Privacy Policy
Last updated: June 2026
This policy applies to the website stempla.at and the Stempla app (iOS and Android). We process personal data exclusively within the limits of the law (GDPR, the Austrian Data Protection Act and TKG 2021).
1. Controller
Raphael Gerhard Bogner (business name: MaYE Media)
Kramlweg 7, 5252 Aspach, Austria
Phone: +43 670 6533244
Email: support@stempla.at
2. Website hosting & server log files
The website is hosted by Hostinger International Ltd. (Cyprus, EU). When the pages are accessed, the server automatically processes server log files (IP address, time, file requested, data volume transferred, browser and operating system information, referrer URL). This ensures trouble-free operation and security. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR). A data processing agreement is in place with Hostinger; EU standard contractual clauses are used for any third-country transfers.
3. Fonts
The fonts used are served locally from our own server. There is no connection to third-party servers (e.g. Google Fonts), and no personal data is transferred to third parties.
4. Cookies & tracking on the website
The website sets no analytics or marketing cookies and includes no tracking. A cookie banner is therefore not required.
5. Contacting us
When you contact us by email, the transmitted data is stored to process your request. The legal basis is Art. 6(1)(b) GDPR (pre-contractual/contractual measures) or (f) (legitimate interest). The data is deleted once it is no longer required, at the latest after six months, unless statutory retention obligations apply.
6. The Stempla app — data we process
Stempla is a digital stamp card. An account is required. We process the following categories:
- Account data: email address and name (customer or business owner) — required for the account.
- Sign-in data: sign-in via email/password or via “Sign in with Apple” or “Google Sign-In” (OAuth). From these sign-in services we receive your name and email address.
- Business data (for business accounts): company name, address, geo-coordinates derived from the address, logo/images and the stamp-card configuration.
- Loyalty & usage data (for customers): collected stamps, rewards, redemptions, joined businesses and related timestamps.
- Optional data (consent): date of birth (for the birthday campaign) and demographic details. These are off by default and only processed after explicit opt-in consent in the optional onboarding step.
- Push token: device token (Firebase Cloud Messaging) for sending push notifications.
- Notification history: stored in-app and push notifications.
- Stored locally on the device: session/auth tokens (in secure storage) and app settings.
7. Device permissions — clarifications
- Camera: used exclusively to scan QR codes. No images are stored or transmitted — processing happens only locally on the device.
- Photos/media library: accessed only when you actively pick a logo/image (upload to Supabase storage).
- No GPS/device location: business addresses are entered manually and converted via geocoding (address → coordinates). The app does not read the device location.
8. Purposes & legal bases
- Performance of contract (Art. 6(1)(b) GDPR): account, digital stamp cards, collecting stamps and redeeming rewards.
- Consent (Art. 6(1)(a) GDPR): push notifications, birthday/marketing campaign and optional demographic data. Consent can be withdrawn at any time with effect for the future.
- Legitimate interest (Art. 6(1)(f) GDPR): app security and fraud/abuse prevention (e.g. protection of stamp tokens).
9. Recipients / processors
To provide the app we use the following service providers:
- Supabase — backend (database, authentication, file storage, edge functions). Data is hosted in the EU West region (Paris, France).
- Google Firebase Cloud Messaging — sending push notifications (device token and message content). Provider: Google. A third-country transfer to the USA may occur (safeguarded by standard contractual clauses and the EU-US Data Privacy Framework).
- Apple — “Sign in with Apple” and the Apple Push Notification service (iOS push).
- Google — “Google Sign-In” (authentication).
- OpenStreetMap / Nominatim — geocoding (address → coordinates) and map tiles. Your IP address is transmitted to the OpenStreetMap Foundation servers.
- SMTP delivery via Hostinger — sending authentication emails (e.g. password reset, confirmation) through Hostinger's email service (EU).
- Hostinger — hosting of app.stempla.at (deep-link and authentication callback pages).
- Apple App Store / Google Play — distribution of the app.
Data processing agreements are in place with these processors where required.
10. Third-country transfers
Database, authentication and file storage are located in the EU. For some services (Firebase Cloud Messaging, Apple, Google), a transfer to the USA may occur. This is safeguarded by EU standard contractual clauses and/or the EU-US Data Privacy Framework.
11. Retention
Account data is stored until the account is deleted; thereafter it is deleted or anonymised. Tokens and logs are kept only as long as necessary for the respective purpose. Contact requests are deleted after six months at the latest, unless statutory retention obligations apply.
12. Account deletion in the app
You can delete your account at any time directly in the app (Settings → Delete account) — for both customer and business accounts. Deletion removes or anonymises the associated personal data.
13. Your rights
You have the rights to access, rectification, erasure, restriction of processing, data portability and objection, as well as the right to withdraw any consent at any time. To exercise these rights, please use the contact details above.
You also have the right to lodge a complaint with the supervisory authority: Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna, phone +43 1 52 152-0, dsb@dsb.gv.at, www.dsb.gv.at.
14. Minors
The app is not specifically directed at children; the age rating in the app stores is set accordingly.
15. Changes to this policy
We reserve the right to amend this privacy policy so that it always complies with current legal requirements. The current version is available on this page.
