IOX Privacy Policy

Version 1.1 — effective 2026-05-15 (supersedes v1.0) Applies to iox.llc, auth.iox.llc, every IOX spoke domain listed in Appendix A, and all IOX apps.

Changes from v1.0: expanded §10 (Children) with explicit COPPA parental rights, parent-booking-for-child handling, and minor-account procedures; added §9.4 covering Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other US state privacy laws.

The short version

  • IOX LLC runs a family of booking + ticketing + merchandise platforms tied together by one customer identity. One login, many experiences.
  • We collect the data we need to run that service, keep it secure, process your payments, remember your loyalty points, and show you experiences you'd like.
  • We don't sell your personal information.
  • You can see, correct, export, and delete your data from /account/profile or by emailing support@iox.llc.
  • Under GDPR (EU/UK) and CCPA/CPRA (California) you have additional rights — spelled out in §9.

This Privacy Policy is part of IOX's Terms of Service. If we say something in both, they mean the same thing.

1. Who we are (the controller)

IOX LLC, a Tennessee limited liability company. Contact for privacy questions: support@iox.llc.

For requests under GDPR, CCPA/CPRA, or any other privacy law, email the same address with "Privacy Request" in the subject line.

IOX is the controller of your personal data when you're using iox.llc, auth.iox.llc, or any IOX spoke as a customer. When you transact with a specific tenant, that tenant is a separate controller for the transaction data with them; IOX acts as the tenant's processor on the platform side (see §4).

2. What we collect

2.1 You give us

  • Account info: name, email, phone, password (stored hashed, we never see it), profile photo if you upload one.
  • Identity verification data where required by a spoke's industry (e.g., age-verified admission for certain experiences, digital signatures on waivers the tenant requires). We store only what's required; hashed/redacted where possible.
  • Payment method: card details go directly to Stripe. IOX only sees the last 4 digits, card brand, and expiry.
  • Content you post: reviews, photos of your experience, friend request messages, testimonial text.
  • Friends list and party members: who you add as IOX friends, who you bring on group bookings.
  • Preferences: privacy settings, notification preferences, saved locations.

2.2 We collect automatically when you use IOX

  • Booking/purchase history across every IOX spoke you use.
  • Activity: pages viewed, clicks, searches, time spent, what you added to a cart, what you abandoned.
  • Device + technical info: IP address, browser, operating system, device type, screen size, language, referring page, cookies and local storage.
  • Location data: approximate location from IP (for currency, tax, nearby recommendations). Precise GPS only if you opt in on a specific feature.

2.3 We receive from third parties

  • Spoke operators (tenants): when you book with a tenant, they may share fulfillment data with us (e.g., "Sarah arrived at 7pm") for cross-platform activity features.
  • Social login providers (if you sign in with Google, Apple, etc.): basic profile you authorize them to share.
  • Payment processor: Stripe tells us whether your card was approved, whether a refund posted, whether a dispute was filed.
  • Fraud / security providers: if our anti-fraud or anti-abuse tooling flags you, that flag is attached to your account.

3. How we use your data

We use it for:

  1. Running your account — sign-in, your bookings, your loyalty points, your friends, your profile.
  2. Delivering what you booked or bought — passing the booking to the tenant, showing your QR ticket, letting staff check you in.
  3. Processing payments — through Stripe. Refunds the same way.
  4. The social + discovery features — activity feed, friends, cross-platform recommendations, "your friend went here" nudges (subject to your privacy settings).
  5. Customer support — looking up your booking when you email us, resolving disputes.
  6. Security and fraud prevention — detecting stolen-card purchases, scraping, bot sign-ups, account takeover.
  7. Service improvement — product analytics, A/B testing, performance monitoring. Aggregated and anonymized wherever possible.
  8. Marketing communication — only if you opt in. Transactional emails (receipts, reminders) don't need opt-in; you get them while your account is active.
  9. Legal compliance — tax reporting, subpoenas, law enforcement requests when legally required.

