Stampee Privacy Policy

Welcome to Stampee. We are committed to protecting your personal data and privacy rights. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our electronic membership stamp card wallet service. Stampee is a company registered in Germany and is subject to the EU General Data Protection Regulation (GDPR). We strictly comply with the GDPR and all other applicable data protection regulations.

The data controller is: Stampee Registered in: Germany Website: https://www.stampee.app Contact Email: privacy@stampee.app

Data you provide: - Email address (registration, required) - Password (encrypted, registration, required) - Store name (merchant registration, required for merchants) - Activity information (when merchants create activities) - Notification preferences (optional) Data collected automatically: - Stamp records - Activity participation records - Device information (browser, OS version) - Access logs (IP address, access time) - Cookies and similar technologies Data we do NOT collect: - Phone numbers - Geographic location data - Identity documents - Biometric data

Contract performance (Art. 6(1)(b) GDPR): - Account creation and management - Core services (stamp records, activities, redemption) - Payment processing Legitimate interests (Art. 6(1)(f) GDPR): - Security - Service improvement - Technical maintenance Consent (Art. 6(1)(a) GDPR): - Marketing emails (unsubscribe at any time) - Non-essential cookies

We use the following third-party services: - Supabase: Database and authentication - Stripe: Payment processing - Resend: Email service - Vercel: Web hosting - Google: OAuth authentication We do not sell your personal data or use it for advertising targeting.

Some data may be transferred outside the EU. We protect transfers through Standard Contractual Clauses (SCCs), adequacy decisions, the EU-US Data Privacy Framework, and encryption.

- Account info: Duration of account + 30 days after deletion - Stamp records: Deleted with account - Activity records: 12 months after activity ends - Payment records: 10 years (German tax law) - Access logs: 90 days - Email logs: 12 months

Under GDPR, you have the right to: - Access (Art. 15) - Rectification (Art. 16) - Erasure / Right to be Forgotten (Art. 17) - Restriction of processing (Art. 18) - Data portability (Art. 20) - Object (Art. 21) - Withdraw consent - Lodge a complaint with a supervisory authority Contact privacy@stampee.app to exercise your rights. We will respond within 30 days.

Cookies we use: - Authentication cookies (essential, session duration) - Security cookies (essential, session duration) - Preference cookies (functional, 12 months) We also use localStorage for authentication tokens and user preferences.

Technical measures: - TLS/HTTPS encryption in transit - Database encryption at rest - bcrypt password hashing - Role-based access control - API authentication - Merchants cannot view consumer personal information In case of a data breach, we will notify the relevant supervisory authority within 72 hours.

- Anonymization: Merchants only see anonymized identifiers - Data isolation: Each merchant can only access their own store data - Data minimization: We collect only the minimum necessary data

Our Service is not directed at children under 16. If you discover that a child has provided us with data without consent, contact privacy@stampee.app.

Material changes will be communicated via email or in-app notification in advance. We encourage you to review this policy periodically.

Email: privacy@stampee.app Website: https://www.stampee.app

This Privacy Policy is governed by German law. The GDPR and the German Federal Data Protection Act (BDSG) apply.