Privacy Policy

Last updated: 12 June 2026

1. Who we are

Strike Passport (“we”, “us”) operates a platform that lets businesses create, manage, and share structured business profiles and documents. This policy explains what personal data we process, why, and the choices you have.

2. Data we collect

  • Account data: name, email address, and a hashed password when you register.
  • Company data: the business identity and operational information you add to a Passport, and the documents you upload.
  • Usage data: events such as passport views, document downloads, and share link activity. Viewer IP addresses are stored only as truncated one-way hashes used for analytics and abuse prevention.
  • Billing data: subscription status and plan. Card details are collected and stored by Stripe, our payment processor — they never touch our servers.
  • Inbound requests: name, email, and message when someone contacts a company through its passport page or contacts us through the site.

3. How we use data

  • To provide the Service: storing, displaying, and sharing what you choose to share.
  • To operate verification reviews you request.
  • To compute completeness and trust scores for your company.
  • To process subscriptions and prevent fraud and abuse.
  • To provide companies with analytics about views of their own Passport.
  • To comply with legal obligations.

We do not sell personal data. We do not use your documents to train models.

4. Sharing and processors

Documents and profile data are shared only as directed by the company that owns them — via public passport pages and share links the company controls. We use a small set of processors to run the Service: cloud hosting (Vercel), database and file storage (Supabase), payments (Stripe), and transactional email (Resend). Each processes data only to provide its service to us.

5. Retention

Account and company data are retained while the account is active. Deleted documents are removed from all user-facing surfaces immediately; audit history is retained for integrity purposes. After account deletion, we remove personal data within 90 days except where retention is legally required.

6. Security

Documents are stored in private buckets accessible only through short-lived signed URLs. Access is governed by role-based permissions and strict tenant isolation. Passwords are hashed with bcrypt. Transport is encrypted with TLS.

7. Your rights

Depending on your jurisdiction (including under GDPR and similar laws), you may have rights to access, correct, export, restrict, or delete your personal data, and to object to certain processing. To exercise these rights, contact us through the contact page. You may also lodge a complaint with your local data protection authority.

8. International transfers

Our processors may store data in the European Union and the United States. Where data is transferred internationally, we rely on appropriate safeguards such as standard contractual clauses implemented by our processors.

9. Changes

We will post any changes to this policy on this page and, for material changes, notify account holders by email or in-product notice before they take effect.