Back

Privacy Policy

Last updated: 18 March 2026

Ambr ("we", "us", "our") operates the Ambr mobile application and website at ambr.so (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable EU law.

If you have any questions, contact us at ambrcard@gmail.com.

1. Who we are

Ambr is a digital loyalty card platform that allows businesses ("Merchants") to create stamp-based loyalty cards and customers ("Customers") to collect stamps and earn rewards. We act as the data controller for personal data processed through the Service.

2. Data we collect

We collect only the data necessary to provide the Service:

Account data

  • Email address or mobile phone number (you choose one to save your card; we verify it with a one-time code or confirmation)
  • Display name (optional, set by you)
  • Password (email accounts only; stored as a secure one-way hash — we never see it in plain text)

Anonymous use

  • You can collect your first stamp on a card without creating an account. We create a random anonymous identifier in your browser to hold that stamp; it contains no personal data and is deleted if you later sign in to an existing account.

Loyalty activity data

  • Stamp records: which loyalty card you have stamps on, how many stamps you have, and when stamps were added
  • Reward redemption records

Merchant business data

  • Business name and loyalty card configuration (card design, stamp goal, reward description)

Device data

  • Push notification token (if you grant notification permission) — used only to send you stamp confirmations and reward notifications

Usage data

  • We keep minimal first-party product metrics (for example, which in-app prompts are shown or tapped) on our own infrastructure, to understand and improve the Service. We do not use third-party analytics tools and do not track you across third-party sites.

3. Legal basis for processing (GDPR Article 6)

  • Contract performance (Art. 6(1)(b)): Processing your email or phone number, account data, and loyalty activity is necessary to provide the Service you signed up for. This includes sending one-time verification codes by SMS or email when you save your card or sign in.
  • Legitimate interests (Art. 6(1)(f)): We process push notification tokens to send you transactional messages directly related to your use of the Service (e.g. stamp received, reward earned).
  • Consent (Art. 6(1)(a)): Marketing messages from a Merchant (e.g. offers by text or email) are sent only if you explicitly opt in for that specific Merchant, and you may withdraw that consent per Merchant at any time. Push notification permission can likewise be withdrawn via your device settings.

4. How we use your data

  • To authenticate you and maintain your account (including one-time sign-in and verification codes by SMS or email)
  • To record and display your loyalty stamps and rewards
  • To send you push notifications about your stamps and rewards (if you have granted permission)
  • To allow Merchants to verify stamp requests from Customers
  • To send you a Merchant's offers by text or email — only where you have ticked the opt-in for that specific Merchant, and you can withdraw it at any time
  • To respond to your support or feedback submissions

We do not sell, rent, or share your personal data with third parties for marketing purposes. Merchants see your loyalty activity with them and, where you opted in, can message you through the Service — they never receive your password, and they cannot contact you for marketing without your per-Merchant opt-in.

5. Data processors and third parties

We use the following sub-processors to operate the Service:

  • Supabase, Inc. — database, authentication, and storage infrastructure. Data is stored on servers in the EU (AWS eu-central-1). Supabase processes data under a Data Processing Agreement in compliance with GDPR.
  • Twilio Inc. — SMS delivery for one-time verification codes (and Merchant offers where you have opted in). Only your phone number and the message content are shared, at the moment of sending. Twilio processes data under its GDPR Data Processing Addendum.
  • Expo / Expo Push Notification Service — used to deliver push notifications to the Ambr mobile app. Only your device push token and notification content are shared for this purpose.
  • Netlify, Inc. — hosts the Ambr web application. Standard web request logs (IP address, browser type) may be retained briefly for security purposes under Netlify's own privacy policy.

6. Data retention

  • Your account data and loyalty records are retained for as long as your account is active.
  • If you delete your account, all associated personal data (account details, stamps, rewards) is permanently deleted within 30 days.
  • Anonymised aggregate statistics (e.g. total number of stamps issued by a Merchant) may be retained after deletion as they cannot be used to identify you.

7. Your rights (GDPR)

As a data subject in the EU you have the following rights:

  • Right of access: Request a copy of all personal data we hold about you.
  • Right to rectification: Correct inaccurate or incomplete data. You can update your display name and email directly in the app.
  • Right to erasure ("right to be forgotten"): Delete your account and all associated data at any time via Settings → Delete Account in the app, or by emailing us.
  • Right to restriction: Ask us to restrict processing of your data while a complaint is being resolved.
  • Right to data portability: Request a machine-readable copy of your personal data.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email ambrcard@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

8. Data security

All data is transmitted over HTTPS. Passwords are hashed using industry-standard algorithms and are never stored or transmitted in plain text. Access to production data is restricted to authorised personnel. We apply the principle of least privilege to all internal systems.

9. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page and, where required by law, by sending you a notification through the app or by email. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions or requests, contact us at: ambrcard@gmail.com