This policy is written in plain language, not legalese. We genuinely want you to understand how we handle data. If anything is unclear, reach out — we are happy to explain.
Introduction
Welcome to Loyalty Loop, a SaaS loyalty platform operated by "Loyalty Loop Technologies Pvt Ltd" ("we", "us", or "our"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have.
This policy applies to:
- Business owners and their staff who create accounts on Loyalty Loop to run a loyalty programme for their customers.
- End customers who participate in a loyalty programme managed by a business using Loyalty Loop.
- Visitors to our website and marketing pages.
This policy is effective from 18 April 2026. By using Loyalty Loop, you agree to the practices described here. If you do not agree, please discontinue use of the platform.
We are registered and operate under the laws of India. This policy is compliant with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (DPDP Act).
Information We Collect
2.1 Business Account Data
When you register as a business on Loyalty Loop, we collect:
- Full name and email address of the account owner
- Business name, category, and contact details
- Password (stored as a bcrypt hash — we never store your plain-text password)
- GST Identification Number (GSTIN) and PAN, where provided for invoice purposes
- Billing address
- Profile or logo image, if uploaded
2.2 Customer Loyalty Data (Processed on Behalf of Businesses)
When end customers join a business's loyalty programme via Loyalty Loop, the following data is collected and stored on behalf of that business:
- Customer name, phone number, and email address
- Date of birth (optional, used for birthday rewards)
- Unique QR loyalty card identifier
- Stamp history, reward history, and redemption records
- Date and time of each transaction
2.3 Payment Data
Subscription payments are processed by Razorpay, a PCI-DSS compliant payment gateway. We do not store your full card number. We retain only:
- Last four digits of the card and card type (Visa, Mastercard, RuPay, etc.)
- Billing name and address
- Transaction reference IDs and timestamps
All sensitive card data is handled exclusively by Razorpay. Their privacy policy governs that processing.
2.4 Technical & Usage Data
We automatically collect the following when you use the platform:
- IP address and approximate geographic location
- Browser type, version, and operating system
- Device identifiers
- Pages visited, features used, and actions taken
- Session cookies (required for login)
- Error logs and performance metrics
How We Use Your Information
We use the data we collect for the following purposes:
Provide the Service
Run your loyalty programme, manage customer cards, track stamps and rewards, and give your staff access to the dashboard.
Billing & Invoicing
Process subscription payments via Razorpay, issue GST-compliant tax invoices, and manage your billing history.
GST Compliance
Generate accurate GST invoices under Indian tax law using your GSTIN and billing details.
Transactional Emails
Send welcome emails, stamp confirmations, reward notifications, birthday messages, and payment receipts to you and your customers.
Customer Support
Respond to your support tickets, diagnose issues, and assist with account management.
Product Analytics
Understand how the platform is used so we can fix bugs, improve features, and build what matters most.
Fraud Detection
Identify and prevent abuse, fraudulent activity, and unauthorised access to accounts.
Legal Compliance
Meet our obligations under Indian law, including the IT Act 2000, DPDP Act 2023, GST rules, and any court or regulatory orders.
We do not use your data or your customers' data for advertising, profiling for third-party marketing, or any purpose unrelated to operating the platform.
Data Controller vs Data Processor
This distinction is important under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and equivalent frameworks worldwide. Here is how it applies to Loyalty Loop:
Data Fiduciary (Controller)
The Business — any merchant, shop owner, or organisation that creates an account on Loyalty Loop and uses it to run a loyalty programme for their customers. The business decides what data to collect from their customers and why.
Data Processor
Loyalty Loop — we store and process customer loyalty data strictly on the instructions of the business. We do not use that data for our own purposes, sell it, or share it outside the scope of providing the service.
Responsibilities of Businesses (Data Fiduciaries)
- Obtaining valid consent from their customers before enrolling them in the loyalty programme.
- Maintaining a privacy notice for their own customers that explains how their data is used.
