Privacy Policy

Effective Date: 9 April 2026

Version 1.0 — QR Code Distribution Phase

Operated by Bangalore Easycoding LLP

Bangalore Easycoding LLP ("we", "us", "our") operates Passly, a digital loyalty pass platform ("Service") at https://get-passly.com. This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — and other applicable data protection laws. Effective date: 9 April 2026. This policy applies to: (a) Merchants who subscribe to the Passly dashboard, and (b) Customers who sign up for merchant loyalty passes via QR code or link.

1. Data Controller

Bangalore Easycoding LLP, 235 Binnamangala, 2nd Floor, 13th Cross Road, Indira Nagar 2nd Stage, Indiranagar, Bangalore – 560038, Karnataka, India. Email: legal@get-passly.com. Website: https://get-passly.com We are in the process of appointing a formal EU Representative under Article 27 GDPR. Until that appointment is finalised, EU data subjects should direct all enquiries to legal@get-passly.com.

2. Data We Collect

2.1 From Merchants When a merchant registers on Passly, we collect: Full name and email address (for account authentication and communication) Business name, category, and store location(s) Brand assets: logo, header image, brand colours Subscription and billing information (processed via PCI-compliant third-party providers; Passly does not store card details) Campaign configuration: pass names, reward rules, expiry dates, linked terms Activity logs: stamp events, redemption events, dashboard analytics 2.2 From Customers When a Customer scans a QR code and adds a Wallet Pass, we may collect: Email address — optional, only if the customer provides it for reward reminders or updates A pseudonymous customer identifier linked to the Apple Wallet pass Stamp and redemption event timestamps Marketing opt-in status — only where the customer has given explicit consent We do not collect customer names, phone numbers, payment data, or precise location data unless explicitly provided and separately consented to. 2.3 Technical Data We collect standard technical data including IP addresses, browser type, device type, and session logs for security, fraud prevention, and service operation purposes. This data is processed under our legitimate interest (Art. 6(1)(f) GDPR).

3. Legal Basis for Processing

Purpose Data Category Legal Basis (GDPR Art. 6) Merchant account management Name, email, business details Art. 6(1)(b) — Contract performance Customer loyalty pass issuance Pass ID, stamp & redemption data Art. 6(1)(b) — Contract / Art. 6(1)(f) — Legitimate interest Optional marketing messages Email, opt-in status Art. 6(1)(a) — Explicit consent Platform security & fraud prevention IP address, session logs Art. 6(1)(f) — Legitimate interest Legal & tax compliance Transaction records Art. 6(1)(c) — Legal obligation Account deletion requests Identity verification data Art. 6(1)(c) — Legal obligation

4. Data Storage and International Transfers

All personal data is currently stored on AWS infrastructure in Frankfurt, Germany (EU-Central-1 region). As Passly expands its services globally, personal data may in future be hosted across additional AWS regions outside the EEA. We will only transfer personal data outside the EEA where: The destination country has been deemed adequate by the European Commission (Art. 45 GDPR); or Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46 GDPR); or Another lawful transfer mechanism under Chapter V GDPR applies. All third-party processors used by Passly (e.g. email services, analytics) are bound by Data Processing Agreements (DPAs) conforming to GDPR Article 28. We will update this Privacy Policy before any change to hosting arrangements takes effect.

5. Data Retention

Merchant account data: retained for the duration of the subscription plus 6 years for legal and tax compliance obligations. Customer loyalty pass data: retained while the pass is active; pseudonymous event logs retained for up to 2 years after last activity. Marketing opt-in records: retained until consent is withdrawn or the account is deleted. Technical and security logs: retained for up to 12 months. Deleted account data: see Section 7 (Right to Erasure and Account Deletion).

6. Your Rights Under GDPR (Articles 15–22)

Data subjects located in the EU have the following rights, which may be exercised free of charge by contacting legal@get-passly.com: Right of access (Art. 15): Request a copy of all personal data we hold about you. Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data. Right to erasure / 'Right to be Forgotten' (Art. 17): Request deletion of your personal data. See Section 7 for full account deletion procedure. Right to restriction of processing (Art. 18): Request that we limit how we process your data. Right to data portability (Art. 20): Request your data in a structured, machine-readable format (JSON or CSV). Right to object (Art. 21): Object to processing based on legitimate interests, including profiling. Right to withdraw consent (Art. 7(3)): Where processing relies on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing. Right not to be subject to automated decision-making (Art. 22): Passly does not use fully automated decision-making with legal or similarly significant effects. We will respond to all rights requests within 30 days of receipt. Where requests are complex or numerous, we may extend this period by a further 60 days and will notify you. You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

7. Right to Erasure and Account Deletion

You have the right to request the deletion of your account and personal data at any time ('right to be forgotten') under Article 17 GDPR. 7.1 How to Delete Your Account To request account deletion: Merchants: Submit a deletion request by emailing legal@get-passly.com from the registered email address, with subject line: "Account Deletion Request — [your business name]". Customers: If you provided an email address when signing up for a loyalty pass, email legal@get-passly.com with subject line: "Wallet Pass Data Deletion Request". If you did not provide an email, deletion of pseudonymous pass data may be requested via the merchant whose pass you hold. 7.2 What Happens When You Delete Your Account Upon receiving a verified deletion request, we will: Deactivate the account and all associated Pass Campaigns within 5 business days. Permanently delete all personal data attributable to the account within 30 days, subject to the exceptions listed below. Confirm deletion by email once complete. 7.3 Data We May Retain After Deletion Certain data may be retained after an account deletion request where we are legally required or permitted to do so under Article 17(3) GDPR: Transaction and financial records (e.g. subscription invoices) required for tax compliance under applicable Indian and EU law — retained for up to 6 years. Data required to establish, exercise, or defend legal claims — retained for the duration of the relevant limitation period. Anonymised or aggregated analytics data that cannot be linked back to any individual — may be retained indefinitely. We do not retain personal data beyond what is strictly necessary for the above purposes. Any retained data will be stored securely and access restricted to authorised personnel only.

8. Cookies and Tracking

The Passly merchant dashboard uses strictly necessary cookies for session management and authentication. No third-party advertising or tracking cookies are used. If analytics cookies are introduced in a future version, they will be opt-in only and disclosed via an updated cookie notice prior to deployment.

9. Apple Wallet Integration

Passly generates Apple Wallet passes (.pkpass format) on behalf of merchants. Pass files contain the merchant's name, campaign name, and stamp/reward status. Pass updates are delivered via Apple's push notification service (APNs). No additional personal data is shared with Apple beyond what is contained in the pass fields and what Apple's own terms govern for APNs communications.

10. Children's Data

Passly is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data without appropriate consent, we will delete it promptly. If you believe a child's data has been processed unlawfully, please contact legal@get-passly.com.

11. Changes to this Policy

We may update this Privacy Policy from time to time, including to reflect changes to our hosting infrastructure or data transfer arrangements as we expand globally. Merchants will be notified of material changes with at least 14 days' advance notice via email or dashboard notification. The 'Effective Date' at the top of this document reflects the latest revision. Continued use of Passly after the notice period constitutes acceptance of the updated policy.

Bangalore Easycoding LLP · Passly · Version 1.0 · 9 April 2026

legal@get-passly.com · https://get-passly.com · AWS Frankfurt (EU-Central-1)

PASSLY

Merchant Loyalty Pass Program