Terms of Use (Business)

Codemellow UG (haftungsbeschränkt) · Last updated: May 2026

Including Data Processing Agreement (DPA) pursuant to Art. 28 GDPR

Part 1 — Terms of Use

Welcome to Stamps! These Terms of Use govern your access to and use of the Stamps service, operated by Codemellow UG (haftungsbeschränkt) (“we”, “us”). By using Stamps, you agree to these Terms. If you do not agree, please do not use the Service. 

1. About Stamps

Stamps is a digital loyalty solution that allows businesses to offer branded stamp cards directly in Apple Wallet and Google Wallet, without requiring customers to download an app. Stamps is provided as a subscription-based software service.

2. Company Information

Codemellow UG (haftungsbeschränkt) · Susannenstraße 21a, 20357 Hamburg, Germany · hey@getstamps.io

3. Eligibility

You must be legally capable of entering into a contract. If using Stamps on behalf of a business, you confirm you are authorised to do so.

4. Account & Access

You are responsible for keeping login credentials secure and for all activity under your account. We may suspend access if we reasonably believe the Service is being misused or these Terms are violated.

5. Subscription, Billing & Cancellation

  • Stamps is offered on a paid subscription basis

  • Subscriptions renew automatically unless cancelled

  • Cancellation takes effect at the end of the current billing period

  • Payments are non-refundable unless required by law

6. Acceptable Use

You agree not to use the Service for unlawful purposes, interfere with its operation, attempt unauthorised data access, or misuse customer data collected via Stamps. You remain fully responsible for how you use customer data in your own business, including compliance with applicable data protection laws.

7. Push Notifications

Stamps provides a technical feature to trigger push notifications via Wallet card updates. By using this feature, you confirm that:

  • you have a valid legal basis (e.g. consent or legitimate interest) for sending communications to your customers

  • the content of notifications is lawful, accurate, and not misleading

  • you accept full responsibility for all notification content

  • you will not use this feature for unsolicited commercial messages without prior consent

Stamps acts solely as a technical transmitter. You are responsible for compliance with the GDPR and the UWG (German Act against Unfair Competition). Where required, opt-in wording and consent mechanisms must be implemented before sending marketing communications.

8. Customer Analytics

Stamps provides analytics data including name, email address, and stamp/visit activity in your dashboard. You agree to use this data only for operating your loyalty program and in accordance with applicable data protection law. The Data Processing Agreement in Part 2 governs this processing.

9. Intellectual Property

All rights to the Stamps software, branding, and technology remain with Codemellow UG. You receive a non-exclusive, non-transferable right to use the Service during your subscription.

10. Data Protection

Your use of Stamps includes the mandatory Data Processing Agreement (Part 2 of this document) pursuant to Art. 28 GDPR. By accepting these Terms, you also accept the DPA.

11. Availability & Changes

We aim to keep Stamps available and reliable but do not guarantee uninterrupted operation. We may update features or modify the Service and will notify you of material changes where required.

12. Limitation of Liability

  • No liability for indirect or consequential damages

  • No liability for lost revenue, data, or profits

  • Liability limited to amounts paid in the last 12 months

Nothing limits liability where exclusion is not permitted by law.

13. Priority of Terms

In the event of any conflict between these Terms and other commercial agreements, the data protection provisions of Part 2 (DPA) take precedence with respect to the processing of personal data.

14. Governing Law

German law applies. Jurisdiction: Hamburg, Germany.

15. Changes to These Terms

We may update these Terms from time to time. Material changes will be communicated in advance. Continued use of Stamps means acceptance of the updated Terms.

16. Contact

hey@getstamps.io · Codemellow UG, Susannenstraße 21a, 20357 Hamburg, Germany


Part 2 — Data Processing Agreement (DPA)

Pursuant to Art. 28 GDPR

This Data Processing Agreement forms an integral part of the Terms of Use. It governs the processing of personal data of end users (loyalty card holders) carried out by Stamps on behalf of the business customer in the course of providing the Stamps service. In the event of any conflict, this DPA takes precedence with respect to personal data processing.

By accepting the Terms of Use, the business customer (Controller) confirms having read and accepted this DPA. No separate signature is required.

Article 1 — Definitions

  • “Controller” — the business (café, shop, or merchant) using Stamps to operate a digital loyalty program for its customers.

  • “Processor” — Codemellow UG (haftungsbeschränkt), operator of the Stamps platform.

