Stampling
Last updated: 4 May 2026
Effective date: 4 May 2026
1. Introduction
Piotr Boroń, an individual conducting unregistered business activity under Article 5 of the Polish Entrepreneurs' Law of 6 March 2018 (ustawa z dnia 6 marca 2018 r. - Prawo przedsiębiorców), with a registered address at al. Solidarności 68/121, 00-240 Warsaw, Poland, European Union ("we", "us", "our"), operates the Stampling mobile application ("App", "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, how long we keep it, and what rights you have under the General Data Protection Regulation (GDPR) and Polish law.
By using Stampling, you acknowledge this Privacy Policy. If you disagree, please stop using the App.
This Privacy Policy is designed to align with Apple's App Store Privacy ("Nutrition Label") disclosures and Google Play's Data Safety form so you can verify our store-listing answers against this document.
2. Data Controller
The data controller responsible for your personal data is:
Piotr Boroń
Individual conducting unregistered business activity under Article 5 of the Polish Entrepreneurs' Law of 6 March 2018
al. Solidarności 68/121
00-240 Warsaw
Poland, European Union
Email: support@stampling.app
We do not currently have a statutory obligation to designate a Data Protection Officer. You can reach us about any privacy matter at the email above.
3. Data We Collect
3.1 Account data
You can use most of the App without an account. An account is required only for the optional pairing/cloud sync features. When you create an account we collect:
- Email address — obtained via email/password sign-up, or returned by Sign in with Apple or Sign in with Google when you choose to share it. Sign in with Apple's "Hide My Email" relay addresses are accepted.
- Authenticated user ID — a unique identifier generated by our authentication provider (Supabase) the first time you sign in.
- Display name — chosen by you within the App (default: "Stamp Collector"). Up to 24 characters.
- Avatar selection — a non-photo, in-app illustrated avatar identifier you choose. We do not collect a profile photo.
We do not collect your full legal name, date of birth, phone number, government ID, gender, race, religion, sexual orientation, political opinions, biometric identifiers, or any other special-category data.
3.2 Content you create
- Photos you take or import to create stamps, including any metadata (e.g. EXIF) that remains embedded in the image file. We do not strip or analyse EXIF and we do not request location permissions, so geolocation EXIF (if present in your source image) is preserved as-is. Photos are stored on your device. They are uploaded to our cloud only when you explicitly enable the paired sync feature for the album that contains them.
- Captions attached to stamps (optional text, max 2,000 characters).
- Album names and cover styling preferences (textures, gradients, fonts).
- Tags and like flags you apply to stamps.
Cloud-synced photos are stored in a pair-scoped Supabase Storage bucket under SHA-256-derived object names. They are transmitted over TLS and protected by Supabase's server-side security controls and storage encryption at rest. They are not end-to-end encrypted: the Service and our infrastructure providers process them as needed to operate sync. To respect Supabase's per-object size limits, large photos may be transcoded to an optimised JPEG copy for upload; the original file remains on your device and is not modified. Within the App, synced albums are intended to be visible only to you and your paired partner; database row-level security on our backend enforces this.
The pair is also subject to a per-pair cloud storage cap (currently 5 GB shared across both members). Reaching the cap blocks new uploads but never deletes content.
3.3 Pairing data
When you use the pairing feature we additionally process:
- Partner's user ID and your shared pair ID.
- Membership status (pending / approved) of each member of the pair.
- Recovery hash — a bcrypt hash of a recovery secret you set, stored on our server. We never store or have access to your plaintext recovery secret. The plaintext secret is generated on-device, shown to you once, and is your responsibility to keep.
- Invite codes, single-use invite tokens, and their expiry timestamps.
- Display profiles: when you (or someone trying to join your pair) requests pairing, the App publishes your chosen display name to the pair's members so the inviter can see who is asking to join. Pending join requests therefore make your display name visible to the inviter for that pair only, even before approval.
- Pair teardown state: leaving a pair dissolves the shared cloud scope for both members and removes pair-scoped cloud content where backend cleanup succeeds; local private albums on each device are not affected.
3.4 Subscription and entitlement data
- Subscription status (free / Pro / lifetime), the associated product identifier, and renewal/expiry timestamps, synced from RevenueCat into our backend.
