Política de Privacidad

This Privacy Policy explains how Colkie Technology Inc., a Delaware corporation operating the Walopass platform (“Walopass”, “we”, “us” or “our”), collects, uses, discloses and safeguards information when you use our platform at walopass.com and related services (the “Platform”).

This Policy applies to two categories of users: Creators, who set up Communities and send Notifications, and Members, who join Communities and receive Wallet Passes. By using the Platform, you consent to the practices described in this Policy.

For the purposes of the EU and UK General Data Protection Regulation, Colkie Technology Inc. is the data controller for the personal data we collect directly from Users of walopass.com. Where you interact with the Platform through a Community operated by a Creator who is itself a controller, that Creator is the controller of the personal data it collects from you and you should review its own privacy notice in addition to this one.

Colkie Technology Inc. maintains an establishment in the European Union through its Spanish branch, Colkie Technology Inc Sucursal en España. EU, EEA and United Kingdom data subjects may exercise their rights and contact us through this establishment in addition to the contact details set out in Section 14 below.

We use the personal data we collect to:

• Provide, maintain, secure and improve the Platform.
• Authenticate users and manage accounts.
• Generate and distribute Apple Wallet and Google Wallet passes.
• Deliver Notifications from Creators to their Members.
• Enable demographic targeting (by city, region, gender and age) requested by Creators.
• Process payments and manage subscriptions.
• Communicate with you about your account, service updates and support.
• Detect, prevent and investigate fraud, abuse and security incidents.
• Enforce our Terms of Use and protect against misuse.

We do not sell your personal data and we do not build advertising profiles based on your activity on the Platform.

Where the EU GDPR, UK GDPR or equivalent legislation applies, we rely on the following lawful bases for processing your personal data:

• Performance of a contract — for example, to provide the Platform and operate your account.
• Legitimate interests — for example, to secure and improve the Platform, prevent abuse and operate our business, where those interests are not overridden by your interests or rights.
• Compliance with a legal obligation — for example, tax and financial record-keeping.
• Consent — where we ask for it (for example, to receive certain communications). You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

We share personal data only in the following circumstances:

• Supabase — database and authentication; data hosted in AWS US-East region.
• Amazon Web Services (AWS) — infrastructure, object storage for pass files (S3) and event processing.
• Apple Inc. — Wallet pass distribution and Apple Push Notification service. Device tokens are shared to enable pass delivery and updates.
• Google LLC — Google Wallet pass generation and distribution.
• Stripe— payment processing for Creator subscriptions; subject to Stripe’s own privacy policy.
• Meta Platforms, Inc. — for the Meta Pixel deployed on our marketing website at walopass.com, used to measure and improve our advertising on Meta’s platforms (Facebook and Instagram). Use of the Meta Pixel is described in Section 6 below.
• Email and SMS providers — we may use from time to time to deliver transactional communications.

With Creators, when you are a Member of their Community: Creators may view your Member-level data and export CSV files from the Members dashboard for legitimate Community operations. Creators are independently responsible for handling exported data in compliance with Applicable Law.

We may also share personal data in connection with a planned or actual merger, divestiture, restructuring, reorganisation, dissolution or sale of some or all of our assets; to comply with Applicable Law, regulation, legal process or governmental request; and to protect our rights, property or safety or those of our users.

We retain personal data for as long as your account is active or as needed to provide the Platform:

• Creator accounts — retained until account deletion or subscription termination, plus a thirty (30) day grace period.
• Member records — retained for as long as the associated Community is active.
• Wallet Pass files — retained while the Member’s pass is active.
• Member CSV exports — retained for up to seven (7) days before automatic deletion.
• Notification history — retained for twelve (12) months after sending.
• Payment records — retained as required by tax and financial regulations.

On account deletion we will delete or anonymise your personal data within thirty (30) days, except where retention is required by Applicable Law or for the resolution of disputes.

We implement reasonable technical and organisational measures designed to protect personal data, including:

• Encryption of personal data in transit using TLS/HTTPS.
• Database access protected by Row Level Security policies and role-based access controls.
• Authentication using signed JWT tokens (ES256) and OAuth.
• Payment data handled exclusively through PCI-compliant Stripe infrastructure (no payment card data is stored by us).
• Restricted, audited admin access protected by separate authentication.
• Logging and monitoring of access to production systems.
• Vulnerability management on the application and infrastructure.
• Documented backup and disaster-recovery procedures.

No method of electronic transmission or storage is one hundred per cent secure. While we strive to protect your information, we cannot guarantee absolute security.

Your personal data may be transferred to and processed in countries other than your country of residence, including the United States where our infrastructure providers are located. Where we transfer personal data out of the European Economic Area or the United Kingdom to a country that has not been the subject of an adequacy decision, we rely on (a) the European Union Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and (b) the UK International Data Transfer Addendum to the EU SCCs, in each case completed on customary terms, together with supplementary measures where required.

Members must be at least thirteen (13) years old to register for a Community, or such higher minimum age as Applicable Law requires in the Member’s jurisdiction. For users in the United States, thirteen (13) is the minimum under COPPA. For users in the European Union, United Kingdom and EEA, the minimum age for digital consent varies by country (currently thirteen (13) to sixteen (16)); where local law sets a higher minimum, that higher age applies and parental consent will be required for younger users. We verify age through the date-of-birth field at registration.

If we learn that we have collected personal data from a child below the applicable minimum age without verifiable parental consent, we will delete that information promptly. Creator accounts require Users to be at least eighteen (18) years old. If you are a parent or guardian and believe your child has provided personal data to Walopass, please contact us at privacy@walopass.com.

In the event of a personal data breach affecting your personal data, we will comply with applicable breach-notification laws, including, where applicable, notifying the competent supervisory authority within seventy-two (72) hours after becoming aware of the breach and notifying affected individuals where required.

We may update this Privacy Policy from time to time. We will notify Users of material changes by posting the updated Policy on walopass.com and updating the “Last updated” date at the top. We encourage you to review this Policy periodically.

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

• Privacy: privacy@walopass.com
• General inquiries: hello@walopass.com
• Postal (US): Colkie Technology Inc., 251 Little Falls Drive, Wilmington, DE 19808, USA
• European establishment: Colkie Technology Inc Sucursal en España — EU, EEA and UK data subjects may exercise their rights through this establishment in addition to the contacts above.