EU General Data Protection Regulation
VoqadoWiFi is fully compliant with the General Data Protection Regulation (EU) 2016/679.
Lawful basis: Guest data is collected under explicit, informed consent presented at portal login.
Data minimization: We collect only name, email, and optional birthday — nothing beyond what's declared.
Right to erasure: Guests can request deletion via the venue or directly. Operators can delete guest records from the CRM.
Data portability: Full guest data export available in CSV format from the dashboard.
DPA available: We provide signed Data Processing Agreements for all paying customers on request.
Data residency: All EU customer data is stored on EU-region Supabase infrastructure (Frankfurt, Germany).
Breach notification: We commit to notifying affected operators within 72 hours of any confirmed data breach.
California Consumer Privacy Act
VoqadoWiFi supports CCPA rights for California-resident guests.
Disclosure: Our privacy policy clearly discloses what data is collected and why.
Do-not-sell: We do not sell guest personal information to third parties. Ever.
Right to know: Guests may request a copy of all data held about them.
Right to delete: Deletion requests are honored within 45 days.
Non-discrimination: Guests who exercise CCPA rights are not penalized.
Opt-out mechanism: Marketing consent is optional and can be withdrawn at any time.
CAN-SPAM Act (Email Marketing)
All email campaigns sent through VoqadoWiFi comply with the CAN-SPAM Act.
Sender identification: Every campaign shows a clear "From" name and email address.
Honest subject lines: No deceptive subject lines are permitted in the platform.
Physical address: All campaigns include a valid postal address in the footer.
Unsubscribe mechanism: One-click unsubscribe is included in every automated and manual email.
Opt-out honored within 10 days: Our system processes unsubscribes immediately.
No third-party list selling: Guest email lists are never shared or sold.
Web Content Accessibility Guidelines
VoqadoWiFi portals and dashboard meet WCAG 2.1 Level AA accessibility standards.
Perceivable: All content has sufficient color contrast ratios (minimum 4.5:1 for normal text).
Operable: Full keyboard navigation supported across all portal and dashboard screens.
Understandable: Forms include clear labels, error messages, and instruction text.
Robust: Semantic HTML and ARIA attributes ensure compatibility with assistive technologies.
Screen reader tested: Portals are tested with VoiceOver (macOS/iOS) and NVDA (Windows).
Focus management: Visible focus indicators on all interactive elements.
Information Security Management
Our infrastructure and development practices follow ISO 27001 information security principles.
Encryption in transit: All data transmitted over TLS 1.2+ (HTTPS enforced everywhere).
Encryption at rest: All database records encrypted at rest via AES-256.
Access controls: Role-based access control, principle of least privilege enforced.
API key management: Per-organization API keys with rotation capability.
Audit logging: All admin actions, API calls, and data access events are logged.
Dependency management: Regular vulnerability scanning of npm dependencies via automated CI.
Incident response: Documented incident response plan with defined RTO/RPO targets.
Payment Card Data Standards
VoqadoWiFi's WiFi infrastructure is intentionally out of PCI scope.
No cardholder data: VoqadoWiFi never processes, stores, or transmits payment card data.
Network segmentation: Guest WiFi networks are logically segmented from POS and payment networks.
Zero PCI scope: Our platform creates zero new PCI obligations for your venue.
Venue billing: Our own billing uses Stripe, a PCI DSS Level 1 certified payment processor.
Network isolation: We recommend (and document) guest WiFi VLAN isolation from internal networks.
Enterprise Customers
Need a signed DPA or audit report?
We provide Data Processing Agreements, security questionnaire responses, and compliance documentation for enterprise accounts.
Contact Compliance Team
Response within 1 business day