Stomp Loyalty

Effective Date: January 13, 2026
Last Updated: February 13, 2026
Version: 1.0

This Privacy Policy explains how Stomp Loyalty and its affiliated legal entities collect, use, store, share, and protect Personal Information in connection with the Stomp Loyalty platform, including the Consumer Wallet App, the Merchant Admin Console, and related services. We are committed to transparency and to safeguarding the privacy of every individual who interacts with our platform.

Stomp Loyalty does not sell Personal Information. We do not use advertising networks, behavioral advertising, or data brokers. We do not build or share lookalike audiences.

If you have questions about this Privacy Policy, please contact us using the details in Section 28.

Table of Contents

• PART I — GENERAL PROVISIONS
  • 1. Overview and Key Highlights
  • 2. Definitions
• PART II — INDIVIDUALS COVERED
  • 3. Categories of Individuals
• PART III — DATA WE COLLECT
  • 4. Information You Provide Directly
  • 5. Information Generated Through Platform Use
  • 6. Information Collected Automatically
  • 7. Information Received from Third Parties
• PART IV — HOW AND WHY WE USE YOUR DATA
  • 8. Purposes of Processing
  • 9. Legal Bases for Processing
• PART V — HOW WE SHARE AND TRANSFER DATA
  • 10. Data Sharing
  • 11. Sub-Processors and Third-Party Service Providers
  • 12. International Data Transfers
• PART VI — DATA RETENTION AND SECURITY
  • 13. Data Retention
  • 14. Data Security
  • 15. Data Breach Notification
• PART VII — YOUR RIGHTS AND CHOICES
  • 16. Your Privacy Rights
  • 17. Communication Preferences
• PART VIII — COOKIES AND TRACKING
  • 18. Cookies and Tracking Technologies
• PART IX — SPECIAL TOPICS
  • 19. Merchant Responsibilities
  • 20. Mobile Application
  • 21. Automated Decision-Making and Profiling
  • 22. Children’s Privacy
  • 23. Third-Party Links and Integrations
• PART X — REGIONAL ADDENDA
  • 24. Canada Addendum
  • 25. India Addendum
  • 26. United States Addendum
• PART XI — GENERAL
  • 27. Changes to This Privacy Policy
  • 28. Contact Information
  • 29. Version History and Effective Date

PART I — GENERAL PROVISIONS

1. Overview and Key Highlights

1.1 Plain-Language Summary (At-a-Glance Table)

The following table provides a high-level summary of our privacy practices. It is not a substitute for reading the full Privacy Policy but is intended to give you a quick overview.

1.2 About Stomp

Stomp Loyalty (“Stomp,” “we,” “us,” or “our”) is a multi-sided loyalty and payments platform that connects consumers with local merchants. The platform consists of two primary products:

The Consumer Wallet App is a Progressive Web App (PWA) that allows consumers to create an account, discover and join merchant loyalty programs, earn stamps and points through purchases and merchant activity, redeem rewards, save offers to a personal list, and pay bills at participating merchants. The Wallet App may request device location permission to display nearby stores and offers; however, location data is used transiently and is never stored by Stomp. Users must log in and accept the Terms of Service to use the Wallet App — anonymous browsing is not supported. QR codes within the app function only as links to open store pages and are not used for payment initiation.

The Merchant Admin Console enables merchants to manage their loyalty programs (including stamps, points, and rewards), view a member roster with aggregated statistics (such as visit counts and point balances), track payments and commission statuses, configure employee access, and send push notifications or configure automated messaging based on activity filters. Merchants can view birthday month and day only if a consumer has voluntarily provided that information, and only for the purpose of birthday offers. Merchants can see aggregate counts of offer saves and redemptions but cannot see which individual consumer saved a particular offer. Merchants do not have access to full payment card or bank information, individual visit-by-visit logs or timestamps, or the identity of consumers who saved specific offers.

Stomp Loyalty operates through separate legal entities in Canada and India, each serving merchants and consumers in its respective country, as described in Section 1.5 below.

1.3 Scope of This Privacy Policy

This Privacy Policy applies to all Personal Information collected, used, disclosed, or otherwise processed by Stomp Loyalty through the Consumer Wallet App (PWA), the Merchant Admin Console, and any related services, APIs, and support channels operated by Stomp Loyalty Inc. or Stomp Loyalty Private Limited.

This Privacy Policy does not apply to third-party websites, applications, or services linked to or integrated with the Stomp platform, including payment processor portals (Stripe, Razorpay), app stores (Apple App Store, Google Play Store), or any merchant’s own independent websites or applications. Those third parties maintain their own privacy policies, and we encourage you to review them.

This Privacy Policy does not cover information that merchants collect independently outside of the Stomp platform. For information about how a specific merchant handles your data outside of Stomp, please contact the merchant directly.

1.4 Our Role: When Stomp Acts as Data Controller vs. Data Processor

Understanding who is responsible for your Personal Information depends on the context in which it is collected and used.

Stomp as Data Controller (or equivalent term under applicable law). Stomp acts as the data controller when we determine the purposes and means of processing your Personal Information. This includes processing related to account creation and management, platform operations, payment facilitation, analytics (using aggregated, non-personally-identifiable data), security monitoring, legal compliance, and direct communications from Stomp to you (such as service notifications). In India, the equivalent role is that of a “Data Fiduciary” under the Digital Personal Data Protection Act, 2023.

Stomp as Data Processor. In certain limited circumstances, Stomp may process Personal Information on behalf of a merchant pursuant to the merchant’s instructions. For example, when a merchant uses the platform to send push notifications to its loyalty program members, Stomp facilitates delivery as a processor acting on the merchant’s behalf. In such cases, the merchant is the controller, and Stomp processes data in accordance with its agreements with the merchant and this Privacy Policy.

Merchant as Independent Data Controller. Merchants who use the Stomp platform are independent data controllers with respect to the loyalty programs they operate and the consumer data they access through the Merchant Admin Console. Merchants are responsible for their own compliance with applicable privacy laws, including obtaining any required consents and providing any required notices to consumers. See Section 19 for more detail on merchant responsibilities.

1.5 Regions and Legal Entities Covered

Stomp Loyalty operates through separate legal entities in Canada and India:

These two entities are independently incorporated and are not subsidiaries of each other. They share a common brand, platform infrastructure, and operational practices, but each entity is the contracting party and controller/fiduciary in its respective jurisdiction.

The entity that governs the processing of your Personal Information is determined by the country in which you are located. If you are a consumer visiting a merchant in a region other than your home region, the privacy practices of the country you are visiting govern the processing of data generated by that visit; however, your personal profile data remains stored in your home region (see Section 12 for details on international data transfers).

Stomp Loyalty does not currently operate in the United States. A forward-looking United States addendum is included in Part X (Section 26) for future applicability.

2. Definitions

For the purposes of this Privacy Policy, the following terms have the meanings set out below. Where a term defined here has a different or more specific meaning under applicable regional law, the regional definition applies to processing governed by that law (see Part X, Regional Addenda).

“Consent” means a freely given, specific, informed, and unambiguous indication of an individual’s agreement to the processing of their Personal Information, obtained through a clear affirmative action (such as checking an opt-in box or toggling a setting). Where applicable law requires express or explicit consent, that standard applies.

“Consumer” or “Wallet User” means an individual who creates an account on the Stomp Consumer Wallet App (PWA) to participate in merchant loyalty programs, earn stamps or points, redeem rewards, save offers, or make payments through the platform.

“Controller” means the entity that determines the purposes and means of processing Personal Information. In the context of Canadian privacy law, this is the organization responsible for Personal Information under its custody or control. In the context of Indian privacy law, the equivalent term is “Data Fiduciary.”

“Cookies” means small text files or similar technologies (including local storage, session storage, and similar browser-based storage mechanisms) placed on a user’s device by a website or application to store information or facilitate functionality.

“Data Fiduciary” means, under the Digital Personal Data Protection Act, 2023 (India), any person who alone or in conjunction with other persons determines the purpose and means of processing of digital personal data. The term is functionally equivalent to “Controller.”

