Privacy Policy

Graveyard Shift is a business-to-business (B2B) software-as-a-service (SaaS) platform. Our direct customers are haunted attraction operators and event organizations ("Customers" or "Organizations") who subscribe to the platform to manage their workforce. Employees, scare actors, volunteers, and other staff members who are invited to use the platform by their Organization are referred to as "End Users."

This creates two distinct data relationships: TicketDawg's relationship with Customers, and Customers' relationship with their End Users. Customers are independently responsible for their own privacy obligations toward their End Users; TicketDawg processes End User data on behalf of the Customer as a service provider.

TicketDawg, LLC is the legal entity responsible for operating the Graveyard Shift platform. We are based in the United States. Our platform is hosted on Google Cloud Platform (GCP) infrastructure. All data is stored and processed within the United States.

Our platform is accessible via subdomains in the format [your-organization].graveyardshift.ticketdawg.com. Each Organization operates within its own isolated tenant environment.

We collect information in two primary ways: information provided directly by Customers and End Users, and information generated automatically through use of the platform.

3.1 Information Provided by Organizations (Customers)

• ▪Organization name, billing address, and contact information
• ▪Payment information (processed by Authorize.net; TicketDawg does not store raw card data)
• ▪Subscription tier and account configuration settings
• ▪Area, position, and event data configured by administrators
• ▪Schedule and staffing assignments

3.2 Information Provided by End Users

3.3 Automatically Collected Information

• ▪Log data including IP addresses, browser type, pages visited, and timestamps
• ▪Device information (operating system, screen resolution)
• ▪Session tokens and authentication activity
• ▪Time clock check-in and check-out records (where enabled)
• ▪Message delivery status for SMS and email communications

We use the information we collect for the following purposes:

Platform Operations

• ▪Providing access to and operating the Graveyard Shift scheduling platform
• ▪Authenticating users and maintaining session security
• ▪Generating and displaying schedules, rosters, and assignments
• ▪Processing availability submissions and time clock events
• ▪Sending SMS and email notifications related to scheduling (see Section 7)

Customer Support

• ▪Diagnosing technical issues and resolving support requests
• ▪Allowing authorized TicketDawg staff to access tenant environments for support purposes, with appropriate access controls

Business Operations

• ▪Processing subscription payments through Authorize.net
• ▪Communicating with Customer account contacts about their subscription
• ▪Improving platform features and performance based on aggregate, anonymized usage patterns

We do not share personal information with third parties except in the following limited circumstances:

5.1 Service Providers

We engage a small number of trusted service providers who process data solely on our behalf to operate the platform:

All service providers are contractually bound to use data only for the purposes for which it was shared and to maintain appropriate security measures.

5.2 Within Your Organization

End User information — including schedules, availability, contact details, and role assignments — is visible to administrators and managers within your Organization as configured by your Organization. Medical information is restricted to administrators only and is never visible to fellow employees.

5.3 Legal Requirements

We may disclose information if required to do so by law, court order, subpoena, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of TicketDawg, our Customers, or others.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of TicketDawg's assets, Customer and End User data may be transferred to the acquiring entity. We will provide reasonable notice to Customers before such a transfer occurs, and the data will remain subject to privacy commitments no less protective than this policy.

End Users may optionally provide medical information — such as allergies, physical limitations, or relevant health conditions — to help their Organization keep them safe during events. This information is:

• ▪Stored in a dedicated, isolated database field separate from general profile data
• ▪Accessible only to Organization administrators (not managers or fellow employees)
• ▪Never included in exported schedules, rosters, or communications
• ▪Never shared with TicketDawg's support staff except when explicitly required to diagnose a technical issue at the request of the Customer
• ▪Retained only for as long as the End User's account is active with that Organization

Providing medical information is entirely voluntary. Declining to provide it will not affect an End User's ability to use the platform or be assigned to shifts.

