Privacy Policy

Sunroom is a client portal and workflow platform for creative businesses such as photographers and videographers. Creators use Sunroom to manage projects, invite clients to portals, upload and review media, collect comments, create invoices, connect payments, and send contracts.

We collect personal information in four main ways: information you provide, information generated through use of the Services, information collected automatically, and information from third parties.

2.1 Information You Provide

Account and workspace information may include:

• Name, email address, phone number, password or account authentication information, and account settings.
• Workspace owner identifiers, organization membership, role information, and team settings.
• Studio or business name, business address, contact email, phone number, website, logo, favicon, brand colors, and other branding details.
• Preferences, language, country, time zone, notification choices, and billing plan selections.

Project, client, and workflow information may include:

• Project titles, client names, client email addresses, project contacts, invited portal users, and project notes.
• Shoot dates, due dates, timelines, deliverables, tags, project stages, activity records, and status changes.
• Portal access tokens, session records, invite history, accepted invite timestamps, and related authentication information for client portals.
• Media collections, captions, filenames, file metadata, file sizes, thumbnails, playback URLs, version history, included files, and related project assets.
• Review comments, replies, resolved status, timestamps in media, change numbers, author names, author emails, and attachments or screenshots you provide to support.

Invoice, payment, payout, and subscription information may include:

• Invoice numbers, line items, amounts, taxes, due dates, notes, client billing names and email addresses, payment status, payment links, refunds, failed payments, and related transaction metadata.
• Workspace subscription status, Stripe customer identifiers, subscription identifiers, price identifiers, renewal dates, cancellation status, payment method brand, and last four digits.
• Connected account identifiers, payout readiness, charge and payout capability status, onboarding status, and Stripe requirement or review messages.
• Information required by payment processors for card payments, connected accounts, identity checks, tax reporting, and fraud prevention.

Contract and signature information may include:

• Contract templates, contract titles, contract body content, field schemas, signer roles, signer names, signer email addresses, signing status, sent dates, completion dates, and e-signature provider identifiers.
• Contract event history, webhook payloads, audit records, merge fields, and document metadata needed to create, send, track, or render contracts.

Communications and support information may include:

• Support requests, feedback, emails, chat messages, attachments, complaint details, bug reports, survey responses, and records of communications with us.
• Marketing, waitlist, beta, referral, promotion, event, partnership, press, vendor, and business contact information you choose to provide.
• Job applicant information such as resume, portfolio, work history, references, interview notes, and communications, if you apply for a role.

2.2 Information We Collect Automatically

Device, technical, usage, and location information may include:

• IP address, device type, device identifiers, browser type, browser language, operating system, app or build version, referring and exit pages, date and time of access, log files, crash reports, diagnostic data, and security logs.
• Pages, screens, or features viewed; clicks, taps, scrolls, searches, dashboard activity, creator dashboard activity, project activity, media review activity, invoice and contract activity, login activity, session duration, and error events.
• Approximate location inferred from IP address. Sunroom does not currently require precise device location for core Services.
• Cookies, local storage, SDKs, pixels, tags, web beacons, server logs, and similar technologies used for login, preferences, security, analytics, performance, and product improvement.

2.3 Information From Third Parties

We may receive information about you from:

• Authentication providers, such as WorkOS.
• Payment and financial providers, such as Stripe.
• E-signature providers, such as Documenso.
• Video processing and playback providers, such as Mux.
• Object storage and content delivery providers, including S3-compatible storage providers and Backblaze B2 where configured.
• Email delivery providers, such as Resend.
• Analytics providers, such as PostHog.
• Remote file import providers you connect or authorize, such as Google Drive, Dropbox, or OneDrive.
• Other users, creators, clients, workspace members, vendors, professional advisers, public sources, law enforcement, regulators, courts, and legal requesters.

Depending on how you use the Services, we may process sensitive personal information, including account login information, financial and payment information, tax or identity information handled by our payment partners, contents of communications, contract contents, media or files you upload, and information in support requests, disputes, or legal records.

Media and project content may include images, videos, documents, or comments that reveal sensitive characteristics about you, your clients, event participants, or other individuals. Do not upload, share, or invite access to sensitive information unless you have the rights and permissions needed to do so.

We use sensitive personal information only as reasonably necessary to provide the Services, process payments and payouts, prepare and manage contracts, secure accounts, prevent fraud, provide support, comply with law, enforce our terms, resolve disputes, or with consent where required.

