Privacy Policy

1. Introduction

Welcome to Stamply.in ("we", "us", or "our"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our loyalty card platform.

Stamply.in is operated by SILYA PRIVATE LIMITED (CIN: U62099PN2026PTC254644), a company incorporated under the Companies Act, 2013, and registered in India.

By using Stamply.in, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Business Information

When you register as a business, we collect:

• Business Details: Business name, category, description
• Contact Information: Email address, phone number, physical address
• Account Credentials: Email address and password (passwords are hashed and never stored in plain text)
• Loyalty Program Settings: Stamp requirements, reward descriptions
• Business Logo: Images you upload for branding

2.2 Customer Information

When customers register with a business, we collect:

• Basic Information: Name, phone number
• Security Information: PIN or security question answers (encrypted)
• Loyalty Data: Stamps collected, rewards earned, redemption history
• Card ID: Unique identifier for each loyalty card

2.3 Automatically Collected Information

• Usage Data: Pages visited, features used, time spent on platform
• Device Information: Browser type, device type, IP address
• Cookies: Session cookies for authentication and user preferences
• Analytics: Aggregated usage statistics

3. How We Use Your Information

We process personal data based on user consent and for the purpose of providing the Service. We use the collected information for:

3.1 Service Provision

• Creating and managing business and customer accounts
• Processing stamp collection and reward redemption
• Generating QR codes for customer registration and stamp requests
• Displaying loyalty cards and program information
• Sending notifications about stamp requests and rewards

3.2 Communication

• Sending account-related emails (verification, password reset)
• Notifying businesses of customer activity
• Providing customer support
• Sending important service updates (with opt-out option)

3.3 Analytics and Improvement

• Analyzing usage patterns to improve the platform
• Providing businesses with customer insights and analytics
• Identifying and fixing technical issues
• Developing new features based on user behavior

3.4 Security and Fraud Prevention

• Protecting against unauthorized access
• Detecting and preventing fraudulent activities
• Enforcing our Terms of Service
• Complying with legal obligations

4. Data Sharing and Disclosure

4.1 Data Controller and Processor Roles

For clarity on legal responsibility:

• Stamply.in acts as a Data Fiduciary (Controller) for business account data — we determine what business data is collected, the purpose for which it is collected, and how it is processed.
• For customer data, businesses act as Data Fiduciaries, and Stamply.in acts as a Data Processor on their behalf — businesses are responsible for the lawful basis on which customer data is collected through their loyalty programmes. Stamply.in processes such data solely to provide the Service.
• Businesses are Data Recipients — they have limited, read-only visibility into loyalty activity for their own customers only. In exceptional cases, a business may submit a formal written request to Stamply.in for access to specific customer data. Such requests will only be considered if the affected customers are notified of the request and its purpose in advance and given an opportunity to object. Stamply.in reserves the sole discretion to approve or decline any such request.
• Supabase is our Sub-Processor — all data is stored exclusively on Supabase's infrastructure. Stamply.in does not operate its own servers. Supabase processes data on our behalf under their Data Processing Agreement.

Customer data is accessible only in relation to the specific business the customer registered with. Businesses can view:

• Customer first names (for identification purposes only)
• A masked phone number showing only the last few digits (e.g. +91 ******7890) — insufficient to identify or contact a specific individual
• Stamp collection and reward history for their business only
• Aggregated customer statistics

4.2 With Service Providers

We share data with trusted third-party service providers:

• Supabase: Database and authentication services
• Vercel: Hosting and deployment
• Email Service Providers: For transactional emails (if applicable)

These providers are contractually obligated to protect your data and use it only for specified purposes.

4.3 Legal Requirements

We may disclose your information if required to:

• Comply with legal obligations, court orders, or government requests
• Enforce our Terms of Service
• Protect our rights, property, or safety
• Investigate potential violations or fraud

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

4.5 Our Current Practices & Commitments

We currently do not:

• Sell your personal information to third parties
• Share customer data between different businesses
• Use your data for targeted advertising. Business names may appear in a masked format on our public website (e.g. as recently joined businesses) solely to showcase platform activity — no personally identifiable information is disclosed in this display
• Share your email with marketing companies

If we ever intend to do any of the above, we will update this Privacy Policy and notify you before making any such change.

