Privacy Policy

Effective: February 15, 2026

Media Passes, LLC ("we," "us," or "our") operates the Media Passes platform at mediapasses.com. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use our website, applications, and related services (the "Service"). This policy applies to all users worldwide, including users in the European Economic Area (EEA) and United Kingdom, and is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

1. Data Controller

Media Passes, LLC is the data controller responsible for processing your personal data. For questions about this policy or to exercise your data rights, contact our designated data protection contact:

Media Passes, LLC
Email: privacy@mediapasses.com

2. Information We Collect

2.1 Information You Provide

When you create an account and use the Service, we collect information you provide directly, including:

  • Account Information: Name, email address, password, phone number, and account type (Media Member, Assignment Editor, or PR Team).
  • Profile Information: Professional bio, profile photo, city, state, country, social media links, and portfolio work samples.
  • Media Professional Details: Outlet name, media types, years of experience, specialties, and beat coverage areas.
  • PR Team Details: Organization name, organization website, title/position, team size, industry focus, and event types managed.
  • Credential Applications: Application materials including cover letters, portfolio links, equipment details, and supplementary information.
  • Communications: Messages sent through the platform and notification preferences.
  • Payment Information: Billing information is collected and processed directly by Stripe, Inc. We do not store credit card numbers, CVVs, or complete payment card details on our servers.

2.2 Information Collected Automatically

When you access the Service, we automatically collect certain technical information, including:

  • Usage Data: Pages visited, features used, actions taken, and timestamps.
  • Device Information: Browser type, operating system, device type, and screen resolution.
  • Network Information: IP address and approximate location (city/region level).
  • Cookies: Essential authentication and session cookies only. See our Cookie Policy for details.

2.3 Information from Third Parties

We receive event data from Ticketmaster (a division of Live Nation Entertainment) and performer data from SeatGeek to power our event discovery and performer directory features. This data relates to public events, performers, and venues, not individual users.

3. Legal Basis for Processing (GDPR)

For users in the EEA and UK, we process personal data under the following legal bases as defined by GDPR Article 6:

  • Performance of Contract (Article 6(1)(b)): Processing necessary to provide the Service you signed up for — including account management, credential applications, and messaging.
  • Legitimate Interests (Article 6(1)(f)): Processing for platform security, fraud prevention, service improvement, and aggregate analytics. We balance our interests against your rights and freedoms.
  • Consent (Article 6(1)(a)): Where required, such as for optional marketing communications. You may withdraw consent at any time.
  • Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable laws, regulations, or legal processes.

4. How We Use Your Information

We use your personal information for the following purposes:

  • Provide the Service: Create and manage your account, process credential applications, facilitate messaging between users, and display your professional profile.
  • Professional Directory: Display your profile in the media directory based on your visibility settings, enabling PR teams to discover qualified media professionals.
  • Event Discovery: Show relevant events based on your interests, location, and professional focus areas.
  • Coverage Previews: When you submit a coverage link, we retrieve publicly available metadata (page title, description, and images) from your linked URL to generate a preview card within the platform. We do not host or store your coverage content — preview cards link directly to your original published work.
  • AI-Assisted Features: Process relevant data through AI technology to provide coverage caption generation, application scoring and ranking, and content suggestions. Data sent to AI providers is limited to what is necessary for the specific feature and is not used for AI model training.
  • Technical Support: Our authorized support personnel may view your account interface to diagnose and resolve technical issues you report. These sessions are read-only, time-limited, and recorded in an audit log. No billing, payment, or subscription actions are performed during these sessions.
  • Transactional Communications: Send emails related to your account activity — application updates, credential confirmations, and security notifications.
  • Security: Detect and prevent fraud, abuse, and unauthorized access.
  • Legal Compliance: Comply with applicable laws, regulations, and legal processes.

5. Data Processors and Third-Party Services

We share personal information with the following categories of service providers (data processors), each of which processes data on our behalf under contractual obligations:

Supabase, Inc.

Authentication, database hosting, and file storage. Data stored in the United States.

SOC 2 Type II certified · supabase.com/security

Vercel, Inc.

Application hosting, edge network delivery, and serverless compute. Data processed globally via edge network.

SOC 2 Type II certified · vercel.com/security

Stripe, Inc.

Payment processing and subscription management. Stripe is the direct processor of all payment card data.

