Privacy Policy
Effective date: to be confirmed at launch · Last updated: May 2026
This Privacy Policy describes how Masonic Passport (“we”, “our”, “us”) collects, uses, and shares information about you when you use our service. It applies to anyone who interacts with the Masonic Passport platform — lodge administrators, members, and guests.
If anything in this policy is unclear or you’d like to exercise any of your rights, email us at support@masonicpassport.org.
1. Who we are
Masonic Passport is a meeting management platform built for Masonic lodges and similar membership-based organisations. Lodge administrators use it to manage meetings, invitations, attendance, supper bookings, and dues. Members and guests use it to RSVP, pay for suppers, and receive reminders.
2. What data we collect
2.1 Information you provide directly
- Account information: Name, email address, and (optionally) phone number, when you sign up or accept an invitation
- Lodge information: For administrators — lodge name, address, organisation type, default meeting details, payment methods enabled, and annual dues amounts
- Membership information: Your role within a lodge (member or administrator), your title, and your join date
- Meeting activity: RSVPs you make, guests you invite, supper preferences, and minutes content (administrators only)
- Communications: Messages you send to support and the content of email exchanges with us
- Payment information: We do not collect or store payment card details. All card payments are handled by Stripe (see Section 5). We store the amount, date, lodge, and a reference identifier from Stripe for record-keeping. For cash and bank transfer payments recorded by your administrator, we store the amount and date only
2.2 Information collected automatically
- Usage data: Pages visited, features used, errors encountered — used to improve the service
- Device information: Browser, operating system, screen size, device type — used to serve the right layout
- Approximate location: Inferred from your IP address at city or region level only. Never precise GPS
- Cookies and local storage: To keep you signed in and remember your preferences. See Section 9
2.3 Information from third parties
- Stripe: When you pay by card, Stripe confirms the payment, the amount, the last 4 digits of the card (for receipts), and the country of issue. We never see the full card number
- SendGrid (Twilio): When we send you an email, SendGrid tells us whether it was delivered, bounced, or marked as spam. This helps us protect email reputation so emails actually reach you
3. How we use your data
We use your information to:
- Provide the service: send invitations, process RSVPs, deliver reminders, take supper and dues payments, show your lodge who’s coming
- Authenticate you: send magic-link sign-in emails so you can access your account
- Communicate with you: receipts, reminders, cancellation notices, and account updates
- Improve the service: understand which features are used, fix bugs, plan future improvements
- Comply with legal obligations: tax records, accounting requirements, lawful requests
- Protect users and the service: detect and prevent abuse, fraud, and security incidents
We do not use your data for advertising. We do not sell your data. We never rent or trade your data with anyone.
4. Legal basis for processing
We process your data on these legal bases:
- Contract: To deliver the service you signed up for (e.g. your email to send you a magic link)
- Legitimate interests: To run and improve our business — service improvements, fraud prevention, basic analytics
- Consent: For things like push notifications and optional emails — you can withdraw consent at any time
- Legal obligation: For tax records, accounting, and lawful regulatory or law-enforcement requests
5. Who we share your data with
We use a small number of trusted service providers to operate the platform. Each processes data only on our behalf and only for the contracted purpose. We do not share your data with anyone else for marketing, advertising, or commercial purposes.
| Provider | What they do | Privacy policy |
|---|---|---|
| Stripe | Payment processing | stripe.com/privacy |
| SendGrid (Twilio) | Transactional email delivery | twilio.com/legal/privacy |
| Neon | Hosted PostgreSQL database | neon.tech/privacy-policy |
| Vercel | Web hosting | vercel.com/legal/privacy-policy |
| GoDaddy | Domain registration | godaddy.com/legal/… |
Card data goes directly to Stripe — it never touches our servers. Stripe is PCI DSS Level 1 certified.
We may share data when legally required (court order, regulatory request) or when necessary to protect our legal rights, your safety, or the safety of others. If this happens we’ll let you know unless legally prohibited from doing so.
6. International data transfers
Some of our service providers (Stripe, SendGrid, Vercel, Neon) operate global infrastructure with data centres in the United States and Europe. When your data is transferred internationally, we rely on safeguards such as:
- Standard contractual clauses approved by relevant authorities
- Service-provider certifications under recognised data protection frameworks (e.g. EU-US Data Privacy Framework, ISO 27001)
- Your explicit consent, where required by law
7. How long we keep your data
- Active account data: While your lodge has an active account
- Payment and financial records: At least 7 years, to meet tax and accounting obligations
- Email logs (delivery, bounces): 90 days
- Backups: Up to 30 days after data is deleted
- Inactive accounts: If your lodge stops using Masonic Passport, we retain data for up to 12 months in case you return, then delete it
You can request earlier deletion — see Section 8.
8. Your rights
Depending on where you live, you may have the following rights. To exercise any of these, email support@masonicpassport.org — we aim to respond within 30 days.
- Access: Receive a copy of the data we hold about you
- Correction: Fix incorrect or incomplete data
- Deletion: Ask us to delete your data (we’ll do so unless we have a legal obligation to keep it, e.g. financial records)
- Restriction: Ask us to limit how we use your data
- Portability: Get your data in a machine-readable format you can take elsewhere
- Objection: Object to specific types of processing
- Withdraw consent: At any time, for anything based on consent. The unsubscribe link in our emails works without contacting us
- Complaint: Lodge a complaint with your local privacy regulator (see Section 13)
9. Cookies and local storage
We use:
- Essential cookies: To keep you signed in and to protect against forgery (CSRF). The service does not work without these
- Local storage: To remember preferences (e.g. notification settings, the “Maybe later” dismissal of the install prompt, your last-used filters)
We do not use:
- Advertising cookies
- Tracking pixels for marketing
- Third-party analytics that identify individuals — we use only aggregated server-side measurement
10. Security
We take security seriously:
- All data is transmitted over HTTPS (TLS 1.2+)
- Sign-in uses magic links — there are no passwords for us to lose or for attackers to phish
- Database backups are encrypted at rest
- Access by our service providers is restricted and audited
- We follow industry standards (OWASP Top 10, secure coding practices)
- Stripe handles all payment-card data; we have no access to it
No system is perfectly secure. If we discover a security incident affecting your personal data, we will notify you and the relevant authorities within 72 hours of discovery, in line with applicable privacy laws.
11. Children’s data
Masonic Passport is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the “Last updated” date at the top of this page
- Notify account holders by email if the changes are material (for example, if we add a new third-party processor or expand how we use your data)
- Post the updated version at masonicpassport.org/privacy
Continued use of the service after changes are posted means you accept the updated policy.
13. Contact us
For any privacy questions, requests, or concerns:
Email: support@masonicpassport.org
If you are not satisfied with our response, you can lodge a complaint with:
- Australia: Office of the Australian Information Commissioner — oaic.gov.au
- United Kingdom: Information Commissioner’s Office — ico.org.uk
- European Union: Your country’s data protection authority
- Other jurisdictions: Your local privacy regulator