Privacy Policy
At Lekki Rewards, we are committed to protecting your privacy and processing your personal data in a transparent, secure, and lawful manner.
This Privacy Policy explains how Lekki Rewards processes personal data when you use the Lekki mobile app, Lekki for Business app, the Lekki Rewards Portal, and related services. It describes what personal data we collect, how we use it, on which legal bases we rely, with whom we share it, how long we retain it, and what rights you have.
If you would like more detailed information, the legal sections following this summary provide a complete explanation of our privacy practices.
What information do we collect?
👤 Account Information
Name
Email address
Login credentials
🎁 Loyalty Programme Information
Loyalty programme memberships
Loyalty cards
Points, stamps, rewards and benefits
Loyalty transaction history
Reward redemption history
📱 Technical Information
Device information
App version
Browser information
Error logs
Security logs
📍 Location Information
- Location data when permission is granted
💬 Support Information
Messages sent to our support team
Customer support records
Why do we use your information?
We use your information to:
✅ Create and manage your account
✅ Provide loyalty programme services
✅ Track rewards, points and benefits
✅ Connect you with participating Merchants
✅ Improve and secure the Platform
✅ Provide customer support
✅ Prevent fraud and abuse
✅ Comply with legal obligations
Do we sell your personal data?
No. Lekki Rewards does not sell, rent, trade, or otherwise commercially exploit your personal data.
Who receives your information?
Your information may be shared with:
🏪 Participating Merchants
🌥Trusted technology providers
⚖Public authorities where required by law
🔒 Security and fraud prevention service providers
We only share information where there is a valid legal basis and appropriate safeguards are in place.
Your Privacy Rights
You have the right to:
🔍 Access your personal data
🔧 Correct inaccurate information
🗑️ Request deletion of your personal data
📦 Receive a copy of your data
🚫 Object to certain processing activities
🔒 Restrict processing in certain circumstances
📋 Withdraw consent where processing relies on consent
🇳🇱 Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
HOW LEKKI WORKS
🏪 You join loyalty programmes offered by participating businesses.
🎁 You collect rewards, points, discounts, and benefits.
📱 Lekki keeps all your loyalty information organised in one place.
⭐ You track your progress and redeem rewards whenever you choose.
🤝 Participating Merchants provide and fulfil the rewards available through their loyalty programmes.
🔒 We protect your personal information and only process it for legitimate business, security, operational, and legal purposes.
⚖️ You remain in control of your personal data and can exercise your privacy rights at any time.
WHO IS RESPONSIBLE FOR YOUR DATA?
The Lekki Rewards Platform operates through a loyalty ecosystem involving both Lekki Rewards and participating Merchants.
Depending on the activity being performed, personal data may be processed by Lekki Rewards, by a participating Merchant, or jointly by both parties.
KEY TERMS
| Term | Meaning |
| Consumer | A person using the Lekki Rewards Platform. |
| Merchant | A business offering loyalty programmes through Lekki Rewards. |
| Loyalty Programme | A rewards programme operated by a Merchant. |
| Personal Data | Information that identifies or can reasonably be linked to an individual. |
| Platform | The Lekki Rewards mobile application, merchant portal, and website. |
- DATA CONTROLLER
Depending on the processing activity, Lekki Rewards and participating Merchants may act as separate controllers, joint controllers, or as controller and processor.
Data Controllers
Lekki Rewards is a trade name of Kalantrix, vennootschap onder firma (VoF) Responsibilities: Platform account management, authentication, platform-wide analytics, system infrastructure - Contact: support@lekki-rewards.com - KvK-nummer: 42034702 - Address: Roy Eldridgepad 27, 3543 GZ, Utrecht, The Netherlands
Participating Merchants - Responsibilities: Customer loyalty data, transaction history, marketing communications, reward fulfillment - Contact: Each merchant’s designated contact (available in app)
Joint Controllership
Lekki Rewards and participating Merchants may act as Joint Controllers pursuant to Article 26 GDPR for certain processing activities relating to the operation of loyalty programmes through the Platform.
Joint controllership is limited to activities necessary for the administration of loyalty programmes, including consumer loyalty programme enrolment, loyalty account administration, reward allocation, reward redemption, maintenance of loyalty transaction records, and communications necessary for participation in a loyalty programme.
For other processing activities, including platform infrastructure, authentication, platform security, analytics, service improvement, employee account management, customer service, and independent marketing activities, the relevant Party acts as an independent Controller or Processor, as applicable.
Data subjects may exercise their GDPR rights with either Party.
The allocation of responsibilities between Lekki Rewards and participating Merchants is governed by a separate Joint Controllership Agreement entered into pursuant to Article 26 GDPR.
- Privacy Contact
For privacy-related questions, GDPR rights requests, or complaints about the processing of your personal data, please contact us at support@lekki-rewards.com.
Email: support@lekki-rewards.com
Role: Privacy contact point for data subjects and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
This contact point also serves as the privacy contact channel for data subjects and, where applicable, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
PERSONAL DATA WE COLLECT
Information You Provide Directly
We collect personal data that you provide to us directly.
Consumer Accounts (Lekki mobile app): - Account information: Name, email address (from Google/Apple Sign-In) - Profile data: Optional demographic information from OAuth providers - Communication data: Messages to customer support - Preferences: App settings and privacy preferences.
Merchant Accounts (Lekki Rewards Portal): - Business information: Business name, KVK number, address, contact details - Account credentials: Email, password (hashed) - Payment information: Billing details for invoice delivery (name, business address, email) - Staff information: Employee names, emails, roles, permissions.
Employee Accounts (Lekki for Business / Lekki Rewards Portal): - Employee accounts are created and managed by the Merchant, not by Lekki Rewards - Account information: Name, email address, assigned role - The Merchant is responsible for informing employees about data processing and obtaining any necessary authorisations under employment law - Lekki Rewards processes employee data as a processor on behalf of the Merchant for the purpose of providing platform access.
Some information is necessary to create or manage an account or to use core platform functions. Other information may be optional.
- Information We Collect Automatically
When you use the Platform, we automatically collect device information (type, OS, app version), usage data (features used, session duration), technical data (error logs, performance metrics, crash reports), and loyalty activity (stamps issued, points earned, rewards redeemed, timestamps).
Purchase amounts associated with loyalty transactions may be recorded by the participating Merchant and processed within the Platform only where necessary for loyalty programme administration, reward calculation, fraud prevention, or transaction integrity. Fraud prevention, abuse detection, and platform security activities are carried out independently by Lekki Rewards and do not form part of the Joint Controllers described in Section 1.2.
With your permission, the Lekki mobile app uses your device’s location while the App is in use (“foreground” location) to discover nearby participating merchants and to sort cards in your wallet by proximity. Location data is processed in real time and is not stored as a continuous tracking history. We do not run background location monitoring or geo-fencing services.
- Information from Third Parties
We may receive limited personal data from third parties in connection with your use of the Platform, including:
OAuth Providers: Basic profile information from Google/Apple Sign-In
Merchant Partners: Loyalty program participation and transaction data
Payment Processors: Payment confirmation and billing status
Analytics Services: Aggregated usage statistics (when consented)
Universal Card Wallet Data
The Lekki mobile app lets you scan and store loyalty card barcodes from any retailer, not only Lekki merchants. For third-party cards we collect the barcode value and format (common formats including QR Code, EAN-13, Code 128 and others), card metadata you enter or that we auto-suggest (merchant name, category), and usage indicators (last used date, usage count).
Barcode scanning uses your device camera, and optionally your photo gallery if you scan from an existing photo. Images are processed on-device using Google ML Kit; image files are not uploaded to our servers.
Third-party card data is stored in your Lekki account (Firebase) to enable cross-device sync. We do not share this data with the third-party retailers whose cards you store, and we have no relationship with those retailers.
- Anonymous Account Data
The Lekki mobile app allows anonymous usage without creating a full account. During anonymous sessions a temporary identifier is created via Firebase Authentication; we collect limited usage data (features used, session data) but no name or email.
If you later create a full account, data associated with that temporary identifier may, where technically supported, be linked to your registered account in order to maintain continuity of service.
Anonymous accounts are temporary in nature. If an anonymous account is not upgraded to a registered account within 30 days, the account and associated data may be scheduled for deletion in accordance with our retention policies.
HOW WE USE YOUR INFORMATION
- Primary Purposes (Legal Basis: Contract Performance)
We use personal data to provide and operate the Platform.
For Consumers: - Service delivery: Provide loyalty program functionality and rewards tracking - Account management: Create and maintain user accounts - Merchant matching: Connect with participating loyalty programs - Customer support: Respond to inquiries and provide assistance.
For Merchants: - Subscription management: Process payments and manage subscriptions - Loyalty program tools: Provide program creation and management features - Analytics: Generate customer insights and business reports - Staff management: Manage employee access and permissions
- Secondary Purposes (Legal Basis: Legitimate Interest)
We may also use personal data for the following purposes, where appropriate:
service improvement and product development;
security, fraud prevention, and abuse detection;
technical operations and platform maintenance; and
compliance with applicable legal and regulatory requirements.
- Marketing Purposes
Where we have a valid legal basis and, where required, your prior consent, we may use personal data for marketing-related purposes, including:
sending newsletters and promotional communications;
personalising promotional content within the Platform; and
displaying offers or promotions from participating Merchants.
Displaying Merchant promotions within the Platform does not mean that your personal data is shared with a Merchant for that Merchant’s own direct marketing, unless this has been clearly disclosed to you and supported by a valid legal basis.
Where applicable law requires separate consent for communications by email, SMS, telephone, WhatsApp, or similar channels, we will request and manage that consent separately and provide an easy opt-out.
GDPR Legal Bases for Processing
Depending on the processing activity, we rely on one or more of the following legal bases:
performance of a contract, where processing is necessary to provide the requested Platform service;
legal obligation, where processing is necessary to comply with accounting, tax, or other legal requirements;
legitimate interests, where processing is necessary for security, fraud prevention, service improvement, operational management, or anonymous access functionality, provided those interests are not overridden by your rights and freedoms; and
consent, where required, including for certain analytics, location access, and marketing activities.
This includes, among other things:
| Personal Data Processed | Purpose of Processing | Legal Basis |
|---|---|---|
| Name, email address, account credentials, authentication identifiers | Account registration, authentication, and account management | Performance of a contract — Art. 6(1)(b) GDPR |
| Consumer profile information, loyalty account ID, loyalty balances, reward history, transaction timestamps | Loyalty programme participation, reward allocation, redemption, and account administration | Performance of a contract — Art. 6(1)(b) GDPR |
| Login activity, IP address, device information, authentication logs | Platform security, access control, fraud prevention, and account protection | Legitimate interest — Art. 6(1)(f) GDPR |
| Usage statistics, platform interactions, feature usage data, performance metrics | Service improvement, platform optimisation, analytics, and troubleshooting | Legitimate interest / Consent where required — Art. 6(1)(f) / 6(1)(a) GDPR |
| Financial records, invoices, transaction records, legal correspondence | Compliance with legal, regulatory, accounting, and tax obligations | Legal obligation — Art. 6(1)(c) GDPR |
| Email address, marketing preferences, communication history | Marketing communications, newsletters, and promotional messages | Consent — Art. 6(1)(a) GDPR |
| Location data while the App is in use | Display nearby merchants and proximity-based features | Consent — Art. 6(1)(a) GDPR |
| Barcode value, loyalty card metadata, wallet information | Universal Card Wallet functionality and cross-device synchronisation | Performance of a contract — Art. 6(1)(b) GDPR |
| Anonymous session identifiers and limited usage data | Anonymous access functionality and platform operation | Legitimate interest — Art. 6(1)(f) GDPR |
- INFORMATION SHARING AND DISCLOSURE
We share personal data only where this is necessary for the purposes described in this Privacy Policy, where you request or authorise such sharing, or where we are legally required to do so.
This may include sharing with:
participating Merchants, where necessary for Loyalty Programme enrolment, account administration, reward allocation, reward redemption, transaction integrity, and related programme communications;
third-party services that you explicitly authorise or connect to the Platform;
other users or services, where you choose to share achievements or rewards; and
competent authorities or other parties where disclosure is required by law, valid legal process, or necessary to protect rights, property, or safety.
- Service Providers
Where service providers process personal data on our behalf, we enter into data processing arrangements where required by applicable law.
