1. Who we are
Stamp Social Ltd (Company No. 17188757, trading as Stamp Foundation) is the controller of your personal data. Our registered office is 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We are registered with the UK Information Commissioner's Office under the Data Protection Act 2018 (registration ZC142084).
Because Stamp Social Ltd is established in the United Kingdom and processes UK personal data from the UK, we are not required to appoint a UK Article 27 representative. For users in the EEA, we currently rely on the same UK establishment; if our processing of EEA personal data triggers Article 27 of the EU GDPR in future, we will appoint an EU representative and name them here.
We have not appointed a Data Protection Officer because our processing does not meet the criteria in UK GDPR Article 37. The named contact for all data-protection matters, including subject-access requests and complaints, is our Data Protection Lead at privacy@stamp.foundation. We respond within one calendar month.
2. What we collect
Account data (name, @handle, email, password hash, birthday if provided). Content you post (photos, captions, events, RSVPs). Circle relationships. Availability you mark. Device info we need to deliver the app (OS, app version, approximate timezone). A place name ONLY when you choose to type one onto a post (optional); it is attached to that post and shown to your circle so it can appear on your Stamps map. We never read your device location or GPS; the place is the one you type, not where your phone is. Places never leave your circle.
If you submit your email through the "Notify me at launch" form on stamp.foundation, we store only your email address, the referring page (so we can tell whether you arrived from YouTube, social media, press or directly), your browser user-agent string and the timestamp. We use this to send you one email when the iOS and Android apps go live (and a final email if you ask to unsubscribe). The launch-notify list is held in our Supabase database and is not shared with any third party.
3. What we do not collect
No advertising identifiers. No third-party trackers. No contact list upload. Microphone is used ONLY when you tap the voice-note record button in chat or accept a voice or video call; we do not record in the background. Camera is used ONLY for photos you explicitly pick AND for video calls when you switch the camera on; we never access it in the background. We never read your device location or GPS, at all, foreground or background; the app has no access to where your phone is and never asks for it. The only "location" in Stamp is a place name you choose to type onto a post; leave it blank and the post simply has no place. Your Stamps map is built only from places you typed.
We do not seek special-category personal data (information about your health, race, ethnic origin, religion, political opinions, trade-union membership, genetic or biometric identifiers, sex life, or sexual orientation) as defined in Article 9 of the UK GDPR. Please do not share such data through Stamp. If you choose to include it in a post or message, we will process it only as part of that content within your circle; we do not analyse or infer special-category data from anything you share.
4. Legal bases (UK/EU GDPR)
Contract, to deliver the service you signed up for. Legitimate interests, to keep the service running, prevent abuse and improve reliability. Consent, for optional features like location tagging. Legal obligation, where we must comply with law enforcement or regulators.
5. How we use your data
To show your posts to your circle, match you with people you already know, deliver messages, run the word games, detect abuse, and send essential service emails (e.g. sign-in confirmations). We do not offer live chat or personal support. Launch-notify emails are used solely to tell you when the app goes live and to honour any unsubscribe request; they are never used for marketing, never enriched against third-party data, and never sold or shared.
6. Who we share with (processors)
Supabase (hosting, database, storage). Expo (app delivery and push notifications, including Apple Push Notification service and Firebase Cloud Messaging for delivery to your device). Apple and Google (billing and subscription management on their respective platforms; they act as the merchant of record for in-app purchases). Resend or equivalent (transactional email). Sentry or equivalent (error reporting). Sightengine (automated image moderation; photos you upload are scanned for safety; images are not retained by Sightengine). Klipy (animated GIF search results when you use the GIF picker; your search query is sent to Klipy, who may log it under their own policy). Open Library, Google Books and TVMaze (book and TV cover lookups when you add a Love; we send only the title and author you typed). Cloudflare (CDN for the foundation site; TURN relay for voice and video calls when peer-to-peer connection fails; call media is encrypted end-to-end using DTLS-SRTP with keys negotiated directly between the devices on the call, so the relay carries opaque bytes only). Each processor is bound by a data-processing agreement and handles data only on our behalf, except Klipy, which acts as an independent controller for its own search-query logs.
7. International transfers
Some processors are based outside the UK and the EEA. Where that happens, transfers are protected by the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses with the UK addendum, or an equivalent safeguard recognised by the ICO, together with additional technical and contractual measures where the destination country warrants them.
The destination countries by processor are: Supabase (United States, with data hosted in the EU or UK region where supported); Expo (United States); Apple (United States, for App Store and iOS in-app purchase); Google (United States, for Play Store, Google Play Billing, and Firebase Cloud Messaging); Resend (United States); Sentry (United States, EU region available); Sightengine (France, within the EEA, so no transfer mechanism required); Klipy (United States); Open Library (United States); Google Books (United States); TVMaze (United States); Cloudflare (United States, with edge nodes globally for CDN and TURN relay); Google Workspace (United States, for our staff email). UK-based processors (such as Stripe Payments UK Ltd, used only for Stripe Identity in our future charity-representative verification flow, and any UK tree-planting partner) are UK domestic and need no transfer mechanism.
A Transfer Risk Assessment is documented internally for each non-UK transfer, covering lawful-access exposure, encryption in transit and at rest, and contractual remedies. We can share the relevant assessment on request at privacy@stamp.foundation.
8. Retention
We keep each category of data only for as long as we need it, then delete it. The list below sets out the period for every category we process.
