Legal

Privacy Policy

Last updated: 2 June 2025

1. Who we are

Loyable ("we", "us", "our") operates the Loyable platform — a loyalty programme service for independent shops. Our registered address is London, United Kingdom. Questions about this policy can be sent to privacy@loyabel.app.

2. Data we collect

We collect data in two contexts, plus some data collected automatically from all users:

  • Customers — name, email address, phone number (optional), loyalty card activity (stamps, points, rewards redeemed), and the shops you have joined.
  • Business owners — name, email address, business name, address, category, logo, and programme configuration.
  • All users — browser or device type, IP address, and usage events collected automatically via server logs.

We do not collect payment card details. Billing is handled by Stripe.

3. How we use your data

  • To provide and improve the Loyable service.
  • To send transactional emails (e.g. stamp confirmations, reward unlocks).
  • To send product updates and marketing emails — you can unsubscribe at any time.
  • To detect and prevent fraud or abuse.
  • To comply with legal obligations.

We do not sell your personal data to third parties.

4. Legal basis (GDPR)

For users in the EEA and United Kingdom, we process data under:

  • Contract — to fulfil the loyalty service you signed up for.
  • Legitimate interests — to improve the platform and prevent fraud.
  • Consent — for marketing communications.
  • Legal obligation — where required by law.

5. Cookies

We use strictly necessary cookies to maintain your session. We do not use advertising or tracking cookies. You can disable cookies in your browser settings, but the service will not function correctly without session cookies.

6. Data sharing

We share data only with:

  • Supabase — database and authentication hosting (EU region).
  • Vercel — application hosting and edge delivery.
  • Stripe — payment processing for business subscriptions.
  • Resend — transactional email delivery.

Each sub-processor is bound by a Data Processing Agreement and may only process data on our instructions.

7. Data retention

We retain account data for as long as your account is active. If you delete your account, we erase your personal data within 30 days, except where retention is required by law (e.g. billing records for 7 years).

8. Your rights

Under GDPR and UK data protection law you have the right to access, correct, port, restrict, or erase your data. You also have the right to object to processing based on legitimate interests and to withdraw consent at any time.

To exercise any right, email privacy@loyabel.app. We respond within 30 days. You may also lodge a complaint with the UK Information Commissioner's Office.

9. Security

We use TLS for all data in transit and AES-256 encryption at rest. Access to production data is restricted to authorised personnel only. We conduct regular security reviews.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or by a prominent notice on the site at least 14 days before they take effect.