Last update: January 12, 2026
Privacy Policy
- Company: Loya Labs Inc. ("Loya", "we", "our", or "us")
- Website: useloya.com
- App: app.useloya.com
- Contact: hello@useloya.com
1. Introduction
Loya Labs Inc. ("Loya", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website, mobile application, payment services, and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.
This Privacy Policy applies to all users of the Service, including both shoppers and merchants.
2. Information We Collect
We collect several types of information from and about users of our Service.
2.1 Information You Provide to Us
Account Registration Information:
When you create an account (either as a shopper or merchant), we collect:
- First name and last name
- Email address
- Password (encrypted and securely stored)
- Phone number (optional)
- Profile photo (if you sign in with Google or Apple)
- Date of birth (for age verification)
Merchant-Specific Information:
For merchant accounts, we also collect:
- Business name and legal entity name
- Business address and phone number
- Business type and category
- Tax identification number (EIN or SSN)
- Bank account information (for payouts)
- Business representative information
Payment Information:
When you make a purchase or receive payouts:
- Payment card information (collected and stored by Stripe, not by us)
- Billing address
- Bank account details (for merchant payouts, stored by Stripe)
Communications:
- Messages you send us through email or support channels
- Feedback, reviews, and survey responses
- Customer support inquiries
2.2 Information Automatically Collected
Transaction Data:
We automatically collect information about your transactions, including:
- Purchase amounts and dates
- Merchant identifiers
- Products or services purchased (basic category information)
- Payment method used
- Transaction status (completed, refunded, failed)
- Rewards earned and redeemed
- Wallet balances and history
Usage Information:
When you use our Service, we automatically collect:
- Device information (model, operating system, unique device identifiers)
- IP address and general location (city/country level)
- Browser type and version
- Pages you visit and features you use
- Time spent on pages
- Referring website or source
- Date and time of access
- Clickstream data
Cookies and Tracking Technologies:
We use cookies, web beacons, and similar technologies to:
- Remember your preferences and settings
- Authenticate your account
- Analyze usage patterns and trends
- Provide personalized experiences
- Measure the effectiveness of our marketing
See Section 10 for detailed information about cookies.
2.3 Information from Third Parties
Authentication Providers:
When you sign in using Google OAuth or Apple Sign-In:
- We receive your name, email address, and profile picture from these providers
- This information is subject to the third party's privacy policies
Payment Processors:
Stripe provides us with:
- Transaction confirmation and status
- Settlement and payout information
- Fraud detection signals
Referrals:
If another user refers you to Loya:
- We may receive your email address or contact information
- Referral relationship and bonus tracking data
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Provide and Improve the Service
- Account Management: Create and manage your account, authenticate your identity, and provide customer support
- Transaction Processing: Process payments, issue rewards, track balances, and manage refunds
- Service Delivery: Enable core functionality of the payment and loyalty platform
- Platform Improvement: Analyze usage patterns to improve features, user experience, and performance
- Bug Fixes: Identify and resolve technical issues
3.2 Communication
- Transactional Emails: Send purchase confirmations, receipts, and reward notifications
- Account Notifications: Alert you about account activity, security issues, or policy changes
- Customer Support: Respond to inquiries and provide assistance
- Marketing Communications: Send promotional emails about new features, offers, or merchants (you can opt out)
3.3 Business Operations
- Analytics: Understand user behavior, measure service effectiveness, and generate insights
- Fraud Prevention: Detect and prevent fraudulent transactions, unauthorized access, and abuse
- Compliance: Meet legal obligations, respond to legal requests, and enforce our Terms of Service
- Financial Reporting: Calculate commissions, generate tax documents, and process merchant payouts
3.4 Marketing and Personalization
- Personalized Recommendations: Suggest merchants or offers based on your preferences
- Targeted Advertising: Show relevant ads (with your consent where required)
- Referral Programs: Manage and track referral bonuses
3.5 Legal and Safety
- Legal Compliance: Comply with applicable laws, regulations, and legal processes
- Dispute Resolution: Investigate and resolve disputes, chargebacks, or complaints
- Safety and Security: Protect against security threats, fraud, and illegal activity
- Rights Protection: Enforce our rights and protect our property
4. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information in the following circumstances:
4.1 Service Providers
We share information with trusted third-party service providers who help us operate the Service:
Payment Processing:
- Stripe: Processes payments, manages payouts, and provides fraud detection. See Stripe's Privacy Policy.
Authentication and Account Management:
- Clerk: Manages user authentication, sessions, and account security. See Clerk's Privacy Policy.
Data Storage and Infrastructure:
- Convex: Provides backend database management and real-time data storage with enterprise-grade encryption. See Convex's Privacy Policy.
