Privacy Policy

How We Collect, Use, and Protect Your Information

Last updated: February 2026

This Privacy Policy explains how LoyalStash ("LOYALSTASH," "we," "us," or "our") processes personal information of Users, Merchants, and any other individuals with whom we interact as part of running our business and providing our Services.

At LoyalStash, we are committed to helping local businesses build customer loyalty through digital stamp collection programs. This Policy, together with our Cookie Policy, is designed to help you understand our information collection practices depending on your relationship with us.

By accessing or using our Platform, you accept, without limitation or qualification, the practices described in this Policy. If you do not agree with this Policy, you are prohibited from using any portion of our Platform.

1. Definitions

In this Privacy Policy:

  • "Platform" means the LoyalStash websites, mobile applications (including LoyalStash and LoyalStash Merchant), and related services.
  • "User" means an individual who uses the LoyalStash customer mobile application to collect stamps and redeem rewards.
  • "Merchant" means a business that uses LoyalStash to operate loyalty programs for their customers.
  • "Loyalty Card" means a digital loyalty program created by a Merchant on our Platform.
  • "Stamp" means a digital credit collected by a User when they scan a Merchant's QR code.
  • "Reward" means a benefit offered by a Merchant when a User collects the required number of Stamps.
  • "Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person.

2. Who We Are

2.1 About LoyalStash

LoyalStash is a loyalty program platform that connects Users with Merchants through digital stamp collection. Our mission is to help local businesses build lasting customer relationships while providing Users with a simple, rewarding experience.

2.2 Data Controller

LoyalStash is the data controller of all Personal Data collected from Users through the Platform. This means we determine the purposes and means of processing your Personal Data.

For Personal Data processed on behalf of Merchants (such as loyalty transaction data), we act as a data processor. Merchants remain the data controllers for their customer relationship data.

2.3 Contact Details

3. Information We Collect from Users

When you use the LoyalStash app as a User, we collect information in the following categories:

3.1 Account Information

When you create a LoyalStash account, we collect:

  • Full name
  • Email address
  • Password (stored in encrypted form)
  • Profile photo (optional)
  • Language preference

If you choose to sign up using a third-party service (Google, Apple, or Facebook), we receive your name and email address from that service in accordance with their privacy policies and your privacy settings.

3.2 Loyalty Program Data

When you participate in Merchant loyalty programs, we collect:

  • Stamps collected at each Merchant
  • Rewards earned and redeemed
  • Date, time, and location of stamp collection
  • Merchant locations you have visited
  • Your loyalty card collection and preferences

3.3 Device and Usage Information

We automatically collect certain information when you use our Platform:

  • Device type, operating system, and version
  • Unique device identifiers
  • App version and settings
  • Features used and actions taken within the app
  • Time and duration of usage
  • Crash reports and performance data

3.4 Location Information

With your consent, we collect your device's location to show you nearby Merchants and enable stamp collection. You can enable or disable location services through your device settings at any time. When location services are disabled, you can still use the app but some features may be limited.

3.5 Communications

When you contact us for support or provide feedback, we collect the content of your communications, including any attachments, along with your contact information.

4. Information We Collect from Merchants

When you use LoyalStash as a Merchant, we collect additional information to provide our services:

4.1 Business Information

  • Business name and trading name
  • Business address and contact details
  • Business logo and images
  • Business category and description
  • Operating hours

4.2 Account Holder Information

  • Name of account holder
  • Email address and phone number
  • Role within the business
  • Authentication credentials

4.3 Employee Information

When you invite employees to access your Merchant account, we collect their name, email address, and assigned role. Employees create their own passwords during the account activation process.

4.4 Loyalty Program Data

  • Loyalty card configurations and rules
  • Stamp and reward transaction history
  • Customer engagement analytics (aggregated)
  • QR code scan data

5. How We Use the Information We Collect

We use the information we collect for the following purposes:

5.1 Providing Our Services

  • Creating and managing your account
  • Processing stamp collection and reward redemption
  • Displaying nearby Merchants and available loyalty programs
  • Tracking your loyalty progress across Merchants
  • Enabling Merchants to manage their loyalty programs

5.2 Communications

  • Sending service-related notifications (e.g., reward earned, stamp expiring)
  • Responding to your inquiries and support requests
  • Sending important updates about changes to our services or policies

5.3 Improving Our Services

  • Analyzing usage patterns to improve our Platform
  • Developing new features and functionality
  • Conducting research and analytics
  • Troubleshooting technical issues

5.4 Security and Legal Compliance

  • Detecting and preventing fraud, abuse, and security incidents
  • Enforcing our Terms and Conditions
  • Complying with legal obligations and responding to lawful requests
  • Protecting our rights, property, and safety, and that of our users

6. How We Share Information

6.1 With Merchants

When you collect stamps or redeem rewards at a Merchant, we share transaction details with that Merchant, including the time of transaction and stamp/reward information. We provide Merchants with aggregated analytics about their loyalty program performance. We do not share your personal contact information with Merchants without your consent.

6.2 Service Providers

We share information with third-party service providers who perform services on our behalf, including:

  • Cloud hosting and database services (Supabase)
  • Website hosting (Vercel)
  • Email delivery services (Resend)
  • Analytics services

These service providers are contractually bound to use your information only for the purposes of providing services to us and in accordance with this Policy.

6.3 Legal Requirements

We may disclose information when required by law, such as in response to a subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and the choices you may have.

6.5 We Do Not Sell Your Personal Information

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

7. Data Retention

We retain your information for as long as necessary to provide our services and fulfill the purposes described in this Policy. Specific retention periods include:

Data Type | Retention Period
Account data | Until account deletion + 30 days
Loyalty transaction data | 7 years (legal/accounting requirements)
Usage analytics | 2 years (aggregated/anonymized)
Support communications | 3 years after resolution
Deactivated loyalty cards | 90 days (redemption period) + 30 days

When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal or legitimate business purposes.

8. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your country of residence. Some of our service providers are established in countries that may not provide the same level of data protection as your home country.

When we transfer personal data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement/Addendum where applicable
  • Adequacy decisions where the destination country provides adequate protection
  • Supplementary measures including encryption and access controls

9. Security

We maintain personal information on secure servers and implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256
  • Secure authentication with OAuth 2.0 and PKCE
  • Role-based access controls limiting data access to authorized personnel
  • Regular security assessments and vulnerability testing
  • Monitoring and logging of system access

While we take reasonable measures to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10. Your Rights

Depending on your location, you may have certain rights regarding your personal information. These may include:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restriction: Request restriction of processing in certain circumstances
  • Right to Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent where processing is based on consent

To exercise any of these rights, please contact us at contact@loyalstash.com. We will respond to your request within 30 days (or as required by applicable law).

For region-specific rights, please see the relevant Schedule at the end of this Policy.

11. Children's Privacy

Our Platform is intended for Users 13 years of age or older, and we do not knowingly collect personal information from children under the age of 13 (or the applicable age of consent in your jurisdiction).

If we become aware that we have collected personal information from a child under the applicable age, we will use all reasonable efforts to delete such information from our databases. If you believe we have collected information from a child, please contact us immediately at contact@loyalstash.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes, we will notify you by:

  • Posting a notice in the App and on our Website
  • Sending you an email notification (if we have your email address)
  • Updating the "Effective date" at the top of this Policy

We encourage you to review this Policy periodically. Your continued use of our Platform after any changes indicates your acceptance of the updated Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

LoyalStash
Email: contact@loyalstash.com

Schedule A: Australia & New Zealand Privacy Rights

This Schedule applies to individuals located in Australia or New Zealand and supplements the information in the main Policy.

Australia (Privacy Act 1988)

If you are located in Australia, you have the following rights:

  • Right to access your personal information
  • Right to request correction of inaccurate information
  • Right to make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached

We will take reasonable steps to ensure the personal information we collect, use, and disclose is accurate, complete, and up-to-date.

New Zealand (Privacy Act 2020)

If you are located in New Zealand, you have the following rights:

  • Right to access your personal information
  • Right to request correction of inaccurate information
  • Right to make a complaint to the Privacy Commissioner

We will ensure that personal information is collected, stored, used, and disclosed in accordance with the New Zealand Privacy Act 2020 and the Information Privacy Principles.

Schedule B: California Privacy Rights (CCPA/CPRA)

This Schedule applies to California residents and supplements the information in the main Policy. The California Consumer Privacy Act of 2018 ("CCPA"), as amended by the California Privacy Rights Act of 2020 ("CPRA"), provides California consumers with specific rights regarding their personal information.

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email address, device identifiers)
  • Commercial information (loyalty transaction history)
  • Internet or network activity (app usage data)
  • Geolocation data (with consent)
  • Inferences (preferences derived from the above)

Your California Rights

  • Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Opt-Out: You have the right to opt out of the "sale" or "sharing" of your personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

We Do Not Sell or Share Your Personal Information

LoyalStash does not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising purposes.

How to Exercise Your Rights

To exercise your California privacy rights, please contact us at contact@loyalstash.com. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

Schedule C: European Privacy Rights (GDPR)

This Schedule applies to individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland and supplements the information in the main Policy.

Legal Bases for Processing

We process your personal data on the following legal bases:

  • Contract: Processing necessary to perform our contract with you (providing the Platform services)
  • Legitimate Interests: Processing necessary for our legitimate interests (improving services, security, fraud prevention), where not overridden by your rights
  • Consent: Where you have given consent (e.g., location services, marketing communications)
  • Legal Obligation: Processing necessary to comply with legal obligations

Your GDPR Rights

In addition to the rights described in Section 10, you have:

  • Right to Object: You may object to processing based on legitimate interests at any time
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority

International Transfers

When we transfer personal data outside the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place as described in Section 8, including Standard Contractual Clauses and the UK International Data Transfer Addendum.

Supervisory Authorities

If you are located in the EEA, UK, or Switzerland and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.