Fluffy Café Loyalty App — Last updated: June 2025
This loyalty application ("App") is operated by Fluffy Cafe-Restaurant, located at Stadsplein 95, Stadshart, 1181 ZM Amstelveen, the Netherlands.
For any privacy-related questions you can reach us at info@fluffycafe.nl.
In this policy, "we", "us" and "our" refer to Fluffy Cafe-Restaurant. "You" and "your" refer to you, the user of the App.
Under Dutch law (implementing the GDPR), persons under the age of 16 may not use digital services that process personal data without verifiable parental consent. You must be at least 16 years old to create an account. If we learn that we have collected data from a child under 16 without proper consent, we will delete that data promptly.
We only collect data that is necessary to run the loyalty programme.
| Category | Specific Data | When Collected |
|---|---|---|
| Account information | First name, last name, e-mail address, phone number, date of birth (optional) | When you register or update your profile |
| Authentication data | Firebase user ID, login tokens, phone verification status, e-mail verification status | When you sign in |
| Loyalty data | Points balance, points history (earned & spent), customer ID (anonymous alias), QR code | When you earn or redeem points |
| Receipt images & OCR text | Photos of receipts you upload, extracted text (receipt number, date, total amount) | When you submit a receipt for points |
| Support requests | Issue category, description, attached receipt image, incident number | When you contact support through the App |
| Device information | Push-notification token (FCM/APNs), device platform (iOS/Android), locale | When you enable push notifications |
Under the General Data Protection Regulation (GDPR), we need a lawful basis for every processing activity:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Creating and managing your loyalty account | Performance of a contract (Art. 6(1)(b)) |
| Verifying receipts and awarding points | Performance of a contract (Art. 6(1)(b)) |
| Processing point redemptions | Performance of a contract (Art. 6(1)(b)) |
| Handling your support requests | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional e-mails (e.g. support confirmations) | Performance of a contract (Art. 6(1)(b)) |
| Sending push notifications about your points or rewards | Your consent (Art. 6(1)(a)) — you can disable these in your device settings at any time |
| Preventing fraud and duplicate receipt claims | Legitimate interest (Art. 6(1)(f)) |
We use a limited number of trusted service providers to operate the App. They process data only on our instructions and are bound by data-processing agreements.
| Provider | Purpose | Data Involved | Location |
|---|---|---|---|
| Google Cloud Platform / Firebase | Authentication, database, file storage, push notifications (FCM) | Account data, receipts, points, device tokens | EU (europe-west) region* |
| Google Cloud Vision API | Optical character recognition (OCR) on receipt images | Receipt images (processed in real time, not stored by Google) | EU |
| Resend | Sending transactional e-mails | E-mail address, e-mail content | USA** |
* We configure Google Cloud resources in EU regions. Google may
process limited operational metadata outside the EU under their
standard data-processing terms and EU Standard Contractual Clauses.
** Resend Inc. is based in the USA. The transfer is safeguarded by
EU–US Data Privacy Framework certification and/or Standard
Contractual Clauses (Art. 46 GDPR).
We do not sell, rent, or share your personal data with any other third parties.
Your data is primarily stored in the European Union. Where data is transferred outside the EU/EEA (see Section 5), we ensure appropriate safeguards are in place, such as:
| Data Type | Retention Period |
|---|---|
| Account & loyalty data (profile, points balance, points history) | As long as your account exists. Deleted upon account deletion request. |
| Receipt images & OCR data | 30 days after upload, then automatically deleted |
| Sales verification records (from our POS system) | 30 days, then automatically deleted |
| Support incident records | Up to 12 months after the incident is closed, then deleted |
| Device / push-notification tokens | Until you uninstall the App, revoke permission, or delete your account |
As a resident of the Netherlands / EU, you have the following rights regarding your personal data:
To exercise any of these rights, e-mail us at info@fluffycafe.nl. We will respond within 30 days as required by the GDPR.
If you believe we have not handled your request properly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
We take appropriate technical and organisational measures to protect your data, including:
The App does not use cookies, advertising trackers, or analytics SDKs. We do not track your behaviour across other apps or websites.
We may update this privacy policy from time to time. When we make material changes, we will notify you through the App (e.g. via an in-app banner or push notification) and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
If you have any questions about this privacy policy or how we handle your data, please contact us: