Privacy Policy
Effective Date: June 16, 2026 Last Updated: June 16, 2026
ScoopPass ("we," "us," or "our"), operated by RonDaVu Bakery LLC, respects your privacy. This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to the ScoopPass platform at scooppass.netlify.app and any associated services.
1. What We Collect
From Vendors
When you create a vendor account, we collect:
- Business name, contact email, phone number
- Login email and an encrypted password (we never see your plain-text password)
- Business logo, brand color, welcome message (if uploaded)
- Stripe Connect account ID (for payouts) — Stripe stores your full banking and identity information; we do not
- Event details, menu items, prices, and order history you create
From Parents and Guests
When you place an order, we collect:
- Your name and email address
- Your child's or recipient's name (for school events)
- Menu items selected and total amount paid
- Payment information — entered directly with Stripe; we receive only a transaction ID, the last four digits of the card, and the card brand
- Email opt-in preference
Automatically
When you use the Service, we may collect:
- Browser type, device type, and operating system
- IP address (used for rate-limiting and basic fraud prevention)
- Pages viewed and actions taken on the platform
- Cookies and similar tracking (see Section 6)
2. How We Use Information
We use the information we collect to:
- Process orders and route payments through Stripe
- Send order confirmations and event reminders to parents
- Provide vendor dashboards, reporting, and customer support
- Authenticate vendor logins and protect against unauthorized access
- Send platform updates, security notices, and (if you opt in) newsletters
- Improve the Service, troubleshoot bugs, and analyze usage patterns
- Comply with legal obligations (tax reporting, lawful requests, etc.)
We do not sell or rent personal information to advertisers or third-party marketers.
3. Children's Information
ScoopPass is used by parents to purchase items for their children, including at school events. We collect a child's name — provided by the parent — solely to coordinate order pickup with the vendor at the event.
- We do not knowingly create accounts for children under 13.
- We do not market to children.
- A parent may request deletion of their child's information at any time by emailing us (see Section 10).
4. Who We Share Information With
We share information only with parties necessary to operate the Service:
| Recipient | What They Receive | Why |
|---|---|---|
| Vendor (the business hosting the event) | Parent name, email, student name, order details | So the vendor can prepare and deliver the order |
| Stripe, Inc. | Payment details, name, email, billing address | To process the payment |
| Supabase, Inc. (our database host) | All account and order data | To store the data securely |
| Netlify, Inc. (our hosting provider) | Server logs, IP addresses | To serve the website |
| Resend / SendGrid (transactional email — when enabled) | Email addresses, order confirmations | To deliver email |
| Legal authorities | Information lawfully requested | To comply with subpoenas, court orders, or applicable law |
We may also share aggregated, de-identified statistics (e.g., "ScoopPass served 12,000 orders this year") publicly. This data cannot be used to identify any individual.
5. How We Protect Information
- All traffic to and from the Service is encrypted in transit (TLS / HTTPS).
- Passwords are hashed with industry-standard algorithms (handled by Supabase Auth).
- Payment data is tokenized and stored by Stripe (PCI-DSS Level 1 compliant); we never store full card numbers.
- Database access is restricted by row-level security policies that prevent vendors from viewing other vendors' data.
No system is 100% secure. In the unlikely event of a breach affecting your personal information, we will notify you and applicable regulators as required by law.
6. Cookies
ScoopPass uses a small number of cookies and similar technologies:
- Authentication cookies to keep vendors logged in
- Session cookies to remember items in your order during checkout
- Stripe uses its own cookies to detect fraud during payment
We do not use third-party advertising cookies, retargeting pixels, or social media trackers.
7. Your Rights and Choices
Depending on where you live, you may have the right to:
- Access the personal information we hold about you
- Correct information that is inaccurate
- Delete your information (subject to legal recordkeeping requirements)
- Export your information in a portable format
- Opt out of marketing emails at any time (unsubscribe link in every email)
- Withdraw consent for processing where we relied on consent
To exercise any of these rights, email us (see Section 10). We will respond within 30 days.
California Residents (CCPA)
California residents have the rights above and the right not to be discriminated against for exercising them. We do not "sell" personal information as defined under CCPA.
EU / UK Residents (GDPR)
If you are in the EU or UK, our legal basis for processing your information is one of: performance of a contract (orders), legitimate interest (fraud prevention, platform analytics), legal obligation (tax records), or consent (marketing emails).
8. Data Retention
We retain personal information only as long as we need it:
- Vendor account data: until you close your account, then 30 days for backups
- Order data: 7 years (required for tax recordkeeping)
- Server logs: 90 days
- Marketing email lists: until you unsubscribe
9. International Transfers
ScoopPass is operated from the United States, and our service providers (Supabase, Stripe, Netlify) primarily store data in the U.S. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S.
10. Contact and Requests
For privacy questions, data requests, or to exercise your rights:
RonDaVu Bakery LLC North Prairie, Wisconsin Privacy contact email: rondavubakery@gmail.com (dedicated address forthcoming)
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced on the Service and via email at least 30 days before taking effect.