“Data Principal” means, under the Digital Personal Data Protection Act, 2023 (India), the individual to whom personal data relates. The term is functionally equivalent to the data subject or individual whose Personal Information is processed.

“Data Processor” means, under the Digital Personal Data Protection Act, 2023 (India), any person who processes digital personal data on behalf of a Data Fiduciary. In general privacy terminology, a processor is an entity that processes Personal Information on behalf of and under the instructions of a Controller.

“Device Data” means information about the device used to access the Stomp platform, including device type, operating system and version, browser type and version, screen resolution, language preferences, and unique device identifiers (to the extent collected).

“Home Region” means the geographic region associated with a user’s account, determined at the time of account creation based on the user’s country. For users in Canada, the Home Region corresponds to the GCP us-central1 data center region. For users in India, the Home Region corresponds to the GCP asia-south1 data center region. A user’s personal profile data is stored exclusively in their Home Region.

“Merchant” or “Business” means a business entity or individual that registers for a Stomp Loyalty merchant account and uses the Merchant Admin Console to operate loyalty programs, manage customer relationships, and process payments through the Stomp platform.

“Payment Processor” means a third-party financial services provider that processes payment transactions on behalf of Stomp and merchants. Stomp’s Payment Processors are Stripe (including Stripe Connect) for Canada and Razorpay (including Razorpay Route) for India.

“Personal Information” or “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual. This includes, without limitation, name, email address, phone number, device identifiers, and transaction records associated with an identifiable individual. Under Indian law, the equivalent term is “digital personal data” as defined in the Digital Personal Data Protection Act, 2023.

“Processing” means any operation or set of operations performed on Personal Information, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Processor” means an entity that processes Personal Information on behalf of and under the instructions of a Controller. See also “Data Processor” for the Indian law equivalent.

“Region” means a geographic territory corresponding to one of Stomp Loyalty’s operational jurisdictions (currently Canada and India), each served by a distinct legal entity and data storage region.

“Sensitive Personal Information” means categories of Personal Information that are subject to heightened protection under applicable law, such as financial information, biometric data, health data, data revealing racial or ethnic origin, or other categories specified by regional legislation. Stomp’s collection of Sensitive Personal Information is limited to payment metadata and is described in this Privacy Policy.

“Sub-processor” means a third-party service provider engaged by Stomp to process Personal Information on Stomp’s behalf in the course of providing services to Stomp. Sub-processors are subject to contractual data protection obligations.

“Visiting Region” means a region other than the user’s Home Region in which the user engages in a transaction (for example, a Canadian user making a purchase at a merchant in India). When a cross-region transaction occurs, the payment document is stored in the Visiting Region (the merchant’s region), but the user’s personal profile data remains in the Home Region.

PART II — INDIVIDUALS COVERED

3. Categories of Individuals

3.1 Consumers (Wallet Users)

Consumers are individuals who create an account on the Stomp Consumer Wallet App (PWA). By creating an account, a consumer agrees to the Stomp Terms of Service and this Privacy Policy. Consumers use the Wallet App to join merchant loyalty programs, earn stamps and points, redeem rewards, save offers, and pay bills at participating merchants. The Wallet App requires authentication — there is no anonymous browsing mode. All consumers must provide the minimum required registration information to create and maintain an account (see Section 4.1).

3.2 Merchants (Business Account Holders)

Merchants are businesses or individuals who register for a merchant account on the Stomp platform and use the Merchant Admin Console. Merchants provide business registration and verification information, configure loyalty programs, and access aggregated consumer data as described in this Privacy Policy. Merchants are independent data controllers for the loyalty programs they administer and the consumer information they access through the platform. Where a merchant is an individual (such as a sole proprietor), they are also a data subject whose Personal Information Stomp processes.

3.3 Merchant Employees and Authorized Users

Merchant employees and authorized users are individuals who have been granted access to the Merchant Admin Console by a merchant. Access is role-based and is configured by the merchant. Stomp processes limited Personal Information about these individuals (such as login credentials and access roles) to provide and secure access to the platform. The merchant, as the employer or engaging party, is responsible for the lawfulness of granting such access and for notifying its employees and authorized users about the processing of their Personal Information.

3.4 Website and App Visitors

Because the Stomp Consumer Wallet App is a PWA that requires login to use, and because Stomp does not currently operate a public marketing website, lead forms, or public merchant sign-up forms, the concept of unauthenticated “visitors” is limited. However, an individual who navigates to the Wallet App’s login or onboarding screens prior to creating an account may have limited technical data collected automatically (such as IP address and device information) through essential cookies and diagnostic tools. This data is processed in accordance with Sections 6 and 18 of this Privacy Policy.

PART III — DATA WE COLLECT

4. Information You Provide Directly

4.1 Account Registration Data

When you create a Stomp Loyalty account (whether as a consumer or merchant), we collect information necessary to establish and operate your account. For consumers, this includes your display name, email address, and mobile phone number (in E.164 international format). Your email and phone number are verified through our authentication provider (Firebase Authentication), and we store verification status and timestamps. A unique user identifier (UID) is assigned to your account, and your home region and country code are recorded at the time of registration. We also store account creation and update timestamps, onboarding and setup completion timestamps, and a referral code (if you were referred by another user) along with the referrer’s identifier.

For merchants, registration data includes the business information necessary to establish a merchant account on the platform, including business name and any contact information provided during onboarding.

4.2 Profile and Preference Data

Consumers may optionally provide additional profile information, including a profile photo (stored as a URL reference), a birthday (month and day only — we do not collect birth year), and notification and communication preferences (including global consent toggles and per-store notification settings). You may also configure analytics consent and “share profile” consent (which controls whether your profile information is synced to your merchant memberships). These preferences are stored as part of your user profile in your Home Region.

4.3 Business and Merchant Verification Data

Merchants provide business information required for onboarding and payment processing. For Canadian merchants using Stripe Connect, Stomp stores Stripe-generated metadata such as the Stripe account identifier, onboarding status, payout and charge enablement flags, outstanding requirements, and timestamps. For Indian merchants using Razorpay Route, Stomp stores the linked account identifier, onboarding and KYC status flags (not copies of KYC documents such as PAN or Aadhaar), payout enablement, outstanding requirements, commission configuration, and timestamps.

Stomp does not store copies of merchant identity documents. KYC verification is performed by the relevant Payment Processor (Stripe or Razorpay), and Stomp receives and stores only status flags indicating whether verification has been completed.

4.4 Employee and Authorized User Data

When a merchant configures employee or authorized user access to the Merchant Admin Console, Stomp processes the information necessary to create and manage that access, including login credentials (authenticated via Firebase Authentication) and assigned roles/permissions. The merchant is responsible for providing appropriate notice to its employees and authorized users regarding this processing.

4.5 Communications and Support Interactions

If you contact Stomp for customer or merchant support, we collect the information you provide in connection with your inquiry, including the content of your messages, your contact details, and any attachments or supporting documentation you submit. This information is used to respond to your inquiry, resolve issues, and improve our support services.

5. Information Generated Through Platform Use

5.1 Transaction and Loyalty Activity Data (Stamps, Points, Redemptions)

When you participate in merchant loyalty programs through the Stomp platform, we generate and store records of your loyalty activity. This includes stamps earned, points accrued, rewards redeemed, and membership status for each merchant loyalty program you have joined. Merchants can view aggregated statistics about their loyalty program members, including visit counts and point balances, but do not have access to granular individual visit-by-visit logs or timestamps.

When you save an offer to your personal saved-offer list, that information is stored privately. Merchants can see aggregate counts of how many times an offer has been saved or redeemed, but they cannot see which individual consumer saved a particular offer.

5.2 Payment Metadata and Transaction Identifiers

When you make a payment through the Stomp platform, we generate and store payment metadata associated with the transaction. This metadata includes transaction identifiers (such as Stripe PaymentIntent ID, Stripe Charge ID, Razorpay Order ID, and Razorpay Payment ID), the transaction amount (in minor currency units), currency, transaction status, application fee or commission amounts, the associated store identifier, and the consumer’s user identifier. For Indian transactions processed by Razorpay, we may also store the payment method type (such as “UPI” or “CARD”) and, where a card is used, the card brand and last four digits only.

