← Back to PassportAlert

Privacy Policy

Last updated: 20 February 2026

PassportAlert is an independent third-party tool operated by Scalar Studio. It is not affiliated with, endorsed by, or connected to His Majesty's Passport Office (HMPO) or the UK Government.

1. Who we are

PassportAlert ("the App") is operated by Scalar Studio ("we", "us", "our"). We are the data controller responsible for your personal data.

If you have questions about this policy or your data, contact us at privacy@passportalert.co.uk.

2. What data we collect

DataPurposeLegal basis
Email addressAccount creation, login, email notificationsContract / Consent
PasswordAuthentication (stored as a bcrypt hash — we never see or store your plain-text password)Contract
Device push tokenSending push notifications to your deviceConsent
Notification preferencesFiltering which alerts you receive (offices, dates, service types, quiet hours)Contract
Notification historyShowing you a log of alerts we sentLegitimate interest
Purchase recordsVerifying your unlock statusContract

3. What we do not collect

  • We do not collect your name (it is optional and never required).
  • We do not collect your location or GPS data.
  • We do not read your contacts, photos, or files.
  • We do not track you across other apps or websites.
  • We do not sell your personal data to anyone.

4. How we use your data

We use your data solely to provide the PassportAlert service:

  • Authenticate you and maintain your account.
  • Send you notifications about passport appointment availability based on your chosen preferences.
  • Process and verify your purchase (one-time unlock).
  • Maintain a notification history so you can review past alerts.
  • Monitor service health and fix bugs.

5. Third-party services

We share the minimum data necessary with the following service providers to operate the App:

ServicePurposeData shared
Expo (Expo Push Service)Delivering push notificationsDevice push token, notification content
ResendDelivering email notificationsEmail address, message content
RevenueCatIn-app purchase processingAnonymous user ID, purchase status
StripeWeb payment processingEmail address, payment details
SupabaseDatabase hostingAll account data (encrypted at rest)
Google Play / Apple App StoreApp distribution and payment processingAs per their respective privacy policies

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

6. Data retention

  • Account data: Retained while your account is active. Deleted when you delete your account.
  • Notification history: Retained for up to 90 days, then automatically purged.
  • Push tokens: Deleted when you sign out, delete your account, or uninstall the App.

7. Your rights (UK GDPR)

Under UK data protection law, you have the right to:

  • Access your personal data — request a copy of the data we hold about you.
  • Rectification — correct inaccurate data (you can update your email in the App).
  • Erasure — delete your account and all associated data (available in Settings > Delete Account).
  • Data portability — request your data in a machine-readable format.
  • Withdraw consent — disable notifications or delete your account at any time.
  • Lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been mishandled.

To exercise any of these rights, email privacy@passportalert.co.uk. We will respond to all valid requests within 30 days.

8. International data transfers

Some of our third-party service providers (Expo, Resend, RevenueCat) are based in the United States. Where your data is transferred outside the UK, we ensure appropriate safeguards are in place, such as the provider's adherence to standard contractual clauses or equivalent protections recognised under UK data protection law.

9. Cookies and local storage

The web app uses httpOnly cookies solely for authentication (session tokens). No tracking cookies or advertising identifiers are used. The mobile app uses device-local secure storage (Expo SecureStore) to store authentication tokens.

10. Security

We take reasonable measures to protect your data:

  • Passwords are hashed with bcrypt and never stored in plain text.
  • All data in transit is encrypted via HTTPS/TLS.
  • Database connections are encrypted and access is restricted to our application servers.
  • Authentication uses short-lived JWT access tokens with refresh token rotation.

11. Children

PassportAlert is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. We will notify you of material changes via the App or email. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact

Scalar Studio
Email: privacy@passportalert.co.uk
Website: www.passportalert.co.uk