GDPR Compliance

Last Updated: January 2024

This page provides information about Club Card's compliance with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), United Kingdom, and Switzerland.

1. Data Controller

For the purposes of GDPR, Club Card is the data controller responsible for your personal data. You can contact us regarding data protection matters at:

Email: flxcodelab@gmail.com

Subject Line: "GDPR Data Request"

2. Legal Basis for Processing

We process your personal data under the following legal bases:

Processing Activity | Legal Basis
Storing loyalty cards locally | Consent (by using the App)
Cloud synchronization | Consent (opt-in when signing in)
Analytics and app improvement | Legitimate interest
Advertising (AdMob) | Consent (can be withdrawn)
Customer support | Legitimate interest
Legal compliance | Legal obligation

3. Your Data Protection Rights

Under GDPR, you have the following rights:

3.1 Right to Access (Art. 15 GDPR)

You have the right to obtain:

  • Confirmation that we process your personal data
  • A copy of your personal data
  • Information about how we process your data

How to exercise: Go to Settings → Account → Export My Data in the App, or email flxcodelab@gmail.com.

3.2 Right to Rectification (Art. 16 GDPR)

You have the right to correct inaccurate or incomplete personal data.

How to exercise: Edit your card information directly in the App, or contact us for assistance.

3.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary
  • You withdraw consent
  • You object to processing
  • The data was unlawfully processed

How to exercise: Go to Settings → Account → Delete Account in the App. This will permanently delete:

  • Your cloud-synced card data
  • Your account information
  • All associated analytics data

Note: Local data on your device must be deleted by uninstalling the App.

Quick Action: Submit a data deletion request online through our secure web form and we'll process it within 30 days.

3.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to restrict processing when:

  • You contest the accuracy of data
  • Processing is unlawful but you prefer restriction to deletion
  • We no longer need the data but you need it for legal claims

How to exercise: Contact flxcodelab@gmail.com with your request.

3.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, machine-readable format and transmit it to another service.

How to exercise: Go to Settings → Account → Export My Data to download a JSON file containing all your card data.

3.6 Right to Object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interests, including:

  • Analytics: Opt out in Settings → Privacy → Analytics
  • Personalized Ads: Opt out in your device settings or in Settings → Privacy → Ad Preferences

3.7 Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR)

Club Card does not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

3.8 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you can withdraw it at any time:

  • Cloud Sync: Sign out in Settings → Account
  • Camera Access: Revoke in device settings
  • Analytics: Disable in Settings → Privacy

Note: Withdrawal does not affect the lawfulness of processing before withdrawal.

4. Data We Collect

4.1 Personal Data

  • Account Data (optional): Google email address, profile name
  • Loyalty Card Data: Card names, numbers, barcodes, store names, colors
  • Device Data: Device ID, OS version, app version
  • Usage Data: App interactions, feature usage, crash reports

4.2 Data We DO NOT Collect

  • Credit card or payment information
  • Government-issued ID numbers
  • Precise geolocation data
  • Health or biometric data
  • Photos or camera images (only barcode metadata)

5. How We Use Your Data

We process personal data for the following purposes:

  • Service Provision: Store and display your loyalty cards
  • Cloud Synchronization: Sync cards across your devices (opt-in)
  • Analytics: Improve app performance and user experience
  • Advertising: Display relevant ads to support the free service
  • Support: Respond to your inquiries and provide assistance

6. Data Sharing and Transfers

6.1 Third-Party Processors

We share data with the following processors, all of which are GDPR-compliant:

Service | Purpose | Data Transferred | Location
Firebase (Google) | Cloud storage, authentication, analytics | Account email, card data, usage data | EU & US (with SCCs)
Google AdMob | Advertising | Device ID, IP address, usage data | EU & US (with SCCs)

6.2 International Transfers

Your data may be transferred to and processed in countries outside the EEA, including the United States. We ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs): Google/Firebase uses EU-approved SCCs
  • Adequacy Decisions: Where available (e.g., UK, Switzerland)
  • Data Protection Impact Assessments: Regular assessments of transfer risks

6.3 No Data Sales

We do NOT sell, rent, or trade your personal data to third parties.

7. Data Retention

Data Type | Retention Period
Local card data | Until you delete or uninstall
Cloud-synced data | Until account deletion + 30 days
Analytics data | 26 months (Firebase default)
Crash reports | 90 days
Support communications | 3 years
Legal compliance data | As required by law

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

Technical Measures

  • Encryption in Transit: TLS 1.2+ for all network communications
  • Encryption at Rest: AES-256 for cloud-stored data
  • Secure Authentication: OAuth 2.0 via Google Sign-In
  • Access Controls: Role-based access to backend systems
  • Regular Security Audits: Quarterly vulnerability assessments

Organizational Measures

  • Data minimization principles
  • Privacy by design and by default
  • Staff training on data protection
  • Incident response procedures

9. Data Breach Notification

In the event of a personal data breach:

  • We will notify the relevant supervisory authority within 72 hours (if required)
  • We will notify affected users without undue delay if there is a high risk to their rights
  • Notifications will include: nature of breach, likely consequences, and mitigation measures

10. Children's Privacy

Club Card is not directed at children under 16 (or applicable age of consent in your country). We do not knowingly collect data from children. If we discover such collection, we will delete it immediately.

If you are a parent and believe your child has provided us with personal data, contact flxcodelab@gmail.com.

11. Consent Management

You can manage your consent at any time:

Consent | How to Withdraw
Cloud Sync | Settings → Account → Sign Out
Camera Access | Device Settings → Apps → Club Card → Permissions
Analytics | Settings → Privacy → Disable Analytics
Personalized Ads | Settings → Privacy → Ad Preferences, OR Device Settings → Google → Ads

12. Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your rights under GDPR.

EU Data Protection Authorities: Find your authority

13. Data Protection Officer (DPO)

For GDPR-related inquiries, contact our Data Protection Officer:

Email: flxcodelab@gmail.com

Subject Line: "Attn: Data Protection Officer"

We will respond within 30 days as required by GDPR.

14. How to Exercise Your Rights

Follow these steps to exercise your GDPR rights:

Step 1: Identify Your Request

Determine which right you want to exercise (access, deletion, portability, etc.).

Step 2: Use In-App Tools (Fastest)

  • Access/Export Data: Settings → Account → Export My Data
  • Delete Account: Settings → Account → Delete Account
  • Edit Data: Directly edit cards in the App

Step 3: Contact Us (If Needed)

If in-app tools are insufficient, email flxcodelab@gmail.com with:

  • Subject: "GDPR Data Request - [Right Name]"
  • Your Google account email (if applicable)
  • Description of your request
  • Proof of identity (if requested for security)

Step 4: Receive Response

We will respond within 30 days (or 90 days for complex requests, with notice).

15. Updates to This Page

We may update this GDPR compliance page to reflect changes in our practices or legal requirements. Check the "Last Updated" date at the top.

16. Contact Information

General Privacy Inquiries

Email: flxcodelab@gmail.com

GDPR-Specific Requests

Email: flxcodelab@gmail.com

Subject: "GDPR Data Request"

Data Protection Officer

Email: flxcodelab@gmail.com

Subject: "Attn: Data Protection Officer"

Response time: Within 30 days as required by GDPR Article 12(3)

© 2026 Club Card. All rights reserved. GDPR Compliant.