Stomp does not store full payment card numbers, CVVs, magnetic stripe data, full bank account details, or any data that would bring Stomp within the scope of full PCI-DSS cardholder data storage requirements. Full payment credentials are collected, processed, and stored exclusively by our Payment Processors (Stripe for Canada, Razorpay for India) in accordance with their own privacy policies and PCI-DSS compliance programs.

5.3 Refund and Dispute Records

If a refund is issued or a payment dispute arises, we store metadata related to that event, including the refund amount, status updates, and timestamps. This information is linked to the original transaction record.

5.4 Provider References (Stripe Connect, Razorpay)

For merchants onboarded through Stripe Connect (Canada) or Razorpay Route (India), we store provider-assigned identifiers and status metadata as described in Section 4.3. This information is used to manage merchant onboarding, enable payments and payouts, track commission configurations, and facilitate reconciliation. Stomp stores the following categories of provider reference data:

Canada (Stripe Connect):

India (Razorpay Route):

6. Information Collected Automatically

6.1 Device and Browser Information

When you access the Stomp platform, we may automatically collect Device Data, including your device type, operating system and version, browser type and version, screen resolution, and language preferences. This information is collected to ensure proper rendering and functionality of the platform and for diagnostic purposes.

6.2 IP Address and Approximate Geolocation

Your IP address may be collected automatically when you interact with the platform. IP addresses may be used for security purposes (such as detecting unauthorized access), for approximate geolocation (at the city or region level, not precise location), and for diagnostic and troubleshooting purposes. The Stomp Wallet App may request your device location permission to display nearby stores and offers. If you grant this permission, location data is used transiently to serve relevant results and is not stored by Stomp on its servers.

6.3 App Usage and Interaction Data

Stomp uses Plausible Analytics, a privacy-first analytics service, to collect aggregated, anonymized usage data such as page views and session counts. Plausible Analytics does not use personal-data cookies and does not track individual users across sessions. Stomp does not use Google Analytics or any advertising tracking technology. We do not use advertising tracking or track you across other companies’ sites. Within Stomp, we may record in-product events needed to operate features (e.g., joining a store, earning points) and for security/diagnostics.

6.4 Log and Diagnostic Data (Sentry)

Stomp uses Sentry for crash reporting and error monitoring. These tools may automatically collect diagnostic data when the app encounters an error, including crash logs, stack traces, device state at the time of the error, and limited device identifiers. This data is used solely for the purpose of identifying, diagnosing, and fixing software defects and is not used for marketing, advertising, or profiling.

6.5 Cookies and Similar Technologies (detailed in Section 18)

Stomp’s use of cookies and similar technologies is described in detail in Section 18. In summary, Stomp uses essential cookies for authentication and session management, and uses Plausible Analytics, which does not rely on personal-data cookies for analytics. Stomp does not use advertising cookies, third-party tracking cookies, or behavioral tracking technologies.

7. Information Received from Third Parties

7.1 Payment Processors (Stripe Connect, Razorpay)

Stomp receives transaction metadata from its Payment Processors following the completion of a payment, refund, or other financial event. This includes transaction identifiers, amounts, statuses, timestamps, and (for Razorpay) payment method type and card brand/last four digits. Stomp does not receive full card numbers, CVVs, or bank account details from its Payment Processors.

7.2 Authentication and Identity Providers (Firebase Authentication)

Stomp uses Firebase Authentication for user account creation and login. Firebase Authentication provides Stomp with the user’s UID, email verification status, and phone verification status. OTP-based SMS verification is used solely for identity verification purposes and is not used for marketing.

7.3 Fraud Prevention and Risk-Scoring Services

As of the date of this Privacy Policy, Stomp does not use independent third-party fraud prevention or risk-scoring services. Payment-level fraud detection is handled by Stomp’s Payment Processors (Stripe and Razorpay) in accordance with their own policies and procedures. Should Stomp engage such services in the future, this Privacy Policy will be updated accordingly.

PART IV — HOW AND WHY WE USE YOUR DATA

8. Purposes of Processing

8.1 Providing and Operating the Platform

We process Personal Information to provide, maintain, and operate the Stomp platform, including creating and managing consumer and merchant accounts, authenticating users, displaying store and loyalty program information, enabling consumers to join loyalty programs, facilitating communication between consumers and merchants through the platform, and ensuring the technical availability and performance of the platform.

8.2 Processing Payments and Merchant Settlements

We process payment metadata and transaction identifiers to facilitate payments between consumers and merchants, calculate and apply commissions, enable merchant payouts, and maintain transaction records for reconciliation, accounting, and dispute resolution purposes. Full payment processing is performed by our Payment Processors (Stripe for Canada, Razorpay for India). Stomp stores only the payment metadata described in Section 5.2 and does not process or store full payment credentials.

8.3 Delivering Loyalty, Stamp, and Rewards Services

We process loyalty activity data to enable consumers to earn stamps and points, track reward progress, redeem rewards, and view their loyalty history. We process this data to provide merchants with aggregated member statistics, including visit counts and point balances, to help them manage their loyalty programs. We also process saved-offer data to allow consumers to maintain personal lists of saved offers; however, merchants only see aggregate save and redemption counts and cannot identify individual consumers who saved a specific offer.

8.4 Customer and Merchant Support

We process Personal Information provided in connection with support inquiries to respond to questions, troubleshoot issues, and resolve complaints. This may include reviewing account information, transaction records, and communication history to provide effective support.

8.5 Platform Improvement, Analytics, and Product Development

We use aggregated, non-personally-identifiable data for internal analytics, product development, and platform improvement. Our analytics infrastructure uses Plausible Analytics (which does not use personal-data cookies and does not collect PII) and BigQuery for internal analysis. We use BigQuery for internal analytics. Where feasible we aggregate and minimize identifiers. We do not use BigQuery for advertising or cross-site tracking.

8.6 Security, Fraud Detection, and Abuse Prevention

We process Personal Information, including IP addresses, device information, and access logs, to detect and prevent unauthorized access, fraud, abuse, and other security threats to the platform and its users. This includes monitoring for suspicious activity, enforcing our Terms of Service, and maintaining the integrity of accounts and transactions.

8.7 Legal and Regulatory Compliance

We process Personal Information as necessary to comply with applicable laws, regulations, and legal processes, including tax and financial reporting obligations, responding to lawful requests from government authorities, and maintaining records as required by applicable retention requirements.

8.8 Marketing and Promotional Communications

Stomp may send marketing or promotional communications only where we have obtained your prior opt-in consent. You may withdraw your consent at any time by adjusting your notification preferences within the Wallet App or by contacting us (see Section 28). Stomp does not use advertising networks, behavioral advertising, ad targeting technologies, or data brokers.

Merchants may use the Stomp platform to send push notifications to their loyalty program members. These notifications are subject to the consumer’s opt-in consent and can be managed through global and per-store notification toggles within the Wallet App. Merchants are responsible for ensuring their use of push notifications complies with applicable laws, including any requirements for consent or opt-out.

9. Legal Bases for Processing

9.1 Performance of a Contract

We process Personal Information where it is necessary to perform our contractual obligations to you under the Stomp Terms of Service, including creating and maintaining your account, providing platform services, processing transactions, and delivering loyalty program functionality.

9.2 Legitimate Interests (with Balancing-Test Summary)

Where permitted by applicable law, we process Personal Information based on our legitimate interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include maintaining the security and integrity of the platform, preventing fraud and abuse, improving platform functionality and user experience through aggregated analytics, and administering business operations (such as internal reporting and reconciliation). We conduct balancing assessments to ensure that our legitimate interests do not disproportionately impact your privacy. In jurisdictions where legitimate interests is not recognized as a standalone legal basis (such as, to the extent applicable, under India’s Digital Personal Data Protection Act, 2023), we rely on other appropriate legal bases, including consent and contractual necessity.

