Privacy notice

Passes 360 is operated by Passes 360 Ltd ("we", "us", or "our"), a company registered in England and Wales. Our registered address and company number will be shown here once finalised.

We are the data controller for the personal information described in this notice. If you have questions, you can reach our data protection contact at privacy@passes360.co.uk.

We collect information in the following categories.

Account information

• Your name and email address when you create an account
• A securely hashed version of your password (we never store passwords in plain text)
• Optional profile details if you choose to add them

Event and ticket information

• Tickets and passes you buy or save
• Events you create or manage if you are an organiser
• Attendee information you provide at checkout (name, email, optional fields you choose)

Technical information

• IP address and approximate location derived from it
• Browser type, device, and operating system
• Pages visited, time spent, and referring page
• Errors logged when something goes wrong

Communication information

If you contact us through our forms, support channels, or by email, we keep a record of the message and our reply.

We use your information to:

• Provide and operate the platform — including issuing passes, processing checkouts, and running event-day check-in
• Communicate with you about your account, tickets, and the events you've signed up for
• Improve the product through aggregated analytics and bug reports
• Detect and prevent fraud, abuse, and misuse
• Comply with our legal obligations
• Respond to your support requests

Under the UK GDPR we rely on the following lawful bases (Article 6):

• Contract — to provide the services you've signed up for
• Legitimate interests — to improve the product, secure our systems, and prevent fraud
• Consent — for any optional communications you've opted into; you can withdraw at any time
• Legal obligation — where we must keep records for tax, accounting, or law-enforcement purposes

We share information only with carefully selected processors who help us run the service. Each processor is bound by a data-processing agreement that meets UK GDPR Article 28 requirements.

• Vercel Inc. — application hosting (United States, with appropriate safeguards)
• Prisma Data Inc. — database infrastructure (European Union)
• Resend Inc. — transactional email delivery (United States, with appropriate safeguards)
• Stripe Payments UK Ltd — payment processing (when paid checkouts go live)

We share information with event organisers when you buy or save a ticket to their event — they need it to admit you on the day. We never sell your data.

We may disclose information to law-enforcement agencies if compelled by a valid court order or where required by law.

Data primarily stays within the UK and EU. Where data is transferred to processors outside the UK (notably the United States), we rely on the UK Government's adequacy regulations, the UK International Data Transfer Agreement, or Standard Contractual Clauses, supplemented by additional safeguards such as encryption in transit and at rest.

We keep personal information for only as long as we need it for the purpose it was collected, plus any retention period required by law.

• Account information — for the lifetime of your account, then up to 24 months after closure
• Tickets and orders — 7 years after the event date for accounting and tax compliance
• Support correspondence — up to 24 months
• Technical logs — up to 90 days

You have the following rights under the UK GDPR. To exercise any of them, email privacy@passes360.co.uk.

• Right of access — request a copy of the information we hold about you
• Right to rectification — ask us to correct anything that's inaccurate
• Right to erasure — ask us to delete your data, subject to legal retention obligations
• Right to data portability — receive your data in a portable format
• Right to restrict processing — ask us to pause certain types of processing
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — for processing we rely on consent for

If you're unhappy with how we've handled your data you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

We use a small number of strictly-necessary and functional cookies. We do not currently use analytics, advertising, or tracking cookies. See our cookies notice for the full list.

Passes 360 is not intended for children under 16. We don't knowingly collect personal information from anyone under 16. If you believe a child has given us their data, contact us and we'll delete it.

We take reasonable technical and organisational measures to protect your data. This includes encryption in transit (TLS 1.2+) and at rest, access controls, audit logging, and regular review of our security practices. No system is perfectly secure, and we'll notify you and the ICO without undue delay in the event of a personal data breach that's likely to result in a risk to your rights.

We may update this notice from time to time. The "Last updated" date at the top of the page tells you when. For material changes we'll notify registered users by email at least 14 days before the change takes effect.

Email privacy@passes360.co.uk for any privacy-related question. We aim to respond within 5 working days. For complaints you're not satisfied with, you can contact the ICO at ico.org.uk.