
Privacy Policy

Version 1.0

Last Updated: 4 January 2026

1. Introduction

Lokaly (a trading name of Eelavan Ltd, registered in England and Wales, with registered address at 86-90 Paul Street, London, EC2A 4NE, United Kingdom) is committed to protecting your privacy and personal data.

This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the Lokaly digital loyalty platform, including our website (lokaly.co.uk), mobile application, and merchant portal (collectively, the "Platform").

This policy applies to:

  • Customers who use the Lokaly app to participate in merchant loyalty programmes
  • Merchants who use our platform to create and manage loyalty programmes
  • Visitors to our website

Please read this policy carefully. By using our Platform, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:

  • Lokaly (Eelavan Ltd) is the data controller for personal data we collect directly from you for our own purposes (e.g., account management, platform operation, marketing).
  • Merchants are data controllers for customer data collected through their loyalty programmes. Lokaly acts as a data processor on behalf of merchants for this data.

If you have questions about how a specific merchant handles your data, please refer to that merchant's privacy policy or contact them directly.

3. Information We Collect

3.1 Information from Customers

When you use the Lokaly app as a customer, we may collect:

  • Account Information: Name, email address, phone number, date of birth, gender (optional), username, password, profile picture.
  • Loyalty Activity: Stamps and points collected, rewards earned and redeemed, check-in history, visit timestamps, participating merchants.
  • Device Information: Device type, operating system, unique device identifiers, mobile network information, IP address, user agent.
  • NFC Data: When you tap an NFC-enabled loyalty tag, we collect NFC chip identifiers (UID), tap counters, cryptographic verification data, and timestamps to verify and record your check-in.
  • Location Data: With your consent, we may collect precise location data when you check in at merchant locations.
  • Usage Data: How you interact with the app, features used, pages viewed, time spent, app performance data.
  • Communication Data: Messages, feedback, support enquiries, and survey responses.
  • Authentication Data: If you sign in using Google or Apple, we receive your name, email address, and profile picture from those services.

3.2 Information from Merchants

When you register as a merchant, we collect:

  • Business Information: Business name, trading name, business type, address(es), website, business description, logo.
  • Contact Information: Contact person name, email address, phone number.
  • Account Credentials: Username, password (securely hashed), account preferences.
  • Payment Information: Billing address, payment card details (processed securely by Stripe; we do not store full card numbers), VAT number.
  • Loyalty Programme Data: Stamp card designs, reward configurations, promotional content, NFC tag assignments.

3.3 Information Collected Automatically

When you use our Platform, we automatically collect:

  • Log data (IP addresses, browser type, pages visited, referring URLs, user agent)
  • Session data (authentication tokens, session identifiers)
  • Cookies and similar technologies (see Section 10)
  • Audit logs for security and compliance purposes

3.4 Security and Fraud Prevention Data

To protect our Platform and users, we collect and analyse:

  • Tap patterns and transaction velocity to detect unusual activity
  • Device fingerprints and signatures
  • Rate limiting data (request counts, timestamps)
  • Last scan IP addresses and device associations
  • Failed authentication attempts

3.5 Information from Third Parties

We may receive information from:

  • Google or Apple if you choose to sign in using their authentication services
  • Stripe regarding payment transaction status and verification
  • Merchants regarding your participation in their loyalty programmes

4. How We Use Your Information

The following table sets out our purposes for processing your personal data and the legal basis we rely on:

Purpose | Data Used | Legal Basis
Create and manage your account | Account information, contact details, authentication data | Contract
Provide loyalty programme services | Loyalty activity, NFC data, location data | Contract
Verify NFC check-ins | NFC chip identifiers, tap counters, cryptographic data | Contract
Process payments (merchants) | Payment information, billing details | Contract
Prevent fraud and ensure security | Device info, tap patterns, IP addresses, rate limits | Legitimate interests
Send service communications | Contact details | Contract / Legitimate interests
Send marketing communications | Contact details, preferences | Consent
Provide merchant analytics | Loyalty activity (aggregated) | Contract / Legitimate interests
Improve our Platform | Usage data, error logs | Legitimate interests
Provide customer support | Communication data, account info | Contract / Legitimate interests
Comply with legal obligations | Various data as required | Legal obligation
Location-based check-ins | Precise location data | Consent

5. Who We Share Your Data With

5.1 Sharing with Merchants

When you participate in a merchant's loyalty programme, we share relevant data with that merchant, including your name, loyalty activity at their business, and contact information (if you've consented to receive communications from them). Merchants are independent data controllers for this data.

