
Privacy Policy

Last updated: February 9, 2026

1. Data Controller

In compliance with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), we inform you that the data controller is:

Company: Nexus Business Intelligence S.L.

CIF: B23986540

Address: Calle Contraalmirante Pou Magraner 2 -2, 07181 Calvià, Illes Balears, España

Email: hola[at]nexusbisolutions[dot]com

Phone: +34 684 777 162

2. Personal Data We Collect

a) End users (loyalty program members):

  • Full name
  • Mobile phone number (with international prefix)
  • Email address
  • Date of birth
  • Transaction history, accumulated and redeemed points
  • Device language preferences
  • Country of origin (inferred from phone prefix)
  • Satisfaction survey responses (if completed)

b) Business clients (businesses using the platform):

  • Business name and legal entity
  • Administrator email and contact details
  • POS system configuration data
  • Billing and payment data (processed by Stripe, Inc.)
  • Access credentials (passwords stored as bcrypt hashes)

3. Purposes of Processing

  • Loyalty program management: point accumulation and redemption, tier management and rewards.
  • Sending commercial communications (only with express consent): personalized offers, birthday reminders, satisfaction surveys via SMS or email.
  • SaaS service provision to businesses: administration panel, analytics, POS integration.
  • Billing and subscription charges.
  • Service improvement and anonymous statistics.
  • Fraud prevention and platform security.

4. Legal Basis for Processing

  • Data subject consent (Art. 6.1.a GDPR): for voluntary registration in the loyalty program and for sending commercial communications.
  • Performance of a contract (Art. 6.1.b GDPR): for the provision of the service contracted by businesses (Free, Pro or Enterprise plan).
  • Legitimate interest (Art. 6.1.f GDPR): for service improvement, fraud prevention and anonymous statistics.
  • Legal obligation (Art. 6.1.c GDPR): for compliance with tax and fiscal obligations (retention of billing data).

5. Recipients and Data Processors

Your data may be communicated to the following data processors, with whom the corresponding data processing agreements have been signed (Art. 28 GDPR):

  • Supabase, Inc.: database storage and management. Location: EU (AWS eu-central-1, Frankfurt).
  • Vercel, Inc.: web hosting and CDN. Location: global (with EU nodes).
  • Stripe, Inc.: payment processing and billing. Location: USA (with SCCs/DPF).
  • Infobip Ltd.: SMS and email sending. Location: EU/USA (with SCCs).

Your data will not be sold or transferred to third parties for commercial purposes. The business managing the loyalty program acts as Joint Controller regarding its end customers' data.

6. International Data Transfers

Some of our data processors are located outside the European Economic Area (EEA). In these cases, transfers are made with the following safeguards under Chapter V of the GDPR:

  • Stripe, Inc.: Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework.
  • Vercel, Inc.: Standard Contractual Clauses (SCCs).
  • Infobip Ltd.: Standard Contractual Clauses (SCCs) and DPF certification.

7. Data Retention Periods

  • Member data: While the loyalty program is active or until the user exercises their right to erasure. After deletion, data will be blocked for the applicable legal limitation period.
  • Transaction data: 5 years in accordance with Spanish tax regulations (Art. 70 General Tax Law).
  • Billing data: 6 years in accordance with the Spanish Commercial Code (Art. 30).
  • Commercial communications: Until consent is withdrawn.
  • Analytics data: Anonymized after 24 months.

8. Data Subject Rights

Under Articles 15 to 22 of the GDPR and Articles 12 to 18 of the LOPDGDD, you have the following rights:

  • Access (Art. 15): Obtain a copy of your personal data being processed.
  • Rectification (Art. 16): Have inaccurate data corrected or incomplete data completed.
  • Erasure (Art. 17): Request deletion of your data when no longer necessary, you withdraw consent, or you object to processing.
  • Restriction (Art. 18): Request restriction of processing under certain circumstances.
  • Portability (Art. 20): Receive your data in a structured, commonly used and machine-readable format (JSON).
  • Objection (Art. 21): Object to the processing of your data, including profiling.

How to exercise your rights

You can send your request accompanied by a copy of your ID/passport to: hola[at]nexusbisolutions[dot]com. You can also use the "Export my data" or "Delete my data" function available in the app. We will respond within a maximum of 30 days.

9. Security Measures

In compliance with Article 32 of the GDPR, we have implemented appropriate technical and organizational measures, including:

  • Data encryption in transit via TLS 1.3 (HTTPS)
  • Passwords hashed with the bcrypt algorithm (10 salt rounds)
  • Optional two-factor authentication (2FA/TOTP) for administrators
  • HTTP security headers: HSTS, X-Frame-Options, CSP, X-Content-Type-Options
  • Row Level Security (RLS) in the database
  • Automatic daily backups
  • Role-based access control (owner, admin, staff, viewer)

10. Complaints

If you believe that the processing of your data does not comply with current regulations, you have the right to file a complaint with the competent supervisory authority:

Spanish Data Protection Agency (AEPD)

C/ Jorge Juan, 6 — 28001 Madrid

www.aepd.es

Phone: 901 100 099

11. Changes to this Policy

We reserve the right to modify this policy to adapt it to changes in legislation or case law, as well as to industry practice. If the changes are substantial, we will notify you through the application or by email.