Privacy Policy

Last updated: January 9, 2026

1. Introduction

Punchly (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital loyalty card service.

We are based in the European Union and comply with the General Data Protection Regulation (GDPR).

2. Information We Collect

For Business Owners

  • Account information (name, email, password)
  • Business information (business name, address, logo)
  • Payment information (processed by Stripe; we don't store card details)
  • Usage data (login times, features used)

For Customers (End Users)

  • Email address (optional, for reminders)
  • Stamp and redemption history
  • Device information (browser type, for wallet display)

3. How We Use Your Information

  • To provide and maintain our service
  • To send transactional emails (stamp confirmations, reward reminders)
  • To process payments
  • To improve our service based on usage patterns
  • To prevent fraud and abuse
  • To comply with legal obligations

4. Legal Basis for Processing (GDPR)

  • Contract: Processing necessary to provide our service
  • Consent: Email/SMS reminders (opt-in only)
  • Legitimate Interest: Fraud prevention, service improvement
  • Legal Obligation: Tax and accounting records

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Service Providers: Hosting (EU-based), payment processing (Stripe), email delivery
  • Business Owners: Customers' stamp history is visible to the business they visit
  • Legal Requirements: When required by law or to protect our rights

6. Data Retention

  • Active accounts: Data retained while account is active
  • Deleted accounts: Data deleted within 30 days of deletion request
  • Financial records: Retained for 7 years as required by law
  • Expired stamps: Automatically deleted after 12 months

7. Your Rights (GDPR)

You have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data (“right to be forgotten”)
  • Portability: Receive your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to processing based on legitimate interest
  • Withdraw Consent: Unsubscribe from marketing at any time

To exercise these rights, contact us at [email protected].

8. Data Security

We implement appropriate technical and organizational measures including:

  • Encryption in transit (TLS 1.3) and at rest
  • Regular security audits
  • Access controls and authentication
  • EU-based data hosting

9. Cookies

We use a minimal set of cookies. On your first visit you will see a consent banner that lets you Accept All, Reject All, or Manage Preferences for each category. You can change your choice at any time via the “Cookie Settings” link in the footer.

Essential Cookies (always active)

These are strictly necessary for the website to function and cannot be disabled.

  • punchly_consent — stores your cookie preferences (category choices and timestamp). Expires after 12 months.
  • Session cookies — required for login and security on the admin and wallet apps.

Analytics Cookies (opt-in only)

We use Google Analytics with Google Consent Mode v2 to understand how visitors interact with our marketing website. These cookies are only set after you give explicit consent. IP addresses are anonymized and we do not share data with third parties for advertising.

  • _ga — distinguishes unique visitors. Expires after 2 years.
  • _ga_* — maintains session state. Expires after 2 years.
  • _gid — distinguishes visitors within a 24-hour window. Expires after 24 hours.

Marketing Cookies (opt-in only)

We use Google Ads conversion tracking to measure the effectiveness of our advertising campaigns. These cookies are only set after you give explicit consent. We do not use remarketing, retargeting, or social-media tracking.

  • _gcl_aw — stores the Google Ads click identifier. Expires after 90 days.
  • _gcl_au — used by Google Ads to attribute conversions. Expires after 90 days.

If you reject or withdraw consent for any cookie category, the corresponding cookies are deleted immediately from your browser.

10. International Transfers

Your data is stored in the European Union. We do not transfer data outside the EU/EEA unless necessary for service provision, in which case we use Standard Contractual Clauses.

11. Children's Privacy

Our service is not intended for children under 16. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this policy periodically. We will notify you of significant changes via email or prominent notice on our website.

13. Contact Us

For privacy-related questions or to exercise your rights:

You also have the right to lodge a complaint with your local data protection authority.