Privacy Policy

Introduction

At PassMaker ("we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, and protect your personal information when you use our Mobile Wallet Pass Generator service at passmaker.io.

Our Privacy Commitment: We collect minimal data, delete files automatically, and never sell your information to third parties.

Information We Collect

1. Personal Information

• Email Address: We collect your email address when you sign up. This is used solely for authentication (magic link login) and sending you pass download links.
• Payment Information: Credit card information is processed securely by Stripe. We do not store your credit card details on our servers.

2. Pass Data

• Images (Standard Passes): Photos you upload for standard passes are deleted immediately after pass generation (within seconds).
• Images (Hybrid Passes): Photos for hybrid passes are stored securely for 1 year to enable online viewing with full resolution.
• Pass Information: Text you enter (name, title, descriptions, barcode data) is stored to generate your pass and maintain your pass history.
• Generated Pass Files: Standard pass files are deleted 48 hours after creation. Apple Wallet .pkpass files are permanently deleted from our servers. Google Wallet passes are created on Google's servers and remain there indefinitely - we cannot delete data stored on Google's infrastructure.
• Hybrid Pass Data: Hybrid passes are retained for 1 year. After 1 year, Apple Wallet files are deleted and Google Wallet passes are expired (removed from your wallet).
• Hybrid Pass View Tracking: For hybrid passes, we track view events (IP address, timestamp, user agent) for analytics and abuse detection purposes.

3. Technical Information

• Log Data: Standard server logs (IP address, browser type, access times) for security and troubleshooting.
• Analytics: We use self-hosted Plausible Analytics to collect aggregated, anonymized website statistics (page views, referrers). No personal data is collected, no cookies are used, and all data stays on our servers.
• Cookies: We use minimal cookies for authentication sessions only (JWT tokens).

How We Use Your Information

We use your information exclusively for:

• Authentication: Sending magic link login emails
• Service Delivery: Generating your mobile wallet passes (Apple Wallet and Google Wallet)
• Hybrid Pass Features: Storing and serving full-resolution photos for online viewing (hybrid passes only)
• Communication: Sending pass download links and credit purchase confirmations
• Account Management: Managing your credit balance and pass history
• Payment Processing: Processing credit pack purchases via Stripe
• Analytics & Abuse Prevention: Tracking views on hybrid passes to detect suspicious activity
• Customer Support: Responding to your support requests

We never: Sell your data, share it with third parties for marketing, or use it for purposes beyond operating PassMaker.

Data Retention & Automatic Deletion

We automatically delete data on the following schedule:

Pass metadata (title, type, creation date) is retained in your account history for reference purposes but can be deleted upon request.

Third-Party Services

Services We Use

We use the following trusted third-party services:

• Stripe: Payment processing. View their privacy policy at stripe.com/privacy
• Postal (Email Service): Transactional email delivery (magic links, download links, receipts)
• Google Wallet API: Used to create and manage Google Wallet passes. Pass data is stored on Google's servers and subject to Google's privacy policy. View Google's privacy policy at policies.google.com/privacy
• Infisical: Secure secrets management (certificates and API keys only, no user data)
• Plausible Analytics (Self-Hosted): We use a self-hosted instance of Plausible Analytics at stats.rehosted.us for basic website traffic statistics. Plausible is designed to be privacy-friendly and does not use cookies or collect personal data. It tracks only aggregated page views and referrer information without identifying individual users. All data stays on our own servers. Learn more at plausible.io/privacy-focused-web-analytics

These services are bound by their own privacy policies and security standards. We do not share more information than necessary to provide our service.

Services We Will Never Use

Your Rights

You have the following rights regarding your data:

• Access: Request a copy of all data we have about you
• Correction: Update your email address by contacting support
• Deletion: Request complete account deletion (we will delete all associated data)
• Data Portability: Request an export of your pass history and account data
• Opt-Out: Stop receiving transactional emails (note: this will prevent you from using the service)

To exercise any of these rights, contact us at support@passmaker.io

GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

• Legal Basis: We process your data based on contractual necessity (to provide the service) and your consent
• Data Controller: reHosted is the data controller for your information
• Right to Lodge a Complaint: You may file a complaint with your local data protection authority
• Data Transfers: Your data is stored on servers in the United States with appropriate safeguards

Security

We take security seriously and implement the following measures:

• Passwordless Authentication: Magic links eliminate password-related security risks
• Encrypted Connections: All data transmitted over HTTPS/TLS
• Secure Storage: Database credentials and API keys stored in Infisical (secrets management)
• Automatic Cleanup: Files deleted automatically to minimize data exposure
• Token Expiration: Short-lived tokens reduce risk of unauthorized access
• Regular Updates: Software dependencies updated regularly for security patches

While we implement strong security measures, no system is 100% secure. We encourage you to use PassMaker responsibly and avoid including sensitive personal information in your passes.

Children's Privacy

PassMaker is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at support@passmaker.io and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this page indicates when the policy was last revised. Your continued use of PassMaker after policy changes constitutes acceptance of the updated policy.