New York Society Balls

Legal

Privacy Policy

What we collect, why we collect it, and what we do with it. Written in plain English, kept as short as the law allows.

This Privacy Policy describes how Play Nice Together, Inc. ("we," "us," or "our") collects, uses, and shares information when you visit newyorksocietyballs.com (the "Site"). By using the Site, you agree to the collection and use of information as described below.

1. Who we are

The Site is operated by Play Nice Together, Inc., a business registered in New York, United States.

2. Information we collect

We collect certain information when you visit the Site, subscribe to our newsletter, or contact us. Each type of collection is described in the subsections below.

2.1 Information collected automatically

When you visit the Site, the following information is collected automatically by us and our third-party service providers:

  • Your IP address (logged in full by our web server, load balancer, and security infrastructure for operational and security purposes; anonymized to the first two octets in our self-hosted Matomo; collected in full by Google Analytics only if you consent to it)
  • Browser type, version, language, and user agent string
  • Operating system and device type
  • Referring URL (the page you came from)
  • Pages visited on the Site, time spent, and clicks
  • Approximate geographic location (typically country and region) derived from IP address
  • Date and time of your visit
  • Cookies and similar tracking technologies (see Section 4; Google Analytics cookies are only set if you consent)

2.2 Information you provide directly

Newsletter subscriptions. If you subscribe to our newsletter, we collect your first name, last name, and email address. This information is sent to MailChimp, our newsletter service provider — see Section 3.3. We do not retain a separate copy in our own systems.

Contact form and email. If you contact us through the contact form or by email, we collect your name, email address, and the contents of the message itself. We retain this correspondence as part of our editorial records — see Section 10.

3. Third-party services

We use the following third-party services on this Site. Each has its own privacy practices, which we encourage you to review.

3.1 Google Analytics (consent required)

If you consent through our cookie banner, we use Google Analytics, a web analytics service provided by Google LLC, to collect aggregate data about how visitors use the Site. Google Analytics uses cookies to track visitor interactions and may transfer this information to servers in the United States. The information collected includes pages viewed, time spent on the Site, and approximate location.

Google Analytics does not load until you accept it. If you decline or do not respond to the cookie banner, Google Analytics will not run on your visit.

You can learn more about Google's privacy practices at policies.google.com/privacy. You can withdraw consent at any time using the "Cookie Preferences" link in our footer, install the Google Analytics Opt-out Browser Add-on, or use your browser's tracking-protection settings.

3.2 Matomo Analytics (runs by default)

We also use Matomo Analytics, a web analytics platform that we self-host on infrastructure under our control. Matomo runs for all visitors and does not require consent. We rely on this configuration on the legitimate interest in understanding how the Site is used, balanced against minimal privacy impact:

  • IP anonymization is enabled. The last two octets of every visitor IP address are masked before logging, so we do not retain full IP addresses through Matomo and cannot uniquely identify individual visitors.
  • Cookies are disabled. Matomo runs in cookieless mode on this Site; no Matomo identifiers are stored on your device.
  • Self-hosted. Matomo data is stored on infrastructure we operate; it is not shared with any third party.
  • No cross-site tracking. Matomo data is scoped to this Site only and is never combined with data from other websites.
  • Do Not Track honored. If your browser sends the Do Not Track signal, Matomo will not collect data about your visit.

Under the European Union's General Data Protection Regulation, this configuration falls under the legitimate interest legal basis (Article 6(1)(f)) and does not require consent. The French data protection authority (CNIL) has specifically identified Matomo with the above safeguards as exempt from consent requirements.

You can opt out of Matomo at any time by enabling Do Not Track in your browser, or by contacting us to request that we exclude your visits.

3.3 MailChimp (newsletter service)

Our newsletter is sent through MailChimp, a service operated by Intuit Inc. When you subscribe, your name and email address are stored on MailChimp's systems. MailChimp processes this information to deliver the newsletter, track delivery and engagement (such as whether the email was opened or a link was clicked), and maintain a record of subscribers and unsubscribes.

MailChimp retains subscriber and unsubscribe records indefinitely unless we explicitly request their deletion. To request that your record be removed from MailChimp as well as from our own systems, write to us through the contact form or email us at the address below.

MailChimp's privacy practices are described at intuit.com/privacy/statement. MailChimp transfers and processes data in the United States.

3.4 OpenStreetMap (map tiles)

Some event pages display a small map showing the venue's location. The map images are served by OpenStreetMap, a community-run mapping project, from their tile servers. When your browser displays one of these maps, it requests the relevant map tiles directly from OpenStreetMap; we do not proxy or intermediate this traffic.

OpenStreetMap may log standard request information (IP address, user agent, the tile requested) for operational and abuse-prevention purposes. They do not run advertising, do not sell data, and retain logs for a limited period. Their privacy practices are described at wiki.osmfoundation.org/wiki/Privacy_Policy.

If you prefer not to make these requests, you can use a content blocker that prevents requests to tile.openstreetmap.org. The map will not display, but the rest of the event page will work normally.

3.5 Server logs and security infrastructure (runs by default)

Our web server (Nginx), load balancer (Amazon Web Services Application Load Balancer), web application firewall (AWS WAF), and self-hosted log aggregation platform (Grafana Loki) automatically log information about every request to the Site as part of their normal operation. This logging is not optional; it is necessary to operate the Site, route traffic correctly, and protect against abuse and attack. Cookie consent does not affect this logging because no cookies are involved.

