Privacy Policy

Effective Date: 16 November 2024
LoyaltyRepeat, part of RISPER Outbound, located in Enschede and registered with the Dutch Chamber of Commerce under number 88191834, is committed to protecting your privacy. This policy outlines how we collect, use, store, and secure personal data in the context of our loyalty programs for business clients (B2B), such as those in the wellness and sports sectors.

1. Scope

This privacy policy applies to all personal data collected and processed by LoyaltyRepeat (hereinafter “LoyaltyRepeat,” “we,” “us,” or “our”) in connection with the loyalty services we provide to business clients.

Our services are strictly B2B, meaning we offer our platforms and applications to companies that provide loyalty benefits, engagement tools, and survey rewards to their end users.

2. Roles and Responsibilities

2.1 Controller and Processor

Controller: Our business clients act as the data controllers for the personal data of their end users. They determine the purpose and means of the data processing.

Processor: LoyaltyRepeat functions as the data processor for the end-user personal data processed through our services. We process this data strictly according to the instructions of our clients and do not use it for our own purposes.

2.2 Contact Information

For questions about the processing of your personal data by the service provider using the LoyaltyRepeat platform, please contact the privacy officer of that organization.

For inquiries directed to LoyaltyRepeat, you can contact us via:

Email: <...>

Address: <...>

3. What Personal Data Do We Process?

3.1 Business Client Data

We process the following categories of personal data from our business clients:

Identification and contact information: Contact person’s name, company name, job title, address, phone number, email address.

Account data: Credentials for access to the LoyaltyRepeat Dashboard, profile information (such as preferences and settings).

Financial data: Bank account number, invoicing information, payment data.

Communication data: Correspondence with LoyaltyRepeat, including emails and support requests.

3.2 End-User Data

On behalf of our clients, we process the following categories of end-user data:

Identification and contact information: First and last name, phone number, email address.

Loyalty and engagement data: Participation in loyalty programs, submission of reviews and feedback, participation in social media actions (such as likes or shares).

Technical data: IP address, browser information, device data, log files, and usage statistics.

4. Purposes and Legal Grounds for Processing

4.1 Processing Business Client Data

We process personal data of business clients for the following purposes:

Contract execution: Delivering our services, including facilitating loyalty programs, managing reviews, and tracking social media engagement.

Communication and support: Maintaining contact with clients and providing technical support.

Billing and administration: Processing payments and maintaining financial records.
Legal Grounds: Necessary for the performance of a contract (Article 6(1)(b) GDPR)Our legitimate interest in effective communication and support (Article 6(1)(f) GDPR)

4.2 Processing End-User Data

As a processor, we process end-user personal data solely based on our clients’ instructions for the following purposes:

Loyalty programs: Managing end-user participation in loyalty programs.

Reviews and feedback: Collecting reviews and feedback on behalf of our clients.

Social media engagement: Facilitating social media actions, such as likes and shares.

Legal Grounds: Consent from the end user (Article 6(1)(a) GDPR)Performance of a contract (Article 6(1)(b) GDPR)

5. Data Processing Agreement

We enter into a data processing agreement with all our business clients, outlining terms regarding data processing, security measures, and responsibilities in accordance with the GDPR. LoyaltyRepeat processes data strictly according to client instructions and does not use this data for its own purposes.

6. Personal Data Security

We implement technical and organizational measures to protect personal data against loss, misuse, unauthorized access, disclosure, and alteration, including:

Access control: Only authorized personnel have access to data.

Encryption: Data is encrypted where necessary during transmission and storage.

Network security: Our networks are secured with firewalls and protected servers.

Monitoring and logging: Systems are actively monitored for unauthorized access, and log files are managed.

Regular audits and updates: We perform periodic security audits and software updates.

7. Data Retention Periods

We retain personal data no longer than necessary to deliver our services and meet legal obligations, as follows:

Business client data: Up to two years after the end of the agreement, unless a longer retention period is required by law.

End-user loyalty and engagement data: Up to two years after the last point of contact, unless a longer retention period is required by law.

Financial data: Seven years in accordance with tax retention obligations.

8. Sharing Personal Data with Third Parties

8.1 Sub-processors

We engage third parties as sub-processors to support our services, such as:

Hosting and cloud providers: For data storage and management.Payment providers: For processing payments.

Analytics and marketing services: For analyzing user behavior and executing marketing activities.

We enter into data processing agreements with all sub-processors to ensure compliance with our privacy and security standards.

8.2 Legal Obligations

We may disclose personal data to public authorities if legally required or as part of legal proceedings.

9. International Data Transfers

Data is processed within the European Economic Area (EEA). If data is transferred outside the EEA, we and our sub-processors ensure appropriate safeguards are in place, such as:

Adequacy decisions: Transfers to countries deemed adequate by the European Commission.Standard Contractual Clauses: Use of EU-approved model contracts.

10. Data Subject Rights

Business clients (our contractual parties) have the following rights regarding their personal data:

Right of access: To view the data we process.Right to rectification: To correct inaccurate data.Right to erasure: To have personal data deleted when no legal retention obligation applies.Right to restriction of processing: To limit data processing.Right to data portability: To receive data in a structured, machine-readable format.Right to object: To object to processing based on legitimate interest.Right to withdraw consent: To withdraw consent where it is the legal basis for processing.

To exercise these rights, you may contact us using the details in section 2.2.

11. Cookies and Similar Technologies

Our platforms use cookies and similar technologies to enhance functionality and optimize the user experience, such as:

Functional cookies: Necessary for the operation of the service (e.g., login functionality).Analytical cookies: Collect usage statistics to understand behavior and improve services.

12. Changes to This Privacy Policy

This policy may be updated to reflect changes in our services or legal obligations. The most recent version is available on our website. In the event of significant changes, we will notify our clients so they can inform their end users.

13. Questions and Contact

For questions or comments regarding this policy, you can contact us via:
Email: <...>

Address: <...>

14. Complaints

If you believe we are processing your data incorrectly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

Website: www.autoriteitpersoonsgegevens.nl

Phone: <...>