Privacy Policy

Effective date: 27 May 2026  ·  Last updated: 27 May 2026

1. Overview

LoyaltyHero ("we", "our", or "us") is committed to protecting your personal information in accordance with Republic Act No. 10173, the Data Privacy Act of 2012 (DPA), and its Implementing Rules and Regulations. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights as a data subject.

2. Data We Collect

We collect only the minimum data necessary to provide the LoyaltyHero service:

  • Merchants: Business name, mobile number or email address, store location (city/province), and loyalty program configuration.
  • Customers: Mobile number or email address used for stamp tracking. No name or address is required.
  • Usage data: QR scan timestamps, reward redemptions, and session logs for service reliability.
  • Device data: Browser type, OS version, and IP address for security and abuse prevention only.

We do not collect payment card details, government IDs, or sensitive personal information as defined under the DPA.

3. How We Use Your Data

  • To operate and deliver the loyalty stamp and reward service.
  • To authenticate users and prevent unauthorized access.
  • To send transactional notifications (reward milestones, OTP codes) with your consent.
  • To generate anonymous, aggregated analytics for merchants (e.g., scan trends).
  • To comply with legal obligations under Philippine law.

4. Legal Basis for Processing

We process personal data on the basis of: (a) contract performance — to provide the service you signed up for; (b) legitimate interest — for fraud prevention and service security; and (c) consent — for optional marketing communications; you may withdraw this consent at any time.

5. Data Retention

Merchant and customer account data is retained for the duration of the active account plus 12 months after deletion to meet tax and regulatory requirements. Scan logs are purged after 24 months. You may request earlier deletion subject to legal hold obligations.

6. Data Sharing

We do not sell your personal data. We share data only with:

  • Firebase / Google Cloud: Our infrastructure provider, bound by a Data Processing Agreement.
  • Merchants: Aggregated stamp counts for their own customers — never raw contact details of other merchants.
  • Authorities: When required by a valid court order or NPC directive.

7. Your Rights Under the DPA

As a data subject, you have the right to:

  • Access — request a copy of the data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure / Right to be Forgotten — request deletion of your account and associated data.
  • Data Portability — receive your data in a structured, machine-readable format.
  • Object — opt out of direct marketing at any time.
  • Lodge a complaint — with the National Privacy Commission (NPC) at privacy.gov.ph.

To exercise any of these rights, email us at [email protected].

8. Security

We implement industry-standard safeguards: TLS encryption in transit, AES-256 encryption at rest, role-based access controls, and regular security audits. In the event of a data breach affecting your rights, we will notify you and the NPC within 72 hours as required by law.

9. Cookies

We use only essential session cookies required for authentication and service operation. We do not use tracking or advertising cookies. You can disable cookies in your browser settings; however, this may prevent you from logging in.

10. Changes to This Policy

We may update this policy periodically. We will notify registered users by email at least 30 days before any material change takes effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

11. Contact

Data Protection Officer:
LoyaltyHero
Email: [email protected]
