | United States | Contents of documents you upload for processing. Inputs are not retained by OpenAI or used to train its models. |
| Vercel | Application hosting, CDN, and edge delivery | United States | IP address, request metadata |
| Google / Google Cloud | Sign in with Google (OAuth identity) and DNS | United States | Name, email address, request metadata |
| Apple Push Notification Service | iOS push notifications | United States | Push token, notification payload |
| Firebase Cloud Messaging | Android push notifications | United States | Push token, notification payload |
| Sentry | Crash and error reporting | United States | Stack traces, device info, anonymized user ID |
| PostHog | Product analytics | United States / EU | Usage events, anonymized user ID |
We do not allow any processor to use your data for any purpose other than providing services to us. The full sub-processor list is maintained at vsync.events/legal/sub-processors.
4.3 Legal requirements
We may disclose personal information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of VSync, our users, or the public. We will notify affected users of any such disclosure to the extent permitted by law.
4.4 Business transfers
If VSync is acquired, merged, or undergoes a change of control, personal information may be transferred to the acquiring entity. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.
5. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Account information | Duration of account + 90 days after deletion | Recovery window; then purged |
| Event data | Duration of account + 90 days | Recovery window; then purged |
| Event messages | Duration of account + 90 days; threads auto-close 30 days after event end | Thread closure policy |
| COI documents | Duration of account + 90 days | Recovery window |
| Payment and billing records | 7 years | Legal and tax obligations |
| Audit logs (event change history) | Lifetime of the event + 90 days | Security and compliance |
| Crash and analytics data | 12 months rolling | Product improvement; then aggregated/anonymized |
| Marketing consent records | Until consent withdrawn + 3 years | Compliance documentation |
After the retention period expires, data is permanently deleted from active systems within 30 days and from backup systems within 90 days thereafter.
6. Per-event messaging and thread closure
VSync's per-event messaging feature routes all communication between planners and vendors through the app. Threads are automatically closed (read-only) 30 days after an event's end date. After the thread closure date, no new messages can be sent, but existing messages remain readable within the VSync app until your account is deleted.
Your personal phone number is never shared with other participants on an event, and vendors cannot contact you outside the platform after the event has concluded.
7. Security
- Encryption in transit: All data transmitted between your device and VSync servers is encrypted via TLS 1.2 or higher.
- Encryption at rest: Data stored on AWS is encrypted at rest using AES-256.
- Access control: Role-based access within events ensures vendors see only their own data.
- Vulnerability management: We conduct periodic security assessments and maintain a responsible disclosure process.
No system is perfectly secure. If you believe your VSync account has been compromised, contact security@vsync.events immediately.
Data breach notification: In the event of a data breach affecting your personal information, we will notify you and, where required, the relevant authority, without undue delay and within the timeframes required by applicable law.
8. International data transfers
VSync is based in, operated from, and intended for use in the United States, and all personal information is stored and processed in the United States. We do not offer or direct the Service to individuals in the European Economic Area, the United Kingdom, or Switzerland (see "Where we operate" in Section 1).
If you choose to access VSync from outside the United States, you understand that your information will be processed in the United States, where data-protection laws may differ from those of your country.
9. Your rights
To exercise any of these rights, email privacy@vsync.events with the subject line "Privacy Request — [Right]." We will respond within 30 days.
Rights available to everyone
| Right | What it means |
|---|---|
| Access | Request a copy of the personal information we hold about you |
| Correction | Ask us to correct inaccurate or incomplete information |
| Deletion | Ask us to delete your personal information, subject to retention obligations |
| Data portability | Receive your data in a structured, machine-readable format |
| Withdraw consent | Where processing is based on consent, withdraw it at any time |
Additional rights for EU/UK residents (GDPR / UK GDPR)
| Right | What it means |
|---|---|
| Restrict processing | Ask us to limit how we use your data in certain circumstances |
| Object to processing | Object to processing based on legitimate interests |
| Lodge a complaint | File a complaint with your national supervisory authority |
Additional rights for California residents (CCPA/CPRA)
| Right | What it means |
|---|---|
| Know | Request the categories and specific pieces of personal information collected, sources, purposes, and third parties |
| Opt out of sale/sharing | We do not sell or share personal information for cross-context behavioral advertising. You may still submit a Do Not Sell or Share request to privacy@vsync.events. |
| Limit sensitive personal information | Request that we limit use of your sensitive personal information to purposes necessary to provide the service |
| Non-discrimination | We will not discriminate against you for exercising any CCPA right |
| Opt-out confirmed | If you submit a Do Not Sell or Share request, we will provide visible confirmation it has been honored within 15 business days |
Rights for residents of other US states
Virginia (VCDPA), Colorado (ColoPA), Connecticut (CDPA), Texas (TDPSA), and residents of the 20+ other US states with comprehensive privacy laws as of 2026 have rights to access, correct, delete, obtain a portable copy of, and opt out of the sale or targeted advertising use of their personal information. Contact privacy@vsync.events to exercise any right. If we deny your request, you may appeal by emailing with the subject "Privacy Request Appeal."
10. Children
VSync is not directed at children under 13 years of age. We do not knowingly collect personal information from anyone under 13. If you believe we have collected information from a child under 13, contact privacy@vsync.events.
11. Cookies and tracking technologies
| Type | Purpose | Can you opt out? |
|---|---|---|
| Strictly necessary | Session management, authentication, security | No — required for the service to function |
| Functional | Remembering your preferences | Yes — browser settings |
| Analytics | Aggregate product usage via PostHog | Yes — email privacy@vsync.events or use browser Do Not Track |
| Advertising cookies | We do not use advertising or retargeting cookies | N/A |
The VSync mobile app does not use browser cookies. It uses a device identifier (Expo push token) solely for push notifications.
12. Sign in with Apple and Google
When you use Sign in with Apple, Apple may provide us with your name and email (or a private relay address). We store only what you share and do not request access to any other Apple services. When you use Sign in with Google, Google provides your name and email. We do not request access to Gmail, Drive, Calendar, or any other Google service.
13. Changes to this policy
We review this policy at least once every 12 months. If we make a material change, we will notify you by email and with an in-app notice at least 30 days before the change takes effect.
14. Contact us
Email: privacy@vsync.events Post: Cache Flow Capital LLC, 5645 Coral Ridge Drive, STE 337, Coral Springs, FL 33076 Response time: Within 30 days of receipt