Skip to main content
VIP Passport
VIP Passport
Back to Home

Privacy Policy

Last Revised: February 26, 2026

Effective Date: February 26, 2026

VIP Passport is operated by South Coast Plaza ("SCP," "we," or "us"). This Privacy Policy describes how we collect, use, and protect information about you when you use the VIP Passport application and website (the "Service"). This Privacy Policy, together with our Terms of Use, governs your use of the Service.

Table of Contents

  1. About This Policy
  2. Information We Collect
  3. How We Use Your Information
  4. Cookies and Browser Storage Technologies
  5. Information Sharing and Third-Party Services
  6. AI Concierge and Chat Data
  7. Data Retention
  8. Security
  9. Children's Privacy
  10. California Privacy Rights (CCPA/CPRA)
  11. Do Not Sell or Share My Personal Information
  12. Updating Your Information
  13. Changes to This Policy
  14. Contact Us

1. About This Policy

This Privacy Policy explains how we collect, use, disclose, and retain personal information when you use the Service. We provide this notice so you can make informed decisions about your information. Where required by law, we will obtain your consent before collecting or processing personal information, or rely on another lawful basis as described in this Policy.

2. Information We Collect

We collect the following information when you create an account and use the Service:

Account Information

When you create an account, authentication is handled by our identity provider, Auth0 (operated by Okta, Inc.). We receive and store the following from your account:

  • Full name
  • Email address
  • Profile picture (if provided by your identity provider)
  • Country
  • ZIP/Postal code
  • Account creation and last-updated timestamps

We do not store your password. Your login credentials are managed entirely by Auth0. Please refer to Okta's Privacy Policy for information about how your credentials are handled.

Usage Information

  • Offers you have viewed, activated, or redeemed
  • Offers you have saved to your favorites
  • Date and time of your activities on the Service

AI Concierge Interaction Data

If you choose to use the VIP Concierge (our AI-powered chat assistant), we collect:

  • Messages you send to the AI Concierge
  • AI-generated responses provided to you
  • Which stores, offers, or services the AI referenced in its responses
  • Session identifiers linking messages in a single conversation

Use of the AI Concierge requires your explicit opt-in consent, which you can provide or revoke at any time. See Section 6 for details on how this data is processed and retained.

Coarse Location Data

We collect your ZIP/Postal code, which constitutes coarse geolocation data. We do not collect precise GPS-based geolocation.

Information We Do NOT Collect

  • Precise geolocation data (GPS coordinates)
  • Biometric information
  • Financial or payment information (offers are redeemed at participating retailers)
  • Social Security numbers or government IDs
  • Browsing history outside of the Service
  • Passwords (authentication is handled by our identity provider)

3. How We Use Your Information

We use the information we collect to:

  • Create and manage your account
  • Authenticate your identity when you log in (via Auth0)
  • Provide access to exclusive offers from participating retailers
  • Track which offers you have activated or redeemed
  • Save your preferences and favorite offers
  • Power the AI Concierge chat assistant to answer your questions about South Coast Plaza stores, dining, and offers (via OpenAI)
  • Improve and maintain the Service, including analyzing usage patterns
  • Respond to your inquiries and provide customer support
  • Comply with legal obligations

4. Cookies and Browser Storage Technologies

We use cookies and similar browser storage technologies (collectively, "storage technologies") to operate and improve the Service. We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

Authentication Cookies (Strictly Necessary)

We use cookies set by our authentication provider (Auth0) that are required for you to log in and maintain your session. These cookies are strictly necessary for the Service to function and cannot be disabled while using an account. They do not track your activity across other websites.

Browser Local Storage (Functional)

We use your browser's local storage — a technology similar to cookies but stored entirely on your device — to support functional features. Local storage data is never automatically sent to our servers in HTTP request headers (unlike cookies). The specific items we store are:

  • Display preference (theme setting): Remembers whether you selected light or dark mode. This is an appearance setting stored only on your device.
  • Offer activation countdown: When you activate a time-limited offer, the countdown state is saved locally so it persists if you refresh the page during the activation window. This data is temporary and is automatically cleared when the countdown expires.
  • Saved offers for guest users: If you are not logged in and save an offer to your favorites, the list of favorited offers is stored in your browser's local storage so it persists across page visits. This data contains only publicly available offer details (offer names, descriptions, and store names) and does not contain any personal information, user identifiers, or tracking data. It is stored solely on your device and is never transmitted to our servers. When you create an account and log in, favorites are instead stored securely in our database, and local storage is no longer used for this purpose.
  • Cookie notice dismissal: Remembers that you have acknowledged the cookie notice so it is not shown again.
  • AI Concierge consent: Records whether you have opted in to the AI Concierge feature, so you are not prompted again on each visit.

None of these local storage items contain personal information, and none are used for analytics, advertising, profiling, or any purpose other than providing the specific feature described above.

