Privacy Policy

Passo ApS Last updated: 30 March 2026

---

1. Who We Are

Passo ApS ("Passo", "we", "us") is a members club that offers digital restaurant and bar Passes in Copenhagen. When you buy a Pass, you receive a voucher code by email and redeem it at the partner venue.

Data Controller: Passo ApS CVR: 36890843 Nordre Fasanvej 7, 2000 Frederiksberg, Denmark Email: hello@passo.club Website: passo.club

If you have questions about how we handle your personal data, contact us at hello@passo.club.

---

2. What Data We Collect

We collect the following categories of personal data:

| Category | Examples | When | |----------|----------|------|
| Identity data | Name | At checkout |
| Contact data | Email address | At checkout |
| Transaction data | Order details, voucher codes, redemption history | When you purchase or redeem a Pass |
| Payment data | Card type, last four digits | At checkout (processed by Shopify Payments -- we do not store full card numbers) |
| Usage data | Pages visited, browser type, device info | When you browse our site (only if you give cookie consent) |

We do not collect sensitive personal data (special categories under GDPR Art. 9).

---

3. How and Why We Use Your Data

We process your personal data for specific purposes, each with a legal basis under GDPR Article 6:

Contract performance (Art. 6(1)(b))

- Processing your order and payment
• Creating and delivering your voucher code by email
• Managing voucher redemption at partner venues
• Providing customer support related to your purchases

Legitimate interest (Art. 6(1)(f))

- Preventing fraud and abuse of voucher codes
• Improving our service based on aggregated usage patterns
• Ensuring the security and stability of our platform

Consent (Art. 6(1)(a))

- Sending marketing emails (e.g., weekly Pass drops, newsletters)
• Setting non-essential cookies and tracking browsing behavior

You can withdraw consent at any time. See Section 7 for details.

---

4. Who We Share Your Data With

We do not sell your personal data. We share it only with the following service providers ("processors") who help us run our service:

| Processor | Role | Location | Safeguard | |-----------|------|----------|-----------|
| Shopify | E-commerce platform, checkout, payment processing | Ireland / Canada | EU Standard Contractual Clauses; Shopify's Data Processing Addendum |
| Supabase (hosted on AWS) | Database hosting | EU (Frankfurt, Germany) | Data stays within EU/EEA |
| Resend | Transactional email delivery (order confirmations, voucher codes) | United States | EU-US Data Privacy Framework |
| Vercel | Web application hosting | United States | EU-US Data Privacy Framework |

We have data processing agreements in place with all processors.

---

5. International Transfers

Your data is primarily stored within the EU/EEA. Where data is transferred to the United States (Resend, Vercel), these transfers are covered by the EU-US Data Privacy Framework, which the European Commission has recognised as providing adequate data protection (adequacy decision of 10 July 2023).

For transfers to Canada (Shopify), Canada has an existing adequacy decision from the European Commission. Shopify also relies on Standard Contractual Clauses.

---

6. How Long We Keep Your Data

We retain your personal data only as long as necessary for the purposes described above:

| Data type | Retention period | |-----------|-----------------|
| Active voucher data (codes, redemption records) | Until 12 months after voucher expiry or redemption, then anonymised |
| Webhook and system logs | 90 days, then permanently deleted |
| Account and order data | Until you request deletion |
| Marketing consent records | Until you withdraw consent |

When data is no longer needed, we either delete it or anonymise it so it can no longer be linked to you.

---

7. Your Rights

Under GDPR, you have the following rights regarding your personal data:

- Access -- Request a copy of the personal data we hold about you.
• Rectification -- Ask us to correct inaccurate or incomplete data.
• Erasure -- Ask us to delete your personal data where there is no compelling reason for us to keep it.
• Restriction -- Ask us to temporarily limit how we use your data.
• Data portability -- Receive your data in a structured, commonly used, machine-readable format.
• Objection -- Object to processing based on legitimate interest. We will stop unless we can demonstrate compelling legitimate grounds.
• Withdraw consent -- Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, email us at hello@passo.club. We will respond within 30 days.

To unsubscribe from marketing emails, click the unsubscribe link at the bottom of any email, or contact us at hello@passo.club.

---

8. Complaints

If you believe we have not handled your data properly, you have the right to lodge a complaint with the Danish Data Protection Agency:

Datatilsynet Carl Jacobsens Vej 35 2500 Valby, Denmark Website: datatilsynet.dk Email: dt@datatilsynet.dk

---

9. Cookies

Our website uses cookies. Essential cookies are required for the site to function (e.g., shopping cart, checkout). We only set non-essential cookies (analytics, marketing) if you give your consent through our cookie banner.

You can change your cookie preferences at any time through your browser settings or our cookie consent tool on the website.

---

10. Is Providing Your Data Required?

When you place an order, providing your name and email address is a contractual requirement -- we need it to process your purchase and deliver your voucher code. If you do not provide this data, we cannot fulfil your order.

For marketing emails and cookies, providing data is entirely voluntary and based on your consent.

---

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

---

12. Children

Our service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@passo.club and we will delete it.

---

13. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will notify you by email or through a notice on our website. The "last updated" date at the top of this page shows when the policy was last revised.

---

14. Contact Us

If you have any questions about this privacy policy or how we handle your personal data:

Email: hello@passo.club Address: Passo ApS, Nordre Fasanvej 7, 2000 Frederiksberg, Denmark CVR: 36890843