Data Processing Agreement

For your customers' data, you (the business) are the controller and LoyalPanther is the processor. LoyalPanther processes this customer data solely to provide the service and on the basis of your instructions.

For the business's own data (your account and company details) LoyalPanther is the controller; the privacy policy applies to that.

Subject matter: processing customer data in the context of the loyalty platform. Duration: for as long as the agreement for the service is in force. Nature and purpose: storage, management and processing of loyalty data, and (on your instruction) customer communication.

Categories of data subjects: your customers. Categories of data: including name, email address, optional date of birth and loyalty data (points, transactions, rewards).

LoyalPanther processes customer data only on your written (including electronic) instructions, as set out in the agreement and the settings you choose in the service, unless required otherwise by law. If LoyalPanther considers an instruction to be in breach of the law, we will notify you.

Persons processing customer data under the authority of LoyalPanther are bound by confidentiality and are granted access only to the extent necessary for their task.

LoyalPanther implements appropriate technical and organisational measures (in line with Article 32 GDPR), including encryption in transit, role-based access control, logical separation of data per business (row-level security) and periodic security reviews.

You grant LoyalPanther general authorisation to engage sub-processors to provide the service, currently including Supabase (hosting and database), Vercel (website hosting) and Resend (email delivery).

LoyalPanther imposes on each sub-processor the same obligations as in this agreement. Where we intend to change or add a sub-processor, we will inform you in advance so you can object on reasonable grounds.

LoyalPanther assists you, as far as reasonably possible and with appropriate technical measures, in handling data subject requests (such as access, rectification or erasure) and in meeting your obligations regarding security, data breaches and data protection impact assessments (DPIAs).

If LoyalPanther receives a request directly from one of your customers, we will in principle refer that customer to you.

LoyalPanther notifies you without undue delay once we become aware of a breach involving customer data, and provides the information you reasonably need to meet your own notification obligations.

Customer data is preferably processed within the EEA. Where a transfer outside the EEA takes place, LoyalPanther ensures a valid transfer mechanism, such as an adequacy decision or the Standard Contractual Clauses with additional safeguards.

On termination of the agreement, LoyalPanther deletes the customer data or, at your request, makes it available to you within a reasonable period, unless legislation requires longer retention. Backups are overwritten according to our usual cycle.

On request, LoyalPanther makes available the information needed to demonstrate compliance with this agreement and cooperates with audits by you or an auditor mandated by you, within reasonable limits and respecting the confidentiality of other customers.