What we keep,
and what we don't.

Merchant Line LLC (“Merchant Line LLC,” “we,” “us,” or “our”) operates outdoor entertainment events and ticketed experiences in Texas — marketed under the Aura Creative World brand — including locations at Houston Discovery Green, Gruene Crawfish Festival, Gruene Mini Golf, San Antonio Mini Golf, and seasonal Austin venues. (“Merchant Line LLC” is the legal entity; “Merchant Line” on its own refers to our point-of-sale app.)

This Privacy Policy explains what information we collect when you purchase tickets, food, merchandise, or other goods and services from us — whether online or in person at one of our events — how we use that information, and the choices you have about it.

This policy applies to:

• Ticket and product purchases made through our website
• In-person purchases processed on iPads using our Merchant Line point-of-sale application
• Email receipts and customer communications we send you
• Any other interactions you have with our staff or systems where we collect personal information

It does not apply to the privacy practices of third-party services that we may link to or use to process your transactions; those services have their own privacy policies, summarized in Section 5 below.

Merchant Line LLC (operating events under the Aura Creative World brand)
Texas, United States
Privacy contact: privacy@getmerchantline.com

We are an entertainment business. We are not a data broker, do not sell personal information for advertising purposes, and do not operate any advertising network.

We collect only what is necessary to sell you tickets and products, deliver receipts, and run our business. The categories below are exhaustive — if it's not listed here, we don't collect it.

3.1 Information you provide directly

Category	When we collect it	Examples
Email address	Optional, when you request an emailed receipt at point of sale	customer@example.com
Name	Optional, when you provide it at point of sale (e.g., for a printed receipt or named ticket)	First and last name
Card details	When you tap, insert, or swipe your card on our Stripe payment reader	See Section 4 — these never reach our servers

You are not required to provide an email or name to make a purchase. Both fields are optional and exist solely to help us send you a receipt or label a ticket.

3.2 Information we collect automatically during a purchase

Category	Purpose
Transaction details — items purchased, prices, taxes, service charges, tips, total amount, timestamp, venue/location	Record of sale, refund handling, daily reporting, tax compliance
Payment confirmation data from Stripe — payment_intent_id, last four digits of the card, card brand, success/failure status	Linking a charge to an order so we can refund correctly
Order number	Unique identifier we generate for each transaction
Staff and station identifiers	Internal records: which staff member processed the sale, which iPad

3.3 Information we do not collect

To be unambiguous about what we don't have:

• Full card numbers, CVC codes, or PIN entries. These are captured directly by Stripe's encrypted card reader and transmitted to Stripe — they never touch the Merchant Line app or our backend. Our app operates within PCI DSS SAQ-A scope (the smallest scope for merchants that fully outsource card handling).
• Your physical address, phone number, date of birth, government ID, social security number, or any biometric identifier. We don't ask for these.
• Your location at any time other than during the purchase. The Merchant Line staff iPad uses your nearby Bluetooth devices solely to discover the Stripe card reader; this requires Apple's standard location permission on the staff device. Your iPhone or other devices are not tracked.
• Browsing history, advertising identifiers, or behavior across other apps or websites. We do not track you across the web. Our app's privacy manifest (PrivacyInfo.xcprivacy) declares NSPrivacyTracking: false.
• Information about children. We do not knowingly collect personal information from children under 13. See Section 10.

When you pay with a credit or debit card at one of our venues:

1. You tap, insert, or swipe your card on a Stripe-manufactured payment terminal (Stripe M2 reader).
2. The reader encrypts your card data on the device and transmits it directly to Stripe — our systems never see your card number, expiration date, CVC, or PIN.
3. Stripe processes the payment and returns to us only a confirmation: a transaction ID, the last four digits of the card, the card brand (Visa, Mastercard, etc.), and the amount.
4. We store that confirmation alongside your order so we can issue refunds or look up your transaction if you ask.

Because we never touch raw card data, Merchant Line operates within the PCI DSS SAQ-A compliance scope — the smallest scope for any card-accepting merchant. Stripe is responsible for the security of card data in transit and at rest. Stripe's privacy policy is at stripe.com/privacy.

If you pay with cash or another non-card method (where supported), we record only the order details described in Section 3.2 — no payment-card information of any kind.

We share the limited information described above only with the third-party service providers that help us run our business. These providers act as our data processors — they handle data on our behalf and are contractually limited to using it for the purposes we hire them for. We do not sell your information, rent it, or share it with advertisers or data brokers.

