How we handle personal information in the United States — for our website and the data we control. Tenant data we process on a customer’s behalf is governed by the DPA.
US notice — counsel review recommended. This privacy notice is written for the United States (incl. California CCPA/CPRA and comparable state laws). An EU/UK (GDPR) addendum is forthcoming. It was drafted for completeness, not as legal advice — have qualified counsel confirm entity name, state-law specifics, and retention periods before relying on it.
Applies to the United States. Effective date set on counsel review; last updated 2026-06. If you are in the EU/UK, an addendum reflecting GDPR/UK GDPR is forthcoming; our processing of customer data on a tenant’s behalf is governed by the DPA.
LoyaltyOS ("we", "us", "our") provides a multi-tenant loyalty platform. For personal information processed on behalf of our business customers (tenants), the tenant is the business/controller and we act as a service provider/processor — that processing is governed by our Data Processing Agreement, not this notice. This notice covers personal information for which we are the business (e.g. website visitors, prospects, and customer account contacts).
We do not intentionally collect sensitive personal information through the marketing site.
To respond to enquiries, provide and improve the service, send service messages and (with your consent where required) marketing, and to meet legal and security obligations.
We do not sell personal information, and we do not “share” it for cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA). We have not done so in the preceding 12 months.
Depending on your state of residence (e.g. California, Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws), you may have the right to:
To exercise a right, email privacy@loyaltyos.example. We will verify your request and respond within the timeframe required by applicable law. You may use an authorised agent where the law permits.
With service providers/sub-processors that help us operate (see the sub-processor register on our Trust Center), under contracts that limit their use of the information; and where required by law or to protect rights and safety. We do not share information with third parties for their own marketing.
We keep personal information only as long as necessary for the purposes above or as required by law. Tenant-controlled data retention is governed by the DPA and the published offboarding process; PII is disposed of by cryptographic erasure (see the Trust Center).
We protect information with encryption in transit and at rest, access controls, and the architectural controls described on our Trust & Security page. No method of transmission or storage is perfectly secure.
The marketing site uses minimal, privacy-respecting analytics and essential cookies. We do not use third-party advertising cookies. Where required, we honour browser opt-out / Global Privacy Control signals.
The service and site are not directed to children, and we do not knowingly collect personal information from children under 13 (or under the age defined by applicable state law).
We may update this notice; material changes will be posted here with a new “last updated” date. Questions or requests: privacy@loyaltyos.example.