Privacy Policy
Effective date: June 24, 2026 · tulum-rsvp.com
1. Who we are
Tulum·rsvp (“we”, “us”, “our”) operates the platform at tulum-rsvp.com. The platform enables venue operators to collect RSVPs, track marketing attribution, sell tickets, and run branded guest loyalty programs with Apple and Google Wallet passes.
This Privacy Policy describes how we collect, use, and protect personal data. It applies to everyone who uses our platform — both venue operators who hold accounts and guests who interact with operator-branded RSVP or loyalty pages.
For guests: when you RSVP to an event or join a loyalty program on a venue's page, the venue operator is the data controller for your information. We act as a data processor on their behalf, subject to this policy.
Contact: contact@tulum-rsvp.com
2. Data we collect
From venue operators
- Name and email address (via Clerk authentication)
- Billing information — processed by Stripe; we never receive or store raw card numbers
- Venue details: name, URL slug, branding (logo, colors, fonts), and event configuration
- Stripe Connect account data for venues collecting paid ticket revenue
- Platform usage data (pages visited, features used, dashboard interactions)
From guests
- Name, email address, and phone number — submitted on RSVP or loyalty join forms
- Custom fields defined by the venue operator (e.g., dietary preferences, table size, VIP code)
- IP address — hashed with SHA-256 before storage; the raw IP is never saved
- Approximate location (city and country), derived from the IP hash via an in-process geolocation library
- Device type, operating system, and browser, parsed from the browser's User-Agent string
- Attendance data: check-in timestamps and attended/absent status
- Loyalty data: stamp history, coin balance, tier level (Explorer → Legend), promo completions, and reward codes
- Apple Wallet push tokens and device IDs (registered when a guest adds a wallet pass to their device)
3. How we use your data
For operators
- Provide, maintain, and improve the platform
- Process subscription billing and paid event transactions
- Send transactional communications (billing receipts, account notices)
- Generate per-channel analytics dashboards
For guests
- Deliver QR code confirmation emails after RSVP or ticket purchase
- Generate and update Apple Wallet and Google Wallet loyalty passes
- Send background push notifications to update wallet passes after each stamp (APNs)
- Provide venue operators with attendance and channel attribution analytics
- Maintain your cross-venue loyalty identity (keyed by email), coin balance, and tier
4. Legal basis for processing (GDPR)
Where the GDPR applies, we rely on the following legal bases:
- Contract performance — processing necessary to operate your account, bill your subscription, or fulfil your RSVP
- Legitimate interests — security monitoring, analytics, platform improvement, and fraud prevention
- Consent — optional marketing emails (where separately obtained)
- Legal obligation — retaining billing records as required by applicable tax law
5. Third-party services and sub-processors
We share personal data only with service providers necessary to operate the platform:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database and file storage | United States |
| Clerk | User authentication and session management | United States |
| Stripe | Payment processing and subscription billing | United States |
| Resend | Transactional email delivery | United States |
| Vercel | Application hosting and edge delivery | United States |
| Apple Inc. | Apple Wallet pass delivery and APNs push notifications | United States |
| Google LLC | Google Wallet pass delivery | United States |
We do not sell, rent, or trade personal data to any third party for advertising or marketing purposes.
6. Cookies
We use cookies strictly necessary for authentication and session management, set by Clerk. We do not use advertising cookies, tracking pixels, or behavioral analytics from third-party ad networks. No third-party advertiser receives data from cookies set on tulum-rsvp.com.
7. Data retention
- Operator account data — retained while the account is active and for 30 days following a deletion request
- Guest RSVP and loyalty data — retained until the venue operator requests deletion or closes their account
- Hashed IP and geo/device data — retained for up to 24 months for analytics purposes
- Stripe billing records — retained per Stripe's policies and applicable tax law
- Apple Wallet device tokens — retained until the device deregisters from the pass or the loyalty card is deleted
8. Your rights
GDPR — European Union and UK
- Access a copy of your personal data
- Correct inaccurate or incomplete data
- Request erasure (“right to be forgotten”)
- Object to processing or request restriction
- Receive your data in a portable format
- Lodge a complaint with your supervisory authority
CCPA / CPRA — California residents
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information — we do not sell personal information
- Non-discrimination for exercising your rights
LFPDPPP — ARCO Rights (Mexico)
- Access (Acceso) — obtain information about the personal data we hold
- Rectification (Rectificación) — correct inaccurate or incomplete data
- Cancellation (Cancelación) — request the deletion of your personal data
- Opposition (Oposición) — object to the processing of your data in certain circumstances
To exercise any of these rights, email us at contact@tulum-rsvp.com. We will respond within 30 days.
9. Security
- IP addresses are hashed with SHA-256 before storage — raw IPs are never retained
- Data is encrypted in transit (TLS) and at rest (Supabase, Vercel)
- Authentication tokens and QR payloads are signed with HMAC-SHA256
- Clerk manages all credential storage and authentication flows
- Stripe handles all payment card data under PCI DSS compliance
10. International data transfers
Our sub-processors are primarily based in the United States. Data transferred outside Mexico is protected by the contractual safeguards and data processing terms of each sub-processor (Supabase, Clerk, Stripe, Resend, Vercel, Apple, Google). Where required, we rely on standard contractual clauses or equivalent mechanisms.
11. Children
Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided data to us, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered operators at least 14 days before taking effect, and noted with an updated effective date at the top of this page. Continued use of the platform after the effective date constitutes acceptance of the revised policy.
13. Contact
Tulum·rsvp
Tulum, Quintana Roo, México
contact@tulum-rsvp.com
This document was prepared as a starting point and does not constitute legal advice. Consult a qualified attorney for advice specific to your jurisdiction and business.