9.3 Consent (Where Required by Law)

We obtain your consent before processing Personal Information where consent is required by applicable law. This includes processing for marketing and promotional communications, push notifications (opt-in, with global and per-store toggles), optional profile information (such as birthday month/day), optional analytics data collection, and the “share profile” feature (syncing profile data to merchant memberships). You may withdraw your consent at any time through the methods described in Section 16.6. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9.4 Legal and Regulatory Obligations

We process Personal Information where it is necessary to comply with a legal obligation to which Stomp is subject, including tax and financial reporting, anti-money laundering and counter-terrorism financing obligations, responding to lawful orders or requests from courts, regulators, or government authorities, and maintaining records as required by applicable data retention laws.

PART V — HOW WE SHARE AND TRANSFER DATA

10. Data Sharing

Stomp does not sell Personal Information. We do not disclose Personal Information to data brokers, advertising networks, or any third party for behavioral advertising, ad targeting, or the creation of lookalike audiences.

We share Personal Information only in the limited circumstances described below.

With Communications Providers (Twilio Verify)

We use Twilio Verify to send and verify one-time passcodes (OTP) for phone verification and account security. When you use phone verification, we share your phone number and verification-related information required to deliver and verify the OTP. Twilio processes this information to provide verification services and may process data in multiple locations depending on its infrastructure and the services used.

With Hosting and Deployment Providers (Vercel and Firebase Hosting)

Our web applications may be hosted and delivered through providers such as Vercel (Merchant Admin Console) and Firebase Hosting (Wallet App). These providers may automatically process technical information such as IP address, request metadata (headers), device/browser information, and security telemetry to deliver the service, maintain reliability, and protect against abuse. These providers do not receive your full payment credentials; payment credentials are collected and processed directly by our Payment Processors as described in this Policy.

10.1 With Merchants (Consumer-to-Merchant Data Flow)

When a consumer joins a merchant’s loyalty program through the Stomp platform, the merchant receives access to limited consumer information through the Merchant Admin Console. This information includes the consumer’s display name, membership status, aggregated visit counts, point balances, and birthday month/day (only if the consumer has voluntarily provided this information and only for the purpose of birthday-related offers). Merchants can view aggregate statistics on offer saves and redemptions but cannot see the identity of individual consumers who saved a specific offer. Merchants do not have access to the consumer’s full payment card or bank details, individual visit-by-visit logs or timestamps, or saved-offer identity information. Merchant access to consumer data is subject to the confidentiality and acceptable use obligations described in Section 19.

10.2 With Payment Processors (Stripe Connect, Razorpay)

We share the information necessary to process payments with our Payment Processors. For Canadian transactions, Stripe (including Stripe Connect) receives payment details directly from the consumer’s device during the payment flow. For Indian transactions, Razorpay (including Razorpay Route) receives payment details in the same manner. Stomp transmits to its Payment Processors only the information required to initiate, track, and reconcile transactions (such as transaction amounts, currency, and merchant identifiers). Full payment credentials (card numbers, CVVs, bank details) are collected and processed directly by the Payment Processor and are not transmitted through or stored by Stomp.

10.3 With Cloud and Infrastructure Providers (Google Cloud Platform)

Stomp’s platform infrastructure is hosted on Google Cloud Platform (GCP). GCP provides cloud computing, storage, and networking services that involve the processing of Personal Information stored on Stomp’s behalf. GCP processes data in accordance with its Data Processing Addendum and applicable certifications. User data is stored in region-specific GCP data centers as described in Section 12.

10.4 With Analytics Providers (Plausible Analytics)

Stomp uses Plausible Analytics for website and app analytics. Plausible is designed to avoid user profiling and cross-site tracking and does not use personal-data cookies. Depending on configuration, Plausible may process limited technical data (e.g., IP address and user agent) transiently to produce aggregate statistics and prevent abuse. Plausible processes only aggregated, anonymized usage metrics. For more information, see Plausible Analytics’ privacy policy.

10.5 With App-Services Providers (Firebase Suite)

Stomp uses Google Firebase for authentication (Firebase Authentication), push notification delivery (Firebase Cloud Messaging). These services process limited Personal Information (such as email, phone number, device tokens, and crash diagnostic data) as necessary to provide their respective functions. Firebase services are subject to Google’s data processing terms and applicable certifications.

10.6 With Corporate Affiliates (Canada and India Entities)

Stomp Loyalty Inc. (Canada) and Stomp Loyalty Private Limited (India) are eparate legal entities that share a common brand and platform. These entities may share aggregated, anonymized operational data (such as aggregated reporting on platform performance) for legitimate business purposes. Raw Personal Information is not shared between the two entities except where required for controlled cross-region support or reconciliation, and any such access is subject to strict access controls and contractual safeguards.

10.7 For Legal and Regulatory Purposes

We may disclose Personal Information to courts, regulatory authorities, law enforcement agencies, or other government bodies where we are required to do so by applicable law, regulation, legal process, or enforceable governmental request; where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Stomp, our users, or the public; or where disclosure is necessary to enforce our Terms of Service or investigate potential violations.

10.8 In Connection with Business Transfers, Mergers, or Restructuring

If Stomp Loyalty Inc. or Stomp Loyalty Private Limited is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your Personal Information may be transferred as part of that transaction. In such an event, we will provide notice (to the extent required by applicable law) before your Personal Information is transferred and becomes subject to a different privacy policy. Any successor entity will be required to honor the commitments made in this Privacy Policy or to obtain your consent for any material changes.

11. Sub-Processors and Third-Party Service Providers

11.1 List of Key Sub-Processors and Their Roles

The following table lists Stomp’s key sub-processors as of the date of this Privacy Policy. This list may be updated from time to time in accordance with Section 11.3.

11.2 Data Processing Agreements

Stomp maintains Data Processing Agreements (DPAs) or equivalent contractual arrangements with each sub-processor that processes Personal Information on Stomp’s behalf. These agreements require sub-processors to process Personal Information only in accordance with Stomp’s documented instructions, implement appropriate technical and organizational security measures, assist Stomp in responding to data subject rights requests (where applicable), notify Stomp of security incidents, and delete or return Personal Information upon termination of the engagement, subject to applicable legal retention requirements.

11.3 Sub-Processor Change Notification Process

Stomp reserves the right to engage new sub-processors or replace existing sub-processors. When Stomp engages a new sub-processor that will process Personal Information, we will update the sub-processor list in this Privacy Policy and, where required by applicable law or contract, provide advance notice to affected merchants through the Merchant Admin Console or by email. Merchants who have entered into Data Processing Agreements with Stomp may have additional contractual rights regarding sub-processor changes as specified in those agreements.

12. International Data Transfers

12.1 Where Your Data Is Stored and Processed

Stomp uses a region-aware architecture to store user data in the user’s Home Region. Canadian users’ data is stored in GCP’s us-central1 region. Indian users’ data is stored in GCP’s asia-south1 region. Your personal profile data is stored exclusively in your Home Region and is not replicated or copied to other regions.

12.2 Storage by Transaction Region (Canada vs. India)

When a user completes a transaction with a merchant located in the user’s Home Region, the transaction record (payment metadata) is stored in that same region alongside the user’s profile.

When a user completes a transaction with a merchant located in a different region (a cross-region transaction), the payment document is stored in the merchant’s region (the Visiting Region). This payment document contains the store identifier (storeId) and the user’s unique identifier (userId), but it does not contain the user’s personal profile data (such as name, email, phone, or birthday). The userId alone is not sufficient to identify the user in the Visiting Region because the user’s personal profile data remains in the Home Region, and access to the Home Region’s data is subject to strict access controls. Identity resolution, if needed for purposes such as reconciliation or support, requires controlled, authorized access to the user’s Home Region.

