Global Privacy Notice

1.1 Stampier is the entity responsible for collecting, using, and protecting your personal information/personal data when you use our loyalty program platform and services (the "Services").

1.2 Legal Roles:

• EU/UK: We are the "data controller" under GDPR and UK GDPR
• USA: We are a "business" under California CCPA/CPRA and similar state laws
• Canada: We are an "organization" under PIPEDA
• Australia: We are an "APP entity" under the Privacy Act 1988
• New Zealand: We are an "agency" under the Privacy Act 2020
• India: We are a "data fiduciary" under DPDPA 2023

1.3 EU & UK Representatives (GDPR Article 27):

Terminology Note: We use "personal information" and "personal data" interchangeably throughout this Notice. Both terms refer to information about an identified or identifiable individual.

2.1 We collect the following categories of personal information:

2.2 Business Customer Data (B2B Processing):

If you are a business user, you may upload personal information of your end-user customers to our platform. In these cases:

• You act as the data controller/business/organization
• We act as the data processor/service provider
• Our obligations are detailed in our Data Processing Agreement (DPA), which includes EU Standard Contractual Clauses and UK IDTA

3.1 We use your personal information for the following purposes:

4.1 We may share your personal information with the following categories of recipients:

4.2 Service Provider Obligations:

All third-party service providers we engage are contractually required to:

• Process personal information only on our documented instructions
• Implement appropriate security measures
• Comply with applicable data protection laws (GDPR, UK GDPR, PIPEDA, CCPA, etc.)
• Execute written data processing agreements with us
• Notify us of any data breaches without undue delay
• Not use your data for their own purposes

5.1 Transfer Safeguards:

When we transfer personal information across borders, we ensure adequate protection through the following mechanisms:

5.2 Data Storage Location:

5.3 Limited Third-Country Processing:

• Finland (EU) - Primary data storage and application hosting
• United States - Limited transfers for payment processing (Stripe) with EU SCCs protection
• India - Company operations and support (no personal data storage)
• Other Locations - Only as disclosed with appropriate safeguards

5.4 Requesting Transfer Documentation:

You may request copies of the safeguards we have in place for international transfers by contacting privacy@stampier.co. We will provide appropriate documentation, which may be redacted to protect confidential business information.

6.1 We implement industry-standard technical and organizational security measures to protect your personal information:

6.2 Your Security Responsibilities:

• Keep your password confidential and secure
• Do not share your account credentials
• Log out after using shared devices
• Report suspicious activity immediately
• Keep your contact information up to date

7.1 We retain your personal information only as long as necessary for the purposes outlined in this Notice and to comply with legal obligations.

7.2 Account Deletion:

When you close your account or request deletion:

• Active account data will be deleted or anonymized within 90 days
• Backup copies will be removed in accordance with our backup rotation schedule (maximum 180 days)
• Financial records will be retained for 7 years as legally required
• Anonymized analytics data may be retained indefinitely

7.3 Exceptions:

We may retain certain information longer when required by law or legitimate business purposes, including:

• Fraud prevention and security purposes
• Resolving disputes or enforcing agreements
• Complying with legal obligations (tax, audit, regulatory)
• Responding to legal claims or investigations

8.1 Under GDPR and UK GDPR, we must have a valid legal basis to process your personal data. We rely on the following:

8.2 Legitimate Interests:

Where we process your data based on legitimate interests, we have balanced our interests against your rights. Our legitimate interests include:

• Operating and improving our platform
• Ensuring network and information security
• Preventing fraud and abuse
• Understanding customer needs and preferences
• Direct marketing to existing customers (soft opt-in)

You have the right to object to processing based on legitimate interests. Contact privacy@stampier.co to exercise this right.

9.1 EU and UK residents have the following rights regarding their personal data:

9.2 How to Exercise Your Rights:

To exercise any of these rights, email us at privacy@stampier.co with:

• Your full name and email address
• The specific right you wish to exercise
• Any relevant details or information
• Proof of identity (if requested for security)

Response Time: We will respond within 1 month of receiving your request. This may be extended by 2 additional months for complex requests.

Free of Charge: Requests are free. We may charge a reasonable fee for manifestly unfounded or excessive requests.

