PRIVACY POLICY OF STAMP CO S.L.
Last updated: [*] May 2026
- Glossary & Definitions
- “GDPR”: Regulation (EU) 2016/679 (General Data Protection Regulation).
- “LOPDGDD”: Spanish Organic Law 3/2018 on Personal Data Protection and guarantee digital rights.
- “PIPL”: Personal Information Protection Law of the People’s Republic of China.
- “DPF”: EU – US Data Privacy Framework.
- “Standard Contractual Clauses” or “SCCs”: European Commission decisions adopting standard contractual clauses for international transfers.
- “Transfer Impact Assessment” or “TIA”: an assessment of risks and measures for transfers to third countries.
- “Services”: those offered by STAMP B.V. or its subsidiaries via https://askforstamp.com and associated domains/applications, including
- Tax Free (VAT exemption at point of sale for non-EU tourists),
- (ii) Chinese Growth Suite (presence and activation on WeChat, Xiaohongshu/RED and Douyin), and
- (iii) Alternative Payments (acceptance of Chinese wallets Alipay+/WeChat Pay in the EU).
- Introduction and scope
This policy explains how we process personal data in relation to the Services. We apply GDPR, the LOPDGDD and other applicable EU data-protection and e-privacy rules. Where we address individuals in China through Chinese platforms, we also apply PIPL as set out in Annex I (PIPL Notice). If you do not agree with this Policy, please do not se the Services.
- Controller and contact details
- Controller: STAMP B.V., Herengracht 420, 1017 BZ Amsterdam, The Netherlands.
- Contact email: [*]
- Website: https://askforstamp.com
- Data Protection Officer (DPO): dpo@askforstamp.com ; postal address: Herengracht, 1017 BZ Amsterdam, The Netherlands.
- Local contact in Spain: Abel Navajas, IH Piamonte, Calle Piamonte 23, 28004 Madrid; [add email]
- Categories of personal data we process
- Data provided by users
- Identification and contact: name, surname, nationality, identity document/passport, date of birth, telephone number, email address.
- Official identification for Tax Free: information required by VAT and customs rules.
- Financial and payment data: tokenised identifiers of the payment instrument handled by PCI-DSS-certified processors; identifiers for international wallets (Alipay+/WeChat Pay); amounts, currency, transaction history, VAT pre-authorisations.
- Travel and customs data: country of residence outside the EU, planned/actual departure date, customs documentation.
- Usage and technical data: device data, advertising ID (where applicable), IP address, activity logs; geolocation only with your consent and revocable at any time.
- Merchant data
- Identification, contact and representation; contractual invoicing and payment data; information on regulatory permissions and adverse-media screening strictly for compliance purposes.
- Data obtained from third parties (Article 14 GDPR)
- From merchants (e.g., to issue Tax Free invoices), from payment service providers, acquiring banks and wallet schemes (e.g., reconciliation/fraud), from public sources and lists for AML/KYC and from social-media platforms when you interact with our content. Where we obtain data indirectly, we will provide you with the information required by Article 14 GDPR unless an exemption applies.
- Automatically collected data and cookies. We use cookies and similar technologies. Non-essential technologies (including analytics and advertising) are activated only with your consent. You can manage your preferences via the banner and settings panel. See the Cookie Policy for the detailed list of technologies, purposes and retention periods.
- Special-category data and Article 10 GDPR data. We do not intentionally collect data with Article 9 GDPR. For the purposes of anti-money laundering and counter-terrorist financing (AML/CFT) and sanctions, we may process data relating to criminal convictions and offenses or related security measures (Article 10 GDPR) where authorised by EU or National law and subject to appropriate safeguards. This processing is limited to compliance purposes and for legally mandated retention periods.
- PURPOSES AND LEGAL BASES OF PROCESSING
We process data for:
- Execution of Tax Free operations and issuance documentation: legal bases Articles 6(1)(b) and 6(1)(c).
- Processing of payments and pre-authorisations: Article 6(1)(b).
- Acceptance of alternative wallets (Alipay+/WeChat Pay): Article 6(1)(b) to execute the transaction requested by the user.
- AML/CFT, tax and customs compliance: Article 6(1)(c).
- Customer care and support: Article 6(1)(b) and, for certain enquiries, 6(1)(f).
- Marketing communications: Article 6(1)(a); “soft opt-in” only for existing customers where permitted by e-privacy rules, with an opt-out available at any time.
- Statistical analysis and service improvement: Article 6(1)(f) limited to aggregated/de-identified data or analytics based on consented cookies; we carry out and document a balancing test.
- Fraud prevention and service security: Article 6(1)(f); Article 6(1)(c) where a specified legal obligation applies.
- Defence of claims and exercise of legal actions: Article 6(1)(f).
Consequences for not providing data: where data are legally and contractually required, or necessary to provide the service (e.g. identity for Tax Free or AML/KYC), failure to provide them may prevent registration, the transaction, or the issuance of a Tax Free invoice.
- RECIPIENTS AND PROCESSORS
- Processors (suppliers): operate under Article 28 GDPR contracts with confidentiality, security, sub-processor control, assistance with rights and deletion upon termination. A current list of key processors is available on request.
