1.Who we are
LoyaltyPass is a loyalty card platform for hospitality vendors, operated by Joseph Mattouk and based in Accra, Ghana. We let cafés, bars, studios, and similar venues issue digital loyalty cards to Apple Wallet and Google Wallet, record visits via QR scans at their shops, and message their customers through the wallet pass.
Questions about this policy go to support@loyaltypass.org.
2.Data we collect
We collect different things from vendors (the business that runs the loyalty programme) and from customers (the people who get a loyalty card from that vendor).
From vendors
- Business name and brand slug.
- Contact email, used to sign in to the admin app.
- Optional logo and brand colors.
- Loyalty reward setup (how many punches earn a reward, what the reward is, which icon represents it).
- Industry (café, bar, studio, etc.).
- Shop names and addresses.
- Staff PINs used by counter staff to authorise the scanner on their shift.
- Subscription and billing data, including the Paystack authorization reference we use to take recurring monthly charges. We do not store full card numbers; Paystack handles that.
From customers
- Name and mobile phone number, captured at QR signup.
- A one-time verification code used to confirm the phone number at signup. The code is stored as a hash and expires in five minutes.
- Visit history and punch count on the loyalty card for that vendor, plus the timestamp of every redeemed reward.
- Whether the customer installed the loyalty card into Apple Wallet or Google Wallet, and the device push tokens that the wallet apps register with us so we can update the card and deliver push notifications.
- The timestamp the customer signed up.
We do not collect customer email at this time. We do not collect location data. We do not run third-party analytics or advertising trackers on the customer-facing pages.
3.How we use it
Vendor data
- Run the admin app so you can manage your loyalty programme.
- Render your brand on the loyalty card customers add to their wallet.
- Bill you monthly via Paystack and keep your subscription in good standing.
- Send transactional product email (billing notices, security alerts, material changes to this policy or the Terms).
Customer data
- Deliver the loyalty card to Apple Wallet or Google Wallet.
- Record visits when staff scan the customer's pass at a shop.
- Deliver marketing broadcasts authored by the vendor as wallet push notifications: lock-screen alerts on Apple Wallet, message updates on Google Wallet.
- Confirm the customer's phone number at signup with a one-time code.
5.How long we keep it
- Customer loyalty data is kept while the vendor's subscription is active. If a vendor cancels and 90 days pass without resubscribing, the customer records tied to that vendor are deleted.
- Vendor data is kept while the account is active. On cancellation, plus 90 days, vendor data is deleted unless we are required to retain it for legal or tax reasons (Ghana Revenue Authority record-keeping, dispute defence, and similar).
- OTP records are short-lived and removed within 30 days.
- Server logs kept by our hosting and database providers may persist for up to 90 days for diagnostic and security purposes.
6.Your rights
Customers
You can ask the vendor whose loyalty card you signed up for to:
- Show you the data they hold about you.
- Correct anything that is wrong.
- Remove you from broadcasts.
- Delete your record entirely.
Vendors handle these requests because they are the controller of their own customer list (see section 6 of the Terms of Service). If a vendor will not respond, you can email support@loyaltypass.org and we will help.
Vendors
- You can export your customer list as CSV from the admin app.
- You can correct your account data inside the admin app.
- You can request full account deletion by emailing support@loyaltypass.org.
Ghana does not currently have a statutory equivalent of the EU General Data Protection Regulation. We follow GDPR-style data subject rights as our standard regardless.
7.Children's data
LoyaltyPass is not directed at children under 18. We do not knowingly collect data from anyone under 18. If you believe a child has signed up to a vendor's loyalty card through LoyaltyPass, contact support@loyaltypass.org and we will delete the record.
9.Data security
Data is encrypted in transit (TLS) and at rest (Supabase managed encryption). Every cross-vendor boundary is enforced at the database level using Postgres Row Level Security, not just at the application layer. Signing material for Apple PassKit and Google Wallet is held server-side only and never transmitted to the customer's browser.
No system is perfectly secure. If you believe you have found a vulnerability, please email support@loyaltypass.org and we will get back to you quickly.
10.International data transfers
LoyaltyPass relies on cloud infrastructure that may process data outside Ghana:
- Supabase processes data primarily in the EU (eu-west-2 region).
- Apple processes data in the jurisdictions where Apple operates wallet and push infrastructure, including the United States.
- Google operates Google Wallet globally, including the United States.
- Vercel hosting runs on US-based infrastructure.
By using LoyaltyPass you consent to your data being processed in these regions.
11.Changes to this policy
We may update this policy. The “Last updated” date at the top of this page reflects the most recent change. If a change is material (for example, a new third-party processor or a new category of data), we will notify vendors by email and update the customer signup screen so customers see a notice on their next signup.
12.Contact
Email support@loyaltypass.org for any privacy question, data access request, or deletion request.