10.1 You have the right to lodge a complaint with a data protection supervisory authority.

Before lodging a complaint: We encourage you to contact us first at privacy@stampier.co so we can try to resolve your concerns directly.

11.1 Applicable Laws:

This section applies to residents of states with comprehensive privacy laws, including:

• California: California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
• Virginia: Virginia Consumer Data Protection Act (VCDPA)
• Colorado: Colorado Privacy Act (CPA)
• Connecticut: Connecticut Data Privacy Act (CTDPA)
• Utah: Utah Consumer Privacy Act (UCPA)
• Other States: Laws enacted after this Notice's effective date

11.2 Your Privacy Rights:

11.3 How to Exercise Your Rights:

Submit a request by:

• Email: privacy@stampier.co
• Subject Line: "Privacy Rights Request - [State]"

Response Time: We will respond within 45 days (California, Virginia, Colorado, Connecticut, Utah). May be extended by 45 additional days with notice.

Verification: We will verify your identity before fulfilling requests. You may be asked to provide:

• Your name and email address associated with your account
• Recent account activity details
• Government-issued ID (for sensitive requests)

Authorized Agents: California residents may designate an authorized agent to make requests on your behalf. The agent must provide written authorization or power of attorney.

12.1 Categories of Personal Information Collected (Last 12 Months):

12.2 "Shine the Light" Law (California Civil Code § 1798.83):

California residents may request information about disclosures of personal information to third parties for direct marketing purposes. Since we do not share personal information for third-party direct marketing, this does not apply.

12.3 California Financial Incentive Notice:

We do not offer financial incentives or price differences related to the collection, retention, or sale of personal information.

13.1 The Personal Information Protection and Electronic Documents Act (PIPEDA) grants Canadian residents the following rights:

13.2 Consent Under PIPEDA:

We obtain your consent before or when we collect, use, or disclose your personal information, except where permitted by law. Consent may be:

• Express consent: You explicitly agree (e.g., checking a box, signing a form)
• Implied consent: Your consent is inferred from your actions (e.g., providing information for account creation)

The form of consent depends on the sensitivity of the information and your reasonable expectations.

13.3 How to Exercise Your Rights:

Contact us at:

• Email: privacy@stampier.co
• Subject Line: "PIPEDA Privacy Request"

We will respond within 30 days of receiving your request.

14.1 If you believe we have not complied with PIPEDA, you may file a complaint with the Office of the Privacy Commissioner of Canada.

We encourage you to contact us first at privacy@stampier.co so we can address your concerns directly.

15.1 The Privacy Act 1988 (Australia) and Australian Privacy Principles (APPs) grant Australian residents the following rights:

15.2 How to Exercise Your Rights:

Contact us at privacy@stampier.co with "Australian Privacy Request" in the subject line. We will respond within 30 days.

15.3 Complaints to OAIC:

16.1 The Privacy Act 2020 (New Zealand) grants New Zealand residents the following rights:

16.2 How to Exercise Your Rights:

Contact us at privacy@stampier.co with "New Zealand Privacy Request" in the subject line. We will respond within 20 working days.

16.3 Complaints to Privacy Commissioner:

17.1 The Digital Personal Data Protection Act, 2023 (DPDPA) grants Indian residents (Data Principals) the following rights:

17.2 Consent Under DPDPA:

We obtain your free, specific, informed, and unambiguous consent before processing your personal data, except where permitted by law. You may withdraw consent at any time.

17.3 How to Exercise Your Rights:

Contact our Data Protection Officer at:

• Email: dpo@stampier.co
• Privacy Inquiries: privacy@stampier.co
• Subject Line: "DPDPA Rights Request"

We will respond within the timeframes specified by DPDPA rules (to be finalized by the Data Protection Board).

18.1 The Data Protection Board of India is the regulatory authority for DPDPA compliance.

18.2 IT Act 2000 Compliance:

We comply with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

• We implement reasonable security practices to protect personal data
• We obtain consent before collecting sensitive personal data or information
• We do not publish or disclose sensitive personal data without consent
• We comply with data breach notification requirements

18.3 Grievance Officer:

Our designated Grievance Officer for India is available at:

• Name: [Grievance Officer Name - To Be Appointed]
• Email: dpo@stampier.co

Grievances will be acknowledged within 24 hours and resolved within 30 days.