Privacy Policy
Effective: October 27, 2025
This Privacy Policy explains how DoLoyalty (“we”) collects, uses, and shares information when you use our website and Services, including loyalty and messaging tools.
1) Information we collect
- Account & Venue: Name, email, phone, roles, venue association, login timestamps, subscription status.
- Customer (for Venues): Name (optional), phone, opt-in status/timestamps, pass & punch history, signed QR identifiers, messaging preferences.
- Technical: IP, device/OS, browser, referring URLs, security/performance logs.
- Communications: SMS/MMS content sent via the platform, opt-out events (STOP), help requests (HELP).
- Cookies: Session cookies, CSRF token, optional remember-me (HMAC-signed).
2) How we use information
- Provide and improve Services (passes, punches, secure QR flows).
- Authenticate, maintain sessions, and prevent fraud/abuse.
- Enable compliant SMS/MMS campaigns and honor opt-outs.
- Communicate about updates, security, and support.
- Analyze usage for reliability, performance, and UX.
- Comply with legal obligations and enforce Terms.
3) Legal bases (EEA/UK)
We process data based on contract performance, legitimate interests (security/product improvement), consent (e.g., messaging opt-ins), and legal obligations.
4) How we share information
- With Venues/Managers: Customer data linked to that Venue’s program.
- Service Providers: Hosting, storage, analytics, messaging providers under appropriate safeguards.
- Legal/Compliance: Where required by law or to protect rights/security.
- Business Transfers: In M&A or similar events, subject to this Policy.
5) SMS/MMS compliance
Venues must obtain valid opt-in consent before sending promotional messages. Recipients may reply STOP to unsubscribe and HELP for assistance. Message/data rates may apply.
6) Cookies
- Essential: Session ID, CSRF.
- Remember-me: Optional persistent login token.
You may control cookies in your browser. Blocking essential cookies may break core functionality.
7) Retention
We retain account/venue data while your account is active. Customer records (passes, punches, opt-ins/outs, logs) are retained as needed for the program, disputes, and compliance. Data may be aggregated/anonymized for analytics.
8) Security
We use reasonable safeguards (signed QR tokens, secure cookies, RBAC). No system is perfectly secure—protect your credentials and notify us of suspected compromise.
9) Your rights
- EEA/UK: Access, rectify, erase, restrict, port, object; withdraw consent.
- California (CCPA/CPRA): Know, delete, correct; opt out of sale/share. We do not sell personal information as defined by CCPA/CPRA.
To exercise rights, email support@doloyalty.com. We may verify your identity.
10) Children
Services are not directed to children under 13. We do not knowingly collect their data; if we do, we delete it.
11) International transfers
Data may be processed in the United States and other countries with appropriate safeguards where required.
12) Do Not Track
We currently do not respond to browser “Do Not Track” signals.
13) Changes
We may update this Policy; we will revise the Effective date and may provide additional notice for material changes.
14) Contact
Questions/requests: support@doloyalty.com
This document is provided for general informational purposes and does not constitute legal advice.