Legal

Privacy Policy

Effective date: June 4, 2025
Last updated: June 4, 2025
Summary: Orbit Loyalty collects your name, email, and purchase data to run your loyalty memberships. We do not sell your data. You can delete your account at any time from your dashboard.

1. Overview

Orbit Loyalty ("we", "us", or "our") operates the Orbit Loyalty platform, a multi-tenant loyalty and rewards management system available at orbitloyalty.app and related applications (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use the Service as a customer, merchant (store owner), or staff member.

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please discontinue use of the Service.

2. Data We Collect

We collect the following categories of personal data:

2.1 Customer Accounts

  • Full name: Provided at registration. Displayed on your loyalty card and in the merchant dashboard.
  • Email address: Your login identifier. Used to match your account to purchases made online.
  • Phone number: Optional. Used by store staff to look up your account at the point of sale.
  • Date of birth: Optional. Used for birthday promotions and age verification.
  • Points & stamps: Earned through purchases. Stored to track your loyalty progress.
  • Transaction history: A record of every earn and redeem event across all stores you belong to.
  • Wallet card identifiers: Google Wallet Object ID and Apple Wallet pass serial number, used to update your digital loyalty cards.

2.2 Merchant Accounts (Store Owners & Staff)

  • Full name & email: Account registration and billing communications.
  • Business name & logo: Displayed on your public store page and customer loyalty cards.
  • Branch locations: Address and coordinates entered manually, shown on your store's public location map.
  • Subscription plan: The billing tier you are on (Free, Starter, Pro, or Enterprise).
  • API keys & webhooks: Hashed keys generated for POS integrations. Webhook secrets stored to verify signatures.

2.3 Data We Do NOT Collect

  • Payment card numbers or bank details
  • Passwords in plaintext (all passwords are hashed using PBKDF2-SHA256)
  • Device identifiers, browser fingerprints, or advertising IDs
  • Precise real-time GPS location
  • Biometric data

3. How We Use Your Data

  • Account management: To create and authenticate your account, verify identity, and communicate important service updates.
  • Loyalty programme operation: To calculate points and stamps earned on purchases, track balances, and process reward redemptions.
  • Digital wallet cards: To issue and update loyalty cards in Google Wallet and Apple Wallet when your balance changes.
  • In-app notifications: To send you platform announcements, promotional offers from stores you have joined, and system alerts.
  • Merchant dashboard: To allow store owners and staff to view their own members' names, emails, points balances, and transaction records.
  • Customer support: To investigate and resolve support tickets submitted through the platform.
  • Platform security: To detect abuse, enforce rate limits, and protect against fraudulent use of earn codes and API keys.

We do not sell, rent, or trade your personal data to third parties for advertising or marketing purposes.

4. Third-Party Services

We share limited data with the following third-party services to operate the platform:

Google Wallet API

Data shared: Store name, your name, loyalty points balance, and tier.

Purpose: To issue and update digital loyalty cards on Android devices.

Apple Wallet (PassKit)

Data shared: Store name, your name, points/stamps balance.

Purpose: To generate signed .pkpass files for iOS devices.

Shopify / WooCommerce / Salla / Square

Data shared: We receive the customer's email address and purchase total from these platforms via webhook when a merchant has connected their store.

Purpose: To automatically award loyalty points on completed purchases.

5. Data Storage & Security

All data is stored in a PostgreSQL database hosted on secure servers. Media files (logos, images) are stored in S3-compatible object storage.

Password hashing

PBKDF2 with SHA-256. Plaintext passwords are never stored.

API key hashing

SHA-256 hash only. Plaintext is displayed once at creation and never stored.

Earn codes

Stored as SHA-256 hashes. The raw code is shown once and then discarded.

Transport encryption

HTTPS enforced on all endpoints.

Authentication tokens

JWT tokens expire after 8 hours. Refresh tokens allow re-authentication.

Data isolation

Each merchant only has access to their own members and transactions. Cross-tenant access is blocked at the query level.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service.

  • Customer accounts: Retained until you delete your account. Deleting your account permanently removes your profile, memberships, points, and transaction history.
  • Merchant accounts: Retained while your subscription is active. Data may be retained for up to 90 days after account closure for billing dispute resolution.
  • Support tickets: Retained for 2 years for record-keeping purposes.
  • Transaction logs: Retained indefinitely while your account is active for loyalty tracking accuracy.

7. Your Rights

Depending on your country of residence, you may have the following rights regarding your personal data:

  • Access: View all data we hold about you via your dashboard, or by contacting us.
  • Rectification: Update your name, phone number, and date of birth directly from Account Settings.
  • Erasure: Delete your account and all associated data from Settings, Danger Zone. Deletion is immediate and permanent.
  • Portability: Request an export of your transaction history by contacting support.
  • Objection: You may opt out of marketing notifications from within the platform.
  • Restriction: Contact us to request that we restrict processing of your data in specific circumstances.

To exercise any of these rights, use the self-service tools in your dashboard or contact us at the address below. We will respond within 30 days.

8. Cookies

We use a minimal set of cookies necessary for the platform to function:

Cookie | Type | Purpose
panel_token | Session (httpOnly) | Authenticates store owners and admin users in the management panels.
panel_token_client | Session | Non-httpOnly mirror of the panel token for client-side auth state detection.
access / refresh | localStorage | JWT tokens stored in browser localStorage for the customer-facing app.

We do not use advertising cookies, tracking pixels, or third-party analytics scripts (such as Google Analytics or Meta Pixel).

9. Children

The Orbit Loyalty Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us immediately and we will delete that information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will notify you via in-app notification or email. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us: