Privacy Policy

We collect information you provide directly and some data automatically:

We use your information to:

• Provide and improve our services
• Process payments, subscriptions, and payouts
• Send ticket confirmations and event updates
• Generate QR codes for check-in
• Award digital stamps when you attend events
• Enable event discovery based on location
• Display your public profile and stamp collection
• Generate analytics and insights for hosts
• Detect and prevent fraud
• Send notifications based on your preferences
• Provide customer support

When you create a public profile, the following may be visible:

• Username, display name, avatar, and banner
• Bio and location (if provided)
• Social media links you add
• Your stamp collection (if enabled)
• Event attendance map (if enabled, shows cities only)
• Follower and following counts
• Equipped cosmetics and profile theme
• Statistics (events attended, stamps earned, cities visited)

We use location data carefully and transparently:

We use postcodes.io API to convert postcodes to coordinates and region names. No location data is sold to third parties.

We automatically translate event descriptions for international users:

• We detect the language of event descriptions
• Content is translated to your browser's preferred language
• Translation is performed by third-party AI services
• Original text is always available
• We do not store translated versions permanently

We provide accommodation recommendations via Stay22:

• Event location coordinates are shared with Stay22 to show nearby hotels
• If you click on accommodation links, you are directed to third-party booking sites
• We do not receive or store your accommodation booking details
• Stay22 and accommodation providers have their own privacy policies
• pullup.at may receive affiliate commission from bookings

When you check in to events, we create stamp records:

• Event name, type, and city
• Check-in date and time
• Rarity level based on event characteristics
• Custom stamp design data (created by hosts)
• Your account ID (to link stamp to your profile)

Stamps are visible on your public profile if you have stamps enabled. Each stamp has a shareable link. Disable stamp visibility in your profile settings.

To provide Pullup Status rewards, we track your booking activity:

• Number of qualifying bookings (tickets purchased for £5 or more)
• Your current Pullup Status tier (Member, Insider, or Elite)
• Discounts applied to your purchases through the rewards program
• Early access usage for events with Pullup Status benefits

Your Pullup Status is visible on your public profile as a badge. Booking counts are private and not shared with hosts or other users. Hosts only see anonymized discount redemption statistics.

We collect data to deliver notifications:

• Email address for email notifications
• Push tokens for mobile/web push (with permission)
• Your notification preferences and quiet hours
• Delivery status for troubleshooting

We do not sell your personal information. We share data only:

• Service Providers:
  • Stripe - Payment processing
  • Supabase - Database hosting
  • AWS SES - Email delivery
  • Vercel - Application hosting
  • Resend - Transactional emails
• Location Services: Postcodes.io, ipapi.co, OpenStreetMap Nominatim
• Accommodation: Stay22 for hotel recommendations (receives event coordinates)
• Translation: AI services for automatic translation of event descriptions
• Public Display: Data you choose to make public on your profile
• Event Hosts: Guest information for events you register for
• Legal Requirements: When required by law or to protect rights
• Organizations: If you're part of an enterprise organization, admins can see relevant data

We implement industry-standard security measures:

• All data encrypted in transit (HTTPS/TLS)
• Sensitive data encrypted at rest
• Passwords hashed using bcrypt
• Two-factor authentication available
• Passkey support for phishing-resistant login
• Regular security audits and monitoring
• Row-level security on database
• API rate limiting and abuse detection
• Fraud detection for suspicious activity

You have the right to:

• Access: Request a copy of all your personal data
• Export: Download your data via account settings (once per 7 days)
• Correct: Update inaccurate information in your profile
• Delete: Delete your account and all associated data
• Object: Opt out of public event discovery
• Restrict: Hide your profile, stamps, or event map
• Withdraw Consent: Revoke permissions at any time

We retain your data as follows:

• Account data retained while your account is active
• After account deletion, data removed within 30 days
• Some data may be retained for legal compliance
• Anonymized analytics data may be retained indefinitely
• Backup data automatically expires after retention period

We use the following types of cookies:

• Essential Cookies: Session management, authentication, CSRF protection, consent preferences
• Preference Cookies: Theme, language, display settings
• Seat Hold Session: Temporary cookie for anonymous seat holds
• Advertising Cookies: If you consent, Google AdSense may use cookies to show personalized ads

You control your cookie preferences through our consent banner. You can change your preferences at any time.

We use Google AdSense to display advertisements on pullup.at. This helps support our platform and keep many features free.

If you authorize third-party applications via OAuth:

• You control which permissions each app receives
• Apps can only access data within their granted scopes
• You can revoke access at any time
• We log OAuth application activity

pullup.at is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.

Your data may be processed in countries outside your residence. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required.

For privacy-related questions or to exercise your rights:

We aim to respond to all privacy requests within 30 days.

We may update this privacy policy from time to time. We will notify you of significant changes via email or in-app notification. The "Last updated" date at the bottom indicates when the policy was last revised.