Privacy Policy
- § 1
Controller
Controller within the meaning of the GDPR: Treuly [legal company name] [address] [postal code, city] Germany
Data protection contact: support@treuly.de · Phone: +49 170 5922001
- § 2
What data we collect
We only collect what Treuly needs to work: the shop owner's email address (authentication), details about the shop and the stamp card (display and configuration), and stamp timestamps (reward logic).
For your customers' stamp cards we use an anonymous pass identifier. End customers do not need to register with Treuly and are not personally identified by us.
No profiling, no sale of data to third parties, no advertising trackers on treuly.de.
- § 3
Legal bases
Processing takes place on the basis of Art. 6 (1) (b) GDPR (performance of a contract) to provide the service, Art. 6 (1) (c) GDPR (legal obligation) for retention requirements, and Art. 6 (1) (f) GDPR (legitimate interest) for operational security (e.g. log files).
- § 4
Payment processing via Stripe
For payment processing we use Stripe Payments Europe Ltd. (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) as a data processor under Art. 28 GDPR. Treuly remains the contracting party and the issuer of invoices (merchant of record); Stripe is not a contracting party of the customer.
The following data is transferred to Stripe during a payment: email address, billing address, name, and — for B2B purchases — optionally the VAT identification number. Payment data (credit card details, SEPA mandate data, etc.) is collected directly in Stripe's PCI-DSS Level 1 certified payment widget and never touches our servers.
Stripe processes this data on the basis of the data processing agreement (DPA) required at contract signing, available at https://stripe.com/legal/dpa.
Invoice data is retained for 10 years under § 257 HGB (German Commercial Code). Upon deletion of the Treuly account, we anonymize the associated Stripe customer profile (name, email); the invoice history is retained for commercial and tax-law reasons.
Payments via the App Store (Apple) are handled by Apple Distribution International Ltd.; their terms apply.
- § 5
Service providers (processors)
We use the following providers to operate Treuly:
• Website and API hosting: Render Services, Inc. (Frankfurt / EU region)
• Database: Supabase, Inc. (EU region)
• Authentication and account management: Clerk, Inc. (USA)
• Payment processing: Stripe Payments Europe Ltd. (Dublin, Ireland)
• Apple Wallet / push notifications: Apple Distribution International Ltd. (Ireland)
• Google Wallet: Google Ireland Limited (Ireland)
Transfers to third countries (USA) take place on the basis of Standard Contractual Clauses under Art. 46 GDPR or, where certified, an adequacy decision (EU–US Data Privacy Framework).
- § 6
Your rights
Under the GDPR you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). Send requests informally to support@treuly.de.
Competent supervisory authority: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany.
- § 7
Retention
We only retain personal data for as long as it is needed to provide the service or to meet statutory retention obligations (e.g. § 147 AO, § 257 HGB). After you delete your account, content is removed within 30 days; invoice and billing data is retained for 10 years under § 257 HGB, and the associated Stripe profile is anonymized (Art. 17 (3) (b) GDPR).