Privacy Policy | Lekki Rewards

1. Introduction

This Privacy Policy describes how the Lekki Rewards Platform ("we," "our," or "us") collects, uses, and protects your personal information when you use our mobile applications and web portal.

We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) for European users and the Dutch GDPR Implementation Act.

Platform Components:

Lekki mobile app (iOS and Android): Digital loyalty card services, universal card wallet
Lekki for Business mobile app (iOS and Android): Point-of-sale loyalty management for merchant employees
Lekki Rewards Portal (web): Business dashboard and analytics for merchants

2. Data Controllers

2.1 Joint Data Controllers

The Lekki Rewards Platform operates under a dual data controller model:

Lekki Rewards is a trade name of Kalantrix, vennootschap onder firma (VoF) (Data Controller #1)

Responsibilities: Platform account management, authentication, platform-wide analytics, system infrastructure
Contact: support@lekki-rewards.com
KvK-nummer: 42034702
Address: Roy Eldridgepad 27, 3543 GZ, Utrecht, The Netherlands

Participating Merchants (Data Controller #2)

Responsibilities: Customer loyalty data, transaction history, marketing communications, reward fulfillment
Contact: Each merchant's designated contact (available in app)

2.2 Joint Controllership Arrangement

Lekki Rewards and Merchants jointly determine the purposes and means of processing personal data for loyalty programs
Each controller is responsible for GDPR compliance for their respective data processing activities
Data subjects can exercise their rights with either controller
This arrangement is documented in our Merchant Agreement

2.3 Privacy Contact

Lekki Rewards is not required to appoint a Data Protection Officer under GDPR Article 37. For all privacy-related inquiries, contact:

Email: support@lekki-rewards.com
Role: Privacy contact point for data subjects and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

3. Personal Data We Collect

3.1 Information You Provide Directly

Consumer Accounts (Lekki mobile app):

Account information: Name, email address (from Google/Apple Sign-In)
Profile data: Optional demographic information from OAuth providers
Communication data: Messages to customer support
Preferences: App settings and privacy preferences

Merchant Accounts (Lekki Rewards Portal):

Business information: Business name, KVK number, address, contact details
Account credentials: Email, password (hashed)
Payment information: Billing details for invoice delivery (name, business address, email)
Staff information: Employee names, emails, roles, permissions

Employee Accounts (Lekki for Business / Lekki Rewards Portal):

Employee accounts are created and managed by the Merchant, not by Lekki Rewards
Account information: Name, email address, assigned role
The Merchant is responsible for informing employees about data processing and obtaining any necessary authorisations under employment law
Lekki Rewards processes employee data as a processor on behalf of the Merchant for the purpose of providing platform access

3.2 Information We Collect Automatically

Device Information: Device type, operating system, app version
Usage Data: App features used, session duration, interaction patterns
Location Data: With your permission, we collect:
- Approximate location: For discovering nearby merchants (foreground only)
- Precise GPS location: For geo-fencing features that automatically surface relevant loyalty cards when near a store (requires separate background location permission on iOS and Android)
- Location data is not stored as a continuous tracking history; it is used in real-time and discarded
Technical Data: Error logs, performance metrics, crash reports
Transaction Data: Purchase amounts, timestamps, loyalty activity

3.3 Information from Third Parties

OAuth Providers: Basic profile information from Google/Apple Sign-In
Merchant Partners: Loyalty program participation and transaction data
Payment Processors: Payment confirmation and billing status
Analytics Services: Aggregated usage statistics (when consented)

3.4 Universal Card Wallet Data

The Lekki mobile app allows users to scan and store loyalty card barcodes from any retailer — not only Lekki merchants. For these third-party cards we collect:

Barcode data: The barcode value and format (e.g., QR Code, EAN-13, Code 128)
Card metadata: Merchant name (user-entered or auto-suggested), category, custom colour, notes
Usage data: Last used date, usage count
Camera access: Required to scan barcodes; images are processed on-device and not stored
Photo gallery access: If you choose to scan a barcode from an existing photo, the image is processed on-device only

Third-party card data is stored in your Lekki account (Firebase Cloud) to enable cross-device sync. Lekki Rewards does not share this data with the third-party retailers whose cards you store, and has no relationship with those retailers.

