Privacy Policy
Effective Date: May 10, 2026 · Last Updated: May 10, 2026
This Privacy Policy (the “Policy”) describes how Game Command LLC, a Nebraska limited liability company doing business as 402sites (“Penned,” “we,” “our,” or “us”), collects, uses, discloses, and otherwise processes personal information in connection with the Penned platform, the websites located at pennedhq.com and any subdomain thereof, the applications and application programming interfaces made available by us, and any related products, features, and services (collectively, the “Service”).
This Policy is incorporated by reference into our Terms of Service and uses the capitalized terms defined therein. By accessing or using the Service, you acknowledge that you have read and understood this Policy.
Contents
- Scope and Roles
- Categories of Personal Information
- How We Collect Personal Information
- How We Use Personal Information
- Legal Bases (EEA / UK)
- Disclosures and Service Providers
- Cross-Tenant and Federation Data Flows
- Communications: SMS, Email, Calendar
- Cookies and Similar Technologies
- Data Retention
- Data Security
- International Transfers
- Your Rights
- California Privacy Rights (CCPA / CPRA)
- Other U.S. State Rights
- EEA, UK, and Swiss Rights
- Children and Minors
- Do Not Track
- Third-Party Sites and Services
- Changes to This Policy
- Contact and Data Protection Inquiries
1. Scope and Roles
This Policy applies to personal information we collect from or about (a) visitors to our websites; (b) prospective and current Tenants and the personnel of Tenants; (c) Pros operating Pro Accounts; (d) Customers booking or attending appointments; and (e) other individuals who interact with us in connection with the Service.
For purposes of applicable data-protection laws:
- With respect to personal information we collect directly from visitors, prospective and current account holders, Pros operating Pro Accounts, and Customers operating Customer Accounts, Game Command LLC acts as a controller (or, under United States state privacy laws, a “business”).
- With respect to Tenant Data — personal information that a Tenant uploads, generates, or causes to be processed within its workspace, including personal information of Customers and Pros to the extent that information is processed within and on behalf of a Tenant’s workspace — Game Command LLC acts as a processor (or, under United States state privacy laws, a “service provider”) acting on the Tenant’s documented instructions. Tenants are independently responsible for providing notice to and obtaining any required consents from individuals whose personal information they cause us to process. Inquiries from such individuals regarding Tenant Data should be directed to the relevant Tenant.
2. Categories of Personal Information
The categories of personal information we may collect, depending on how you interact with the Service, include:
- Identifiers and contact data — name, email address, mobile telephone number, postal address, business name, account credentials, account identifiers, and IP address.
- Professional or account data — for Pros, service categories, professional bio, licensure information voluntarily provided, hours of availability, calendar entries, and customer-relationship indicators; for Tenants, business name, business address, hours, services offered, staff roster, and tax identifiers required for billing.
- Booking and transaction data — appointment date, time, service, location, party size, notes voluntarily provided by Customers, no-show or cancellation indicators, deposits, and amounts charged.
- Payment data — the last four digits of a payment card, card brand, billing ZIP, and processor tokens. Full payment-card numbers and similar sensitive payment credentials are collected and handled by our payment processor (Stripe) and are not stored on our systems.
- Communications data — the content and metadata of SMS messages, emails, and in-Service messages sent through or facilitated by the Service, including delivery status.
- Device and usage data — browser type, operating system, device identifiers, language, time zone, pages viewed, features used, referring and exit pages, click and tap events, error logs, and approximate location derived from IP address.
- Cookies and similar technologies — first-party session cookies and limited preference cookies as described in Section 9.
- User Content — text, images, files, and other content you submit to the Service, which may include personal information by virtue of what you choose to submit.
- Inferred data — technical inferences from the foregoing for purposes of fraud prevention, capacity planning, and quality of service.
We do not knowingly collect Social Security numbers, driver’s license numbers, passport numbers, precise geolocation, genetic or biometric identifiers, health-care or medical-treatment records, immigration status, or information about a known child under the age of thirteen. Tenants are contractually prohibited from uploading sensitive personal information of any of those categories to the Service except as expressly required for the Service.
