Privacy Policy

Application: CardFlow

Last updated: 2026-04-09

CardFlow is a digital voucher and store credit platform that allows customers to purchase store-specific credits and use them in-store via QR codes. This Privacy Policy explains how we collect, use, and protect personal data.

For privacy-related questions or requests, contact us at: privacy.cardflow@samtech.dev

1) Who we are

Data Controller: Samtech
Legal entity: Samtech BV
Registered address: Kievitlaan 41, 2520 Ranst
KBO/BCE number: BE 0745.838.344
Country: Belgium (European Union)
Contact email: privacy.cardflow@samtech.dev

2) Scope of this policy

This Privacy Policy applies to the CardFlow mobile application, including any related cashier or administrative tools, and to all services directly linked to the CardFlow platform.

3) Personal data we collect

3.1 Data you provide

Full name
Date of birth
Email address
Phone number

3.2 Data generated through usage

Store credit balance and transaction history
QR code redemption events (time, amount, store)
App diagnostics, crash logs, and basic performance data

3.3 Payment data

Payments are processed by an external payment service provider (such as Mollie). CardFlow does not store full payment card details. We only receive limited payment metadata, such as transaction status, reference identifiers, and amounts.

3.4 Data we do not intentionally collect

Precise location (GPS) data
Sensitive personal data (e.g. health, religion, political opinions)

4) How we use your data

To create and manage user accounts
To maintain store credit balances and process redemptions
To generate secure, time-limited QR codes
To process and confirm payments
To prevent fraud and abuse
To provide customer support
To improve stability, security, and performance of the app

5) Legal basis for processing (GDPR)

We process personal data under the following legal bases:

Contract: to provide the CardFlow service
Legitimate interests: fraud prevention, platform security, and improving service quality, where these interests are not overridden by your rights.
Legal obligation: accounting or regulatory requirements where applicable

6) Data sharing

Participating stores, strictly for processing in-store redemptions
Payment service providers for transaction processing
Technical service providers used to operate the platform
Authorities, if legally required

We do not sell personal data.

7) Data retention

Account data: retained for the duration of the account, plus 90 days after deletion
Transaction and payment data: 7 years (Belgian accounting law)
App diagnostics and crash logs: 90 days

8) Your rights

Under EU data protection law, you have the right to:

Access your personal data
Request correction of inaccurate data
Request deletion of your data, where legally possible
Object to or restrict certain processing
Request data portability

Requests can be made via privacy.cardflow@samtech.dev.

We will respond to all requests within 30 days, as required by GDPR Art. 12.

9) Account deletion

You may request the deletion of your account and all associated personal data by contacting privacy.cardflow@samtech.dev. Requests will be processed within 30 days, subject to legal retention obligations (e.g. transaction records retained for accounting purposes).

10) International data transfers

Some of our technical service providers may be located outside the European Economic Area (EEA). Where this is the case, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, to protect your personal data.

11) Analytics and diagnostics

CardFlow uses third-party crash reporting and performance monitoring tools for crash reporting and performance monitoring. These tools may collect device identifiers and usage data to help us maintain app stability. No advertising or cross-app tracking is performed.

12) Security

We apply appropriate technical and organizational security measures, including encryption in transit, access controls, and monitoring, to protect personal data. No system can be guaranteed 100% secure.

13) Children

CardFlow is not intended for users under the age of 18. We do not knowingly collect personal data from users under 18. If we become aware that such data has been collected, it will be deleted promptly.

14) Changes to this policy

This Privacy Policy may be updated from time to time. Any changes will be published on this page with an updated revision date.

15) Contact

For all privacy, data protection, or GDPR-related inquiries, contact:
privacy.cardflow@samtech.dev

16) Supervisory authority

If you believe your data protection rights have not been respected, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit – GBA/APD) at www.gegevensbeschermingsautoriteit.be.