Privacy Policy  
Last updated: May 1, 2026  
This Privacy Policy explains how TopSoft UG, Johann-Landefeldt 109, 14089 Berlin, Germany ("Punch Cards",  
"we", "us", or "our") collects, uses, stores, and protects personal data when you use the Punch Cards mobile  
application, website, and related services available at punch-card-app.com (together, the "Service").  
This Privacy Policy applies to Service Providers, Customers, website visitors, and other users of the Service.  
1. Data controller  
The data controller for the Service is:  
TopSoft UG  
Johann-Landefeldt 109  
14089 Berlin  
Germany  
Website: punch-card-app.com  
2. What Punch Cards does  
Punch Cards provides a digital punch card and stamp card system for service providers and their  
customers.  
Service Providers can create and manage digital cards to track prepaid lessons, meetings, sessions, or  
similar services. Customers can use the Service to view and track their remaining lessons, meetings,  
sessions, or other units recorded by their Service Provider.  
Punch Cards is a software platform only. We do not provide the actual lessons, meetings, sessions,  
appointments, or services recorded in the app.  
3. Personal data we collect  
Depending on how you use the Service, we may collect and process the following types of personal data.  
3.1 Account data  
When you create or use an account, we may process:  
• name;  
• email address;  
• login details or authentication identifiers;  
• account type, such as Service Provider or Customer;  
• app settings and account preferences;  
• subscription status for Service Provider accounts.  
3.2 Service Provider data  
If you use Punch Cards as a Service Provider, we may process:  
• business name;  
• business logo;  
• business contact details;  
• subscription plan and billing status;  
• customer records created by you;  
• punch card details, including card balances, sessions, stamps, or similar tracking information.  
3.3 Customer data added by Service Providers  
Service Providers may add customer information to the Service, including:  
• customer name;  
• customer account or profile information;  
• punch card balances;  
• number of prepaid lessons, meetings, sessions, or other units;  
• records of added, used, or remaining sessions.  
Service Providers are responsible for ensuring that they have the necessary legal basis, permission, and  
authority to enter Customer data into the Service.  
3.4 Customer account data  
If you use Punch Cards as a Customer, we may process:  
• your name;  
• email address or login identifier;  
• punch cards connected to you;  
• card balances and session history shown to you by your Service Provider;  
• account settings and app activity.  
3.5 Payment and subscription data  
Paid subscriptions for Service Providers are handled through Apple App Store or Google Play.  
We do not directly collect or store full payment card details. Apple or Google process payments according to  
their own terms and privacy policies.  
We may receive limited subscription-related information, such as:  
• subscription status;  
• plan type;  
• billing period;  
• renewal or cancellation status;  
• transaction identifiers or receipts needed to verify purchases.  
3.6 Technical and usage data  
When you use the Service, we may automatically collect technical and usage data, such as:  
• IP address;  
• device type;  
• operating system;  
• app version;  
• browser type;  
• approximate location based on IP address;  
• log files;  
• crash reports;  
• date and time of access;  
• pages or app screens viewed;  
• actions taken inside the app.  
This information helps us operate, secure, troubleshoot, and improve the Service.  
3.7 Support and communication data  
If you contact us, we may process:  
• your name;  
• email address;  
• message content;  
• attachments or screenshots you send us;  
• support history;  
• any other information you choose to provide.  
4. Special categories of personal data  
Punch Cards is not designed for storing sensitive personal data, such as health data, religious beliefs,  
political opinions, biometric data, sexual orientation, or similar special categories of data.  
Users and Service Providers must not enter sensitive personal data into the Service unless they have a valid  
legal basis and are legally permitted to do so.  
If a Service Provider uses Punch Cards in a context involving children, tutoring, coaching, health, sport,  
education, or similar services, the Service Provider remains responsible for ensuring that the data entered  
into the Service is appropriate and lawful.  
5. Children and minors  
Business accounts may only be created by individuals who are at least 18 years old.  
Customers under the age of 18 may use the customer side of the Service only with permission from a  
parent or legal guardian.  