- Handling customer data deletion or correction requests from their loyalty members.
- Ensuring they have a lawful basis under the DPDP Act to process the personal data of their customers.
If you are a customer of a business that uses Loyalty Loop and you have questions about how your data is handled, please contact that business directly. They are the data fiduciary for your personal information.
Legal Basis for Processing
We rely on the following legal grounds to process personal data, consistent with Indian law:
| Legal Basis | How It Applies |
|---|---|
| Contractual Necessity | Processing your account data and payment data is necessary to deliver the service you have subscribed to under our Terms of Service. |
| Consent | End customers provide consent when joining a loyalty programme. Business users provide consent at account registration. |
| Legitimate Interests | Improving the platform, detecting fraud, and maintaining security — where these do not override individual rights. |
| Legal Obligation | Retaining tax records for GST compliance under the CGST Act, and responding to lawful orders from Indian government authorities. |
Third-Party Service Providers
We work with a small number of carefully selected third-party providers to operate Loyalty Loop. Each is engaged under a data processing agreement (DPA) that restricts them to processing data only for the specified purpose.
Razorpay — Payment Processing
Handles all subscription payment transactions. PCI-DSS Level 1 compliant. Card data is stored and processed exclusively by Razorpay. Governed by the Razorpay Privacy Policy.
Twilio — SMS & WhatsApp Notifications (Optional)
Used by businesses that enable SMS or WhatsApp customer notifications. Customer phone numbers are transmitted to Twilio solely to deliver the notification. This feature is opt-in and can be disabled. Governed by the Twilio Privacy Policy.
SMTP / Email Delivery Providers
Transactional emails (stamps, rewards, invoices, support replies) are delivered via trusted SMTP providers. Email addresses are transmitted to send the message and are not used for any other purpose by the provider.
Cloud Hosting & Infrastructure
Our platform runs on cloud infrastructure hosted in India or within jurisdictions that provide adequate data protection. Providers are contractually bound by DPAs and industry-standard security requirements.
We do not use analytics platforms (e.g. Google Analytics) on the main application — only on public marketing pages, in aggregate, non-personal form.
Data Sharing
We never sell, rent, or trade your personal data or your customers' data. Ever.
We share data only in the following limited circumstances:
- With service providers listed in Section 6 — strictly to operate the platform, under DPAs, and for no other purpose.
- To comply with Indian law — if required by a valid court order, summons, or directive from a competent Indian government authority, law enforcement agency, or regulatory body, we will disclose only the minimum data required and will notify you where we are legally permitted to do so.
- To protect rights or safety — in the rare event that disclosure is necessary to prevent fraud, cybercrime, or protect the safety of users, in accordance with applicable law.
- Business restructuring — in the event of a merger, acquisition, or transfer of business, personal data may be transferred to the successor entity, which will be bound by this same policy or a policy offering equivalent protections. We will notify you before any such transfer.
Data Security
We take security seriously and implement measures consistent with the IT (Reasonable Security Practices and Procedures) Rules, 2011:
HTTPS / TLS Encryption
All data in transit between your browser and our servers is encrypted using TLS 1.2+. We enforce HTTPS with HSTS headers.
Encrypted Storage at Rest
Sensitive database fields and backups are encrypted at rest. Storage volumes use encryption provided by our cloud infrastructure.
Bcrypt Password Hashing
Passwords are never stored in plain text. We use bcrypt with a strong work factor, meaning even we cannot read your password.
Access Controls
Database and server access is restricted to authorised personnel only, authenticated via multi-factor methods. Staff access is role-based and least-privilege.
Periodic Security Reviews
We conduct internal security reviews and are committed to responsible vulnerability disclosure. Critical patches are applied promptly.
Isolated Business Data
Each business account's data is logically isolated. One business cannot access another business's customer data.
No system is 100% secure. If you believe your account has been compromised, please contact us immediately at support@loyaltyloop.in.
