Privacy Policy
Last updated: 12 March 2026
PaperFree delivers digital receipts to your inbox automatically. This policy explains what personal data we collect, why we collect it, and how we protect it. We keep things simple: we collect only what's needed to deliver your receipts, and nothing more.
What we collect
| Data | Purpose |
|---|---|
| Email address | Where your digital receipts are delivered |
| Card token (Stripe PaymentMethod ID) | Links your card to your email so receipts can be matched to you at the point of sale |
| Card fingerprint | A Stripe-generated identifier used to recognise your card without storing the actual number |
| Card metadata (last 4 digits, brand, expiry, issuing country, funding type) | Helps you identify which card is linked to your account |
What we don't collect
- Your full card number — Stripe handles all card data. Your raw card number never touches our servers.
- Purchase history — we facilitate receipt delivery but don't store what you buy.
- Browsing data — no tracking pixels, no analytics cookies, no fingerprinting.
- Location data — we don't track where you shop.
Why we collect it and our legal basis
We collect your email and card token for one reason: to deliver digital receipts to your inbox when you pay at a participating store. That's it. We don't use your data for marketing, profiling, or advertising.
Our legal basis for processing your data is contractual necessity (GDPR Article 6(1)(b)). Your email and card token are required for PaperFree to function — without them, we cannot deliver the service you signed up for. No additional consent is needed for this core processing.
How it's stored
- Database — your email and card metadata are stored in Supabase, hosted in the EU.
- Card vault — your actual card data is vaulted by Stripe, a PCI DSS Level 1 certified payment processor. We only store a token reference, never the card number itself.
- Encryption — all data is encrypted in transit (TLS) and at rest.
Who has access
- PaperFree team — access to your data solely for operating the service.
- Participating merchants — when you pay at a participating store, your email address is shared with that merchant so they can send you a digital receipt. Merchants only receive your email at the point of sale and only for receipt delivery.
- Stripe — processes and vaults your card data as our payment processor.
- Supabase — hosts our database infrastructure in the EU.
We do not sell, rent, or trade your personal data. We do not share your data with advertisers or marketing platforms. We do not send marketing emails.
Data retention
Your data is kept for as long as your account is active. When you delete your account, all your personal data (email, card tokens, card metadata) is permanently removed from our database and your card token is detached from Stripe.
Your rights under GDPR
Under the General Data Protection Regulation (EU 2016/679), you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — delete your account and all associated data at any time via our self-service deletion page.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing of your data.
- Complaint — lodge a complaint with your national data protection authority. In Sweden, this is Integritetsskyddsmyndigheten (IMY).
To exercise any of these rights, email us at the address below or use our account deletion page for immediate self-service erasure.
Cookies
PaperFree does not use cookies. We don't use analytics trackers, advertising pixels, or any form of browser fingerprinting. The site works without storing anything in your browser.
Contact
For privacy-related questions, data requests, or concerns:
Email: privacy@paperfree.nu
Changes to this policy
If we make changes to this policy, we'll update the "Last updated" date at the top of this page. For significant changes that affect how your data is used, we'll notify you via the email address linked to your account.