Privacy Policy
Last updated: April 2026
Loyalite ('we', 'us', 'our') operates the loyalty platform at loyalite.app. This policy explains what personal data we collect, why, where we store it, and the rights you have over it. Our infrastructure is in the European Union; we do not sell data, do not run ad pixels, and do not share data with brokers. By using Loyalite — as a merchant or as a customer of a merchant — you acknowledge the practices below.
1. Who We Are — Data Controller
Loyalite operates the loyalty platform available at loyalite.app. For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws, Loyalite is the data controller of the personal data processed through this platform. Merchants who use Loyalite to manage their customers' loyalty data act as independent data controllers for that customer data; Loyalite acts as a data processor on their behalf for that subset of data.
2. Data We Collect
Merchant accounts: We collect the email address used during registration, the brand name and URL slug chosen for the organisation, and billing metadata transmitted by our payment processor (subscription status, renewal dates — we never receive or store full payment card numbers). Customer accounts: We collect an email address, which is the only field required at enrollment. First name, last name, and phone number are strictly optional and stored only if the customer voluntarily adds them through their profile. We also store a unique numeric customer code per organisation, loyalty balance, complete transaction history (timestamps, type, amount, coupon usage), and the customer's preferred language. Where a customer authenticates via Google or Apple Sign-In, we store the OAuth provider name and a provider-issued subject identifier; we never store or have access to social platform passwords. Technical data: We collect IP addresses and HTTP request timestamps to enforce rate limits and detect abuse. Authentication artefacts: One-time password codes are stored exclusively in bcrypt-hashed form and expire after five minutes. JWT access tokens are short-lived (15 minutes for customers, 24 hours for merchants) and are not persisted server-side. Refresh tokens are stored in bcrypt-hashed form and expire after 30 days.
3. Legal Basis for Processing (GDPR Article 6)
Performance of a contract (Art. 6(1)(b)): Processing an email address, loyalty transaction records, and session tokens is necessary to provide the service you have signed up for. Without this data we cannot authenticate users or maintain loyalty balances. Legitimate interests (Art. 6(1)(f)): We process IP addresses, request timestamps, and authentication audit records to enforce rate limits, prevent brute-force attacks, and ensure platform security. These interests do not override your fundamental rights and freedoms. Compliance with a legal obligation (Art. 6(1)(c)): We may retain certain records where required to comply with applicable law. Consent (Art. 6(1)(a)): Where we request consent — such as for optional marketing communications — we process data only after you have given affirmative consent, and we stop processing if consent is withdrawn.
4. How We Use Your Data
Authentication and access control: Your email address is used to send one-time password codes and to uniquely identify your account within an organisation. Service delivery: Loyalty transaction data is recorded to maintain accurate balances, display history to the customer, generate HMAC-signed QR codes for use at merchant points of sale, and calculate coupon eligibility. Transactional communications: We send OTP codes and, for merchants, system notifications (billing alerts, staff invite emails). We do not send marketing emails without explicit consent. Security and abuse prevention: IP addresses and authentication event timestamps are used to detect and block brute-force attempts, replay attacks, and other malicious activity. Audit logging: We record which merchant user performed each loyalty transaction, providing accountability for organisation owners. Aggregated analytics: We compute non-personal, aggregated statistics (daily transaction counts, active-customer trends, redemption rates) displayed to merchant users as business insights. These statistics cannot be used to identify individual customers.
5. Data Storage and Infrastructure
All data — including primary databases, in-memory caches, and backups — is stored exclusively on servers operated by Hetzner Cloud GmbH, located in Germany within the European Union. Hetzner Cloud is certified under ISO/IEC 27001 and operates in compliance with EU data protection requirements. PostgreSQL is used as the primary relational database, backed by persistent encrypted volumes. Redis is used as an ephemeral cache and message broker; no sensitive personal data is persisted in Redis beyond short-lived hashed token references and rate-limit counters. Database backups are encrypted at rest using AES-256 and are retained within the same EU region. Under standard operating conditions, no personal data leaves EU territory.
6. Third-Party Sub-Processors
We use a limited number of third-party services ('sub-processors') to operate the platform, each bound by a data processing agreement. Hetzner Cloud GmbH (Germany): cloud infrastructure, servers, and storage. Resend (Resend Inc.): delivery of transactional emails (OTP codes and system notifications). Resend processes email addresses solely for message delivery and does not use them for any other purpose. RevenueCat Inc.: subscription entitlement management for the merchant mobile app. RevenueCat may receive a device identifier and subscription status; it does not receive customer loyalty data or email addresses. Apple Inc. / Google LLC: in-app purchases processed through the App Store and Google Play are subject to Apple's and Google's respective privacy policies. Sentry (Functional Software Inc.): application error monitoring. Error reports are sanitised before transmission; we deliberately exclude personal data from error payloads and apply data scrubbing rules in our Sentry configuration. We do not use advertising networks. We do not sell, rent, or broker personal data. We do not share personal data with data brokers or analytics companies.
