Privacy Policy
Last updated: 13 April 2026
This Privacy Policy explains how BackdoorVIP (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our Platform — including our website, app, booking system, QR-based entry services, and any related communications.
By creating an account, browsing venues, making a booking, or otherwise using BackdoorVIP, you acknowledge the practices described in this policy.
1. Who We Are
BackdoorVIP operates a platform that allows guests to browse venues, request entry to guest lists, purchase queue-skip upgrades, and check in via QR-based entry. We act as the data controller for the personal data described in this policy.
2. Data We Collect
2.1 Information you provide
- Name and email address
- Phone number (optional but used by venue door teams)
- Date of birth, where required for age-restricted venues
- Account login details (password, optional 2FA secret)
- Booking details (chosen venue, date, party size, plus-ones)
- Optional social handles (Instagram, TikTok)
2.2 Booking and usage data
- QR code generation and scan events
- Door check-in timestamps and rejection grounds (where recorded by venue staff)
- Loyalty point activity per venue
- Premium membership status and renewal dates
2.3 Technical data
- IP address (from Cloudflare edge headers)
- Browser, device type, and approximate location
- Session activity, including last-seen timestamps
2.4 Payment data
Payments are processed entirely by our third-party payment provider (Stripe). We do not store full card numbers, CVV codes, or any data covered by PCI DSS. We retain only the Stripe session and payment-intent identifiers needed to reconcile your bookings, refunds, and membership purchases.
3. How We Use Your Data
- To create and manage your account
- To process bookings and generate QR codes
- To facilitate venue entry, guest lists, and check-in
- To send booking confirmations, status updates, and refund notifications
- To enforce capacity limits, surge pricing, and last-entry cut-offs
- To prevent fraud, abuse, and platform misuse
- To improve our platform, fix bugs, and analyse usage patterns
4. Legal Basis (UK GDPR)
- Contract: processing necessary to provide bookings, payments, and check-in services you have requested.
- Legitimate interest: fraud prevention, platform security, service improvement, and venue operations.
- Legal obligation: tax records, payment reconciliation, and compliance with applicable law.
- Consent: any optional marketing communications, where required.
5. Sharing Your Data
We may share your personal data with:
- Venues — for guest list management, door check-in, and rejection / refund handling.
- Payment processors — Stripe, for queue-skip and premium membership payments and refunds.
- Infrastructure providers — Cloudflare (hosting, edge network, D1 database, R2 storage).
- Legal authorities — where required by law, court order, or regulatory request.
We do not sell personal data to third parties.
6. Payments & Card Security
All card payments are processed via Stripe. Card numbers, expiry dates, and CVV codes are entered directly into Stripe-hosted checkout pages and never touch our servers. Stripe is responsible for PCI DSS compliance and end-to-end card security.
We retain only a record of the booking, the amount, the Stripe session ID, and (where applicable) the payment-intent ID needed to issue automatic refunds — for example, when a venue rejects you at the door or you do not get scanned in within 72 hours of your booking date.
7. Data Retention
We retain your data only for as long as is necessary for:
- Providing and improving the service you've requested
- Complying with our legal, tax, and accounting obligations
- Detecting and preventing fraud or platform misuse
- Defending against potential legal claims
When personal data is no longer needed, it is deleted or anonymised.
8. Your Rights
Under UK data-protection law, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request erasure of your data, subject to legal retention exceptions
- Object to certain types of processing
- Request data portability in a structured, machine-readable format
- Withdraw consent for any consent-based processing at any time
- Lodge a complaint with the Information Commissioner’s Office (ICO)
9. Cookies & Tracking
We use cookies and similar technologies to keep you signed in, remember your preferences, and understand how the platform is used. Strictly necessary cookies are required for the service to function. Non-essential cookies (analytics or marketing) require your consent under UK law and can be declined or withdrawn at any time.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data, including encrypted hosting on Cloudflare's network, encrypted databases, hashed passwords, optional two-factor authentication for accounts, role-based access controls, and audit logging of administrative actions.
No system can guarantee absolute security; you remain responsible for keeping your account credentials confidential.
11. International Transfers
Some of our infrastructure providers (notably Cloudflare and Stripe) operate globally. Where personal data is transferred outside the United Kingdom, appropriate safeguards — such as the UK’s International Data Transfer Agreement or the EU Standard Contractual Clauses — are in place.
12. Age Restrictions
Our services are intended for adults aged 18 or over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us so we can remove it.
13. Changes To This Policy
We may update this Privacy Policy from time to time to reflect changes in the platform, our practices, or applicable law. The “Last updated” date at the top reflects the most recent change. Continued use of the platform after an update constitutes acceptance of the updated policy.