Privacy policy
As of: May 2026
This privacy policy describes which personal data we process within the WafyCard platform ("WafyCard"), what we use it for, who we share it with, and which rights you have as a data subject.
1. Controller
2. What WafyCard does (purpose)
WafyCard is a customer retention platform for restaurants. Guests of a participating restaurant can store a digital loyalty card in Apple Wallet, Google Wallet or a web app, collect stamps/points and receive offers from their restaurant directly on their phone.
3. Which data we process
Depending on usage, we process:
- Sign-up / profile data: first name, last name, email address, optionally birthday and city.
- Wallet & pass data: a unique pass serial number and a device push token, so Apple Wallet / Google Wallet can update the card.
- Behavioural data: number of visits, redeemed coupons, timestamps, amounts booked — as far as the operator of the relevant restaurant captures them.
- Push receipts: pseudonymous statistics about whether a push was sent, delivered, opened or led to a coupon redemption.
- Consents: every granted or revoked consent for marketing push, email, profiling or delivery tracking is logged with a timestamp in an audit-proof way.
- Server logs: IP address, user agent, timestamp — processed for abuse prevention and stored for 7 days.
4. Legal bases
- Performance of a contract (Art. 6(1)(b) GDPR) — for setting up and managing your WafyCard card.
- Consent (Art. 6(1)(a) GDPR) — for marketing push, newsletter, profiling-based recommendations. You can revoke your consent at any time under "My data".
- Legitimate interests (Art. 6(1)(f) GDPR) — for abuse prevention (rate limits, audit logs).
5. Recipients / processors
We only share your data as far as it is necessary to deliver the service. Current recipients:
- Hetzner Online GmbH (Gunzenhausen, DE) — hosting of the platform and database.
- Vercel Inc. (San Francisco, USA) — hosting of the web apps. Data transfer based on EU-US Data Privacy Framework + Standard Contractual Clauses.
- Apple Inc. (Cupertino, USA) — Apple Wallet PassKit Web Service + APNs push delivery. Standard Contractual Clauses.
- Google Ireland Ltd. (Dublin, IE) — Google Wallet loyalty passes and Web Push delivery. EU establishment.
- Anthropic PBC (San Francisco, USA) — generation of campaign text suggestions for restaurant operators. We transmit only aggregated segment counts, never emails, names or IDs. Standard Contractual Clauses.
- Stripe Payments Europe Ltd. (Dublin, IE) — billing of the restaurant operators. Non-restaurant guests are not processed here.
6. Third-country transfers
Some recipients are based outside the EU/EEA (USA). Transfers take place under the EU-US Data Privacy Framework and/or Standard Contractual Clauses pursuant to Art. 46(2) GDPR. We continuously review the adequacy of these safeguards.
7. Storage duration
- Active cards: as long as you participate.
- After a deletion request: immediate soft-delete (no more marketing), full deletion of personal fields after 30 days.
- Server logs: 7 days.
- Consent audit log: up to 3 years after end of contract for proof obligations.
8. Your rights
Under GDPR you have the right to:
- Access your stored data (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw granted consents — the lawfulness of processing up to that point remains unaffected
You can exercise most of these rights directly under "My data": view your profile, toggle consents, download a JSON export or have your account deleted.
9. Right to lodge a complaint
If you believe a processing operation violates GDPR, you can lodge a complaint with a supervisory authority — e.g. the Baden-Württemberg State Commissioner for Data Protection and Freedom of Information, Postfach 10 29 32, 70025 Stuttgart.
10. Privacy contact
For all data-protection matters reach us at info@algebra-ec.de — please write "Privacy / WafyCard" in the subject line.
11. Changes
We may amend this privacy policy when technical processing, recipients or legal bases change. The current version is always available here.