Privacy Policy

Choploop ("we", "us", "our") operates the digital loyalty platform available at choploop.app. We act as the data controller for merchant account data and as a data processor for customer stamp data collected on behalf of merchants.

From merchants (account holders):

• Email address and password (hashed)
• Business name and branding assets (logo, colors)
• Billing information processed by Stripe — we never store card numbers
• Usage data: shop visits, redemptions, dashboard activity

From customers (loyalty card users):

• A randomly generated device token stored locally on their device
• Browser fingerprint (hashed, non-reversible) for fraud prevention
• Phone number and first name — only if voluntarily provided to save stamps
• Visit timestamps and stamp counts per shop

We do not sell your personal data. We do not use customer stamp data for advertising.

• To provide and maintain the Service
• To process payments and manage subscriptions
• To send transactional emails (account confirmation, billing receipts)
• To prevent fraud and abuse (rotating QR verification)
• To generate anonymized analytics for merchants (visit heatmaps, customer counts)
• To improve and develop the platform

• Contract performance — providing the Service you signed up for
• Legitimate interests — fraud prevention, platform security, analytics
• Consent — when customers voluntarily link their phone number
• Legal obligation — tax records, regulatory compliance

We use a minimal number of cookies. We do not use advertising, tracking, or third-party analytics cookies.

• Session cookie — keeps you signed in to the merchant dashboard (essential)
• Device token — stored in localStorage on customer devices, not a tracking cookie

We share data with the following third parties solely to operate the Service:

• Stripe — payment processing (their privacy policy applies to card data)
• Amazon Web Services (AWS) — cloud hosting and file storage (EU region)

As an EU resident, you have the right to access, correct, delete, port, object to, or restrict the processing of your personal data.

To exercise any of these rights, contact us at privacy@choploop.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (in France: the CNIL at cnil.fr).

We retain merchant account data for the duration of your account and up to 3 years after closure for legal and tax purposes. Customer stamp data is retained for the lifetime of the associated merchant shop. You may request deletion at any time.

We implement industry-standard security measures including HTTPS encryption, hashed passwords (bcrypt), rotating QR tokens, and access controls. No system is completely secure; we encourage you to use a strong, unique password.

The Service is not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the Service. Continued use after the effective date constitutes acceptance.

For privacy-related questions or to exercise your rights, contact us at privacy@choploop.app.