Privacy Policy
Last updated: 20 April 2026 · Version 1.0
LetLoyal ("we", "us", "LetLoyal") is a QR-based loyalty platform for small businesses. This policy explains what personal data we collect, why we process it, and the rights you have under the EU General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act 2023 (DPDP Act).
1. Who is the data controller
The operator of the LetLoyal instance you are using is the data controller (GDPR terminology) or data fiduciary (DPDP Act terminology). For this demo deployment, that is the individual or business running the Hostinger account this software is installed on. For data-rights requests, contact them directly.
2. What data we collect
We collect only the minimum data needed to operate the loyalty service:
- Identifier — the phone number or email you sign up with.
- Name — if you choose to provide it.
- Role — customer or merchant.
- Transactions — purchase amounts you scan, coins earned or redeemed, and the merchant involved.
- Consent records — what cookie and marketing permissions you have granted, and when.
- Audit log — login events and data-rights actions (for security and accountability).
- Hashed IP address — a one-way hash of the connecting IP, used for fraud detection only. The original IP is not stored.
We do not collect: payment card details, bank details, government ID numbers, precise location, contacts, or any special-category data.
3. Why we process your data (legal bases)
- Contract performance (GDPR Art. 6(1)(b)) — to run your account, credit coins, and honour redemptions.
- Legitimate interest (GDPR Art. 6(1)(f)) — fraud prevention via rate-limits and IP hashing; merchant accounting via aggregated totals.
- Consent (GDPR Art. 6(1)(a)) — optional analytics cookies and marketing communications. You can withdraw consent at any time.
- Legal obligation (GDPR Art. 6(1)(c)) — where applicable tax or accounting law requires retention of transaction records.
For users in India, processing is carried out on the equivalent grounds under Section 7 of the DPDP Act 2023 (consent and legitimate use).
4. Cookies and local storage
- Essential — a single signed session cookie (letloyal_session) to keep you logged in. Cannot be disabled without breaking login.
- Analytics — off by default. If you enable them, we would use them to measure feature usage. None are active in this demo.
- Marketing — off by default. If you enable it, we may contact you with product updates.
You can change these choices any time via the "Cookie preferences" link in the footer or the Privacy tab after signing in.
5. Who we share data with
For this demo, we do not sell, rent, or share your personal data with third parties. The infrastructure provider hosting this instance (Hostinger) processes data on our behalf as a sub-processor under its own DPA. We do not use advertising networks.
6. International transfers
Depending on the Hostinger region selected by the operator, your data may be processed in the European Economic Area or another jurisdiction with adequate protections. Transfers out of the EEA, if any, rely on Standard Contractual Clauses.
7. How long we keep your data
- Account profile and consents: until you delete your account.
- Transactions: retained in aggregated form after account deletion for merchant accounting; your identifier is replaced with a tombstone value so the record can no longer be linked to you.
- Audit log: 12 months rolling.
- Hashed IPs: 90 days.
8. Your rights
Under GDPR and the DPDP Act you have the right to:
- Access a copy of your data — use the "Export my data" button on your Privacy tab.
- Erasure — use the "Delete my account" button on your Privacy tab. Your profile is anonymised and you are logged out.
- Portability — the export is in machine-readable JSON.
- Rectification — edit your profile in Settings. For anything you cannot change in-app, contact the operator.
- Withdraw consent — toggle cookie and marketing preferences at any time.
- Object to processing based on legitimate interest — contact the operator.
- Complain to a supervisory authority (e.g. Latvia: Datu valsts inspekcija; India: Data Protection Board).
9. Security
Sessions use signed cookies over HTTPS (handled by Hostinger). Passwords are not used in this demo (sign-in is by phone or email only — do not deploy this to production without adding OTP/passkey authentication). IP addresses are hashed. The database is local to the host; access is restricted to the operator's hosting account.
10. Children
LetLoyal is not intended for users under 16 (EU) or under 18 where applicable under the DPDP Act. Do not use the service if you are under that age.
11. Changes to this policy
Material changes will be announced on this page. Continued use after a change constitutes acceptance.
12. Contact
For any privacy request — access, erasure, rectification, objection — contact the operator of the deployment you are using. For general questions about the LetLoyal software itself, contact the project owner via the channel they provided to you.