Graveyard Shift sends automated SMS text messages and emails to End Users on behalf of their Organization. These communications are strictly operational in nature and may include:

• ▪Schedule publication and assignment notifications
• ▪Shift reminders and time clock alerts
• ▪Availability request reminders
• ▪Account-related messages (password resets, email verification)
• ▪Direct messages sent by Organization administrators or managers

Consent

By registering for a Graveyard Shift account and providing a phone number, End Users consent to receive SMS messages from their Organization via the Graveyard Shift platform. Standard message and data rates may apply depending on your mobile carrier.

Opting Out

End Users may opt out of SMS notifications by replying STOP to any SMS message. Opting out of SMS will not affect your ability to receive email notifications or to use the platform. Email notification preferences can be managed within your account settings.

Note: Opting out of operational messages (e.g., schedule notifications) may affect your Organization's ability to communicate with you about your shifts.

Message Retention

Message logs, including delivery status and timestamps, are retained within the platform for operational and troubleshooting purposes. The content of individual messages sent via the platform's in-app messaging system is stored for the duration of the Organization's active subscription.

We retain data for as long as it is necessary to provide the platform and fulfill the purposes described in this policy.

When data is deleted, it is permanently removed from our active systems. Residual copies in encrypted backups are overwritten within standard backup rotation cycles.

We take the security of your data seriously and implement technical and organizational measures designed to protect it against unauthorized access, alteration, disclosure, or destruction. These measures include:

• ▪All data transmitted between your browser and our servers is encrypted via TLS (HTTPS)
• ▪Passwords are hashed using bcrypt with appropriate salt rounds and are never stored in plain text
• ▪Multi-tenant architecture enforces strict data isolation between Organizations at the database query level
• ▪Access to production systems is limited to authorized TicketDawg personnel
• ▪Session tokens are cryptographically signed and expire after periods of inactivity
• ▪Medical information is stored in dedicated, isolated database fields with additional access controls
• ▪Platform infrastructure is hosted on Google Cloud Platform, which maintains SOC 2 and ISO 27001 certifications

No system is completely secure. While we work diligently to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify affected Customers and End Users as required by applicable law.

Depending on your role, you have the following rights with respect to your personal information:

End Users

• ▪Access: You may view your own profile information at any time within the platform.
• ▪Correction: You may update your personal information through your account settings, or by requesting an update from your Organization administrator.
• ▪Deletion: You may request deletion of your account and personal information by contacting your Organization administrator. Note that some information (such as historical schedule records) may be retained by the Organization per their own record-keeping obligations.
• ▪Medical information: You may add, update, or request removal of your medical information at any time by contacting your Organization administrator or TicketDawg support.
• ▪SMS opt-out: Reply STOP to any SMS to opt out of text message notifications.

Organization Administrators (Customers)

• ▪Data export: Customers may request an export of their Organization's data by contacting TicketDawg support.
• ▪Account deletion: Customers may request deletion of their Organization account and associated data by providing written notice to TicketDawg. Data will be purged within 90 days of subscription termination.
• ▪Correction: Customers may update Organization account information through their admin settings or by contacting support.

To exercise any of these rights, please contact us at the information provided in Section 13. We will respond to verified requests within a reasonable timeframe, generally within 30 days.

Graveyard Shift is a professional workforce management platform intended for use by adults. We do not knowingly collect personal information from individuals under the age of 13. If an Organization seeks to onboard employees who are minors (under 18), the Organization is solely responsible for obtaining any required parental or guardian consents in accordance with applicable law.

If we become aware that we have inadvertently collected personal information from a child under 13 without appropriate consent, we will take steps to delete that information promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, platform features, or legal requirements. When we make material changes, we will:

• ▪Update the "Last Updated" date at the top of this page
• ▪Send an email notification to the primary contact on file for each Customer Organization
• ▪Display a prominent notice within the platform for a period of at least 30 days

Continued use of the Graveyard Shift platform after notice of material changes constitutes acceptance of the revised policy. If you disagree with a change, you may discontinue use and request deletion of your account.

For non-material changes (such as clarifications, grammar corrections, or updates to contact information), we will update the "Last Updated" date without additional notification.

If you have questions about this Privacy Policy, wish to exercise your data rights, or want to report a privacy concern, please reach out to us: