PelagoPass

Privacy Policy

Last updated: June 2, 2026

1. Who We Are

PelagoPass ("we," "our," or "us") operates the digital business card platform at pelagopass.com. We are the data controller for personal data collected through this service.

For any privacy-related questions, contact us at support@pelagopass.com.

2. Data We Collect

We collect the following categories of personal data:

  • Account data — your email address, name, and password (stored as a hashed credential) when you register.
  • Card content — any information you choose to put on your digital Cards: name, job title, phone number, links, photos, and custom fields.
  • Scan analytics — when someone views your Card, we log a timestamp and, where permitted by the viewer's browser, an approximate location (country/city level). No personally identifying data about viewers is stored.
  • Payment data — billing name, email, and payment method details. Full card numbers are handled and stored by Stripe — we only hold a Stripe customer ID.
  • Charity preference — your chosen charity for Premium donations.
  • Usage data — standard server logs (IP address, browser type, pages visited, timestamps) for security and debugging purposes.
  • Cookies & local storage — see our Cookie Policy.

3. How We Use Your Data

We use your data to:

  • Provide, maintain, and improve the PelagoPass service.
  • Authenticate you and secure your account.
  • Process subscription payments and issue receipts.
  • Deliver scan analytics to Premium subscribers.
  • Process charity contributions on your behalf.
  • Send transactional emails (account confirmations, billing receipts, important updates).
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations.

We do not sell your personal data to third parties, and we do not use it for advertising.

4. Legal Basis for Processing (UK/EU Users)

Where the UK GDPR or EU GDPR applies, we rely on the following legal bases:

  • Contract — processing necessary to deliver the service you signed up for.
  • Legitimate interests — security monitoring, fraud prevention, service improvement.
  • Legal obligation — compliance with applicable laws.
  • Consent — non-essential cookies (you may withdraw consent at any time).

5. Third-Party Services

We share data with the following processors, each bound by data processing agreements:

  • Supabase — stores account data, card content, and analytics. Data is hosted in the EU (Frankfurt). Privacy policy: supabase.com/privacy
  • Stripe — processes payments. Data may be transferred to the US under Standard Contractual Clauses. Privacy policy: stripe.com/privacy
  • Vercel — hosts the application and processes server logs. Privacy policy: vercel.com/legal/privacy-policy

6. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g., financial records for 7 years under UK tax law).

Scan analytics are retained for 24 months and then automatically purged.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your data ("right to be forgotten").
  • Portability — receive your data in a machine-readable format.
  • Restriction — ask us to limit how we process your data.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — for any processing based on consent.

To exercise any of these rights, email us at support@pelagopass.com. We will respond within 30 days. UK/EU users may also lodge a complaint with the ICO (ico.org.uk) or their local supervisory authority.

8. Security

We implement industry-standard security measures, including TLS encryption in transit, hashed passwords, row-level security in Supabase, and restricted access to production systems. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

9. Children

PelagoPass is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice at least 7 days before taking effect. The "Last updated" date at the top of this page will always reflect the most recent revision.