Loyalty Club PLC is a UK data controller and processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page summarises your rights and how we honour them.
Lawful basis
- Contract — to deliver the loyalty platform you signed up for.
- Legitimate interest — fraud prevention, security, product improvement.
- Consent — for marketing communications and for non-essential cookies (analytics and advertising). Always opt-in, always reversible via “Cookie settings”.
- Legal obligation — financial reporting and tax compliance.
Your rights
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — delete your account and associated personal data.
- Restriction — limit how we process your data while a query is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests, and to direct marketing or ad personalisation at any time.
- Withdraw consent — for any processing where consent is the lawful basis.
Exercising your rights
Members can delete their account directly in the Loyalty Club app. For other rights, email hello@loyaltyclubplc.com. We respond within 30 days.
Data we share
We don’t sell personal data. We use vetted processors to operate the platform — payments (Square), transactional email (Resend), and hosting (Vercel) — under UK GDPR-compliant terms.
With your consent, we also share analytics and advertising data with Google (Analytics 4 and Ads), Microsoft (Clarity — heatmaps and session replays), and Meta (the Facebook/Instagram Pixel), which may act as independent or joint controllers for their own measurement and audience purposes. See our Cookie policy for the full list and to manage your choice.
Cookies & consent
We set non-essential analytics and advertising cookies only after you opt in via our cookie banner, and you can change or withdraw your choice at any time using “Cookie settings” in the footer. For the full list of cookies and partners, see our Cookie policy.
International transfers
Some partners (notably Google and Meta) process data in the United States. We rely on the UK Extension to the EU–US Data Privacy Framework where the recipient is certified, or otherwise the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses with a transfer risk assessment.
Security
Personal data is encrypted at rest and in transit. We apply role-based access, audit logging, and least-privilege principles to all systems.
Complaints
You can complain to the UK Information Commissioner’s Office at ico.org.uk. We encourage you to contact us first so we can put things right.