Privacy Policy

Last updated: April 10, 2026

1. Introduction

GetLoyal ("we", "us", or "our") is a digital loyalty platform operated by GetLoyal FZ-LLC, registered in the United Arab Emirates. This Privacy Policy explains how we collect, use, store, and protect the personal data of business owners ("Merchants"), their end-customers ("Loyalty Members"), and visitors to our platform at getloyal.ai ("Platform"). We are committed to complying with the EU General Data Protection Regulation (GDPR) and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL).

2. Data We Collect

We collect and process the following categories of personal data:

  • Merchant Account Data: Name, business name, email address, phone number, country, business type, and password (stored as a one-way hash), collected when you register as a Merchant. Subscription billing details are processed securely by Stripe; we retain only the last four card digits and expiry date for display.
  • Loyalty Member Data: Name, email address, phone number, and (where optionally enabled by the Merchant) date of birth, collected when an end-customer joins a loyalty programme through a Merchant's QR code or join link. This data is collected and processed on behalf of the relevant Merchant.
  • Analytics & Usage Data: Log files, IP addresses, browser type, device type, pages visited, referrer URLs, and interaction timestamps. This data is used for platform security, debugging, and aggregated product analytics. It is not used for targeted advertising.
  • Loyalty Programme Configuration Data: Card designs, reward rules, branch details, branding assets, and notification settings uploaded or configured by Merchants.

3. How We Use Your Data

  • To provision, operate, and maintain your GetLoyal Merchant account and loyalty cards.
  • To run loyalty programmes on behalf of Merchants — including issuing digital passes, recording stamp and point balances, and processing rewards.
  • To send push notifications and WhatsApp alerts to Loyalty Members on behalf of Merchants (where the Member has consented and the Merchant has configured such notifications).
  • To process subscription payments and issue billing receipts via Stripe.
  • To send transactional emails (e.g., password resets, account notifications, trial reminders).
  • To improve and secure the Platform using aggregated, anonymised analytics.
  • To comply with applicable UAE laws and regulations.

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.

4. Data Storage & Retention

Personal data is stored on secure servers provided by our hosting infrastructure provider. All data is encrypted in transit (TLS 1.2+) and at rest.

  • Merchant account data is retained for as long as your account is active. Upon closure, data is deleted or anonymised within 90 days, unless a longer period is required by law.
  • Loyalty Member data is retained for as long as the Merchant's account is active or until a deletion request is received. Merchants may instruct us to delete Member data at any time.
  • Analytics data is retained for up to 24 months in identifiable form, after which it is aggregated or deleted.
  • Transaction logs (stamps, points, redemptions) are retained for up to 7 years for record-keeping purposes, as may be required under UAE commercial law.

5. Third-Party Services

We share data only with trusted sub-processors necessary to operate the Platform. All sub-processors are bound by data processing agreements and may not use your data for their own purposes. Key sub-processors include:

  • Apple Wallet (Apple Inc.): Loyalty Member data is used to generate and update Apple Wallet passes. Apple's device registration and push notification infrastructure is used to deliver pass updates.
  • Google Wallet (Google LLC): Loyalty Member data is used to generate and update Google Wallet passes via the Google Pay & Wallet API.
  • WhatsApp / Meta Platforms: Where Merchants enable WhatsApp notifications, the Loyalty Member's phone number is used to send messages via the WhatsApp Business API. Members may opt out at any time by replying "STOP".
  • Stripe, Inc.: Payment processing for Merchant subscriptions. Stripe is PCI-DSS Level 1 certified. We do not store full card numbers.
  • Database & Hosting Provider: Our primary database and application servers are hosted on infrastructure that stores data within secured data centres. Data may be replicated across regions for redundancy.

We do not sell personal data to third parties for advertising or marketing purposes.

6. Your Rights

In accordance with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and, where applicable, the GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure ("Right to be Forgotten"): Request deletion of your personal data where no legal obligation requires its retention.
  • Restriction: Request that we limit the processing of your data in certain circumstances.
  • Portability: Receive your personal data in a structured, machine-readable format where processing is based on consent or contract.
  • Objection: Object to processing based on legitimate interests.
  • Opt-out of communications: Unsubscribe from marketing or notification messages at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. If you are an end-customer of a Merchant (Loyalty Member), please contact the relevant Merchant directly — they are the data controller for your loyalty programme data.

