Privacy Policy
Effective Date: 09/17/2025
Last Updated: 09/17/2025
1) Overview & Scope
WonderWalled ("we," "our," "us") respects your privacy and is committed to protecting the personal information we process in connection with our in‑person services (the café and play areas), our website, online booking platform, memberships, and events in the United States. This Privacy Policy explains what data we collect, how we use it, the choices you have, and your rights under applicable law, including the Colorado Privacy Act (CPA), and, where applicable, the California Consumer Privacy Act (CCPA/CPRA) and the Children’s Online Privacy Protection Act (COPPA). This policy is not legal advice and may be updated from time to time.
2) Key Definitions
• "Personal Information" (PI): Information that identifies, relates to, or can reasonably be linked with an individual (e.g., name, email).
• "Child" or "Children": Individuals under 13 years old (COPPA). For safety notes, we also reference minors under 18 where relevant.
• "Processing": Any operation performed on data (collection, storage, use, disclosure, deletion).
3) Information We Collect
We collect information directly from you, automatically when you use our website, and from service providers we use to run our business.
3.1) Information You Provide
• Parent/Guardian & Adult Guests: name, email, phone, postal address, account/login details, membership details.
• Child Participants: first name, last name (optional), age, allergy or dietary notes, emergency contact, and party guest lists when supplied by parents/guardians.
• Transactions: payment method (processed by third‑party processors), purchase history, booking details and waivers.
• Communications: inquiries, feedback, photos/videos you submit or consent to, and marketing preferences.
• Event/Party Planning: party time, package selections, headcount, special requests.
3.2) Information Collected Automatically (Online)
• Device & Usage: IP address, browser type, pages visited, time on site, and referrer.
• Cookies/Similar Tech: session cookies, preference cookies, analytics cookies, and (if enabled) advertising cookies. See Cookies section for details and choices.
3.3) Information from Third Parties
• Payment processors (e.g., Stripe/Square) provide payment confirmations and limited card metadata (we do not store full card numbers).
• Booking, scheduling, and email tools (e.g., booking apps, email marketing platforms) provide reservation status and communication metrics.
4) How We Use Personal Information
• Provide Services: manage bookings, memberships, admissions, check‑ins, and party/event operations.
• Safety: maintain allergy notes and emergency contacts; verify waivers and supervise capacity limits.
• Payments: process transactions via PCI‑compliant providers.
• Communications: send confirmations, reminders, service messages, and (with consent/opt‑in) promotions.
• Improvements: analyze usage to improve facilities, staffing, safety, and website performance.
• Legal/Compliance: maintain records, respond to lawful requests, enforce our policies.
5) Legal Bases & Your Rights (Colorado Privacy Act; CPRA where applicable)
We act as a "controller" under the Colorado Privacy Act (CPA) when we determine the purposes and means of processing. Depending on context, our legal bases include consent (e.g., for marketing and children’s data), performance of a contract (e.g., bookings, memberships), legitimate interests (e.g., security, service improvements), and compliance with law.
Your rights may include:
• Access: request a copy of personal information we maintain about you.
• Correction: request correction of inaccurate information.
• Deletion: request deletion of personal information (subject to certain exceptions).
• Portability: receive certain information in a portable format.
• Opt‑Out: of targeted advertising, sale/sharing of personal information (we do not sell PI in the traditional sense), and certain profiling.
• Appeal: if we decline your request, you may appeal and we will explain our reasoning and further options.
Submit requests to: [privacy@[domain].com] or [web form URL]. We will verify your identity before fulfilling requests.
6) Children’s Privacy (COPPA)
We collect information about children only from parents/guardians or with verifiable parental consent when necessary for safety and event administration. We do not knowingly permit children under 13 to create online accounts or submit personal information without parental involvement. Parents/guardians may review, delete, or refuse further collection or use of their child’s information by contacting us at [privacy@[domain].com].
7) Photos, Video, and On‑Site Cameras
• Event Photography: We may offer optional photography during parties or events with explicit parental consent. Consent can be withdrawn at any time.
• Marketing Photos: We will only use identifiable images of children in marketing with written parental consent.