4.1 Provide and Operate the Services

• Create, authenticate, and manage accounts, workspaces, teams, and roles.
• Provide dashboards, projects, client portals, timelines, calendar views, deliverables, brand settings, media galleries, review comments, versions, and file downloads.
• Invite clients, issue portal access links, manage portal sessions, and display information according to portal permissions.
• Create, send, and manage invoices, payments, subscriptions, refunds, failed payment notices, connected accounts, and payouts.
• Create, render, send, and track contracts and e-signature workflows.
• Send transactional emails, account notices, receipts, portal links, invoice notifications, payment notices, contract notices, and support communications.

4.2 Trust, Safety, Security, and Abuse Prevention

• Detect, prevent, and investigate fraud, spam, scraping, unauthorized access, payment abuse, suspicious transactions, security incidents, and misuse of portals or files.
• Enforce our terms, payment rules, usage limits, contract rules, workspace permissions, and other policies.
• Review accounts, projects, files, comments, invoices, contracts, reports, activity, and support records when needed for safety, support, dispute resolution, or legal compliance.

4.3 Analytics and Product Improvement

• Measure traffic, usage, feature adoption, funnel performance, client engagement, errors, and product performance.
• Debug and improve the Services, test new features, maintain service quality, and build aggregate or de-identified insights.
• Understand product activity such as project creation, invoice lifecycle events, contract events, portal invites, media collection creation, review comments, subscription upgrade clicks, and Stripe Connect starts.

4.4 Communications and Marketing

• Respond to inquiries, provide support, send administrative notices, and communicate about accounts, billing, payments, contracts, security, and legal updates.
• Send marketing communications where permitted, manage preferences, understand campaign effectiveness, and maintain suppression lists to honor opt-outs.

4.5 Legal Compliance and Protection

• Comply with laws, regulations, legal process, subpoenas, warrants, court orders, regulator requests, tax obligations, accounting obligations, and payment network requirements.
• Maintain records, conduct audits, cooperate with law enforcement where legally required or appropriate, establish or defend legal claims, and protect rights, safety, property, users, clients, creators, Sunroom, and the public.

5.1 Creators, Clients, and Workspace Members

Depending on the feature, settings, invite status, and user choices, we may disclose or make available project details, client names and emails, workspace branding, portal content, media, files, comments, invoices, payment status, contracts, signing status, and activity to creators, invited clients, and authorized workspace members.

People who receive access to content through a portal or workspace may save, copy, screenshot, download, record, or share information outside Sunroom, even if Sunroom or the creator does not authorize that use.

5.2 Service Providers and Processors

We may disclose personal information to vendors and service providers that help us operate the Services, including:

• Cloud hosting, databases, infrastructure, content delivery, object storage, upload, and download providers.
• Authentication, account management, security, fraud prevention, logging, monitoring, analytics, and customer support providers.
• Payment processors, connected account providers, payout providers, tax compliance providers, subscription billing providers, and financial partners.
• E-signature, contract document, video processing, media playback, email delivery, SMS or push notification, survey, marketing, and product experimentation providers.
• Remote file source providers you authorize, such as Google Drive, Dropbox, and OneDrive.
• Professional advisers, auditors, legal, accounting, tax, compliance, and insurance providers.

5.3 Payment Processors and Financial Partners

Payments, subscriptions, invoice checkout, connected accounts, payouts, refunds, chargebacks, disputes, and related transactions may be processed by third-party payment processors and financial partners. These third parties may collect and process payment, identity, fraud-prevention, tax, and transaction information under their own terms and privacy policies.

5.4 Analytics and Marketing Partners

We may disclose identifiers, device information, usage information, event data, and similar information to analytics and marketing providers to understand usage, improve the Services, and measure our communications. Sunroom does not currently disclose personal information to third-party advertising networks for targeted advertising.

5.5 Legal, Safety, Enforcement, and Business Transfers

We may disclose personal information if we believe disclosure is reasonably necessary to comply with law, respond to lawful requests, protect rights and safety, prevent fraud or abuse, enforce terms, investigate violations, support legal claims or defenses, or complete an actual or proposed merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or transfer of business.

5.6 With Your Direction or Consent

We may disclose personal information when you direct us to do so or consent to the disclosure, including when you connect a third-party account, authorize a remote file import, invite a client, send an invoice, initiate a contract, or request an integration.

5.7 Aggregate or De-identified Information

We may disclose aggregate, anonymized, or de-identified information that cannot reasonably be used to identify you. We will not attempt to re-identify de-identified information except as permitted by law, such as to test our de-identification processes.

