Privacy Policy

Mempass Ltd (“Mempass,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, applications, and services (collectively, the “Services”).

Mempass Ltd is the data controller for personal data collected through our marketing site and business-user accounts. For members (end users) enrolled in a loyalty or membership programme run by one of our business customers, that business is the data controller and Mempass acts as a data processor on their behalf.

Registered address: 31 Endura House, New Road, Rainham RM13 8TW, United Kingdom. Company registration is currently in progress; the company number will be added here once issued by Companies House.

By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not access or use our Services.

Personal Information

When you create an account or use our Services, we may collect:

• Name, email address, and contact information
• Authentication identifiers used to sign you in (handled by our auth provider, Clerk)
• Billing information and payment details (handled by Stripe — we never see full card numbers)
• Business and programme information you choose to provide
• Member data you upload to run your programmes (names, emails, membership status, check-in history)

Usage Information

We automatically collect certain information when you use our Services:

• Device information (browser type, operating system, device identifiers)
• Log data (IP address, access times, pages viewed)
• Usage patterns and feature interactions (via PostHog, EU region)
• Authentication and check-in activity
• Error diagnostics and performance traces (via Sentry, EU region)

We rely on the following lawful bases under Article 6 of the UK GDPR:

• Contract: to provide the Services you or your business have signed up for, including processing payments and issuing digital passes.
• Legitimate interests: to secure our Services, prevent fraud, measure product performance, and communicate with customers about their account. You can object to processing based on legitimate interests at any time.
• Legal obligation: to meet our accounting, tax, and other legal requirements.
• Consent: for any optional marketing communications. You can withdraw consent at any time.

We use the information we collect to:

• Provide, maintain, and improve our Services
• Process transactions and manage your account
• Send you technical notices, updates, and support messages
• Respond to your comments, questions, and customer service requests
• Monitor and analyze trends, usage, and activities
• Detect, investigate, and prevent fraudulent or unauthorized activity
• Personalize and improve your experience

We take the security of your personal data seriously and apply commercially reasonable technical and organisational measures to protect it. These include:

• Encryption in transit (TLS) for all traffic between your browser and our Services
• Encryption at rest for our managed database and file storage, provided by our infrastructure partners
• Delegated authentication and credential storage via Clerk — we do not store raw passwords
• Payment card data handled exclusively by Stripe (PCI DSS Level 1) — we never receive or store full card numbers
• Principle of least privilege for internal access to production systems
• Centralised error monitoring and audit logging

No method of transmission over the Internet or electronic storage is 100% secure. While we work to protect your information, we cannot guarantee absolute security.

We do not sell your personal information. We share data with the following categories of recipients, strictly as needed to operate the Services:

Sub-processors we currently use:

• Clerk — authentication and user identity management
• Stripe — subscription billing and Connect payouts
• Vercel — web application hosting and edge delivery
• Railway — API and database hosting
• Vercel Blob — image and file storage (logos, pass artwork)
• Resend — transactional email delivery
• Apple — Apple Wallet pass distribution and updates
• Google — Google Wallet pass distribution and updates
• Sentry (EU region) — error monitoring and performance diagnostics
• PostHog (EU region) — product analytics

We may also disclose information:

• Business transfers: In connection with a merger, acquisition, or sale of assets
• Legal requirements: When required by law or to respond to legal process
• Protection: To protect the rights, property, or safety of Mempass, our users, or the public
• Consent: With your explicit consent or at your direction

Some sub-processors are based outside the UK. Where data is transferred internationally, we rely on appropriate safeguards such as the UK International Data Transfer Addendum or adequacy decisions.

Depending on your location, you may have the following rights:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal information
• Portability: Request a machine-readable copy of your data
• Opt-out: Opt out of marketing communications at any time
• Withdraw consent: Withdraw previously given consent for data processing

To exercise any of these rights, please contact us at aishebby@crowdcue.app. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk if you believe we have mishandled your personal data.

We use cookies and similar tracking technologies to collect and track information about your activity on our Services. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, some features of our Services may not function properly without cookies.

We retain your personal information for as long as your account is active or as needed to provide you with our Services. We may also retain and use your information to comply with legal obligations, resolve disputes, and enforce our agreements. When a business customer closes their account, we delete or anonymise member data within a reasonable period, unless we are required to retain it for legal or accounting reasons.

Our Services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information.

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the “Last updated” date. You are advised to review this policy periodically for any changes.

If you have any questions about this Privacy Policy, please contact us:

• Email: aishebby@crowdcue.app
• Address: 31 Endura House, New Road, Rainham RM13 8TW, United Kingdom