Marckoy Industries LLC ("we", "us", "our") operates the PassThru platform (passthru.dev). This policy describes how we collect, use, and protect your information.
1. Information We Collect
1.1 Tenant Account Information
When you create a PassThru account, we collect:
- Name (business name)
- Email address (for account communication)
- Google account profile (name, email, profile picture — via Google OIDC sign-in)
1.2 API Key
We generate a unique API key for your account. We store only a SHA-256 hash of this key — we cannot retrieve your raw API key after initial issuance.
1.3 Pass Data
When you create passes through our API, we store pass content (fields, descriptions, colors, barcode data), serial numbers, and pass metadata.
Important: You control what data you include in your passes. We do not require or request end-user personal information. If you include personal data in pass fields, you are the data controller for that information.
1.4 Device Registration Data
When an end-user adds a pass to Apple Wallet, Apple's protocol sends us a device library identifier and a push token. We do not receive the end-user's name, email, phone number, Apple ID, or any other personal information through this process.
1.5 Usage Data
We collect aggregated, non-identifying usage metrics: number of passes created, API call counts, and error rates.
2. How We Use Your Information
We use collected information to:
- Provide and operate the PassThru platform
- Authenticate your account and API access
- Generate, sign, and deliver Apple Wallet passes on your behalf
- Send push notifications to update passes on end-user devices
- Enforce plan limits and usage tracking
- Communicate service updates, security notices, and billing information
We do not sell your data, use it for advertising, share pass data between tenants, or access the content of your passes except as needed to provide the service.
3. Data Storage and Security
All data is stored in Microsoft Azure (East US region):
- Pass and account data: Azure Cosmos DB (encrypted at rest, AES-256)
- Signing certificates: Azure Key Vault (HSM-backed, FIPS 140-2 Level 2)
- All data stores are behind private endpoints with no public internet access
See our Security White Paper for full technical details.
4. Data Sharing
We share data only with the following service providers:
| Third Party | Purpose |
|---|---|
| Microsoft Azure | Backend hosting (Functions, Cosmos DB, Key Vault, API Management) |
| Azure OpenAI | AI-powered analytics & onboarding (your data stays in your Azure tenant region — Microsoft does not retain or use prompts for training) |
| Apple (APNs) | Push notifications to your customers' devices when passes update |
| Stripe | Payment processing (subscriptions). They store cardholder data, not us. |
| Firebase/Google | Authentication for the dashboard |
| Cloudflare | Pages hosting (passthru.dev, app.passthru.dev), DNS, bot protection (Turnstile) |
We do not share, sell, or rent your data to any other parties.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Tenant account data | Until you delete your account |
| Pass data | Until you delete the pass or your account |
| Device registrations | Until the device unregisters or pass is deleted |
| API keys (hashed) | Until rotated or account deleted |
| Usage logs | 90 days |
6. Your Rights
You may at any time access your account data, update your information, delete your passes, rotate your API key, or close your account.
EU Residents (GDPR)
You additionally have the right to data portability, correction, deletion ("right to be forgotten"), objection to processing, and lodging a complaint with your local data protection authority.
California Residents (CCPA)
If applicable, you have the right to know what personal information we collect, request deletion, opt out of sale (we do not sell personal information), and non-discrimination for exercising rights.
7. Data Processing Agreement
For business and enterprise customers requiring a DPA under GDPR, a standard Data Processing Agreement is available upon request. Contact support@passthru.dev.
8. Cookies
The PassThru dashboard uses authentication cookies (session management) and Cloudflare Turnstile cookies (bot detection). We do not use advertising, tracking, or analytics cookies.
9. Children's Privacy
PassThru is a B2B service. We do not knowingly collect information from children under 13.
10. Changes to This Policy
We will notify affected tenants via email before any material changes take effect.
11. Contact
Marckoy Industries LLC
Email: support@passthru.dev
Website: passthru.dev