Privacy Policy
At Mepass, we believe transparency is non-negotiable. This policy explains what data we collect, why we collect it, and exactly how it is used across all our platforms.
Effective Date: 1 May 2026
1. Overview
This Privacy Policy applies to all products and services operated by Mepass ("Mepass", "we", "our", or "us"), including:
- Mepass Website — mepass.in and all subdomains
- Mepass Mobile App — iOS and Android applications
- Event Ticketing Platform — ticket discovery, purchase, and management
- Event Manager SaaS — tools for organisers to manage events and attendees
- Brand Activation & Sponsorship Platform — tools for brands and sponsors
- Creator Campaign Platform — influencer and creator collaboration tools
By using any Mepass platform, you agree to the practices described in this Privacy Policy.
2. Who We Are
Mepass is the data controller responsible for your personal information. We are registered in India and operate as India's ticketing marketplace, event SaaS provider, and brand activation platform for the live events industry.
DATA CONTROLLER
For users in the European Union or EEA, Mepass acts as the data controller under the General Data Protection Regulation (GDPR). For users in India, we comply with the Information Technology Act, 2000, its rules, and the Digital Personal Data Protection Act, 2023 (DPDP Act).
3. Data We Collect
We collect only what is necessary to provide our services. Here is a complete breakdown by category:
A. INFORMATION YOU PROVIDE DIRECTLY
| DATA TYPE | EXAMPLES | WHEN COLLECTED |
|---|---|---|
| Identity | Full name, date of birth, gender | Registration, ticket purchase |
| Contact | Email address, phone number | Account creation, checkout |
| Payment | Card details (tokenised), UPI ID, billing address | Ticket or service purchase |
| Profile | Profile photo, preferences, event interests | Account settings |
| Business Info | Company name, GST number, event details | Organiser / brand onboarding |
| Creator Info | Social handles, audience metrics, content samples | Creator platform onboarding |
| Communications | Support messages, feedback, survey responses | Customer support interactions |
B. INFORMATION COLLECTED AUTOMATICALLY
| DATA TYPE | DETAILS |
|---|---|
| Device Data | Device type, OS, browser, screen resolution, unique device identifiers |
| Usage Data | Pages visited, features used, time on page, click paths, session duration |
| Location Data | City/region-level location (derived from IP); precise GPS only with explicit consent |
| Transaction Data | Tickets purchased, events attended, promo codes used, referral sources |
| Log Data | IP address, timestamps, error logs, access records |
C. INFORMATION FROM THIRD PARTIES
- Social login providers (Google, Facebook) — name, email, profile photo
- Payment processors — transaction status and reference IDs (not full card numbers)
- Event organisers — attendee data shared for event management purposes
- Analytics partners — aggregated audience and behaviour data
4. How We Use Your Data
We use your personal data only for legitimate purposes with an appropriate legal basis under applicable law.
| PURPOSE | LEGAL BASIS (GDPR) | LEGAL BASIS (DPDP) |
|---|---|---|
| Create and manage your account | Contract | Consent / Contract |
| Process ticket purchases and payments | Contract | Contract |
| Send booking confirmations and e-tickets | Contract | Contract |
| Provide event organiser SaaS tools | Contract | Contract |
| Enable brand/sponsorship activations | Contract / Legitimate Interest | Consent |
| Creator campaign tracking and payouts | Contract | Consent |
| Send marketing communications | Consent | Consent |
| Personalise your event recommendations | Legitimate Interest | Consent |
| Fraud prevention and security | Legitimate Interest | Legitimate Use |
| Comply with legal obligations | Legal Obligation | Legal Obligation |
| Improve platform and services | Legitimate Interest | Legitimate Use |
| Resolve disputes and enforce terms | Legal Obligation | Legal Obligation |
We never sell your personal data to third parties.
5. Data Sharing
We share your data only in the following circumstances:
SERVICE PROVIDERS & PARTNERS
- Payment Gateways — Razorpay, Stripe, or similar processors to handle transactions securely
- Cloud Infrastructure — Hosting and storage providers (data stored in India or GDPR-compliant regions)
- Communication Tools — Email and SMS providers for transactional and marketing messages
- Analytics Platforms — Aggregated, anonymised usage data for platform improvement
- Event Organisers — Attendee name and contact details shared for event check-in and management only
- Brand Partners (with consent) — Sponsor visibility data shared in aggregated, non-identifiable form
LEGAL REQUIREMENTS
We may disclose your data if required by law, court order, or government authority, or if necessary to protect the rights, property, or safety of Mepass, our users, or the public.