5.2 Service Providers

We share data with trusted service providers who help us operate our Platform. These providers are contractually bound to protect your data and may only use it for the purposes we specify. See Section 6 for our specific sub-processors.

5.3 Legal Requirements

We may disclose your data if required to do so by law or in response to valid legal requests (e.g., court orders, regulatory requests). We may also disclose data to protect our rights, privacy, safety, or property, or that of our users or the public.

5.4 Business Transfers

If Lokaly is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

5.5 Aggregated Data

We may share aggregated, anonymised data that cannot identify you for research, analysis, or marketing purposes.

6. Sub-processors

We use the following sub-processors to help deliver our services:

Provider | Purpose | Location | Safeguards
Replit (Neon PostgreSQL) | Cloud hosting, database infrastructure | US | SCCs / DPF
Stripe | Payment processing | US/UK | SCCs / DPF
SendGrid (Twilio) | Transactional and marketing emails | US | SCCs / DPF
Google Cloud Storage | Object storage (images, files) | UK/EEA | Adequacy
Redis (Upstash) | Session management, caching | UK/EEA | Adequacy
Sentry | Error monitoring and debugging | US | SCCs / DPF

Safeguards key: SCCs = Standard Contractual Clauses; DPF = EU-US/UK Data Privacy Framework; Adequacy = UK adequacy decision.

An up-to-date list is also available at lokaly.co.uk/subprocessors.

7. International Data Transfers

Some of our sub-processors are located in the United States. Where we transfer data outside the UK, we ensure appropriate safeguards are in place, including:

  • Transfers to countries with UK adequacy decisions
  • The EU-US and UK-US Data Privacy Framework (for certified US organisations)
  • UK International Data Transfer Addendum (IDTA) or Standard Contractual Clauses with the UK Addendum

You may request a copy of the relevant safeguards by contacting us.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are:

  • Customer accounts: For the duration of your account, plus 30 days after deletion request
  • Merchant accounts: For the duration of the account, plus 6 years for financial records
  • Loyalty activity: For the duration of your account or as required by the merchant
  • Inactive accounts: We may delete accounts inactive for 24 months after providing notice
  • Marketing preferences: Until you withdraw consent or unsubscribe
  • Support enquiries: 2 years from resolution
  • Security/audit logs: 12 months

When we delete your data, we use our anonymisation process (piiRedacted) to ensure personal data is irreversibly removed. We may retain anonymised or aggregated data indefinitely for analytics and research purposes.

9. Your Rights

Under the UK GDPR, you have the following rights:

  • Right to access: Request a copy of your personal data
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your data (subject to legal obligations)
  • Right to restrict processing: Request limitation of processing
  • Right to data portability: Receive your data in a portable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent at any time (where consent is the legal basis)
  • Rights related to automated decisions: Not be subject to decisions based solely on automated processing

To exercise your rights, please contact us at privacy@lokaly.co.uk. We will respond within one month. We may need to verify your identity before processing your request.

10. Cookies and Similar Technologies

We use cookies and similar technologies to enable essential functionality and improve your experience. For detailed information about the cookies we use, please see our Cookie Policy.

11. Children's Privacy

Our Services are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information.

12. Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include encryption, access controls, regular security assessments, and staff training.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our Platform or by sending you an email. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Eelavan Ltd (trading as Lokaly)
86-90 Paul Street
London, EC2A 4NE
United Kingdom

Email: privacy@lokaly.co.uk
Website: lokaly.co.uk

15. Information Commissioner's Office

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

Telephone: 0303 123 1113
Website: ico.org.uk