• Security Cameras (if implemented): We may use on‑site CCTV for safety and security (no cameras in restrooms or private areas). Recordings are retained for a limited period and accessed only by authorized personnel.
8) How We Share Information
We do not sell personal information. We may share information with:
• Service Providers/Processors: payment processors, booking and email platforms, analytics, web hosting, and customer support tools bound by contracts.
• Legal/Compliance: law enforcement or regulators when required.
• Business Transfers: in the event of a merger, acquisition, or asset transfer, subject to this Policy’s protections.
9) Data Security
We implement reasonable administrative, technical, and physical safeguards, including encryption in transit, least‑privilege access controls, employee training, and vendor due diligence. No method of transmission over the Internet or electronic storage is 100% secure; we cannot guarantee absolute security.
10) Data Retention
We retain personal information only as long as necessary for the purposes described and to comply with legal, accounting, or reporting obligations. Typical retention periods are summarized below.
| Category | Typical Retention
| Bookings & Membership Records | Up to 3 years after last activity
| Transaction/Tax Records | 7 years (legal/accounting)
| Allergy/Emergency Info | Deleted/updated after the event or membership ends
| CCTV (if used) | 7–30 days unless needed for investigation
| Marketing Preferences & Email Lists | Until you opt out or request deletion
| Customer Support Communications | Up to 2 years after resolution
11) Cookies & Online Tracking
We use cookies and similar technologies to operate our website, remember preferences, measure performance, and (if enabled) deliver relevant ads. You can control cookies via your browser settings or our cookie banner (where provided). Disabling cookies may affect site functionality.
| Cookie Type | Purpose
| Strictly Necessary | Site operation, bookings, security
| Preferences | Remember settings like location and language
| Analytics | Understand usage to improve services
| Advertising (optional) | Deliver and measure ads; you can opt‑out
Do Not Track: Our site does not respond to Do Not Track signals. We honor applicable opt‑out rights under CPA/CPRA for targeted advertising.
12) International Visitors & Data Transfers
We are based in the United States. If you access our services from outside the U.S., your information may be transferred to and processed in the U.S. We apply appropriate safeguards when transferring data and process information as described in this Policy.
13) Your Choices & Controls
• Marketing: You may opt out of promotional emails via the unsubscribe link or by contacting us.
• Cookies: Manage cookies through your browser or our cookie tool.
• Accounts: Update or delete your account information by emailing us.
• Children’s Data: Parents may review or delete their child’s information at any time.
14) Submitting Requests & Appeals (CPA/CPRA)
To exercise your rights, contact us at [privacy@[domain].com] or [mailing address]. Include your name, contact details, and the nature of your request. We will verify your identity and respond within the timeframe required by law. If we deny your request, you may submit an appeal by replying to our response and indicating "Appeal" in the subject line. We will provide a written explanation of our decision and how you may contact the Colorado Attorney General if you remain unsatisfied.
15) Third‑Party Links & Services
Our website and emails may link to third‑party sites or services (e.g., social networks, booking tools). We are not responsible for their privacy practices. Please review their policies before providing information.
16) Changes to this Policy
We may update this Privacy Policy to reflect changes to our practices or for legal, technical, or operational reasons. We will post the updated version with a new "Last Updated" date. Material changes will be highlighted or otherwise communicated as appropriate.
17) Contact Us
Controller: [Play Café Name]
Address: [Street, City, State, ZIP]
Email: [privacy@[domain].com]
Phone: [###‑###‑####]
Appendix A – Common Service Providers (Examples)
• Payment Processing: Stripe, Square – process payments securely; we do not store full card details.
• Bookings/Events: [Booking Platform Name] – manage reservations and reminders.
• Email & Marketing: Mailchimp/Klaviyo – send newsletters and confirmations.
• Analytics: Google Analytics – analyze website traffic and usage trends.
• Cloud/Hosting: [Hosting Provider] – host website and databases.
Appendix B – Data Map & Retention Summary
This appendix summarizes what we collect, where it’s stored, and how long we keep it. For detailed, current inventories and vendor lists, contact us at the email above.