
Privacy Policy

Last updated: May 12, 2026

Habulo ("we", "us", or "our") operates a digital loyalty card platform for businesses and their customers. This Privacy Policy explains what personal data we collect, how we use it, and the rights you have over it when you use our website, business dashboard, customer registration pages, and digital wallet passes (collectively, the "Service"). We are the data controller for personal data of business users and act as a data processor for personal data of end customers collected on behalf of our business users.

1. Information We Collect

Business account data: When you register a business account, we store your email address, first and last name, optional avatar, timezone, and your role within your business. For your business profile we store the business name, slug, optional logo, email, phone, website, and the language used for customer communications. For team members we store the user, business, and role assignment.

Billing data: When you subscribe to a paid plan, we store your subscription plan, status, current billing period, trial end date, and Stripe customer and subscription identifiers. Payment card details are processed and stored by Stripe; we never see or store full card numbers.

Loyalty program data: We store the loyalty programs you configure, including program name, reward description, stamps required, colors, stamp design, optional background image and banner, welcome and location-based notification messages, your business latitude/longitude (when you enable location notifications), Google map and reviews links, the Google Wallet class identifier, and which customer fields you choose to collect or require.

End customer data: When a customer enrolls in one of your loyalty programs, we store their email address and any of the following fields you have chosen to collect: first name, last name, phone number, birthday. We also store the loyalty cards they hold, including current stamps, total stamps earned, total rewards redeemed, enrollment date, last stamp timestamp, card status, wallet type (Apple or Google), and individual stamp transactions and reward records (earned, redeemed, expired).

Wallet pass device data: When a customer adds a pass to Apple Wallet or Google Wallet, the wallet platform registers their device with us. We store the device library identifier and a push token that lets us update the pass and send notifications. We do not receive the customer's phone number, Apple ID, or Google account.

Notifications and in-app messages: We store notifications sent through your programs (title, message, type, target, send time, recipient count) and in-app notifications shown to you in the dashboard.

Usage data: We use Vercel Analytics, which collects aggregated, privacy-friendly metrics (such as page views, referrer, country, device type) without using cookies or persistent identifiers. Server logs may temporarily record IP addresses and request metadata for security and debugging.

Cookies: We use only the cookies strictly necessary to run the Service: authentication and session cookies set by Supabase, and small cookies that remember your theme and language preference. We do not use advertising or third-party tracking cookies.

2. How We Use Your Information

We use the information we collect to:

- Provide, maintain, secure, and improve the Service
- Authenticate you and protect your account
- Process subscriptions, payments, and invoices through Stripe
- Create and update digital loyalty cards, including issuing and updating Apple Wallet and Google Wallet passes
- Track stamps and rewards and present analytics to the business owner
- Send transactional emails (account verification, team invitations, billing notices) via our email provider
- Deliver notifications to customers through Apple Push Notification service and Google Wallet when triggered by your program (welcome message, stamp updates, reward earned, or, on Apple Wallet, when a customer is near your configured business location)
- Detect, prevent, and respond to fraud, abuse, and security incidents
- Comply with legal obligations and enforce our Terms

3. Legal Basis for Processing

We process personal data under the EU and Greek implementation of the GDPR on the following grounds:

- Contract performance: to provide the Service to business users and to operate loyalty cards on their behalf.
- Legitimate interests: to keep the Service secure, prevent fraud, debug errors, and improve features. We balance these interests against your rights.
- Consent: for any optional communications and for any data field a customer chooses to provide beyond the minimum required to issue a card.
- Legal obligation: to retain billing records and respond to lawful requests.

