Legal · Last updated 22 May 2026

Privacy Policy

Plain English. No dark patterns. If anything here is unclear, email ops.punchd.cards@gmail.com and we’ll rewrite it.

Who we are

Punchd, based in Surat, India. We build wallet-native loyalty cards for small businesses. The data controller for everything in this policy is Punchd, unless you’re a customer of a merchant using Punchd, in which case the merchant is the controller of your personal data and we are a processor acting on their behalf.

What we collect from merchants

When you sign up to run a loyalty program, we collect: your name, email, business name, phone number, address (optional), and the content you author, your card designs, push notification copy, and the customer records you upload. We also log standard server telemetry (IP, user-agent, timestamps) for security and debugging.

What we collect from cardholders

When you enroll in a merchant’s loyalty program through Punchd, the merchant collects your name and phone number (and optionally email, birthday, anniversary, etc., only what their signup form asks). We store this on their behalf. We also create a unique pass serial and an Apple/Google Wallet pass for your phone.

What we don't do

We don’t sell personal data. We don’t use it to train third-party AI models. We don’t share it across merchants, each merchant only sees their own customer list, never anyone else’s. We don’t track you across the internet.

Push notifications

When a merchant sends a push to your wallet pass, Apple or Google relays the message, we don’t know if you opened it unless you scan the pass at the counter. You can stop messages from any merchant by opening the pass in your wallet, going to the back, and tapping “Stop messages.”

How long we keep it

Customer records stay live while the merchant’s account is active. If you ask the merchant to remove you, your record is deleted within 30 days. Server logs are kept for 90 days. Backups are rolling 30-day. If the merchant cancels Punchd, their data is purged within 60 days of cancellation.

Your rights (DPDP / GDPR)

You can ask the merchant for a copy of the data they hold on you, ask them to correct it, ask them to delete it, or ask them to stop processing it for marketing. The merchant must respond within 30 days. If they don’t, email us at ops.punchd.cards@gmail.com and we’ll escalate.

Data location

Your data is stored and processed on secure, industry-standard cloud infrastructure, with the primary database hosted in India. We use trusted providers for hosting, email, and wallet-pass delivery, and we require each of them to protect your data under appropriate safeguards.

Cookies & analytics

We use first-party session cookies for sign-in. We don’t use Google Analytics, Facebook Pixel, or any third-party tracking pixels. We use Vercel Analytics for aggregate page-view counts, it doesn’t collect personal data and doesn’t set tracking cookies.

Children

Punchd is not directed to children under 13. Merchants must not enroll anyone under 13 in their loyalty program.

Changes to this policy

We’ll post the new version here and bump the “Last updated” date at the top. The current version is always the one on this page, so please check back here for changes.

Contact

ops.punchd.cards@gmail.com · Surat, Gujarat, India.