3. How We Collect Personal Information
We collect personal information from the following sources:
- Directly from you, when you create an account, complete a form, book or manage an appointment, communicate with us, or otherwise interact with the Service.
- From your device, automatically when you access the Service, through server logs, cookies, and similar technologies.
- From Tenants and Pros, when a Tenant adds a Pro to its workspace, or when a Tenant or Pro books or records an appointment on behalf of a Customer.
- From service providers, including payment processors, messaging providers, and calendar providers, in connection with their performance of services for us.
- From public sources, in limited cases (for example, public business directories used to verify Tenant information).
4. How We Use Personal Information
We use personal information for the following purposes:
- to provide, maintain, and operate the Service, including authenticating accounts, managing Bookings, processing payments, delivering communications, federating availability across associated Tenants where enabled, and operating cross-Tenant features as described in Section 7;
- to communicate with you about your account, Bookings, transactional matters, technical notices, security alerts, and support inquiries;
- to send service-related and, with appropriate consent, marketing communications about the Service, in each case subject to your right to opt out of marketing communications;
- to monitor and analyze trends, usage, and activities of the Service for the purposes of maintenance, improvement, and capacity planning;
- to detect, investigate, prevent, and address fraud, abuse, security incidents, and violations of our Terms or applicable law;
- to comply with legal obligations, respond to lawful requests from public authorities, and enforce our rights and the rights of others; and
- for any other purpose described to you at the point of collection or to which you have consented.
5. Legal Bases (EEA / UK)
To the extent the General Data Protection Regulation (Regulation (EU) 2016/679) or the United Kingdom General Data Protection Regulation applies to our processing of your personal data, we rely on the following legal bases:
- Performance of a contract (Article 6(1)(b)) — to provide the Service you have requested and to administer your account.
- Legitimate interests (Article 6(1)(f)) — to operate, secure, and improve the Service, to prevent fraud and abuse, and to communicate with you regarding the Service, where such interests are not overridden by your rights and interests.
- Compliance with a legal obligation (Article 6(1)(c)) — to meet our tax, accounting, and other legal obligations.
- Consent (Article 6(1)(a)) — for marketing communications where consent is required and for certain cookies and similar technologies. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.
6. Disclosures and Service Providers
We do not sell personal information for monetary consideration. We disclose personal information in the following circumstances:
- To Tenants and Pros, as the Service requires. Booking information is shared with the relevant Tenant and the relevant Pro to provide the appointment.
- To service providers that perform services on our behalf, subject to written agreements limiting their use of personal information to the purposes for which we engage them and requiring appropriate confidentiality and security obligations. Our principal service providers include:
| Provider | Function | Categories Processed |
|---|---|---|
| Stripe, Inc. | Payment processing for Tenant subscriptions and, where enabled, Booking payments | Identifiers, payment tokens, transaction data |
| Twilio Inc. | Outbound and inbound SMS delivery | Mobile telephone numbers, message content and metadata |
| Google LLC | Transactional and account email delivery (Gmail / Google Workspace SMTP); calendar synchronization (Google Calendar) where enabled | Email addresses, message content, calendar event data |
| OVH SAS / OVHcloud US, LLC | Infrastructure and hosting | All categories of personal information processed on the Service, in transit and at rest |
| Cloudflare, Inc. | Content delivery, DNS, and security services | IP address, request metadata, in-transit content |
- To other Users, as expressly required to operate cross-Tenant features described in Section 7 and, in the case of public profile fields you elect to publish, as visible to anyone who accesses the Service.
- In connection with a corporate transaction, including any merger, sale of assets, financing, due diligence, reorganization, bankruptcy, receivership, or similar transaction. We will require any successor to honor this Policy with respect to personal information transferred to it.
- To comply with law or protect rights, when we believe in good faith that disclosure is required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Penned, our Users, or others, including in connection with investigating or preventing fraud, abuse, or violations of our Terms.
- With your consent, when you direct us to disclose your personal information to a third party.
7. Cross-Tenant and Federation Data Flows
The Service includes features that, by design, span more than one Tenant. The following disclosures describe those flows so that Users may make informed decisions before enabling such features:
- Calendar federation. When a Pro is associated with more than one Tenant and chooses to enable federation, the Service surfaces the Pro’s busy windows (date and time) across associated Tenants for the purpose of preventing double-booking. The content of appointments is not shared across Tenants; only the fact of unavailability for a given block of time is.