12.3 Transfer Safeguards and Contractual Mechanisms

When Personal Information is transferred across borders — whether through cross-region transactions, cloud infrastructure processing, or sub-processor access — Stomp implements appropriate safeguards to protect your data, including contractual protections through Data Processing Agreements with sub-processors and affiliates that include data protection obligations, confidentiality requirements, and security commitments; technical controls such as encryption in transit (TLS) and at rest, region isolation, and role-based access controls that limit access to Personal Information on a need-to-know basis; and organizational measures including access audits, least-privilege principles, and documented procedures for cross-region data access. Stomp also ensures compliance with any additional transfer mechanisms required by applicable law, including those described in the Regional Addenda (Part X).

12.4 Region-Specific Transfer Requirements

Additional transfer requirements under Canadian law (including PIPEDA and Quebec’s Law 25) and Indian law (including the Digital Personal Data Protection Act, 2023) are addressed in the Canada Addendum (Section 24) and India Addendum (Section 25), respectively.

PART VI — DATA RETENTION AND SECURITY

13. Data Retention

13.1 General Retention Principles

Stomp retains Personal Information only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal and regulatory obligations, to resolve disputes, and to enforce our agreements. When Personal Information is no longer required for any of these purposes, it is deleted or anonymized in accordance with our retention schedule. Anonymized data that can no longer be associated with an identifiable individual may be retained indefinitely for analytics and product improvement purposes.

13.2 Retention Schedule by Data Category

13.3 Payment and Financial Record Retention

Payment metadata and financial transaction records are retained for a minimum of eight (8) years from the date of the transaction to comply with applicable tax, financial reporting, anti-money laundering, and accounting regulations in Canada and India. This retention period applies to all transaction metadata described in Section 5.2, regardless of whether the associated user account remains active.

13.4 Account Closure and Data Deletion Process

You may request the deletion of your account at any time by contacting us using the methods described in Section 16.7. Upon receiving a verified deletion request, Stomp will delete or anonymize your Personal Information in accordance with the retention schedule in Section 13.2, subject to any legal or regulatory obligations that require continued retention (such as financial record-keeping requirements). Deletion of your account will result in the loss of loyalty stamps, points, and unredeemed rewards associated with your account.

13.5 Inactive Account Policy

An account is considered inactive if the user has not logged in or performed any activity on the platform for a continuous period. Stomp applies the following inactive account policy: after two (2) years of continuous inactivity, the account is generally soft-deleted. Soft deletion means the account is deactivated and the user’s data is no longer accessible through the platform, but the data is retained in a recoverable state for an additional period. After three (3) years of continuous inactivity (one year after soft deletion), the account and all associated Personal Information are generally deleted, except for data subject to longer retention periods under applicable law (such as financial records retained for 8 years).

Before soft-deleting an account, Stomp will make reasonable efforts to notify the user at the email address or phone number associated with the account, where feasible.

13.6 Legal Holds and Regulatory Retention Obligations

Notwithstanding the retention periods described above, Stomp may retain Personal Information for longer periods where required by a legal hold, regulatory investigation, pending or anticipated litigation, audit, or other legal process. In such cases, the data will be retained for the duration of the hold or process and will be deleted or anonymized once the hold is lifted and the applicable retention period has expired.

14. Data Security

14.1 Technical Safeguards (Encryption, Network Security, Monitoring)

Stomp implements reasonable technical measures designed to protect Personal Information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption at rest for all data stored in Google Cloud Platform databases (Firestore) and storage services, using Google-managed encryption keys; encryption in transit using Transport Layer Security (TLS) for all communications between client devices and Stomp’s servers, and between Stomp’s servers and third-party services; network security controls, including firewall rules, VPC configurations, and Google Cloud’s built-in DDoS protection; monitoring and logging of system access and activity for security incident detection and investigation; and region-isolated data storage. Your Firestore profile is stored in your home region. Some supporting services (e.g., Authentication, Messaging, Crash/Error reporting) may process data in other locations operated by our vendors.

14.2 Organizational Safeguards (Access Controls, Staff Training, Policies)

Stomp implements organizational measures to complement its technical safeguards. These measures include role-based access controls (RBAC) enforced through Google Cloud IAM, ensuring that personnel access only the data necessary for their authorized role; the principle of least privilege applied to all internal access to production systems and databases; internal policies and procedures for data handling, incident response, and access management; and security awareness and data protection training for personnel with access to Personal Information.

14.3 Payment Data Handling and PCI-DSS Compliance

Stomp does not store, process, or transmit full payment card numbers, CVVs, magnetic stripe data, or other cardholder data that would bring Stomp within the scope of full PCI-DSS cardholder data storage requirements. All payment card processing is handled directly by Stomp’s Payment Processors (Stripe for Canada, Razorpay for India), each of which maintains its own PCI-DSS compliance. Stomp stores only payment metadata and transaction identifiers, as described in Section 5.2.

14.4 Vendor and Sub-Processor Security Requirements

Stomp requires its sub-processors and key vendors to maintain appropriate technical and organizational security measures. These requirements are established through Data Processing Agreements (DPAs) or equivalent contractual terms, vendor security assessments, and ongoing monitoring of sub-processor compliance and incident disclosures. Stomp selects sub-processors that maintain recognized security certifications (such as SOC 2 or ISO 27001) where available and appropriate.

15. Data Breach Notification

15.1 Breach Detection and Internal Response

Stomp maintains an internal incident response plan for the detection, investigation, and management of personal data breaches. Upon detecting a suspected or confirmed breach involving Personal Information, Stomp’s incident response team will investigate the scope and impact, contain the breach, assess the risk to affected individuals, and document the incident and response actions taken.

15.2 Notification to Regulators

Where a personal data breach is likely to result in a risk to the rights and freedoms of affected individuals, Stomp will notify the appropriate data protection authority or regulator as required by applicable law. Notification timelines and procedures vary by jurisdiction and are detailed in Section 15.4 below.

15.3 Notification to Affected Individuals

Where a personal data breach is likely to result in a high risk to the rights and freedoms of affected individuals, or where notification is otherwise required by applicable law, Stomp will notify affected individuals without undue delay, using the contact information on file (such as email or in-app notification). The notification will describe the nature of the breach, the types of data affected (to the extent known), the measures taken or proposed to address the breach, and how to contact Stomp for further information.

15.4 Region-Specific Notification Timelines

In Canada, Stomp will report breaches to the Office of the Privacy Commissioner of Canada (OPC) and notify affected individuals as required by PIPEDA’s breach notification provisions and, where applicable, Quebec’s Law 25. In India, Stomp will notify the Data Protection Board of India and affected individuals as required by the Digital Personal Data Protection Act, 2023 and its implementing rules. In all jurisdictions, Stomp will comply with applicable notification timelines. Where a specific statutory timeline applies, Stomp will use reasonable efforts to meet or exceed that timeline.

PART VII — YOUR RIGHTS AND CHOICES

16. Your Privacy Rights

Depending on your jurisdiction, you may have some or all of the following rights with respect to your Personal Information. Region-specific rights and any additional rights under local law are described in the Regional Addenda (Part X).

16.1 Right of Access

You have the right to request confirmation of whether Stomp processes your Personal Information and, if so, to obtain a copy of the Personal Information we hold about you.

16.2 Right to Correction

You have the right to request that Stomp correct any inaccurate or incomplete Personal Information we hold about you. You can also update much of your profile information directly through the Wallet App or Merchant Admin Console.

16.3 Right to Deletion or Erasure

You have the right to request the deletion of your Personal Information, subject to certain exceptions (such as where we are required by law to retain data, or where the data is necessary for the performance of a contract). Deletion of your account will result in the loss of loyalty stamps, points, and unredeemed rewards. Financial records may be retained for up to eight (8) years as described in Section 13.3.

16.4 Right to Data Portability

Where applicable under your jurisdiction’s laws, you have the right to receive your Personal Information in a structured, commonly used, and machine-readable format, and to have that information transmitted to another controller where technically feasible.

16.5 Right to Object to or Restrict Processing

Where applicable under your jurisdiction’s laws, you have the right to object to certain types of processing (such as processing based on legitimate interests) or to request that we restrict the processing of your Personal Information in certain circumstances.