Data Retention
| Data Category | Retention Period |
|---|---|
| Active account data (profile, customers, stamps) | Retained for as long as the account is active. |
| Data after account cancellation | 30 days from the cancellation date, then permanently and irreversibly deleted. You can export all data before cancelling. |
| Payment records & GST invoices | 7 years, as required by the CGST Act, 2017 and Indian tax law for audit and compliance purposes. |
| Support communications | Retained for up to 2 years to assist with follow-up enquiries and service improvements. |
| Server and access logs | Retained for 90 days for security and debugging, then deleted. |
| Data subject to legal hold | Where we receive a lawful preservation order or are party to legal proceedings, relevant data is retained until the matter is resolved, regardless of the above schedules. |
Your Rights
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), you have the following rights as a Data Principal (the person whose data is processed):
Right to Access
You may request a summary of the personal data we hold about you and how it is being processed.
Right to Correction
You may request that we correct inaccurate or incomplete personal data. Business account holders can update most details directly in Settings.
Right to Erasure
You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to our legal retention obligations.
Right to Grievance Redressal
If you believe your data rights have been violated, you may raise a complaint with our Grievance Officer (see Section 14). We will respond within 30 days.
Right to Nominate
Under the DPDP Act, you may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity.
Cookies
We use a minimal set of cookies. Here is exactly what we use and why:
| Cookie Type | Purpose | Essential? |
|---|---|---|
| Session cookie | Keeps you logged in during your browser session. Expires when you close your browser or after the session timeout. | Yes |
| Remember-me cookie | If you choose "Stay logged in", a secure token keeps your session alive for up to 30 days. | Optional |
| Preference cookie | Stores your UI preferences (e.g. sidebar state, date range filter). No personal data stored. | Optional |
We do not use advertising cookies, tracking pixels, or any third-party cookies that profile you across the web.
How to disable cookies
You can disable cookies in your browser settings. Note that disabling the session cookie will prevent you from logging in. Instructions for common browsers: Chrome, Safari, Firefox, Edge.
Children
- Loyalty Loop is a business platform. The minimum age to create a business account is 18 years.
- Loyalty programme customer cards may be used by minors (for example, a child using a family café's loyalty card). However, where the customer is below 18, we expect the participating business to obtain parental or guardian consent in accordance with the DPDP Act, 2023.
- We do not knowingly collect personal data directly from children under the age of 13.
- If you believe a child under 13 has submitted personal data to Loyalty Loop without appropriate consent, please contact us at support@loyaltyloop.in and we will promptly review and delete the data.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the platform, applicable law, or our practices.
- For material changes — changes that significantly affect your rights or how we use your data — we will send an email notification to all registered business account holders at least 30 days before the changes take effect.
- For minor changes (corrections, clarifications, formatting), we may update the policy without prior notice, though the effective date at the top will always reflect the latest revision.
- Continued use of Loyalty Loop after the effective date of a material change constitutes your acceptance of the updated policy.
- If you do not agree to a material change, you may cancel your account before it takes effect. We will not penalise you for cancelling in response to a policy change.
Grievance Officer
As required by Rule 5(9) of the IT (Reasonable Security Practices) Rules, 2011 and the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer to address privacy-related complaints and queries.
Grievance Officer Details
To file a grievance, please email the Grievance Officer with the subject line "Privacy Grievance" and include your registered email address, a description of the concern, and any relevant details. We take all privacy grievances seriously and will acknowledge receipt within 48 hours.
If you are not satisfied with our response, you may escalate to the Data Protection Board of India once the DPDP Act's enforcement provisions come into full effect.
Contact Us
For any questions, requests, or concerns about this Privacy Policy or how we handle your data, please reach out through any of the following channels:
support@loyaltyloop.in
Contact Form
loyaltyloop.in/contact
Support Ticket
loyaltyloop.in/support
Support Hours
Mon – Sat, 10am – 7pm IST