Privacy Policy — BeyondLoyalty

1. INTRODUCTION

BeyondLoyalty ("we," "our," or "us") provides loyalty and rewards program services for Shopify merchants and their customers. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our services.

By using BeyondLoyalty, you agree to the collection and use of information in accordance with this policy.

2. WHO WE ARE

BeyondLoyalty is a loyalty program platform that operates as a Shopify App.

Contact Information:

Website: https://beyondloyaltyandrewards.com
Email: support@beyondloyalty.app
Company: BeyondLoyalty, LLC

3. INFORMATION WE COLLECT

3.1 INFORMATION FROM MERCHANTS (STORE OWNERS)

When a merchant installs our Shopify app, we collect:

• Shop Information:

Shop domain (e.g., yourstore.myshopify.com)
Shop name and email
Shopify store ID
Shop timezone and currency

• Authentication Data:

OAuth access tokens (securely encrypted)
Session tokens for embedded app functionality

• Billing Information:

Subscription plan selected
Billing status and history
Payment is processed by Shopify (we do not store credit card numbers)

• Configuration Data:

Loyalty program settings
Reward rules configured
Branding preferences (colors, logos)
Email templates customized

3.2 INFORMATION FROM CUSTOMERS (END USERS)

When customers participate in a merchant's loyalty program, we collect:

• Account Information:

Email address
First and last name
Phone number (optional)
Shopify customer ID

• Loyalty Program Data:

Points balance and transaction history
Rewards earned and redeemed
Loyalty tier/VIP status
Referral codes and referral activity

• Purchase History:

Order information synced from Shopify
Products purchased
Order values and dates
Discount codes used

• Birthday Information (Optional):

Birth date (month and day only)
Used exclusively for birthday reward automation

• Referral Activity:

Unique referral code
Number of successful referrals
Referral link click tracking
Earnings from referrals

• Engagement Data:

Last activity date
Program enrollment date
Redemption history
Abandoned cart information (if applicable)

3.3 AUTOMATICALLY COLLECTED INFORMATION

• Technical Data:

IP address
Browser type and version
Device information
Session duration
Pages visited

• Cookies and Similar Technologies:

Session cookies for authentication
Preference cookies for user settings
Analytics cookies (optional, can be disabled)

4. HOW WE USE YOUR INFORMATION

4.1 FOR MERCHANTS:

Provide and maintain the loyalty program service
Process subscription billing
Send service-related notifications
Provide customer support
Improve our services and develop new features
Ensure security and prevent fraud
Comply with legal obligations

4.2 FOR CUSTOMERS:

Manage your loyalty account and points balance
Process rewards and redemptions
Send loyalty program notifications (points earned, rewards available)
Personalize your experience (tier status, birthday rewards)
Track referral activity and earnings
Provide customer support
Comply with the merchant's loyalty program terms

5. LEGAL BASIS FOR PROCESSING (GDPR)

We process personal data under the following legal bases:

Contract Performance: To fulfill our service obligations to merchants and their customers
Legitimate Interests: To improve our services, ensure security, and prevent fraud
Consent: For optional features like birthday rewards and marketing communications
Legal Obligation: To comply with applicable laws and regulations

6. DATA SHARING AND DISCLOSURE

6.1 WE SHARE DATA WITH:

Shopify: Our app operates on Shopify's platform and exchanges data via their API
Cloud Hosting Providers: We use secure cloud infrastructure (Hetzner Cloud, AWS)
Database Services: PostgreSQL for data storage, Redis for caching
Email Service Providers: For transactional emails (planned: SendGrid, Klaviyo integration)
Analytics Services: For service improvement (aggregated, anonymized data)

6.2 WE DO NOT:

Sell your personal data to third parties
Share your data with advertisers
Use your data for purposes other than providing our service
Share data between different merchant stores (data isolation is maintained)

6.3 WE MAY DISCLOSE DATA WHEN:

Required by law or legal process
Necessary to protect our rights or the safety of others
In connection with a business merger, acquisition, or sale (with notice)
With your explicit consent

7. DATA RETENTION

Merchant Data: Retained as long as the subscription is active, plus 90 days after cancellation
Customer Loyalty Data: Retained as long as the merchant's subscription is active
Transaction Logs: Retained for 7 years for accounting and compliance purposes
Analytics Data: Aggregated data retained indefinitely (anonymized)

When a merchant uninstalls the app:

We retain data for 90 days to allow for reinstallation
After 90 days, all personally identifiable information is permanently deleted
Aggregated, anonymized analytics may be retained

8. DATA SECURITY

We implement industry-standard security measures:

Encryption: All data in transit (TLS/SSL) and at rest (AES-256)
Access Controls: Role-based access, least privilege principle
Authentication: Multi-factor authentication for admin access
Monitoring: Real-time security monitoring and intrusion detection
Regular Audits: Quarterly security audits and penetration testing
Backups: Daily encrypted backups with 30-day retention
Incident Response: Documented breach notification procedures

We are SOC 2 Type II compliant (in progress) and follow OWASP security guidelines.