Legal basis under GDPR (if you're in the EU/UK)

  • Contract (Art. 6(1)(b)): we process your data to deliver the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): security, fraud prevention, service improvement, and platform-level safety.
  • Consent (Art. 6(1)(a)): marketing emails, optional features like precise-location discovery, shared-activity preferences that are broader than the default.
  • Legal obligation (Art. 6(1)(c)): tax, sanctions screening, law enforcement response.

4. When you book with a tenant

When you book or buy from a specific tenant (e.g., Smoky Mountain Escape Games on Skape):

  • We share your name, contact info, and booking details with that tenant so they can deliver the experience.
  • The tenant is a separate controller for the data they use to run their business with you — they may email you, offer you deals, ask for a review.
  • The tenant's emails must include an unsubscribe link; you can also block a tenant's messages from your IOX account.
  • IOX keeps the booking record for cross-platform features (your activity feed, loyalty, social).
  • Other tenants cannot see that you booked with this tenant. Tenants are walled off from each other.

5. Sharing data

We share with:

  • Tenants you booked with. Only the data they need. Not your activity on other spokes.
  • Service providers we rely on to run IOX:
    • Supabase — our database and authentication host (hosted on AWS in the United States).
    • Stripe — payment processing.
    • Vercel — application hosting.
    • Resend — transactional email delivery.
    • Twilio — SMS delivery (phone verification and SMS notifications where applicable).
    • Sentry / observability provider — error monitoring.
    • Each provider is bound by a data processing agreement with us and uses your data only to provide the specific service.
  • Legal and safety: when required by law, subpoena, or court order, or when we have a good-faith belief that disclosure is necessary to prevent fraud, harm, or serious injury.
  • Business transfers: if IOX is sold or merges, your data goes to the acquiring company subject to this policy (or a more protective one). We'll email you before any such transfer takes effect.

We do not sell your personal information. Not to advertisers, not to data brokers, not to anyone. "Sale" here includes the broader definition under CCPA/CPRA.

We do not share your data with tenants other than the tenant you transacted with. Tenants on IOX are walled from each other by default. Cross-tenant signals are only ever anonymized aggregates (e.g., "x% of customers on this spoke book on weekends").

6. International data transfers

  • IOX's primary infrastructure is in the United States.
  • If you are in the EU, UK, or another region with data-protection laws that restrict US transfers, your data is transferred to the US to deliver the service.
  • We rely on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum for these transfers, plus supplementary measures including encryption in transit and at rest.
  • If you want a copy of the SCCs used, email support@iox.llc.

7. How long we keep your data

  • Active accounts: for as long as your IOX account exists.
  • Deleted accounts: profile data is deleted within 30 days of your deletion request. Transactional records (bookings, orders, payments) are retained as long as the tenant and applicable law require — typically 7 years for tax records, longer if a specific legal hold applies.
  • Backups: we keep encrypted backups for 30 days. A deletion request will purge your data from the active system within 30 days and from backups within 60 days.
  • Cookies and analytics logs: up to 24 months.

8. Security

We use:

  • Encryption in transit (TLS 1.2+) on all IOX traffic.
  • Encryption at rest for databases, file storage, backups, and sensitive columns (e.g., Growth Engine Referrer tax IDs) with envelope encryption.
  • Principle of least privilege for staff access; access to production data is logged.
  • MFA required for staff accessing production systems.
  • Regular security reviews of our code, infrastructure, and third-party providers.

No system is perfect. If a security incident affects your data, we'll notify you as required by law (generally within 72 hours of confirming it under GDPR, and consistent with state breach-notification laws) at the email address on file.

9. Your rights

9.1 Everyone

  • See your data: request a copy of what we hold about you.
  • Correct it: update it from /account/profile or ask us to fix it.
  • Export it: download your profile, bookings, loyalty history in a standard format.
  • Delete your account and data: from /account/profile or by email. Transactional records subject to retention policy (§7).
  • Opt out of marketing: unsubscribe link in every marketing email; toggle in /account/profile. (Transactional emails about bookings continue while your account is active.)
  • Adjust privacy settings: control activity visibility, friend-request permissions, cross-platform recommendation presence, party-visibility defaults.