5. Information Sharing and Third-Party Services

We do not sell or share your personal information for cross-context behavioral advertising. We may disclose your information to the following categories of third parties, solely for the business purposes described below:

  • Auth0 (Okta, Inc.) — Identity Provider: Processes your login credentials and authentication. Auth0 receives your email address, name, and login activity to verify your identity. See Okta's Privacy Policy.
  • OpenAI — AI Chat Processing: If you opt in to the AI Concierge, your chat messages are transmitted to OpenAI for processing. OpenAI generates responses based on your queries. See OpenAI's Privacy Policy.
  • Cloudinary — Image Hosting: Images uploaded by retailers and administrators (logos, offer images) are stored on Cloudinary's servers. End-user personal data is not uploaded to Cloudinary.
  • Hosting Infrastructure: The Service is hosted on cloud infrastructure providers who may process request data (IP addresses, access logs) as part of providing hosting services.
  • Participating retailers: When you activate an offer, the retailer may receive confirmation that you are a valid VIP Passport member.
  • Legal requirements: When required by law, subpoena, or legal process.
  • Protection of rights: To protect the safety, rights, or property of SCP, our users, or others.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred.

6. AI Concierge and Chat Data

The VIP Concierge is an AI-powered chat assistant that can help you discover stores, dining, offers, and services at South Coast Plaza. Use of this feature is entirely optional and requires your explicit consent before any data is collected.

How It Works

  • When you send a message, it is transmitted to OpenAI's API to generate a response.
  • Your messages and the AI's responses are stored in our database, linked to your user account.
  • We may analyze conversation patterns in aggregate to improve the service (e.g., understanding common questions).
  • Your chat data is not used for advertising, sold to third parties, or used to build marketing profiles.

Data Retention and Deletion

  • AI Concierge conversation data is automatically purged after 90 days.
  • You can delete all your chat history at any time from your Profile settings.
  • Revoking your AI Concierge consent prevents future data collection but does not automatically delete existing data — use the delete function in your Profile to remove it.

Your Control

You can manage your AI Concierge consent and delete your chat data from your Profile > Data & Privacy settings at any time.

7. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this Policy. Specific retention periods are as follows:

  • Account information: Retained while your account is active. Upon account deletion, all personal data is permanently removed within 30 days.
  • Offer usage history: Retained while your account is active and deleted when your account is deleted.
  • Favorites: Retained while your account is active and deleted when your account is deleted.
  • AI Concierge conversations: Automatically purged after 90 days. You may also manually delete this data at any time.
  • Authentication sessions: Expire based on session duration settings and are removed upon account deletion.
  • Audit logs: Retained for up to 12 months for security and compliance purposes.

8. Security

We use reasonable administrative, physical, and electronic security measures to protect your personal information, including:

  • Authentication is handled by Auth0, an industry-leading identity platform that manages credential security, including password hashing and encryption.
  • All data transmitted between your browser and the Service is encrypted using TLS (HTTPS).
  • Session tokens are cryptographically signed (JWT) and rotated regularly.
  • Rate limiting and security headers are enforced to protect against common web attacks.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

9. Children's Privacy

The Service is not directed toward children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are under 13, you are not permitted to create an account or submit any personal information. If you are between 13 and 17 years of age, you represent that you have permission from a parent or guardian to use the Service. If we learn that we have collected personal information from a child under 13, we will delete that information promptly. Please contact us at info@southcoastplaza.com if you believe we have inadvertently collected information from a child under 13.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") provides you with specific rights regarding your personal information.

Your Rights

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions. You can also delete your account directly from your Profile settings.
  • Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing: We do not sell your personal information or share it for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: We do not collect categories of information classified as "sensitive personal information" under CPRA (such as Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, or biometric data). The personal information we collect — including your name, email, and ZIP code — falls under standard personal information categories, not the sensitive category.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers: Name, email address, account ID — collected directly from you and from Auth0; used for account management and authentication.
  • Commercial information: Records of offers viewed, activated, or redeemed; favorite offers — collected from your activity on the Service; used to provide and improve the offer experience.
  • Internet or electronic network activity: Interactions with the Service, session data, AI Concierge conversations — collected from your use of the Service; used to provide features and improve the Service.
  • Geolocation data (coarse): ZIP/Postal code — collected directly from you; used to customize your experience.
  • Inferences: The AI Concierge may draw inferences about your shopping preferences based on your questions — generated from your AI Concierge conversations; used to provide relevant recommendations within the chat.

Sources of Personal Information

We collect personal information from: (a) directly from you when you create an account or use the Service; (b) from Auth0 when you authenticate; and (c) automatically through your interactions with the Service and AI Concierge.

Exercising Your Rights

To exercise your CCPA/CPRA rights, you may:

  • Email us at info@southcoastplaza.com
  • Call us at 1-800-782-8888
  • Use the self-service tools in your Profile settings to export your data, delete your chat history, or delete your account

We will respond to verifiable consumer requests within 45 days. You may make a request up to twice in a 12-month period. We may need to verify your identity before processing your request.

11. Do Not Sell or Share My Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

If you have any concerns about how your data is used, please contact us at info@southcoastplaza.com or call 1-800-782-8888.

12. Updating Your Information

You may update your account information at any time by logging into your account and accessing your profile settings. From your Profile, you can also:

  • Export a copy of all your personal data (JSON format)
  • Delete your AI Concierge chat history
  • Delete your account entirely, which permanently removes all your personal data

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make changes, we will update the "Last Revised" date at the top of this page. For material changes that significantly affect how we handle your personal information, we will provide prominent notice (such as a banner on the Service or an email to your account). We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have any questions or concerns regarding this Privacy Policy, please contact us:

South Coast Plaza

3333 Bristol Street, Costa Mesa, CA 92626

Email: info@southcoastplaza.com

Phone: 1-800-782-8888

View Terms of UseReturn to Home
Privacy Policy - VIP Passport