Privacy Policy

Last updated: April 2026

Punchcard (“we”, “our”, “us”) is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data when you use the Punchcard loyalty rewards platform.

1. Information We Collect

We collect the following categories of information:

Account Information (via OAuth)

• Name and email address provided by Apple or Google when you sign in
• OAuth provider identifier (used to link your account securely)
• Profile photo URL (if provided by your OAuth provider)

Location Data

• Approximate location when you use map features to discover nearby venues (not stored persistently)
• Venue check-in records (which venue you scanned a QR code at, and when)

Loyalty Activity

• Loyalty points earned at each venue
• Rewards redeemed, including timestamp and venue
• QR scan history

Device Information (for push notifications)

• Push notification subscription token (if you grant notification permission)
• Browser user-agent for notification delivery compatibility

2. How We Use Your Information

• To operate your Punchcard account and authenticate you securely
• To record and display your loyalty points and rewards across all participating venues
• To enable venue discovery on the map based on your location
• To send push notifications about rewards milestones and venue offers (only if you opt in)
• To provide venue owners with anonymized, aggregate analytics about their loyalty program
• To detect and prevent fraudulent activity in the rewards system
• To improve the Service based on aggregate usage patterns

We do not sell your personal information to third parties. We do not use your data for advertising or behavioral profiling.

3. Third-Party Services

Punchcard relies on the following third-party services to operate. Each service has its own privacy policy that governs their data handling:

Supabase

We use Supabase for authentication and database storage. Your account information, loyalty points, check-in history, and push notification subscriptions are stored in Supabase databases hosted on AWS infrastructure. Supabase is SOC 2 Type II certified. Supabase Privacy Policy →

Google

We use Google for two purposes: (1) OAuth sign-in, which allows you to authenticate using your Google account, and (2) Google Maps API for displaying venue locations. Google may collect usage data in connection with Maps API calls. Google Privacy Policy →

Stripe

Venue owners who subscribe to a paid Punchcard plan are billed through Stripe. If you are a venue owner, your payment card details are handled directly by Stripe — Punchcard never stores or has access to full card numbers. Stripe is PCI-DSS Level 1 certified. Stripe Privacy Policy →

Mapbox

We use Mapbox for interactive map rendering in the venue discovery feature. Mapbox may collect telemetry data related to map interactions. Mapbox Privacy Policy →

4. Data Retention

We retain your account information and loyalty history for as long as your account is active. If you delete your account, we permanently delete your personal data within 30 days, except where we are required to retain it for legal compliance purposes. Push notification subscriptions are deleted immediately upon account deletion or when you revoke notification permission.

5. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Delete your account and associated data at any time from account settings
• Portability: Request an export of your loyalty history in a machine-readable format
• Objection: Object to specific uses of your data

To exercise any of these rights, email us at privacy@punchcard.app. We will respond within 30 days.

6. Children's Privacy

Punchcard is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete that information promptly. If you believe a child under 13 has created a Punchcard account, please contact us at privacy@punchcard.app.

7. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification. The “Last updated” date at the top of this page reflects when the policy was last revised. Continued use of Punchcard after an update constitutes acceptance of the revised policy.

8. Contact Information

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Email: privacy@punchcard.app