Stamppi is built to be privacy-respecting by design. This page summarises how we approach data protection under the GDPR — for the people who use Stamppi and the Restaurants who run loyalty programs on it. It complements our full Privacy Policy.
Our commitments
Data minimisation. We collect about as little as a loyalty product can — an email address and loyalty activity, plus any optional profile details (display name, birthday, phone number) a diner chooses to add. No passwords, payment details, or location tracking.
EU data residency. Our primary database is hosted in the European Union (Frankfurt, Germany). Where sub-processors operate outside the EU/EEA, we rely on Standard Contractual Clauses and/or the EU–US Data Privacy Framework.
Privacy by design. A diner’s in-app code is a short-lived, rotating, pseudonymous reference that carries no personal data on its own.
Erasure by anonymisation. When someone deletes their account, we remove the information that identifies them rather than retaining personal data indefinitely.
Your rights as a diner
You can access, correct, export, and delete your data — much of it directly in the app — and you can object to processing or withdraw marketing consent at any time. Full details are in the Privacy Policy. You may also complain to the Finnish Office of the Data Protection Ombudsman.
For Restaurants — data processing
When you run a loyalty program on Stamppi, your customers’ data is processed through our platform. Depending on the arrangement, a Data Processing Agreement (DPA) may be required between us; we can make one available to Restaurant partners. Contact privacy@stamppi.fi.
Sub-processors
We use a small number of vetted providers to run Stamppi:
| Provider | Purpose | Location |
|---|---|---|
| [Supabase] | Database, authentication, hosting | EU (Frankfurt) |
| Vercel | Application hosting / delivery | US company; EU edge regions |
| Resend | Transactional email (incl. contact form) | EU sending (Ireland); US company |
We keep this list current and update it when we add or change providers.
Security measures
Our safeguards include encryption of data in transit; EU-hosted infrastructure; strict server-side access controls (row-level security and least-privilege access); a server-authoritative design in which stamps and rewards are written and verified by our servers, not trusted to a device; scoped, revocable, time-limited credentials for Restaurant terminals; and an append-only audit trail of sensitive actions.
Data breaches
In the event of a personal-data breach likely to result in a risk to people’s rights, we will notify the relevant supervisory authority without undue delay and, where required, within 72 hours, and will inform affected users where the law requires.
Contact
Data-protection enquiries: privacy@stamppi.fi, Faran Services, Finland.