9.2 EU / UK residents (GDPR + UK GDPR)

In addition to the above:

  • Right to restriction — pause our processing while we work through a dispute.
  • Right to object — object to processing based on legitimate interests; we'll stop unless we have compelling grounds.
  • Right to data portability — get your data in a machine-readable format.
  • Right to withdraw consent — any time, for consent-based processing (marketing, etc.).
  • Right to lodge a complaint — with your national data-protection authority. You can find yours at edpb.europa.eu.
  • Automated decision-making: we don't make purely automated decisions that have legal or similarly significant effects on you.

9.3 California residents (CCPA / CPRA)

In addition to everyone's rights:

  • Right to know categories and specific pieces of personal information collected, used, disclosed, and sold/shared.
  • Right to delete (subject to statutory exceptions like tax retention).
  • Right to correct inaccurate information.
  • Right to opt out of sale / sharing — as stated above we don't sell or share (as the term is defined under CPRA) your personal information, so this is not applicable. We still honor opt-out signals like Global Privacy Control.
  • Right to limit use of sensitive personal information — we use SPI only for the purposes disclosed; you can ask us to limit further.
  • Right against discrimination for exercising rights — we never penalize you for any privacy request.

9.4 Other US state residents

The following US states have enacted comprehensive privacy laws giving residents similar rights — to know, access, correct, delete, obtain a portable copy, and opt out of targeted advertising or any "sale" of personal information. IOX honors these rights for residents of:

  • Virginia — Consumer Data Protection Act (CDPA)
  • Colorado — Colorado Privacy Act (CPA)
  • Connecticut — Data Privacy Act (CTDPA)
  • Utah — Consumer Privacy Act (UCPA)
  • Texas — Data Privacy and Security Act (TDPSA)
  • Oregon — Consumer Privacy Act
  • Montana — Consumer Data Privacy Act
  • Tennessee — Information Protection Act
  • Delaware, Iowa, New Hampshire, New Jersey, Minnesota, Maryland, Indiana, Rhode Island, Kentucky, and Nebraska — to the extent each state's comprehensive privacy law is in effect at the time of your request.

To exercise these rights, email support@iox.llc with "Privacy Request" and your state of residence in the subject. We respond within the timeframe required by your state's law (typically 45 days, with a 45-day extension for complex requests). The first request in any 12-month period is free; we may charge a reasonable fee for excessive or repetitive requests.

We do not "sell" or "share" personal information for cross-context behavioral advertising under any of these laws. We honor Global Privacy Control as a universal opt-out signal where applicable.

9.5 How to exercise rights

Email support@iox.llc with your request. Include your account email and enough info to verify identity. We respond within 30 days (45 for complex requests, with notice to you). No charge for the first request in a 12-month period.

10. Children

IOX is not directed to children under 13 and we do not intentionally collect personal information from children under 13. The service is intended for adults and minors aged 13 and older.

10.1 If a child under 13 has used IOX

If you are a parent or legal guardian and you believe a child under 13 has created an IOX account or had their personal information collected by IOX without your knowledge, email support@iox.llc with "Child Privacy Request" in the subject. We will:

  • Verify the request (we may ask for proof the account belongs to your child or that you have parental authority).
  • Delete the account and all personal information we hold about that child within 30 days of verification.
  • Refuse any further collection of that child's personal information unless and until you provide verifiable parental consent.

10.2 Parents booking experiences for children

Adult IOX account holders frequently book experiences that their own children will attend (a parent buys a 7D Dark Ride pass for an 8-year-old, an escape room for a 10-year-old's birthday party, etc.). When a parent supplies a child's information to IOX or to a tenant for fulfillment purposes — the child's first name on the booking, an allergy or accessibility note, a waiver entry on behalf of a minor — we treat that information as the parent's choice to disclose, not as direct collection from a child.

The parent (account holder) remains responsible for:

  • The accuracy of the child's information supplied.
  • Communicating any relevant terms or privacy notices to the child as appropriate for the child's age.
  • Acting on the child's behalf for any privacy request relating to that child's information.

