California Notice at Collection
California Consumer Privacy Act / CPRA-required Notice at Collection, with categories of personal information, sources, purposes, and recipients.
Effective Date: July 8, 2026
This Notice at Collection is provided by Bailar, Inc., a Delaware corporation (successor by statutory conversion effective May 4, 2026 to Bailar LLC, a Florida limited liability company) (“Bailar,” “we,” “us,” or “our”) to California residents in accordance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq., the “CCPA”), at or before the point at which we collect personal information from you. This Notice complements, and should be read together with, our Privacy Policy and the Your Privacy Choices page.
1. CATEGORIES OF PERSONAL INFORMATION WE COLLECT, SOURCES, AND PURPOSES
The categories below mirror the CCPA category schema (Cal. Civ. Code § 1798.140(v)).
| CCPA category | Examples | Sources | Business purposes | Third parties we disclose to |
|---|---|---|---|---|
| A. Identifiers | Name, email address, phone number, account identifier, IP address, device identifiers, push-notification token, Stripe customer ID | You (sign-up, profile, payment); your device; OAuth providers (Apple, Google, Kakao) | Operate the Service; authenticate you; deliver push notifications; process payments; security; comply with law | Subprocessors listed at bailar.site/legal/subprocessors |
| B. Customer-records information (Cal. Civ. Code § 1798.80(e)) | Name, phone, billing address (held by Stripe), and limited transaction metadata | You; Stripe (read-back of transaction metadata) | Process payments; provide receipts; comply with tax and financial-record-keeping law | Stripe; tax authorities where required |
| C. Protected classifications (limited) | Age (collected for the 13+ age gate); birth month and year | You | Enforce the 13+ age gate and the 13–17 minor-protection defaults (Privacy Policy § 9) | None; data is used internally for the age gate only |
| D. Commercial information | RSVP history, bookings, tickets, subscription state, purchase history | You; Hosts via the marketplace | Provide the Service; personalize recommendations; security and fraud detection; comply with law | Subprocessors; the Host of an event you attend (limited to data necessary for the Host to deliver the event) |
| E. Biometric information | For instructor applicants, and for payees who choose the optional USDC payout rail (which may include non-instructor studio staff paid through the marketplace): a government-issued photo-ID image and a live-capture selfie used for facial-match identity verification (biometric / special-category data) | You (when you apply to become an instructor, or when you receive a marketplace payout via the USDC rail) | Identity verification; trust and safety; payout / KYC compliance. Not used for advertising or AI training. | Persona and Stripe Identity (identity-verification providers) |
| F. Internet and other electronic-network activity | Pages viewed, app screens viewed, search queries, click and scroll data, time on screen, referring page. On the web, analytics load only after you accept analytics cookies (and never with a GPC signal). In the mobile app, pseudonymous product analytics are collected, except they are not collected at all for devices in the UK, EU, or EEA. | You (your interaction with the Service) | Operate, debug, and improve the Service; measure feature adoption; security | Subprocessors (PostHog, Vercel Analytics, Google Analytics 4) per our consent-gated implementation |
| G. Geolocation data | Precise or approximate location when you grant the location permission; manually-entered city otherwise | Your device; you (manual entry) | Show nearby events and instructors; rank discovery results | Cloudflare (map-tile hosting at tiles.bailar.site) for the limited purpose of rendering maps; Geoapify (primary) and OpenStreetMap Nominatim (fallback), via Bailar’s geo-autocomplete edge function, for city/place search |
| H. Audio, electronic, visual, thermal, olfactory, or similar information | Profile photos, event photos, story-ring videos, audio attachments in messages, uploaded media, and — if you use the optional “What’s playing?” feature — a short microphone clip you initiate to identify music (only audio if you record it intentionally; we do not access your microphone in the background) | You | Display content within the Service; content moderation; safety enforcement; music recognition (for the optional “What’s playing?” feature you initiate) | Subprocessors with operational use restrictions; AudD and Apple (for the “What’s playing?” music match); recipients you choose when posting |
