1. Introduction
Lokaly (a trading name of Eelavan Ltd, registered in England and Wales, with registered address at 86-90 Paul Street, London, EC2A 4NE, United Kingdom) is committed to protecting your privacy and personal data.
This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the Lokaly digital loyalty platform, including our website (lokaly.co.uk), mobile application, and merchant portal (collectively, the "Platform").
This policy applies to:
- Customers who use the Lokaly app to participate in merchant loyalty programmes
- Merchants who use our platform to create and manage loyalty programmes
- Visitors to our website
Please read this policy carefully. By using our Platform, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:
- Lokaly (Eelavan Ltd) is the data controller for personal data we collect directly from you for our own purposes (e.g., account management, platform operation, marketing).
- Merchants are data controllers for customer data collected through their loyalty programmes. Lokaly acts as a data processor on behalf of merchants for this data.
If you have questions about how a specific merchant handles your data, please refer to that merchant's privacy policy or contact them directly.
3. Information We Collect
3.1 Information from Customers
When you use the Lokaly app as a customer, we may collect:
- Account Information: Name, email address, phone number, date of birth, gender (optional), username, password, profile picture.
- Loyalty Activity: Stamps and points collected, rewards earned and redeemed, check-in history, visit timestamps, participating merchants.
- Device Information: Device type, operating system, unique device identifiers, mobile network information, IP address, user agent.
- NFC Data: When you tap an NFC-enabled loyalty tag, we collect NFC chip identifiers (UID), tap counters, cryptographic verification data, and timestamps to verify and record your check-in.
- Location Data: With your consent, we may collect precise location data when you check in at merchant locations.
- Usage Data: How you interact with the app, features used, pages viewed, time spent, app performance data.
- Communication Data: Messages, feedback, support enquiries, and survey responses.
- Authentication Data: If you sign in using Google or Apple, we receive your name, email address, and profile picture from those services.
3.2 Information from Merchants
When you register as a merchant, we collect:
- Business Information: Business name, trading name, business type, address(es), website, business description, logo.
- Contact Information: Contact person name, email address, phone number.
- Account Credentials: Username, password (securely hashed), account preferences.
- Payment Information: Billing address, payment card details (processed securely by Stripe; we do not store full card numbers), VAT number.
- Loyalty Programme Data: Stamp card designs, reward configurations, promotional content, NFC tag assignments.
3.3 Information Collected Automatically
When you use our Platform, we automatically collect:
- Log data (IP addresses, browser type, pages visited, referring URLs, user agent)
- Session data (authentication tokens, session identifiers)
- Cookies and similar technologies (see Section 10)
- Audit logs for security and compliance purposes
3.4 Security and Fraud Prevention Data
To protect our Platform and users, we collect and analyse:
- Tap patterns and transaction velocity to detect unusual activity
- Device fingerprints and signatures
- Rate limiting data (request counts, timestamps)
- Last scan IP addresses and device associations
- Failed authentication attempts
3.5 Information from Third Parties
We may receive information from:
- Google or Apple if you choose to sign in using their authentication services
- Stripe regarding payment transaction status and verification
- Merchants regarding your participation in their loyalty programmes
4. How We Use Your Information
The following table sets out our purposes for processing your personal data and the legal basis we rely on:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Create and manage your account | Account information, contact details, authentication data | Contract |
| Provide loyalty programme services | Loyalty activity, NFC data, location data | Contract |
| Verify NFC check-ins | NFC chip identifiers, tap counters, cryptographic data | Contract |
| Process payments (merchants) | Payment information, billing details | Contract |
| Prevent fraud and ensure security | Device info, tap patterns, IP addresses, rate limits | Legitimate interests |
| Send service communications | Contact details | Contract / Legitimate interests |
| Send marketing communications | Contact details, preferences | Consent |
| Provide merchant analytics | Loyalty activity (aggregated) | Contract / Legitimate interests |
| Improve our Platform | Usage data, error logs | Legitimate interests |
| Provide customer support | Communication data, account info | Contract / Legitimate interests |
| Comply with legal obligations | Various data as required | Legal obligation |
| Location-based check-ins | Precise location data | Consent |
5. Who We Share Your Data With
5.1 Sharing with Merchants
When you participate in a merchant's loyalty programme, we share relevant data with that merchant, including your name, loyalty activity at their business, and contact information (if you've consented to receive communications from them). Merchants are independent data controllers for this data.
5.2 Service Providers
We share data with trusted service providers who help us operate our Platform. These providers are contractually bound to protect your data and may only use it for the purposes we specify. See Section 6 for our specific sub-processors.
5.3 Legal Requirements
We may disclose your data if required to do so by law or in response to valid legal requests (e.g., court orders, regulatory requests). We may also disclose data to protect our rights, privacy, safety, or property, or that of our users or the public.
5.4 Business Transfers
If Lokaly is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
5.5 Aggregated Data
We may share aggregated, anonymised data that cannot identify you for research, analysis, or marketing purposes.
