Effective Date: March 1, 2025

GDPR Compliance Policy

This GDPR Policy supplements our Privacy Policy and applies specifically to users located in the European Economic Area (EEA), the United Kingdom, and jurisdictions with similar data protection requirements.

1. Lawful Basis for Processing

We only process your personal data when we have a legal basis to do so under Article 6 of the GDPR:

  • Consent: When you explicitly opt in to the “Virtual Barker” (Location Services) or marketing emails.

  • Contractual Necessity: To provide the loyalty services you signed up for (e.g., tracking your stamps).

  • Legitimate Interests: To improve our AI algorithms, prevent fraud (OCR receipt verification), and secure our platform.

2. Data Subject Rights

Under the GDPR, you have the following rights regarding your data:

  • Right to Access (Article 15): You can request a copy of the personal data we hold about you.

  • Right to Rectification (Article 16): You can ask us to correct inaccurate or incomplete information.

  • Right to Erasure (Article 17): Also known as the “Right to be Forgotten.” You can request that we delete your data (this will result in the loss of your loyalty stamps).

  • Right to Data Portability (Article 20): You can request your data in a structured, machine-readable format to move it to another service.

  • Right to Object (Article 21): You can object to the processing of your data for direct marketing or based on legitimate interests.

3. Special Category: Real-Time Location Data

The Virtual Barker relies on high-precision location data.

  • Privacy by Design: We do not store a persistent history of your movements. Our AI processes location “events” in real time to determine if you are near a Merchant and then discards the raw coordinates unless a transaction is initiated.

  • Granular Consent: You can withdraw your location consent at any time via your browser or device settings.

4. AI Transparency (Automated Decision Making)

Our Agentic AI makes automated decisions about which notifications to send you.

  • No Legal Effect: These decisions do not have “legal or similarly significant effects” (Article 22); they are purely for marketing and rewards.

  • Logic Involved: The AI uses your proximity to a shop and your past loyalty history to suggest relevant rewards.

5. International Data Transfers

As a Canadian company (FilCan Technologies LLC) operating globally:

  • Adequacy: The EU recognizes Canada’s PIPEDA as providing “adequate protection,” meaning data transfers from the EU to our Canadian headquarters are legally permitted.

  • Standard Contractual Clauses (SCCs): For data processed in the GCC or stored on global cloud servers (e.g., AWS/Google Cloud), we use SCCs to ensure your data remains protected to EU standards.

6. Data Retention

We retain your personal data only as long as your account is active or as needed to provide you with services. If your account is inactive for 24 months, we will anonymize or delete your data unless a legal obligation requires us to keep it.

7. Data Protection Officer (DPO)

We have appointed a Data Privacy Lead to oversee our GDPR compliance. Contact: privacy@stampablelabs.io