If a Service Provider uses Punch Cards to track lessons, meetings, or sessions for minors, the Service  
Provider is responsible for obtaining any required permission from the parent or legal guardian and for  
complying with applicable laws.  
We do not knowingly collect personal data directly from children without appropriate permission. If you  
believe that a child has provided us with personal data without proper permission, please contact us at  
6. How we use personal data  
We process personal data for the following purposes:  
• to provide and operate the Service;  
• to create and manage user accounts;  
• to allow Service Providers to create and manage punch cards;  
• to allow Customers to view and track their punch cards;  
• to verify subscriptions and paid plan access;  
• to provide customer support;  
• to respond to questions, requests, and legal inquiries;  
• to maintain the security and stability of the Service;  
• to prevent misuse, fraud, and unauthorized access;  
• to analyze and improve the Service;  
• to comply with legal obligations;  
• to enforce our Terms and Conditions.  
7. Legal bases for processing  
Where the General Data Protection Regulation (GDPR) applies, we rely on the following legal bases:  
7.1 Contract performance  
We process personal data where necessary to provide the Service, create accounts, manage subscriptions,  
and make app features available.  
7.2 Legitimate interests  
We process personal data where necessary for our legitimate interests, such as securing the Service,  
preventing misuse, improving the app, handling support requests, and maintaining business records,  
provided that your interests and fundamental rights do not override those interests.  
7.3 Legal obligations  
We process personal data where necessary to comply with legal obligations, such as tax, accounting,  
consumer protection, and regulatory requirements.  
7.4 Consent  
Where required, we process personal data based on your consent, for example for certain cookies,  
analytics, marketing communications, or optional permissions. You may withdraw consent at any time.  
8. Role of Service Providers  
Service Providers may enter and manage Customer data in the Service.  
For Customer data entered by a Service Provider, the Service Provider may act as the data controller, and  
Punch Cards may act as a data processor, depending on the specific use case and applicable data protection  
law.  
Service Providers are responsible for:  
• informing their Customers about how their personal data is used;  
• obtaining any required consent or other legal basis;  
• ensuring that Customer data entered into Punch Cards is accurate and lawful;  
• responding to Customer requests relating to their own services and records;  
• complying with applicable privacy and data protection laws.  
Where required, we may offer a separate Data Processing Agreement for Service Providers.  
9. Sharing personal data  
We do not sell personal data.  
We may share personal data with the following categories of recipients where necessary:  
• hosting and infrastructure providers;  
• app store providers, such as Apple and Google;  
• payment and subscription verification providers;  
• analytics and crash reporting providers;  
• email and communication service providers;  
• customer support tools;  
• legal, tax, accounting, or professional advisers;  
• authorities, courts, or regulators where required by law;  
• buyers, successors, or advisers in connection with a merger, acquisition, restructuring, or sale of  
business assets.  
All third-party providers may only access personal data where necessary for the relevant purpose and must  
process it in accordance with applicable data protection requirements.  
10. Third-party services  
The Service uses or may use the following third-party services to operate the app, website, and related  
features:  
• Apple App Store for iOS distribution, subscriptions, and in-app purchase management;  
• Google Play for Android distribution, subscriptions, and in-app purchase management;  
• Apple OAuth Platform for Apple sign-in and authentication;  
• Google OAuth Platform for Google sign-in and authentication;  
• Apple Push Notification service for push notifications on Apple devices;  
• Google/Firebase Cloud Messaging for push notifications on Android devices;  
• DigitalOcean for hosting, app infrastructure, database hosting, and related server services;  
• MySQL database services for storing app data;  
• Expo for app development, app services, and notification-related infrastructure.  
These providers may process personal data only where necessary to provide their respective services, such  
as authentication, hosting, subscription verification, notifications, technical delivery, security, or  
infrastructure support.  
11. International data transfers  
We are based in Germany. Some service providers we use may process personal data outside Germany, the  
European Union, or the European Economic Area.  
Where personal data is transferred outside the EU/EEA, we will take appropriate safeguards as required by  
applicable data protection law. These safeguards may include adequacy decisions, Standard Contractual  
Clauses, data processing agreements, and additional technical or organizational measures where required.  