- Couples Unlock state — i.e. whether your paired partner currently has an active Pro entitlement — so the App can extend Pro benefits to you and apply the 30-day "read-only grace" rules described in our Terms of Service.
- We do not process or store payment-card or banking details. All billing is handled by the Apple App Store or Google Play.
3.5 Local-only data (does not leave the device unless paired)
The following data is computed and persisted entirely on your device by default, and is sent to our servers only if and to the extent it is part of a shared album you have actively chosen to sync:
- Streak counts, daily-prompt history, weekly progress, badge progress, and stamp statistics.
- Notification preferences and reminder time.
- Camera, photo-quality, and selfie-mirror preferences.
- Trash (recently-deleted stamps) and per-collection ordering.
- Your auto-share-all-albums preference (a local toggle that, when on, marks each new private album as shared with your pair the moment you create it; the photos themselves only leave your device once sync runs).
3.6 Diagnostic data (Sentry)
When configured, Sentry receives crash reports, performance traces, and error logs that include:
- Device type, OS version, App version and build number.
- Stack traces, navigation breadcrumbs, and a pseudonymous user ID derived from your authenticated user ID (set only when you are signed in).
- Network failure metadata (status codes, endpoint paths) and the area of the App that triggered the error.
We configure Sentry not to send Personally Identifying Information by default (sendDefaultPii: false semantics). We use this data solely for diagnosing and fixing bugs and performance issues. The Sentry SDK respects your network availability — diagnostic data may be delayed until the device is online.
3.7 Data we do NOT collect
- Precise or approximate location — the App does not request any location permission and does not query the device for location.
- Contacts.
- Microphone or voice data. Camera audio recording is explicitly disabled.
- Health, fitness, financial, sensor, or browsing data.
- Biometric data — Face ID / Touch ID handshakes happen at the OS level; we never receive biometric templates.
- Behavioural / product analytics. We do not embed Mixpanel, Amplitude, Firebase Analytics, Google Analytics, Meta SDK, or any similar analytics SDK.
- Advertising identifiers (IDFA / AAID) — we do not request them and the App does not show any third-party ads.
- Cross-app or cross-website tracking.
The App does not "track" you in the sense defined by Apple's App Tracking Transparency framework. We do not display the ATT prompt because it is not required.
4. Legal Basis for Processing (GDPR Art. 6)
| Data | Legal basis |
|---|---|
| Account data (email, user ID) | Contract — necessary to provide the optional cloud Service you signed up for |
| Cloud-synced photos, captions, album metadata | Contract — necessary to provide the paired-sync feature you actively enabled |
| Pairing membership, invite codes, recovery hash, display profiles | Contract — necessary to operate pairing and account recovery |
| Subscription / entitlement state | Contract — necessary to enforce the benefits of your Stampling Pro purchase, including Couples Unlock |
| Crash reports and performance diagnostics (Sentry) | Legitimate interest (GDPR Art. 6(1)(f)) — diagnosing crashes, performance regressions, and security issues to maintain App quality; balanced and not overriding your rights |
| Responding to a support request | Legitimate interest in answering your enquiry, or contract where applicable |
| Compliance with legal obligations (tax invoices via stores, lawful demands) | Legal obligation (GDPR Art. 6(1)(c)) |
5. How We Use Your Data
We use your personal data to:
- Provide and maintain the Service, including pair-scoped cloud sync between you and your one chosen partner.
- Authenticate you and secure your account.
- Enforce subscription entitlements (free vs. Pro limits, Couples Unlock, the 30-day cloud-lapse grace policy).
- Diagnose and fix crashes, errors, and performance regressions (via Sentry).
- Investigate reports of abuse, illegal content, or violations of our Terms.
- Respond to support and data-subject requests.
- Comply with legal obligations and lawful demands from competent authorities.
We do not use your data to:
- Train AI/ML models. We do not use Your Content to train, fine-tune, or evaluate AI/ML models, and we do not allow our processors to do so.
- Build advertising, marketing, or behavioural profiles of you.
- Sell or rent your data.
- Make automated decisions that produce legal or similarly significant effects on you.
