← Back to home

Privacy Policy

Last updated: 27 February 2026

Stampd is a digital loyalty card service operated by Tideshift Ventures, LLC, 131 Continental Dr, Suite 305, Newark, DE 19713, United States ("we", "us", "our"). This policy explains what data we collect, why, and how we protect it.

1. Data We Collect

Business owners (merchants)

• Account info — email address, business name, password (hashed with Argon2)
• Brand assets — logo image, brand color, reward description
• Payment info — processed by Stripe; we store only your Stripe customer ID, not card details

Customers (cardholders)

• Loyalty pass data — a unique barcode value, stamp count, and redemption count
• Device identifiers — Apple Wallet device library ID and push token (for pass updates only)

All visitors

• Analytics — anonymous page views and events via self-hosted Umami (no cookies, no personal data)
• Server logs — IP address, request path, timestamp (retained for security, rotated automatically)

2. How We Use Your Data

• Provide and operate the loyalty card service
• Process payments via Stripe
• Issue digital passes to Apple Wallet and Google Wallet
• Send pass updates (stamp counts, redemptions) to wallet apps
• Protect against abuse (rate limiting, fraud detection)

3. Legal Basis for Processing (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)) — processing your account data and loyalty card data is necessary to provide the service
• Legitimate interest (Art. 6(1)(f)) — server logs and security measures to protect against abuse
• Consent (Art. 6(1)(a)) — where applicable, such as optional analytics

4. Third-Party Services

• Stripe — payment processing (Stripe Privacy Policy)
• Apple Wallet — pass delivery and updates (Apple Privacy Policy)
• Google Wallet — pass delivery and updates (Google Privacy Policy)

We do not sell, rent, or share your personal data with any other third parties.

5. Data Storage & Security

• Data is stored on servers in the EU (Hetzner, Germany)
• All connections are encrypted via HTTPS/TLS
• Passwords are hashed with Argon2 (never stored in plaintext)
• Database backups are encrypted and replicated off-site

6. Data Retention

• Business accounts — retained while your account is active; deleted upon request
• Customer passes — retained while the associated business account is active
• Server logs — automatically rotated (typically 14 days)

7. Your Rights (GDPR)

If you are in the EU/EEA, you have the right to:

• Access your personal data
• Correct inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Object to or restrict processing
• Lodge a complaint with your local data protection supervisory authority

To exercise these rights, email privacy@stampd.shop.

8. Cookies

We use a single essential cookie (token) for authentication. It is HTTP-only, secure, and not used for tracking. We do not use advertising or third-party tracking cookies.

9. Changes

We may update this policy from time to time. Changes will be posted on this page with an updated date.

10. Contact

For privacy questions, email privacy@stampd.shop.