- Account data (name, @handle, email, password hash, optional birthday): kept while your account is active; on deletion, removed immediately from primary systems and within 7 days from backups.
- Posts, messages, voice notes, photos, events, RSVPs: same as account data; removed immediately on account deletion, within 7 days from backups.
- Sentry crash logs: 90 days, then automatically purged by Sentry.
- Sightengine moderation scans: 30 days at most; Sightengine does not retain the image itself.
- Klipy GIF search queries: not retained by Stamp; Klipy may log queries under their own policy.
- TURN relay media (Cloudflare): not stored; relayed packets pass through in real time and are not recorded.
- Authentication and security logs (sign-in events, rate-limit events, admin actions): 90 days.
- Subject-access and erasure correspondence: 1 year, so we have a record of how we handled your request.
- Email correspondence with support addresses: up to 3 years, then archived or deleted.
- Launch-notify email list (stamp.foundation form): deleted within 30 days of the launch broadcast, unless you explicitly opt into further updates inside that email; unsubscribe requests honoured immediately, row removed within 7 days.
- Tax and financial records: 6 years, as required by HMRC.
- Anonymised, aggregate analytics: indefinitely (no personal data).
9. Your rights
Access, rectify, erase, restrict, object, port, withdraw consent at any time, without affecting past lawful processing. Email privacy@stamp.foundation; we respond within one month. You can also complain to the UK ICO (ico.org.uk) or your local EU data protection authority.
10. Law enforcement and legal requests
We disclose personal data to law enforcement, regulators, or other public authorities only where we are required to by valid UK legal process, such as a court order, warrant, or formally issued statutory request that meets the relevant legal standard. We do not share data voluntarily, and we do not respond to informal requests.
When we receive a valid request, we limit our response to the narrowest scope that the request demands. We will notify the affected user where we are lawfully able to do so. We cannot disclose the content of end-to-end encrypted messages or end-to-end encrypted call media, because we do not hold the encryption keys; only the metadata that allows the service to function (for example, sender and recipient identifiers, timestamps, IP addresses tied to a session) is available to us, and only that metadata can be produced.
Requests should be sent to privacy@stamp.foundation.
11. Automated decision-making
We do not carry out automated decision-making that produces legal effects or similarly significant effects on you, as set out in Article 22 of the UK GDPR. We do not profile members for advertising, content recommendation, or feed ranking; the Stamp feed is chronological and is not algorithmically curated.
12. Record of processing activities
We maintain a written record of our processing activities under Article 30 of the UK GDPR. It sets out the categories of data we process, the purposes, the recipients, the international transfers, the retention periods, and the security measures we have in place. We make this record available to the ICO on request, and we can share relevant extracts with you on request at privacy@stamp.foundation.
13. Personal-data breaches
We monitor for incidents that affect personal data. If a breach is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office within 72 hours of becoming aware of it, as required by Article 33 of the UK GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34, and tell you what happened, the likely consequences, and the steps we are taking.
14. Transparency reporting
We commit to publishing our first transparency report within 12 months of public launch. It will cover the number of law-enforcement and government requests we have received, the number we have complied with, and the categories of data disclosed, alongside a summary of any material privacy incidents during the period.
15. Change of control
If Stamp Social Ltd is ever sold, merged, or restructured, your personal data may transfer to the acquirer or to a successor entity as part of that transaction. We will notify you in advance through the app and by email, so you can review the new arrangement and delete your account before the transfer if you choose. Your rights under the UK GDPR continue to apply to the acquirer in the same way they apply to us.
16. Security
We use TLS in transit, encryption at rest for the database, and scoped row-level security policies, and we rotate keys on a schedule. Your private communications are end-to-end encrypted: one-to-one and group messages, and the photos, voice notes and videos you share in them, are sealed on your device, addressed to the specific devices in the conversation, and unreadable on our servers. A small lock icon appears next to encrypted messages. Voice and video calls use end-to-end encrypted media (DTLS-SRTP); the signalling that sets up a call passes through Supabase (encrypted in transit), and the media itself is encrypted with keys negotiated directly between the devices on the call. Posts, events, profile fields and the feed are intentionally not end-to-end encrypted because they are meant to be visible to your circle; they are protected by TLS in transit, AES-256 at rest, and row-level security policies.
17. Cookies & similar
The app uses minimal local storage to keep you signed in and remember preferences. No advertising cookies. Sentry sets a per-session correlation identifier in app storage so crash reports can be linked across the same session; this is not used for advertising or analytics. The website (stamp.foundation) stores only a single theme preference in your browser's localStorage to remember whether you chose light or dark; it sets no analytics cookies, no advertising cookies, and no third-party trackers. Some product pages (such as the Inkwell pages) count anonymous, aggregate visits and funnel events on our own first-party systems so we can see which of our messages resonate; this counting uses no cookies, no identifier that follows you between visits, and records no personal data, no name and no IP address.
18. Children
Stamp is 18+. We do not knowingly collect data from anyone under 18; if you believe we have, email privacy@stamp.foundation and we'll delete it.
19. Changes
Material changes will be notified in-app at least 30 days in advance.
20. Contact
21. Company details
Stamp Social Ltd, Company No. 17188757, registered office 71-75 Shelton Street, Covent Garden, London WC2H 9JQ. Registered with the ICO (ZC142084) under the Data Protection Act 2018.