Legal

Privacy Policy

Last updated: 4 June 2026

This Privacy Policy explains how The Magic Stamp (“MagicStamp”, “we”, “us”, or “our”) collects, uses, shares, and protects your information when you use the The Magic Stamp consumer app, the The Magic Stamp Merchant app, and our websites (together, the “Services”). It is designed to comply with India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”).

By creating an account or using the Services, you agree to this Policy. If you do not agree, please do not use the Services.

1. Who we are

The Services are operated by The Magic Stamp. For any privacy questions or to exercise your rights, contact us at support@magicstamp.in. As a Data Fiduciary under the DPDP Act, we determine how and why your personal data is processed.

2. Information we collect

We collect only what we need to run a loyalty program:

Information you give us

  • Account details — your name, email address, and password (stored only as a secure hash). Consumers also provide their city and state, and may optionally add a date of birth (used only for birthday bonus stamps) and a referral code.
  • Merchant details — for shop owners: brand name, business category, shop locations and addresses, logo, and staff names with a secure PIN (stored only as a hash).
  • Loyalty activity — the cards you join, stamps you earn, rewards you unlock and redeem, the purchase (bill) amount recorded at the time of a stamp, your favourites, and any feedback rating or comment you submit to a shop.
  • Communications — messages you send us (for example, a demo request or support email).

Information we collect automatically

  • Approximate location — when you use “shops near you” / “offers near you”, with your permission we use your device’s GPS location to show nearby merchants. You can turn this off in your device settings.
  • Device & push tokens — a push-notification token, device platform (Android/iOS), and app version, so we can send the alerts you opt into (e.g. “your reward is ready”).
  • Usage & diagnostics — basic log data and error reports to keep the Services secure, reliable, and free of abuse.

Payment information (merchants)

Merchant subscription payments are processed by our payment gateway, Razorpay. We do not collect or store your full card or UPI details — those go directly to Razorpay. We retain only the payment amount, status, and gateway reference IDs needed for billing records.

3. How we use your information

  • To create and manage your account and loyalty cards.
  • To award stamps, generate rewards, and let merchants validate and redeem them.
  • To show shops, offers, and leaderboards near you.
  • To send service notifications you’ve enabled (reward ready, near a reward, offers, birthday/streak bonuses, referrals).
  • To process merchant subscriptions and keep billing records.
  • To prevent fraud and abuse (e.g. single-use QR codes, daily stamp limits, optional geofencing).
  • To provide support and respond to your requests.
  • To comply with legal obligations.

We process your personal data on the basis of the consent you give at sign-up (terms, privacy, and data-use consent), and for legitimate uses permitted under the DPDP Act (such as providing the service you requested and preventing fraud). You can withdraw consent at any time (see “Your rights” below); withdrawal does not affect processing already carried out.

5. How we share information

We do not sell your personal data. We share it only as follows:

  • With merchants you interact with — when you join a shop’s card or earn a stamp, that merchant can see your loyalty activity with their business (such as your name, stamps, rewards, recorded purchase amounts, and visit dates). Merchants only ever see their own customers — never your activity at other shops.
  • With service providers (Data Processors) who run our infrastructure on our behalf, under contract: Supabase(database & authentication hosting), Razorpay (payments), push-notification delivery (Firebase Cloud Messaging / Expo), our email provider (sign-up OTP and notices), and Google Maps (map display).
  • For legal reasons — if required by law, regulation, or valid legal process, or to protect the rights, safety, and security of our users and the Services.
  • In a business transfer — if we are involved in a merger, acquisition, or sale of assets, subject to this Policy.

6. Leaderboards and public displays

Community leaderboards show masked names (not your full name or contact details) alongside ranks. Your individual contact information is never shown publicly.

7. Data retention

We keep your personal data for as long as your account is active and as needed to provide the Services. When you delete your account, we delete or anonymise your personal data within a reasonable period, except where we must retain certain records (e.g. payment/transaction records) to meet legal, accounting, or fraud-prevention obligations.

8. Your rights

Under the DPDP Act, you have the right to:

  • Access a summary of the personal data we hold about you.
  • Correct or complete inaccurate or incomplete data.
  • Erase your data by deleting your account.
  • Withdraw consent for processing at any time.
  • Grievance redressal — raise a complaint with our Grievance Officer.
  • Nominate another individual to exercise your rights in the event of death or incapacity.

You can export your data and delete your account directly from the app (Profile & Settings). You can also email support@magicstamp.in and we will respond as required by law.

9. How we protect your data

We use industry-standard safeguards: encrypted connections (HTTPS), hashed passwords and staff PINs, single-use short-lived codes for stamps and rewards, access controls, rate limiting, and restricted server access. No method of transmission or storage is 100% secure, but we work to protect your information and will notify you and the authorities of a data breach as required by law.

10. Children

The Services are intended for users aged 18 and over. We do not knowingly collect personal data from children without verifiable parental or guardian consent as required by the DPDP Act. If you believe a child has provided us data, contact us and we will delete it.

11. International transfers

Your data is primarily stored and processed in India. Where a service provider processes data outside India, we take steps to ensure it is handled consistently with this Policy and applicable law.

12. Changes to this Policy

We may update this Policy from time to time. We will revise the “Last updated” date above and, for significant changes, provide a more prominent notice. Your continued use of the Services after an update means you accept the revised Policy.

13. Contact us & Grievance Officer

For questions or to exercise your rights, contact us at support@magicstamp.in.

Grievance Officer: Grievance Officer, support@magicstamp.in
The Magic Stamp, India.