Privacy Policy

Last updated: 20 February 2026

PassportAlert is an independent third-party tool operated by Scalar Studio. It is not affiliated with, endorsed by, or connected to His Majesty's Passport Office (HMPO) or the UK Government.

1. Who we are

PassportAlert ("the App") is operated by Scalar Studio ("we", "us", "our"). We are the data controller responsible for your personal data.

If you have questions about this policy or your data, contact us at privacy@passportalert.co.uk.

2. What data we collect

Data	Purpose	Legal basis
Email address	Account creation, login, email notifications	Contract / Consent
Password	Authentication (stored as a bcrypt hash — we never see or store your plain-text password)	Contract
Device push token	Sending push notifications to your device	Consent
Notification preferences	Filtering which alerts you receive (offices, dates, service types, quiet hours)	Contract
Notification history	Showing you a log of alerts we sent	Legitimate interest
Purchase records	Verifying your unlock status	Contract

3. What we do not collect

We do not collect your name (it is optional and never required).
We do not collect your location or GPS data.
We do not read your contacts, photos, or files.
We do not track you across other apps or websites.
We do not sell your personal data to anyone.

4. How we use your data

We use your data solely to provide the PassportAlert service:

Authenticate you and maintain your account.
Send you notifications about passport appointment availability based on your chosen preferences.
Process and verify your purchase (one-time unlock).
Maintain a notification history so you can review past alerts.
Monitor service health and fix bugs.

5. Third-party services

We share the minimum data necessary with the following service providers to operate the App:

Service	Purpose	Data shared
Expo (Expo Push Service)	Delivering push notifications	Device push token, notification content
Resend	Delivering email notifications	Email address, message content
RevenueCat	In-app purchase processing	Anonymous user ID, purchase status
Supabase	Database hosting	All account data (encrypted at rest)
Google Play / Apple App Store	App distribution and payment processing	As per their respective privacy policies

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

6. Data retention

Account data: Retained while your account is active. Deleted when you delete your account.
Notification history: Retained for up to 90 days, then automatically purged.
Push tokens: Deleted when you sign out, delete your account, or uninstall the App.

7. Your rights (UK GDPR)

Under UK data protection law, you have the right to:

Access your personal data — request a copy of the data we hold about you.
Rectification — correct inaccurate data (you can update your email in the App).
Erasure — delete your account and all associated data (available in Settings > Delete Account).
Data portability — request your data in a machine-readable format.
Withdraw consent — disable notifications or delete your account at any time.
Lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been mishandled.

To exercise any of these rights, email privacy@passportalert.co.uk. We will respond to all valid requests within 30 days.

8. International data transfers

Some of our third-party service providers (Expo, Resend, RevenueCat) are based in the United States. Where your data is transferred outside the UK, we ensure appropriate safeguards are in place, such as the provider's adherence to standard contractual clauses or equivalent protections recognised under UK data protection law.

9. Cookies and local storage

The App does not use cookies. It uses device-local secure storage (Expo SecureStore) to store your authentication tokens. This data never leaves your device except as part of authenticated API requests. No tracking cookies or advertising identifiers are used.

10. Security

We take reasonable measures to protect your data:

Passwords are hashed with bcrypt and never stored in plain text.
All data in transit is encrypted via HTTPS/TLS.
Database connections are encrypted and access is restricted to our application servers.
Authentication uses short-lived JWT access tokens with refresh token rotation.

11. Children

PassportAlert is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. We will notify you of material changes via the App or email. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact

Scalar Studio
Email: privacy@passportalert.co.uk
Website: passportalert.co.uk