1. Who we are
Faran Services, Finland, is the controller of the personal data described here. For any data-protection question, contact privacy@stamppi.fi.
When you collect stamps at a Restaurant, both Stamppi (which runs the platform) and that Restaurant (which runs its own loyalty program) are involved in processing your data.
2. The data we collect
We built Stamppi to collect as little personal data as possible. We collect:
- Account data — your email address, used for passwordless magic-link sign-in.
- Optional profile details — a display name, birthday, and phone number you may add if you choose. These are blank by default, entirely optional, and you can edit or clear them at any time in your account settings.
- Loyalty activity — the stamps you collect, which Restaurant and location issued them, timestamps, and rewards earned and redeemed.
- Consent records — what you agreed to, when, and the version of the terms in force at the time, including your separate opt-in choices for marketing emails and anonymous usage analytics (both off by default).
- Technical data — limited information needed to run a web app securely, such as device/browser type and session information.
- Contact-form messages — if you contact us through this website, the name, email address, company name, and message you provide, used only to respond to you. Messages are delivered to us by our email provider (see the sub-processor list on the GDPR page).
Your identity in the app is shown to staff as a short-lived, rotating code that contains no personal information on its own. It is a pseudonymous reference only our server can connect back to your account — it is not anonymous, because we can re-link it to you.
We do not collect passwords, payment-card details (you pay the Restaurant directly), location tracking, or special categories of data.
3. Why we use it, and our lawful basis
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Running your account, stamp cards, and rewards | Performance of a contract — Art. 6(1)(b) |
| Sending sign-in (magic link) emails | Performance of a contract — Art. 6(1)(b) |
| Preventing fraud and abuse; security | Legitimate interests — Art. 6(1)(f) |
| Marketing messages, if any | Consent — Art. 6(1)(a), separate and withdrawable |
| Optional anonymous usage analytics | Consent — Art. 6(1)(a), separate and withdrawable |
| Complying with legal obligations | Legal obligation — Art. 6(1)(c) |
We keep your loyalty consent and your marketing consent separate. You can use the loyalty service without agreeing to marketing.
4. Who we share data with
We do not sell your personal data. We share it only with:
- The Restaurants you visit, limited to the loyalty information needed to run their program.
- Service providers (sub-processors) who help us run the service under contract, listed on our GDPR page.
- Authorities, where required by law.
5. Where your data is stored
Our primary database is hosted in the European Union (Frankfurt, Germany). Some of our service providers (for example, certain hosting and email-delivery functions) are operated by companies based outside the EU/EEA, or may process limited data outside the EU/EEA; where that happens, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and/or the EU–US Data Privacy Framework. The providers we use are listed on our GDPR page.
6. How long we keep it
We keep your account and loyalty data for as long as your account is active. When you delete your account, we anonymise your personal data rather than retaining it — identifying information is removed so remaining records can no longer be connected to you. Deletion requests are honoured after a grace period of 30 days (during which you can cancel), after which your identity is permanently removed.
7. Your rights
Under the GDPR you have the right to access, correct, and erase your data; to restrict or object to processing; to data portability; and to withdraw consent at any time where processing is based on consent.
You can exercise several of these directly in the app — export your data and request deletion from your account settings. For any request, contact privacy@stamppi.fi; we respond within one month. You also have the right to complain to the Finnish supervisory authority, the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), tietosuoja.fi.
8. Automated decision-making
We do not make decisions producing legal or similarly significant effects about you solely by automated means. We do use automated checks for fraud prevention and security.
9. Cookies and local storage
As a web app, Stamppi uses essential browser storage to keep you signed in and run the app. We do not use advertising or third-party tracking cookies.
10. Children
Stamppi is intended for general audiences and is not directed at young children. We do not knowingly collect data from children below the age of digital consent in their country (13 in Finland).
11. Security
We protect your data with measures including EU-hosted infrastructure, encryption in transit, strict server-side access controls, and a design in which sensitive actions are verified by our servers rather than trusted to the device. See our GDPR page for more.
12. Changes to this policy
We may update this policy. When changes are material, we will notify you and, where required, ask you to re-confirm your consent. The date above reflects the current version.
13. Contact
Questions about your data: privacy@stamppi.fi, or Faran Services, Finland.