Privacy Policy

Last updated: April 1, 2026

1. Introduction

Loyalisto (“we”, “our”, or “us”) operates the loyalisto.com platform, which provides digital loyalty card services for businesses and their customers. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

Loyalisto is the data controller for the personal data processed through our platform. For any questions regarding this policy or your data rights, contact us at privacy@loyalisto.com.

3. Information We Collect

3.1 Business accounts (merchants)

When you create a business account, we collect: name, email address, business name, business address, phone number, and payment information (handled by a PCI-compliant payment processor). We also collect usage data such as login times, features used, and loyalty program configurations.

3.2 Loyalty program members (customers)

When customers join a loyalty program, the following data may be collected: name, email address, phone number (if SMS is enabled), date of birth (if birthday rewards are enabled), and transaction data (stamps, points, visits, redemptions). The exact data collected depends on the loyalty program configuration set by the merchant.

3.3 Automatically collected data

We collect standard web analytics data including IP address, browser type, device type, operating system, referring URL, and pages visited. This data is used for service improvement and security purposes.

4. How We Use Your Information

  • To provide, maintain, and improve our platform and services
  • To process transactions and manage loyalty programs
  • To send transactional communications (reward notifications, account updates)
  • To send marketing communications (with your explicit consent)
  • To provide customer support
  • To detect, prevent, and address fraud, abuse, and technical issues
  • To comply with legal obligations
  • To generate aggregated, anonymized analytics for service improvement

5. Legal Basis for Processing

We process personal data under the following legal bases: (a) performance of a contract — to provide our services to merchants and process loyalty transactions; (b) legitimate interest — to improve our services, ensure security, and prevent fraud; (c) consent — for marketing communications and optional data collection; (d) legal obligation — to comply with applicable laws and regulations.

6. Data Storage and Security

All data is stored on servers located in the European Union. We implement industry-standard security measures including encryption at rest and in transit, access controls, regular security audits, and automated backups. Payment data is handled by a PCI-compliant payment processor and is never stored on our servers.

7. Third-Party Services

We share data with the following categories of third-party service providers, all of which are bound by data processing agreements:

  • Payment processor — Subscription billing and payment method storage (PCI-compliant)
  • Cloud infrastructure provider — Data storage and compute, located in the European Union
  • Apple & Google Wallet — Loyalty pass delivery to customers' phones
  • SMS delivery provider — Transactional SMS when enabled by the merchant
  • Email delivery provider — Transactional email delivery

A current list of sub-processors is available on request from privacy@loyalisto.com.

8. Your Rights

Under GDPR and applicable data protection laws, you have the following rights:

  • Right of access — Request a copy of your personal data
  • Right to rectification — Request correction of inaccurate data
  • Right to erasure — Request deletion of your personal data
  • Right to restriction — Request limitation of processing
  • Right to data portability — Receive your data in a structured format
  • Right to object — Object to processing based on legitimate interest
  • Right to withdraw consent — Withdraw consent at any time

To exercise any of these rights, contact us at privacy@loyalisto.com. We will respond within 30 days.

9. Data Retention

We retain personal data for as long as necessary to provide our services and comply with legal obligations. Merchant account data is retained for the duration of the account plus 30 days after deletion. Loyalty member data is retained according to the merchant's program settings. Anonymized analytics data may be retained indefinitely.

10. Cookies

We use essential cookies required for the platform to function (authentication, session management). We use analytics cookies only with your consent. You can manage cookie preferences at any time through your browser settings.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our platform. Continued use of our services after changes constitutes acceptance of the updated policy.

12. Contact

For any questions about this Privacy Policy or to exercise your data rights, contact us at privacy@loyalisto.com.

GDPR ComplianceBack to home