6. Data Sharing and Third Parties
We share personal data only as follows:
6.1 Supabase (Supabase, Inc., USA)
Our backend platform. Supabase stores your account credentials, pairing state, subscription/entitlement state, display profiles, and cloud-synced stamp content. Our Supabase project is hosted in the EU region by default; transfers outside the EU/EEA (e.g. to support staff in the US) are safeguarded by Standard Contractual Clauses (SCCs) and the EU–US Data Privacy Framework where applicable.
Privacy: https://supabase.com/privacy
6.2 RevenueCat (RevenueCat, Inc., USA)
Manages the subscription lifecycle and purchase verification. Receives your authenticated user ID, the original transaction identifiers from Apple/Google, and subscription event metadata. SCCs apply to international transfers.
Privacy: https://www.revenuecat.com/privacy
6.3 Sentry (Functional Software, Inc., USA)
Crash and error reporting. Receives device/OS/App version, stack traces, navigation breadcrumbs, network-error metadata, and a pseudonymous user ID. SCCs apply to international transfers.
Privacy: https://sentry.io/privacy/
6.4 Apple and Google (authentication, stores, and payments)
- Sign in with Apple and Sign in with Google pass an identity token to Supabase so we can create or unlock your account. We never receive your Apple/Google password.
- The Apple App Store and Google Play process all payments and provide subscription management. We do not receive payment-card data; we only receive purchase identifiers and entitlement signals via RevenueCat.
- Each is subject to its own privacy policy:
6.5 Your paired partner
If you enable pairing and share an album:
- Your partner can see the album name, the photos and stamps in it, captions, tags, like flags, cover styling, and your display name.
- Your partner cannot see your email, your authentication provider, your subscription history, your private albums, or any data you have not explicitly shared.
- During an open invite, your display name and the existence of your pending join request are visible to the other member of the pair you are trying to join.
Pairing is designed for one trusted person, not public posting. There is no public feed, no follower mechanic, and no algorithmic distribution of your content.
6.6 Legal and safety disclosures
We may disclose your data if required by law, court order, or competent authority, or where we reasonably believe disclosure is necessary to (a) comply with legal process, (b) protect the rights, property, or safety of our users, our staff, or the public, (c) detect, prevent, or otherwise address fraud, security, or technical issues, or (d) enforce our Terms.
We do not sell your personal data and we do not share it for cross-context behavioural advertising.
6.7 Business transfers
If we are involved in a merger, acquisition, or asset sale, we will provide notice and ensure your personal data continues to be protected at least to the same standard as this Privacy Policy before any transfer.
7. Data Retention
| Data | Retention |
|---|---|
| Account credentials (email, user ID) | Until you delete your account; then removed from live systems within 30 days |
| Cloud-synced photos, stamps, album metadata | Until you delete them or your account; if both paired members lose Pro, cloud copies stay read-only for 30 days then become eligible for removal from our cloud (local copies on devices are unaffected); deletion from routine encrypted backups within 90 days |
| Pairing data (pair, membership, recovery hash, invites) | Until the pair is dissolved or either member deletes their account |
| Display profiles | Until you change your display name (the new value replaces the old) or delete your account |
| Subscription / entitlement data | Until account deletion plus any retention period required by tax/billing law |
| Crash reports (Sentry) | According to the retention configured in our Sentry project (typically 30-90 days for events; we minimise retention to what is needed for debugging) |
| Local device data | Stays on your device; cleared when you uninstall, reset, or delete account |
| Support emails | Up to 24 months from last correspondence, then deleted |
Backup copies are deleted on the rolling backup retention schedule of the relevant processor (typically 30-90 days).
8. Data Security
We implement appropriate technical and organisational measures, including:
- Transport encryption. All communication between the App and our backend uses TLS 1.2+.
- Storage encryption. Supabase encrypts data at rest.
- Row-Level Security. Our database enforces strict per-row policies so a user can read only their own data and the pair-scoped data they are entitled to.
- Per-pair object scoping. Cloud photos live under <pair_id>/<sha>.jpg paths in a private bucket and are downloaded via short-lived signed URLs.
- Hashed secrets. Account passwords are hashed by Supabase Auth (bcrypt). Pairing recovery secrets are stored as bcrypt hashes; the plaintext is generated on-device and never sent to our servers.
- Secure token storage. Authentication tokens are kept in Expo SecureStore (iOS Keychain / Android Keystore), never in plain text or AsyncStorage.
