Privacy Policy

PassFirst ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your information when you use passfirst.ie. We are the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

Account Information When you register, we collect your name, email address, and profile picture via your chosen sign-in method (Google, Apple, or Facebook). This is handled by Clerk (our authentication provider). Purchase Data When you make a purchase, Stripe processes your payment. We store a record of which test centres you have unlocked, linked to your account ID. We do not store your card details — these are held by Stripe. Usage Data We may collect limited technical data about how you use the Service, including pages visited and features used, to improve the Service. Cached Data We cache map preview images in our database (Convex) to minimise API usage. This data is linked to route IDs, not to individual users.

We process your personal data on the following legal bases: • Account creation and authentication — Contractual necessity • Processing and recording purchases — Contractual necessity • Delivering purchased content across devices — Contractual necessity • Improving the Service — Legitimate interest • Compliance with legal obligations — Legal obligation

We use your data to: • Create and manage your account • Verify and record purchases • Restore access to purchased content across sessions and devices • Respond to your queries or support requests • Improve and maintain the Service We do not sell your personal data to third parties. We do not use your data for automated profiling or decision-making that produces legal or significant effects.

We share data with the following third-party processors, each acting under their own privacy policies: • Clerk — Authentication (clerk.com/privacy) • Stripe — Payment processing (stripe.com/privacy) • Convex — Data storage (convex.dev/privacy) • Google — Maps and navigation (policies.google.com/privacy) • Vercel — Hosting (vercel.com/legal/privacy-policy) • YouTube (Google) — Tutorial videos (policies.google.com/privacy) All third-party processors are required to handle your data in accordance with GDPR.

We retain your data for as long as your account is active. If you delete your account: • Your account data is deleted from Clerk • Your payment records are deleted from Convex • Any data held by Stripe is subject to Stripe's own retention policies (typically required for financial compliance)

Under GDPR, you have the following rights: • Right of access — you can request a copy of the personal data we hold about you • Right to rectification — you can request correction of inaccurate data • Right to erasure — you can request deletion of your data (available directly via your Profile page) • Right to restriction — you can request we limit how we process your data • Right to data portability — you can request your data in a machine-readable format • Right to object — you can object to processing based on legitimate interest • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time To exercise any of these rights, contact us at bryappdev@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with the Data Protection Commission (DPC) at dataprotection.ie if you believe we have not handled your data lawfully.

We implement appropriate technical and organisational measures to protect your personal data, including: • Encrypted data transmission (HTTPS/SSL) • Secure third-party authentication (Clerk) • Payment data handled exclusively by PCI-DSS compliant Stripe • Access controls limiting who can access stored data No method of transmission or storage is 100% secure. If you become aware of any security issue, please notify us immediately.

PassFirst uses cookies and local storage for: • Authentication session management (Clerk) • Storing your preferences (e.g. selected test centre) • Analytics (if enabled) You can manage cookies via your browser settings. Disabling cookies may affect some functionality, including sign-in.

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

Our third-party processors may transfer data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service. The updated policy will be effective from the date posted.

If you have any questions about this Privacy Policy or how we handle your data, please contact: PassFirst Email: bryappdev@gmail.com Website: passfirst.ie