passdeck passdeck Back to home
DE EN
Privacy

Privacy Policy

Last updated: July 2026

This privacy policy applies to the Passdeck app (iOS), the website passdeck.app, and the web-card service at passdeck.me. Passdeck is a product of Altinum Technologies e.U. The applicable law is the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).


1Controller

The controller under the GDPR is:

Altinum Technologies® e.U.
Alexander Fuchs, MSc
Dorf 12a, 6352 Ellmau, Austria

Email: contact@altinum.tech
Phone: +43 5358 43990
Commercial register: FN 370339 t, Landesgericht Innsbruck
VAT ID: ATU65278512

2Our principle

Passdeck is built privacy-first. No account, no sign-up, no tracking, no ads. The passes you create live on your device and are backed up to your personal iCloud, which we cannot access. On our servers we store only what you actively choose to share (a web card), and even that only for a limited time and deletable by you at any moment.

3Using the app

No sign-up is required to use the app. The details you enter for your pass (for example name, title, company, and contact details) are stored on your device.

Backup in your iCloud. So that your cards survive a lost phone or an accidental app deletion, the app additionally backs them up to the key-value storage of your personal iCloud (Apple iCloud Key-Value Storage). This backup lives exclusively in your Apple account; neither we nor any third party can access it. Apple is your provider for iCloud storage (Apple Media & iCloud terms). If you use "Delete all my data", this backup is removed as well. Legal basis: Art. 6(1)(b) GDPR (providing the backup and restore function).

Pass creation (signing). To produce the signed Wallet file (.pkpass), the pass data you enter is sent to our signing service, processed there to build the pass, and not stored afterwards. The service is stateless. Legal basis: Art. 6(1)(b) GDPR (providing the function you requested).

Abuse protection (Apple App Attest). So that our signing service is only used by the genuine, unmodified app, we use Apple App Attest. This verifies a device-bound attestation token issued by Apple. It contains nothing that identifies you to us. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protection against abuse and in rate limiting).

Device identity (ownerKey). To manage and delete shared web cards without an account, the app generates a random key stored locally in your Apple device's iCloud Keychain. Our servers permanently store only a cryptographic hash of this key — never the key itself and no information about you as a person. When restoring or deleting your shared cards, the app proves ownership with the key; the transmission is encrypted.

4In-app purchase (Passdeck Premium)

The one-time Premium purchase is handled by Apple (StoreKit / App Store). The payment and its payment data are processed by Apple, not us. We only receive a cryptographically signed proof of purchase to confirm the unlock. No credit-card or payment data is transmitted to us. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

5Shared web cards (passdeck.me)

Only if you actively share a card as a web link are its contents stored on our server, so that recipients can open it at passdeck.me/c/…

Legal basis: Art. 6(1)(a) GDPR (consent). You actively confirm sharing before the first upload and can withdraw it at any time by deleting the card.

6Hosting and server logs

The signing service, the web-card service, and the website are operated at Host Europe GmbH, Hansestraße 111, 51149 Köln, Germany. The servers are located in the European Union. A data-processing agreement under Art. 28 GDPR is in place with the host.

When our servers are accessed, server logs are generated for technical reasons (e.g. IP address, timestamp, requested resource) for security, abuse prevention, and error diagnosis. They are deleted after at most 14 days as a rule, unless a specific security incident requires longer retention. Legal basis: Art. 6(1)(f) GDPR.

7Error monitoring

To keep the services stable, we collect technical error reports via a monitoring instance we run ourselves (GlitchTip, no third-party service). The app also transmits an error report (error message, device model, iOS and app version) to this instance when a technical error occurs. No pass contents, no contact details, and no user identifiers are transmitted. Error reports are deleted automatically after 90 days at the latest. Legal basis: Art. 6(1)(f) GDPR.

8Websites (passdeck.app and passdeck.me)

When our web pages are accessed, the server logs described in section 6 are generated. We set no cookies and use no tracking or analytics tools and no ad networks — including on the shared card pages. Fonts are served locally; no external font services are embedded. Because no cookies are set at all, no cookie consent is required under section 165(3) of the Austrian Telecommunications Act (TKG 2021).

9Disclosure to third parties

We do not sell data and do not pass it on for advertising. Data is only transmitted to:

10Processing outside the EU

We ourselves do not transfer any data to the USA or other third countries. All services we operate (signing, web cards, website) run at our host within the EU. We use no US analytics, cloud, or advertising services.

The only point of contact with a US company arises from using the Apple ecosystem itself, which underlies every iPhone app: App Store, in-app purchase, iCloud Keychain, and App Attest. Where Apple processes personal data in this context, in particular when handling the in-app purchase payment, this may also take place in the USA. Apple acts as an independent controller and bases transfers to the USA on its certification under the EU-US Data Privacy Framework and on the EU Standard Contractual Clauses. The key stored in the iCloud Keychain is additionally end-to-end encrypted; Apple cannot read it. We ourselves transmit no payment or profile data to Apple.

11No automated decision-making

No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place.

12Your rights

Under the GDPR you have the rights to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). You can withdraw any consent you have given at any time with effect for the future.

Providing your data is neither legally nor contractually required. Without the pass details (at least the name), however, no pass can be created, and without actively sharing, no web card is published.

Because we keep no accounts and do not know you as a person, you can remove your shared web cards directly in the app via “Delete all my data”. For any other request, reach us at contact@altinum.tech.

You also have the right to lodge a complaint with a supervisory authority, in Austria the Data Protection Authority (dsb.gv.at).

13External destinations of your QR code

If you point your QR code at an external destination (for example your LinkedIn profile or a custom URL), that destination's own privacy terms apply. The destination may analyse visits on its own. We have no influence over this.

14Contact

For privacy questions, reach us at:
Altinum Technologies e.U.
contact@altinum.tech · +43 5358 43990