Recipient	Information shared	Purpose	Privacy policy
Stripe, Inc.	Card data (direct from terminal), transaction amount, order metadata	Payment processing	stripe.com/privacy
Resend, Inc.	Your email address and order details — only if you request an emailed receipt	Sending the receipt email you asked for	resend.com/legal/privacy-policy
Supabase, Inc.	Order records, transaction history, our internal staff session data	Cloud database and authentication infrastructure	supabase.com/privacy
Apple, Inc.	App diagnostic information (only when you opt in via iOS Settings)	Standard iOS crash reporting if you've enabled it on your device for our app	Not applicable — your data, your device

We may also share information in the following narrow circumstances:

• Legal compliance: if compelled by a valid legal request (subpoena, court order, or law enforcement request) we have reviewed for legitimacy
• Tax and accounting: with our accountants and tax authorities for required business reporting
• Business transfers: in the event of a merger, acquisition, or sale of Merchant Line LLC's assets — your data would transfer to the successor subject to this policy or one with equivalent protections
• Your consent: when you've explicitly asked us to share information with a specific party

We do not have any data-sharing arrangements with advertising networks, social media platforms, analytics brokers, or any other third party not listed above.

We use the information we collect for these purposes — and only these:

1. Process your purchase (charge your card, generate an order, give you a ticket if applicable)
2. Send you a receipt — only if you provided an email and asked for one
3. Refund or adjust your transaction if you request it or if we identify an error
4. Daily and periodic accounting — totaling revenue, taxes, and service charges per location and date
5. Compliance with tax law and business recordkeeping — Texas requires retention of sales records
6. Investigate fraud or disputes — for example, responding to a chargeback inquiry from your bank
7. Improve our business operations — analyzing aggregated, non-identifying patterns (e.g., “what time of day are sales highest at Gruene”) to plan staffing

We do not use your information for:

• Marketing emails to you unless you separately opt in
• Personalized advertising
• Sharing with social media platforms
• Profiling, scoring, or any automated decision-making that produces legal or similarly significant effects
• Training machine learning models

We retain different categories of data for different periods, based on legal and operational needs:

Category	Retention period	Why
Transaction records (order, items, amounts, last-four card digits)	7 years	Texas tax records retention requirements
Customer email and name (when provided)	7 years	Same — receipts and refund lookups are tied to the order
Staff session data (login tokens, station bindings)	24 hours for active sessions; expired sessions retained for 30 days for audit	Operational
Stripe payment intents and refund records	Indefinitely, per Stripe's own retention	Required for chargeback dispute defense

When the retention period expires, we delete or anonymize the data. “Anonymize” means we strip any field that could identify you (email, name) while keeping aggregate transaction totals for historical accounting.

If you want your specific data deleted before the retention period expires, see Section 9 for how to request that.

We use commercially reasonable security measures:

• In-transit encryption: all data between your iPad/our servers and our cloud providers uses TLS 1.2 or higher.
• At-rest encryption: Supabase and Stripe encrypt stored data; Merchant Line stores any session tokens in the iOS Keychain on the staff device (hardware-backed, device-locked).
• Authentication: staff log in to Merchant Line with PINs that are bcrypt-hashed; raw PINs are never stored. Refund authorization above a configured limit requires a manager-PIN-minted, single-use HMAC-signed token.
• Authorization: staff and manager roles have different permissions on what data they can read or modify. Vendor accounts can read only their own data.
• PCI-DSS SAQ-A: because we never touch raw card data, we operate within the smallest PCI scope — Stripe carries the certified compliance burden.
• Audits: Supabase row-level security and edge functions enforce access control at the database layer. Manager-override actions are logged.

No system is perfectly secure. If we discover a data breach that affects you, we will notify you and the appropriate authorities as required by Texas law (which generally requires notification within 60 days) and any other applicable jurisdiction.

Depending on where you live, you have specific rights regarding your personal information. We honor these rights for all customers, regardless of state of residence, to the extent practicable:

9.1 General rights (available to all customers)

• Access — request a copy of the personal information we have about you
• Correction — ask us to fix inaccurate information
• Deletion — ask us to delete your information, subject to the retention requirements in Section 7 (we cannot delete tax records required by law)
• Opt-out of email receipts — simply don't provide an email; or contact us to suppress future receipts

To exercise any of these rights, email us at privacy@getmerchantline.com with the subject “Privacy Request” and include:

• The email address or order number associated with your purchase
• The right you wish to exercise
• A copy or photo of the order receipt if you have one (helps us locate the record)

We will respond within 45 days. We may extend this by an additional 45 days for complex requests; we will tell you if so.

