StampoolBack to Home

Privacy Policy

Last updated: April 5, 2026

1. Introduction

Stampool Inc. ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use the Stampool platform. We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Ontario privacy regulations.

2. Information We Collect

Merchant Information

  • Business name, address, and contact details
  • Email address and account credentials
  • Payment and billing information (processed by Stripe)
  • Business category and operating hours

Customer Information

  • Phone number (stored as a one-way cryptographic hash)
  • Stamp collection history per merchant
  • Reward redemption records

Automatically Collected

  • Device type and browser information
  • Timestamps of NFC tap interactions
  • IP address (for rate limiting and fraud prevention only)

3. How We Use Your Information

  • To operate and maintain the loyalty stamp service
  • To process stamp collections and reward redemptions
  • To send reward notifications via SMS (Twilio)
  • To process merchant subscription payments (Stripe)
  • To prevent fraud and enforce rate limits
  • To improve the Service based on aggregate usage patterns

4. Data Protection

  • Customer phone numbers are stored as HMAC-SHA256 hashes and cannot be reversed.
  • All data is hosted on Supabase infrastructure in Canada (Canada Central region).
  • NFC stamp URLs use server-side challenge tokens and cannot be replayed.
  • Row-Level Security (RLS) ensures merchants can only access their own data.
  • All connections use TLS encryption in transit.

5. Third-Party Services

We use the following third-party services to operate the platform:

  • Supabase — Database hosting and authentication (Canada)
  • Stripe — Payment processing (PCI DSS compliant)
  • Twilio — SMS delivery for OTP codes and reward notifications
  • Vercel — Application hosting

Each provider processes data under their own privacy policies and applicable data processing agreements.

6. Data Retention

  • Active merchant data is retained for the duration of the subscription.
  • Customer stamp data is retained while the associated merchant account is active.
  • Upon account termination, data is deleted within 90 days.
  • Anonymized aggregate analytics may be retained indefinitely.

7. Your Rights

Under PIPEDA, you have the right to:

  • Access your personal information held by us
  • Request correction of inaccurate information
  • Withdraw consent for data processing
  • Request deletion of your data
  • File a complaint with the Office of the Privacy Commissioner of Canada

8. Cookies

Stampool uses essential cookies for authentication and session management only. We do not use advertising or tracking cookies. No consent banner is required as we only use strictly necessary cookies.

9. Children

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us for removal.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active merchants via email at least 30 days in advance. The "Last updated" date at the top indicates the most recent revision.

11. Contact

For privacy-related questions or data requests, contact us at privacy@stampool.com.