16.6 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw consent at any time. You may do so by adjusting your preferences in the Wallet App (for notification, analytics, and share-profile consents), contacting us using the methods described in Section 16.7, or following the opt-out instructions provided in any marketing communication. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.

16.7 How to Exercise Your Rights (Request Channels)

You may exercise your privacy rights by contacting us through any of the following channels:

When submitting a request, please include sufficient information to verify your identity and to allow us to locate your account (such as your registered email address or phone number). We may ask you to verify your identity before processing your request, particularly for access and deletion requests.

16.8 Identity Verification and Response Timelines

Stomp will verify the identity of any individual submitting a privacy rights request before fulfilling the request. Verification methods may include confirming information associated with your account or requesting additional identifying information.

Region-specific rights are detailed in the Regional Addenda (Part IX).

17. Communication Preferences

17.1 Marketing and Promotional Communications (Opt-Out)

Stomp sends marketing or promotional communications only where you have provided prior opt-in consent. You may withdraw your consent at any time by adjusting your notification preferences within the Wallet App, by following the opt-out instructions included in any promotional communication, or by contacting us at privacy@stomployalty.com. Even after opting out of marketing communications, you will continue to receive transactional and service messages as described in Section 17.3.

17.2 Push Notifications

Push notifications from Stomp and from merchants are delivered through Firebase Cloud Messaging (FCM) and require your opt-in consent. The Wallet App provides granular controls, including a global notification toggle that enables or disables all push notifications and per-store notification toggles that allow you to enable or disable notifications from individual merchants. You may adjust these settings at any time within the Wallet App.

17.3 Transactional and Service Messages

Stomp may send you transactional and service-related messages that are necessary for the operation of your account and the provision of our services. These messages include account verification and security notifications (including OTP via SMS, which is used solely for verification and not for marketing), transaction confirmations and receipts, important updates about your account or the platform (such as changes to Terms of Service or this Privacy Policy), and responses to your support inquiries. You cannot opt out of transactional and service messages while your account remains active, as they are essential to the provision of the service.

PART VIII — COOKIES AND TRACKING

18. Cookies and Tracking Technologies

18.1 Our Approach to Tracking (Plausible Analytics — No Personal-Data Cookies)

We use Plausible for privacy-first analytics. It does not use cookies for analytics and we configure it to avoid collecting direct identifiers. It processes limited technical information (such as IP and user-agent) only to produce aggregated statistics and does not build user profiles or track you across sites.

18.2 Essential and Functional Cookies

Stomp uses essential cookies and similar browser-based storage technologies (such as session storage and local storage) that are strictly necessary for the functioning of the platform. These include authentication cookies and tokens used to maintain your logged-in session and to verify your identity across page loads, session management data used to maintain application state during your use of the Wallet App or Merchant Admin Console, and security cookies used to prevent cross-site request forgery and other security threats. Essential cookies cannot be disabled without impairing the functionality of the platform.

18.3 Third-Party Cookies and Embeds (If Any)

As of the date of this Privacy Policy, Stomp does not embed third-party content that sets tracking cookies (such as social media widgets, video embeds, or advertising pixels). If this changes in the future, this section will be updated to describe the nature and purpose of any third-party cookies or embeds.

Firebase services (Authentication, Cloud Messaging) may use cookies or similar technologies for their operational purposes (such as session management and device identification for push notifications). These are functional in nature and are not used for advertising or cross-site tracking.

18.4 Managing Your Cookie Preferences

You can manage cookies through your browser or device settings. Most browsers allow you to block or delete cookies, restrict cookies to specific websites, or receive a warning before a cookie is set. Please note that blocking essential cookies may prevent you from using the Stomp platform. Because Stomp does not use analytics cookies that collect Personal Information, there is no separate cookie consent banner or preference center for analytics cookies. For information about managing cookies in your browser, consult your browser’s help documentation.

18.5 Do-Not-Track Signals

Some browsers transmit “Do-Not-Track” (DNT) signals to websites. There is currently no industry-standard protocol for how websites should respond to DNT signals. Because Stomp does not engage in cross-site tracking, behavioral advertising, or personal-data analytics tracking, our practices are substantively consistent with the intent of DNT signals, regardless of whether a DNT signal is received. To the extent any applicable law specifically requires a response to DNT or similar signals, Stomp will comply with such requirements.

PART IX — SPECIAL TOPICS

19. Merchant Responsibilities

19.1 Merchant as Independent Data Controller

Each merchant that uses the Stomp platform is an independent data controller (or data fiduciary, under Indian law) with respect to the Personal Information of consumers who participate in that merchant’s loyalty program and the consumer data the merchant accesses through the Merchant Admin Console. Stomp is not responsible for the privacy practices of merchants. Merchants independently determine how they use the consumer data they access through the platform (within the boundaries of the platform’s technical capabilities and their contractual obligations to Stomp).

19.2 Obligations Toward Consumers Under Applicable Law

Merchants are responsible for complying with all applicable privacy and data protection laws in connection with their use of consumer data accessed through the Stomp platform. This includes, without limitation, providing clear and adequate privacy notices to consumers about how their data will be used in connection with the merchant’s loyalty program, obtaining any consents required by law for the processing of consumer data (including, where applicable, consent for marketing communications), responding to consumer rights requests (such as access, correction, and deletion requests) in a timely manner and in compliance with applicable law, and ensuring that any marketing communications sent through the platform (such as push notifications) comply with applicable anti-spam and marketing consent requirements.

19.3 Employee Account Administration and Access

Merchants are responsible for managing employee and authorized user access to the Merchant Admin Console, including assigning appropriate roles and permissions, promptly revoking access when an employee or authorized user no longer requires it, and providing appropriate notice to employees and authorized users about the processing of their Personal Information in connection with their access to the platform.

19.4 Confidentiality and Acceptable Use of Platform Data

Merchants must treat all consumer data accessed through the Stomp platform as confidential. Merchants may use such data only for legitimate business purposes directly related to the operation of their loyalty program and their relationship with consumers on the Stomp platform. Merchants may not export, scrape, or copy consumer data from the platform for use outside the platform, except as expressly permitted by Stomp in writing. Merchants may not sell, rent, lease, or otherwise commercially exploit consumer data obtained through the platform. Merchants may not use consumer data to discriminate against consumers or for any purpose that is unlawful, deceptive, or harmful.

19.5 Consequences of Misuse

Misuse of consumer data or the Stomp platform by a merchant may result in suspension or termination of the merchant’s Stomp account, reporting to applicable data protection authorities or law enforcement, and legal action, including claims for damages, injunctive relief, and indemnification. Stomp reserves the right to audit merchants’ use of platform data for compliance with this Privacy Policy and the Stomp Terms of Service.

20. Mobile Application

20.1 Mobile-Specific Data Collection (Permissions, Device Identifiers)

The Stomp Consumer Wallet App is a Progressive Web App (PWA) that operates within a mobile browser. As a PWA, it may request certain device permissions, including location permission (to display nearby stores and offers — location data is used transiently and is not stored), notification permission (to deliver push notifications via Firebase Cloud Messaging), and camera permission (if applicable, for scanning QR codes that function as links to open store pages). You can manage these permissions at any time through your device’s settings. Revoking a permission may affect the availability of features that depend on it.

20.2 Push Notifications and In-App Messaging (Firebase Cloud Messaging)

Push notifications are delivered through Firebase Cloud Messaging (FCM). When you opt in to receive push notifications, an FCM token is generated and stored in your user profile. This token is used solely for the purpose of delivering notifications and is deleted when you revoke notification permission or when your account is deleted. You have granular control over notifications through a global toggle and per-store toggles within the Wallet App. Merchants may send push notifications to their loyalty program members through the Merchant Admin Console, and may configure automated push messaging based on activity filters and rules. All such notifications are subject to your opt-in consent and your notification preferences.

20.3 Crash and Performance Reporting (Sentry)

The Wallet App uses Sentry for error monitoring and may collect similar diagnostic data. This information is used solely for the purpose of identifying and resolving software defects and improving app stability. It is not used for marketing, advertising, or profiling.

