Privacy Policy
Last updated: May 5, 2026
1. Who we are
This policy describes how we ("Loyalty," "we," "us," "our") and the participating loyalty-program operators ("Operators") collect, use, share, and protect personal information when you use our Service. We act as a service provider / processor to Operators with respect to the personal information of their customers, and as a controller with respect to platform-level user accounts and security.
2. Information we collect
- Account information: name, email address, password (hashed and salted; never stored in plaintext), language preference.
- Loyalty activity: membership numbers, points balance, transaction history, redemption history, organization memberships, and tier status.
- Marketing-consent metadata: if you opt in to receive promotional communications from an Operator, we record the timestamp, IP address, and User-Agent string at the moment of consent as proof of consent. You may withdraw consent at any time from your profile.
- Device and connection information: IP address, browser User-Agent, mobile platform, and approximate location derived from IP, used for security and audit purposes.
- Audit logs: we maintain an internal audit trail of changes to your account and your loyalty data. Sensitive fields such as password hashes are redacted from audit records.
- Cookies and similar technologies: we use cookies to keep you signed in to the administrator portal and to remember your language preference. The customer mobile app uses local device storage for the same purposes.
3. How we use your information
- To provide and operate the Service (account creation, sign-in, points and rewards, security).
- To send transactional emails (account security, points activity, password resets, reward redemption).
- To send marketing communications, only with your opt-in consent and only on behalf of the Operator(s) you have joined.
- To detect, prevent, and respond to fraud, abuse, and security incidents.
- To comply with legal obligations and respond to lawful requests.
4. Legal bases (EU/EEA/UK)
- Contract performance — for account creation, sign-in, points and rewards processing.
- Legitimate interests — for service security, fraud prevention, audit logging, and product improvement, balanced against your interests.
- Consent — for marketing communications and any non-essential cookies.
- Legal obligation — for tax records, lawful requests, and statutory retention.
5. Sharing your information
- With Operators you have joined. The Operator of each loyalty program you enroll in receives your name, email, membership number, points history, and (if applicable) marketing-consent state.
- With service providers who help us run the Service, including cloud infrastructure, transactional email delivery (SendGrid), and storage. We bind these providers to confidentiality and data-protection obligations.
- For legal reasons, when we are required to disclose information by valid legal process or to protect our rights, users, or the public.
- We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising as defined under California, Colorado, Connecticut, or Virginia law.
6. International transfers
The Service is operated from data centers located in [region to be set during legal review]. If you are located in a jurisdiction with cross-border transfer restrictions (EU/EEA, UK, China, etc.), your personal information may be transferred to and processed in another country. Where required, we rely on Standard Contractual Clauses (EU/UK), the EU–US Data Privacy Framework, or equivalent safeguards, and we will provide a copy on request.
7. Retention
We retain personal information for as long as your account is active and for a reasonable period afterwards to satisfy legal obligations, resolve disputes, and enforce our agreements. Audit logs are retained for [retention period to be set during review]. After that, records are deleted or anonymized.
8. Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct or update inaccurate information.
- Delete your account and personal information, subject to legal retention obligations.
- Restrict or object to certain processing.
- Data portability — receive your data in a machine-readable format.
- Withdraw consent (e.g., marketing) without affecting prior lawful processing.
- Lodge a complaint with a supervisory authority.
To exercise any of these rights, contact us at [privacy@operator.example]. We respond within 30 days (or sooner where required by law).
9. Region-specific notices
Canada (PIPEDA + provincial laws)
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws including Quebec Law 25, Alberta's PIPA, and BC's PIPA. You have the right to access and correct your personal information held by us and to file a complaint with the Office of the Privacy Commissioner of Canada or your provincial commissioner. Our designated Privacy Officer can be contacted at [privacy@operator.example].
United States — California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), and similar state laws
Residents of these states have the right to know what personal information is collected, the right to delete it, the right to correct it, the right to opt out of "sale" or "sharing" (we do neither), and the right not to be discriminated against for exercising these rights. To exercise these rights, see Section 8 above. California residents may also designate an authorized agent.
European Union, EEA, and United Kingdom (GDPR / UK GDPR)
We process personal information in accordance with the GDPR / UK GDPR. The legal bases are described in Section 4. EU residents may lodge a complaint with their national supervisory authority; UK residents may complain to the ICO. For cross-border transfers we rely on Standard Contractual Clauses or the EU–US Data Privacy Framework as applicable.
Asia
- Mainland China (PIPL): separate consent is obtained where the law requires it (e.g., cross-border transfers, sensitive personal information). Necessary security assessments and standard contracts under the Personal Information Protection Law are observed for any export of personal information from the PRC.
- Hong Kong SAR (PDPO): we comply with the six Data Protection Principles. You may request access to and correction of personal data we hold.
- Japan (APPI): we obtain consent before transferring personal information to a third party in a foreign country and provide the disclosures required by Article 28.
- Singapore (PDPA): we follow the Consent, Purpose Limitation, Notification, Access & Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Accountability obligations.
- South Korea (PIPA): separate consent is obtained where required by Article 17 of PIPA, and your rights of access, correction, deletion, and processing suspension are respected.
- India (DPDP Act 2023): we obtain consent from Data Principals for the specified purposes notified, and we honor withdrawal of consent as required by Section 6(4).
10. Children
The Service is not directed to children under the age of 13 (or 16 in the EU/EEA, or as otherwise prescribed locally). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
11. Security
We use industry-standard security measures, including TLS in transit, encryption at rest for data stored in our cloud provider, hashing for credentials, role-based access for staff, multi-factor authentication for administrative access where supported, and routine security review. No method of transmission or storage is fully secure; we cannot guarantee absolute security.
12. Changes
We will update this policy as our practices change. Material changes will be announced via email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the current version.
13. Contact us
Privacy questions or rights requests: [privacy@operator.example]. Mailing address: [company mailing address]. EU representative (if required): [EU rep contact]. UK representative (if required): [UK rep contact].