Digital Stamp Card & GDPR
You want to use a digital stamp card but are unsure whether it's GDPR-compliant? Understandable. As a business owner, you want customer loyalty — but not at the expense of data protection. This guide answers every question you have about data protection and digital stamp cards. Clear, honest, without legal jargon.
TL;DR
Stempely is GDPR-compliant. No names, no emails, no phone numbers. Customers remain anonymous. Servers in Germany. No data sharing with third parties.
Ironically, handwritten customer lists next to the cash register are the real GDPR risk — more on that below.
Business owners who retain customers in a GDPR-compliant way
"We previously had a handwritten customer list next to the till. When I found out that could be a GDPR problem, I immediately switched to Stempely. Now everything is anonymous and still effective."
M. B.
Bakery owner, Stuttgart
"My accountant asked me whether my stamp cards were GDPR-compliant. With Stempely I could show right away: no personal data, servers in Germany. Case closed."
T. K.
Café owner, Hamburg
"Push notifications were the sticking point for me. With Stempely everything runs via opt-in and anonymous IDs. My lawyer gave the green light — no concerns."
S. R.
Hair salon owner, Munich
Understanding Data Protection
What does a digital stamp card store?
The most important question first: what data actually ends up on the server when a customer uses your stamp card?
With Stempely the answer is: as little as possible. When a customer scans your QR code, the following happens:
- Anonymous device ID: A randomly generated ID that cannot be traced back to a person
- Stamp count: How many stamps the customer has collected
- Reward status: Whether a reward can be redeemed or has already been redeemed
- Last visit: When the last stamp was scanned — as a date, without time tracking
- Name or real name: Not collected — Stempely never asks for it
- Email address: Not collected — no account required
- Phone number: Not collected — push runs via anonymous device ID
- Location data: No GPS tracking, no geofencing, no movement profiles
In summary: Stempely knows that "Device #A7x9" has 7 stamps at your business. Stempely does not know that the device belongs to Lisa Müller, 34 years old, living at Hauptstraße 12. And that is exactly the point.
Is Stempely GDPR-compliant?
Yes — and not because we have a 40-page privacy policy, but because the system is built from the ground up so that it does not need any personal data.
The GDPR applies when personal data is processed — i.e. data that can be attributed to a specific person. Since Stempely works exclusively with anonymous device IDs and stores no identifying information, the vast majority of GDPR requirements do not apply.
- 0 personal data points per customer
- DE/EU server location — data does not leave the EU
- 0 third parties with access to customer data
What Stempely specifically does for GDPR compliance:
- Privacy by Design: The system collects no personal data from the outset
- Data minimisation: Only the data technically required for the stamp card
- Servers in Germany/EU: No data transfer to third countries
- No data sharing: Neither to advertising partners nor to data brokers
- Opt-in for push: Notifications only with the customer's active consent
- No tracking: No cookies, no fingerprinting, no movement profiles
Do customers need to give consent?
This is the question that unsettles business owners the most. The short answer: No, no separate consent declaration is required.
Why? Because the GDPR only requires consent when personal data is processed. Since Stempely does not collect such data, the consent obligation does not apply.
What does happen is an active action by the customer: they download the app, scan the QR code and consciously decide to participate in your loyalty programme. This is not passive data collection — it is a voluntary, informed decision.
Comparison: Consent
- Classic newsletter system: Email address required. Double opt-in mandatory. Consent declaration to be documented. Right to withdraw to be explained. Retention obligations to be observed.
- Stempely stamp card: No email. No account. No double opt-in. The customer scans, collects stamps, redeems rewards. Done. No consent declaration required.
Where is the data stored?
All Stempely data is stored on servers in Germany and the EU. There is no data transfer to the USA or other third countries.
Why this matters: Since the Schrems II ruling by the ECJ, data transfers to the USA are legally problematic. Many SaaS tools use AWS, Google Cloud or Azure with US data centres — creating a compliance risk for their customers. Stempely bypasses this problem entirely.
Stempely
- Servers in Germany/EU
- No data transfer to third countries
- GDPR-compliant infrastructure
- Data stays in the EU
Many other tools
- Servers in the USA (AWS, Google Cloud)
- Data transfer to third countries
- Schrems II risk
- Additional contractual clauses required
Are paper stamp cards better from a data protection perspective?
Many people think so — but the opposite is true.
A paper stamp card in itself is data-protection-neutral. It contains no personal data. The problem lies elsewhere: in the practices that develop around it.
What many businesses do on the side (and are not allowed to do):
- Keep handwritten customer lists with names and phone numbers
- Store customer data in unsecured Excel spreadsheets on a laptop
- Collect business cards and use them for marketing without consent
- Create WhatsApp groups with customer numbers
All of these are processing of personal data — and therefore subject to GDPR. You need a legal basis, a record of processing activities, a privacy policy and the documented consent of each individual customer.
With Stempely none of that happens — no name, no number, no list. The app makes the handwritten customer list superfluous and thus eliminates the biggest GDPR risk in the shop.
Push notifications and data protection
Push notifications are one of the biggest advantages of a digital stamp card: you can bring back inactive customers, launch flash promotions or remind customers that they are close to their reward. But are push notifications actually GDPR-compliant?
Yes — when implemented correctly. And with Stempely that is exactly the case.
