Data Processing Agreement
For Merchants (GDPR/CCPA Compliant)
Last updated: February 2026
Note: By using LoyalStash's merchant services, you agree to this DPA. If you have questions about data processing, please contact us at contact@loyalstash.com.
This Data Processing Agreement ("DPA") sets out the terms under which LoyalStash will process personal data on behalf of merchants using our platform. This DPA ensures compliance with applicable data protection laws including GDPR and CCPA.
This DPA is incorporated into and forms part of the Merchant Terms & Conditions. Together with our Privacy Policy, these documents govern how we handle data.
1. Definitions
- "Controller" means the entity that determines the purposes and means of processing Personal Data
- "Processor" means the entity that processes Personal Data on behalf of the Controller
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Data Subject" means the individual whose Personal Data is processed
- "Sub-processor" means a third party engaged by the Processor to process Personal Data
- "Data Protection Laws" means GDPR, CCPA/CPRA, and other applicable data protection legislation
2. Scope and Roles
2.1 Data Controller vs. Processor
| Data Type | Controller | Processor |
|---|---|---|
| Customer account data | LoyalStash | — |
| Loyalty transaction data | Merchant (you) | LoyalStash |
| Merchant employee data | Merchant (you) | LoyalStash |
2.2 Processing Details
- Subject Matter: Provision of loyalty program platform services
- Duration: For the term of the Merchant Terms & Conditions
- Nature: Collection, storage, and processing of loyalty transaction data
- Purpose: To enable merchants to operate loyalty programs
- Data Subjects: Customers participating in merchant loyalty programs, merchant employees
- Data Categories: Name, email, transaction history, stamps, rewards, timestamps
3. Data Processing
3.1 LoyalStash Obligations
As a Processor, LoyalStash will:
- Process Personal Data only on documented instructions from you
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to Data Subject requests
- Delete or return Personal Data upon termination (at your choice)
- Make available information necessary to demonstrate compliance
3.2 Merchant Obligations
As a Controller, you will:
- Ensure you have a lawful basis for processing Customer data
- Provide appropriate privacy notices to Customers
- Respond to Data Subject requests (with our assistance)
- Notify us of any changes to processing instructions
- Ensure your use of the platform complies with Data Protection Laws
4. Security Measures
We implement the following security measures:
Technical Measures
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- Secure authentication (OAuth 2.0, PKCE)
- Regular security testing
- Access logging and monitoring
Organizational Measures
- Role-based access control
- Employee security training
- Vendor security assessments
- Incident response procedures
- Business continuity planning
5. Sub-processors
5.1 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | USA (AWS) |
| Vercel Inc. | Web hosting | USA/Global |
| Resend Inc. | Email delivery | USA |
5.2 Sub-processor Changes
We will notify you of any new sub-processors at least 30 days before they begin processing. You may object to a new sub-processor by contacting us within 14 days. If we cannot address your objection, you may terminate the agreement.
6. International Transfers
Personal Data may be transferred to and processed in countries outside the EEA, UK, or your jurisdiction. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK Addendum to the SCCs for UK transfers
- Adequacy decisions where applicable
- Supplementary measures including encryption and access controls
7. Data Subject Rights
We will assist you in responding to requests from Data Subjects exercising their rights under Data Protection Laws:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
If we receive a request directly from a Data Subject regarding your loyalty program, we will forward it to you within 48 hours unless legally prohibited.
8. Data Breach Notification
In the event of a Personal Data breach affecting your data:
- We will notify you without undue delay (within 48 hours of becoming aware)
- We will provide details of the breach, affected data, and remediation steps
- We will cooperate with any investigation and regulatory notification
- We will take reasonable steps to mitigate the effects of the breach
9. Audit Rights
Upon reasonable notice (at least 30 days), you may:
- Request information about our data processing practices
- Request copies of relevant certifications and audit reports
- Conduct an on-site audit (at your expense, during business hours)
We may satisfy audit requests by providing existing certifications, audit reports, or responses to security questionnaires.
10. Termination
Upon termination of the Merchant Terms & Conditions:
- We will, at your choice, delete or return all Personal Data within 90 days
- We may retain data as required by law or for legitimate business purposes
- This DPA will survive termination with respect to any remaining data
To request data deletion or export, contact contact@loyalstash.com.
Contact
Email: contact@loyalstash.com