GDPR Compliance

Last updated: April 1, 2026

Loyalisto is built with privacy at its core. As an EU-based platform handling customer loyalty data, we take GDPR compliance seriously. This page outlines the specific measures we implement to protect personal data and uphold the rights of data subjects.

Our compliance measures

EU-hosted infrastructure

All data is stored and processed within the European Union. Our database, application servers, file storage, and caching infrastructure are hosted in EU data centres. Customer data never leaves the EU.

Encryption at rest and in transit

All data is encrypted at rest using AES-256 encryption. All communications between clients and our servers use modern TLS. Internal service communication is also encrypted. Database backups are encrypted.

Privacy by design

We follow privacy-by-design principles throughout our development process. Data minimization is a core principle — we only collect data that is necessary for the service to function. Default settings are privacy-protective.

Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all sub-processors that handle personal data on our behalf. These agreements ensure GDPR-compliant data handling across our supply chain. A current list of sub-processors is available on request.

Right to erasure (right to be forgotten)

Both merchants and their customers can request complete deletion of their personal data. We process erasure requests within 30 days and ensure data is removed from all systems, including backups, within 90 days.

Data portability

Merchants can export all their data — customer lists, transaction history, program configurations — in standard formats (CSV, JSON) at any time. Customers can request their data in a portable format.

Consent management

We implement granular consent management for marketing communications. Customers explicitly opt in to SMS and email campaigns. Consent records are timestamped and auditable.

Access controls and audit logging

Staff access to customer data is controlled through role-based permissions (Owner, Manager, Staff). All data access is logged. Administrative actions are tracked with full audit trails.

Breach notification

In the event of a data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. Affected data subjects will be notified without undue delay when the breach poses a high risk.

Regular security assessments

We conduct regular security assessments and code reviews. Our infrastructure is monitored 24/7 for anomalies. We follow industry best practices for secure software development.

Your rights as a data subject

Under GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@loyalisto.com.

Right of access

Request a copy of all personal data we hold about you

Right to rectification

Request correction of inaccurate or incomplete data

Right to erasure

Request deletion of your personal data from all systems

Right to restrict processing

Request limitation of how we process your data

Right to data portability

Receive your data in a structured, machine-readable format

Right to object

Object to processing based on legitimate interest or direct marketing

Right to withdraw consent

Withdraw previously given consent at any time

Right to lodge a complaint

File a complaint with your local data protection authority

For merchants using Loyalisto

When you use Loyalisto to manage loyalty programs, you act as a data controller for your customers' data, and Loyalisto acts as a data processor. This means:

  • You are responsible for obtaining valid consent from your customers to collect their data
  • We process data only according to your instructions and our Data Processing Agreement
  • You can request a Data Processing Agreement (DPA) at any time
  • We provide tools to help you respond to data subject requests from your customers

Sub-processor categories

We rely on a small number of carefully selected service providers to deliver Loyalisto. The categories below describe the type of processing they perform. A current list of sub-processors, with vendor names and locations, is available on request — contact privacy@loyalisto.com.

Category             | Purpose                                  | Location
---------------------|------------------------------------------|----------------
Cloud infrastructure | Data storage, compute, backups           | European Union
Payment processor    | Subscription billing (PCI-compliant)     | European Union
Email delivery       | Transactional email notifications        | EU / US
SMS delivery         | Transactional SMS notifications          | EU / US
Wallet pass delivery | Apple & Google Wallet pass distribution  | EU / US
Edge network         | DNS, content delivery, DDoS protection   | Global

Contact our Data Protection team

For any GDPR-related inquiries, data subject requests, or to request a Data Processing Agreement, contact us at privacy@loyalisto.com. We aim to respond to all requests within 30 days.