  • “Data Subjects” — end users (customers) holding a digital stamp card issued by the Controller via Stamps.

  • “Personal Data” — any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).

  • “Sub-processor” — any third party engaged by the Processor to carry out processing on behalf of the Controller.

  • “Instructions” — documented instructions from the Controller, including instructions given via contract, written direction, dashboard configuration, support tickets, or other documented communication.

Article 2 — Subject Matter, Purpose, and Duration 

The Processor provides the Controller with a digital loyalty card platform (Stamps) that processes personal data of the Controller’s customers in the course of issuing and managing digital stamp cards in Apple Wallet and Google Wallet, including stamp recording, reward management, analytics, and push notifications.

This DPA is effective for the duration of the contractual relationship and terminates automatically upon termination or expiry of the Terms of Use, subject to Article 11.

Article 3 — Categories of Data and Data Subjects

3.1 Personal data processed

  • First name and last name

  • Email address

  • Phone number (where collected in the end-user flow)

  • Wallet card identifier

  • Stamp and reward activity (visit frequency, reward redemptions, current Wallet stamp count)

  • Timestamp of last activity

  • Push notification eligibility

  • Technical operational data (authentication events, device/browser data for security and error analysis)

  • Authentication identifiers (Apple ID / Google Account / Firebase — processed directly by respective providers)

3.2 Categories of data subjects

Customers of the Controller who have added a digital stamp card to Apple Wallet or Google Wallet; authorised Controller dashboard users and store/staff users.

Article 4 — Instructions and Controller Responsibilities

The Controller is responsible for:

  • determining the purposes and legal bases for processing under Art. 6 GDPR and communicating these to data subjects

  • providing data subjects with all required information pursuant to Art. 13 GDPR, including the involvement of Stamps as Processor

  • ensuring a valid legal basis exists for push notification communications, including obtaining required consent for marketing messages

  • processing personal data provided by Stamps only for the agreed purposes

  • notifying Stamps promptly of any changes affecting the lawfulness of processing

Instructions are given via the contractual relationship, dashboard configuration, support tickets, and documented written communication.

Article 5 — Processor Obligations

The Processor undertakes to:

  • process personal data only on documented instructions from the Controller, unless required to do so by applicable law

  • ensure that all authorised personnel are bound by confidentiality or a statutory obligation of confidentiality

  • implement and maintain appropriate technical and organisational measures (see Article 9)

  • not process Controller data for its own advertising, profiling, or other unrelated purposes

  • assist the Controller in responding to data subject rights requests under Chapter III GDPR

  • assist the Controller with obligations under Art. 32–36 GDPR (security, breach notification, DPIA, prior consultation)

  • delete or return all personal data upon termination and delete existing copies, unless law requires retention

  • provide all information necessary to demonstrate compliance with Art. 28 GDPR

Article 6 — Sub-processors

The Controller grants general written authorisation for the engagement of sub-processors, subject to the following conditions.

The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors, giving the Controller the right to object on legitimate data protection grounds. Notification will be sent to the registered account email address.

The Processor shall impose equivalent data protection obligations on all sub-processors by contract and remains fully liable for their performance.

The following sub-processors are currently authorised:

  • Google Cloud Platform (GCP) · Role: Core infrastructure, database, storage · Hosting / Routing: EU – Frankfurt (europe-west3) · Transfer Mechanism: EU-US DPF Certified · Note: Primary data residency

  • Google Firebase Identity Platform · Role: End-user authentication & identity · Hosting / Routing: EU – Frankfurt · Transfer Mechanism: EU-US DPF Certified; SCCs

  • Supabase Inc. · Role: Admin/staff authentication database · Hosting / Routing: EU – Frankfurt (eu-central-1) · Transfer Mechanism: SCCs; EU Data Boundary · Note: No end-user PII

  • Twilio / SendGrid · Role: Transactional email delivery · Hosting / Routing: EU – Regional routing · Transfer Mechanism: EU-US DPF Certified

  • Sentry (Functional Software Inc.) · Role: Error tracking & logging · Hosting / Routing: EU · Transfer Mechanism: EU-US DPF Certified · Note: IP & PII auto-scrubbed before storage

  • Apple Inc. (APNs) · Role: Push notifications (Apple Wallet / iOS) · Hosting / Routing: US / Global · Transfer Mechanism: SCCs · Note: Push token & payload only

  • Google LLC (FCM) · Role: Push notifications (Android / Google Wallet) · Hosting / Routing: US / Global · Transfer Mechanism: SCCs · Note: Push token & payload only

Article 7 — International Data Transfers

All primary data processing and storage occurs within the EU (Frankfurt, europe-west3). Where sub-processors transfer data outside the EEA, the Processor ensures appropriate safeguards are in place, including EU-US Data Privacy Framework (DPF) certification, Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, or applicable adequacy decisions. Details per sub-processor are listed in Article 6.