BUSINESS TRANSFERS
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. You will be notified in advance of any such transfer and your choices will be respected.
6. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy, or as required by applicable law.
| DATA CATEGORY | DETAILS |
|---|---|
| Account data | Duration of account + 2 years after deletion request |
| Transaction records | 7 years (GST and financial compliance) |
| Event attendance data | 3 years from event date |
| Marketing preferences | Until opt-out or account deletion |
| Creator campaign data | Duration of campaign + 1 year |
| Support communications | 3 years from last interaction |
| Log and security data | 12 months rolling |
After the retention period expires, data is securely deleted or anonymised so it can no longer be linked to you.
7. Your Rights
Depending on your location, you have the following rights over your personal data. We honor all valid requests within 30 days.
✦ ACCESS
Request a copy of all personal data we hold about you.
✦ CORRECTION
Request correction of inaccurate or incomplete data.
✦ DELETION
Request deletion of your personal data ("Right to be Forgotten"). Subject to legal retention obligations.
✦ PORTABILITY
Receive your data in a structured, machine-readable format.
✦ WITHDRAW CONSENT
Withdraw consent for marketing or non-essential data processing at any time.
✦ OBJECT
Object to processing based on legitimate interest, including profiling.
✦ RESTRICT PROCESSING
Request that we limit how we use your data in certain circumstances.
✦ GRIEVANCE REDRESSAL
Under DPDP Act 2023, raise a grievance with our designated Data Protection Officer.
If you are in the EU/EEA and believe we have not addressed your concern, you have the right to lodge a complaint with your local Data Protection Authority (DPA).
8. Cookies & Tracking
We use cookies and similar technologies to operate our platform, remember your preferences, and understand how users interact with our services.
Required for core functions — login sessions, payment security, cart management. Cannot be disabled.
Help us understand usage patterns and improve the platform. Anonymised. Disabled if you opt out.
Used to deliver relevant ads and measure campaign performance. Requires your consent.
Remember your settings, language, and display preferences across sessions.
You can manage cookie preferences through your browser settings or our cookie banner on first visit. Note that disabling essential cookies may affect platform functionality.
9. Data Security
We implement industry-standard technical and organisational security measures to protect your personal data against unauthorised access, loss, alteration, or disclosure.
- TLS/SSL encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Payment data tokenisation via PCI-DSS compliant processors
- Role-based access controls — data accessible only to authorised personnel
- Regular security audits and vulnerability assessments
- Incident response plan with mandatory breach notification within 72 hours (GDPR) and as required under DPDP Act
No system is 100% secure. If you discover a security vulnerability, please report it responsibly to support@mepass.in.
10. Children's Privacy
Mepass services are not directed at individuals under the age of 18 years. We do not knowingly collect personal data from minors.
If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at support@mepass.in. We will promptly delete such data upon verification.
For events that permit entry to minors, parental consent and guardian supervision requirements will be communicated separately at the time of ticket purchase.
11. International Data Transfers
Mepass is headquartered in India. If you access our services from outside India, your data may be transferred to and processed in India or other countries where our service providers operate.
For users in the European Economic Area (EEA), we ensure that any transfer of your personal data to countries outside the EEA is protected by appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Data Processing Agreements with all sub-processors
Under India's DPDP Act 2023, cross-border data transfers are conducted in accordance with government-notified provisions and restrictions.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out to us:
| support@mepass.in | |
| Website | mepass.in |
| Phone | +91 72289 30704 |
Subject Line for Privacy Requests
Please use: "Privacy Request — [Your Name]"
We respond to all privacy-related requests within 30 days of receipt. For GDPR requests, the response period is 30 days extendable to 90 days for complex requests.
POLICY UPDATES
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice on our platform at least 14 days before the changes take effect. The "Last Updated" date at the top of this page reflects the most recent revision.