Service providers used in connection with the Platform include:
Firebase / Google Cloud (EU region europe-west1, Netherlands): Authentication, Firestore database, Cloud Storage for files, Cloud Functions, analytics (Firebase Analytics → GA4, consent-gated), and crash reporting via Firebase Crashlytics on the mobile apps.
Sentry: Error and performance monitoring for the Lekki Rewards Portal (web) only. Error reports may incidentally contain device identifiers, browser metadata, and the user identifier of the affected session. Sentry is not used in the Lekki mobile app or Lekki for Business app, where Firebase Crashlytics handles crash reporting instead.
Google Maps Platform: Address autocomplete and geocoding within the Lekki Rewards Portal during merchant onboarding.
Primary personal data storage takes place in the EU. Certain authorised sub-processors of these providers may process data in other regions under appropriate safeguards.
- Merchant invoicing and Consumer Payments
At present, Lekki Rewards uses an external payment-processing provider for merchant subscriptions. If this changes further, we will update this Privacy Policy and ensure that appropriate data processing arrangements are in place before integration.
The Lekki mobile app is free for consumers. Lekki Rewards does not process payments from consumers.
Legal Requirements
Law Enforcement: When required by valid legal process
Safety Protection: To protect rights, property, or safety of users
Regulatory Compliance: To meet legal obligations in applicable jurisdictions.
Data Sharing and Use of Platform Information
We do not sell, rent, or trade your personal information to third parties
Data sharing is limited to purposes described in this policy
You can control data sharing preferences in privacy settings
We may use aggregated and anonymised platform usage information for service improvement, operational analytics, security monitoring, performance optimisation, and internal business intelligence purposes. Such information does not directly identify individual users or merchants.
- DATA RETENTION AND DELETION
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy. Different retention periods may apply depending on the type of data and the context in which it is processed.
- Consumer Data (Lekki Mobile App Users)
Personal data is retained while your account is active. When you delete your account, identifying data is removed from active systems within 30 days. Loyalty transaction records linked to a specific merchant are handled in accordance with that merchant’s own retention obligations.
Where loyalty transaction records are subject to the Joint Controllership described in Section 1.2, the respective responsibilities of Lekki Rewards and the participating Merchant may continue after termination of the merchant relationship for as long as such records are retained in accordance with applicable law, contractual obligations, fraud prevention requirements, dispute resolution needs, or legitimate business purposes.
5.2 Other Retention Rules
Certain categories of data may be retained for specific compliance and operational purposes, including:
anonymised data, which may be retained for analytics purposes;
consent records, which may be retained while the consent remains active and for a reasonable audit period thereafter;
security and audit logs, retained for periods consistent with security and legal requirements; and
backup data, retained in accordance with our backup lifecycle or as required by law.
Where data is subject to a statutory retention obligation or legal hold, that obligation overrides normal deletion periods.
- Your Right to Deletion
You may request deletion of your account through the app or portal settings or by contacting support@lekki-rewards.com .
After verification, we will delete or de-identify personal data that is no longer necessary, unless we must retain certain data to comply with legal obligations, resolve disputes, prevent fraud, or establish, exercise, or defend legal claims.
If we cannot fully delete certain data immediately, we will inform you of the relevant reason and, where possible, the applicable retention period.
- YOUR RIGHTS AND CONTROLS
Subject to applicable law, you have the following rights in relation to your personal data.
| Your Right | What It Means |
| Access and Portability | You may request access to your personal data and, where applicable, receive a copy in a structured, commonly used, and machine-readable format. |
| Rectification | You may update certain account information directly in the app or portal. If personal data is inaccurate or incomplete, you may request correction. Where profile data is sourced from a sign-in provider, updates may synchronise automatically, subject to available settings and manual correction options. |
| Erasure | Request deletion of personal data |
| Restriction | Where we rely on consent, you may withdraw that consent at any time through the relevant settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. |
| Objection | You may object to processing based on our legitimate interests and request restriction of processing in the situations provided by applicable law. You may also opt out of promotional communications at any time. Where appropriate, we may limit certain account functions while a restriction request is being assessed or implemented. |
| Complaint to the Supervisory Authority | You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Website: https://autoriteitpersoonsgegevens.nl |
- DATA SECURITY AND PROTECTION
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, and disclosure.