Sunroom is built for collaborative client work. Your privacy depends in part on how creators configure projects, whom they invite, what files they upload, and how clients use portal access.

6.1 Portal Access

Sunroom project portals are currently designed for invited email access. Invited clients may receive magic links or other access methods that let them view project content, invoices, contracts, media, files, and timelines configured by the creator.

6.2 Media, Comments, and Files

Photos, videos, deliverables, brand assets, documents, and comments may be processed to provide upload, storage, display, versioning, playback, review, download, delivery, support, moderation, security, and legal compliance features.

6.3 Deletion of Content

Deleting content or closing an account may not immediately remove:

• Copies already viewed, downloaded, saved, recorded, or shared by others.
• Records needed for safety, security, dispute resolution, legal compliance, accounting, tax, payment processing, fraud prevention, audits, or enforcement.
• Backup copies retained for a limited period.
• Content or records retained under legal hold, lawful request, or provider retention rules.

We may use automated systems, rules, analytics, or similar technologies to support authentication, portal access, upload processing, media playback and thumbnails, fraud detection, abuse prevention, account security, payment workflows, product analytics, error detection, and feature recommendations.

Sunroom does not intend to make decisions with legal or similarly significant effects based solely on automated processing unless permitted by law and accompanied by required notices and safeguards. Where required by law, you may have the right to object to, appeal, or request human review of certain automated decisions.

We and our service providers may use cookies, local storage, SDKs, pixels, tags, web beacons, server logs, and similar technologies for essential operations, preferences, analytics, security, product improvement, and communications measurement.

You can control cookies and tracking through your browser settings, device settings, app settings, unsubscribe links, and any available preference tools. Disabling cookies or tracking may affect functionality.

Some browsers offer a "Do Not Track" signal. There is no uniform industry standard for responding to Do Not Track signals. Sunroom does not currently use third-party advertising networks for targeted advertising. If that changes, we will provide any legally required opt-out mechanisms.

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, maintain accounts, process payments, support projects, comply with law, resolve disputes, enforce agreements, protect safety, and maintain security.

When personal information is no longer needed, we may delete, de-identify, aggregate, or anonymize it.

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, loss, misuse, alteration, and disclosure. Safeguards may include encryption in transit, access controls, authentication controls, logging, monitoring, vendor review, security reviews, fraud-prevention tools, incident response processes, and employee or contractor access restrictions.

No method of transmission or storage is completely secure. You are responsible for maintaining the confidentiality of your login credentials, protecting portal links, and using secure devices and networks. If we determine that a security incident requires notification under applicable law, we will notify affected individuals, regulators, or other parties as required.

11.1 Account, Workspace, and Portal Controls

Creators may be able to access, update, or delete certain account, workspace, project, portal, invoice, contract, media, and branding information through the dashboard. Clients may be able to access certain portal information through the portal access flow or by contacting the creator who invited them.

11.2 Marketing Communications

You may opt out of marketing emails by using the unsubscribe link in the email or by contacting us. You may still receive non-marketing messages, such as account, transaction, security, legal, support, invoice, contract, payment, and service-related notices.

11.3 Payment Information

Payment information may be stored and processed by third-party payment processors. You may need to manage or delete payment methods, connected account information, or payout details through the relevant payment processor, account settings, or support process.

11.4 Privacy Rights Requests

Depending on applicable law, you may have the right to confirm whether we process your personal information, access personal information, receive a portable copy, correct inaccurate information, delete personal information, restrict processing, object to processing, withdraw consent, opt out of sale, sharing, or targeted advertising, opt out of certain profiling or automated decision-making, limit use or disclosure of sensitive personal information, appeal a denied request, or lodge a complaint with a regulator.

To submit a request, contact us using the methods in Section 19. We may need to verify your identity before completing certain requests. We may deny or limit requests where permitted by law, including where we cannot verify your identity, the request is excessive or unfounded, the information is exempt, retention is legally required, or deletion would interfere with safety, security, legal claims, payments, fraud prevention, tax obligations, or the rights of others.

11.5 Authorized Agents and Appeals

Where applicable, you may authorize another person to submit a privacy request on your behalf. We may require proof of authorization, identity verification, and direct confirmation that you authorized the request, unless prohibited by law. If we deny your privacy request and applicable law gives you a right to appeal, you may appeal by replying to our decision or contacting us using the methods in Section 19.

