Privacy Policy

1. Introduction

SelamPass("we," "us," or "our") operates selampass.com and related services (collectively, the "Platform"). SelamPassis an event marketplace that connects attendees with Ethiopian community event organizers in the Washington DC, Maryland, and Virginia ("DMV") area.

This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you access or use our Platform. By using SelamPass, you agree to the practices described in this policy. If you do not agree, please do not use the Platform.

We are committed to transparency and to safeguarding the privacy of the Ethiopian diaspora community we serve.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use the Platform, you may provide:

• Full name
• Email address
• Phone number
• Age range
• Gender
• Neighborhood or general location within the DMV area
• Interests and preferences related to events and experiences
• Reviews, ratings, and comments you submit
• Any other information you voluntarily provide through forms, support requests, or communications with us

2.2 Information Collected Automatically

When you access the Platform, we automatically collect:

• Device and Browser Information: device type, operating system, browser type and version, screen resolution, and language preferences
• Usage Data: pages visited, features used, search queries, click patterns, time spent on pages, and referring URLs
• Booking History: events booked, booking dates, ticket types, and transaction amounts
• IP Address: used for approximate geolocation (city/region level), security, and fraud prevention
• Cookies and Local Storage: session tokens and UI preferences (see Section 7 below)

2.3 Information from Partners and Third Parties

Event organizers ("Partners") who list events onSelamPass may share information with us related to event attendance, ticket validation, and booking fulfillment. We may also receive information from authentication services if you choose to sign up or log in through a third-party provider in the future.

3. How We Use Your Information

We use the information we collect to:

• Create and manage your account and authenticate your identity
• Process bookings, generate digital QR-code tickets, and facilitate event attendance
• Personalize your experience by recommending events based on your interests, location, and booking history
• Communicate with you about bookings, account updates, and Platform changes
• Send promotional communications about upcoming events and features (you may opt out at any time)
• Provide customer support and respond to your inquiries
• Improve, maintain, and optimize the Platform through analytics and usage patterns
• Detect, prevent, and address fraud, abuse, security incidents, and technical issues
• Comply with legal obligations and enforce our Terms of Service
• Generate aggregate, de-identified analytics to help Partners understand event interest and attendance trends

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

4.1 With Event Partners

When you book an event, we share your name, email address, and booking details with the event organizer so they can fulfill your reservation, validate your ticket, and provide the experience you purchased. Partners are contractually required to use this information only for booking-related purposes.

4.2 With Service Providers

We work with trusted third-party service providers who assist us in operating the Platform:

• Supabase Inc. — database hosting and backend infrastructure (PostgreSQL)
• Vercel Inc. — web hosting and content delivery
• Stripe Inc.— payment processing (when available). Stripe's handling of payment data is governed by Stripe's own privacy policy.

These providers access your data only to perform services on our behalf and are obligated to protect it.

4.3 For Legal Reasons

We may disclose your information if required to do so by law or if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation, subpoena, or court order; (b) protect and defend the rights or property of SelamPass; (c) prevent or investigate possible wrongdoing in connection with the Platform; or (d) protect the personal safety of users or the public.

4.4 Business Transfers

If SelamPass is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Platform before your information is transferred and becomes subject to a different privacy policy.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our services. Specifically:

• Account Data: retained for the duration of your account plus 30 days after deletion request to allow for recovery if needed
• Booking and Transaction Records: retained for 3 years after the event date for tax, accounting, and dispute resolution purposes
• Reviews and User Content: retained until you delete them or request deletion, or until your account is terminated
• Usage and Analytics Data: retained in aggregate, de-identified form indefinitely for product improvement
• Server Logs: retained for up to 90 days for security and debugging purposes

When we no longer need your personal information, we securely delete or de-identify it.

6. Your Privacy Rights

As a Virginia-based company, we honor the rights provided under the Virginia Consumer Data Protection Act (VCDPA) and extend similar rights to all our users regardless of location. You have the right to:

• Access: request a copy of the personal information we hold about you
• Correction: request that we correct inaccurate or incomplete personal information
• Deletion: request that we delete your personal information, subject to certain legal exceptions (e.g., information needed for legal compliance or to complete a transaction)
• Data Portability: request a copy of your personal data in a commonly used, machine-readable format
• Opt-Out of Targeted Advertising: opt out of the processing of your personal data for purposes of targeted advertising. Note that SelamPass does not currently engage in targeted advertising.
• Opt-Out of Profiling: opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. SelamPass does not currently engage in such profiling.
• Non-Discrimination: exercise any of the above rights without receiving discriminatory treatment

7. How to Exercise Your Rights

To exercise any of the rights described above, please contact us at support@selampass.com with the subject line "Privacy Rights Request."

We will verify your identity before processing your request. You may be asked to confirm your email address and provide identifying details that match the information in your account.

We will respond to your request within 45 days of receipt. If we need additional time (up to an additional 45 days), we will notify you of the extension and the reason.

If we decline your request, you may appeal our decision by emailing support@selampass.com with the subject line "Privacy Rights Appeal." We will respond to your appeal within 60 days.

8. Cookies and Tracking Technologies

SelamPass uses the following technologies:

8.1 Authentication Cookie

We set a single HTTP cookie named sp_token to authenticate your session. This cookie:

• Contains a JSON Web Token (JWT) for session verification
• Is configured as HttpOnly (inaccessible to client-side JavaScript), Secure (transmitted only over HTTPS), and SameSite=Strict (sent only to our domain)
• Expires after 3 days, requiring re-authentication
• Is essential for Platform operation and cannot be disabled while using authenticated features

8.2 Local Storage

We use browser localStorage to store UI state under the keys user and partner. This data remains on your device, is not transmitted to our servers, and is used solely to maintain your interface preferences and avoid redundant API calls. You can clear this data at any time through your browser settings.

8.3 Analytics

We may use privacy-respecting analytics tools to understand how visitors interact with the Platform. We do not use invasive third-party tracking pixels, social media trackers, or cross-site advertising cookies.

9. Security Measures

We implement industry-standard technical and organizational measures to protect your personal information, including:

• Password Hashing: all passwords are hashed using bcrypt with a cost factor of 12 rounds before storage. We never store plaintext passwords.
• Encryption in Transit: all data transmitted between your browser and our servers is encrypted using HTTPS/TLS
• Secure Authentication: session tokens are stored in HttpOnly, Secure, SameSite=Strict cookies to prevent cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks
• Rate Limiting: API endpoints are rate-limited to prevent brute-force attacks and abuse
• Input Sanitization: all user inputs are validated and sanitized to prevent SQL injection, XSS, and other injection attacks
• Access Controls: access to personal data is restricted to authorized personnel and systems on a need-to-know basis
• Infrastructure Security: our database is hosted on Supabase with encryption at rest, and our application is deployed on Vercel with enterprise-grade security

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

10. Children's Privacy

SelamPass is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected personal information from a person under 18, we will take steps to delete that information as soon as possible.

If you are a parent or guardian and believe your child has provided personal information to SelamPass, please contact us at support@selampass.com so we can take appropriate action.

11. Third-Party Links

The Platform may contain links to third-party websites, services, or applications that are not operated by SelamPass. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this policy
• Post a notice on the Platform or send you an email notification if the changes are significant
• Obtain your consent where required by applicable law

Your continued use of the Platform after any changes to this Privacy Policy constitutes your acceptance of the updated terms.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: