Privacy Policy
Last updated: January 9, 2026
1. Introduction
Punchly ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital loyalty card service.
We are based in the European Union and comply with the General Data Protection Regulation (GDPR).
2. Information We Collect
For Business Owners
- Account information (name, email, password)
- Business information (business name, address, logo)
- Payment information (processed by Stripe; we don't store card details)
- Usage data (login times, features used)
For Customers (End Users)
- Email address (optional, for reminders)
- Stamp and redemption history
- Device information (browser type, for wallet display)
3. How We Use Your Information
- To provide and maintain our service
- To send transactional emails (stamp confirmations, reward reminders)
- To process payments
- To improve our service based on usage patterns
- To prevent fraud and abuse
- To comply with legal obligations
4. Legal Basis for Processing (GDPR)
- Contract: Processing necessary to provide our service
- Consent: Email/SMS reminders (opt-in only)
- Legitimate Interest: Fraud prevention, service improvement
- Legal Obligation: Tax and accounting records
5. Data Sharing
We do not sell your personal data. We share data only with:
- Service Providers: Hosting (EU-based), payment processing (Stripe), email delivery
- Business Owners: Customers' stamp history is visible to the business they visit
- Legal Requirements: When required by law or to protect our rights
6. Data Retention
- Active accounts: Data retained while account is active
- Deleted accounts: Data deleted within 30 days of deletion request
- Financial records: Retained for 7 years as required by law
- Expired stamps: Automatically deleted after 12 months
7. Your Rights (GDPR)
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Unsubscribe from marketing at any time
To exercise these rights, contact us at [email protected].
8. Data Security
We implement appropriate technical and organizational measures including:
- Encryption in transit (TLS 1.3) and at rest
- Regular security audits
- Access controls and authentication
- EU-based data hosting
9. Cookies
We use minimal cookies:
- Essential: Session cookies for login (required)
- Analytics: Privacy-focused analytics (no personal data, no consent required)
We do not use advertising or tracking cookies.
10. International Transfers
Your data is stored in the European Union. We do not transfer data outside the EU/EEA unless necessary for service provision, in which case we use Standard Contractual Clauses.
11. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this policy periodically. We will notify you of significant changes via email or a prominent notice on our website.
13. Contact Us
For privacy-related questions or to exercise your rights:
- Email: [email protected]
- Data Protection Officer: [email protected]
You also have the right to lodge a complaint with your local data protection authority.