Privacy Policy

1. Who we are

Re(pass) ("Re(pass)," "we," "us," or "our") is a meal membership service that provides members with personalised daily meal picks at partnered fast-casual restaurants across New York City. Our service is operated from New York, NY.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile application, and related services (collectively, the "Service"). Please read this policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.

If you have questions about anything in this policy, please contact us at repass@repassapp.com.

2. What information we collect

Information you provide directly

• Account information: Your name, email address, and password when you create an account or join our waitlist.
• Dietary profile: Dietary restrictions, food allergies, and preferences you provide so we can personalise your picks (e.g., vegan, gluten-free, halal, nut-free). See Section 5 for how we treat this information.
• Location preferences: Your work neighbourhood or preferred pickup area so we can surface nearby partner restaurants.
• Membership and payment information: Your chosen subscription plan and billing details. Payment card information is processed and stored by our payment processor, Stripe, and is never stored on our servers.
• Notification preferences: The time you want to receive your daily pick notification.
• Communications: Messages you send us via email, our feedback survey, or in-app support.

Information collected automatically

• Usage data: How you interact with the app — screens visited, picks reserved or skipped, swipes used, and time spent in the app.
• Device information: Device type, operating system, and app version, used to ensure the app works correctly on your device.
• Log data: IP address, browser type, and pages visited on our website, collected automatically by our servers.

Information we do not collect

We do not collect your precise GPS location. Neighbourhood-level location is collected only when you provide it manually during onboarding or in settings.

3. How we use your information

We use the information we collect for the following purposes:

• To provide the Service: Processing your membership, sending your daily personalised pick, generating your QR pass for pickup, and tracking swipe usage.
• To personalise your experience: Filtering meal picks to match your dietary profile and neighbourhood so every pick is relevant to you.
• To communicate with you: Sending daily pick notifications, billing receipts, membership updates, and responses to your support requests.
• To improve the Service: Analysing usage patterns in aggregate (never at an individual level that would identify you) to improve the pick algorithm, add partner restaurants, and improve the app.
• To process payments: Billing your chosen plan through Stripe and managing subscription renewals, pauses, and cancellations.
• To comply with legal obligations: Maintaining records required by law and responding to lawful requests from authorities where required.

We do not use your information to serve you targeted advertising, and we do not build advertising profiles.

4. How we share your information

We do not sell your personal information. We share your information only in the following limited circumstances:

• Partner restaurants: When you reserve a daily pick, we share your name and a unique QR code with the relevant partner restaurant for pickup verification. We do not share your dietary profile, email address, or payment information with restaurant partners.
• Service providers: We work with a small number of trusted third-party companies who help us operate the Service. These include Stripe (payment processing), Supabase (database and authentication), and email delivery providers. These companies are contractually prohibited from using your data for any purpose other than providing services to us.
• Legal requirements: We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Re(pass), our users, or the public.
• Business transfers: If Re(pass) is acquired by or merged with another company, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

5. Dietary and health information

Your dietary profile — including allergies, intolerances, and food preferences — may constitute sensitive personal information under applicable privacy laws. We treat this information with heightened care.

• Your dietary profile is used solely to filter and personalise your daily meal picks.
• It is never shared with third parties for marketing, analytics, or any purpose beyond pick personalisation.
• It is never used to make inferences about your health, medical conditions, or any other aspect of your life beyond food preference.
• You can update or delete your dietary profile at any time in your account settings.

6. Cookies and tracking

Our website uses a small number of cookies and similar technologies:

• Essential cookies: Required for the website and app to function. These cannot be disabled.
• Analytics cookies: We use privacy-friendly analytics to understand how visitors use our website in aggregate. We do not use Google Analytics. Analytics data is not linked to individual user profiles.

We do not use advertising cookies, tracking pixels, or third-party retargeting technologies. You can disable non-essential cookies through your browser settings at any time.

7. Data retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

• Active accounts: We retain your data for the duration of your membership.
• Cancelled or deleted accounts: We delete your personal information within 30 days of account deletion, except where we are required to retain it by law (e.g., billing records, which are retained for 7 years for tax compliance).
• Waitlist data: If you joined our waitlist but never activated a membership, we retain your email address until you unsubscribe or request deletion.

Anonymised, aggregated data (e.g., total swipes per restaurant, most popular pick times) that cannot identify you may be retained indefinitely for product improvement purposes.

8. Your rights and choices

Depending on where you are located, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete information.
• Deletion: Request that we delete your personal information. You can initiate account deletion directly in the app under Account → Settings → Delete account.
• Portability: Request that we provide your data in a structured, machine-readable format.
• Opt-out of communications: Unsubscribe from marketing emails at any time using the unsubscribe link in any email we send. Note: transactional emails (receipts, pick notifications) cannot be disabled while your membership is active.
• Withdraw consent: Where we rely on your consent to process information (e.g., dietary profile), you can withdraw consent at any time by deleting that information from your profile.

To exercise any of these rights, contact us at repass@repassapp.com. We will respond within 30 days. We may need to verify your identity before processing certain requests.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what categories of personal information we collect and the right to opt out of the sale of personal information (we do not sell personal information). Contact us to exercise these rights.

9. Children's privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly.

If you believe we may have collected information from a child under 13, please contact us at repass@repassapp.com.

10. Security

We take reasonable technical and organisational measures to protect your personal information against unauthorised access, loss, or misuse. These measures include:

• Encryption of data in transit using TLS (HTTPS).
• Encryption of sensitive data at rest.
• Access controls limiting which team members can access personal data.
• Payment information handled exclusively by Stripe, a PCI-DSS compliant payment processor — we never store card numbers on our servers.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you as required by applicable law.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Send you an email notification if the changes materially affect your rights.
• Where required by law, request your consent to the updated policy.

We encourage you to review this policy periodically. Your continued use of the Service after changes become effective constitutes your acceptance of the updated policy.

12. Contact us

If you have questions, concerns, or requests relating to this Privacy Policy or how we handle your personal information, please contact us: