Privacy Policy

Last updated: 28 March 2026

1. Introduction

Loyalti Sdn Bhd (“Loyalti”, “we”, “us”, or “our”) is a Malaysian company that operates the Loyalti platform — a digital loyalty programme management service connecting businesses (“Vendors”) with their end customers (“Customers”) through points, rewards, and WhatsApp messaging.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with your use of our website at loyalti.my, our mobile-optimised web application, and any related services (collectively, the “Platform”).

We are committed to protecting your personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia and all applicable subsidiary legislation. By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

We collect the following categories of personal data:

Personal Identification Data

Full name, email address, mobile phone number, and — for Vendors — business registration details and billing information. This data is collected at account registration.

Transaction Data

Points earned and redeemed, reward redemption history, purchase records, stamp card completions, and any other transactional activity conducted through the Platform. For Vendors, this includes subscription billing history and invoice records.

Usage Data

Device type, operating system, browser type, IP address, pages visited within the Platform, session duration, click-through patterns, and referring URLs. This data is collected automatically when you access the Platform.

Communications Data

WhatsApp message logs (metadata only, not message content), email correspondence with our support team, and notification preferences.

We collect personal data directly from you (when you register or contact us), automatically (through cookies and usage tracking), and from third parties such as Supabase (authentication), Stripe (payment processing), and WhatsApp Business API (messaging).

3. How We Use Your Data

We use the personal data we collect for the following purposes:

  • Providing the Platform: Creating and managing your account, processing loyalty transactions, and delivering core Platform functionality.
  • Processing Transactions: Handling subscription payments, issuing invoices, and managing billing cycles through our payment processors.
  • Sending Notifications: Delivering points confirmations, reward alerts, promotional messages (with your consent), and transactional WhatsApp messages on behalf of Vendors you have opted into.
  • Customer Support: Responding to enquiries, resolving disputes, and providing technical assistance.
  • Improving the Platform: Analysing usage patterns, conducting internal research, fixing bugs, and developing new features.
  • Legal Compliance: Meeting our obligations under Malaysian law, including the PDPA, the Companies Act 2016, and applicable tax legislation.
  • Security & Fraud Prevention: Detecting and preventing unauthorised access, fraudulent activity, and misuse of the Platform.

We will not use your personal data for purposes incompatible with those described above without first obtaining your explicit consent.

5. Data Sharing

We do not sell your personal data. We may share it in the following circumstances:

Service Providers

We engage trusted third-party processors to help operate the Platform. These include Supabase (database hosting and authentication), Stripe (payment processing), and the WhatsApp Business API (messaging infrastructure). Each processor is bound by a data processing agreement and may only process data on our documented instructions.

Vendors

Each Vendor on the Platform can access only the data of their own Customers — the individuals who have enrolled in that Vendor's loyalty programme. Vendors do not have access to data belonging to Customers of other Vendors, and may not use Customer data for any purpose unrelated to their loyalty programme.

Legal Requirements

We may disclose personal data to government authorities, law enforcement, or regulators where required or permitted by Malaysian law, including pursuant to a court order, subpoena, or regulatory investigation.

Business Transfers

In the event of a merger, acquisition, or sale of substantially all of our assets, personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Platform before any such transfer and any change in privacy terms.

6. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

  • Active accounts: Personal data is retained for the duration of the account relationship.
  • Deleted accounts: Following account deletion, personal data is purged from our live systems within 90 days. Certain anonymised or aggregated data may be retained for analytical purposes.
  • Transaction records: Financial transaction records are retained for 7 years from the date of the transaction, in accordance with Malaysian tax law (Income Tax Act 1967 and the requirements of the Inland Revenue Board of Malaysia).
  • Backup data: Data in backup systems may persist for up to 30 additional days after deletion from live systems, after which it is permanently destroyed.

7. Your Rights Under PDPA

Under the Personal Data Protection Act 2010 (Malaysia), you have the following rights in relation to your personal data:

  • Right of Access: You may request a copy of the personal data we hold about you.
  • Right of Correction: You may request that inaccurate or incomplete personal data be corrected.
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
  • Right to Limit Processing: In certain circumstances, you may request that we limit the processing of your personal data.
  • Right to Request Deletion: Subject to our legal retention obligations (see Section 6), you may request that your personal data be deleted.

To exercise any of these rights, please email our Data Protection Officer at privacy@loyalti.my. We will respond within 21 days of receiving your request, as required by the PDPA. We may require you to verify your identity before processing your request.

8. Cookies

We use cookies and similar tracking technologies to operate the Platform, remember your preferences, and analyse usage. Essential cookies are required for core functionality such as authentication. Analytics cookies are optional and can be disabled.

For detailed information on the specific cookies we use, their purpose, and how to manage them, please see our Cookie Policy.

9. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, alteration, or destruction:

  • Encryption at rest: All data stored in our databases is encrypted using AES-256 encryption.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
  • Access controls: Access to personal data is limited to authorised personnel on a strict need-to-know basis. All staff with data access undergo background checks and sign confidentiality agreements.
  • Regular security audits: We conduct annual security assessments and penetration testing on critical systems.
  • Breach response: In the event of a data breach, we will notify affected individuals and the relevant Malaysian authorities within 72 hours of becoming aware of the breach, where required by applicable law.

No method of electronic storage or transmission is 100% secure. While we take our security obligations seriously, we cannot guarantee absolute security.

10. Children's Privacy

The Platform is not intended for, and we do not knowingly collect personal data from, individuals under the age of 18. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at privacy@loyalti.my and we will take steps to delete the data promptly.

11. International Data Transfers

Loyalti primarily stores and processes data within the Southeast Asia region — specifically on infrastructure hosted in Singapore and Malaysia. Our primary cloud infrastructure provider hosts data in Singapore, which is geographically proximate to Malaysia and subject to robust data protection legislation.

Where data is transferred outside Malaysia — for example, when using third-party service providers with infrastructure in other jurisdictions — we ensure that appropriate contractual safeguards are in place, including data processing agreements that require the recipient to provide a level of protection comparable to that under the PDPA 2010.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. The date of the most recent revision is indicated at the top of this page.

For material changes, we will provide at least 30 days' notice by sending a notification to your registered email address and/or via a WhatsApp message if you have opted in to Platform notifications. Your continued use of the Platform after the effective date of the updated policy constitutes your acceptance of the changes.

13. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact our Data Protection Officer:

Data Protection Officer

Loyalti Sdn Bhd

Email: privacy@loyalti.my

Address: Kuala Lumpur, Malaysia

We aim to respond to all privacy-related enquiries within 21 calendar days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Jabatan Perlindungan Data Peribadi (Department of Personal Data Protection, Malaysia).