5. Data Security

We implement industry-standard security measures:

• Encryption: All data transmitted over HTTPS/TLS
• Password Security: Passwords are hashed and never stored in plain text
• Row-Level Security: Database policies prevent unauthorized data access
• Authentication: Secure session management with HTTP-only cookies
• Regular Updates: We keep our software up to date with security patches
• Access Controls: Limited employee access to personal data

However, no method of transmission over the internet is 100% secure. No system can guarantee absolute security despite reasonable safeguards. While we implement and maintain appropriate technical and organisational measures to protect your data, we cannot guarantee absolute security against all possible threats.

5.1 Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify affected businesses by email within 72 hours of becoming aware of the breach (or as soon as reasonably practicable)
• Display a prominent notice to affected customers directly in their Stamply portal upon their next login
• Report the breach to the relevant data protection authority as required by applicable law
• Provide details of the nature of the breach, data affected, and steps taken to mitigate harm
• Maintain an internal log of all data breaches, whether or not notification is required

6. Data Retention

• Active Accounts: We retain data while your account is active
• Inactive Accounts: For inactive accounts, we may retain, archive, or delete data based on operational and legal requirements
• Deleted Accounts: Deletion is immediate upon request. You may request restoration from a previous backup, but this cannot be guaranteed and may not be provided.
• Legal Compliance: Some data may be retained longer if required by law
• Backups: Database backups are managed by Supabase (our database provider) under their Pro plan, which retains automated daily backups for 7 days. We do not maintain any separate local backup copies. Upon deletion of your data, live records are removed immediately; residual copies in Supabase's automated backups are purged automatically within 7 days.

7. Your Privacy Rights

7.1 Access and Portability

You have the right to:

• Access your personal data
• Request a copy of your data in a portable format
• View all data associated with your account

7.2 Correction and Update

• Update your profile information through your dashboard
• Correct inaccurate information
• Contact us for help with data corrections

7.3 Deletion

Stamply.in places no restrictions on account or data deletion. You are free to delete your data at any time:

• Customers: You can delete your loyalty card and associated personal data directly from your account. You may also email support@stamply.in if you need assistance.
• Businesses: You can delete your account and all associated data directly from your account settings. This also permanently removes all customer data linked to your business.

Deletion of active records is immediate. A residual copy may exist in Supabase's automated daily backups for up to 7 days, after which it is purged automatically. These backup copies are strictly for disaster recovery and are managed solely by Supabase — they are not accessible to us or to users, and do not constitute a restore service. You may request restoration from a previous backup by contacting support@stamply.in, but restoration cannot be guaranteed and may not be provided.

7.4 Object and Restrict

• Object to certain data processing activities
• Restrict how your data is used
• Opt-out of non-essential communications

7.5 How to Exercise Your Rights

To exercise any of these rights, please contact us at support@stamply.in or through your account settings. We will respond within 30 days.

8. Cookies and Tracking

We use cookies for:

• Essential Cookies: Session management and authentication (required)
• Preference Cookies: Language selection, display preferences
• Analytics Cookies: Understanding how users interact with our platform

For more information, see our Cookie Policy.

9. Children's Privacy

Our Service is not intended for children under 18 years of age. In accordance with India's Digital Personal Data Protection Act, 2023 (DPDP Act), individuals under 18 are considered minors and we do not knowingly collect personal information from them without verifiable parental consent. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@stamply.in and we will delete it promptly.

10. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ.

Our service providers process data in the following regions:

• Supabase: Servers may be located in the United States or European Union
• Vercel: Global CDN with data centers primarily in the United States

This Service is intended for use in India only. By using our Service, you acknowledge that your data may be processed by these providers in the countries listed above, and that such processing is subject to India's Digital Personal Data Protection Act, 2023. We ensure such transfers comply with applicable Indian laws and appropriate safeguards are in place to protect your data.

11. India — Digital Personal Data Protection Act, 2023 (DPDP Act)

As an Indian platform, Stamply.in complies with India's Digital Personal Data Protection Act, 2023. Under the DPDP Act:

• Stamply.in acts as a Data Fiduciary in relation to business account data it collects and processes
• Businesses using our platform act as Data Fiduciaries in relation to their customers' personal data, for which Stamply.in acts as a Data Processor
• You (as a Data Principal) have the right to access, correct, and erase your personal data
• You have the right to nominate another individual to exercise your data rights in the event of your death or incapacity
• Individuals under 18 years of age are considered minors; we require verifiable parental consent before processing their data
• You may file a complaint with the Data Protection Board of India if you believe your rights have been violated

To exercise any rights under the DPDP Act, contact our Grievance Officer at support@stamply.in.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date

You are advised to review this Privacy Policy periodically for any changes.

13. Contact Us & Grievance Officer

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Grievance Officer (as required under India's IT Rules, 2021 and DPDP Act, 2023):