SadaKart ("SadaKart," "we," "us," or "our") provides a loyalty and wallet pass platform for businesses ("Companies") and their end customers ("Customers"). This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our websites, APIs, dashboards, mobile wallet integrations, and related services (the "Services").

This Policy applies to information processed when Companies use our business tools and when Customers enroll in a loyalty program, install or use a digital pass, or interact with QR onboarding or scanning flows operated by a Company using SadaKart.

Depending on the context, SadaKart may act as a data controller (for example, for account administration, billing, security, and our own marketing) or as a processor or service provider processing personal information on behalf of a Company (for example, Customer loyalty data managed through the Company's program). Companies that use SadaKart to process Customer data are responsible for providing their own privacy notices to Customers and for obtaining any required consents. Where applicable data protection laws distinguish "controllers" and "processors," Companies are typically the controller for Customer relationship data, and SadaKart processes such data under the Company's instructions to deliver the Services, subject to this Policy and our agreement with the Company.

3.1 Information Companies Provide. We may collect: business and account identifiers (e.g., company name, slug, contact email, phone); postal address fields (e.g., street, city, state, postal code, country); authentication credentials (processed to secure accounts); branding and program configuration (e.g., logos, pass colors, descriptions, stamp names, icon URLs, loyalty rules); billing and subscription data (e.g., Stripe customer and subscription identifiers, plan name, payment status, billing dates); usage and program statistics (e.g., customer counts, check-ins, stamps earned or redeemed, notifications sent); and communications you send to us (support tickets, feedback).

3.2 Information Customers Provide or Generate. When Customers join a program or use a pass, we may collect: name, phone number, email address; optional date of birth; a customer or member code used for scanning; loyalty state (e.g., stamp counts, awards); transaction or event records tied to the program; preferred or used wallet platforms (e.g., Apple Wallet, Google Wallet, SadaWallet); optional branch or home-branch association; and device-related data needed for wallet services (see below).

3.3 Automatically Collected Technical Data. We may collect IP addresses, approximate location derived from IP or Company-provided address processing, timestamps, user agents, API request metadata, error logs, and security signals (e.g., rate limit events). Our API infrastructure may use standard security technologies (HTTPS, headers, CORS rules) as described in our technical documentation.

3.4 Information from Third Parties. We receive payment and subscription status from payment processors (e.g., Stripe), and may receive address or mapping data when Companies use geocoding features (e.g., Google Maps API).

To deliver and update digital passes, we process data required by Apple Wallet, Google Wallet, and related systems, which may include: pass serial numbers; authentication data associated with passes; device library identifiers; push tokens for Apple Push Notification service (APNs) or similar channels; Google Wallet object identifiers and update messages; and for SadaWallet or similar apps, device identifiers and Firebase Cloud Messaging (FCM) tokens. This processing is necessary to register devices, deliver silent or user-visible updates, and maintain pass integrity.

We use personal information to: provide, operate, and improve the Services; authenticate users and prevent fraud or abuse; process payments and manage subscriptions; generate analytics and statistics (including aggregated or de-identified insights); send service-related emails and notifications; enforce our Terms of Service, including investigating misuse such as improper use of QR codes across branches or circumvention of plan limits; comply with legal obligations; and conduct marketing and promotional activities, including use of Company names and logos as described in our Terms of Service and Section 7 below.

Subject to applicable law and our agreements with Companies, we may use Company names, logos, and public-facing branding for SadaKart's commercial marketing, case studies, website content, social media, investor materials, and statistical or industry reporting. We may combine usage data into anonymized or aggregated formats that do not identify individuals. Companies should refer to the Terms of Service for the publicity license and any opt-out mechanisms we may offer.

We may share information with: (a) service providers and subprocessors who assist us (e.g., payment processing, cloud hosting, email delivery, wallet APIs, maps, push notification infrastructure); (b) Companies, regarding their own programs and Customers as enabled by the Services; (c) professional advisors (lawyers, accountants) under confidentiality; (d) law enforcement or regulators when required by law or to protect rights and safety; (e) acquirers in a merger or asset sale, subject to appropriate safeguards; and (f) with your direction or consent. We do not sell personal information to data brokers for their independent marketing purposes. Aggregated or de-identified data may be shared for analytics and business purposes.

The Services depend on third-party platforms, which may process personal information under their own policies. Non-exhaustive examples include: Stripe (payments); Apple (PassKit, APNs); Google (Google Wallet, Maps); Amazon Web Services or similar cloud storage (e.g., for logos and assets); MongoDB or other database hosting; SMTP/email providers; Firebase/FCM for mobile push. We encourage you to review their privacy notices. SadaKart is not responsible for third-party practices beyond our contractual commitments.

We retain information for as long as necessary to provide the Services, comply with law, resolve disputes, and enforce agreements. Company account data may be retained for the life of the subscription and a reasonable period thereafter for backups, billing records, and legal compliance. Customer data may be retained while the Company remains a customer and as needed after termination for the same purposes. Loyalty and transaction records may be retained in aggregated or pseudonymous form for analytics. Retention periods may vary by data category and legal requirements.

We implement technical and organizational measures appropriate to the risk, such as encryption in transit (HTTPS), access controls, rate limiting on sensitive endpoints, security headers, and monitoring. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

Our API-first backend may not set browser cookies directly. Websites, dashboards, or marketing sites operated by SadaKart or Companies may use cookies, local storage, or analytics tools; those experiences should provide their own cookie notices. This Policy governs personal information we process through the Services as described herein.

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or object to certain processing, or to data portability. Customers should first contact the Company operating the loyalty program. Companies may manage certain Customer data through dashboard tools where available. To exercise rights with SadaKart directly, contact us at the address below. We may verify requests and deny requests that are unlawful, excessive, or jeopardize others' rights or service security.

We may process and store information in countries other than your own, including where our service providers operate. Where required, we implement appropriate safeguards (such as standard contractual clauses) for cross-border transfers.

The Services are not directed to children under 16 (or the age required by local law). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us for deletion.

We may update this Policy from time to time. We will post the revised Policy and update the "Last updated" date. Where required by law, we will provide additional notice. Continued use of the Services after the effective date constitutes acceptance unless applicable law requires express consent for material changes.

For privacy-related questions, requests, or complaints, contact SadaKart at: [email protected]. Postal address: Stefana Batorego 18 / 108, 02-591 Warszawa, Poland.