Stikkr: Privacy Policy

This page explains what data Stikkr collects, what it doesn't, and how we handle the small amount of data that does leave your device. Stikkr is a label-design and printing app for Bluetooth thermal label printers, and it was built around three commitments that this policy is meant to back up in detail.

The short version.

Your designs, spreadsheets, print history, and printer pairings stay on your device. They are never sent to us or to anyone else.
No accounts, no signup, no tracking. We don't ask for an email, we don't run advertising or analytics SDKs, and we never sell or share your data.
The network is used only for purchases, optional anonymous diagnostics (off by default), and any cloud features you turn on yourself. You can verify this with any network monitor.

Topics:

Who we are
What stays on your device
What uses the network
Permissions Stikkr asks for
Children
Third-party services
Data retention
Security
Your rights
International transfers
Changes to this policy
How to contact us
How to contact a data protection authority

Who we are

Stikkr is published by Ham and More ("we", "us", "our"), based in Aotearoa New Zealand. The data controller for the small amount of personal information described in this policy is Ham and More. You can reach us by email at [email protected].

This policy applies to the Stikkr app on iOS and Android, and to this page on our website. It does not apply to any other app or website operated by us or by anyone else.

What stays on your device

Stikkr is offline-first. Everything in the list below is stored only in the app's private storage on your device. None of it is transmitted to our servers or to any third party.

Designs and templates — every label you create or edit, every design you save to your library, and any custom template you build.
Spreadsheet data — any CSV file you import for batch printing or mail-merge stays on your device. Stikkr never uploads imported spreadsheets.
Images you insert — pictures you pick from your photo library and embed in a label live inside the design file, on your device.
Print history — the list of jobs Stikkr has sent to your printer, with timestamps and label counts.
Printer pairings — the Bluetooth identifier and friendly name of any label printer you've connected to.
Roll information read from the printer — when supported, Stikkr reads the labels-remaining counter and roll identifier from your media's RFID tag and shows them in the Library and Settings. This data stays on your device.
Print quota counters — Stikkr meters daily print volume locally to enforce the free quota and to show you how many labels you have left today. The counters never leave your device.
App settings — including theme, units, snap-to-grid preference, and any opt-in toggles you've set.

If you uninstall Stikkr, all of the above is deleted with the app, except where you have explicitly used a backup or export feature to write a file outside the app's storage. We have no copy.

What uses the network

None of the network-touching activities below are required for Stikkr to work as a label designer and printer. Connecting to your printer is a local Bluetooth link — no internet involved. The optional anonymous diagnostics and any cloud features are off by default and can be toggled in Settings without affecting any other feature. Purchases are network-dependent only if you choose to buy something.

Connecting to your printer

Stikkr communicates with your label printer over Bluetooth. This is a direct, local connection between your device and the printer; it does not use the internet and it does not pass through any server we operate. Print jobs, designs, and label content go straight from your device to the printer head — they never reach our servers.

Purchases

If you choose to buy an in-app product (for example, the one-time "Unlock unlimited prints"), the purchase itself is handled by Apple's App Store on iOS or Google Play Billing on Android. Stikkr never sees your card number, billing address, or any payment details. Apple or Google handle that, and only tell Stikkr that you have successfully bought a specific product.

To confirm that a purchase is genuine and to remember it across reinstalls, Stikkr sends the store transaction identifier — Apple's original_transaction_id or Google's purchaseToken — to a small server we operate. The server checks that identifier with Apple or Google and answers yes or no. The transaction identifier is the only thing that reaches our server in this flow. We never receive your name, email, or payment information.

We retain receipts only as long as required by tax and accounting law (typically seven years in New Zealand).

Optional anonymous diagnostics

Stikkr can send a small amount of anonymous diagnostic information to Google Firebase (Crashlytics for crash reports, Analytics for printer-compatibility events). This is off by default. You can turn it on or off at any time in Settings → Diagnostics; with the toggle off, neither service is initialised and nothing leaves your device.

If you turn it on, what is collected is:

Anonymous crash reports — when the app crashes, Crashlytics records the stack trace plus the standard context Google attaches to every crash (app version, OS version, device model, language, and a Firebase-generated installation identifier that is not linked to your name, email, or account).
Printer-compatibility events — three event types tell us which printer models work with our current driver code so we can claim support honestly: printer_paired (logged once per session when a printer connects successfully, with the model family — e.g. "D110" — and the transport, "ble"); printer_print_success (logged after each successful print, with the model family); and printer_print_failure / printer_error (logged on failure, with the model family, the phase where the error happened — "connect" or "print" — and a short error tag such as "bluetooth_off" or "disconnected").

What is not sent, even when diagnostics is on:

Your name, email, phone number, postal address, or any other contact information.
The content of any design, spreadsheet, or printed label.
Your printer's Bluetooth MAC address, serial number, or any other hardware identifier. Only the model family string (e.g. "D110", "B21") is included.
The user-set display name you may have given your printer (e.g. "Kitchen printer") — only the model family is sent.
Your location.
A device fingerprint (advertising ID, IDFA, IDFV, GAID, or similar).
The contents of your local print history or roll telemetry log — those stay on the device.

