AwdaPass Privacy Policy
Last updated: 16 July 2026
AwdaPass (“AwdaPass”, “we”, “us”) is a digital loyalty platform operated by Samy Himri, trading as AwdaPass, based in Australia. AwdaPass lets hospitality venues (cafés, bakeries, restaurants — “Venues”) offer digital loyalty cards that their customers can add to Apple Wallet, Google Wallet or Samsung Wallet.
We take privacy seriously. This policy explains what personal information we collect, why, how we protect it, and the choices you have. We comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth), and we design our systems to be compatible with the EU GDPR and the Saudi PDPL.
This policy covers two situations. Section A applies if you visit our website or use AwdaPass as a Venue (owner or staff). Section B applies if you are a customer of a Venue and hold one of its loyalty cards. Section B data is processed by AwdaPass on behalf of the Venue: the Venue decides how its loyalty program works, and we provide the technology.
Section A — Website visitors and Venue accounts
What we collect. When you create a Venue account: your name, email address, business name, and a password (stored only in encrypted, hashed form). When you set up your loyalty card: your logo, brand colours and program settings. When you add staff members: their name, email and role. When paid subscriptions apply: billing details, which are collected and processed by our payment provider Stripe — we never see or store full card numbers. From website visits: standard technical logs (IP address, browser type, pages viewed) used for security and to keep the service running.
Why. To provide and operate your AwdaPass account; to support you; to bill you where a paid plan applies; to secure the platform (fraud prevention, audit logs); and to send you service messages about your account. We only send marketing about AwdaPass itself with your consent, and you can opt out at any time.
Section B — Customers of Venues (loyalty card holders)
What we collect. When you join a Venue's loyalty program, we collect the minimum needed to run your card: your first name; a verified contact (email address, or mobile number where SMS verification is offered); your birthday only if you choose to provide it; and your consent record (what you agreed to, and when). As you use your card, we record your loyalty activity: stamps or points earned and redeemed, the time and venue of each scan, and rewards received. To keep your pass working, we store a unique card identifier and the technical registration tokens that Apple, Google or Samsung use to update the pass on your device. We do not collect your precise location: if your pass appears on your lock screen near a venue, that logic runs entirely on your phone.
Why. To create and update your loyalty card; to credit your stamps or points when the Venue scans your card; to deliver the rewards and offers of the Venue's program; to send loyalty notifications to your pass on behalf of the Venue (for example, a reminder that a reward is waiting); to prevent fraud (one verified contact = one card per program, scan audit trail); and to comply with our legal obligations.
Who is responsible. The Venue you joined is responsible for its loyalty program and for the messages it sends you. AwdaPass processes your information on the Venue's behalf and never sells it, never uses it to advertise other businesses to you, and never shares it with other Venues. If you have a question about a specific program or want to stop receiving its messages, you can contact the Venue directly, remove the pass from your wallet, or contact us — we will help either way.
Sharing and overseas disclosure
We share personal information only with the service providers that make AwdaPass work, under contracts that restrict what they may do with it:
| Provider | Purpose | Location of data |
|---|---|---|
| Supabase | Database and authentication | Australia (Sydney) |
| Vercel | Website hosting | United States (global network) |
| Railway | Pass-generation service | United States |
| Apple, Google, Samsung | Wallet passes and pass updates on your device | United States / global |
| Twilio | SMS verification codes (where offered) | United States |
| Stripe | Subscription payments (Venues only) | United States |
| Google Workspace | Support email | United States / global |
Your core loyalty data is stored in Australia. Some providers above process limited data in the United States or on global infrastructure; where that happens, we take reasonable steps to ensure your information is handled consistently with the Australian Privacy Principles. We do not sell personal information to anyone. We may disclose information if required by law, or to protect the safety and rights of our users.
Security
Every Venue's data is isolated at the database level (row-level security), so one Venue can never access another Venue's customers. All data is encrypted in transit. Loyalty card QR codes contain signed, non-guessable tokens — never raw identifiers. Every scan is logged with a timestamp and the staff account that performed it. Access to production systems is limited and secrets are stored in secure vaults. No system is perfectly secure, but if a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme.
Retention and deletion
We keep personal information while your account or loyalty card is active, and for a reasonable period afterwards to meet legal, accounting and fraud-prevention obligations, after which it is deleted or de-identified. If you remove a pass from your wallet, we stop sending updates to that device. You can request deletion of your data at any time (see below); Venues can request deletion of their entire account and customer base.
Your rights
You may ask us at any time to access the personal information we hold about you, correct it if it is inaccurate, delete it, or provide it to you in a portable format. Contact us at support@awdapass.com — we respond within 30 days and the service is free. If you are a customer of a Venue, we may coordinate with that Venue to fulfil your request. We will verify your identity before acting on any request.
Cookies
Our website uses only essential cookies, needed to keep you signed in, remember your language, and protect against attacks. We do not use advertising cookies or third-party ad trackers.
Children
AwdaPass is not directed at children. Venue accounts are for businesses. If you are under 15, please ask a parent or guardian before joining a loyalty program. If we learn that we hold a child's information collected without appropriate consent, we will delete it.
Complaints
If you believe we have mishandled your personal information, contact us at support@awdapass.com and we will investigate and respond within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.
Changes to this policy
We may update this policy as our service evolves. The “Last updated” date at the top always reflects the current version, and we will notify Venues of any significant change.
Contact
AwdaPass — operated by Samy Himri, trading as AwdaPass
Email: support@awdapass.com
Website: awdapass.com