PRIVACY POLICY
Punchable for Business
Last Updated: February 12, 2026
Introduction
Welcome to Punchable ("we," "our," or "us"). Punchable is a business tool that enables business owners to create digital loyalty programs and promotional coupons for Apple Wallet and Google Wallet.
This Privacy Policy explains:
- What information we collect
- How we use your information
- Your rights and choices
- How we protect your data
Who This Policy Applies To:
- Business owners who use Punchable (our direct customers)
- End customers who participate in loyalty programs created by businesses using Punchable
Contact Us:
- Email: support@punchable.app
- Website: https://punchable.app
1. Information We Collect
1.1 Business Account Information
When you create a Punchable business account, we collect:
Account Credentials:
- Email address (for login and account communications)
- Password (encrypted and stored securely)
- Business owner name
Business Profile Information:
- Business name
- Business address (street, city, state/province, postal code, country)
- Phone number
- Website URL (optional)
- Business hours
- Social media handles (Instagram, TikTok) - optional
- Business logo image (if you choose to upload one)
Payment Information:
- Subscription data is processed by Apple App Store
- We do not store credit card or payment details
- We receive only confirmation of active subscription status
1.2 Loyalty Program & Promotion Data
When you create loyalty programs and coupons, we collect:
Program Configuration:
- Loyalty program names and descriptions
- Promotion titles and descriptions
- Discount amounts and percentages
- Terms and conditions you set for promotions
- Coupon redemption limits and expiration dates
- Stamp/punch card configurations
- Points-based reward rules
- Pass designs, colors, and branding elements
Redemption Data:
- Timestamps of when passes are created
- Redemption history (when stamps/punches are added)
- Coupon usage statistics
- Pass distribution metrics
1.3 End Customer Information (Collected on Your Behalf)
When customers join your loyalty program, we collect only the information you choose to collect:
Optional Customer Data:
- Email address (only if customer opts in to receive emails)
- Loyalty program participation (which program they joined)
- Redemption history (stamps earned, rewards redeemed)
- Email marketing preferences (opted in or opted out)
- Timestamps of redemptions
Important: We do NOT collect customer names, phone numbers, addresses, or any other personal information unless you configure your program to request it. Email addresses are only collected with explicit customer consent.
1.4 Automatically Collected Information
Usage Analytics:
- How you use the app (features accessed, frequency of use)
- Device information (iOS version, device model)
- App version
- Crash reports and error logs
- Session duration and frequency
We do NOT collect:
- Precise location data
- Browsing history
- Search history
- Any information unrelated to providing the Punchable service
2. How We Use Your Information
2.1 To Provide the Punchable Service
We use your business information to:
- Create and maintain your Punchable account
- Generate digital wallet passes (Apple Wallet and Google Wallet)
- Display your business information on loyalty passes
- Enable barcode scanning and redemption tracking
- Provide analytics and reporting on your programs
- Process your subscription through Apple App Store
- Provide customer support
2.2 For Customer Communications (On Your Behalf)
With your direction, we use customer data to:
- Deliver loyalty passes to customers via email (using Resend)
- Send promotional emails to opted-in customers (only when you initiate them)
- Send pass update notifications (when you update a program)
- Process loyalty redemptions
Important: YOU control when and how customer emails are sent. We only send emails at your direction.
2.3 For Service Improvement
We use aggregated, anonymized data to:
- Improve app features and user experience
- Identify and fix bugs
- Understand usage patterns
- Develop new features
2.4 For Legal Compliance
We may use information to:
- Comply with legal obligations
- Respond to legal requests (subpoenas, court orders)
- Enforce our Terms of Service
- Protect rights, property, and safety
3. How We Share Your Information
3.1 Service Providers
We share data with trusted third-party service providers who help us operate Punchable:
Cloud Infrastructure:
- Supabase (Database and authentication) — Purpose: Secure data storage, user authentication. Data shared: All business account data, loyalty program data, customer data. Location: Hosted on AWS infrastructure (US and EU regions available).
Email Delivery:
- Resend (Email service) — Purpose: Deliver loyalty passes and promotional emails to customers. Data shared: Customer email addresses, email content you create.
Wallet Services:
- Apple PassKit API — Purpose: Generate and deliver passes to Apple Wallet. Data shared: Pass content (business name, logo, program details, barcodes). Apple does not receive customer email addresses.
- Google Pay API — Purpose: Generate and deliver passes to Google Wallet. Data shared: Pass content (business name, logo, program details, barcodes). Google does not receive customer email addresses.
