← Back to LoyalTea

Privacy Policy

Last updated: 29 March 2026

1. Who We Are

LoyalTea ("we", "us", "our") is a digital loyalty platform operated by LoyalTea Technologies. We help businesses run loyalty programs (stamp cards, points, prepaid cards) and help their customers earn and redeem rewards via digital wallet passes.

For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), we are a Data Fiduciary. Our merchant partners who use LoyalTea to manage their loyalty programs are also Data Fiduciaries for their customer data.

2. What Data We Collect

For Customers (Data Principals)

When you join a merchant's loyalty program, we collect:

  • Phone number — to identify your account and send OTPs
  • Name — to personalise your experience
  • Email (optional) — for communications if you opt in
  • Date of birth (optional) — for birthday rewards, if the merchant enables this
  • Device type and wallet type — to deliver passes to Apple Wallet, Google Wallet, or web

For Merchants

When you sign up as a business, we collect:

  • Email and password — for account access
  • Business name and industry — to configure your loyalty program
  • Business address and location — for proximity alerts (if enabled)
  • Team member emails — for staff access management

3. Why We Collect It

We process personal data only for these purposes:

  • Operating loyalty programs (stamps, points, prepaid cards)
  • Delivering digital wallet passes
  • Sending transactional notifications (reward earned, balance update)
  • Sending marketing communications (only with explicit consent)
  • Birthday rewards (only if you provide your date of birth)
  • Proximity alerts (only if you add the pass to your wallet)
  • Preventing fraud and abuse

4. Consent

We collect your data only with your explicit consent, given at the point of enrollment. You may withdraw your consent at any time by contacting us or the merchant. Withdrawing consent is as simple as giving it — contact our Grievance Officer (see Section 10) or use the preferences page on your pass.

If a merchant enables Terms & Conditions for their program, you must accept them before joining. These are specific to each merchant's program and are shown on your wallet pass.

5. Data Storage and Security

Your data is stored securely on Supabase (our database provider) with the following protections:

  • Encryption in transit (TLS/HTTPS) and at rest (AES-256)
  • Row-level security ensuring merchants can only access their own customer data
  • Access controls with role-based permissions (owner, manager, staff)
  • Audit logging of all data access and modifications

Our database infrastructure may be hosted outside India. As of March 2026, this is permitted under the DPDP Act as no countries have been placed on the restricted transfer list. We will comply with any future government notifications regarding cross-border data transfers.

6. Data Retention

We retain your personal data only as long as it is needed for the loyalty program you enrolled in. If a merchant deletes your record, or if you request deletion, your data is permanently removed from our systems.

Inactive accounts (no transactions for 3+ years) will be flagged for deletion with 48 hours' notice before erasure.

7. Your Rights

Under the DPDP Act, you have the right to:

  • Access — request a summary of your personal data we hold
  • Correction — request correction of inaccurate data
  • Erasure — request deletion of your data when consent is withdrawn or the purpose is fulfilled
  • Grievance redressal — file a complaint with our Grievance Officer
  • Nomination — nominate someone to exercise your rights on your behalf

We will respond to all requests within 90 days.

8. Children's Data

LoyalTea is intended for users aged 18 and above. We do not knowingly collect personal data from children under 18. If you are under 18, please do not use our services without parental or guardian consent. If we discover that we have collected data from a child without appropriate consent, we will delete it promptly.

9. Third-Party Sharing

We do not sell your personal data. We share data only with:

  • The merchant whose loyalty program you joined — they see your name, phone, stamps/points, and activity
  • Supabase — our database provider, bound by data processing agreements
  • Apple and Google — for wallet pass delivery (only pass-level data, not your personal profile)
  • SMS/email providers — for OTPs and notifications (only your phone number or email)

10. Grievance Officer

For any questions, concerns, or requests regarding your personal data, contact our Grievance Officer:

Arnav Shrivastava

Grievance Officer, LoyalTea Technologies

Email: privacy@loyaltea.in

Response time: Within 90 days of receiving your request

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via our platform. The "Last updated" date at the top indicates the most recent revision.

© 2026 LoyalTea Technologies. All rights reserved.