Crash reports and analytics events are transmitted to Google's Firebase servers. Google receives your IP address as part of any network request, and applies its own data handling described in its privacy policy. We hold the project-level Firebase data; we never attempt to link it to any other information about you.

We use these diagnostics to understand which printer models work with our current driver code, to fix the crashes you actually hit, and to claim model support honestly without buying every variant. We never share or sell them, and we never combine them with any other source of data.

The website you're reading this on

Our web hosting keeps standard server access logs (your IP address and a timestamp for each request) for a short period for security and diagnostic purposes. These logs are not linked to your use of the app. This page does not set cookies and does not run any third-party analytics or advertising scripts.

Permissions Stikkr asks for

The app asks the operating system for the permissions below, and only these. Each one is used only for the purpose described.

Bluetooth — to discover, pair with, and send print jobs to label printers. Stikkr does not scan for or interact with any Bluetooth device that is not a recognised label printer.
Internet access — for in-app purchases, for the optional anonymous diagnostics if you have them on, and for any cloud feature you explicitly enable.
Files — when you import a CSV spreadsheet or pick a file from storage, the operating system's file picker hands the chosen file to Stikkr. Stikkr only reads the file you select; it never browses your wider storage.
Photo library — when you tap "insert image" and choose to pick from your photos, the operating system's photo picker returns the image you select. Stikkr never accesses other photos.

On Android 11 and earlier, the Bluetooth scanning APIs technically belong to the operating system's "location" permission group, even though Stikkr does not use your location and contains no code that requests, reads, or transmits a location. On Android 12 and later, the new Bluetooth permissions are used and the location permission is not requested.

Children

Stikkr is a general-purpose utility for Bluetooth label printers. It is not directed at children, is not designed to appeal to children, and we do not knowingly collect personal information from anyone under the age of 13 (or under 16 in jurisdictions where that is the threshold for parental consent under data-protection law).

If you are a parent or guardian and you believe that a child has provided us with information through Stikkr, please contact us at [email protected] and we will delete that information promptly.

Third-party services

Stikkr keeps third-party dependencies to a minimum. The third parties that may receive data from Stikkr are:

Apple App Store In-App Purchase on iOS — receives in-app purchase requests. See Apple's privacy policy.
Google Play Billing on Android — receives in-app purchase requests. See Google's privacy policy.
Google Firebase (Crashlytics + Analytics) — receives the anonymous crash reports and printer-compatibility events described under "Optional anonymous diagnostics", and only when you have that toggle on. See Google's privacy policy.

Stikkr does not include any advertising network, social-media SDK, attribution SDK, push-notification SDK, or other tracking code beyond what is listed above. We do not embed any third-party JavaScript on this page.

If we ever add a third-party service that materially affects how data is handled, we will update this policy and the in-app information about it before that service is enabled.

Data retention

On-device data stays as long as the app is installed and you have not deleted it from inside the app.
Anonymous diagnostics (crash reports + printer-compatibility events, when you have them enabled) are retained by Google Firebase under their default settings — Crashlytics keeps crashes for 90 days and Analytics keeps event-level data for 14 months before aggregation. See Google's privacy policy for their retention details.
Purchase receipts we hold are retained for seven years, the period required by New Zealand tax law (Inland Revenue Department).
Web-server access logs are retained for up to 30 days.

You can ask us to delete any data we hold about you at any time by emailing [email protected]. Because the only handle Firebase exposes is a per-install identifier generated by Google, we may need to ask you to turn off the diagnostics toggle (which prevents any further collection) and to wait for the retention window above to expire for older records to drop out of Google's systems.

Security

Anything that does leave your device is sent over HTTPS (TLS). The small amount of optional diagnostic data described in this policy is processed and stored by Google Firebase; Google encrypts data at rest using its standard server-side encryption (AES-256) and applies the security controls documented in its Cloud Security and Compliance materials. We do not operate a Stikkr-side backend that holds your data ourselves. We hold the smallest amount of data we can — we do not collect anything we don't need, and we do not share data with anyone we have not named on this page.

No system is perfectly secure. If we ever discover a security incident that affects information we hold about you, we will notify affected users and the New Zealand Office of the Privacy Commissioner without undue delay, in line with our obligations under the Privacy Act 2020.

Your rights

Depending on where you live, you have specific rights in relation to your personal information. We honour these rights regardless of where you live:

Access — request a copy of any personal information we hold about you.
Rectification — ask us to correct information that is inaccurate or incomplete.
Erasure — ask us to delete information we hold about you. (For anonymous Firebase diagnostics: switching the toggle off stops further collection; existing records age out within Google's retention windows.)
Restriction — ask us to stop processing your information for a particular purpose.
Objection — object to our processing of your personal information.
Portability — receive a copy of your data in a portable, machine-readable format.
Withdrawal of consent — turn off any feature you have turned on (anonymous statistics, cloud sync if and when offered) at any time, in Settings. Doing so stops further data being sent immediately.

