Privacy Policy

Last Updated: 11/30/2025

Version: 1.0


1. Introduction

GessPass ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our B2B SaaS platform.

This policy applies to business owners, promoters, staff members, administrators, and guests using our platform.

2. Information We Collect

2.1 Personal Information

When you create an account or use our Service, we collect:

  • Account Information: Username, email address, password (encrypted), phone number
  • Business Information: Business name, address, contact details, industry type
  • Profile Data: Bio, location, social media links, years of experience (for promoters)
  • Billing Information: Payment method details (processed securely by Stripe)

2.2 Automatically Collected Information

  • Usage Data: Pass creation, distribution, and redemption activity
  • Analytics: Platform interactions, feature usage, conversion rates
  • Device Information: IP address, browser type, device ID, operating system
  • Session Data: Login timestamps, session duration, portal access patterns
  • QR Code Activity: Scan timestamps, verification events, redemption location

2.3 Guest Data (Anonymous)

For guests claiming promotional passes, we collect minimal data:

  • Anonymous guest identifier (no email or name required)
  • Pass claim timestamps
  • QR code verification events
  • Optional: Shared pass activity (viral distribution tracking)

2.4 Communications Data

  • In-app messages between businesses and promoters
  • Image attachments shared through messaging
  • Support ticket submissions and responses
  • Email and SMS notification preferences

3. How We Use Your Information

3.1 Service Delivery

  • Creating and managing your account
  • Processing pass creation, distribution, and redemption
  • Managing subscriptions and processing payments via Stripe
  • Facilitating communication between businesses and promoters
  • Sending transactional notifications (pass expiry, redemptions, account alerts)

3.2 Analytics & Improvements

  • Tracking platform performance and usage patterns
  • Calculating conversion rates and ROI metrics
  • Identifying feature adoption and user engagement
  • Improving user experience and platform functionality

3.3 Fraud Detection & Security

  • Monitoring for suspicious activity and fraudulent transactions
  • Risk scoring and fraud pattern detection
  • Audit logging for security and compliance
  • Error tracking and performance monitoring via Sentry

3.4 Communications

  • Sending email notifications via SendGrid
  • Delivering SMS marketing and alerts via Twilio
  • Providing customer support through our ticketing system
  • Sending platform updates and feature announcements

4. Third-Party Service Providers

We share data with trusted third-party processors who help us operate our platform:

4.1 Payment Processing

  • Stripe: Handles all payment processing, subscription billing, and payment method storage. See Stripe's Privacy Policy.

4.2 Communication Services

4.3 Error Monitoring & Performance

4.4 Hosting & Infrastructure

5. Data Retention

  • Active Accounts: Data retained while your account is active
  • Cancelled Subscriptions: Business data retained for 90 days post-cancellation
  • Analytics Data: Aggregated analytics retained for 2 years
  • Audit Logs: Security and fraud logs retained for 7 years (compliance requirement)
  • Billing Records: Transaction history retained per tax and legal requirements
  • Guest Data: Anonymous claim data retained for 1 year for analytics

6. Your Privacy Rights

6.1 GDPR Rights (EU/UK Residents)

If you are located in the European Economic Area or United Kingdom, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Data Portability: Receive your data in a machine-readable format
  • Object: Object to certain processing activities
  • Restrict Processing: Limit how we use your data
  • Withdraw Consent: Revoke consent for data processing

6.2 CCPA/CPRA Rights (California Residents)

California residents have the right to:

  • Know what personal information we collect and how it's used
  • Request deletion of your personal information
  • Opt out of the sale of personal data (we do not sell your data)
  • Non-discrimination for exercising your privacy rights
  • Correct inaccurate personal information

6.3 Other State Privacy Laws

Residents of Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, and Kentucky have similar rights under their respective state privacy laws.

6.4 How to Exercise Your Rights

To exercise any of these rights, contact us at: privacy@gesspass.com

We will respond to verified requests within 30 days.

7. Cookies & Tracking

7.1 Essential Cookies

  • Session cookies for authentication (required for platform functionality)
  • CSRF tokens for security protection

7.2 Analytics Cookies

  • Usage tracking for platform improvements
  • Feature adoption metrics
  • Performance monitoring

7.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may limit platform functionality.

8. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data transmitted via HTTPS/TLS
  • Password Security: Passwords hashed using bcrypt
  • Access Controls: Role-based permissions and portal separation
  • Database Security: Encrypted connections and access logging
  • Regular Audits: Comprehensive audit trail system
  • Monitoring: Real-time error and fraud detection

Note: While we use reasonable measures to protect your data, no method of transmission over the Internet is 100% secure.

9. Children's Privacy

GessPass is a B2B platform intended for business use. We do not knowingly collect information from individuals under 18 years of age. If we discover we have collected data from a minor, we will delete it promptly.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure adequate protections are in place for international transfers, including:

  • Standard Contractual Clauses (SCCs) for EU data transfers
  • Data Processing Agreements with all third-party processors
  • Compliance with applicable data protection frameworks

11. Business Transfers

If GessPass is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your information becomes subject to a different privacy policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes via:

  • Email notification to your registered address
  • In-app notification banner
  • Updated "Last Modified" date on this page

Continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your data:

Privacy Team: privacy@gesspass.com
General Support: support@gesspass.com
Website: https://gesspass.com


Privacy-First Approach: GessPass is designed with privacy at its core. We collect only the data necessary to provide our services and never sell your information to third parties.