Privacy Policy 🍦
Last updated 16 May 2026
The short version
Scoop Club is a loyalty app for partner ice cream shops. We collect the minimum we need to count your scoops, give you free ones, and keep the system honest. We do not sell your personal data, we do not share it with advertisers, and we do not track you across other apps or sites.
You can delete your account in-app at any time (Profile → Delete account). That removes your sign-in, profile, every photo you've submitted, and your unclaimed free scoops.
What we collect
When you use the app anonymously
- A randomly-generated visitor ID stored on your device — used to keep your scoops on this phone before you sign in.
- Photos you submit when logging a scoop, plus the GPS coordinates at the moment of capture (used once to verify you're at a partner shop, then stored alongside the photo).
- Marketing source (UTM parameters / referrer) the first time you arrive on our site. Helps us understand which campaigns work. This is stored against your visitor ID and, if you later sign in, against your member account too.
When you sign in
- Your email address (real or Apple Hide-My-Email relay).
- Your name if your sign-in provider gives it to us (Google, Apple) or you provide it on email sign-up.
- Your profile photo if signed in via Google or Apple (used to personalise feed items).
- A push notification token if you grant permission. Used to send transactional alerts (you earned a free scoop, your scoop was redeemed) and, occasionally, important service updates (e.g. material changes to these terms). We do not use push for marketing campaigns.
What we do with your photos
Each photo you submit is sent to a third-party AI service (currently Google Gemini) which counts the visible scoops. The photo is then stored in your Scoop Club loyalty card and used for fraud detection (we keep the originals so we can verify questionable counts if a shop disputes a redemption).
At the confirm step you decide whether each photo is shared publicly:
- Public — appears in the community feed inside the app, and may also be featured on Scoop Club's own social media channels (e.g. Instagram).
- Private — only used for your loyalty card and fraud detection; never displayed externally.
You can change the share setting on a per-photo basis every time you log a scoop. Photos already submitted as public can be removed on request — see "Contact" below.
Location
We request "While Using the App" location permission only. The GPS reading happens once when you tap "Use photo" — it's used to verify you're within ~100m of a registered partner shop. We do not track your location in the background or build a movement history.
Sharing data with third parties
The only third parties that touch your data:
- Google Gemini — receives the photos you submit, returns a scoop count + a description of what it saw. Bound by Google's API terms; not used to train models.
- Supabase — our cloud database + auth provider. Stores your email, photos, redemption history.
- Vercel — hosts the API and web app.
- Expo — relays push notifications to Apple / Google's push servers.
- Resend — sends transactional email (sign-in codes, "you earned a free scoop" receipts).
We do not sell your data, we do not share it with advertisers, and we do not use it for cross-app tracking.
How long we keep things
- Photos & loyalty card data — for as long as your account exists.
- Redemption history — kept indefinitely, but anonymised (your member ID is cleared) when you delete your account. Partner shops rely on aggregate redemption counts for their own accounting.
- Operational logs & error reports — 30 days, then deleted.
Deleting your account
Profile tab → Delete account. We will permanently remove:
- Your Supabase Auth identity (sign-in).
- Your profile (email, name).
- Every photo you've submitted (database row + the file).
- Any unclaimed (pending) free scoops.
- Push notification tokens.
If you signed in with Apple, we additionally call appleid.apple.com/auth/revoke so your Apple ID stops being linked to Scoop Club.
Past redemptions stay in our records with your member ID cleared. Partner shops rely on this audit trail to reconcile the free scoops they've served, and we retain it for our own tax and accounting obligations. The remaining row can no longer be linked back to you.
Reporting inappropriate content
Every photo in the public feed has a flag icon. Tap it, choose a reason (wrong scoop count, inappropriate, other), and the report reaches our moderation team via Telegram. We review within 24 hours and remove violating content.
Children
Scoop Club is not directed at children under 13 and you must be 13 or older to use the app. We don't knowingly collect personal information from anyone under 13.
If we learn that a Scoop Club account belongs to someone under 13, we will stop serving that account and delete the associated data. If you're a parent or guardian and believe your child has signed up, email us at hello@scoopclub.app and we'll delete the account.
Security
Your data is protected in transit and at rest with industry-standard measures:
- All traffic between the app and our servers is encrypted via HTTPS / TLS 1.2+.
- Photos and account data are stored in Supabase (Postgres + Storage), which encrypts data at rest and provides role-based access control. No app code or third party can read your photos without going through our server.
- Authentication uses Supabase Auth with industry-standard JWT-based sessions; passwords are never stored on our servers (we use Sign in with Apple, Sign in with Google, and one-time email codes — no passwords).
No system is perfectly secure. If you become aware of a vulnerability, please report it to hello@scoopclub.app.
Legal basis for processing (EU / UK)
Under the GDPR (and UK GDPR), we process your personal data on these legal bases:
- Contract performance (Art. 6(1)(b)) — to deliver the loyalty programme: counting scoops, issuing free rewards, showing your QR for staff redemption.
- Consent (Art. 6(1)(a)) — for camera and location access, push notifications, and for publishing your photo in the public feed or on our social media. You can withdraw consent at any time in your device settings or by toggling a photo back to private (for new captures) or contacting us (for already-public photos).
- Legitimate interest (Art. 6(1)(f)) — to detect fraud in the loyalty programme, to keep our service running, and to respond to user reports about inappropriate content. These interests don't override your rights to access and erasure.
- Legal obligation (Art. 6(1)(c)) — to retain redemption records for our own tax and accounting compliance.
Your rights
Depending on where you live (GDPR for EU/UK, CCPA for California, etc.) you may have the right to:
- Access the data we hold about you.
- Correct anything that's wrong.
- Delete your account and associated data (use the in-app button, or contact us).
- Object to how we use your data.
- Lodge a complaint with your local data protection authority.
We respond to verified rights requests within 30 days. Email hello@scoopclub.app.
Contact
Questions, complaints, content takedown requests, or rights requests — email hello@scoopclub.app.
Changes to this policy
When we change anything material we'll update the "Last updated" date above and, if the change affects you in a meaningful way, let you know in-app or by email.