Legal
Privacy Policy
Last updated: 21 June 2026
Cloak ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy applies to all users of the Cloak platform, including guests who obtain a digital cloakroom pass and venue operators and staff who manage cloakroom operations.
1. Who we are
Cloak is a digital cloakroom management platform operated by Cloak Group Limited, a company incorporated in England and Wales (Companies House number 14766375) ("the Company"). We act as a data controller in respect of personal data collected through our platform.
If you have any questions about this policy or how we handle your data, please contact us at: support@cloakqr.com
2. What personal data we collect
Guests (people obtaining a cloakroom pass)
- Name
- Mobile phone number
- Items deposited (type and quantity)
- QR code and text fallback code associated with your pass
- Timestamp and location of check-in at the venue
Venue operators and staff
- Name and email address
- Venue name, address, and contact details
- Role within the platform (manager or staff)
- Login activity and session information
- Operational data generated through the dashboard (ticket volumes, peak hours, item types)
Automatically collected data
- IP address and device/browser type when you access our platform
- Session authentication tokens (strictly necessary for you to remain logged in)
3. How we use your personal data
Guests
- To provide the cloakroom pass service — processing your check-in, generating your QR pass, and enabling staff to return your items (lawful basis: contract performance, UK GDPR Art. 6(1)(b))
- To send your pass via SMS — delivering your digital pass to your mobile device (lawful basis: contract performance, UK GDPR Art. 6(1)(b))
- To maintain an audit trail — keeping a record of item deposits and returns to resolve any disputes (lawful basis: legitimate interests, UK GDPR Art. 6(1)(f))
Venue operators and staff
- To provide the platform — account creation, authentication, and access to venue management tools (lawful basis: contract performance, UK GDPR Art. 6(1)(b))
- To provide analytics — generating operational insights such as hourly ticket volumes and item-type breakdowns (lawful basis: contract performance, UK GDPR Art. 6(1)(b))
- To communicate with you — sending service notifications, onboarding information, and support responses (lawful basis: legitimate interests, UK GDPR Art. 6(1)(f))
4. How long we keep your data
- Guest pass data— retained for as long as necessary to provide the service, resolve disputes, and meet our legal obligations. You may request erasure at any time (see “Your rights” below).
- Venue account data — retained for the duration of the venue's account, and for 12 months after account closure, after which it is deleted.
- Authentication session data — deleted on logout or expiry, whichever is sooner.
5. Who we share your data with
We do not sell your personal data. We share data only with the following third-party processors, each bound by appropriate data processing agreements:
- Supabase — our database and authentication infrastructure provider. Data is stored within the European Economic Area (EEA).
- Resend — used to send transactional emails to venue operators.
- Apple Inc. and Google LLC — when a guest adds their pass to Apple Wallet or Google Wallet, the pass data is transmitted to and stored by Apple or Google under their respective privacy policies.
- Stripe — payment processing for venue subscriptions, if applicable. Stripe handles payment card data under PCI DSS compliance; we do not store card details.
We may also disclose data where required by law, court order, or to protect the rights or safety of our users or the public.
6. International transfers
Where any of our processors transfer data outside the UK or EEA, we ensure appropriate safeguards are in place — such as the UK International Data Transfer Agreement (IDTA) or equivalent standard contractual clauses — in accordance with UK GDPR Chapter V.
7. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — ask us to delete your data where there is no lawful basis for continued processing
- Restriction — ask us to limit how we use your data in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, email us at support@cloakqr.com. We will respond within one calendar month.
8. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
We would, however, appreciate the chance to address your concerns before you contact the ICO.
9. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "last updated" date at the top of this page. For significant changes, we will notify venue operators by email. We encourage you to review this policy periodically.