- Authorities and third parties by law: tax and customs administrations, competent authorities, courts and law-enforcement bodies where legally appropriate.
- Corporate transactions: disclosures in accordance with the law in cases of reorganisation/sale.
- Joint controllership in targeted advertising: when we define audience parameters with platforms, we and the platform may be joint controllers for that specific activity; the platforms remain an independent controller for its further processing.
- INTERNATIONAL TRANSFERS
- General rule: we use the European Commission’s SCCs when the recipient is in a third country without an adequacy decision and we implement supplementary measures where necessary. We conduct and document TIAs and periodic reviews.
- United States: where the provider is certified under the DPF, we rely on that certification; otherwise, we use SCCs plus additional measures.
- China (PRC): as there is no adequacy decision, we generally use SCCs with additional technical and organisational measures. Exceptionally, where the SCC cannot be used and a transfer is strictly necessary to perform a contract at the data subject’s request, we may apply Article 49 (1)(b) GDPR in a restricted, case-by-case manner. You may request a copy or summary of the transfer safeguards at [add email].
- RETENTION PERIODS.
We retain data for as long as necessary for the purposes and thereafter keep them blocked for applicable limitation periods. In particular:
- AML/KYC and legal obligations: for the periods required by applicable law.
- Security logs and fraud-risk signals: for a period, proportionate to detection needs and chargeback windows, after which they are deleted or irreversibly anonymised.
- Marketing profiles: deleted upon withdrawal of consent; suppression lists are retained solely to honour opt-outs.
- RIGHTS OF DATA SUBJECTS
You may exercise rights of access, rectification, erasure, restriction, portability and objection and withdraw consent at any time.
- Procedure and verification: we will verify your identity before responding.
- Time limits: we will respond within one month of receipt; this may be extended by up to two further months for complexity, informing you of the reasons.
- Manifestly unfounded or excessive requests: we may refuse or charge a reasonable fee, providing reasons.
- Supervisory authorities: you may lodge a complaint with your local supervisory authority in the EEA. In Spain: AEPD.
- INFORMATION SECURITY (ARTICLE 32 GDPR)
We apply encryption in transit and at rest, access controls and MFA, key management, segregation of duties, a secure software development lifecycle, vulnerability management, periodic penetration testing, business continuity and third-party risk management. We maintain incident-response plans and notify personal-data breaches to authorities and affected individuals where required.
- COOKIES AND SIMILAR TECHNOLOGIES
Non-essential technologies require prior consent. The banner presents “Accept” and “Reject” options on an equal basis and granular controls. See the Cookie Policy for the full list of cookies/technologies, provider, purpose and retention.
- MINORS
The Services are not directed to individuals under 18. For Tax Free transactions involving minors travelling with an adult, the responsible adult must provide the minor’s data and confirm they have authority to do so.
- AUTOMATED DECISION-MAKING AND PROFILING
We use automated systems for fraud prevention and transaction risk assessment, analysing signals such as device identifiers, IP reputation, transaction velocity, geolocation (if consented), chargeback history and merchant risk indicators. Where an assessment could significantly affect you (e.g. declining a transaction), you have the right to obtain human intervention, express your point of view, and contest the decision. We also carry out marketing segmentation to personalise content; this does not produce legal or similarly significant effects and is based on your consent where tracking is involved.
- CHANGES TO THIS POLICY
We may update this Policy to reflect legal, technical or operational changes. We will provide reasonable advance notice where changes are significant.
- CONTACT
- Controller: STAMP B.V., Herengracht 420, 1017 BZ Amsterdam, The Netherlands.
- Email: [help@askforstamp.com]
- DPO: [dpo@askforstamp.com]
- Local contact (Spain): Abel Navajas, IH Piamonte, C/ Piamonte 23, 28004, Madrid; [email]
ANNEX I – NOTICE FOR INDIVIDUALS LOCATED IN THE PEOPLE’S REPUBLIC OF CHINA (PIPL)
Scope. This Annex applies when we process personal information of individuals located in the PRC in connection with our Chinese Growth Suite or other PRC-facing activities.
Identity and contact of the personal-information processor STAMP B.V., Herengracht 420, 1017 BZ Amsterdam, The Netherlands; [email]
PRC representative. We have designated the following representative for personal-information protection matters in the PRC [Name of PRC Representative, PRC EMAIL/TELEPHONE]. The name and contact method may be updated in this Policy or via notice on our channels.
Categories, purposes and legal basis. We process the data you provide on Chinese platforms (identification, contact) and interaction data with our content, for marketing and responding to your requests. We rely on your consent under the PIPL, which you may withdraw at any time.
Cross-border transfers from the PRC. Where we export your personal information outside the PRC, we comply with applicable outbound transfer mechanisms (e.g., PRC Standard Contract or certification) and obtain your separate consent after informing you of the overseas recipient’s identity and contact details, purposes, scope of processing and how to exercise your rights.
Your rights under the PIPL. You may request access, copy, correction, supplementation, deletion, and withdraw your consent. To exercise these rights, contact our PRC representative or [email: help@askforstamp.com]
Complaints. You may address queries or complaints to our PRC representative; we will endeavour to resolve them promptly.
End of document