7. Security Measures
All connections to the platform are encrypted in transit using TLS 1.2 or TLS 1.3. Merchant passwords, where set, are hashed with bcrypt using a cost factor of 12 or higher; they are never stored in plain text. OTP codes are hashed with bcrypt, are single-use, expire after five minutes, and are invalidated permanently after five failed verification attempts. Session cookies are flagged HttpOnly and Secure, rendering them inaccessible to JavaScript and preventing transmission over non-HTTPS connections. Authentication endpoints are rate-limited using a Redis-backed sliding-window algorithm, with an in-process fallback that activates if Redis becomes unavailable. QR codes are HMAC-SHA256 signed using a randomly generated, per-organisation secret of at least 32 bytes and are verified server-side on every scan; expired or tampered QR codes are rejected. All database queries are scoped to an organisation_id at the query level, enforcing strict tenant data isolation regardless of the application layer. The customer web dashboard applies a per-request Content Security Policy nonce to mitigate cross-site scripting attacks. Security-relevant HTTP headers (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy) are applied globally at the nginx reverse proxy layer.
8. Cookies and Tracking
We set only the minimum cookies necessary to operate the service. The customer dashboard sets one HttpOnly, Secure session cookie (access_token) containing a signed JWT used for authentication, and one non-HttpOnly mirror cookie (session_expiry) that the browser JavaScript can read solely to determine whether the session is still valid. On the public marketing site at loyalite.app, we load Google Analytics 4 (GA4) only after you have given explicit consent through our cookie banner; until you accept, no GA4 cookies are set. GA4 is configured with IP-address anonymisation enabled and is used solely to count visits and understand which pages perform well. You may decline analytics, and you may withdraw a previously given consent at any time by clearing your cookies for loyalite.app or by using the cookie banner controls. We do not run advertising pixels, Meta Pixel, Hotjar, session-replay tools, or any other behavioural tracker. We do not use data brokers and we do not retarget. Cookies we set expire when the session ends or, for the refresh token, after 30 days; the GA4 consent and analytics cookies expire after 13 months in line with Google's defaults.
9. Data Retention
Active account data is retained for as long as the account remains active. Upon account deletion, personal data is purged from production databases within 30 days of the deletion request. Anonymised transaction aggregates (from which all personal identifiers have been removed) may be retained beyond 30 days for statistical integrity and fraud-pattern analysis. Expired bcrypt-hashed OTP codes and invalidated refresh tokens are purged by a scheduled background job within 24 hours of expiry. Application error logs processed by Sentry are retained for 90 days, after which they are automatically deleted by Sentry's retention policy. Database backup snapshots are retained for 14 days, then permanently deleted.
10. Your Rights Under the GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with equivalent data protection legislation, you have the following rights regarding your personal data. Right of access (Art. 15): You may request a copy of the personal data we hold about you, including information on how it is processed. Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data. Right to erasure — 'right to be forgotten' (Art. 17): You may request deletion of your personal data where we no longer have a legitimate or legal basis for continued processing. Right to restriction of processing (Art. 18): You may request that we restrict processing of your data while a dispute about its accuracy or the lawfulness of processing is resolved. Right to data portability (Art. 20): You may request your personal data in a structured, commonly used, machine-readable format (JSON) for transfer to another controller. Right to object (Art. 21): You may object to processing based on legitimate interests; we will cease processing unless we demonstrate compelling legitimate grounds that override your interests. Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before withdrawal. Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. As our infrastructure is located in Germany, the competent supervisory authority is the Federal Commissioner for Data Protection and Freedom of Information (BfDI, https://www.bfdi.bund.de). You may also contact the data protection authority in your country of habitual residence. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days, or within 60 days for complex requests with prior notice.
11. International Data Transfers
Our infrastructure is located entirely within the European Union (Germany). Personal data is therefore processed within the EEA under standard operating conditions. Where third-party sub-processors (such as Resend or Sentry) operate data centres outside the EEA, personal data transfers to those processors are governed by the European Commission's Standard Contractual Clauses (SCCs) as adopted under Commission Decision (EU) 2021/914, or by an adequacy decision in force at the time of transfer. We will update this section if new adequacy decisions or transfer mechanisms become applicable.
12. Children's Privacy
The Loyalite platform is not directed at individuals under the age of 16 and we do not knowingly collect personal data from children. If you are a parent or guardian and believe that a child under 16 has provided personal data to Loyalite, please contact us at [email protected]. Upon confirmation, we will promptly delete the data in question.
13. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or applicable law. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect and update the 'Last updated' date at the top of this page. For non-material changes, the revised policy will take effect on the date shown. Continued use of the platform after the effective date of any change constitutes your acceptance of the revised policy. We recommend reviewing this page periodically.
14. Contact
For privacy-related inquiries, data subject access requests, or to exercise any of your rights under applicable data protection law, please contact us at: [email protected]. We aim to acknowledge all requests within 5 business days and to provide a substantive response within 30 days.