Privacy Policy
This policy explains what personal data Stempy collects, why we collect it, how we keep it safe, and the choices you have. We wrote it in plain English so it is genuinely readable. If anything is unclear, email us.
Who we are
If you are a customer of a shop that uses Stempy, the shop is the controller of your loyalty data and Stempy acts as their processor. For data we collect directly (for example when you book a demo), Stempy is the controller.
What we collect
We only collect information that helps us run the service. The categories are:
Merchant account data
- Business name, address, VAT number, and billing details
- Owner and staff names, email addresses, and phone numbers
- Login credentials (passwords are stored as salted bcrypt hashes, never in plain text)
Customer loyalty data
- First name and email address, if the customer chooses to provide them
- A unique wallet pass identifier, issued by Apple Wallet or Google Wallet
- Stamp history, reward redemptions, and visit timestamps
- Approximate location at the moment of a stamp (to prevent fraud)
Technical data
- Browser type, device type, operating system, and IP address
- Pages visited on our website and how long you spent on each
- Error reports, to help us fix bugs
How we use it
We use personal data to run the service, keep it safe, and improve it. Concretely, that means:
- Issuing and updating wallet passes, and delivering push notifications
- Processing payments and sending invoices
- Answering support requests and sharing product updates
- Detecting fraud, abuse, and suspicious stamping patterns
- Measuring which features are useful, so we can build the right things next
Lawful basis for processing
Under UK GDPR and the EU GDPR, we rely on one of the following lawful bases for each purpose:
- Contract: processing we need to do to deliver the service you signed up for
- Legitimate interest: running the service safely, preventing fraud, and improving the product
- Consent: marketing emails, analytics cookies, and anything optional. You can withdraw consent at any time
- Legal obligation: accounting records, tax filings, and responses to lawful requests
Sharing and processors
We share personal data only with the vendors we need to run Stempy. Each is under a written data processing agreement and each is vetted for security. The core list is:
- Amazon Web Services (Ireland): infrastructure hosting
- Stripe (UK): payments and billing
- Postmark (USA): transactional email, under Standard Contractual Clauses
- Apple and Google: wallet pass delivery and push notifications
- Plausible (EU): privacy-friendly website analytics, no cookies
We will share data with the police, regulators, or courts when we are legally required to. We publish the number of requests we receive each year in our transparency report.
How long we keep it
We hold on to data only as long as we need to. The default retention periods are:
- Active merchant accounts: while the account is open, plus six years for tax records
- Closed merchant accounts: deleted within 90 days, except billing records
- Customer loyalty data: deleted within 30 days of a merchant closing their account, or sooner on request
- Website analytics: aggregated and anonymised after 14 months
- Support conversations: two years, then deleted
Your rights
You have the right to access, correct, export, or delete the personal data we hold about you. You can also object to processing, ask us to restrict it, or withdraw consent. To exercise any of these rights, email privacy@stempy.co.uk and we will respond within 30 days.
If you are unhappy with how we handled your request, you can complain to the UK Information Commissioner's Office at ico.org.uk.
Security
We take security seriously. We run Stempy on encrypted infrastructure, enforce multi-factor authentication for all staff, log every access to production, and audit our code through third-party security reviews twice a year. Passwords are hashed with bcrypt. Payment card data never touches our servers; Stripe handles it end to end.
If we ever experience a personal data breach that is likely to affect your rights, we will notify you and the ICO within 72 hours, as the law requires.
Cookies
The Stempy website uses a small number of cookies. Essential cookies keep you signed in and remember your theme preference. We also use Plausible Analytics, which does not set any cookies or collect personal data. We do not use advertising trackers.
You can clear cookies at any time using your browser settings.
Children
Stempy is built for businesses and their customers. It is not directed at children under 16. We do not knowingly collect personal data from children. If you are a parent and believe your child has given us data, email us and we will delete it.
Changes to this policy
When we make meaningful changes to this policy, we will email every merchant at least 30 days before the change takes effect. Minor clarifications are published here with an updated version number.
Contact
Questions, requests, or complaints? Get in touch:
- Email privacy@stempy.co.uk
- Call 07447 476948 Monday to Friday, 9am to 6pm GMT
- Or use the contact form