1. Who we are
Stamp Ltd (UK) is the controller of your personal data. Contact privacy@stamp.foundation for anything data-related, including to exercise your rights.
2. What we collect
Account data (name, @handle, email, password hash, birthday if provided). Content you post (photos, captions, events, RSVPs). Circle relationships. Availability you mark. Device info we need to deliver the app (OS, app version, approximate timezone). Precise location ONLY when you have the "Show location on posts" setting on; used for two things — (a) coordinates attached to posts you actively create, and (b) centring your Stamps map on your current position when you open your profile. Coordinates never leave your circle; no one sees your live position except you.
3. What we do not collect
No advertising identifiers. No third-party trackers. No contact list upload. No microphone, no camera beyond the photos you explicitly pick. No location in the background — the app never asks for your location when the app is closed. No location at all if you leave "Show location on posts" off; the Stamps map simply falls back to the last place you posted from.
4. Legal bases (UK/EU GDPR)
Contract — to deliver the service you signed up for. Legitimate interests — to keep the service running, prevent abuse and improve reliability. Consent — for optional features like location tagging. Legal obligation — where we must comply with law enforcement or regulators.
5. How we use your data
To show your posts to your circle, match you with people you already know, deliver messages, run the word games, detect abuse, and send essential service emails (e.g. sign-in confirmations). We do not offer live chat or personal support.
6. Who we share with (processors)
Supabase (hosting, database, storage). Expo (app delivery and push notifications). Stripe (payments, if you subscribe). Resend or equivalent (transactional email). Sentry or equivalent (error reporting). Each is bound by a data-processing agreement and handles data only on our behalf.
7. International transfers
Some processors are based outside the UK/EU. Where that happens, transfers are protected by Standard Contractual Clauses or an equivalent safeguard.
8. Retention
Account data is kept while your account is active. When you delete your account, everything is removed within 30 days from our primary systems and within 90 days from backups. Anonymised, aggregate analytics may be retained.
9. Your rights
Access, rectify, erase, restrict, object, port, withdraw consent at any time — without affecting past lawful processing. Email privacy@stamp.foundation; we respond within one month. You can also complain to the UK ICO (ico.org.uk) or your local EU data protection authority.
10. Security
We use TLS in transit, encryption at rest for the database, scoped row-level security policies, and rotate keys on a schedule. No system is perfect; we'll notify you promptly of any breach that affects your data.
11. Cookies & similar
The app uses minimal local storage to keep you signed in and remember preferences. No advertising cookies.
12. Children
Stamp is 18+. We do not knowingly collect data from anyone under 18; if you believe we have, email privacy@stamp.foundation and we'll delete it.
13. Changes
Material changes will be notified in-app at least 30 days in advance.