PCI DSS Level 1 · SOC 2 Type II certified · stripe.com/privacy

Postmark (ActiveCampaign, LLC)

Transactional email delivery for account verification, password resets, and credential notifications.

SOC 2 Type II certified · postmarkapp.com/privacy

Ticketmaster (Live Nation Entertainment)

Event data provider for event discovery. We receive public event information; no user data is shared with Ticketmaster.

SeatGeek, Inc.

Performer and event data provider for performer discovery and recommendations. We receive public performer and event information; no user data is shared with SeatGeek.

Anthropic, PBC

AI language model provider powering coverage caption generation, credential application scoring, and content assistance features. When you use AI-assisted features, relevant context (such as event details, coverage URLs, or application information) is sent to Anthropic's API for processing. Anthropic does not use data submitted through its commercial API to train AI models.

SOC 2 Type II certified · anthropic.com/policies/privacy

We do not sell, rent, or share your personal information with advertisers, data brokers, or any third parties for their own marketing purposes.

6. Information Sharing and Disclosure

  • With Other Users: Your profile information is visible to other authenticated users based on your account type and privacy settings. Credential applications are shared with the relevant PR team or event organizer.
  • Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request, or to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

7. International Data Transfers

The Service is operated from the United States. If you are located in the EEA, UK, or elsewhere outside the United States, your personal data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place for international transfers, including:

  • Using service providers that maintain SOC 2 Type II compliance and implement appropriate technical safeguards
  • Contractual data processing agreements with all service providers
  • Encryption of data in transit (TLS 1.2+) and at rest

By creating an account, you acknowledge that your data will be processed in the United States. EEA and UK users retain all rights under GDPR regardless of where data is processed.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption: All data is encrypted in transit using TLS/SSL. Sensitive data is encrypted at rest.
  • Authentication: Passwords are hashed using bcrypt. Sessions are managed with short-lived JWT tokens and secure HTTP-only cookies.
  • Access Control: Row Level Security (RLS) policies enforce data isolation at the database level. Administrative access requires a verified admin role.
  • Security Headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, and other headers protect against common web attacks.
  • Payment Security: All payment data is handled directly by Stripe (PCI DSS Level 1 compliant). We never store credit card numbers on our servers.
  • Infrastructure Security: Our infrastructure providers — Supabase, Vercel, Stripe, and Postmark — each maintain SOC 2 Type II certification, providing independently audited security controls for physical security, network protection, access management, and incident response.

No method of transmission over the internet is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security.

9. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you the Service. Upon account deletion:

  • Personal profile data, messages, and connected accounts are deleted immediately.
  • Credential application records may be retained for up to 3 years in anonymized form for audit and dispute resolution purposes.
  • Billing records are retained as required by tax and accounting laws (typically 7 years).
  • Server logs containing IP addresses are automatically purged after 90 days.

10. Your Rights

You have the following rights regarding your personal information. These rights apply to all users; additional protections apply to users in the EEA, UK, and California.

10.1 Rights for All Users

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your account and personal data.
  • Data Export: Download your data in a structured, machine-readable JSON format from Settings → Account.
  • Opt-Out: Unsubscribe from non-essential emails via the unsubscribe link or your notification settings.

10.2 Additional Rights for EEA and UK Users (GDPR)

  • Right to Restrict Processing (Article 18): Request that we restrict processing of your data in certain circumstances.
  • Right to Data Portability (Article 20): Receive your data in a structured, commonly used format. Available via the data export feature in your account settings.
  • Right to Object (Article 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent (Article 7): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

10.3 California Privacy Rights (CCPA/CPRA)

California residents have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. We do not use or share personal information for cross-context behavioral advertising. To exercise your CCPA rights, contact us at privacy@mediapasses.com.

10.4 How to Exercise Your Rights

You can exercise your data rights in two ways:

  • Self-Service: Use the data export and account deletion features in Settings → Account.
  • Contact Us: Email privacy@mediapasses.com. We will verify your identity and respond within 30 days (or sooner as required by applicable law).

11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will delete that information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page and updating the effective date. For significant changes that affect your rights, we will provide notice via email or a prominent notice on the Service.

13. Contact Us

If you have questions or concerns about this Privacy Policy or your personal data, or wish to exercise your rights, contact us at:

Media Passes, LLC
Email: privacy@mediapasses.com
General inquiries: hello@mediapasses.com