Privacy Policy

Fluffy Café Loyalty App — Last updated: June 2025

1. Who We Are

This loyalty application ("App") is operated by Fluffy Cafe-Restaurant, located at Stadsplein 95, Stadshart, 1181 ZM Amstelveen, the Netherlands.

For any privacy-related questions you can reach us at info@fluffycafe.nl.

In this policy, "we", "us" and "our" refer to Fluffy Cafe-Restaurant. "You" and "your" refer to you, the user of the App.

2. Minimum Age

Under Dutch law (implementing the GDPR), persons under the age of 16 may not use digital services that process personal data without verifiable parental consent. You must be at least 16 years old to create an account. If we learn that we have collected data from a child under 16 without proper consent, we will delete that data promptly.

3. What Data We Collect

We only collect data that is necessary to run the loyalty programme.

Category Specific Data When Collected
Account information First name, last name, e-mail address, phone number, date of birth (optional) When you register or update your profile
Authentication data Firebase user ID, login tokens, phone verification status, e-mail verification status When you sign in
Loyalty data Points balance, points history (earned & spent), customer ID (anonymous alias), QR code When you earn or redeem points
Receipt images & OCR text Photos of receipts you upload, extracted text (receipt number, date, total amount) When you submit a receipt for points
Support requests Issue category, description, attached receipt image, incident number When you contact support through the App
Device information Push-notification token (FCM/APNs), device platform (iOS/Android), locale When you enable push notifications
What we do NOT collect: We do not collect your location, contacts, browsing history, advertising identifiers, or any data unrelated to the loyalty programme. We do not use analytics or tracking SDKs.

4. Why We Process Your Data (Legal Bases)

Under the General Data Protection Regulation (GDPR), we need a lawful basis for every processing activity:

Purpose Legal Basis (GDPR)
Creating and managing your loyalty account Performance of a contract (Art. 6(1)(b))
Verifying receipts and awarding points Performance of a contract (Art. 6(1)(b))
Processing point redemptions Performance of a contract (Art. 6(1)(b))
Handling your support requests Performance of a contract (Art. 6(1)(b))
Sending transactional e-mails (e.g. support confirmations) Performance of a contract (Art. 6(1)(b))
Sending push notifications about your points or rewards Your consent (Art. 6(1)(a)) — you can disable these in your device settings at any time
Preventing fraud and duplicate receipt claims Legitimate interest (Art. 6(1)(f))

5. Third-Party Service Providers

We use a limited number of trusted service providers to operate the App. They process data only on our instructions and are bound by data-processing agreements.

Provider Purpose Data Involved Location
Google Cloud Platform / Firebase Authentication, database, file storage, push notifications (FCM) Account data, receipts, points, device tokens EU (europe-west) region*
Google Cloud Vision API Optical character recognition (OCR) on receipt images Receipt images (processed in real time, not stored by Google) EU
Resend Sending transactional e-mails E-mail address, e-mail content USA**

* We configure Google Cloud resources in EU regions. Google may process limited operational metadata outside the EU under their standard data-processing terms and EU Standard Contractual Clauses.
** Resend Inc. is based in the USA. The transfer is safeguarded by EU–US Data Privacy Framework certification and/or Standard Contractual Clauses (Art. 46 GDPR).

We do not sell, rent, or share your personal data with any other third parties.

6. International Data Transfers

Your data is primarily stored in the European Union. Where data is transferred outside the EU/EEA (see Section 5), we ensure appropriate safeguards are in place, such as:

7. How Long We Keep Your Data

Data Type Retention Period
Account & loyalty data (profile, points balance, points history) As long as your account exists. Deleted upon account deletion request.
Receipt images & OCR data 30 days after upload, then automatically deleted
Sales verification records (from our POS system) 30 days, then automatically deleted
Support incident records Up to 12 months after the incident is closed, then deleted
Device / push-notification tokens Until you uninstall the App, revoke permission, or delete your account

8. Your Rights Under the GDPR

As a resident of the Netherlands / EU, you have the following rights regarding your personal data:

To exercise any of these rights, e-mail us at info@fluffycafe.nl. We will respond within 30 days as required by the GDPR.

If you believe we have not handled your request properly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)88 1805 250

9. Data Security

We take appropriate technical and organisational measures to protect your data, including:

10. Cookies & Tracking

The App does not use cookies, advertising trackers, or analytics SDKs. We do not track your behaviour across other apps or websites.

11. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will notify you through the App (e.g. via an in-app banner or push notification) and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

12. Contact Us

If you have any questions about this privacy policy or how we handle your data, please contact us:

Fluffy Cafe-Restaurant
Stadsplein 95, Stadshart
1181 ZM Amstelveen, the Netherlands

E-mail: info@fluffycafe.nl
Website: http://fluffycafe.nl/