3.5 Anonymous Account Data

The Lekki mobile app allows anonymous usage without creating a full account. During anonymous sessions:

A temporary anonymous identifier is created via Firebase Authentication
Limited usage data is collected (app features used, session data)
No personal information (name, email) is collected
If you later create a full account, your anonymous activity (e.g., favourited merchants) is linked to your new account
The legal basis for anonymous session data is legitimate interest (service delivery)

4. How We Use Your Information

4.1 Primary Purposes (Legal Basis: Contract Performance)

For Consumers:

Service delivery: Provide loyalty program functionality and rewards tracking
Account management: Create and maintain user accounts
Merchant matching: Connect with participating loyalty programs
Customer support: Respond to inquiries and provide assistance

For Merchants:

Subscription management: Process payments and manage subscriptions
Loyalty program tools: Provide program creation and management features
Analytics: Generate customer insights and business reports
Staff management: Manage employee access and permissions

4.2 Secondary Purposes (Legal Basis: Legitimate Interest)

Service Improvement: Analyze usage patterns to enhance functionality
Security: Detect and prevent fraud, abuse, and security threats
Business Operations: Maintain and optimize technical infrastructure
Legal Compliance: Meet regulatory requirements and legal obligations

Promotional Communications: Send newsletters and promotional offers (opt-in only)
Personalized Content: Customize app experience based on preferences
Partner Promotions: Share relevant offers from merchant partners (with consent)

Dutch Telecommunications Act Compliance:

Separate opt-in consent required for email, SMS, telephone, and WhatsApp marketing
Consent is distinct from GDPR consent and managed separately
Easy opt-out available in all marketing communications

Merchant Partners: Share necessary data for loyalty program participation
Third-Party Services: When you explicitly authorize integrations
Social Sharing: When you choose to share achievements or rewards

5.2 For Business Operations

Service Providers (Data Processors):

We have Data Processing Agreements (GDPR Art 28) in place with each of the following processors:

Firebase / Google Cloud (EU region europe-west1): Authentication, database, file storage, analytics, cloud functions
Moneybird: Invoice generation and delivery for merchant subscriptions

All primary data storage occurs in the EU (Firebase europe-west1, Netherlands). Sub-processors may process data in other locations under Standard Contractual Clauses or adequacy decisions.

Business Transfers:

In case of merger, acquisition, or asset sale, with advance notice

5.3 Legal Requirements

Law Enforcement: When required by valid legal process
Safety Protection: To protect rights, property, or safety of users
Regulatory Compliance: To meet legal obligations in applicable jurisdictions

5.4 We Do NOT Sell Personal Data

We do not sell, rent, or trade your personal information to third parties
Data sharing is limited to purposes described in this policy
You can control data sharing preferences in privacy settings

6. Data Retention and Deletion

6.1 Retention Periods

Active Accounts: Data retained while account remains active
Inactive Accounts: Data reviewed and potentially deleted after 24 months of inactivity
Legal Requirements: Financial records retained for 7 years (Dutch tax law)
Anonymized Data: May be retained indefinitely for analytics purposes
Consent Records: Retained for 5 years (GDPR compliance)

6.2 Your Right to Deletion (GDPR Article 17)

Account Deletion: Complete account removal available in privacy settings
Personal Data: All identifying information permanently deleted within 30 days
Business Data: Transaction records anonymized (legal retention requirements)
Backup Systems: Complete removal from all systems within 90 days

6.3 Data Deletion Process

Immediate UI Removal: Your data disappears from the app immediately
System Cleanup: Backend systems purged within 30 days
Backup Removal: Complete removal from backup systems
Audit Trail: Deletion activities logged for compliance verification

7. Your Rights and Controls

7.1 Access and Portability (GDPR Articles 15 & 20)

Data Export: Download complete copy of your data in JSON format
Data Access: View all data we hold about you
Account Dashboard: Real-time access to your information
Processing History: See how your data has been used

Profile Updates: Modify account information at any time
Correction Requests: Contact us to fix inaccurate data
Automatic Sync: OAuth profile updates sync automatically
Manual Override: Override automatic data where applicable

Granular Controls: Separate consent for marketing, analytics, and sharing
Easy Withdrawal: Toggle consent on/off in privacy settings
Consent History: View when and how you provided consent
Processing Impact: Understand how consent changes affect your experience

Processing Objection: Object to data processing for legitimate interests
Marketing Opt-Out: Stop promotional communications at any time
Restriction Requests: Limit how we process your data
Account Suspension: Temporarily restrict data processing

7.5 Right to Lodge a Complaint

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

Website: https://autoriteitpersoonsgegevens.nl
Email: info@autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 8500

8. Data Security and Protection

8.1 Technical Safeguards

Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
Access Controls: Strict employee access limitations with audit trails
Infrastructure Security: Industry-standard cloud security (Google Cloud/Firebase)
Regular Audits: Periodic security assessments and vulnerability testing
Secure ID Generation: Cryptographically secure UUIDs for all document IDs

8.2 Organizational Measures

Privacy by Design: Privacy considerations built into all new features
Staff Training: Regular privacy and security training for employees
Incident Response: Defined procedures for data breach response
Third-Party Vetting: Careful selection and monitoring of service providers

8.3 Breach Notification

User Notification: You'll be informed of breaches affecting your data within 72 hours
Regulatory Reporting: Dutch DPA notified as required by law
Remediation: Immediate steps taken to address and prevent future breaches
Transparency: Public disclosure when legally required or in users' interest

9. International Data Transfers

9.1 Transfer Safeguards

Adequacy Decisions: Transfers to countries with adequate protection levels
Standard Contractual Clauses: EU-approved contracts for data protection
Certification Programs: Partners certified under recognized privacy frameworks
User Consent: Explicit consent for transfers where required

9.2 Data Locations

Primary Storage: EU region (Firebase Europe-West1, Netherlands)
Backup Locations: EU region (multi-region backup)
Processing Locations: Various locations for global service delivery
User Control: EU users can request data localization where technically feasible

10. Children's Privacy

10.1 Age Requirements

Minimum Age: Platform requires users to be 16 years or older
Age Verification: Users confirm age during account creation
Parental Consent: Users under 16 in EU need parental consent
Special Protections: Enhanced privacy protections for younger users

10.2 Child Data Handling

Limited Collection: Minimal data collection for users under 18
No Marketing: No promotional communications to minors
Parental Rights: Parents can request deletion of child's data
Educational Use: Age-appropriate privacy education provided

11. Cookies and Tracking Technologies

Lekki Rewards Portal (web):

Essential Cookies: Required for authentication and session management
Analytics Cookies: Usage tracking for app improvement (with consent)
Preference Cookies: Remember your settings and preferences
Marketing Cookies: Personalized content and advertising (opt-in only)

For full details on cookie categories, retention periods, and opt-out mechanisms, see our separate Cookie & Tracking Policy.

11.2 Mobile App Tracking Technologies

Lekki mobile app and Lekki for Business mobile app (iOS and Android):

Local Storage: App preferences and cached data (stored on-device)
Firebase Analytics SDK: Usage tracking for app improvement (with consent; not initialised until consent granted)
Crash Reporting: Error tracking for app stability (Firebase Crashlytics)
ML Kit: On-device barcode scanning; no data sent to external servers
Push Notification Tokens: Device tokens collected to deliver notifications; you can disable notifications in device settings

Mobile SDKs that collect usage data are treated equivalently to cookies under the ePrivacy Directive. Non-essential tracking is only activated after you grant consent.

11.3 Your Choices

Cookie Controls: Manage preferences in privacy settings
Browser Settings: Control cookies through device/browser settings
Third-Party Tracking: Opt out of analytics and advertising tracking
Granular Consent: Separate controls for essential, analytics, and marketing cookies

12. Updates to This Privacy Policy

12.1 Change Notification

App Notifications: In-app alerts for material changes
Email Updates: Notifications sent to registered email addresses
Version History: Previous versions available for reference
Advance Notice: 30-day notice period for significant changes

12.2 Your Options

Review Changes: Compare new and previous policy versions
Accept or Decline: Continue using platform to accept changes
Account Termination: Delete account if you disagree with changes
Data Export: Download your data before policy changes take effect

13. Contact Information

For all privacy inquiries, GDPR rights requests, and complaints, contact us at support@lekki-rewards.com. We respond to general inquiries within 72 hours and to GDPR rights requests within 30 days as required by law.

13.2 Postal Address

Lekki Rewards is a trade name of Kalantrix, vennootschap onder firma (VoF)
KvK-nummer: 42034702
BTW-nummer:
Roy Eldridgepad 27, 3543 GZ, Utrecht, The Netherlands

Appendix A: Legal Basis Summary

Purpose	Legal Basis	User Control
Account Management	Contract Performance	Account deletion
Loyalty Programs	Contract Performance	Program withdrawal
Customer Support	Contract Performance	Limit contact
Security & Fraud Prevention	Legitimate Interest	Object to processing
Service Improvement	Legitimate Interest	Opt out of analytics
Marketing Communications	Consent	Withdraw consent
Legal Compliance	Legal Obligation	Limited control

Appendix B: Data Controller Responsibilities

Data Type	Lekki Rewards Responsibility	Merchant Responsibility
Account Authentication	✅ Primary Controller	❌ No Access
Platform Analytics	✅ Primary Controller	❌ No Access
Loyalty Transaction Data	⚠️ Joint Controller	⚠️ Joint Controller
Customer Contact Info	⚠️ Joint Controller	⚠️ Joint Controller
Marketing Communications	❌ No Access	✅ Primary Controller
Reward Fulfillment	❌ No Access	✅ Primary Controller

By using the Lekki Rewards Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.