9.2 Texas residents (Texas Data Privacy and Security Act)

If you reside in Texas, the Texas Data Privacy and Security Act may give you additional rights, including the right to know whether we process your personal data, the right to obtain a copy of it, and the right to delete it. To exercise these rights, contact us as described in Section 9.1.

We are a small business and may qualify for the TDPSA's small-business exception; we honor the substance of these rights regardless. If we deny a request in whole or in part, we will explain why and how you can appeal that decision to the Texas Attorney General's office.

9.3 California residents (CCPA / CPRA)

If you reside in California, the California Consumer Privacy Act gives you:

• The right to know what categories of personal information we collect and the purposes for which we use it (this entire policy is your notice)
• The right to know what categories of personal information we sell or share — we do not sell or share your personal information in the sense the CCPA defines those terms
• The right to delete your personal information
• The right to correct inaccurate personal information
• The right not to be discriminated against for exercising any of these rights

We do not have any “Do Not Sell or Share My Personal Information” link because we do not sell or share personal information for cross-context behavioral advertising.

To exercise your California rights, contact us as described in Section 9.1. You may also have an authorized agent make a request on your behalf, provided you have given them written permission and we can verify both of you.

9.4 Other U.S. state residents

Similar privacy laws are in effect in Colorado, Connecticut, Utah, Virginia, and several other states. We honor equivalent rights for residents of any state that grants them. Contact us using the same process in Section 9.1.

9.5 European Union / United Kingdom

We do not operate in the EU or UK, do not market to EU/UK residents, and do not knowingly process EU/UK personal data. If you are an EU or UK resident and believe we hold personal information about you, please contact us and we will work with you in good faith to address your request.

Our events are family-friendly and children attend, but Merchant Line does not collect personal information from anyone under 13 years old. The only information we collect from a purchase is what the purchasing adult provides — an optional email and name. If we learn we have inadvertently collected information from a child under 13 (for example, if an adult-purchased ticket later turns out to use a child's email), we will delete that information promptly upon request.

If you believe we have inadvertently collected information about a child under 13, please contact us at privacy@getmerchantline.com and we will delete it.

The Merchant Line iPad app does not use cookies or any tracking technologies. Our customer-facing website (if any) may use a minimal set of cookies for session management; if it does, a separate cookie notice on the website discloses them. We do not use any analytics or advertising trackers (no Google Analytics, no Facebook Pixel, no advertising SDKs of any kind).

This policy and our app do not link to third-party websites in a way that would expose your data to them. If we add such links in the future, this policy will be updated.

We may update this policy from time to time — for example, if we add a new feature that collects different information, or if a new law requires us to add disclosures. When we make a material change, we will:

1. Update the “Last Updated” date at the top of this document
2. Post a notice on our website's privacy page for at least 30 days before the change takes effect
3. If you have provided an email address for receipts within the past year, send a one-time notification of the material change

Non-material changes (clarifications, typo fixes, contact-information updates) take effect immediately on posting.

To exercise any privacy right described in Section 9, or to ask any other privacy-related question, contact us:

For questions about a specific transaction (refunds, receipts, etc.) that are not privacy-rights requests, please contact our customer support team at support@getmerchantline.com, or visit our Support page.

For questions about Stripe's handling of your payment data specifically, see Stripe's privacy policy at stripe.com/privacy or contact them directly through that page.

• Personal information — any information that identifies you or could reasonably be linked to you, including your name, email address, or transaction history tied to either.
• Sale of personal information — exchanging personal information for money or other valuable consideration with a third party for that third party's own use. We do not do this.
• Sharing of personal information — disclosing personal information to a third party for cross-context behavioral advertising. We do not do this.
• Data processor — a service provider that handles personal information on our behalf, under contract, and only for the purposes we direct.
• PCI DSS SAQ-A — the smallest Payment Card Industry compliance scope, available only to merchants who never directly handle card data.

This Privacy Policy was drafted on May 12, 2026. The version published at our website may be updated; the published version controls in case of any discrepancy.