GDPR & Data Protection

Privacy by design, hosted in the EU.

Last updated: July 18, 2026

Stamppi is built to be privacy-respecting by design. This page summarises how we approach data protection under the GDPR — for the people who use Stamppi and the Restaurants who run loyalty programs on it. It complements our full Privacy Policy.

Our commitments

Data minimisation. We collect about as little as a loyalty product can — an email address and loyalty activity, plus any optional profile details (display name, birthday, phone number) a diner chooses to add. No passwords, payment details, or location tracking.

EU data residency. Our primary database is hosted in the European Union (Frankfurt, Germany). Where sub-processors operate outside the EU/EEA, we rely on Standard Contractual Clauses and/or the EU–US Data Privacy Framework.

Privacy by design. A diner’s in-app code is a short-lived, rotating, pseudonymous reference that carries no personal data on its own.

Erasure by anonymisation. When someone deletes their account, we remove the information that identifies them rather than retaining personal data indefinitely.

Your rights as a diner

You can access, correct, export, and delete your data — much of it directly in the app — and you can object to processing or withdraw marketing consent at any time. Full details are in the Privacy Policy. You may also complain to the Finnish Office of the Data Protection Ombudsman.

For Restaurants — data processing

When you run a loyalty program on Stamppi, your customers’ data is processed through our platform. Depending on the arrangement, a Data Processing Agreement (DPA) may be required between us; we can make one available to Restaurant partners. Contact privacy@stamppi.fi.

Sub-processors

We use a small number of vetted providers to run Stamppi:

ProviderPurposeLocation
[Supabase]Database, authentication, hostingEU (Frankfurt)
VercelApplication hosting / deliveryUS company; EU edge regions
ResendTransactional email (incl. contact form)EU sending (Ireland); US company

We keep this list current and update it when we add or change providers.

Security measures

Our safeguards include encryption of data in transit; EU-hosted infrastructure; strict server-side access controls (row-level security and least-privilege access); a server-authoritative design in which stamps and rewards are written and verified by our servers, not trusted to a device; scoped, revocable, time-limited credentials for Restaurant terminals; and an append-only audit trail of sensitive actions.

Data breaches

In the event of a personal-data breach likely to result in a risk to people’s rights, we will notify the relevant supervisory authority without undue delay and, where required, within 72 hours, and will inform affected users where the law requires.

Contact

Data-protection enquiries: privacy@stamppi.fi, Faran Services, Finland.