Privacy Policy

How Sunbeam Café handles your data.

⚠ The business operating this loyalty program has not yet completed its data controller disclosures. Please contact them directly with any questions before sharing personal data.

Data controller

Sunbeam Café

1. Who we are

Sunbeam Café is the data controller for the personal data collected through this loyalty program. We are responsible for how your data is used and protected, in line with the EU General Data Protection Regulation (GDPR) and Romanian Law 190/2018.

2. What we collect

Name (or an alias you choose) — to recognize you at the counter.
Email address or phone number (optional) — only if you provide them, used to send you reward notifications and to recover your account if your phone is lost.
Stamp history — when you visited, how many stamps you collected, which rewards you redeemed.
Technical data — a session cookie for keeping you signed in, and a language preference cookie. We do not use marketing or tracking cookies.

3. Why we collect it

We collect this data for one purpose: to run the loyalty program — issuing stamps, redeeming rewards, and notifying you when a reward is ready. The legal basis is the performance of the loyalty contract you enter into when you scan our QR code (GDPR Art. 6(1)(b)), plus your consent for any optional communications (Art. 6(1)(a)).

4. Who has access

Us. Our admin and staff users see your name and stamp history when serving you.
Webbership SRL (our software provider) acts as a data processor under a data processing agreement. They host the platform infrastructure on our behalf and do not use your data for their own purposes.
Apple and Google — if you add your loyalty card to Apple Wallet or Google Wallet, the card data is stored on your device by those platforms under their own privacy terms.
Email service provider (Resend) — if you provide an email address, transactional emails are delivered through Resend Inc.

5. How long we keep it

Your account and stamp history are kept while you remain an active member. If you ask to be deleted, or if you have had no activity for 24 months, we delete your personal data. Aggregated, non-identifiable statistics may be kept longer for business reporting.

6. Your rights

Under GDPR you have the right to:

Access the data we hold about you.
Correct inaccurate or incomplete data.
Have your data deleted ("right to be forgotten").
Export your data in a portable format (CSV).
Object to processing or withdraw consent for optional uses.
File a complaint with the Romanian Data Protection Authority (ANSPDCP, dataprotection.ro).

To exercise any of these rights, write to our contact email. We respond within 30 days.

7. Cookies

We use two functional cookies, both first-party:

wb_member — keeps you signed in. Required for the service to work.
wb_lang — remembers your preferred language. Optional.

We do not use third-party tracking, advertising, or analytics cookies on the member-facing pages.

8. Changes

If we update this policy, the "last updated" date below changes and members are notified by email (if they provided one) for material changes.

For program terms, see our Terms of Service.