| I. Professional or employment-related information | For Studios, instructors, and other marketplace payees: business name, address, credentials you choose to display, and payout-compliance / KYC information (collected directly by Stripe for Stripe Connect, or by our identity-verification provider for the USDC payout rail) | You (the Studio, instructor, or payee); Stripe | Operate the Studio Service; comply with KYC/AML / tax obligations | Stripe; identity-verification providers; tax authorities where required |
| J. Education information (FERPA-defined) | Not collected | — | — | — |
| K. Inferences (Derived Data) | Dance-style preferences, engagement-pattern signals, risk scores, recommendation ranks | Derived by our automated processing systems from categories A–I | Personalize the Service; operate ranking and recommendations; security and fraud detection | None for sale; used internally only |
| L. Sensitive personal information (Cal. Civ. Code § 1798.140(ae)) | Account credentials (only as needed to log you in); precise geolocation (when you grant the permission); biometric information processed to verify identity (see Category E); content of your messages on Bailar | You | Used only for the purposes permitted under CCPA § 1798.121 (provide the Service and security); we do not infer sensitive characteristics from this data for any other use | None outside operational subprocessors |
2. SALE OR SHARING OF PERSONAL INFORMATION
Bailar does not sell your personal information for monetary consideration. On the bailar.site website, if you accept marketing/advertising cookies, the Pinterest conversion tag and Google AdSense described in our Cookie Policy may involve “sharing” of personal information (such as identifiers and internet-activity data) for cross-context behavioural advertising within the meaning of the CCPA. These tags do not load unless you accept marketing cookies, and they never load when your browser sends a Global Privacy Control (GPC) signal. You may opt out at any time by rejecting marketing cookies, sending a GPC signal, or using the Your Privacy Choices page. The Bailar mobile app does not share personal information for cross-context behavioural advertising.
3. RETENTION
Retention periods are described in Section 6 of the Privacy Policy and in the Data Deletion page. In summary: while your account is active, for as long as needed to provide the Service; after deletion, primary data is removed within thirty (30) days, encrypted disaster-recovery backups are rotated out within ninety (90) days, transaction and tax records are retained for the period required by law (typically up to seven (7) years), aggregated and de-identified data may be retained indefinitely in non-identifying form, and dispute and CSAM records are retained as required by law. The biometric identity-verification data in Category E (government-ID image and selfie facial-match data) is retained for no longer than three (3) years from verification approval and then destroyed, consistent with our published biometric retention schedule under the Illinois Biometric Information Privacy Act (740 ILCS 14/15(a)) and the Texas Capture or Use of Biometric Identifier Act.
4. SENSITIVE-PERSONAL-INFORMATION LIMITATION
The sensitive categories we may collect are those identified in Categories E and L above — biometric facial-match data (for identity verification), precise geolocation, account credentials, and the content of your messages. We use sensitive personal information only for the purposes permitted under CCPA § 1798.121(a) (providing the Service requested by the consumer; security and integrity; resisting fraud; ensuring the physical safety of a natural person; short-term, transient use; performing services on behalf of the consumer; and product quality assurance). Because the biometric facial-match data is collected and used solely to verify identity (a permitted purpose), it is not subject to the right to limit the use of sensitive personal information. We do not use sensitive personal information to infer characteristics about you.
5. YOUR CALIFORNIA RIGHTS AND HOW TO EXERCISE THEM
California residents have the rights to know, access, correct, delete, port, opt out of any sale or sharing, and limit the use of sensitive personal information. The full description and the exercise channels are in Section 8.5 of the Privacy Policy and on the Your Privacy Choices page. We honour Global Privacy Control (GPC) signals as an opt-out of any sale or sharing of personal information for cross-context behavioural advertising.
6. NON-DISCRIMINATION
We will not discriminate against you for exercising your CCPA rights. We do not offer financial incentives in exchange for the collection, sale, sharing, or retention of personal information.
7. CONTACT
To exercise any right under the CCPA or ask a question about this Notice, contact our Privacy Officer:
Paul Plawin, Privacy Officer
Bailar, Inc.
401 Ocean Dr, Suite 404
Miami Beach, FL 33139
United States
privacy@bailar.site