Privacy Policy

Last updated: March 22, 2026

1. Who We Are

Loyalisto ("we", "us", "our") operates loyalisto.com, a digital loyalty card platform. We act as a Data Processor for Merchants who use our platform, and as a Data Controller for platform-level data. Contact: support@loyalisto.com.

2. Data We Collect

For Merchants: Business name, email, password (hashed), billing information (handled by a PCI-compliant payment processor), business type, and brand assets (logo, colors).

For End Users (Customers): Phone number (optional), email (optional), first name (optional), birth date (optional), loyalty card activity (stamps, points, visits), and digital wallet identifiers. All personal data fields are optional — customers can join a loyalty program without providing any personal information.

3. How We Use Data

  • To operate and maintain loyalty programs on behalf of Merchants
  • To generate and update digital wallet passes (Apple Wallet, Google Wallet)
  • To send transactional notifications (stamp confirmations, reward alerts) — only with consent
  • To send marketing messages — only with explicit opt-in consent
  • To provide analytics and insights to Merchants about their loyalty programs
  • To process subscription payments through our payment processor

4. Consent & Communication

All notifications require explicit opt-in. We support the following channels:

  • SMS Transactional: Stamp confirmations, reward alerts
  • SMS Marketing: Promotional campaigns from the Merchant
  • Email Transactional: Reward and account notifications
  • Email Marketing: Promotional campaigns from the Merchant
  • Push Notifications: Via Google Wallet pass messages

Customers can opt out at any time by:

  • Visiting the self-service preference page (linked from every loyalty card)
  • Replying STOP to any SMS message
  • Replying STOP PROMO to opt out of marketing SMS only
  • Using the one-click email unsubscribe link

All consent changes are logged with timestamp, IP address, user agent, and consent text version for full GDPR auditability.

5. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access: View your data via the preference page on your loyalty card
  • Rectification: Update your contact information
  • Erasure: Request complete deletion of your data ("right to be forgotten"). Available via the preference page — your personal data will be anonymized and your loyalty card deactivated
  • Portability: Request an export of your data
  • Objection: Opt out of any or all communication channels

6. Data Storage & Security

  • All data is stored on infrastructure located in the European Union
  • Data is encrypted at rest and in transit using modern industry-standard encryption
  • Passwords are hashed using a strong one-way algorithm — we never store plaintext passwords
  • Authentication uses short-lived access tokens with rotation
  • Sensitive credentials are stored in a secrets management system, never in source code
  • Tenant data isolation is enforced at the application layer on every database query
  • Regular backups, access logging, and monitoring are in place

7. Sub-processor categories

We rely on a small number of carefully selected sub-processors to deliver Loyalisto. All sub-processors are bound by data processing agreements:

  • Payment processor: PCI-compliant subscription billing
  • Cloud infrastructure: Data storage, compute, and backups (EU)
  • Apple & Google Wallet: Loyalty pass delivery to customers' phones
  • Email delivery: Transactional email notifications
  • SMS delivery: Transactional SMS notifications (when enabled)
  • Edge network: DNS, content delivery, and DDoS protection

A current list of sub-processors is available on request at privacy@loyalisto.com.

8. Data Retention

Active loyalty card data is retained for the duration of the Merchant's subscription. Upon account deletion or data erasure request, personal data is anonymized within 30 days. Anonymized transaction data may be retained for analytics purposes. Consent logs are retained for 5 years for regulatory compliance.

9. Cookies

Loyalisto uses only essential storage for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the platform after changes constitutes acceptance.

11. Contact

For privacy-related inquiries or to exercise your GDPR rights, contact us at support@loyalisto.com.