Payment Processing:
- Apple App Store — Purpose: Process subscription payments. Data shared: Apple manages all payment information. We receive only subscription status (active/expired).
Analytics (Optional):
- We may use analytics services to understand app usage
- Only anonymized, aggregated data is shared
- No personally identifiable information is included
3.2 Legal Requirements
We may disclose information if required by law:
- To comply with legal process (court orders, subpoenas)
- To protect our rights or property
- To prevent fraud or security issues
- To protect public safety
3.3 Business Transfers
If Punchable is acquired or merged with another company, your data may be transferred to the new owner. We will notify you before your data is transferred and becomes subject to a different privacy policy.
3.4 With Your Consent
We may share information in other circumstances with your explicit consent.
3.5 What We Do NOT Do
We do NOT:
- Sell your business or customer data to anyone
- Share data with advertisers or marketing companies
- Use customer data for our own marketing purposes
- Share your data with other Punchable users
- Access your data except for support requests or legal requirements
4. Data Retention
4.1 Active Accounts
While your subscription is active:
- We retain all business and customer data indefinitely
- You can delete loyalty programs and customer data at any time
- Deleted data is permanently removed within 30 days
4.2 After Subscription Ends
When your subscription ends or is cancelled:
- Business data: Retained for 30 days to allow reactivation
- Customer data: Retained for 30 days to allow data export
- After 30 days: All data is permanently deleted from active systems
- Passes in customer wallets: Continue to exist but cannot be updated
4.3 Backups
Deleted data may remain in encrypted backups for up to 90 days before permanent deletion across all systems.
4.4 Legal Retention
We may retain certain data longer if required by law:
- Financial records (taxes, subscriptions): 7 years
- Legal dispute records: As required by ongoing litigation
5. Data Security
5.1 Security Measures
We implement industry-standard security practices:
Encryption:
- All data is transmitted over HTTPS with TLS encryption
- Data encrypted at rest in Supabase databases
- Passwords hashed using industry-standard algorithms
Access Controls:
- Limited employee access to production data
- Role-based access controls
- Two-factor authentication available for accounts
- Regular security audits
Infrastructure Security:
- Secure cloud hosting with Supabase (AWS infrastructure)
- Automated security patches
- Regular backups
- DDoS protection
5.2 Limitations
While we use reasonable security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
Your Responsibilities:
- Keep your password secure
- Don't share account credentials
- Log out on shared devices
- Report security concerns immediately
6. Your Rights and Choices
6.1 Business Owner Rights
You have the right to:
- Access: View all data we have about your business — Go to Settings → Account to view your business information. Contact support@punchable.app to request a full data export.
- Correct: Update incorrect business information — Edit your business profile in Settings → Business Profile. Contact support if you need assistance.
- Delete: Request deletion of your account and all data — Go to Settings → Account → Delete Account. Or contact support@punchable.app. All data will be permanently deleted within 30 days.
- Export: Download your business and customer data — Go to Settings → Export Data. Receive a JSON/CSV file with all your data. Or contact support@punchable.app.
- Portability: Receive your data in a machine-readable format — Use the Export Data feature. Supports JSON and CSV formats.
- Opt-out of Marketing: Unsubscribe from promotional emails — Click unsubscribe in any marketing email. Note: You'll still receive important service emails (billing, security, etc.).
6.2 Customer Rights (End Users of Loyalty Programs)
Your customers have rights regarding data you collect through Punchable:
As a business owner, you are responsible for:
- Honoring customer requests to access their data
- Deleting customer data upon request
- Providing customers their loyalty history upon request
- Honoring email unsubscribe requests immediately
Customers can:
- Unsubscribe from emails using the link in every email
- Request data deletion by contacting you (the business owner)
- Remove passes from their wallet at any time
Punchable's role:
- We provide tools for you to manage customer data
- We honor deletion requests you make through the app
- We ensure unsubscribe links work properly
- Ultimate responsibility for customer data is with you (the business owner)
7. Children's Privacy
Punchable is a business tool intended for users 18 years or older. We do not knowingly collect information from anyone under 18.
If we discover we have inadvertently collected data from someone under 18, we will delete it immediately.
Note: Customer loyalty program participants may include minors, but this data is collected and controlled by the business owner (you), not by Punchable directly.
8. International Data Transfers
8.1 Data Storage Locations
Your data is stored on Supabase infrastructure, which uses AWS data centers. Supabase offers both:
- US region (default): Data stored in United States
- EU region (available on request): Data stored in European Union
8.2 Cross-Border Transfers
If you are located outside the United States and use the US region, your information will be transferred to, stored, and processed in the United States.
