Last updated: 20 June 2026
The data controller for personal data collected through the Puncheo platform is Thalamus Spain SL, tax ID (NIF) B87752986, registered address Av. Juan Antonio Samaranch 121, 28055 Madrid (Spain). Contact: support@puncheo.com.
We collect the following personal data when you register and use Puncheo:
We process your data for the following purposes and legal bases:
We will retain your personal data for as long as your account remains active. After account deletion, data will be erased or anonymised, except for data we are legally required to keep: in particular, billing data is retained for 6 years under the Spanish Commercial Code, and tax data for the periods required by tax law.
To provide the service we rely on the following processors:
Some of these providers are located in the United States, which may involve international data transfers. Such transfers rely on the appropriate safeguards set out in Chapter V GDPR (European Commission Standard Contractual Clauses and/or the EU–US Data Privacy Framework).
We do not sell or share your data with third parties for commercial or advertising purposes unrelated to Puncheo.
Puncheo uses only cookies that are strictly necessary for the platform to work, plus functional and security cookies. We do not use advertising or commercial tracking cookies.
Necessary, functional and security cookies are exempt from the consent requirement under Article 22.2 of the Spanish LSSI. You can block or delete cookies through your browser settings, although this may affect how the service works.
If a retailer registers you as a customer by entering your phone number to create your loyalty card, we process that data to provide the service. In that case, we inform you through this policy and you may exercise the rights described below at any time, including objection and erasure.
Under the GDPR, you have the right to:
To exercise any of these rights, write to us at support@puncheo.com. If you are not satisfied, you may lodge a complaint with your national supervisory authority (in Spain, the Agencia Española de Protección de Datos, www.aepd.es).
We apply appropriate technical and organisational measures to protect your data against unauthorised access, loss or disclosure, including encryption in transit (TLS) and at rest.
We may update this policy periodically. The date of the last update is shown at the top of this document. We will notify you of material changes via a notice on the platform or by email.
See also our Terms and Conditions.