- Portable Pro identity. A Pro Account’s public profile fields (for example, professional name, photograph, biography, service categories) are visible to Customers and Tenants of any Tenant workspace in which the Pro is active. The Pro’s customer relationships, as marked by the Pro, persist across Tenants when the Pro associates with a new Tenant or dissociates from an existing Tenant.
- Customer Accounts. A Customer Account is a unified consumer identity that may book across Tenants. A Customer’s booking history is visible to the Customer; each Tenant sees only Booking records that occurred within its own workspace, except where the Customer expressly directs otherwise.
- Cross-Tenant referrals. When a Tenant or Pro initiates a referral of a Customer to another Tenant or Pro, the Service transmits the minimum data necessary (typically the Customer’s name, contact information, requested service, and any notes voluntarily provided by the Customer) to the receiving Tenant or Pro.
- Network discovery. Where discovery features are made available, public profile fields elected by Tenants and Pros are surfaced to Customers and prospective Customers as part of the Service’s discovery surfaces.
Each cross-Tenant flow described above is enabled only as required to provide the feature and is described to Tenants and Pros at the point of activation. A Tenant or Pro may restrict, disable, or modify cross-Tenant features within the workspace settings where such controls are made available.
8. Communications: SMS, Email, Calendar
SMS. By providing your mobile telephone number and booking or requesting an appointment, you consent to receive SMS text messages from us and from Tenants and Pros with whom you have a Booking relationship, including appointment confirmations, reminders, schedule changes, follow-ups, and related transactional messages, in accordance with the Telephone Consumer Protection Act. Standard message and data rates may apply. Message frequency varies. You may reply STOP to opt out of non-transactional SMS communications. Opting out of transactional appointment messages may impair your ability to receive appointment information.
Email. We send transactional and account-related emails to the address associated with your account. Commercial email communications include a functioning unsubscribe mechanism and are sent in compliance with the CAN-SPAM Act. Transactional appointment and account emails are not subject to commercial opt-out and will continue while you maintain an account or a pending Booking.
Calendar synchronization. Where you enable Google Calendar synchronization, the Service reads and writes calendar event data to the Google account you authorize, solely for the purposes you direct (such as creating, updating, or removing appointment events). You may revoke that authorization at any time within your Google account security settings.
9. Cookies and Similar Technologies
We use first-party cookies and similar technologies to operate the Service. These include:
- Strictly necessary cookies required for authentication, session management, security, and load balancing. These cookies cannot be disabled without impairing the Service.
- Preference cookies that remember user-interface choices.
- Analytics signals derived from server logs and limited first-party measurement to understand aggregate usage and improve the Service. We do not currently embed third-party advertising trackers on the Service.
Most browsers allow you to control cookies through their settings. If you reject strictly necessary cookies, portions of the Service may not function.
10. Data Retention
We retain personal information for as long as is necessary to provide the Service, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Specifically:
- Account records are retained for the life of the account.
- Booking and transaction records are retained for the period required by tax, accounting, and consumer-protection law, and in any event for not less than four (4) years from the date of the transaction.
- Communications logs (SMS delivery metadata, email delivery metadata, in-Service messages) are retained for up to twenty-four (24) months unless a longer period is required by law or necessary to investigate abuse, fraud, or security incidents.
- Server access and security logs are retained for up to twelve (12) months.
- Where you delete or close an account, we will, for a period of thirty (30) days, retain the underlying account data in a recoverable form to permit data export and account restoration, after which the data is deleted or anonymized, subject to ordinary-course backup expiration and to any retention required by law.
Tenant Data is retained on behalf of the Tenant for the duration of the Tenant Account and the export window described above; the Tenant remains the controller of that data and may instruct us to delete it on a more accelerated basis subject to law.
11. Data Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These safeguards include encryption of data in transit, hashing of account passwords using industry-standard algorithms, access controls based on the principle of least privilege, isolation of Tenant workspaces at the application layer, and ongoing monitoring of the Service. No method of transmission or storage is one-hundred percent secure, and we cannot guarantee the absolute security of personal information.