9. YOUR RIGHTS (GDPR & CCPA)

You have the right to:

Access: Request a copy of your personal data
Rectification: Correct inaccurate or incomplete data
Erasure: Request deletion of your data ("right to be forgotten")
Restriction: Limit how we process your data
Portability: Receive your data in a machine-readable format
Object: Object to processing based on legitimate interests
Withdraw Consent: For processing based on consent

To exercise these rights:

Customers: Contact the merchant who operates the loyalty program
Merchants: Email privacy@beyondloyalty.app

We will respond within 30 days.

10. CHILDREN'S PRIVACY

BeyondLoyalty is not intended for children under 16. We do not knowingly collect data from children under 16. If we discover we have collected such data, we will delete it immediately.

11. INTERNATIONAL DATA TRANSFERS

Our services are hosted in the European Union (Hetzner Cloud - Germany). If you are located outside the EU, your data may be transferred to and processed in the EU.

We ensure adequate protection through:

Standard Contractual Clauses (SCCs)
GDPR-compliant data processing agreements
EU-US Data Privacy Framework compliance (when applicable)

12. COOKIES AND TRACKING

We use the following types of cookies:

Strictly Necessary Cookies: Required for authentication and security
Functional Cookies: Remember your preferences and settings
Analytics Cookies: Help us understand how you use our service (optional)

You can control cookies through your browser settings. Note that disabling necessary cookies may impact functionality.

13. THIRD-PARTY INTEGRATIONS

Our service may integrate with:

Shopify: E-commerce platform (required)
Klaviyo: Email marketing (optional, merchant-configured)
Judge.me: Product reviews (optional, if merchant uses this app)
Yotpo: Reviews and UGC (optional, if merchant uses this app)

Each integration has its own privacy policy. We are not responsible for third-party practices.

14. DATA BREACH NOTIFICATION

In the event of a data breach affecting personal data, we will:

Notify affected merchants within 72 hours
Provide details of the breach and affected data
Outline steps we are taking to mitigate harm
Assist merchants in notifying their customers if required
Report to relevant data protection authorities as required by law

15. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

For material changes:

We will notify merchants via email
Continued use of the service constitutes acceptance
You may terminate your subscription if you disagree

16. CONTACT US

For privacy-related questions or requests:

Email: privacy@beyondloyalty.app
Website: https://beyondloyaltyandrewards.com
Mail: BeyondLoyalty Privacy Team, [Address]

For data subject access requests:

Use the form at: https://beyondloyalty.app/privacy/data-request
Or email: privacy@beyondloyalty.app with subject line "Data Access Request"

17. DATA PROTECTION OFFICER

For EU/UK customers, our Data Protection Officer can be reached at:

Email: dpo@beyondloyalty.app

18. SUPERVISORY AUTHORITY

If you are located in the EU, you have the right to lodge a complaint with your local data protection authority:

EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en
UK Information Commissioner's Office: https://ico.org.uk

JURISDICTION-SPECIFIC PROVISIONS

19. CALIFORNIA RESIDENTS (CCPA)

California residents have additional rights under the CCPA:

Right to Know: What personal information we collect and how it's used
Right to Delete: Request deletion of your personal information
Right to Opt-Out: Opt-out of sale of personal information (we do not sell data)
Non-Discrimination: We will not discriminate for exercising CCPA rights

To exercise CCPA rights, email: privacy@beyondloyalty.app

20. NEVADA RESIDENTS

Nevada residents may opt-out of the sale of personal information. We do not sell personal information.

This Privacy Policy is compliant with:

GDPR (EU General Data Protection Regulation)
CCPA (California Consumer Privacy Act)
UK GDPR
PIPEDA (Canada)
LGPD (Brazil)
Shopify Partner Program Privacy Requirements

BY USING BEYONDLOYALTY, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.