The logged information includes:

  • Your IP address (full, not anonymized at the log layer)
  • Date and time of the request
  • The URL requested and the HTTP method
  • The HTTP status code returned
  • The size of the response
  • The referring URL, if any
  • Your user agent string
  • TLS connection details (load balancer only)
  • WAF rule evaluation results (security firewall only)

We use these logs solely for:

  • Operating, debugging, and maintaining the Site
  • Detecting and mitigating attacks, abuse, and excessive traffic
  • Investigating security incidents
  • Complying with legal obligations

We do not use these logs for analytics, profiling, marketing, or any purpose unrelated to operations and security. They are not shared with advertising or analytics partners.

Our access logs from AWS Application Load Balancer and AWS WAF are stored in Amazon S3 and automatically deleted after 90 days through an S3 lifecycle policy. Amazon Web Services, our infrastructure provider, processes log data on our behalf under their data processing agreement and stores it in the United States. Nginx access logs from our application servers are forwarded to our self-hosted Grafana Loki log aggregation platform and automatically deleted after 90 days through Loki's retention policy.

The legal basis for this processing is our legitimate interest under Article 6(1)(f) of the GDPR in operating, securing, and maintaining the Site. The privacy impact is balanced against the operational and security necessity, and we have determined the processing is proportionate. Under California law, this processing falls within the security and integrity of services exception and is not a "sale" or "share" of personal information.

4. Cookies and tracking technologies

Cookies are small text files stored on your device by your browser. The cookies and similar technologies used on this Site fall into the following categories:

  • Strictly necessary. Required for the Site to function — for example, the session cookie used by forms. Do not collect personal information and cannot be disabled.
  • Anonymous analytics (Matomo). Our self-hosted Matomo runs in cookieless mode and does not store identifiers on your device. It runs by default on the legitimate-interest basis described in Section 3.2; no consent is required because no cookies are set and no identifiable data is collected.
  • Google Analytics cookies. Set by Google Analytics to measure how the Site is used. Loaded only after you provide consent through our cookie banner.

You can change your cookie preferences at any time by clicking the "Cookie Preferences" link in the Site footer. You can also manage cookies through your browser settings, though some features of the Site may not work correctly without certain cookies.

5. How information is used

We use the information we collect to:

  • Operate, maintain, and improve the Site
  • Send the newsletter to those who have subscribed
  • Respond to inquiries received through the contact form or by email
  • Understand how visitors use the Site
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

6. Information sharing

We do not sell your personal information. We share information only as follows:

  • With service providers who help us operate the Site (such as Amazon Web Services for hosting and infrastructure, Google Analytics, and MailChimp as described in Section 3), under the terms of their respective agreements with us
  • For legal compliance when required by law, court order, or government request
  • To protect the rights and safety of Play Nice Together, Inc., our users, or the public
  • In connection with a business transaction such as a merger, acquisition, or sale of assets, in which case the acquiring entity will be bound by this Privacy Policy

7. Your rights and choices

Depending on your location, you may have certain rights regarding your personal information.

7.1 California residents (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and share
  • Request deletion of your personal information
  • Correct inaccurate personal information
  • Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share personal information for cross-context behavioral advertising.
  • Limit the use of sensitive personal information (we do not collect sensitive personal information as defined by the CPRA)
  • Be free from retaliation for exercising these rights

To exercise these rights, contact us. We will respond within 45 days.

7.2 Other US states

Residents of Virginia, Colorado, Connecticut, Utah, and other US states with comprehensive privacy laws may have similar rights. We honor these rights to the extent required by applicable law. Contact us to make a request.

7.3 Visitors from outside the United States

The Site is operated from the United States. If you visit from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the Site, you consent to this transfer. If you are in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with data protection laws, please contact us for information about exercising your rights, including access, correction, deletion, and objection.

8. Children's privacy

The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it promptly.

9. Data security

We use reasonable administrative, technical, and physical safeguards to protect the information we collect. However, no method of transmission over the internet or electronic storage is fully secure, and we cannot guarantee absolute security.

10. Data retention

AWS Application Load Balancer and AWS WAF logs are stored in Amazon S3 and automatically deleted after 90 days. Nginx access logs are forwarded to our self-hosted Grafana Loki platform and automatically deleted after 90 days. We retain analytics data (Google Analytics and Matomo) for as long as needed to understand site trends, typically up to 26 months.

Newsletter subscriber information is held only by MailChimp; we do not retain a separate copy. MailChimp retains subscriber and unsubscribe records indefinitely unless we explicitly request their deletion — see Section 3.3.

Email correspondence and contact form submissions may be retained indefinitely as part of our editorial records. If you would like a particular message removed, write to us and we will accommodate the request.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date below reflects the most recent change. Material changes will be highlighted on the Site. Your continued use of the Site after changes are posted constitutes your acceptance of the updated policy.

12. Contact

For questions about this Privacy Policy or your personal information, contact us through the contact form or write to Play Nice Together, Inc., PO Box 510, Elmsford, NY 10523.

Last updated May 2026.