This section applies to residents of U.S. states with consumer privacy laws that apply to Sunroom, which may include California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia, and other states as laws become effective.

12.1 Sale, Sharing, and Targeted Advertising

Sunroom does not disclose personal information to third parties in exchange for money. Sunroom does not currently use third-party advertising networks for targeted advertising, and does not currently disclose personal information in a way we understand to be a "sale," "sharing," or "targeted advertising" under U.S. state privacy laws. If that changes, we will update this Privacy Policy and provide required opt-out mechanisms.

12.2 Sensitive Personal Information

We use and disclose sensitive personal information only for purposes permitted by applicable law, including to provide the Services, secure accounts, process payments and payouts, manage contracts, prevent fraud, comply with law, and protect users, clients, creators, and Sunroom.

12.3 Non-Discrimination

We will not unlawfully discriminate against you for exercising privacy rights. We will not deny services, charge different prices, or provide a different level of service because you exercised your rights, except where permitted by law or where the personal information is necessary to provide the requested service.

12.4 Financial Incentives

Sunroom does not currently offer a loyalty, rewards, discount, or financial incentive program in exchange for personal information. If we offer such a program, we will provide any notice and consent required by law.

12.5 California Shine the Light and Nevada Rights

California residents may request information about certain disclosures of personal information to third parties for their direct marketing purposes. Nevada residents may submit a request directing us not to sell certain covered information as defined under Nevada law. To submit either request, contact us using the methods in Section 19.

In the preceding 12 months, Sunroom may have collected the categories listed in Section 12 and disclosed them for business purposes to the recipients listed in Section 12.

California residents may have the right to know what personal information we collect, use, disclose, sell, or share; access personal information; delete personal information; correct inaccurate personal information; opt out of sale or sharing; limit use and disclosure of sensitive personal information; receive information about data practices; and not be discriminated against for exercising rights.

Submit requests using the methods in Section 19. California residents may use an authorized agent to submit requests. We may require proof of authorization and may ask you to verify your identity directly with us.

14.1 Controller

The controller of your personal data is Sunroom. Contact details are listed in Section 19. Where required, Sunroom will identify any EU representative, UK representative, or Data Protection Officer through a supplemental notice or updated contact information.

14.2 Legal Bases for Processing

You may withdraw consent at any time where processing is based on consent. Withdrawal does not affect processing that occurred before withdrawal.

14.3 Special-Category Data

If you choose to provide project content, media, comments, files, contracts, profile information, or support information that reveals special-category data, we process that information to provide the Services, display or transmit the content according to your choices and permissions, support the project workflow, maintain safety, and comply with law.

14.4 International Transfers

Sunroom is based in the United States, and your personal data may be processed in the United States and other countries that may not provide the same level of data protection as your home jurisdiction. Where required, we use appropriate safeguards for international transfers, such as adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Addendum or similar mechanisms, contractual safeguards, technical safeguards, organizational safeguards, or other lawful transfer mechanisms.

14.5 Your Rights

Subject to legal limits, you may have the right to access, correct, delete, restrict, object, port, withdraw consent, object to direct marketing, object to certain automated decision-making, or lodge a complaint with a supervisory authority. To exercise rights, use the methods in Section 19.

The Services are not directed to children under 13, and Sunroom does not knowingly collect personal information directly from children under 13. Account holders must be old enough to enter into a binding agreement with Sunroom.

Because Sunroom is used by creative businesses, creators may upload project media or files that include minors, such as family, school, wedding, event, or portrait photography. Creators are responsible for having the rights, consents, notices, and permissions needed to upload, process, invite access to, and share that content through Sunroom.

If you believe a child has provided personal information directly to Sunroom without appropriate consent, contact us using the methods in Section 19.

The Services may contain links to or integrations with third-party services, including authentication providers, payment processors, app stores, analytics providers, e-signature providers, video processors, object storage providers, file import providers, email providers, creator tools, communication providers, linked websites, and other resources.

Third-party services are governed by their own terms and privacy policies. We are not responsible for the privacy, security, or content practices of third parties.

