Inspiration

Paper punch cards get lost; QR codes are slow and have security issues. We wanted a 1-second secure “tap and go” that small businesses can actually deploy, without any hassle from their end.

What it does

Turns an NFC tag at the counter into a virtual punch card. Customer taps -> we log the visit, add a “stamp,” and show progress toward a reward. Merchant dashboard: view customer analytics and manage customer stamps.

How we built it

Mobile App (Customer Experience)

  • Expo + React Native for cross-platform iOS/Android development
  • Deep linking handles NFC taps via custom URL schemes (e.g. exp://, loyaltyapp://)
  • Session management: Email Authentication using Supabase

Web Dashboard (Merchant Portal)

  • Flask (Python 3) with server-side rendering
  • Lightweight JavaScript for dynamic hassle-free updates (no unnecessary frameworks)
  • Features: Real-time KPIs, customer search, manual stamp management, reward redemption tracking
  • Auth: Email/password login with bcrypt, session cookies (7-day expiry)

Backend API

  • Flask REST API with JSON responses

  • Key endpoints:

    • POST /api/mobile/scan - Validates NFC signature, upserts reward record, returns progress
    • POST /api/auth/login - Merchant authentication
    • GET /api/stats - Dashboard analytics (total users, scans, near-reward customers)

Data Layer

  • SQLite; schema: 3 tables (users, companies, rewards) with foreign keys and indexes

NFC

  • Signature validation: simple hash of program_id + points + timestamp (production would use HMAC-SHA256). Note: this was later replaced by a static tag to reduce tag-write maintenance; a static tag can still be made secure by using NTAG 424 DNA.
  • Replay protection: 24-hour expiry on tags
  • Tag format: Deep links that auto-open app when scanned
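The following is an added example, not Punchly's own code: it shows what the NFC tag signature and the POST /api/mobile/scan validation described above look like when the "simple hash" is replaced by the HMAC-SHA256 the page says production would use, with the 24-hour expiry applied and the scan upserted into a rewards table. It assumes a per-program secret held only on the server (never written to the tag), a `loyaltyapp://scan` deep link carrying `program_id`, `points`, `ts` and `sig` query parameters, and a `rewards` table keyed on (user_id, program_id); all of those names are assumptions, and the secret and timestamps are constructed sample values.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed: one secret per merchant program, kept server-side only.
# Constructed placeholder; a real deployment would load this from config.
PROGRAM_SECRETS = {"prog-001": secrets.token_bytes(32)}
TAG_TTL_SECONDS = 24 * 60 * 60   # the 24-hour replay window from the write-up
MAX_CLOCK_SKEW = 300             # tolerate small phone/server clock drift
MAX_POINTS_PER_TAP = 10          # sanity bound on the stamps one tag may grant
SCHEME = "loyaltyapp://scan"     # assumed deep-link prefix


def _canonical(program_id, points, ts):
    # Fixed field order with an explicit separator, so "1"+"23" and "12"+"3"
    # can never hash to the same message.
    return f"{program_id}|{points}|{ts}".encode()


def weak_signature(program_id, points, ts):
    """The hackathon's unkeyed 'simple hash'. Anyone who knows the field
    layout can compute it, so it proves nothing about who made the tag."""
    return hashlib.sha256(_canonical(program_id, points, ts)).hexdigest()


def hmac_signature(program_id, points, ts):
    """Keyed MAC: only a holder of the program secret can produce it."""
    key = PROGRAM_SECRETS[program_id]
    return hmac.new(key, _canonical(program_id, points, ts), hashlib.sha256).hexdigest()


def build_tag_url(program_id, points, ts=None):
    """What the merchant tool would write onto the NFC tag."""
    ts = int(time.time()) if ts is None else ts
    query = urlencode({"program_id": program_id, "points": points, "ts": ts,
                       "sig": hmac_signature(program_id, points, ts)})
    return f"{SCHEME}?{query}"


def validate_tag_url(url, now=None):
    """Server-side check for /api/mobile/scan. Returns (ok, reason, fields)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}" != SCHEME:
        return False, "bad_scheme", None
    q = parse_qs(parts.query)
    try:
        program_id = q["program_id"][0]
        points = int(q["points"][0])
        ts = int(q["ts"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed", None
    if program_id not in PROGRAM_SECRETS:
        return False, "unknown_program", None
    if not 1 <= points <= MAX_POINTS_PER_TAP:
        return False, "bad_points", None
    # Constant-time comparison; verify the MAC before trusting any field.
    if not hmac.compare_digest(sig, hmac_signature(program_id, points, ts)):
        return False, "bad_signature", None
    if ts > now + MAX_CLOCK_SKEW:
        return False, "future_timestamp", None
    if now - ts > TAG_TTL_SECONDS:
        return False, "expired", None
    return True, "ok", {"program_id": program_id, "points": points, "ts": ts}


def open_db():
    """In-memory stand-in for the SQLite rewards table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rewards (user_id TEXT NOT NULL, program_id TEXT NOT NULL,"
               " stamps INTEGER NOT NULL DEFAULT 0, PRIMARY KEY (user_id, program_id))")
    return db


def record_scan(db, user_id, url, now=None):
    """The scan endpoint's logic: validate, upsert the reward row, return progress."""
    ok, reason, fields = validate_tag_url(url, now)
    if not ok:
        return {"ok": False, "error": reason}
    pid = fields["program_id"]
    db.execute("INSERT OR IGNORE INTO rewards (user_id, program_id, stamps) VALUES (?, ?, 0)",
               (user_id, pid))
    db.execute("UPDATE rewards SET stamps = stamps + ? WHERE user_id = ? AND program_id = ?",
               (fields["points"], user_id, pid))
    stamps = db.execute("SELECT stamps FROM rewards WHERE user_id = ? AND program_id = ?",
                        (user_id, pid)).fetchone()[0]
    return {"ok": True, "program_id": pid, "stamps": stamps}


if __name__ == "__main__":
    tag = build_tag_url("prog-001", 1)
    db = open_db()
    print(tag)
    print(record_scan(db, "user-1", tag))
```

The keyed MAC stops a forged or edited link (a changed `points` value fails `bad_signature`), and the `ts` check bounds how long a written tag stays valid. What it does not stop is the same link being re-submitted within the 24-hour window, which is the residual risk of a static tag; closing that needs something per tap, which is exactly what the NTAG 424 DNA approach mentioned above provides through its tap counter.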

Challenges we ran into

We started on Supabase but ran into RLS/policy complexity and auth–data mismatches that slowed prototyping. To move faster, we pivoted to a simpler SQLite setup for the POC while maintaining Supabase for auth, which removed policy overhead and let us iterate quickly on the mobile/web flows.

Accomplishments that we're proud of

We managed to complete the web dashboard and a functional mobile app within the 24-hour timeframe!

What we learned

Supabase is powerful, but RLS/policies and the auth.users/app-data split require upfront design; at a 24-hour hackathon pace, SQLite let us iterate much faster.

What's next for Punchly

We plan to fully port our SQLite database over to Supabase. We also plan to harden the dashboard: add CRUD for rewards/tags, audit logs, and better analytics, and to add multi-layer security for NFC.
