In this article, we will cover:
- GDPR Compliance Overview for Loyalty Programme Clients
- Roles and Responsibilities under GDPR
- How TrueLoyal Ensures Compliance
- Categories of Personal Data Processed within the TrueLoyal Platform
- Recommended Website Disclosures
GDPR Compliance Overview for Loyalty Programme Clients
This document sets out the measures implemented by TrueLoyal to ensure compliance with the EU’s General Data Protection Regulation (GDPR) and describes how personal data is processed across the organisation’s enterprise systems.
TrueLoyal integrates with a wide range of enterprise technologies, including eCommerce platforms such as Shopify, enterprise resource planning (ERP) systems such as NetSuite, customer relationship management (CRM) systems such as Salesforce, and customer support platforms such as Zendesk, among others.
The GDPR establishes stringent requirements governing the collection, use, and protection of personal data relating to individuals within the European Union. TrueLoyal has implemented appropriate technical and organisational measures to meet these requirements, ensuring that personal data is handled in a lawful, transparent, and secure manner.
Roles and Responsibilities under GDPR
In GDPR terminology:
Data Controller: TrueLoyal clients (the brands) are the controllers. They determine what data is collected from their end-customers via their integrated tech stack to run their loyalty programs.
Data Processor: TrueLoyal acts as the processor. We process data only when explicitly instructed by the data controller to power loyalty features such as points calculation, tier management, and reward fulfillment.
How TrueLoyal Ensures Compliance
We have converted legal provisions into tangible platform actions to protect your data and that of your customers:
Standard Contractual Clauses (SCCs): To satisfy the Schrems II judgment, all EU clients are covered by a Data Processing Addendum (DPA) that includes the SCCs approved by the European Commission on June 4, 2021. This ensures legal data transfers from the EU to our US-based servers.
Data Portability & Erasure: We have built features that allow you to easily export granular subsets of data linked to an individual or permanently delete a user's data to satisfy "Right to be Forgotten" requests.
Seamless Integration Compliance: Whether data is flowing from Shopify, NetSuite, or Salesforce, TrueLoyal supports automated data handling. We support automated redaction requests initiated within major eCommerce and CRM platforms to ensure data privacy parity across your entire stack.
Dedicated Data Protection Officer (DPO): We have a dedicated DPO to oversee and advise on our data management. You can get in touch by emailing compliance@TrueLoyal.com.
Categories of Personal Data Processed within the TrueLoyal Platform
Category 1: TrueLoyal Client Account Data
- Examples: Brand admin email addresses and passwords used to access the TrueLoyal dashboard.
- Compliance: Covered by TrueLoyal’s Privacy Policy agreed to upon sign-up.
Category 2: Product Usage Analytics (B2B)
- Examples: Tracking how brand admins interact with the TrueLoyal dashboard via tools like Google Analytics.
- Compliance: Used to improve the platform experience and covered by TrueLoyal’s Privacy Policy.
Category 3: End-Customer Loyalty Profile Data
- Examples: Name, email address, phone number, and unique Member ID synced from your eCommerce (Shopify, BigCommerce), CRM (Salesforce, HubSpot), or ERP (NetSuite) database.
- Compliance: This is core data required to run the program. Consent is typically obtained by the brand during the storefront account creation or program enrollment.
Category 4: Transactional & Activity Data
- Examples: Order IDs, total spend, and items purchased (synced via API or webhooks), as well as current point balances and tier levels.
- Compliance: This data is processed to calculate rewards. TrueLoyal maintains high security standards to ensure the integrity of these transactions.
Category 5: Integrated Third-Party Data
- Examples: Loyalty data synced to your ESP (e.g., Klaviyo/Mailchimp) or CRM (e.g., HubSpot), such as "Points to Next Tier" or "Referral Link."
- Compliance: Our DPA ensures that the transfer and storage of this data across your tech stack meet GDPR requirements.
Recommended Website Disclosures
Note: We recommend reviewing these with your legal team.
Privacy Policy:
Add the following verbiage or something similar to clearly indicate to your users that you are using TrueLoyal as a data processor for your loyalty program and passing information to TrueLoyal. We recommend adding this verbiage in the section “Will my personal information be shared?” or “Do you plan to share my personal information?”
"Use of TrueLoyal Services: We use third-party services such as TrueLoyal to offer a loyalty rewards program and other services to you on our website. In particular, we provide a limited amount of your information (such as sign-up date and some personal information like your email address, name, phone number, social profiles and purchase data) to TrueLoyal and utilize TrueLoyal to show the rewards program and social components when you visit our website or use our product. As a data processor acting on our behalf, TrueLoyal processes your information to display the rewards program data such as points earned, points redeemed, tiers, eligible rewards etc. We may also use TrueLoyal to send you messages regarding the rewards program. For more information on the privacy practices of TrueLoyal, please visit TrueLoyal’s Privacy Policy. If you would like to opt out of having this information collected by or submitted to TrueLoyal, please contact us."
Terms of Service:
Add the following verbiage to your Terms of Service to let your users know that when they log in or register on your website, they will receive the rewards program as an integral part of your site’s offering. This eliminates the need for a separate opt-in for the rewards program. It also lets users know that the rewards program is powered by TrueLoyal. When users explicitly accept your Terms of Service, they also agree to the terms of the Rewards Program, because that program is an integral part of your site. The expectation is that every user, whether already registered or newly registering, will be sent the updated Terms of Service.
"Inclusion in the Rewards Program: Our Rewards program is an integral part of our Site’s offering. By creating an account or signing in, you agree to be included in the Rewards Program to receive rewards for activities you do on our site and agree to the Rewards Program Terms (add a hyperlink to your Rewards Program Terms). We use third-party services such as TrueLoyal to power this rewards program. For more information on the privacy practices of TrueLoyal, please visit TrueLoyal’s Privacy Policy. You may opt-out of the rewards program at any time by visiting your rewards program dashboard or by contacting us."
Questions? Reach out to us at compliance@trueloyal.com; we are happy to discuss how our loyalty platform helps you stay compliant across all your sales channels.