Communication Services:
- Email service providers for transactional and marketing emails
- Customer support platforms
Analytics and Monitoring:
- Analytics providers to understand usage patterns
- Performance monitoring tools
These service providers are bound by confidentiality obligations and may only use your information to provide services to us.
4.2 Business Partners
Merchants:
When you make a purchase, we share limited information with the merchant:
- Your first name and last name
- Purchase amount and date
- Rewards earned
- General transaction details necessary for order fulfillment
We do not share your full contact information or payment details with merchants.
4.3 Legal Requirements
We may disclose your information if required to do so by law or in response to:
- Court orders, subpoenas, or legal processes
- Requests from government authorities or law enforcement
- Legal obligations or regulatory requirements
4.4 Business Transfers
If Loya is involved in a merger, acquisition, bankruptcy, or sale of assets:
- Your information may be transferred as part of that transaction
- We will notify you via email and/or prominent notice on our Service
- You will have choices regarding your information
4.5 Consent
With your explicit consent, we may share your information for purposes not described in this Privacy Policy.
4.6 Aggregated or De-identified Data
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you:
- Industry reports and statistics
- Marketing materials
- Research and analysis
5. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
5.1 Retention Periods
Active Accounts:
- We retain your account information and transaction history while your account is active
Closed Accounts:
After account closure, we retain certain information for:
- Legal compliance (e.g., tax records for 7 years)
- Fraud prevention (e.g., to prevent re-registration of banned users)
- Dispute resolution (e.g., chargeback investigations)
Transaction Records:
- Financial transaction data is retained for at least 7 years to comply with tax and financial regulations
Marketing Data:
- Marketing preferences and communications are retained until you opt out or we no longer need them
Inactive Accounts:
- Accounts inactive for 24+ months may be deleted or anonymized after notification
5.2 Deletion Requests
You may request deletion of your personal information at any time (see Section 8 - Your Rights). However, we may retain certain information when required by law or for legitimate business purposes.
6. Data Security
We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it.
6.1 Security Measures
Encryption:
- Data in transit is encrypted using TLS/SSL protocols
- Sensitive data at rest is encrypted using industry-standard algorithms
- Payment information is tokenized and encrypted by Stripe (PCI DSS compliant)
Access Controls:
- Role-based access controls limit employee access to personal information
- Multi-factor authentication for administrative accounts
- Regular access reviews and least-privilege principles
Infrastructure Security:
- Secure cloud hosting with enterprise-grade providers (Convex, Clerk)
- Regular security updates and patches
- Firewall protection and intrusion detection systems
- Automated security monitoring and logging
Authentication Security:
- Passwords are hashed and salted using bcrypt or similar strong algorithms
- Session management with secure, httpOnly cookies
- Automatic session expiration and refresh tokens
6.2 Security Practices
- Regular security audits and vulnerability assessments
- Employee security training and awareness programs
- Incident response plan and breach notification procedures
- Third-party security certifications where applicable
6.3 Your Responsibility
You are responsible for:
- Maintaining the confidentiality of your password
- Using a strong, unique password
- Not sharing your account credentials
- Logging out when using shared devices
- Reporting suspicious activity immediately
6.4 No Absolute Security
While we implement strong security measures, no system is completely secure. We cannot guarantee absolute security of your information. You use the Service at your own risk.
7. International Data Transfers
Loya is based in the United States, and our Service is primarily intended for users in the United States.
7.1 Data Storage Location
Your personal information is stored and processed in the United States, where our service providers (Convex, Clerk, Stripe) operate data centers.
7.2 International Users
Service Availability:
The payment and transaction features of the Service are available only to US residents. However, our website may be accessed internationally for informational purposes.
If you access the Service from outside the United States:
- Your information will be transferred to and processed in the United States
- U.S. privacy laws may differ from those in your country
- By using the Service, you consent to the transfer of your information to the United States
Note: You will not be able to create an account or complete transactions unless you are a US resident.
7.3 European Users
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland:
- Data transfers from the EEA to the U.S. are based on approved transfer mechanisms
- Our service providers use Standard Contractual Clauses or other approved methods
- You have additional rights under GDPR (see Section 8)
8. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information.
8.1 Rights for All Users
- Access: Request a copy of the personal information we hold about you
- Correction: Update or correct inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal obligations)
- Opt-Out: Unsubscribe from marketing communications
- Account Closure: Close your account at any time
8.2 Additional Rights for California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of:
  - Categories of personal information collected
  - Categories of sources from which information is collected
  - Business purpose for collecting information
  - Categories of third parties with whom information is shared
  - Specific pieces of personal information collected
- Right to Delete: Request deletion of personal information we collected from you (with certain exceptions)
- Right to Opt-Out of Sale: We do not sell your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information (if applicable)
- Authorized Agent: You may designate an authorized agent to make requests on your behalf
- Shine the Light: California residents can request information about disclosure of personal information to third parties for direct marketing purposes (we do not engage in this practice)
8.3 Additional Rights for European Users (GDPR)
If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to Access: Obtain confirmation of whether we process your data and access to such data
- Right to Rectification: Correct inaccurate or incomplete personal data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data in certain circumstances
- Right to Restrict Processing: Request limitation of processing in certain situations
- Right to Data Portability: Receive your personal data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent: Withdraw consent for processing based on consent
- Right to Lodge a Complaint: File a complaint with your local data protection authority
- Automated Decision-Making: Right not to be subject to decisions based solely on automated processing
8.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: hello@useloya.com
- Subject Line: "Privacy Rights Request"
- Include: Your name, email address, account details, and specific request
We will respond to verified requests within:
- 45 days for most requests (may extend to 90 days if complex)
- 30 days for GDPR requests (may extend to 90 days with notification)
We may require verification of your identity before processing requests.
9. Children's Privacy (COPPA Compliance)
The Service is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18.
9.1 Age Requirement
You must be at least 18 years old to:
- Create an account
- Use the Service
- Make purchases or earn rewards
9.2 Parental Notice
If you are a parent or guardian and believe your child under 18 has provided personal information to us:
- Contact us immediately at hello@useloya.com
- We will delete the information as soon as possible
- We may request verification of your relationship to the child
9.3 Age Verification
We may implement age verification measures to ensure compliance with this policy.
10. Cookies and Tracking Technologies
We use cookies, web beacons, pixels, and similar technologies to enhance your experience and collect usage information.
10.1 Types of Cookies We Use
Essential Cookies (Always Active):
- Authentication and session management
- Security and fraud prevention
- Shopping cart and checkout functionality
- Load balancing and performance
These cannot be disabled as they are necessary for the Service to function.
Analytics Cookies (Optional):
- Usage statistics and performance metrics
- User behavior analysis
- A/B testing and feature optimization
- Error tracking and debugging
Functional Cookies (Optional):
- Remember preferences and settings
- Personalize content and recommendations
- Language and region preferences
Marketing Cookies (Optional, with Consent):
- Targeted advertising
- Measure advertising effectiveness
- Track conversions and campaign performance
- Retargeting and remarketing
10.2 Third-Party Cookies
We may allow third parties to place cookies on your device:
- Google Analytics (for usage analytics)
- Advertising networks (for targeted ads, with consent)
- Social media platforms (for social features and analytics)
10.3 Cookie Management
Browser Controls:
Most browsers allow you to:
- View and delete cookies
- Block all cookies or only third-party cookies
- Receive notification before cookies are placed
Note: Blocking essential cookies may impair Service functionality.
Our Cookie Preferences:
You can manage non-essential cookies through:
- Cookie consent banner (on first visit)
- Account settings (if logged in)
- Privacy preferences center (link in footer)
Do Not Track:
Some browsers support "Do Not Track" (DNT) signals. Currently, there is no industry standard for responding to DNT signals, and we do not respond to them.
10.4 Other Tracking Technologies
Web Beacons/Pixels:
- Small image files embedded in emails and web pages
- Track email opens and webpage views
- Measure marketing campaign effectiveness
Local Storage:
- HTML5 local storage for persisting data in your browser
- Session storage for temporary data
- Used for performance and functionality
11. Marketing Communications
11.1 Types of Communications
Transactional (Cannot Opt Out):
- Purchase confirmations and receipts
- Reward notifications
- Account security alerts
- Service updates and policy changes
- Customer support responses
Promotional (Can Opt Out):
- Marketing emails about features, offers, or merchants
- Product announcements and updates
- Newsletters and blog content
- Surveys and feedback requests
11.2 Opt-Out Methods
You can opt out of promotional communications by:
- Clicking the "unsubscribe" link in any promotional email
- Adjusting email preferences in your account settings
- Contacting us at hello@useloya.com
Note: Even if you opt out of marketing emails, we will still send transactional communications necessary for the Service.
11.3 Communication Frequency
We respect your inbox and aim to send relevant, timely communications. You can adjust frequency preferences in your account settings.
12. Third-Party Links and Services
The Service may contain links to third-party websites, applications, or services not operated by Loya.