Article 8 — Data Minimisation, Tracking & Retention

The Processor adheres to the principle of data minimisation (Art. 5(1)(c) GDPR) and processes only what is necessary to operate the Service.

Stamps does not deploy Meta pixels, external advertising trackers, or unrelated behavioural tracking in the end-user flow. Analytics and error tracking tools are configured to minimise PII collection.

End-user accounts that remain completely inactive for 24 months are automatically flagged for deletion or irreversible anonymisation (Art. 5(1)(e) GDPR — storage limitation).

Deleted user data is purged from production immediately. In automated daily backups (stored in Frankfurt, 30-day lifecycle), deleted data is placed “beyond use” and ages out naturally. Suppression scripts ensure deleted users are not re-imported during disaster recovery rollbacks.

Article 9 — Technical and Organisational Measures (TOMs)

  • Encryption — AES-256 encryption at rest for all databases and storage buckets. TLS 1.2/1.3 for all data in transit.

  • Access Control — Production access limited to three authorised senior engineers via RBAC, least privilege, mandatory MFA, and access logging.

  • Endpoint Security — Engineering endpoints secured via MDM, mandatory full-disk encryption, and anti-malware.

  • Tenant Isolation — Multi-tenant data separation: records partitioned by unique Project IDs. Tenant isolation cryptographically enforced at API middleware and ORM layer.

  • Logging & Telemetry — Logging for operations, security, and error analysis. PII minimised in logs. Sentry Data Scrubbing rules automatically mask IP addresses and PII before storage.

  • Backup & Recovery — Daily automated backups stored in Frankfurt, 30-day lifecycle. Deleted user data not restored to production; suppression scripts prevent re-import during disaster recovery.

  • Confidentiality — All personnel with data access bound to confidentiality.

  • Availability — GCP infrastructure, daily backups, and recovery processes ensure service resilience.

  • Incident Management — Controller notified within 24 hours of a confirmed or suspected personal data breach.

  • Privacy Operations — Internal privacy contact designated. Record of Processing Activities maintained per Art. 30(2) GDPR.

Article 10 — Personal Data Breaches

In the event of a confirmed or suspected personal data breach affecting data processed under this DPA, the Processor shall notify the Controller’s designated privacy contact without undue delay and within a maximum of 24 hours of becoming aware. This ensures the Controller can comfortably meet its 72-hour reporting obligation under Art. 33 GDPR.

Notification will include, to the extent available: the nature of the incident, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.

Article 11 — Data Subject Rights (DSAR)

The Processor shall assist the Controller in fulfilling data subject rights (access, rectification, erasure, restriction, portability, objection). Verified requests forwarded by the Controller are processed within a maximum SLA of 14 calendar days. Data exports are provided in standard formats (JSON or CSV) where technically possible.

A GDPR webhook API for automated programmatic handling is planned for the product roadmap.

Article 12 — Deletion and Return of Data

Upon termination, the Processor shall, at the Controller’s choice, delete or return all personal data and delete existing copies, unless applicable law requires retention. Deletion requests: hey@getstamps.io

Article 13 — Audit Rights

The Controller has the right to carry out audits or commission an auditor to verify compliance with this DPA, with reasonable prior written notice during normal business hours. Audit costs are borne by the Controller. Audits are conducted with respect for confidentiality of other clients and operational security.

Note: Stamps does not currently hold ISO 27001 or SOC 2 certification as an early-stage company. The Processor commits to full cooperation with audits and to providing all relevant documentation upon request.

Article 14 — Governing Law & Contact

This DPA is governed by the laws of the Federal Republic of Germany. Jurisdiction: Hamburg, Germany.

Privacy contact: hey@getstamps.io · Codemellow UG (haftungsbeschränkt), Susannenstraße 21a, 20357 Hamburg


By using the Stamps service, the Controller confirms having read, understood, and accepted both Part 1 (Terms of Use) and Part 2 (Data Processing Agreement).