This section explains how Sunroom accesses, uses, stores, shares, retains, and deletes information received from Google APIs when a user chooses to connect a Google account or import from Google Drive. Sunroom's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

17.1 Google Data Accessed

Sunroom accesses Google user data only after a user authorizes the applicable Google OAuth flow. Depending on the feature used, this may include:

• Google Calendar sync: the user's Google account identifier and email address, OAuth access and refresh tokens, and permission to create, update, and delete Sunroom-managed events on the user's primary Google Calendar.
• Google Calendar event data created by Sunroom: project timeline event title, date and time, location, notes, project name, portal calendar link, Google event identifiers, sync status, and sync error metadata.
• Google Drive import: metadata for files the user browses or selects through the Google Drive picker or remote file importer, such as file names, file type, file size, source account context, and provider file identifiers.
• Google Drive file contents only for files the user explicitly selects for import into a Sunroom project, media library, asset collection, or deliverable workflow.

17.2 Google Data Usage

Sunroom uses Google user data only to provide user-facing features that the user chooses:

• For Google Calendar sync, Sunroom creates and updates calendar events that mirror project timeline items, includes project details in those events, tracks the Google event identifiers needed to keep events in sync, and deletes Sunroom-managed events when timeline items are removed or when the user disconnects and chooses to remove synced events.
• For Google Drive import, Sunroom lets the user browse Google Drive, select specific files, transfer those selected files into Sunroom storage, and attach them to the relevant project, media, asset, or deliverable workflow.
• Sunroom does not use Google user data for advertising, retargeting, personalized ads, credit-worthiness, lending, selling data, or training generalized AI models.
• Sunroom does not allow employees, contractors, or service providers to read Google user data unless necessary to provide support requested by the user, investigate security or abuse issues, comply with law, or operate the Services using aggregated or de-identified information.

17.3 Google Data Sharing

Sunroom does not sell Google user data. Sunroom shares Google user data only as needed to provide the features the user requested, with the user's direction or consent, for security and abuse prevention, to comply with law, or as otherwise permitted by the Google API Services User Data Policy. This may include sharing with:

• Cloud hosting, database, object storage, upload, and content delivery providers that process selected Google Drive files, Google Calendar sync records, and related metadata for Sunroom.
• Google, when Sunroom uses Google APIs to authenticate the user, retrieve authorized account information, transfer selected Drive files, and create, update, or delete Sunroom-managed calendar events.
• Authorized creators, clients, and workspace members when a user imports a Google Drive file into a Sunroom workspace or project area that those users are permitted to access.
• Professional advisers, law enforcement, courts, regulators, or other parties when disclosure is required or appropriate for legal compliance, safety, security, fraud prevention, or enforcement.

17.4 Google Data Storage and Protection

Sunroom stores Google OAuth tokens for Calendar sync in encrypted form and uses them only to maintain the calendar connection selected by the user. Google Drive OAuth sessions for remote file import are handled by Sunroom's upload companion service and are used to complete the selected file transfer. Selected Google Drive files are stored in Sunroom's configured object storage after import, subject to the same project and workspace permissions as other uploaded files.

Sunroom uses safeguards designed to protect Google user data, including HTTPS encryption in transit, encryption or provider security controls for data at rest where supported, token encryption for stored Calendar credentials, access controls, authentication checks, logging, monitoring, vendor controls, security reviews, and restrictions on employee or contractor access.

17.5 Google Data Retention and Deletion

Sunroom retains Google user data only as long as reasonably necessary to provide the selected integration, comply with legal obligations, resolve disputes, maintain security, prevent abuse, or enforce agreements.

• Google Calendar connection records and encrypted tokens are retained while the user keeps Calendar sync connected. When a user disconnects Calendar sync, Sunroom deletes the stored connection and tokens. If the user chooses to remove synced events, Sunroom also attempts to delete the Sunroom-managed events from the user's Google Calendar.
• Google Calendar event mapping records are retained while needed to keep Sunroom-managed events in sync and are deleted when the related calendar connection or mapped timeline event is removed, subject to backups, logs, legal holds, and security needs.
• Imported Google Drive files are retained like other uploaded Sunroom files until deleted by an authorized user or no longer needed, subject to backups, legal holds, disputes, security needs, and compliance obligations.
• Users can request deletion of Google user data by disconnecting Calendar sync, deleting imported files where product controls are available, or contacting Sunroom using the methods in Section 19.

We may update this Privacy Policy from time to time. If we make changes, we will update the "Last Updated" date above. If we make material changes, we may provide additional notice, such as by email, in-app notice, website notice, or another legally required method. Your continued use of the Services after an updated Privacy Policy becomes effective means you acknowledge the updated Privacy Policy, to the extent permitted by law.

For questions, requests, or concerns about this Privacy Policy or Sunroom's privacy practices, contact us through your Sunroom account or at: