In this Privacy Policy, we explain how OneLoyalty collects, uses, discloses, and stores your personal information. We provide services that allow merchants to offer loyalty programs to their customers.

I. Scope and application of this policy

Who this policy covers 

This Policy applies to personal data that OneLoyalty processes when:

  • A merchant installs and operates the OneLoyalty app (including their staff users);
  • A customer participates in a merchant’s loyalty program powered by OneLoyalty (data such as name, contact details, and program activity are typically synced from Shopify; birthday may be optionally collected for rewards);
  • A person visits our website or contacts support (e.g., emails/messages, basic technical logs).

OneLoyalty’s roles

  • For merchant customers’ data processed inside the OneLoyalty app, the merchant is the data controller and OneLoyalty acts as the data processor under the merchant’s instructions and our DPA.
  • For merchant account/admin data, as well as website/support interactions, OneLoyalty is the data controller (in these limited contexts).

Where this policy does not apply

  • Processing a merchant performs outside the OneLoyalty app (e.g., on the merchant’s website, email marketing tools, CRM, ad platforms) is covered by the merchant’s own privacy notice, not this Policy.
  • Third‑party services used with or alongside OneLoyalty (for example, Shopify platform services, analytics, or other apps) have their own privacy terms.
  • Aggregated or anonymized information (created for analytics, security, or service improvement) is not personal data and falls outside this Policy.

Geographic reach and laws

We apply this Policy globally and handle personal data in line with applicable data‑protection principles (e.g., processing fairly and lawfully and protecting confidentiality), supplementing it as required by local laws such as the GDPR and Switzerland’s nFADP.

Contractual precedence

When OneLoyalty acts as a processor, the merchant’s Data Processing Agreement (DPA) governs our processing on the merchant’s behalf. If there is any inconsistency between this Policy and the DPA for that processing, the DPA controls.

II. The legal frameworks and privacy laws we abide by

Taking into account the locations of our merchants and the locations of individuals, we handle personal data in accordance with, but not limited to, the following applicable privacy laws:

| Jurisdiction | Law | Effective date | Scope |
|---|---|---|---|
| United States | California Consumer Privacy Act (CCPA) | 1 Jan 2020 | Grants California residents rights to access, delete, correct, and opt out of the sale or sharing of their personal information. |
| European Union | GDPR (Regulation (EU) 2016/679) | 25 May 2018 | Applies when processing data of individuals in the EEA or targeting them with services. Sets principles, rights, and controller/processor duties. |
| United Kingdom | UK GDPR & Data Protection Act 2018 | 25 May 2018 (post-Brexit adaptation) | UK-specific regime governing personal information use and data-subject rights. |
| Switzerland | Federal Act on Data Protection (nFADP, revised) | 1 Sept 2023 | Governs processing of personal data about individuals in Switzerland; aligns with GDPR principles. |
| Canada | PIPEDA (federal private-sector law) | 2001 (ongoing) | Governs how private-sector organisations collect, use, and disclose personal information in commercial activities across Canada. |
| Viet Nam (OneLoyalty HQ jurisdiction) | Personal Data Protection Decree No. 13/2023/ND-CP (PDPD) | 1 July 2023 | Establishes comprehensive obligations for personal data processing in Viet Nam. |

III. Collecting and processing of personal information

We process personal information to operate and improve OneLoyalty. Our lawful bases include fulfilling our contractual obligations to merchants and their customers, complying with legal obligations, and pursuing legitimate interests such as fraud prevention and service improvement. Specific purposes include:

  • Administering loyalty programs: tracking points earned and redeemed, displaying balances, and enabling participation in events and promotions.
  • Providing customer support: responding to inquiries, troubleshooting, and improving our app.
  • Communications: sending important notices about changes to the app, updates to this policy, and information about features or promotions.
  • Analytics and development: analysing usage to understand trends and improve our services.
  • Security and fraud prevention: detecting, preventing, and investigating potential fraud or abuse.

We may de‑identify or aggregate data to develop statistics or insights. Aggregated or anonymized data is no longer considered personal information and may be used for any purpose.

Here are the three types of data OneLoyalty collects:

1. Customers of our merchants

When merchants use OneLoyalty to run loyalty programs, we process information about their customers on the merchants’ behalf. The data we obtain is primarily synchronized from the merchant’s Shopify store and may include:

| Types of data | Samples | Purposes |
|---|---|---|
| Identity & contact (synced from Shopify) | Name, phone, address, email | Identify the customer in the merchant’s store; account lookup; program communications. |
| Program/account details | Loyalty activity history (e.g., points earned/redeemed), eligibility status | Operate the loyalty program, calculate and show balances, and determine reward eligibility. |
| Optional preferences | Date of birth (birthday) | Enable birthday rewards and relevant earn events. |

We collect this data to administer the loyalty program, track points, and allow customers to earn and redeem rewards. Customers can view their program information through the loyalty widget or page and can provide optional data at their discretion.