12. Data retention  
We keep personal data only for as long as necessary to provide the Service, comply with legal obligations,  
resolve disputes, maintain security, and enforce our agreements.  
In general:  
• account data is kept while the account is active;  
• punch card and customer records are kept while needed to provide the Service or until deleted by  
the relevant user or Service Provider;  
• subscription and transaction records may be kept as required for tax, accounting, and legal  
purposes;  
• support messages may be kept for a reasonable period to handle support history and legal claims;  
• technical logs are kept for a limited period unless longer retention is needed for security, fraud  
prevention, or legal reasons.  
If an account or record is deleted, some data may remain in backups for up to 90 days before being  
overwritten or deleted, unless we need to keep it longer for legal, security, or legitimate business reasons.  
13. Cookies, tracking, and analytics  
We do not use cookies to track Customers, and we do not use advertising or remarketing cookies.  
The Service may collect limited usage data to understand how the app is used, improve performance, fix  
errors, and maintain security. Where possible, usage data is collected in an anonymous or aggregated form  
and is not used to identify individual Customers.  
If we introduce cookies, advertising pixels, remarketing tools, or non-essential analytics in the future, we  
will update this Privacy Policy and, where legally required, ask for consent.  
14. Push notifications and device permissions  
The mobile app may request the following device permissions:  
• Push notifications: to send app-related notifications, such as punch card updates, account notices,  
or service-related alerts.  
• Camera: to allow users to take photos, for example for profile images, business logos, or other  
app-related images where this feature is available.  
• Photos: to allow users to select existing images from their device, for example for profile images,  
business logos, or other app-related images where this feature is available.  
You can manage or disable app permissions through your device settings. If you disable certain  
permissions, some app features may not work correctly.  
15. Marketing communications  
We may send service-related messages, such as account notices, subscription notices, security alerts, or  
support responses.  
We may send marketing emails only where legally permitted. You can opt out of marketing emails at any  
time by using the unsubscribe link or contacting us.  
Even if you opt out of marketing messages, we may still send necessary service-related messages.  
16. Security  
We use reasonable technical and organizational measures to protect personal data against unauthorized  
access, loss, misuse, alteration, or disclosure.  
However, no online service can be guaranteed to be completely secure. You are responsible for keeping  
your account login details confidential and for using secure devices and networks.  
17. Your privacy rights  
Depending on your location and applicable law, you may have the right to:  
• request access to your personal data;  
• request correction of inaccurate data;  
• request deletion of your personal data;  
• request restriction of processing;  
• object to certain processing;  
• request data portability;  
• withdraw consent at any time where processing is based on consent;  
• lodge a complaint with a data protection authority.  
To exercise your rights, contact us at [email protected].  
If your request concerns Customer data entered by a Service Provider, we may need to refer you to the  
relevant Service Provider or work with the Service Provider to handle the request.  
18. Right to lodge a complaint  
If you are located in the EU/EEA, you have the right to lodge a complaint with a data protection authority.  
You may contact the data protection authority in your country or the competent authority in Germany.  
For Berlin, the competent authority is generally:  
Berliner Beauftragte für Datenschutz und Informationsfreiheit  
19. Deleting your account  
You may request deletion of your account by contacting us at [email protected] or by using  
any account deletion feature available in the app.  
Some data may need to be retained for legal, tax, accounting, security, or legitimate business reasons.  
If a Customer account is connected to a Service Provider's records, some punch card records may also  
remain visible to or controlled by the Service Provider, depending on the situation and applicable law.  
20. Changes to this Privacy Policy  
We may update this Privacy Policy from time to time.  
If we make material changes, we will take reasonable steps to notify users, for example through the app,  
website, or email.  
The updated Privacy Policy applies from the date stated at the top of the document.  
21. Contact  
For questions about this Privacy Policy or the processing of personal data, contact us at:  
TopSoft UG  
Johann-Landefeldt 109  
14089 Berlin  
Germany  
Website: punch-card-app.com  