Users are responsible for maintaining the confidentiality of their account credentials and for promptly notifying Lekki Rewards of any suspected unauthorised access or other security incident affecting their account.
Technical Safeguards
Our technical safeguards may include:
encryption in transit and at rest where appropriate;
access controls and audit trails;
secure cloud infrastructure;
logging and monitoring; and
periodic security assessments and vulnerability testing.
Organisational Measures
Our organisational measures may include:
privacy-by-design processes;
employee confidentiality, privacy, and security training;
incident response procedures; and
vendor selection and monitoring procedures
Personal Data Breach Response
In the event of a personal data breach, we will assess the incident and take appropriate containment and remediation measures.
Where required by applicable law, we will notify the competent supervisory authority and affected individuals, particularly where the breach is likely to result in a high risk to their rights and freedoms.
- INTERNATIONAL DATA TRANSFERS
Where personal data is processed outside the European Economic Area by our service providers or their authorised sub-processors, such transfers are protected through adequacy decisions, Standard Contractual Clauses approved by the European Commission, or other legally recognised safeguards
Transfer Safeguards
Where relevant, transfers outside the EEA may rely on:
adequacy decisions for countries recognised as providing an adequate level of protection;
Standard Contractual Clauses approved by the European Commission; or
other recognised transfer safeguards.
Data Locations
Primary storage for Platform data is located in the EU, including Firebase Europe-West1 in the Netherlands.
Backup storage may also be located in the EU. However, certain service providers or authorised sub-processors may access or process personal data from other countries in connection with support, infrastructure, or related services, subject to appropriate safeguards.
If you would like more information about relevant processing locations, you may contact us.
- CHILDREN'S PRIVACY
The Lekki mobile app and Lekki Rewards platform are intended for use by individuals 16 years or older, consistent with GDPR Article 8 as implemented in the Netherlands.
We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will delete that data without undue delay.
If you are a parent or legal guardian and believe that a child under 16 has provided personal data to us, please contact support@lekki-rewards.com.
We do not send marketing communications to users we identify as minors.
COOKIES AND TRACKING TECHNOLOGIES
- Web Cookies
The Lekki Rewards Portal uses cookies and similar technologies for:
authentication and session management;
preferences and settings;
analytics, where consent is required and has been given; and
marketing-related purposes, where applicable and only on an opt-in basis.
For more information about cookie categories, retention periods, and opt-out mechanisms, please see our separate Cookie & Tracking Policy.
- Mobile App Tracking Technologies
The Lekki mobile app and Lekki for Business app may use device-based technologies and SDKs for:
app preferences and cached data stored on-device;
analytics for app improvement, where consent is required and has been given;
crash diagnostics through Firebase Crashlytics;
on-device barcode scanning through ML Kit; and
push notification delivery through device notification tokens.
Non-essential tracking technologies are activated only after consent where required.
- Your Choices
You can manage tracking and cookie preferences through the relevant browser, device, or in-app privacy settings, depending on the service you use.
Where available, we provide separate controls for:
essential technologies;
analytics technologies; and
marketing-related technologies.
You may also opt out of analytics and advertising-related tracking where such controls are offered.
CHANGES TO THIS PRIVACY POLICY
- Change Notification
We may update this Privacy Policy from time to time to reflect changes in our services, processing activities, or legal obligations.
- Your Options
Where changes are material, we may provide notice through:
in-app notifications;
the portal;
email; or
another appropriate channel.
Previous versions may be retained for reference. Where required by law or appropriate in light of the impact of the change, we may provide advance notice.
- CONTACT US
For all privacy inquiries, GDPR rights requests, and complaints, contact us at support@lekki-rewards.com. We respond to general inquiries within 72 hours and to GDPR rights requests within 30 days as required by law.
Postal Address:
Lekki Rewards is a trade name of Kalantrix, vennootschap onder firma (VoF)
KvK-nummer: 42034702
BTW-nummer: NL869406607B01
Roy Eldridgepad 27, 3543 GZ, Utrecht, The Netherlands
By using the Lekki Rewards Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
This agreement is drawn up in Dutch and English. If there are any differences between the two versions, the Dutch version takes precedence.