4. Data Sharing and Disclosure

We do not sell personal data. We share data only with the following categories of recipients, strictly as needed to operate the Service:

- Supabase: database and authentication hosting.
- Vercel: application hosting and Vercel Analytics.
- Stripe: subscription billing and payment processing.
- Apple (Apple Push Notification service / PassKit Web Service): issuing and updating Apple Wallet passes and delivering pass notifications.
- Google (Google Wallet API): issuing and updating Google Wallet passes.
- Resend: sending transactional emails.
- Authorities: when required by a binding legal request, court order, or to protect rights, safety, or the integrity of the Service.
- Successors: in the event of a merger, acquisition, or sale of assets, in which case the new entity will be bound by an equivalent privacy policy.

5. Data Retention

We retain personal data for as long as your account is active. When you delete your business account, or when a customer asks to be removed from a loyalty program, we delete the associated personal data within 90 days, except where we must retain limited records to meet legal, accounting, or tax obligations (in which case we restrict their use to those purposes). If a business subscription is terminated, all associated end customer records, loyalty cards, stamp transactions, rewards, and wallet pass registrations are deleted within 90 days. Server logs and analytics events are kept only as long as needed for security and product analytics, typically no more than 90 days.

6. Your Rights

Under the GDPR you have the right to:

- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: ask us to delete your personal data ("right to be forgotten").
- Restriction: ask us to limit how we use your data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on our legitimate interests.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time.
- Lodge a complaint: with the Hellenic Data Protection Authority (www.dpa.gr) or your local supervisory authority.

End customers should contact the business that issued their loyalty card first, since that business controls the program. We will assist business users in responding to such requests. To exercise any right directly with us, email info@habulo.com.

7. Cookies and Analytics

We use only strictly necessary cookies: authentication and session cookies (Supabase), and small preference cookies for theme and language. We use Vercel Analytics, which is cookieless and does not track individuals across sites. We do not run third-party advertising or behavioral tracking.

8. International Data Transfers

Some of our service providers (Supabase, Vercel, Stripe, Apple, Google, Resend) may process data on infrastructure located outside the European Economic Area, including in the United States. When data leaves the EEA we rely on transfer mechanisms approved under the GDPR, such as the European Commission's Standard Contractual Clauses and the EU–U.S. Data Privacy Framework where applicable.

9. Data Security

We protect personal data using TLS encryption in transit, encryption at rest on managed databases, row-level security for access control, scoped service credentials, and review of dependencies and infrastructure changes. No system is perfectly secure; if we become aware of a breach affecting your personal data we will notify you and the competent authority as required by law.

10. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact info@habulo.com and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When changes are material we will notify you by email or through the Service before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. For End Customers

If you registered for a digital loyalty card from a business that uses Habulo, this section summarizes how your data is handled in plain language.

Who you are dealing with: The business that owns the loyalty program is the primary owner of your data: they decide what to collect (e.g. name, email, phone, birthday) and how to communicate with you. Habulo runs the technical platform and acts as their processor.

What we store about you: Your email address (required), plus any of the optional fields the business asks for (first name, last name, phone, birthday). We store your loyalty card with the business, your current and total stamps, rewards you've earned or redeemed, and the date and timestamps of those events. If you add the card to Apple Wallet or Google Wallet, the wallet platform tells us your device's pass identifier and a push token so we can update the card and send notifications. We never see your Apple ID, Google account, or phone number from the wallet.

Why we hold your data: To run the loyalty program you signed up for: issuing your card, tracking stamps, delivering rewards, and (if you opted in) sending notifications about new stamps, ready rewards, or offers from the business.

Who sees your data: The business that issued the card sees it. Our hosting and infrastructure providers (Supabase, Vercel, Apple, Google, Resend) process it strictly to operate the Service. We do not sell your data and we do not share it with advertisers.

Your choices: You can ask the business to remove your loyalty card at any time, which deletes the data associated with it within 90 days. You can disable notifications at any time from your wallet pass settings. You can ask us directly to access, correct, or delete your personal data by emailing info@habulo.com. You can lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).

Age: You must be at least 16 to register on your own. If you are under 16, ask a parent or guardian to register for you.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, contact:

Habulo
Email: info@habulo.com