NFA Pass

Privacy Policy

Last updated: 2026-05-24

1. What we collect

To generate your Apple Wallet pass, we collect:

  • The NFA item details you enter (owner name, optional trust name, make, model, serial, caliber, form references, notes).
  • The ATF document file you upload — only if you choose the "Upload" storage option. If you pick "Link to my own URL" or "Skip," we never see the file.
  • Standard request metadata (IP address, timestamps) for security and abuse prevention.

We do not collect an email address. The pass is delivered as a download link on the success page.

2. How we use it

  • Generate your signed .pkpass file.
  • Host your uploaded document at a private, random URL embedded on the back of the pass (Upload mode only).
  • Detect abuse and enforce rate limits.

We do not sell or share your data with third parties. We do not run advertising trackers.

3. How long we keep it

  • Uploaded document: retained for 90 days (Upload mode only), then automatically deleted unless you delete sooner.
  • Generated pass file (.pkpass): retained for 1 hour to serve the download link, then automatically deleted.
  • Audit logs: 30 days. IDs are stored as one-way hashes.

4. Where data lives

Documents are stored encrypted at rest in a Cloudflare R2 bucket (AES-256, server-side managed keys), accessed only through short-lived signed URLs over TLS 1.2+. Bucket access is restricted to the service's application credentials.

5. Your rights

You can request deletion of your stored document at any time by emailing privacy@nfapass.com with the document reference shown on your success page. California residents (CCPA/CPRA) and EU/UK residents (GDPR) have additional rights including access, deletion, correction, and the right to opt out of any future marketing communications. We do not use your data for marketing.

6. Security incident reporting

If we discover a security incident affecting your data, we will notify affected users within 72 hours where practicable.

7. Children

This service is intended for adults eligible to possess NFA-regulated items. We do not knowingly collect data from minors.

8. Contact

privacy@nfapass.com