Privacy Policy

Last updated: 17 April 2026

ReachPass ("we", "us", or "our") operates the digital wallet pass platform available at reachpass.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our services, including Apple Wallet and Google Wallet passes for loyalty programmes, membership cards, store cards, coupons, and event tickets.

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

2. Personal Data We Collect

We may collect and process the following categories of personal data:

• Identity data: full name, email address, phone number.
• Programme data: membership tier, loyalty points balance, store card balance.
• Transaction data: points earned or redeemed, store card top-ups and purchases, offer claims.
• Device data: device push tokens (Apple Push Notification service / Firebase Cloud Messaging) used to deliver pass update notifications.
• Pass data: wallet pass serial numbers and pass type identifiers.
• Usage data: timestamps of pass installations, updates, and interactions.

3. How We Use Your Data

We process your personal data for the following purposes:

• Issuing and updating digital wallet passes on your device.
• Managing loyalty points, membership status, and store card balances.
• Sending pass update push notifications when your pass data changes.
• Processing offers, coupons, and redemptions.
• Sending transactional communications (welcome emails, receipts, reminders).
• Providing analytics and reporting to the business you are a member of.
• Preventing fraud and ensuring security of our platform.

4. Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

• Contract performance (Art. 6(1)(b)): processing necessary to provide the wallet pass services you signed up for.
• Legitimate interest (Art. 6(1)(f)): analytics, fraud prevention, and platform security.
• Consent (Art. 6(1)(a)): where you have given consent for specific processing activities, such as marketing communications. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): where processing is required by law.

5. Data Sharing and Sub-processors

We use the following third-party service providers to deliver our platform. Each operates under a data processing agreement consistent with GDPR requirements:

• Platform provider (data processor): WalletPush — provides the underlying wallet pass technology, database hosting, and application infrastructure.
• Database & authentication: Supabase (AWS infrastructure, EU region).
• Application hosting: Vercel — serverless compute for API requests.
• Payment processing: Stripe — handles all card payment data. We never store or process card numbers.
• Email delivery: Resend — transactional email delivery.
• Wallet pass delivery: Apple Inc. (Apple Wallet) and Google LLC (Google Wallet) — for pass installation and push notifications.

We do not sell your personal data to third parties.

6. Data Storage and Location

Your personal data is stored on servers located within the European Union. Our primary database is hosted in London, United Kingdom (AWS eu-west-2 region). Where data is transferred outside the EEA (e.g., to Apple or Google for wallet pass delivery), such transfers are protected by EU Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework.

7. Data Retention

We retain your personal data for as long as your account or membership is active, or as needed to provide you with our services. When data is no longer required, it is anonymised or securely deleted. Transactional records may be retained in anonymised form for ledger integrity and legal compliance purposes.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access: request a copy of your personal data.
• Right to rectification: request correction of inaccurate data.
• Right to erasure: request deletion of your personal data ("right to be forgotten").
• Right to data portability: request your data in a structured, machine-readable format.
• Right to restrict processing: request that we limit the processing of your data.
• Right to object: object to processing based on legitimate interests.
• Right to withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, please contact us at admin@reachpass.io. We will respond within 30 days.

9. Cookies

Our platform uses essential cookies required for authentication and session management. We do not use third-party tracking or advertising cookies. Essential cookies cannot be disabled as they are necessary for the platform to function.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Row-level security ensuring strict data isolation between tenants.
• Comprehensive audit logging of all data access and modifications.
• Regular automated backups.

11. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us so we can promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this page periodically.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

You also have the right to lodge a complaint with your local data protection supervisory authority.