Privacy Policy

We respect your privacy. Here's how we collect, use, and protect your data.

  • Encrypted: All data
  • You Control: Your visibility
  • Delete: Anytime
  • Export: Your data

1. Information We Collect

We collect information you provide directly and some data automatically:

Account Information

  • Email address and password (hashed with bcrypt)
  • Full name and username
  • Profile photo and banner image
  • Bio, location, and social media links
  • Two-factor authentication settings
  • Passkey credentials (for passwordless login)

Event Data

  • Event details (title, description, date, time, type)
  • Venue address and postcode
  • Guest lists and check-in records
  • Venue layouts and seat configurations
  • Custom landing pages and email templates
  • Custom stamp designs
  • Promo codes and ticket tiers

Payment Information

  • Payment details processed securely by Stripe (we don't store card numbers)
  • Bank account details for payouts (encrypted at rest)
  • Transaction history and earnings
  • Subscription status and billing history

Automatically Collected

  • Device type and browser information
  • IP address (for security and fraud detection)
  • Usage patterns and feature interactions
  • Check-in timestamps and locations

2. How We Use Your Information

We use your information to:

  • Provide and improve our services
  • Process payments, subscriptions, and payouts
  • Send ticket confirmations and event updates
  • Generate QR codes for check-in
  • Award digital stamps when you attend events
  • Enable event discovery based on location
  • Display your public profile and stamp collection
  • Generate analytics and insights for hosts
  • Detect and prevent fraud
  • Send notifications based on your preferences
  • Provide customer support

3. Public Profile Data

When you create a public profile, the following may be visible:

  • Username, display name, avatar, and banner
  • Bio and location (if provided)
  • Social media links you add
  • Your stamp collection (if enabled)
  • Event attendance map (if enabled, shows cities only)
  • Follower and following counts
  • Equipped cosmetics and profile theme
  • Statistics (events attended, stamps earned, cities visited)

You Control Your Visibility

  • Toggle stamp collection visibility on/off
  • Hide your event map
  • Enable/disable nearby discovery
  • Disable your public profile entirely
  • All settings available in your profile preferences

4. Location Data

We use location data carefully and transparently:

Event Locations

  • We collect postcodes for event location features
  • General area (e.g., "Camden, London") shown publicly
  • Full address only revealed to confirmed ticket holders
  • Used for "Events Near Me" discovery

Check-in Locations

  • When you check in, the event's city is recorded
  • Used to generate your profile event map
  • Shows city-level pins only, not exact venues

Nearby Discovery

  • Opt-in feature requiring explicit permission
  • Your approximate location is shared only while the feature is active
  • Can be disabled at any time

We use the postcodes.io API to convert postcodes to coordinates and region names. No location data is sold to third parties.

5. Digital Stamps and Collectibles

When you check in to events, we create stamp records:

  • Event name, type, and city
  • Check-in date and time
  • Rarity level based on event characteristics
  • Custom stamp design data (created by hosts)
  • Your account ID (to link stamp to your profile)

Stamps are visible on your public profile if you have stamps enabled. Each stamp has a shareable link. You can disable stamp visibility in your profile settings.

6. Notifications

We collect data to deliver notifications:

  • Email address for email notifications
  • Push tokens for mobile/web push (with permission)
  • Your notification preferences and quiet hours
  • Delivery status for troubleshooting

You Control Notifications

  • Enable/disable each notification channel
  • Set quiet hours when you won't be disturbed
  • Choose digest frequency (daily, weekly, never)
  • Configure per-event-type preferences

7. Information Sharing

We do not sell your personal information. We share data only:

  • Service Providers:
    • Stripe - Payment processing
    • Supabase - Database hosting
    • AWS SES - Email delivery
    • Vercel - Application hosting
    • Resend - Transactional emails
  • Location Services: Postcodes.io for location lookups (postcodes only)
  • Public Display: Data you choose to make public on your profile
  • Event Hosts: Guest information for events you register for
  • Legal Requirements: When required by law or to protect rights
  • Organizations: If you're part of an enterprise organization, admins can see relevant data

8. Data Security

We implement industry-standard security measures:

  • All data encrypted in transit (HTTPS/TLS)
  • Sensitive data encrypted at rest
  • Passwords hashed using bcrypt
  • Two-factor authentication available
  • Passkey support for phishing-resistant login
  • Regular security audits and monitoring
  • Row-level security on database
  • API rate limiting and abuse detection
  • Fraud detection for suspicious activity

9. Your Rights

You have the right to:

  • Access: Request a copy of all your personal data
  • Export: Download your data via account settings (once per 7 days)
  • Correct: Update inaccurate information in your profile
  • Delete: Delete your account and all associated data
  • Object: Opt out of public event discovery
  • Restrict: Hide your profile, stamps, or event map
  • Withdraw Consent: Revoke permissions at any time

Data Export Includes

  • Your profile information
  • All events you've created
  • Guest lists for your events
  • Your stamp collection
  • Analytics and check-in data
  • Notification preferences

10. Data Retention

We retain your data as follows:

  • Account data retained while your account is active
  • After account deletion, data removed within 30 days
  • Some data may be retained for legal compliance
  • Anonymized analytics data may be retained indefinitely
  • Backup data automatically expires after the retention period

11. Cookies and Tracking

We use minimal cookies:

  • Essential Cookies: Session management, authentication, CSRF protection
  • Preference Cookies: Theme, language, display settings
  • Seat Hold Session: Temporary cookie for anonymous seat holds

We do not use advertising cookies or third-party tracking. We do not participate in cross-site tracking or sell data to advertisers.

12. Third-Party OAuth

If you authorize third-party applications via OAuth:

  • You control which permissions each app receives
  • Apps can only access data within their granted scopes
  • You can revoke access at any time
  • We log OAuth application activity

13. Children's Privacy

pullup.at is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.

14. International Data Transfers

Your data may be processed in countries outside your residence. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required.

15. Contact Us

For privacy-related questions or to exercise your rights:

We aim to respond to all privacy requests within 30 days.

16. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes via email or in-app notification. The "Last updated" date at the bottom indicates when the policy was last revised.

Last updated: March 2026