If you are a California resident, you also have the rights described in the California Consumer Privacy Act (as amended by the California Privacy Rights Act): the right to know what personal information we collect about you, the right to delete it, the right to correct it, and the right to opt out of "sale" or "sharing" of personal information for cross-context behavioural advertising.

Stikkr does not sell or share personal information for cross-context behavioural advertising, has no advertising or analytics SDKs, sets no tracking cookies on this page, and never will. Because there is nothing to opt out of, the Global Privacy Control browser signal has no operational effect on Stikkr. We acknowledge it here for transparency, and to confirm that if any opt-out-able processing were ever added in the future, GPC would be honoured.

If you are in the European Union, the European Economic Area, the United Kingdom, Switzerland, Australia, or another jurisdiction with similar data-protection legislation, the equivalent rights apply under the GDPR, the UK GDPR, the Australian Privacy Principles, or your local equivalent.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. We will not charge you a fee unless your request is manifestly unfounded or excessive (the GDPR/UK GDPR threshold), in which case we will tell you in advance what the cost would be.

International transfers

When you have the optional anonymous diagnostics toggle on, crash reports and printer-compatibility events are sent to Google Firebase. Google processes Firebase data in its global infrastructure, predominantly in the United States. This means the small amount of data described in this policy crosses an international border and is stored outside New Zealand. The safeguards below are how Google protects it.

For all users — the Google contract

Google is bound by its Firebase Data Processing and Security Terms (which Google offers to every Firebase customer) to handle data only on our written instructions, to protect it with industry-standard security (including encryption at rest and in transit), to limit its use strictly to providing the Firebase service to us, and not to disclose it except where compelled by law. Those terms incorporate the European Standard Contractual Clauses (Commission Decision 2021/914, Modules 2 and 3). Google LLC is also a certified participant in the EU-US Data Privacy Framework (and its UK and Swiss extensions), which provides a parallel adequacy basis for transfers to Google US infrastructure.

For users in New Zealand

Under Information Privacy Principle 12 of the New Zealand Privacy Act 2020, we are responsible for ensuring that your personal information continues to be protected when stored outside New Zealand. The United States is not a "prescribed country" under section 214 of the Act. We rely on the binding contractual safeguards in Google's Firebase Data Processing and Security Terms (described above) to satisfy our IPP 12 obligations. By using Stikkr with diagnostics turned on, you are also informed that the small data described in this policy is stored on Google's infrastructure (predominantly United States), where applicable laws may not provide the same level of protection as the New Zealand Privacy Act 2020.

For users in the European Union, EEA, United Kingdom, or Switzerland

New Zealand has been recognised by the European Commission as providing an adequate level of data protection — most recently reaffirmed in the Commission's January 2024 review — so the flow of personal data from your device to us as a New Zealand controller does not itself require additional safeguards.

The onward transfer from us to Google in the United States is the regulated step. It is covered by (a) the EU Standard Contractual Clauses included in Google's Firebase terms, and, in parallel, (b) Google's certification under the EU-US Data Privacy Framework. The DPF is subject to ongoing legal challenge in the EU; if it is invalidated, the SCCs in Google's terms continue to apply as our primary safeguard.

For users in Australia

Under Australian Privacy Principle 8, we disclose anonymous diagnostic data to Google in the United States. Google is bound by contract to protect your information consistently with the Australian Privacy Principles, and is itself subject to data-protection laws in the jurisdictions in which it operates.

Apple and Google (payment platforms)

Apple's App Store and Google Play operate globally and may process purchase-related data in the United States, the European Union, or elsewhere as part of running their respective payment platforms. The safeguards each of them publishes (their own data-processing agreements and standard contractual clauses) apply.

Changes to this policy

We review this policy whenever we change something material about how Stikkr handles data, and we re-publish it (with the date below updated) at least once each calendar year regardless of whether anything has changed. Material changes will be reflected in the "last updated" date at the bottom of this page. Where a change affects you and you have the app installed, we will also notify you in-app the next time you open Stikkr.

Earlier versions of this policy are kept for our own audit purposes; if you would like a copy of an older version, email [email protected].

How to contact us

If you have any questions about this policy, want to exercise one of your rights, or just want to chat about Stikkr, we would love to hear from you.

Email us

How to contact a data protection authority

If you feel we have not handled your concern satisfactorily, you may complain to a data protection authority. Stikkr's primary regulator is the New Zealand Office of the Privacy Commissioner.

If you are in another jurisdiction, you may complain to your local authority instead. A list of European data protection authorities is maintained by the European Data Protection Board; users in the United Kingdom may contact the Information Commissioner's Office (ICO); users in Australia may contact the Office of the Australian Information Commissioner (OAIC); and users in California may direct CCPA-related complaints to the California Attorney General.

Last updated: 13 May 2026.