Privacy Policy

1. Introduction

PassLoop ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital wallet pass creation service and website located at passloop.dev (the "Service").

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Information We Collect

2.1 Personal Information

We may collect personal information that you voluntarily provide to us, including:

• Name and contact information (email address)
• Account credentials (username, password)
• Payment information (processed through Stripe)
• Profile information you choose to provide
• Communications with our support team

2.2 Usage Data

We automatically collect certain information when you use our Service:

• Device information (IP address, browser type, operating system)
• Usage patterns and preferences
• Log data (access times, pages viewed, errors encountered)
• Pass creation and usage statistics
• Location data (if you enable location-based features)

2.3 Pass Content

We collect and store the content you create using our Service, including:

• Digital pass designs and templates
• Images, logos, and other media files you upload
• Text content and pass metadata
• Location information for location-based passes

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide, operate, and maintain our Service
• Process transactions and manage subscriptions
• Create and deliver digital wallet passes
• Send notifications related to your passes and account
• Provide customer support and respond to inquiries
• Improve and develop our Service
• Detect and prevent fraud and security threats
• Comply with legal obligations
• Send marketing communications (with your consent)

4. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:

4.1 Service Providers

• Stripe: For payment processing and subscription management
• Google Wallet API: For creating and managing Google Wallet passes
• Apple PassKit: For creating and managing Apple Wallet passes
• Cloud hosting providers: For data storage and service delivery
• Sentry: For error monitoring and application performance

4.2 Legal Requirements

We may disclose your information if required by law or in response to valid requests by public authorities.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

• Encryption of data in transit and at rest
• Secure authentication and access controls
• Regular security assessments and updates
• Secure hosting infrastructure
• Employee training on data protection

However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

6. Data Retention and Account Deletion

We retain your personal information for as long as necessary to:

• Provide our Service to you
• Comply with legal obligations
• Resolve disputes and enforce our agreements
• Improve our Service (in anonymized form)

6.1 Account Deletion Process (30-Day Grace Period)

We have implemented a secure account deletion process to protect your data while allowing for security review and fraud prevention:

What Data Is Deleted:

After the 30-day period, the following data is permanently removed from our systems:

• User account and credentials
• All wallet passes and configurations
• Uploaded certificates (Apple/Google)
• Pass history and download records
• Merchant locations and scanner pairings
• Validation tokens and redemption logs
• Subscription usage logs
• Email change and password reset requests

Cancelling Account Deletion:

You have 30 days to cancel the deletion request by contacting our support team at support@passloop.dev. We will verify your identity and reactivate your account with all your data restored.

How to Request Account Deletion:

1. Log in to your PassLoop account
2. Go to Account Settings
3. Scroll to the "Danger Zone" section
4. Click "Delete Account"
5. Confirm the deletion and optionally provide a reason
6. You will be immediately logged out

7. Your Rights and Choices (GDPR Compliance)

Depending on your location, you may have the following rights regarding your personal information:

• Right to be informed: This privacy policy explains how we use your data
• Right of access: Request a copy of your personal information through your account dashboard
• Right to rectification: Update or correct inaccurate information in your account settings
• Right to erasure: Request deletion of your personal information (30-day process as detailed above)
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing of your personal information
• Right to restriction: Request restriction of processing by temporarily disabling your account
• Right to withdraw consent: Withdraw consent for marketing communications and analytics tracking

To exercise these rights, please contact us at support@passloop.dev or use the account settings in your dashboard.

7.1 Right to Erasure (GDPR Article 17)

For immediate deletion requests (e.g., legal requirements), please contact our support team. We can expedite the deletion process for valid GDPR "right to be forgotten" requests, bypassing the standard 30-day retention period where legally required.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our Service:

8.1 Essential Cookies

• Authentication tokens (JWT in localStorage) for secure login
• Session management and security
• Remember your preferences and settings

8.2 Analytics Cookies (Optional - Requires Consent)

• Google Analytics 4: Usage patterns and service improvement
• Facebook Pixel: Conversion tracking (only with your consent)

Our EU Consent Manager allows you to control analytics preferences. You can:

• Accept or reject analytics cookies via the consent banner
• Change your preferences at any time in account settings
• Revoke consent which clears all analytics cookies

You can also control cookies through your browser settings, but disabling essential cookies may affect the functionality of our Service.

9. Third-Party Services

Our Service integrates with third-party services. These services have their own privacy policies that govern how they handle your information:

• Apple Wallet: Apple Privacy Policy
• Google Wallet: Google Privacy Policy
• Stripe (Payment Processing): Stripe Privacy Policy
• Brevo/Sendinblue (Transactional Emails): Brevo Privacy Policy
• Sentry (Error Tracking): Sentry Privacy Policy

We have data processing agreements with these services and they process data on our behalf in accordance with GDPR requirements.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure that such transfers are conducted in accordance with applicable data protection laws and provide appropriate safeguards for your personal information.

11. Children's Privacy

Our Service is not intended for children under the age of 16 (in accordance with GDPR Article 8). We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take immediate steps to delete such information.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@passloop.dev.

12. Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will:

• Notify you within 72 hours as required by GDPR Article 33
• Provide details about the nature of the breach
• Explain the potential consequences and our response measures
• Notify relevant supervisory authorities as required by law

13. Automated Cleanup and Data Management

We run automated processes to maintain data integrity and comply with our retention policies:

• Daily cleanup job to permanently delete accounts after their 30-day retention period
• All deletions are logged for audit purposes
• Database backups are overwritten according to our 90-day backup retention policy
• No identifying information remains in our systems after backup expiration

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date at the top of this policy
• Sending an email notification for significant changes
• Displaying an in-app notification on your next login

Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.

15. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

We will respond to your inquiry within 30 days. For urgent privacy matters, please mark your email as "URGENT: Privacy Request".