Privacy Policy

We are committed to protecting your personal data. This policy explains what we collect, why we collect it, and what rights you have over it.

Last updated: 31 May 2026  ·  Effective: 31 May 2026

1. Who we are

LetLoyal ("we", "us", "our") is a QR-based loyalty platform for local businesses, operated by LetLoyal Technologies Private Limited. Our registered address and data controller details are provided in Section 13.

For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), India's Digital Personal Data Protection Act 2023 ("DPDPA"), and all applicable data protection laws, LetLoyal is the Data Controller for personal data collected through this website and our services.

2. Data we collect

2.1 Data you provide to us

When you register for our waitlist or early access programme, we collect:

  • Full name — to personalise communications
  • Email address — to send you onboarding information and updates
  • Phone number — to contact you via WhatsApp/SMS regarding your access
  • Business category — to tailor our onboarding to your type of business

When you subscribe to and use the LetLoyal platform as a merchant, we additionally collect:

  • Business name, location(s) and contact details
  • Billing and payment information (processed by our payment provider)
  • Campaign configuration and reward data you create

2.2 Customer data processed on your behalf

When your customers scan your QR code and join your loyalty programme, we process their phone number (and optionally their name) on your behalf as a Data Processor under your instructions. You (the merchant) are the Data Controller for your customers' data and must ensure your customers are informed accordingly.

2.3 Data collected automatically

  • Log data: IP address, browser type, referring URLs, pages visited, timestamps
  • Device data: device type, operating system, screen resolution
  • Usage data: feature interactions, scan events, redemption events
  • Cookies and similar technologies — see Section 8

We do not collect sensitive personal data such as race, religion, health information, financial account numbers, or government identification numbers through our standard service.

3. How we use your data

We use the personal data we collect for the following purposes:

  • To operate the waitlist: managing your place, communicating your slot availability, and onboarding you to the platform
  • To provide and improve our services: delivering the loyalty platform, processing transactions, and providing customer support
  • To communicate with you: sending service updates, security notices, and — with your consent — marketing messages about new features
  • To prevent fraud and abuse: detecting suspicious activity, verifying OTP redemptions, and enforcing our Terms
  • To comply with legal obligations: responding to lawful requests from authorities and meeting our regulatory duties
  • Analytics and product improvement: understanding how the platform is used so we can improve it — using aggregated, anonymised data wherever possible

4. Legal basis for processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we rely on the following legal bases under Article 6 GDPR:

  • Consent (Art. 6(1)(a)): where you have freely given, specific, informed consent — e.g., marketing emails. You may withdraw consent at any time.
  • Contract performance (Art. 6(1)(b)): processing necessary to deliver the LetLoyal service you have signed up for.
  • Legitimate interests (Art. 6(1)(f)): fraud prevention, platform security, product analytics, and direct marketing to existing customers — where our interests are not overridden by your rights.
  • Legal obligation (Art. 6(1)(c)): processing required by applicable law.

For users in India, we process personal data in accordance with the Digital Personal Data Protection Act 2023 (DPDPA), relying on lawful bases including consent and legitimate uses as defined under the Act.

5. Data sharing and disclosure

We do not sell your personal data. We share data only in the following circumstances:

  • Service providers: trusted third-party processors who help us operate our platform (e.g., cloud hosting, email delivery, SMS/WhatsApp messaging, payment processing, analytics). All processors are bound by data processing agreements.
  • Merchants (for customer data): as a merchant, you have access to the data your customers share when scanning your QR code. You are the Data Controller for this data.
  • Legal requirements: where required by law, court order, or governmental authority.
  • Business transfers: in the event of a merger, acquisition, or sale of assets, personal data may be transferred — you will be notified before your data is transferred and becomes subject to a different privacy policy.
  • Protection of rights: where necessary to protect the rights, property, or safety of LetLoyal, our users, or the public.

6. International data transfers

LetLoyal is based in India. If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions, your personal data may be transferred to and processed in India or other countries where our service providers operate.

Where we transfer data outside the EEA or UK, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • UK International Data Transfer Agreements (IDTAs) for UK transfers

7. Data retention

We retain personal data only for as long as necessary for the purposes outlined in this policy, unless a longer retention period is required by law.

  • Waitlist data: retained until you are onboarded or until 24 months after collection if not onboarded, whichever is earlier
  • Merchant account data: retained for the duration of the subscription and for 7 years thereafter for legal and tax compliance purposes
  • Customer loyalty data: as directed by the merchant (Data Controller) — we will delete it upon termination of the merchant's account or on written request
  • Log and analytics data: aggregated data may be retained indefinitely; raw log data is deleted within 90 days

8. Cookies and tracking technologies

We use cookies and similar technologies on our website. By continuing to use our site, you consent to our use of cookies as described below.

8.1 Types of cookies we use

  • Strictly necessary: essential for the website to function. Cannot be disabled (e.g., session tokens, CSRF protection).
  • Functional: remember your preferences (e.g., form state). Can be disabled without affecting core functionality.
  • Analytics: help us understand how visitors use our site (e.g., page views, referral source). We use anonymised/aggregated data only.

We do not use advertising or third-party tracking cookies. You can manage or disable cookies through your browser settings at any time.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These include:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • OTP-based verification for reward redemptions to prevent fraud
  • Access controls and role-based permissions within our systems
  • Regular security reviews and vulnerability assessments

No system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay.

10. Your rights

Depending on your location, you may have the following rights regarding your personal data. We will respond to verified requests within 30 days (or within the timeframe required by applicable law).

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate or incomplete personal data.
  • Right to erasure: request deletion of your personal data ("right to be forgotten").
  • Right to portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on legitimate interests or for direct marketing.
  • Right to restrict: ask us to temporarily limit how we use your data.
  • Withdraw consent: withdraw consent at any time where processing is consent-based.
  • Lodge a complaint: file a complaint with your local data protection authority.

To exercise any of these rights, email us at hello@letloyal.com with the subject line "Data Rights Request". We may ask you to verify your identity before processing the request. There is no charge for submitting a request.

EEA/UK residents may also lodge a complaint with their local supervisory authority — for example, the UK Information Commissioner's Office (ICO) at ico.org.uk, or the relevant EU DPA in your Member State. Indian residents may contact the Data Protection Board of India once established under the DPDPA 2023.

11. Children's privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at hello@letloyal.com and we will take steps to delete such information.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or by a prominent notice on our website.

Your continued use of our services after changes are published constitutes your acceptance of the revised policy. We encourage you to review this page periodically.

13. Contact us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or need to report a data protection concern, please contact us:

Data Controller — LetLoyal

LetLoyal Technologies Private Limited

Email: hello@letloyal.com

We aim to respond to all data-related enquiries within 72 hours. For formal Data Subject Access Requests, please use the subject line "Data Rights Request".