If you are located outside the European Union and use the EU region, your information will be transferred to, stored, and processed in the EU.
By using Punchable, you consent to the transfer of your data to these locations.
8.3 Safeguards
All international data transfers are protected by:
- Standard Contractual Clauses (where applicable)
- Encryption in transit and at rest
- GDPR-compliant data processing agreements
- Regular security audits
9. Region-Specific Privacy Rights
9.1 European Economic Area (EEA), UK, and Switzerland - GDPR Rights
If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
Your Rights:
- Right to Access: Obtain confirmation that we process your data and receive a copy
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data
- Right to Restriction: Limit how we process your data in certain circumstances
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time (doesn't affect prior processing)
- Right to Lodge a Complaint: File a complaint with your local data protection authority
Legal Basis for Processing: We process your data based on Contract Performance, Legitimate Interests, Consent, and Legal Obligations.
Data Protection Contact: Email: privacy@punchable.app
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. Find your authority at: https://edpb.europa.eu/about-edpb/board/members_en
9.2 California Residents - CCPA/CPRA Rights
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Key rights include Right to Know, Right to Delete, Right to Correct, Right to Opt-Out (not applicable - we don't sell data), Right to Limit Use of Sensitive Personal Information (not applicable), and Right to Non-Discrimination.
How to Exercise Your Rights: Email privacy@punchable.app, or in the app go to Settings → Privacy → Data Request.
Response Time: We will respond within 45 days of receiving your request.
9.3 Other Jurisdictions
If you are located in other jurisdictions with specific privacy laws (Canada, Australia, Brazil, etc.), you may have additional rights. Contact privacy@punchable.app for information specific to your region.
10. Email Marketing & Customer Consent
10.1 For Business Owners (You)
Service Emails (You Cannot Opt Out): Account notifications, subscription billing and renewals, security alerts, important service updates, legal notices.
Marketing Emails (You Can Opt Out): Feature announcements, tips and best practices, promotional offers, product updates. Unsubscribe from marketing emails by clicking "Unsubscribe" in any promotional email.
10.2 For End Customers (Loyalty Program Participants)
Your Responsibilities as a Business Owner: When collecting customer emails for loyalty programs, you must obtain explicit consent (checkbox unchecked by default, clear language), provide an unsubscribe option in every email, and comply with anti-spam laws (CAN-SPAM, GDPR, CASL).
Punchable's Role: We provide compliant tools (opt-in checkboxes, unsubscribe links), process unsubscribe requests automatically, and monitor for spam complaints.
11. Data Controller and Processor Relationship
11.1 For Your Business Data
Punchable is the Data Controller: We determine how your account and business data are processed. We are responsible for compliance with privacy laws. You are the data subject.
11.2 For Customer Data (Loyalty Program Participants)
You (Business Owner) are the Data Controller: You determine what customer data to collect, decide when to send emails, and are responsible for GDPR/CCPA compliance.
Punchable is the Data Processor: We process customer data on your behalf, follow your instructions, and provide tools for compliance.
Data Processing Agreement: By using Punchable, you agree to our Data Processing Addendum, which governs how we process customer data on your behalf.
12. Cookies and Tracking Technologies
Our website (punchable.app) may use cookies for essential functionality, analytics, and performance improvements. You can control cookies through browser settings. The Punchable iOS app does not use cookies but may use local storage for app settings and session tokens for authentication.
13. Third-Party Links
Punchable may contain links to third-party websites (e.g., your business website, social media profiles). We are not responsible for the privacy practices of these sites. We encourage you to read their privacy policies.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you via email, an in-app notification, an update to the "Last Updated" date, and a prominent notice on our website. For significant changes, we will provide at least 30 days' notice before the new policy takes effect. Your continued use of Punchable after changes take effect constitutes acceptance of the updated policy.
15. Contact Us
General Inquiries: Email: support@punchable.app | Website: https://punchable.app
Privacy-Specific Inquiries: Email: privacy@punchable.app
Response Time: We aim to respond to all privacy inquiries within 5-7 business days.
16. Summary of Key Points
What we collect: Business profile information, loyalty program configurations and redemption data, customer emails (only with explicit opt-in).
How we use it: Provide Punchable services, generate wallet passes, send emails on your behalf, analytics and improvements.
Who we share with: Supabase, Resend, Apple & Google. We do NOT sell data to anyone.
Your rights: Access, correct, delete, or export your data. Opt out of marketing emails. GDPR and CCPA rights (if applicable).
Contact us: support@punchable.app or privacy@punchable.app
By using Punchable, you acknowledge that you have read and understood this Privacy Policy.