Legal

Privacy policy

Last updated: April 2026

Plain language summary

✓We only collect what we need to run your loyalty programme.
✓Your data is stored on servers in the EU (Ireland).
✓We never sell your data. Ever.
✓You can delete your data at any time — we make it easy.
✓We send emails only with your consent.

1. Who we are

Myndel ("we", "us") is a digital loyalty platform operated from Helsinki, Finland. We act as a data controller for shop owner account data, and as a data processor for customer data collected on behalf of shops.

2. What data we collect

2.1 Shop owners

When you create a Myndel account, we collect:

Email address and password (or Google account identifier)
Shop name, tagline, brand colour, logo
Reward programme settings and email templates
Usage data (logins, actions taken in the dashboard)

2.2 Loyalty programme participants

When a customer joins a shop's loyalty programme through Myndel, we collect on behalf of the shop:

First name, last name
Phone number
Email address
Date of birth (optional — only if the shop enables birthday emails)
Consent choices (loyalty emails, marketing emails)
Visit history and stamp records
Email communications sent

This data is collected and stored on behalf of the shop. The shop is the data controller for this data; Myndel is the processor.

2.3 Technical data

We automatically collect limited technical data when you use the platform:

IP address (not stored beyond session)
Browser type and device type
Pages visited within the platform

We do not use third-party analytics trackers or advertising pixels.

3. Legal basis for processing (GDPR)

We process personal data under the following lawful bases:

Contract — processing necessary to provide the Myndel service to shop owners
Consent — loyalty and marketing emails sent to participants, based on explicit opt-in at registration
Legitimate interests — security logging, fraud prevention, and platform improvement
Legal obligation — retaining certain records as required by Finnish and EU law

4. How we use your data

We use the data we collect to:

Operate the Myndel platform and provide the loyalty card service
Send loyalty-related emails (stamp updates, reward alerts, win-back messages) — with consent
Allow shop owners to manage their customer relationships
Improve the platform and fix technical issues
Comply with legal obligations

We do not use your data for advertising, profiling, or automated decision-making that has legal or significant effects.

5. Data sharing

We share data only with the following categories of recipients:

Supabase — our database and authentication provider. Data is stored in their EU (Ireland) region. Supabase is GDPR-compliant and has a Data Processing Agreement in place.
Resend — our email delivery provider. Email content and recipient addresses are shared only to deliver transactional emails. Resend is GDPR-compliant.
Shop owners — shops can see the data of their own customers. They cannot see data from other shops.

We do not sell, rent, or share your data with advertisers or data brokers. Ever.

6. Data storage and security

All data is stored on servers located in the European Union (Ireland). We use industry-standard security measures including:

Encrypted connections (HTTPS/TLS) for all data in transit
Row-level security ensuring shops can only access their own customers' data
Hashed passwords — we never store passwords in plain text
Access controls limiting which team members can access production data

7. Your rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

Right of access — you can request a copy of the data we hold about you
Right to rectification — you can correct inaccurate data
Right to erasure — you can request deletion of your data. For loyalty participants, this can be done directly via the "delete my data" link on your card page or in any email we send you
Right to restrict processing — you can ask us to limit how we use your data
Right to data portability — you can request your data in a machine-readable format
Right to object — you can object to processing based on legitimate interests
Right to withdraw consent — you can unsubscribe from emails at any time using the link in any email

To exercise any of these rights, contact us at hello@myndel.app. We will respond within 30 days.

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) if you believe your rights have been violated.

8. Cookies

Myndel uses strictly necessary cookies only:

Authentication cookie — keeps shop owners logged in during a session. This is essential for the platform to function and does not require consent under ePrivacy rules.

We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

9. Data retention

We retain data for the following periods:

Shop owner accounts — retained while the account is active, plus 90 days after deletion to allow account recovery
Customer loyalty data — retained while the shop account is active. Deleted immediately when a customer exercises their right to erasure
Email logs — retained for 12 months for delivery troubleshooting
Technical logs — retained for 30 days

10. Children

Myndel is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to shop owners by email at least 30 days before they take effect. The current version is always available at myndel.app/legal/privacy.

12. Contact

For any privacy-related questions or to exercise your rights:

hello@myndel.app

Myndel · Helsinki, Finland

Finnish Data Protection Ombudsman: tietosuoja.fi

Also see our Terms of Use for the rules governing use of the Myndel platform.