12. International Transfers
The Service is hosted in the United States. If you access or use the Service from outside the United States, you understand and agree that your personal information will be transferred to, processed, and stored in the United States, where data-protection laws may differ from those of your jurisdiction. Where we transfer personal data of individuals in the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on appropriate safeguards, including, where applicable, the Standard Contractual Clauses adopted by the European Commission and the United Kingdom Information Commissioner’s Office. You may request a copy of the relevant safeguards by contacting us at the address in Section 21.
13. Your Rights
Depending on your jurisdiction and your relationship with us, you may have rights with respect to your personal information, including the rights to access, correct, delete, port, restrict or object to certain processing, withdraw consent, and lodge a complaint with a supervisory authority. The following sections describe specific U.S. state and European rights.
To exercise any right granted to you under applicable law, please contact us at [email protected]. We will verify your request using reasonable means, including verification of your control of an email address or mobile telephone number associated with your account. We do not discriminate against you for exercising a right granted under applicable law.
If you are a Customer of a Tenant and your request concerns Tenant Data, we will refer your request to the relevant Tenant, which is the controller of that data.
14. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the “CCPA”), including:
- the right to know what categories and specific pieces of personal information we have collected, the categories of sources, the business or commercial purposes for which we collected the information, and the categories of third parties with whom we disclosed it;
- the right to delete personal information, subject to certain exceptions;
- the right to correct inaccurate personal information;
- the right to opt out of the sale or sharing of personal information; and
- the right to limit the use of sensitive personal information.
The categories of personal information we have collected, the sources from which we collected it, the purposes for which we collected it, and the categories of third parties with whom we disclosed it are set forth in Sections 2, 3, 4, and 6 of this Policy, respectively. You may submit a request to exercise your CCPA rights to [email protected]. You may also designate an authorized agent to submit a request on your behalf, in which case we will require reasonable proof that the agent is authorized to act on your behalf.
15. Other U.S. State Rights
Residents of certain U.S. states, including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive consumer-privacy laws, may have rights similar to those described in Section 14, including the rights to confirm processing and access, to correct inaccurate personal information, to delete personal information, to obtain a portable copy of personal information, and to opt out of targeted advertising, sale of personal data, or profiling in furtherance of decisions producing legal or similarly significant effects. We do not engage in the activities for which an opt-out is available under those laws. To exercise other rights, please contact us at [email protected].
16. EEA, UK, and Swiss Rights
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to personal data we process about you as a controller: access, rectification, erasure, restriction of processing, objection to processing, portability, and, where processing is based on consent, withdrawal of consent. You also have the right to lodge a complaint with a supervisory authority in the jurisdiction of your habitual residence, place of work, or alleged infringement. Our contact details and the legal bases for our processing are set forth in Sections 5 and 21.
17. Children and Minors
The Service is not directed to, and we do not knowingly collect personal information directly from, children under the age of thirteen. If we learn that we have collected personal information from a child under thirteen without verifiable parental consent, we will take reasonable steps to delete that information. A parent or legal guardian who has reason to believe their child has provided personal information without their consent may contact us at [email protected]. Tenant Accounts and Pro Accounts are restricted to individuals who are at least eighteen years of age, as set forth in our Terms.
18. Do Not Track
Our Service does not currently respond to “Do Not Track” signals or similar mechanisms because no consistent industry standard has been adopted. We do not track Users across third-party websites for advertising purposes.
19. Third-Party Sites and Services
The Service may contain links to, or interoperate with, websites and services operated by third parties. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party website or service before providing personal information to it.
20. Changes to This Policy
We may update this Policy from time to time. The “Last Updated” date at the top of this page indicates when this Policy was last revised. Material changes will be communicated by notice within the Service or by email at least fifteen (15) days before they take effect, except where a shorter period is necessary to comply with law or to address a security or operational risk. Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the revised Policy.
21. Contact and Data Protection Inquiries
For questions about this Policy or to exercise any privacy right described herein, please contact:
Game Command LLC
Attn: Privacy — Penned
PO Box 21674
Lincoln, Nebraska 68542
Email: [email protected]