20.4 App Store and Platform-Specific Requirements (Apple, Google)

To the extent that the Stomp Wallet App is listed on or accessed through app stores or browser-based distribution platforms (such as Google Play or the Apple App Store), those platforms may collect information about your device and app usage in accordance with their own privacy policies. Stomp does not control and is not responsible for the data practices of these platforms. We encourage you to review the privacy policies of any app store or platform you use.

21. Automated Decision-Making and Profiling

21.1 Whether and How Automated Decisions Are Made

Stomp does not use artificial intelligence, machine learning, or algorithmic scoring to make decisions that produce legal effects or similarly significant effects on individuals. Stomp does not engage in AI-based profiling, algorithmic fraud scoring, or automatic account blocking.

Stomp does use limited automation in the following contexts: merchants may configure automated push messaging rules based on activity filters (such as sending a notification to members who have reached a certain number of visits or who have not visited in a certain period), and the platform may prompt consumers to leave reviews based on predefined triggers. These automated processes facilitate communication and engagement but do not involve profiling, scoring, or decisions that restrict access to services or produce legal effects.

21.2 Your Rights Regarding Automated Decisions

Because Stomp does not make automated decisions that produce legal effects or similarly significant effects on individuals, the right not to be subject to solely automated decision-making (as recognized under certain laws) is not currently applicable. If Stomp introduces automated decision-making with significant effects in the future, this Privacy Policy will be updated, and any required rights and safeguards will be implemented in accordance with applicable law.

22. Children’s Privacy

The Stomp platform is not directed at children and is not designed to attract children. Stomp imposes the following minimum age requirements:

Children / Age Requirement

Our Services are intended for individuals aged 18 or older. We do not knowingly collect Personal Information from anyone under 18. If you believe a minor has provided us Personal Information, please contact us and we will take appropriate steps to delete it. The optional birthday field captures month and day only (not birth year) and is used for the purpose of birthday offers.

If we become aware that we have collected Personal Information from an individual below the applicable minimum age without verifiable parental or guardian consent (where such consent is required by law), we will take steps to delete that information promptly. If you believe that a child has provided us with Personal Information, please contact us at privacy@stomployalty.com ** so that we can investigate and take appropriate action.

23. Third-Party Links and Integrations

The Stomp platform may contain links to third-party websites, applications, or services, such as payment processor portals (Stripe, Razorpay), app store listings, or merchant websites. Stomp is not responsible for the privacy practices, content, or security of any third-party website, application, or service. We encourage you to review the privacy policies of any third-party service before providing your Personal Information.

Stomp integrates with third-party services (such as Stripe, Razorpay, Firebase, Plausible Analytics, and Sentry) as described in this Privacy Policy. The data shared with these integrations is limited to what is necessary for the specific function they perform, and is governed by Data Processing Agreements or equivalent contractual terms.

PART X — REGIONAL ADDENDA

The following regional addenda supplement the general provisions of this Privacy Policy with jurisdiction-specific requirements. In the event of a conflict between a regional addendum and the general provisions, the regional addendum prevails for processing governed by the laws of that region.

24. Canada Addendum

This Canada Addendum applies to the processing of Personal Information of individuals in Canada by Stomp Loyalty Inc. and supplements the general provisions of this Privacy Policy.

24.1 PIPEDA Compliance

Stomp Loyalty Inc. complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and its ten fair information principles. The following summarizes how Stomp applies these principles:

Accountability. Stomp Loyalty Inc. is accountable for the Personal Information under its control. Stomp has designated a Privacy Officer responsible for compliance with PIPEDA and this Privacy Policy. The Privacy Officer’s contact information is provided in Section 28.

Identifying Purposes. Stomp identifies the purposes for which Personal Information is collected at or before the time of collection. The purposes of processing are described in Section 8 of this Privacy Policy.

Consent. Stomp obtains meaningful consent for the collection, use, and disclosure of Personal Information, except where permitted by law without consent. Consent is obtained in a form appropriate to the sensitivity of the information and the reasonable expectations of the individual. Implied consent is relied upon where the purposes are obvious and the individual voluntarily provides the information. Express consent is obtained for sensitive information and for marketing communications. Individuals may withdraw consent at any time, subject to legal or contractual restrictions, by contacting Stomp as described in Section 16.7.

Limiting Collection. Stomp collects only the Personal Information necessary for the identified purposes and collects information by fair and lawful means.

Limiting Use, Disclosure, and Retention. Personal Information is used and disclosed only for the purposes for which it was collected or for purposes that are consistent with and reasonably related to those purposes, unless additional consent is obtained. Personal Information is retained only as long as necessary for the identified purposes or as required by law, in accordance with the retention schedule in Section 13.2.

Accuracy. Stomp takes reasonable steps to ensure that Personal Information is accurate, complete, and up-to-date for the purposes for which it is used. Individuals may request correction of inaccurate information as described in Section 16.2.

Safeguards. Stomp protects Personal Information with appropriate security safeguards, as described in Section 14.

Openness. This Privacy Policy is publicly available and describes Stomp’s policies and practices with respect to Personal Information.

Individual Access. Individuals have the right to access their Personal Information held by Stomp and to challenge its accuracy, as described in Sections 16.1 and 16.2.

Challenging Compliance. Individuals may challenge Stomp’s compliance with PIPEDA by contacting the Privacy Officer (see Section 28). If the complaint is not resolved satisfactorily, individuals may file a complaint with the Office of the Privacy Commissioner of Canada (see Section 24.5).

24.2 Quebec — Act Respecting the Protection of Personal Information in the Private Sector (Law 25)

For individuals in Quebec, the Act Respecting the Protection of Personal Information in the Private Sector (as amended by Law 25) applies. In addition to the rights described elsewhere in this Privacy Policy, Quebec residents may have the following additional rights and protections.

Privacy Impact Assessments. Stomp conducts privacy impact assessments for projects involving the collection, use, or disclosure of Personal Information where required under Law 25, including when Personal Information may be communicated outside Quebec.

Consent. Stomp obtains express consent for the collection and use of sensitive Personal Information, and clear and free consent for other categories of Personal Information, in compliance with Law 25.

Right to Data Portability. Quebec residents have the right to receive their Personal Information in a structured, commonly used technological format and to have it transferred to another organization, where technically feasible.

Right to De-indexation. Quebec residents have the right to request that Stomp cease disseminating their Personal Information or de-index any hyperlink attached to their name that provides access to information, where certain conditions are met under Law 25.

Automated Decision-Making. If Stomp were to make decisions based exclusively on automated processing, Quebec residents would have the right to be informed of such processing, to submit observations, and to request a review of the decision by a person with authority. As described in Section 21, Stomp does not currently make such decisions.

Cross-Border Transfers. Before transferring Personal Information of Quebec residents outside Quebec, Stomp conducts a privacy impact assessment and ensures that the receiving jurisdiction provides adequate protection or that contractual safeguards are in place, in compliance with Law 25.

Breach Notification. Stomp will report confidentiality incidents involving Personal Information of Quebec residents to the Commission d’accès à l’information (CAI) and notify affected individuals as required by Law 25.

24.3 CASL — Canada’s Anti-Spam Legislation

Stomp complies with Canada’s Anti-Spam Legislation (CASL) with respect to commercial electronic messages. Stomp sends commercial electronic messages (such as marketing or promotional push notifications) only where the recipient has provided prior express consent (opt-in). Each commercial electronic message identifies Stomp as the sender and includes a mechanism to withdraw consent (unsubscribe). OTP-based SMS is used solely for account verification and does not constitute a commercial electronic message. Transactional and service messages (such as transaction confirmations and account security alerts) are exempt from CASL consent requirements as they fall within recognized exceptions.