2. Our merchants

At the time of installation, merchants are shown a Shopify confirmation screen that clearly asks for permission to access the relevant store data before OneLoyalty is enabled. If you give explicit consent, we collect and use the following data to set up your app instance, provide support, and improve our services.

| Data category | Sample fields | Primary purpose |
|---|---|---|
| Business contact & store context | Store name, business email, store domain | Set up and manage the app instance for the merchant; provide account support. |
| App usage by merchant staff | Admin/user actions in the app (e.g., configuration steps) | Troubleshoot issues; improve features and UX. |
| Support communications | Messages sent to our support | Respond to inquiries and resolve problems. |

These data enable us to provide and improve our services, as described in the OneLoyalty policy.

3. Website or support service users

Individuals who visit the OneLoyalty website or contact us for support may provide personal information. We collect:

| Data category | Sample fields | Primary purpose |
|---|---|---|
| Communications | Emails/messages sent to us | Respond to requests and provide support. |
| Basic usage/technical logs | IP address, browser/device metadata | Keep the site reliable and secure; understand usage at a high level (industry‑standard practice includes logging IP and browser identifiers). |

We do not intentionally collect sensitive personal information (such as race, health or financial account numbers). Payment information for subscription fees is handled through Shopify’s billing system; we do not collect or store credit‑card details.

IV. Sharing the information you provide us

OneLoyalty does not sell personal information. We may share personal information in the following ways:

  • With merchants: Because merchants control customer data, we provide them with analytics and program information necessary to manage their loyalty programs. Merchants’ own privacy policies apply to their use of this data.
  • With service providers: We use third‑party companies (e.g., hosting providers, analytics, customer support tools) to operate OneLoyalty. These providers process personal information only as needed to perform their services and are bound by confidentiality obligations.
  • With Shopify: Installation and use of our app through Shopify may involve sharing information with Shopify as required by its app platform and policies. Shopify may access customer data in accordance with its privacy policy.
  • Business transfers: If OneLoyalty or its parent company is involved in a merger, acquisition or sale of all or part of its business, personal information may be transferred as part of the transaction.
  • Legal and safety: We may disclose information when required by law or to protect our rights or the rights of others.

V. International transfers of your data

We may store and process personal information in Vietnam. Laws in Vietnam may differ from those in your jurisdiction, and personal information may be accessible to government authorities as permitted by law. By using OneLoyalty, you consent to the transfer of your data to the country where we or our service providers operate.

VI. Storing data

Personal information is retained only as long as necessary for the purposes set out in this policy. For customers of our merchants, we follow Shopify’s data‑retention rules. If a merchant uninstalls OneLoyalty, we retain customer data associated with that merchant for 60 days to allow for potential re‑installation or account reconciliation, after which the data is deleted from our systems. Merchants can also request the deletion of their customers’ data via Shopify at any time.

Usage logs, analytics data, and support communications are kept for up to 24 months (or longer if required by law) for auditing, legal, and business purposes.

VII. Cookies and tracking technologies

OneLoyalty uses cookies, web beacons, and similar technologies to operate our website and understand how it is used. Session cookies allow basic functions and expire when you close your browser. Persistent cookies stay on your device and help us remember your preferences and analyse usage. We also collect IP addresses and browser information, which we keep for 24 months. Most browsers allow you to refuse or delete cookies; however, this may affect the functionality of our services. At this time, we do not respond to “Do Not Track” signals.

VIII. Security

We employ administrative, technical and physical safeguards designed to protect personal information against unauthorized access, loss or theft. Measures include encryption in transit, strict access controls, regular security audits and training for employees on confidentiality and data‑protection obligations. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

IX. Exercising your rights

Depending on your location, you may have rights to access, correct, or erase your personal information; object to or restrict our processing of your personal information; and request a copy of your data. OneLoyalty’s policy notes similar rights for individuals. Because merchants control customer data, customers should first direct their requests to the merchant’s privacy contact. Merchants may submit deletion or correction requests through Shopify, and OneLoyalty will process the request promptly.

To exercise rights directly with OneLoyalty (e.g., regarding merchant or website user data), please contact us using the details below. We may need to verify your identity before fulfilling your request. We may refuse or charge a reasonable fee for repeat, excessive, or unfounded requests as permitted by law.

X. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify merchants via email or through Shopify and update the “Effective Date” at the top of the policy. Your continued use of OneLoyalty after an update constitutes acceptance of the new policy.

XI. Contact us

If you have questions or concerns about this policy or how OneLoyalty handles personal information, please contact our Privacy Officer at:

Address: Level 22, Flemington Tower, 182 Le Dai Hanh Street, Ward 15, District 11