Stempel

Privacy Policy

Last updated: 23 March 2026

1. Who We Are

Stempel is a software service that helps hostel staff digitise guest check-in by scanning passport data pages with a phone camera. The service is operated by [YOUR NAME / COMPANY NAME], located at [YOUR ADDRESS] ("we", "us", "our").

For questions about this policy or to exercise your data rights, contact us at [YOUR EMAIL ADDRESS].

2. What Data We Collect

We collect two categories of data:

Account data — when you register, we collect your full name, email address, hostel name, country, and optional phone number. This data is used to operate your account and send service-related communications.

Passport data — when a staff member performs a guest check-in scan, we collect the data displayed on the passport data page: surname, given names, nationality, date of birth, passport number, expiry date, place of birth, issuing country, and a photograph of the scanned page. We also store a staff-entered arrival date and optional notes.

Passport data is considered sensitive personal data under the GDPR. It is collected solely to fulfil the hostel's legal obligation to record guest identity information as required under applicable national registration laws (e.g. the German Bundesmeldegesetz).

3. Legal Basis for Processing

We process your data on the following legal bases under Article 6 and Article 9 of the GDPR:

  • Contract (Art. 6(1)(b)) — account data is processed to provide the service you have subscribed to.
  • Legal obligation (Art. 6(1)(c) / Art. 9(2)(b)) — passport data is processed to assist hostels in meeting their legal obligation to record guest identity under national law.
  • Legitimate interests (Art. 6(1)(f)) — we process minimal technical data (e.g. logs) to maintain the security and integrity of the service.

4. Third Parties We Share Data With

We use the following third-party services to operate Stempel. Each acts as a data processor on our behalf:

Supabase (database & file storage)

Your account data and passport records are stored in a Supabase database hosted in West EU — Ireland. Data never leaves the EU for storage purposes. See the Supabase Privacy Policy.

OpenAI (AI data extraction)

When a passport is scanned, the image is sent to OpenAI's API in the United States for automatic text extraction. OpenAI does not use API-submitted data to train its models and processes data under a Data Processing Agreement. Transfers to the US are covered by Standard Contractual Clauses and the EU–US Data Privacy Framework. See the OpenAI Privacy Policy.

Stripe (payments)

Subscription payments are handled by Stripe. We do not store payment card details. Stripe processes payment data in the US under its own GDPR-compliant terms. See the Stripe Privacy Policy.

Resend (transactional email)

We use Resend to send account-related emails (welcome, password reset). Your email address is shared with Resend for this purpose only. See the Resend Privacy Policy.

We do not sell your data or the data of your guests to any third party.

5. Data Retention

Account data is retained for as long as your subscription is active. If you delete your account, account data is deleted within 30 days.

Passport records and scan images are retained for 3 years from the date of creation to meet typical national guest registration requirements. You may delete individual records at any time from within the app.

6. Data Security

All data is encrypted in transit (TLS) and at rest. Passport scan images are stored in a private storage bucket — they are never publicly accessible. Each user can only access their own records. We use Supabase Row Level Security to enforce this at the database level.

7. Your Rights Under the GDPR

As a data subject in the EU, you have the following rights:

  • Right of access — request a copy of the data we hold about you.
  • Right to rectification — ask us to correct inaccurate data.
  • Right to erasure — request deletion of your data ("right to be forgotten").
  • Right to data portability — receive your data in a machine-readable format (CSV export is available within the app).
  • Right to object — object to processing based on legitimate interests.
  • Right to lodge a complaint — you may file a complaint with your local data protection authority. In Germany, this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).

To exercise any of these rights, email us at [YOUR EMAIL ADDRESS]. We will respond within 30 days.

8. Cookies

Stempel uses only essential session cookies required for authentication. We do not use tracking, advertising, or analytics cookies.

9. Changes to This Policy

We may update this policy from time to time. When we do, we will update the "last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.