6. Sub-processors
We use the following sub-processors to help deliver our services:
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Replit (Neon PostgreSQL) | Cloud hosting, database infrastructure | US | SCCs / DPF |
| Stripe | Payment processing | US/UK | SCCs / DPF |
| SendGrid (Twilio) | Transactional and marketing emails | US | SCCs / DPF |
| Google Cloud Storage | Object storage (images, files) | UK/EEA | Adequacy |
| Redis (Upstash) | Session management, caching | UK/EEA | Adequacy |
| Sentry | Error monitoring and debugging | US | SCCs / DPF |
Safeguards key: SCCs = Standard Contractual Clauses; DPF = EU-US/UK Data Privacy Framework; Adequacy = UK adequacy decision.
An up-to-date list is also available at lokaly.co.uk/subprocessors.
7. International Data Transfers
Some of our sub-processors are located in the United States. Where we transfer data outside the UK, we ensure appropriate safeguards are in place, including:
- Transfers to countries with UK adequacy decisions
- The EU-US and UK-US Data Privacy Framework (for certified US organisations)
- UK International Data Transfer Addendum (IDTA) or Standard Contractual Clauses with the UK Addendum
You may request a copy of the relevant safeguards by contacting us.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are:
- Customer accounts: For the duration of your account, plus 30 days after deletion request
- Merchant accounts: For the duration of the account, plus 6 years for financial records
- Loyalty activity: For the duration of your account or as required by the merchant
- Inactive accounts: We may delete accounts inactive for 24 months after providing notice
- Marketing preferences: Until you withdraw consent or unsubscribe
- Support enquiries: 2 years from resolution
- Security/audit logs: 12 months
When we delete your data, we use our anonymisation process (piiRedacted) to ensure personal data is irreversibly removed. We may retain anonymised or aggregated data indefinitely for analytics and research purposes.
9. Your Rights
Under the UK GDPR, you have the following rights:
- Right to access: Request a copy of your personal data
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your data (subject to legal obligations)
- Right to restrict processing: Request limitation of processing
- Right to data portability: Receive your data in a portable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw consent at any time (where consent is the legal basis)
- Rights related to automated decisions: Not be subject to decisions based solely on automated processing
To exercise your rights, please contact us at privacy@lokaly.co.uk. We will respond within one month. We may need to verify your identity before processing your request.
10. Cookies and Similar Technologies
We use cookies and similar technologies to enable essential functionality and improve your experience. The following table describes the cookies we use:
| Cookie/Storage | Type | Purpose |
|---|---|---|
| Session token | Strictly Necessary | HTTP-only cookie that maintains your authenticated session |
| Refresh token | Strictly Necessary | Enables secure token rotation for session continuity |
| CSRF token | Strictly Necessary | Protects against cross-site request forgery attacks |
| Theme preference | Functional | Remembers your dark/light mode preference |
| Sidebar state | Functional | Remembers your sidebar expanded/collapsed preference |
Strictly Necessary cookies are essential for the Platform to function and cannot be disabled. They do not require consent under PECR.
Functional cookies enhance your experience but are not essential. You can manage these through your browser settings.
Note: We do not currently use analytics or marketing/advertising cookies. If this changes, we will update this policy and obtain your consent where required.
For more information on managing cookies, please see our Cookie Policy at lokaly.co.uk/cookies.
11. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit: All data transmitted to and from our Platform uses TLS (Transport Layer Security)
- Encryption at rest: Data stored in our database (Neon PostgreSQL) and cloud storage (Google Cloud Storage) is encrypted using AES-256
- Password security: Passwords are hashed using industry-standard algorithms (never stored in plain text)
- Access controls and role-based authentication
- Regular security testing and vulnerability assessments
- Staff training on data protection
- Incident response procedures
- Fraud detection and rate limiting
While we take security seriously, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
12. Children's Privacy
Our Platform is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will delete such information.
13. Third-Party Links
Our Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our Platform or by sending you an email at least 30 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Eelavan Ltd (trading as Lokaly)
86-90 Paul Street
London, EC2A 4NE
United Kingdom
Email: privacy@lokaly.co.uk
Website: lokaly.co.uk
16. Complaints
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
17. Additional Information for Merchants
If you are a merchant using our Platform, the following additional provisions apply:
17.1 Data Controller Responsibilities
You are the data controller for Customer Data collected through your loyalty programme. You are responsible for ensuring you have a lawful basis for processing, providing privacy notices to your customers, and responding to data subject requests.
17.2 Data Processing Agreement
Our Data Processing Agreement at lokaly.co.uk/dpa governs how we process Customer Data on your behalf, including our obligations under Article 28 of the UK GDPR.
17.3 Your Privacy Obligations
You must maintain an appropriate privacy policy that informs your customers about how their data is collected and used, including through the Lokaly Platform.
— End of Privacy Policy —