- Server-issued, time-limited URLs for image downloads (60-second signed URLs).
- Principle of least privilege on our service accounts.
No security measure is 100% infallible. In the event of a personal data breach affecting your rights and freedoms, we will notify the Polish Data Protection Authority (UODO) within 72 hours and affected users without undue delay, as required by GDPR Art. 33-34.
9. International Data Transfers
Where personal data is processed outside the EU/EEA by Supabase, Sentry, RevenueCat, Apple, Google, or their subprocessors, transfers are safeguarded by:
- Standard Contractual Clauses (SCCs) adopted by the European Commission;
- The EU-US Data Privacy Framework where the recipient is certified;
- And, where applicable, supplemental technical and organisational measures.
You may request information about the safeguards in place by contacting us at support@stampling.app.
10. Your Rights Under GDPR
If you are in the European Union, the European Economic Area, the United Kingdom, or another jurisdiction with similar law, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten") |
| Restriction (Art. 18) | Request that we limit processing of your data in certain circumstances |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interests |
| Withdrawal of consent | Where processing is based on consent, withdraw it at any time |
| Complaint | Lodge a complaint with the Polish data protection authority (UODO) or the supervisory authority of your habitual residence |
To exercise your rights, contact us at support@stampling.app. We will respond within 30 days (extendable by a further 60 days for complex requests, per GDPR Art. 12). We may ask you to verify your identity before processing the request, especially for access, portability, and erasure.
The App also offers self-service deletion at any time:
- Settings → Danger Zone → Delete account wipes server-side data and clears the device.
- Couples Home → Leave pair dissolves the shared cloud scope for both members.
- Reset App clears all local data on this device.
These flows work even if you have lost access to your subscription, your network is intermittent, or our support inbox is delayed.
Polish Data Protection Authority (UODO):
Urząd Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warsaw, Poland
Website: https://uodo.gov.pl
11. California Residents (CCPA/CPRA)
If you are a California resident, you have the additional rights to know, delete, correct, limit the use of sensitive personal information, and opt out of "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioural advertising. You can exercise your rights using the same channels as in Section 10.
12. Children's Privacy
Stampling is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe a child has provided us with personal data, contact support@stampling.app.
13. Local Storage and Device Data
A large portion of Stampling's functionality works entirely on your device using local SQLite storage. Photos, stamps, albums, badges, streak data, and statistics stored locally are not transmitted to our servers unless you actively enable the pairing/sync feature on the album that contains them. Uninstalling, resetting, or deleting the account from within the App removes the corresponding device-side data.
14. Permissions Used by the App
The App requests the following platform permissions on a just-in-time basis and only for the stated purpose:
| Permission | Purpose |
|---|---|
| Camera | Take photos to turn into stamps; scan a partner's pairing QR code |
| Photos / Photo Library | Import existing photos to turn into stamps |
| Photo Library — save | Optionally save your finished stamp artwork back to your device library (off by default) |
| Notifications | Schedule the optional daily stamp reminder you set in Settings (local-only; no push server) |
The App explicitly does not request: location, microphone, audio recording, video recording, contacts, calendar, body sensors, files outside of selected media, or any tracking permission.
15. Push and Local Notifications
Stampling sends only local notifications scheduled by the App on your device (e.g. the optional daily stamp reminder). They are scheduled and delivered entirely on-device by the operating system and do not involve transmitting data to our servers. We do not operate a push notification server. You can disable notifications at any time from within the App (Settings → Daily Reminder) or in your device Settings.
16. Marketing
We do not run in-app advertising. We do not currently send marketing emails. If we ever do, it will only be on the basis of your prior, freely given consent, with an unsubscribe link in every email and the right to withdraw at any time.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. We will notify you of material changes via the App or by email at least 30 days before the change takes effect, where required. The latest version is always available within the App and at the link in the App Store / Google Play listing.
18. Contact Us
For privacy-related questions, data subject requests, or concerns:
Piotr Boroń
Individual conducting unregistered business activity under Article 5 of the Polish Entrepreneurs' Law of 6 March 2018
al. Solidarności 68/121
00-240 Warsaw
Poland, European Union
Email: support@stampling.app
We aim to respond to all enquiries within 30 days.
This Privacy Policy was last updated on 4 May 2026.