- Opt-in via the operating system: When a customer installs the app, iOS or Android explicitly asks: "Can this app send you notifications?" Push notifications are only activated on "Yes".
- Anonymous delivery: The push notification is sent to an anonymous device ID. Stempely knows neither the name nor the email of the recipient. It is technically impossible to attribute the message to a person.
- Deactivatable at any time: The customer can deactivate push notifications at any time in the system settings — without deleting the app, without contacting you. Full control with the customer.
Comparison with email marketing: For a newsletter you need the customer's email address, a double-opt-in confirmation, documented consent and a functioning unsubscribe option. With Stempely push you need: none of that. The customer decides via the system setting — and you send to an anonymous ID.
To check off
Checklist: GDPR-compliant customer loyalty
7 points you should check as a business owner — whether you use Stempely or not.
- No handwritten customer lists: If you collect names and phone numbers on paper, you need a legal basis and the documented consent of each customer.
- No unsecured Excel spreadsheets: Customer data in an Excel file on a laptop? Without encryption and access control that is a GDPR violation.
- No WhatsApp marketing without consent: WhatsApp groups or broadcast lists with customers are unlawful without documented consent — and WhatsApp itself is problematic from a data protection perspective.
- Display privacy policy in the shop: If you process personal data (e.g. for a newsletter), a privacy policy must be available.
- Maintain a record of processing activities: Every company must document what data it processes. With Stempely the entry is minimal, since no personal customer data is collected.
- Push notifications only with opt-in: Notifications to customers may only be sent if the customer has actively agreed. With Stempely the operating system handles this automatically.
- Store data on EU servers: If you use digital tools, make sure the data stays in the EU. Stempely stores everything in Germany — no third-country transfer.
Data protection meets customer loyalty
GDPR-compliant and still full oversight
Anonymous data does not mean less insight. You see stamps, rewards and activity — without ever knowing a name.
- Total customers: 1.281
- Total stamps: 6.316
- Redeemed rewards: 3.114
- Stamps today: Live

Real production data. All customers anonymous — no names, no emails, no phone numbers visible.
Choose your plan
Start free and upgrade as your business grows.
Basic
- Up to 50 stamp cards
- Digital loyalty card
- QR code scanner
- Basic statistics
- Customer management
- Configurable stamp card
- Contactless stamps (NFC)
- Send offers & reminders
Business
- Unlimited stamp cards
- All Basic features
- QR code with logo
- Advanced statistics
- CSV export
- Automatic reminders
- Contactless stamps (NFC)
- Send offers & reminders
Premium
- All Business features
- Contactless stamps (NFC)
- 2x NFC tags included
- Send offers & reminders
- Multi-location
- Multiple stamp cards
- Priority support
- Custom app
Enterprise
On request
- Custom app with your branding
- Custom logo & design
- Custom logic & workflows
- Unlimited locations
- Dedicated account manager
- Custom integrations
- Everything from Premium
- Unlimited scalability
All prices exclude applicable VAT.
8 frequently asked questions: Digital stamp card & GDPR
What personal data does Stempely store?
Stempely stores no personal data such as names, email addresses or phone numbers. Customers are identified exclusively via an anonymous device ID. As a business owner you only see: stamp count, reward status and last visit — without knowing exactly who the person is.
Do I need a consent declaration from my customers?
Since Stempely does not process personal data, no separate consent declaration is required. Downloading the app and scanning the QR code is an active, voluntary action by the customer. No cookies are set and no tracking is carried out.
Where is Stempely data stored?
All data is stored on servers in Germany and the EU. Stempely does not use US cloud services where a transfer of data to third countries could take place. The data does not leave the EU.
Are paper stamp cards harmless from a data protection perspective?
No, on the contrary. Many businesses keep handwritten customer lists with names and phone numbers on the side — this is processing of personal data and requires a legal basis under GDPR. Paper stamp cards themselves are data-protection-neutral, but the surrounding practice often is not.
Does Stempely share data with third parties?
No. Stempely does not sell, share or transfer customer data to third parties. Your business data and the anonymised stamp data belong to you. There are no advertising partners, no data brokers and no tracking by third-party providers.
How do push notifications work in a data-protection-compliant way?
Push notifications are only sent if the customer has actively allowed them in the app (opt-in via the operating system). The message is sent to an anonymous device ID — Stempely knows neither the name nor the email of the recipient. Customers can deactivate notifications at any time in the system settings.
Do I as a business owner need to maintain a record of processing activities?
In principle yes — every company must maintain a record of processing activities pursuant to Art. 30 GDPR. However, since Stempely does not process personal customer data, the entry is minimal. Processing is limited to anonymous stamp data and your own business data (login, email).
Can I use Stempely without customers installing an app?
No, the app is required — but that is exactly what makes it privacy-friendly. There is no web tracker, no cookies, no hidden profiling. The customer actively decides whether they want to participate. No account required, no personal data, no email address.
"My accountant gave the green light — no personal data, servers in Germany. Case closed."
— T. K., Café owner, Hamburg
Retain customers in a GDPR-compliant way. Starting today.
No personal data, no consent declarations, no customer lists on paper. Your digital loyalty programme is live in 5 minutes.
The free plan stays free — no expiry date, no tricks.