Privacy & GDPR

What we collect

Marbs is designed to work without personal data by default. A guest who scans a QR code and adds a wallet pass is enrolled using an anonymous identifier tied to their device wallet account. No name, email address, or phone number is required to join.

If a venue owner or guest voluntarily provides contact details (for example, when messaging us on WhatsApp or during a guided setup call), we store only what is necessary to provide the service and respond to enquiries.

We collect standard server logs (IP address, request timestamps, user-agent strings) for security monitoring, retained only as long as needed for that purpose.

How we use it

Data collected is used solely to operate the Marbs loyalty platform: issuing and updating wallet passes, processing point transactions, sending wallet push notifications that venue owners have authorised, and providing venue owners with aggregated guest intelligence (visit frequency, tier distribution, redemption rates). We do not use your data for advertising. We do not sell it. We do not share it with third parties except the infrastructure providers required to run the service (Amazon Web Services for hosting, Supabase for the database, and our wallet-pass provider with Apple and Google for pass delivery).

GDPR and your rights

If you are based in the European Economic Area, you have the right to access, correct, or erase the data we hold about you; the right to restrict or object to processing; and the right to data portability. Because most passes use anonymous identifiers, exercising these rights may require you to provide enough information for us to locate your record (for example, the venue name and approximate date of enrolment).

To make a request, email hello@marbs.club with the subject line "GDPR Request". We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority in your country of residence.

Cookies and tracking

We set a small number of strictly functional cookies. None of them are used for analytics, advertising, or cross-site tracking, and we do not run any third-party analytics scripts or advertising pixels.

marbs_lang (marketing site) -- remembers your language preference. Contains no personal data.

Sign-in session cookie (venue staff and owners) -- set by our authentication layer (better-auth) when a venue owner or cashier signs in to the management dashboard. It is strictly necessary to maintain the authenticated session and expires when you sign out or the session lapses. It contains no tracking data.

marbs_member (guest identity, HttpOnly) -- set when a guest scans their wallet pass and accesses social features of the platform. It establishes an anonymous device identity so that features such as gifting and the leaderboard work correctly within a session. It is HttpOnly (not accessible to JavaScript), contains no name, email address, or advertising identifiers, and is not used for any tracking purpose beyond maintaining that anonymous identity.

Where your data is stored

All data is stored in the European Union. Our production database runs on Supabase in Frankfurt, Germany (AWS eu-central-1), and our application servers run in an EU AWS region. We do not store personal data outside the EEA as a matter of course.

Wallet pass delivery involves Apple and Google as data processors (they receive the pass payload to display in Apple Wallet or Google Wallet). Where this involves a transfer of data outside the EEA, it is done under appropriate safeguards, including standard contractual clauses, as required by GDPR Chapter V.

Changes to this policy

We may update this privacy policy from time to time. When we do, we will revise the "Last updated" date shown at the top of this page. Material changes will be highlighted so they are easy to spot. Continued use of the platform after a change is posted means you have seen the updated policy. If you have questions about any change, email hello@marbs.club.

Contact

For any privacy question, data request, or concern, contact us at hello@marbs.club. We aim to respond within two business days.