Privacy Policy
Last updated: April 15, 2026
Stamp is developed by Piovesanlabs. This policy explains what data the app collects, how it is used, and how it is protected.
Data We Collect
- Account information — your email address and a user ID, collected when you sign in with Apple or Google.
- Activity sessions — session data you create within the app (activity type, start/end time, optional notes), and activity data synced from third-party services you connect (e.g. Strava, Whoop).
- Integration tokens — OAuth access tokens and refresh tokens for third-party services you choose to connect (Strava, Whoop, Google Calendar, Microsoft Outlook). These are stored solely to maintain your connection and are never shared beyond delivering the service.
How We Use Your Data
Your data is used solely to operate Stamp — authenticating you, storing your sessions, and syncing with the third-party services you connect. We do not sell your data, serve ads, or share your data with any third party for marketing purposes.
Outlook Calendar Data
When you connect Outlook Calendar, Stamp requests the Calendars.ReadWrite permission via Microsoft Graph. This permission is used exclusively to create calendar events on your behalf when you complete a timed session in the app. Stamp does not read, modify, or delete any existing calendar events. Outlook calendar data is not used for advertising, analytics, or any purpose beyond creating those session events.
Google Calendar Data
When you connect Google Calendar, Stamp requests the https://www.googleapis.com/auth/calendar.events scope. This scope is used exclusively to create calendar events on your behalf when you complete a timed session in the app. Stamp does not read, modify, or delete any existing calendar events. Google Calendar data is not used for advertising, analytics, or any purpose beyond creating those session events.
Stamp's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Data Protection & Security
We apply the following technical and organisational measures to protect your data:
- Encryption in transit — all communication between the app and our servers uses TLS (HTTPS). No sensitive data is transmitted over unencrypted connections.
- Encryption at rest — your data, including OAuth tokens, is stored in Supabase (PostgreSQL), which encrypts data at rest using AES-256.
- OAuth token security — OAuth access tokens and refresh tokens are stored server-side only. They are never sent to the mobile app and are never logged or exposed in error messages. Tokens are refreshed automatically before expiry and invalidated immediately when you disconnect an integration.
- Access controls — Row-Level Security (RLS) policies in our database ensure each user can only access their own data. Server-side operations use a service role key that is never exposed to clients.
- Minimal data collection — we only request OAuth scopes strictly required to deliver the features you enable. For example, Google Calendar access is only requested if you choose to connect Google Calendar.
- CSRF protection — OAuth flows use one-time, time-limited state tokens to prevent cross-site request forgery attacks.
Third-Party Services
Stamp uses the following services, each governed by its own privacy policy:
- Supabase — authentication and data storage
- Apple Sign In — authentication
- Google — authentication and Google Calendar integration
- Microsoft — Outlook Calendar integration
- Strava — activity data integration
- Whoop — workout and recovery data integration
Data Retention
Your data is retained while your account is active. You can delete your account at any time from within the app (Settings → Delete Account), which permanently and irreversibly removes all your data, including OAuth tokens and session history. OAuth tokens for a specific integration are also deleted immediately when you disconnect that integration.
Contact
For privacy questions or data requests, contact us at piovesan.robert@outlook.com.