7. Legal Basis for Processing

We process personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Platform services to Merchants.
  • Consent: Processing of Loyalty Member data for push notifications, WhatsApp alerts, and optional fields (e.g., date of birth).
  • Legitimate interests: Analytics and platform security, where such interests are not overridden by your rights.
  • Legal obligation: Retention of transaction and billing records as required by UAE law.

8. Security

We employ industry-standard security measures including TLS encryption in transit, encryption of sensitive data at rest, strict access controls, and regular security reviews. We will notify affected individuals and, where required, relevant authorities, in the event of a data breach that poses a risk to your rights and freedoms.

9. Cookies

We use essential session cookies required for the Platform to function securely (e.g., authentication tokens). We may use analytics cookies to understand usage patterns in an aggregated, non-identifiable manner. You can disable cookies in your browser settings, though some platform features may not work correctly as a result.

10. Children's Privacy

The Platform is intended solely for use by businesses and individuals who are 18 years of age or older. GetLoyal does not knowingly collect, solicit, or process personal data from individuals under the age of 18. Merchants are prohibited from using the Platform to collect data from individuals known to be under 18 years of age without appropriate parental or guardian consent as required by applicable law.

If you are a parent or guardian and believe that a child under 18 has provided personal data to GetLoyal or through a Merchant's loyalty programme on the Platform, please contact us immediately at [email protected]. We will take prompt steps to investigate and, where appropriate, delete any such data from our systems.

11. Marketing Communications

GetLoyal will not use the personal data of Loyalty Members for its own marketing or promotional communications. Loyalty Member data is processed solely to operate and maintain loyalty programmes on behalf of Merchants and is not used by GetLoyal for any independent marketing purposes.

Merchants who use the Platform to send marketing communications to their Loyalty Members must comply with the following requirements:

  • Merchants may only send marketing communications to end-customers who have explicitly opted in to receive such communications. Sending marketing messages to end-customers who have not affirmatively consented is prohibited.
  • Every marketing or promotional message sent through the Platform must include a clear and functional opt-out mechanism, allowing recipients to unsubscribe from future communications at any time.
  • Merchants must honour opt-out requests promptly and must not continue to send marketing messages to individuals who have opted out.

Failure to comply with these requirements may result in suspension or termination of the Merchant's account in accordance with our Terms of Service.

12. Merchant Compliance Responsibility

Merchants are solely responsible for establishing their own privacy policies and notices for their end-customers, and for ensuring that their collection, use, and processing of end-customer data through the Platform complies with all applicable data protection laws and regulations, including but not limited to the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and the GDPR (where applicable).

GetLoyal acts as a data processor on behalf of Merchants with respect to Loyalty Member data and processes such data only in accordance with Merchant instructions and these Terms. Merchants, as data controllers, bear full responsibility for: (a) ensuring a valid legal basis exists for collecting and processing end-customer data; (b) providing adequate privacy notices to end-customers at the point of data collection; (c) managing data subject rights requests from their end-customers; and (d) ensuring any cross-border data transfers comply with applicable law. GetLoyal shall not be liable for any failure by a Merchant to meet their obligations as a data controller.

13. International Data Transfers

Your data may be processed in countries outside the UAE, including the European Economic Area (EEA) and the United States, by our sub-processors. Where such transfers occur, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses or adequacy decisions) in accordance with the UAE PDPL and GDPR.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered Merchants of material changes by email at least 14 days before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy. The latest version is always available at getloyal.ai/privacy.

15. Governing Law

This Privacy Policy is governed by the laws of the United Arab Emirates. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the competent courts of the UAE.

16. Contact Us

For all privacy-related enquiries, data subject requests, or complaints, please contact our Privacy Team at: [email protected].

If you are not satisfied with our response, you have the right to lodge a complaint with the UAE Data Office or the relevant data protection authority in your country of residence.