Privacy Policy

This Privacy Policy explains how Stampic ("Stampic", "we", "us", or "our") collects, uses, shares, and protects personal data when you use our website, dashboard, scanner app, wallet passes, and related services (together, the "Service") available at https://stampic.io.

1. Who we are

Stampic is a SaaS platform that lets businesses create and run digital loyalty programs (stamp cards, points, memberships, discounts, coupons, gift certificates) delivered through Apple Wallet and Google Wallet. The data controller is Stampic, Warsaw, Poland. For any privacy matter you can reach us at privacy@stampic.io.

2. Data we collect

2.1 Account data (business users)

  • Name, email address, and password hash (or Google account identifier if you sign in with Google).
  • Profile data such as preferred language, avatar, role, and workspace membership.
  • Business information: company name, address, VAT/tax details, and billing data.

2.2 Data we receive from Google

Stampic uses Google OAuth to let you sign in and to optionally connect your Google Business Profile. The data we receive depends on the scopes you grant:

Sign in with Google — non-sensitive scopes openid, email, profile:

  • Your Google account email address and whether it has been verified.
  • Your display name and profile picture URL.
  • Your Google account unique identifier (sub).

Google Business Profile connection (optional) — sensitive scope https://www.googleapis.com/auth/business.manage:

  • The list of Google Business Profile accounts and locations you manage.
  • Location metadata (business name, address, phone, categories, hours, website, labels, and service areas) for the locations you choose to connect.
  • Reviews and review replies on those locations.
  • Local posts, photos, and Q&A you create or publish through Stampic.
  • Aggregated insights and performance metrics provided by the Business Profile Performance API.
  • OAuth access and refresh tokens (stored encrypted at rest), used only to call Google on your behalf.

We only read or write Google Business Profile data to provide user-facing features you explicitly request — for example, showing your locations in Stampic, syncing loyalty program info, publishing posts or offers that you compose in Stampic, and replying to reviews. You can disconnect at any time from your Stampic account settings, which revokes our tokens; you can also revoke access directly at myaccount.google.com/permissions.

We do not request access to Gmail, Google Drive, Google Calendar, Google Contacts, Google Sheets, or any other Google user data outside the scopes listed above.

2.3 End-customer / cardholder data (data your business collects through Stampic)

When your customers add a loyalty card to their wallet, we process the minimum data needed to deliver the wallet pass and operate the loyalty program on your behalf:

  • Device push token for Apple/Google Wallet pass updates.
  • Optional fields the business chooses to collect on the enrollment form (for example: name, phone, email, birthday).
  • Loyalty activity: stamps, points, visits, redemptions, and timestamps.

For this data, the business using Stampic is the data controller and Stampic acts as a processor under the applicable Data Processing Agreement.

2.4 Usage and technical data

  • Log data: IP address, user agent, pages visited, actions performed, timestamps, error traces.
  • Cookies and similar technologies strictly necessary to operate the Service, plus privacy-respecting analytics.
  • Content you upload (logos, images, branding) used to render wallet passes.

3. How we use data

  • To create and secure your account and authenticate you (including via Google sign-in).
  • To provide, maintain, and improve the Service and its features.
  • To generate, distribute, and update Apple Wallet and Google Wallet passes.
  • To let you manage your Google Business Profile locations from Stampic — for example, viewing locations, syncing loyalty program details, publishing posts and offers, replying to reviews, and displaying performance insights.
  • To send transactional communications (verification emails, password resets, billing notices, service announcements).
  • To provide customer support and respond to your requests.
  • To detect, prevent, and address fraud, abuse, security, and technical issues.
  • To comply with legal obligations and enforce our Terms of Service.

We do not use data obtained through Google APIs to develop, improve, or train generalized machine learning models or AI models.

4. Legal bases (GDPR)

  • Contract — to provide the Service you signed up for.
  • Legitimate interests — to keep the Service secure, prevent abuse, and improve the product.
  • Consent — for optional marketing communications and non-essential cookies, where required.
  • Legal obligation — for accounting, tax, and regulatory requirements.

5. How we share data

We do not sell personal data. We share data only with:

  • Infrastructure and service providers acting as processors on our behalf: cloud hosting, database, email delivery, SMS delivery, error monitoring, and analytics. They process data only under our instructions.
  • Apple and Google — to deliver and update wallet passes on your customers’ devices via Apple Push Notification service (APNs) and the Google Wallet API.
  • Payment processors (e.g., Stripe) when you subscribe to a paid plan.
  • Authorities when required by law, court order, or to protect rights, safety, and property.
  • Acquirers in the event of a merger, acquisition, or sale of assets, under equivalent protections.

6. Google API Services User Data Policy (Limited Use)

Stampic’s use and transfer of information received from Google APIs — including Google Sign-In and the Google Business Profile APIs — adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We only use Google user data to provide or improve user-facing features that are prominent in the Stampic experience (signing you in, and — if you connect it — managing your Google Business Profile locations, posts, offers, reviews, and insights).
  • We do not transfer Google user data to third parties except as needed to provide or improve those user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use Google user data for serving advertisements of any kind.
  • We do not use Google user data to develop, improve, or train generalized or non-personalized AI or machine learning models.
  • We do not allow humans to read Google user data unless (a) we have your explicit consent for specific data, (b) it is necessary for security purposes such as investigating abuse, (c) it is required to comply with applicable law, or (d) the data has been aggregated and is used for internal operations in accordance with applicable privacy rules.

7. Data retention

  • Account data: for the lifetime of your account plus up to 12 months after deletion, unless a longer period is required by law.
  • Wallet pass and loyalty activity data: while the business program is active, or until the business deletes the data.
  • Google OAuth tokens and cached Google Business Profile data: until you disconnect Google (or revoke access at myaccount.google.com/permissions), after which we delete tokens immediately and cached Business Profile data within 30 days.
  • Billing and tax records: as required by applicable accounting and tax laws (typically 5–10 years).
  • Log data: typically up to 90 days.

8. Security

We use industry-standard safeguards, including TLS encryption in transit, encryption at rest for sensitive fields, hashed passwords, role-based access control, audit logging, and least-privilege access for staff. No method of transmission or storage is 100% secure, but we work continually to protect your data.

9. International transfers

We are based in the EU and prefer EU data centers. Where data is processed outside the EEA, we rely on adequacy decisions or Standard Contractual Clauses approved by the European Commission.

10. Your rights

Depending on your jurisdiction (GDPR/UK GDPR/CCPA), you may have the right to:

  • Access, correct, or delete your personal data.
  • Object to or restrict certain processing.
  • Receive a portable copy of your data.
  • Withdraw consent at any time (without affecting prior processing).
  • Lodge a complaint with your local data protection authority (in Poland: UODO).

You can revoke Stampic’s access to your Google account at any time via https://myaccount.google.com/permissions. To exercise any right, email privacy@stampic.io.

11. Children

The Service is not directed to children under 16, and we do not knowingly collect data from them. If you believe a child has provided us personal data, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the new version on this page and update the "Last updated" date below. Material changes will be communicated by email or in-product notice.

13. Contact

Privacy questions and requests: privacy@stampic.io
General support: support@stampic.io

Last updated: 2026-04-18