10.3 Minors aged 13 to 17

US law on online services for teenagers varies by state, and additional rules apply in some states (California's AADC, Connecticut, Maryland, and others). IOX applies the stricter standard where it applies to the user, and:

  • We will not knowingly use a minor's data for behaviorally targeted advertising while the user is under 18.
  • A parent or legal guardian who wishes to review, restrict, or delete a minor's IOX information can email support@iox.llc with "Minor Account Request" in the subject. We will verify the request before acting.
  • Where a spoke industry imposes age restrictions on the experience itself (e.g., alcohol-served experiences are 21+ in the US), the tenant operating the venue enforces those restrictions at point of admission. IOX's platform does not constitute age verification for the underlying activity.

10.4 Parents' COPPA rights

Even though IOX is not directed to children under 13, where we have actual knowledge of a child's personal information in our system, the child's parent or guardian has the right under the Children's Online Privacy Protection Act (COPPA) to:

  • Review the personal information IOX holds about their child.
  • Refuse to permit further collection or use of that information.
  • Delete the information.

To exercise these rights, email support@iox.llc with "COPPA Request" in the subject and supply: your name, your relationship to the child, the child's name and any identifying information we'd need to find them in our system, and a reasonable way for us to verify your identity (a copy of an ID we can cross-check against the account, a brief video call, or another method we agree to).

We do not condition a child's participation in any activity on the disclosure of more personal information than is reasonably necessary.

11. Cookies and similar tech

We use cookies and local storage for:

  • Essential — session, authentication, cart, load balancing. These can't be turned off; the product won't work without them.
  • Preferences — remembering your language, currency, recent searches.
  • Analytics — anonymized usage data to improve the product.
  • Security — fraud prevention, bot detection.

We don't use third-party advertising cookies. We don't share cookie data with ad networks.

You can control cookies in your browser. Disabling essentials will break sign-in and booking.

12. Do-Not-Track and Global Privacy Control

We honor Global Privacy Control signals as an opt-out of any "sale" or "sharing" of personal information (again, we don't sell or share, but we process the signal consistently).

We don't act on browser-level DNT signals since there's no industry consensus on what they require. GPC is our preferred signal.

13. Third-party links

IOX sites may link to third-party sites (tenant social media, press articles, etc.). Their privacy practices are their own. Read their policies before sharing data with them.

14. Accessibility

We work to make IOX accessible per WCAG 2.1 AA. If you can't exercise a privacy right because of an accessibility issue, email support@iox.llc and we'll help.

15. Changes to this policy

If we change this policy in a way that materially reduces your privacy rights, we'll email account holders at least 30 days before the change takes effect. Minor clarifications we can update any time; the current version always lives at iox.llc/privacy with a revision date.

Historical versions are available at iox.llc/privacy/archive.

16. Contact

General privacy questions: support@iox.llc Legal process / subpoenas: support@iox.llc (we'll route to counsel) Mailing address: IOX LLC, Tennessee, USA (specific address available on written request)

Appendix — IOX domains covered by this policy

IOX Hub:

Spokes (each has two IOX-owned domains):

  • Skape: skapetickets.com · ioxskape.com
  • Blade: bladetickets.com · ioxblade.com
  • Stage: ioxstage.com · ioxstage.com
  • Wedge: wedgetickets.com · ioxwedge.com
  • Lane: lanetickets.com · ioxlane.com
  • Gear: geartickets.com · ioxgear.com
  • Screen: screentickets.com · ioxscreen.com
  • Stall: stalltickets.com · ioxstall.com
  • Fame: fametickets.com · ioxfame.com
  • Drift: drifttickets.com · ioxdrift.com
  • Diving: divingtickets.com · ioxdiving.com
  • Bungee: bungeetickets.com · ioxbungee.com
  • Trail: trailtickets.com · ioxtrail.com
  • Sailing: sailingtickets.com · ioxsailing.com
  • Rage: ragetickets.com · ioxrage.com
  • Raft: rafttickets.com · ioxraft.com
  • Plate: platetickets.com · ioxplate.com
  • Grit: grittickets.com · ioxgrit.com
  • Remix: remixtickets.com · ioxremix.com

New spokes launched during your account's life are automatically covered by this same policy.

Version 1.0 · effective 2026-04-21 · questions to support@iox.llc.

Questions about this document? Email support@iox.llc.