Privacy Policy
Last updated: 13 July 2026
LoyaltyCards ("we", "us") provides digital loyalty cards that customers save to their mobile wallet. This policy explains what personal data we collect, why, and what rights you have under the EU General Data Protection Regulation (GDPR).
Who is responsible for your data
The data controller is [YOUR NAME / COMPANY, ADDRESS]. You can reach us at [YOUR CONTACT EMAIL] or through the contact form on our homepage.
When you hold a loyalty card of a specific business, that business also sees your data (see "Who can see your data" below) and uses it to run its loyalty program.
What we collect
- Account data — your name and email address, which you provide when creating a loyalty card, registering, or signing in with Google. We verify your email with a one-time code before creating anything.
- Loyalty data — your stamps, earned and redeemed rewards, and the businesses whose cards you hold, with timestamps.
- Business account data — if you run a business on LoyaltyCards: your business name, logo, program settings and team members.
- Technical data — your IP address, used briefly for rate limiting and abuse prevention. We use only essential cookies, to keep you signed in; there are no advertising or analytics trackers.
Why we process it (legal bases)
- To provide the service (contract, Art. 6(1)(b) GDPR) — creating your loyalty card, tracking stamps, and handing out rewards.
- Wallet notifications(contract) — the pass in your wallet may receive updates and messages from the business whose card you hold, such as "your reward is ready" or occasional announcements. You can remove the pass from your wallet at any time to stop them.
- Security and abuse prevention (legitimate interest, Art. 6(1)(f)) — rate limiting, email verification and fraud checks.
Who can see your data
The business whose loyalty card you hold can see your name, email address and loyalty activity for their own program only — never for other businesses.
We also use these processors to run the service:
- Supabase — database and authentication hosting.
- Vercel — application hosting.
- Google (Google Wallet)— stores and displays the pass on your device; Google's own privacy policy applies to your Google account and wallet.
- Upstash — rate-limiting infrastructure (IP-keyed counters with short retention).
We never sell your data or share it with advertisers.
How long we keep it
We keep your account and loyalty data for as long as you hold at least one active loyalty card. Rate-limiting counters expire automatically within hours. If you ask us to delete your data, we do so as described below.
Your rights
Under the GDPR you can, at any time:
- ask for a copy of the data we hold about you (access & portability),
- ask us to correct it (rectification),
- ask us to delete it (erasure — see below),
- object to or ask us to restrict certain processing.
If you believe we handle your data unlawfully, you can complain to your supervisory authority — in Slovenia, the Information Commissioner (Informacijski pooblaščenec, ip-rs.si).
Deleting your data
You can delete your account and all associated loyalty cards, stamps and rewards yourself at any time on our account deletion page — we verify your email with a code and erase everything immediately.
If you prefer, or if your account manages a business, contact us instead at [YOUR CONTACT EMAIL] or via the contact form on our homepage, from the email address your account uses; we will complete the deletion within 30 days. Removing a pass from your wallet removes it from your device, but not from our records — use the deletion page or ask us for full erasure.
Changes to this policy
If we change this policy in a meaningful way, we will update the date at the top and, for significant changes, notify you by email or through the service.