Privacy Policy

Last updated: May 2026

Summary

Punchless is built on a privacy-first principle: we collect zero personal information from customers. No email addresses, no phone numbers, no names, no device identifiers beyond what is required for WebAuthn passkey authentication. Customer loyalty cards are anonymous and device-bound.

What We Do Not Collect

  • Email addresses
  • Phone numbers
  • Names or personal identifiers
  • Location data
  • Browsing history or analytics tracking
  • Third-party cookies

What We Do Store

  • WebAuthn passkey credentials (cryptographic, not passwords)
  • Stamp card data (business association, stamp count, reward status)
  • Transaction logs (anonymous customer IDs, timestamps, actions)
  • Business account information (email, for business owners only)

How Authentication Works

Customer authentication uses the WebAuthn/FIDO2 standard. When a customer saves a card, their device generates a cryptographic key pair. The private key stays on the device (protected by Face ID, Touch ID, or PIN). The public key is stored on our server. No password is ever created, stored, or transmitted.

Business Accounts

Business owners register with an email address and password for account management and recovery. This information is used solely for authentication and account recovery. Business owner data is separate from customer data and is protected by standard security practices including password hashing and email verification.

Data Security

All data is stored in PostgreSQL with Row Level Security (RLS) policies. Customers can only access their own cards. Businesses can only access their own data. QR codes are server-signed JWTs with a short expiration time. WebAuthn sign counters are verified on each authentication attempt.

Data Deletion

Customers can delete their card at any time using the "Tear Card" option. This permanently removes all associated data from our servers. Business owners can delete their business account and all associated data through the dashboard settings.

Contact

For privacy-related inquiries, please contact us at support@punchless.cc.