ALMEKO.CLUB

Privacy Policy

ALMEKO.CLUB · Last updated: May 2026

1. Who We Are

This Privacy Policy describes how Almeko Technologies SIA (“we”, “our”, “us”), Reg.Nr. 40203310504, registered in Riga, Latvia, collects, uses, and protects personal data when you use the ALMEKO.CLUB platform (the “Platform”).

We are the data controller for the personal data processed through the Platform. For any privacy-related question or to exercise your rights, contact us atsupport@almeko.club.

2. Legal Framework

We process personal data in compliance with:

  • The EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which applies to us as a Latvian-established controller and to all users in the European Economic Area;
  • The Latvian Personal Data Processing Law (Fizisko personu datu apstrādes likums), as the national implementing law;
  • The Turkish Personal Data Protection Law (KVKK, Law No. 6698) where we process personal data of users located in Türkiye;
  • Other applicable national data-protection laws where required.

3. Data We Collect

  • Account data: name, email address, password (hashed), city of use.
  • Payment data: processed directly by Stripe; we receive a payment confirmation token and the last 4 digits of the card, never the full card number.
  • Device data: a one-way device fingerprint hash used to bind your pass to your device and prevent QR sharing.
  • Usage data: pass purchase history, QR issue/scan history, partner visit log, IP address, browser/user-agent.
  • Communications: messages you send to support@almeko.club and our responses.

4. Why We Process Your Data (Legal Bases)

  • Performance of contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)): to create your account, issue passes, validate QR scans, and provide customer support.
  • Legal obligation (GDPR Art. 6(1)(c) / KVKK Art. 5(2)(a)): to keep payment and tax records as required by Turkish and EU law.
  • Legitimate interests (GDPR Art. 6(1)(f) / KVKK Art. 5(2)(f)): fraud prevention, security monitoring, and improving the Platform.
  • Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1)): for optional analytics and marketing communications, which you can withdraw at any time.

5. How Long We Keep Your Data

We retain account and usage data for as long as your account is active. After account closure, transactional records are kept for up to 10 years to meet accounting and tax obligations. Device fingerprints and QR audit logs are kept for 24 months for fraud prevention, then anonymised or deleted.

6. Sharing & International Transfers

We share data only with trusted processors strictly necessary to operate the Platform:

  • Stripe (payment processing) — EU/US, GDPR-compliant Standard Contractual Clauses;
  • Railway (backend hosting) and Vercel (frontend hosting) — EU/US, SCC-protected;
  • Cloudflare R2 (file storage) — EU/US, SCC-protected.

We do not sell personal data. We may disclose data when legally required (court order, law-enforcement request) under the safeguards of GDPR Art. 49 and KVKK Art. 9.

7. Your Rights

Under GDPR and KVKK you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate data;
  • Erase your data (“right to be forgotten”), subject to legal retention obligations;
  • Restrict or object to processing;
  • Receive your data in a portable, machine-readable format;
  • Withdraw consent at any time, where processing is based on consent;
  • Lodge a complaint with a supervisory authority — our lead authority is the Latvian Data State Inspectorate (Datu valsts inspekcija, dvi.gov.lv). EEA users may also complain to their national DPA; users in Türkiye may complain to the Kişisel Verileri Koruma Kurumu (KVKK Board).

To exercise any of these rights, emailsupport@almeko.club. We respond within 30 days.

8. Cookies

We use strictly necessary cookies for authentication and security (session JWTs, referral attribution). Optional analytics cookies are loaded only with your consent.

9. Security

We apply industry-standard safeguards including TLS encryption in transit, bcrypt password hashing, HMAC-signed QR tokens, and device-bound fraud prevention. No system is perfectly secure; please use a strong, unique password and notify us immediately of any suspected unauthorised access.

10. Changes to This Policy

We may update this Privacy Policy as our practices evolve. Material changes will be notified to registered users by email at least 14 days before they take effect.

11. Contact

Almeko Technologies SIA, Reg.Nr. 40203310504, Riga, Latvia.
Email: support@almeko.club