24.4 Canada-Specific Rights Summary

24.5 Complaints to the Office of the Privacy Commissioner of Canada

If you are not satisfied with Stomp’s response to your privacy complaint, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC):

• Website: www.priv.gc.ca
• Toll-free: 1-800-282-1376

For Quebec residents, complaints may also be filed with the Commission d’accès à l’information du Québec (CAI):

• Website: www.cai.gouv.qc.ca

25. India Addendum

This India Addendum applies to the processing of digital personal data of individuals in India by Stomp Loyalty Private Limited and supplements the general provisions of this Privacy Policy.

25.1 Digital Personal Data Protection Act, 2023 (DPDPA)

Stomp Loyalty Private Limited acts as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDPA) with respect to the digital personal data of Data Principals in India. Stomp processes digital personal data in accordance with the DPDPA and its implementing rules, as they come into force from time to time.

Lawful Purpose. Stomp processes digital personal data only for lawful purposes, including for the performance of contracts with Data Principals, compliance with legal obligations, and purposes for which the Data Principal has given consent.

Consent. Stomp obtains free, specific, informed, unconditional, and unambiguous consent from Data Principals before processing their digital personal data, except where processing is permitted without consent under the DPDPA (such as for the performance of a contract or compliance with a legal obligation). Consent is obtained through a clear and plain-language notice that specifies the personal data to be collected, the purpose of processing, and the manner in which the Data Principal may exercise their rights, including the right to withdraw consent and file a complaint with the Data Protection Board of India.

Notice. Before or at the time of collecting digital personal data, Stomp provides a notice to the Data Principal that describes the personal data being collected, the purpose of processing, and the Data Principal’s rights under the DPDPA.

25.2 Information Technology Act, 2000 and SPDI Rules (to the Extent Still in Force)

To the extent that the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) remain in force, Stomp Loyalty Private Limited complies with their requirements. Stomp implements reasonable security practices and procedures (as described in Section 14) for the protection of sensitive personal data or information, including financial information (payment metadata) and passwords. Stomp has a comprehensive documented information security program and maintains reasonable security practices consistent with industry standards.

25.3 Data Principal Rights Under the DPDPA

Data Principals in India have the following rights under the DPDPA:

25.4 Consent and the Consent Manager Framework

To the extent that the DPDPA and its implementing rules establish a Consent Manager framework, Stomp will comply with applicable requirements, including registering with or integrating with designated Consent Managers as required. As of the date of this Privacy Policy, Stomp manages consent directly through the Wallet App’s consent and preference settings. If a Consent Manager framework is established and made mandatory, Stomp will update its consent mechanisms accordingly and update this Privacy Policy.

25.5 Right to Nominate

Under the DPDPA, Data Principals have the right to nominate another individual to exercise their rights in the event of the Data Principal’s death or incapacity. To register a nominee, please contact the Grievance Officer using the details in Section 28. Stomp will process nomination requests in accordance with the DPDPA and its implementing rules.

25.6 Grievance Officer Details and Escalation Process

In accordance with the DPDPA and the Information Technology Act, 2000 (to the extent applicable), Stomp Loyalty Private Limited has designated a Grievance Officer for India:

• Name: Sarthak Garg
• Email: privacy@stomployalty.com
• Phone: +16048683974

The Grievance Officer will acknowledge receipt of your complaint or request within the timeframe prescribed by applicable law and will endeavor to resolve your complaint as required under the DPDPA and its implementing rules. If you are not satisfied with the resolution provided by the Grievance Officer, you may file a complaint with the Data Protection Board of India through the mechanisms established under the DPDPA.

26. United States Addendum

26.1 Applicability Statement

As of the effective date of this Privacy Policy, Stomp Loyalty does not currently operate in the United States and does not knowingly collect, use, or disclose Personal Information of residents of the United States. This United States Addendum is included as a forward-looking template and will be activated and updated if and when Stomp Loyalty commences operations in the United States or becomes subject to U.S. state privacy laws.

If this addendum becomes applicable, Stomp Loyalty will update this Privacy Policy to include the name and contact information of the U.S. legal entity, specific state-by-state disclosures as required by law, and any additional rights or obligations imposed by applicable state privacy legislation.

26.2 State-Specific Privacy Rights (CCPA / CPRA and Other State Laws, If Applicable)

If and when Stomp becomes subject to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), or other state privacy laws (such as those enacted in Virginia, Colorado, Connecticut, Utah, and other states), Stomp will provide residents of those states with the rights required under applicable law, which may include the right to know what Personal Information is collected, used, and disclosed; the right to delete Personal Information; the right to correct inaccurate Personal Information; the right to opt out of the sale or sharing of Personal Information (Stomp does not sell or share Personal Information for targeted advertising — see Section 26.4); the right to limit the use of Sensitive Personal Information; and the right to non-discrimination for exercising privacy rights.

This section will be completed if and when Stomp Loyalty becomes subject to applicable U.S. state privacy laws.

26.3 Categories of Personal Information Disclosed (CCPA Disclosures, If Applicable)

When this addendum is activated, Stomp will disclose the categories of Personal Information collected, the sources of collection, the business purposes for collection, and the categories of third parties to whom Personal Information is disclosed.

As a preview based on Stomp’s current data practices, the following table identifies the categories of Personal Information that Stomp would disclose to service providers in the ordinary course of its operations. Stomp does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising or targeted advertising purposes.

26.4 “Do Not Sell or Share” Disclosure

Stomp Loyalty does not sell Personal Information, as defined under the CCPA/CPRA or any other applicable law. Stomp does not share Personal Information for cross-context behavioral advertising or targeted advertising. Stomp does not use advertising networks, data brokers, or lookalike audience tools. Because Stomp does not sell or share Personal Information, there is no need for a “Do Not Sell or Share My Personal Information” opt-out link; however, if required by applicable law upon commencement of U.S. operations, Stomp will implement such a mechanism and update this Privacy Policy accordingly.

PART XI — GENERAL

27. Changes to This Privacy Policy

27.1 How We Notify You of Changes

Stomp may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make changes, we will update the “Last Updated” date at the top of this Privacy Policy and, for material changes, take additional steps to notify you.

27.2 Material vs. Non-Material Changes

For material changes — meaning changes that significantly affect the way we collect, use, or disclose your Personal Information or that materially reduce your rights under this Privacy Policy — Stomp will provide prominent notice before the changes take effect. This notice may be provided through an in-app notification in the Wallet App or Merchant Admin Console, an email to the address associated with your account, or a prominent notice on the platform’s login or onboarding screens.

For non-material changes — such as typographical corrections, formatting updates, or clarifications that do not alter the substance of our data practices — updating the “Last Updated” date at the top of this Privacy Policy will constitute sufficient notice.

27.3 Continued Use After Changes

Your continued use of the Stomp platform after the effective date of any changes to this Privacy Policy constitutes your acknowledgment of the updated policy. Where applicable law requires us to obtain your consent for material changes, we will do so before the changes take effect. If you do not agree with the updated Privacy Policy, you may discontinue your use of the platform and request deletion of your account as described in Section 13.4.

28. Contact Information

28.1 Canada Entity Contact

Stomp Loyalty Inc. Email: contact@stomployalty.com Phone: +16048683974

28.2 India Entity Contact

Stomp Loyalty Private Limited Email: contact@stomployalty.com Phone: +16048683974

28.3 Data Protection Officer / Grievance Officer (India)

Privacy Officer (Canada): Name: Sarthak Garg Email: privacy@stomployalty.com

Grievance Officer (India): Name: Sarthak Garg Email: privacy@stomployalty.com Phone: +16048683974

28.4 How to Submit a Privacy Request, Complaint, or Inquiry

You may submit a privacy request, complaint, or inquiry through any of the following channels:

• Email: privacy@stomployalty.com

Please include sufficient information to verify your identity and describe your request or concern. Stomp will acknowledge receipt of your request and respond within the timelines described in Section 16.8 and the applicable Regional Addendum.

29. Version History and Effective Date

© 2026 Stomp Loyalty Inc. and Stomp Loyalty Private Limited. All rights reserved.

This Privacy Policy is provided in English. In the event of any conflict between translated versions and the English version, the English version shall prevail.