12.1 No Responsibility for Third Parties
We are not responsible for:
- Privacy practices of third-party sites or services
- Content on third-party platforms
- Terms and policies of linked sites
12.2 Review Third-Party Policies
We encourage you to review the privacy policies of any third-party services you visit or use:
- Stripe Privacy Policy: https://stripe.com/privacy
- Clerk Privacy Policy: https://clerk.com/legal/privacy
- Convex Privacy Policy: https://www.convex.dev/legal/privacy/v2024-09-24
- Google Privacy Policy: https://policies.google.com/privacy
- Apple Privacy Policy: https://www.apple.com/legal/privacy/
13. Changes to This Privacy Policy
13.1 Right to Modify
We may update this Privacy Policy from time to time to reflect:
- Changes to our practices
- New features or services
- Legal or regulatory requirements
- User feedback
13.2 Notification of Changes
When we make changes:
- We will update the "Last Updated" date at the top
- For material changes, we will provide prominent notice via:
  - Email notification
  - In-app notification
  - Banner on our website
13.3 Material Changes
Material changes include:
- Changes to how we collect or use personal information
- Changes to data retention periods
- Changes to how we share information
- Changes that reduce your privacy rights
13.4 Continued Use
Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy. If you don't agree with the changes, you should stop using the Service and close your account.
13.5 Review Regularly
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
14. Business Transitions
In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, or similar corporate event:
14.1 Transfer of Information
- Your personal information may be transferred to a successor or affiliate
- Information transfers will be subject to this Privacy Policy unless you consent otherwise
- The successor will be bound by the same privacy obligations
14.2 Notification
We will provide notice of any such change via:
- Email to your registered email address
- Prominent notice on our website
- 30 days' advance notice when possible
14.3 Your Choices
If you do not wish your information to be transferred:
- You may close your account before the transfer
- You may exercise your deletion rights (subject to legal limitations)
15. Legal Basis for Processing (GDPR)
For users in the EEA, UK, or Switzerland, we process your personal data based on the following legal grounds:
15.1 Contract Performance
Processing necessary to provide the Service and fulfill our contractual obligations to you:
- Account creation and management
- Payment processing
- Reward tracking and redemption
- Customer support
15.2 Legitimate Interests
Processing necessary for our legitimate business interests:
- Fraud prevention and security
- Service improvement and analytics
- Marketing to existing customers
- Business operations and administration
We balance our interests against your rights and freedoms.
15.3 Legal Obligations
Processing required to comply with legal obligations:
- Tax reporting and financial compliance
- Response to legal requests
- Regulatory compliance
15.4 Consent
Processing based on your explicit consent:
- Marketing communications (where consent is required)
- Optional cookies and tracking
- Sharing information beyond what's necessary for the Service
You may withdraw consent at any time without affecting prior processing.
16. Data Protection Officer and Representative
16.1 Contact for Privacy Matters
For privacy-related inquiries, concerns, or requests:
- Email: hello@useloya.com
- Subject: Privacy Inquiry
- Response Time: Within 45 days (or as required by applicable law)
16.2 European Representative
If required under GDPR, we will appoint a representative in the European Union. Contact details will be updated here once appointed.
17. State-Specific Privacy Rights
17.1 Nevada Residents
Nevada residents have the right to opt out of the sale of certain personal information. We do not sell personal information as defined by Nevada law.
17.2 Virginia, Colorado, Connecticut, and Utah Residents
Residents of Virginia, Colorado, Connecticut, and Utah have rights similar to those under CCPA, including:
- Right to access personal information
- Right to delete personal information
- Right to correct inaccurate information
- Right to opt out of targeted advertising, sale of personal information, and profiling
To exercise these rights, contact us at hello@useloya.com.
17.3 Other States
If your state has enacted comprehensive privacy legislation, you may have additional rights. Contact us to learn more about rights available to you.
18. Accessibility
We are committed to ensuring this Privacy Policy is accessible to all users. If you have difficulty accessing this policy due to a disability:
- Contact us at hello@useloya.com
- We will provide the policy in an alternative format
- We will work with you to ensure you can understand our privacy practices
19. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our privacy practices:
Loya Labs Inc.
Email: hello@useloya.com
Website: useloya.com
For Privacy Rights Requests:
Email: hello@useloya.com
Subject Line: "Privacy Rights Request"
For Security Issues:
Email: hello@useloya.com
Subject Line: "Security Issue"
Response Time:
- General inquiries: Within 5 business days
- Privacy rights requests: Within 45 days (CCPA) or 30 days (GDPR)
- Security issues: Within 24 hours
20. Supervisory Authority
If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
- List of EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en
- UK Information Commissioner's Office: https://ico.org.uk/
- Swiss Federal Data Protection and Information Commissioner: https://www.edoeb.admin.ch/
21. Effective Date
This Privacy Policy is effective as of January 12, 2026.
By using the Service after this date, you acknowledge that you have read, understood, and agree to this Privacy Policy.
Thank you for trusting Loya with your personal information. We are committed to protecting your privacy and being transparent about our practices.