UK General Data Protection Regulation (GDPR) and TrueLoyal - (Loyalty Platform)

GDPR Compliance Overview for Loyalty Programme Clients

This document sets out the measures implemented by TrueLoyal to support compliance with the UK data protection framework, including the UK GDPR (the retained version of Regulation (EU) 2016/679), the Data Protection Act 2018, and subsequent UK data reform legislation where applicable.

The UK GDPR governs the processing of personal data relating to individuals in the UK, as well as certain processing activities carried out by organisations outside the UK where UK individuals are targeted. TrueLoyal implements appropriate technical and organisational measures to ensure that personal data is handled lawfully, transparently, and securely under the oversight of the Information Commissioner's Office (ICO), the UK’s independent supervisory authority.

Roles and Responsibilities under GDPR

In UK regulatory terminology:

  • Data Controller: TrueLoyal clients (the brands) are the controllers. They determine what data is collected from their end-customers via their integrated tech stack to run their loyalty programs.
  • Data Processor: TrueLoyal acts as the processor. We process data only when explicitly instructed by the data controller to power loyalty features such as points calculation, tier management, and reward fulfillment.

How TrueLoyal Ensures Compliance

We have converted UK legal provisions into tangible platform actions to protect your data and that of your customers:

  • International Data Transfers (UK Extension to the DPF): TrueLoyal is self-certified under the UK Extension to the EU-US Data Privacy Framework. This "Data Bridge" serves as a valid Article 45 adequacy mechanism for transfers from the UK to our US-based servers. For transfers not covered by this framework, we utilize the UK International Data Transfer Agreement (IDTA) supported by a Transfer Risk Assessment (TRA) as required by the ICO following the Schrems II judgment.

  • Comprehensive Data Subject Rights: We provide tools to satisfy all UK GDPR rights, including the right to Access (DSAR), Rectification, Erasure (Right to be Forgotten), and Data Portability. We support automated redaction and access requests initiated via major integrations (Shopify, Salesforce, etc.) to ensure compliance across your entire stack.

  • Data Protection Lead: We have a dedicated Data Protection Lead to oversee our privacy program and act as a point of contact for the ICO. You can reach them at compliance@trueloyal.com.

  • Regulatory Accountability: We acknowledge the ICO as our supervisory authority. While we strive for seamless compliance, UK data subjects have the right to lodge a complaint directly with the Information Commissioner’s Office if they believe their data has been mishandled.

Categories of Personal Data Processed within the TrueLoyal Platform

Category 1: TrueLoyal Client Account Data

  • Examples: Brand admin email addresses and passwords used to access the TrueLoyal dashboard.
  • Compliance: Covered by TrueLoyal’s Privacy Policy agreed to upon sign-up.

Category 2: Product Usage Analytics (B2B)

  • Examples: Tracking how brand admins interact with the TrueLoyal dashboard via tools like Google Analytics.
  • Compliance: Used to improve the platform experience and covered by TrueLoyal’s Privacy Policy.

Category 3: End-Customer Loyalty Profile Data

  • Examples: Name, email address, phone number, and unique Member ID synced from your eCommerce (Shopify, BigCommerce), CRM (Salesforce, HubSpot), or ERP (NetSuite) database.
  • Compliance: This is core data required to run the program. Consent is typically obtained by the brand during the storefront account creation or program enrollment.

Category 4: Transactional & Activity Data

  • Examples: Order IDs, total spend, and items purchased (synced via API or webhooks), as well as current point balances and tier levels.
  • Compliance: This data is processed to calculate rewards. TrueLoyal maintains high security standards to ensure the integrity of these transactions.

Category 5: Integrated Third-Party Data

  • Examples: Loyalty data synced to your ESP (e.g., Klaviyo/Mailchimp) or CRM (e.g., HubSpot), such as "Points to Next Tier" or "Referral Link."
  • Compliance: Our DPA ensures that the transfer and storage of this data across your tech stack meet GDPR requirements.

Recommended Website Disclosures

Note: We recommend reviewing these with your legal team.

Privacy Policy:

Add the following verbiage or something similar to clearly indicate to your users that you are using TrueLoyal as a data processor for your loyalty program and passing information to TrueLoyal. We recommend adding this verbiage in the section “Will my personal information be shared?” or “Do you plan to share my personal information?”

"Use of TrueLoyal Services: We use third-party services such as TrueLoyal to offer a loyalty rewards program and other services to you on our website. In particular, we provide a limited amount of your information (such as sign-up date and some personal information like your email address, name, phone number, social profiles and purchase data) to TrueLoyal and utilize TrueLoyal to show the rewards program and social components when you visit our website or use our product. As a data processor acting on our behalf, TrueLoyal processes your information to display the rewards program data such as points earned, points redeemed, tiers, eligible rewards etc. We may also use TrueLoyal to send you messages regarding the rewards program. For more information on the privacy practices of TrueLoyal, please visit TrueLoyal’s Privacy Policy. If you would like to opt out of having this information collected by or submitted to TrueLoyal, please contact us."

Terms of Service:

Add the following verbiage to your Terms of Service to let your users know that when they log in or register on your website, they will receive the rewards program as an integral part of your site’s offering. This will eliminate the need to have a separate opt-in for the rewards program. It will also let the users know that the rewards program is powered by TrueLoyal. When the users explicitly accept your terms of service, they also agree to the terms of the Rewards program, because that program is an integral part of your site. The understanding is that every user, whether already registered or newly registered, will be sent the updated Terms of Service.

"Inclusion in the Rewards Program: Our Rewards program is an integral part of our Site’s offering. By creating an account or signing in, you agree to be included in the Rewards Program to receive rewards for activities you do on our site and agree to the Rewards Program Terms (add a hyperlink to your Rewards Program Terms). We use third-party services such as TrueLoyal to power this rewards program. For more information on the privacy practices of TrueLoyal, please visit TrueLoyal’s Privacy Policy. You may opt-out of the rewards program at any time by visiting your rewards program dashboard or by contacting us."

Questions? Reach out to us at compliance@trueloyal.com; we are happy to discuss how our loyalty platform helps you stay compliant across all your sales channels.
