Privacy policy

Last updated: April 2026

Stamped is a digital coffee loyalty app. Customers collect stamps from participating cafes; cafe owners and their baristas manage loyalty cards, stamp scans, and reward redemptions. This Privacy Policy explains what we collect, why, and what you can do about it. Questions? Email hello@umair.au.

Who we are

Stamped is operated by the publisher of the app. We are the data controller for the information described below. For any privacy request (access, correction, deletion, export), contact hello@umair.au.

What we collect

  • Account — your email address (used to sign in via one-time code) and, optionally, a display name and avatar you choose to add to your profile.
  • Role — whether you are signed in as a customer, a cafe barista, or a cafe brand owner. Baristas and owners are linked to the cafes / brand they work for.
  • Loyalty activity — the loyalty cards on your phone, the stamps you earn, and the rewards you redeem. Each stamp event records which cafe issued it, which barista stamped it, and when.
  • Camera — used only when you scan a cafe QR code to start collecting stamps, or when a barista scans a customer QR code to add a stamp. We do not store or upload photos, videos, or frames. The camera is only active while the scanner screen is open.
  • Device — basic technical data required to run the app (app version, operating system, language). We do not embed third-party analytics or advertising SDKs in Stamped.

How we use your data

We use the information above to: sign you in, issue and update your loyalty cards, process stamp scans and reward redemptions, show cafe owners aggregate analytics for the cafes they own, respond to support requests, and keep the service secure.

We do not sell your personal information, and we do not use it for advertising.

Who sees your data

You see your own loyalty cards, stamp history, and profile.

Baristas at a cafe you have visited see the stamp events they scan for you at that cafe and, for the current session, your display name and avatar.

Cafe owners see aggregate analytics for their brand and cafes — for example scans per day, top cafes, and recent redemptions — together with the limited customer information required to issue rewards (cafe + timestamp). Owners do not receive a customer list outside of their own loyalty activity.

We use Supabase (hosting, authentication, and database) as a data processor. Supabase processes data under our instructions. No other third parties receive your loyalty data.

Retention

We keep your account data while your account is active. Stamp and redemption history is kept for as long as the associated loyalty card is active so you can see your progress and use rewards. When you delete your account, we remove or anonymise personal identifiers; aggregate counts retained for cafe analytics no longer identify you.

Account deletion (in-app)

From Profile you can delete your Stamped account immediately after you confirm — there is no email-only or “contact support to delete” step.

Removed in full: your sign-in identity, profile row, loyalty card instances, saved customer QR tokens, staff assignments at cafes, brand membership rows, barista invites you created as inviter, and brands you own only when those brands have no remaining cafes, staff, customer cards, or stamp history on their card templates.

Kept without identifying you: append-only stamp and redemption rows stay in the database so cup counts and rewards redeemed remain accurate for cafes; your customer and barista foreign keys on those rows are cleared. Where your name used to appear in barista activity, the app shows “Deleted user”.

Security

We use industry-standard encryption in transit and at rest. Access to customer-identifying data is limited by role-level rules in our database. QR codes used for stamping and redemption are short-lived one-time tokens.

Your rights

You can delete your own account from the Profile tab (customers and brand owners) when the app is connected to our live servers — see Account deletion above. You can also request access, correction, export, or help with deletion by emailing hello@umair.au. Sign out is available from Profile at any time. Depending on where you live, you may have additional rights under local law (for example the EU GDPR, UK GDPR, or Australian Privacy Act).

Children

Stamped is not directed at children under 13 and we do not knowingly collect personal information from children.

Changes

We may update this Privacy Policy to reflect changes in the app or the law. The “Last updated” date above changes whenever we publish an update. Material changes will be announced in-app before they take effect.

Contact

Privacy questions or requests: hello@umair.au.