General Data Protection Regulation - GDPR
The General Data Protection Regulation (GDPR) provides consistent standards across the EU to protect the rights of individuals in the EU regarding how their personal data is used. It went into effect on May 25, 2018, and applies to any company that processes the personal data of individuals in the EU, regardless of where the company is located.
At Joy Loyalty, we are committed to privacy, transparency, and security. We support both our compliance and yours, acting as a Data Processor for end-user data on behalf of our customers (who act as Controllers). We have taken steps to help you meet your GDPR obligations while protecting your users’ personal data.
GDPR Basics
Replacing the prior EU privacy directive 95/46/EC, the GDPR modernized and strengthened privacy rights in an increasingly digital world. It applies to all organizations processing personal data of EU individuals, whether or not those organizations are based in the EU.
Some core principles include:
- Lawful, fair, and transparent processing
- Purpose limitation and data minimization
- Storage limitation, integrity and confidentiality
- Data subject rights: access, correction, erasure, restriction, objection, and portability
We recommend reviewing the full regulation and consulting with legal counsel for implementation details.
What Has Joy Loyalty Done to Prepare for the GDPR?
As a Joy Loyalty customer, you are a Data Controller under GDPR. Joy Loyalty operates as your Data Processor. Additionally, we act as a Data Controller in relation to the data we collect about you as a customer.
Here’s what we’ve done:
Legal Updates
- We revised our Data Processing Addendum (DPA) to clarify our commitments
- We updated our Privacy Policy and Terms of Service to include GDPR-aligned provisions
- We reviewed and signed appropriate DPA contracts with each of our Sub-processors
Security and Data Management
- Role-based access control and secure authentication
- HTTPS/TLS for data in transit, encryption at rest
- Security policies and logging
- Breach response procedures
- Data minimization and audit trails
Support for Your Compliance
- Honor Shopify’s mandatory GDPR webhooks
- Export tools for user data (portability and access requests)
- Deletion logic to permanently remove customer data on request or uninstallation
- Planned improvements: Trust Center and DSAR automation
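One way an app can honor the mandatory Shopify compliance webhooks named above, as an added example that is not Joy Loyalty's code: verify the `X-Shopify-Hmac-Sha256` header (base64 HMAC-SHA256 over the raw request body, keyed with the app's client secret) in constant time before touching the payload, answer 401 on failure, and only then dispatch on the topic (`customers/data_request`, `customers/redact`, `shop/redact`). The app secret, the shop domain, the customer record and the in-memory `store` are constructed stand-ins for the real configuration and database.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical app secret; a real app loads this from configuration, never from source.
APP_SECRET = b"shpss_example_secret"

# The three compliance topics Shopify requires every public app to handle.
COMPLIANCE_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def compute_hmac(body: bytes, secret: bytes = APP_SECRET) -> str:
    """Base64-encoded HMAC-SHA256 of the raw body, the format Shopify puts in the header."""
    digest = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_hmac(body: bytes, header_value: str, secret: bytes = APP_SECRET) -> bool:
    """Constant-time comparison against the X-Shopify-Hmac-Sha256 header."""
    return hmac.compare_digest(compute_hmac(body, secret), header_value or "")


def handle_compliance_webhook(headers: dict, body: bytes, store: dict,
                              secret: bytes = APP_SECRET) -> tuple[int, str]:
    """Return (http_status, message). `store` stands in for the app database:
    {shop_domain: {customer_id: record}}."""
    topic = headers.get("X-Shopify-Topic", "")
    if topic not in COMPLIANCE_TOPICS:
        return 404, "not a compliance topic"
    # Verify before parsing: an unauthenticated caller must not be able to
    # trigger a data export or a deletion.
    if not verify_hmac(body, headers.get("X-Shopify-Hmac-Sha256", ""), secret):
        return 401, "invalid hmac"  # Shopify expects 401 on a bad signature
    payload = json.loads(body)
    shop = payload["shop_domain"]
    if topic == "customers/data_request":
        cid = payload["customer"]["id"]
        record = store.get(shop, {}).get(cid)
        # In production the export is delivered to the merchant, not returned inline.
        return 200, json.dumps({"customer_id": cid, "data": record})
    if topic == "customers/redact":
        cid = payload["customer"]["id"]
        store.get(shop, {}).pop(cid, None)
        return 200, "customer data erased"
    # shop/redact arrives 48 hours after uninstall: drop everything for that shop.
    store.pop(shop, None)
    return 200, "shop data erased"


def signed_request(topic: str, payload: dict, secret: bytes = APP_SECRET) -> tuple[dict, bytes]:
    """Build headers and body signed the way Shopify signs them (constructed input)."""
    body = json.dumps(payload).encode()
    headers = {"X-Shopify-Topic": topic, "X-Shopify-Hmac-Sha256": compute_hmac(body, secret)}
    return headers, body


def run_demo() -> dict:
    """Exercise all three topics plus a tampered body against a constructed store."""
    shop = "example.myshopify.com"
    store = {shop: {123: {"email": "a@example.com", "points": 400}}}
    customer = {"id": 123, "email": "a@example.com", "phone": None}
    results = {}

    h, b = signed_request("customers/data_request",
                          {"shop_id": 1, "shop_domain": shop, "customer": customer,
                           "orders_requested": [], "data_request": {"id": 9999}})
    results["data_request"] = handle_compliance_webhook(h, b, store)[0]

    # Attacker replays a valid signature over a modified body: must be rejected.
    h, b = signed_request("customers/redact",
                          {"shop_id": 1, "shop_domain": shop, "customer": customer,
                           "orders_to_redact": []})
    results["tampered"] = handle_compliance_webhook(h, b.replace(b"123", b"999"), store)[0]
    results["still_present"] = 123 in store[shop]

    results["redact"] = handle_compliance_webhook(h, b, store)[0]
    results["after_redact"] = 123 in store[shop]

    h, b = signed_request("shop/redact", {"shop_id": 1, "shop_domain": shop})
    results["shop_redact"] = handle_compliance_webhook(h, b, store)[0]
    results["shop_gone"] = shop in store
    return results


if __name__ == "__main__":
    print(run_demo())
```

The HMAC is computed over the raw bytes exactly as received; re-serialising a parsed JSON object before verifying is a common bug that makes every legitimate webhook fail, and verifying after parsing lets an unauthenticated request reach the deletion path.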
Our Sub-processors
We use a number of third-party Sub-processors located in the United States to help us provide services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud | In-app database, data warehouse | US |
| Firebase | Realtime backend infrastructure | US |
| Mailgun | Transactional email delivery | US |
| Customer.io | Email marketing automation | US |
| Crisp | Chat and support communication | US |
| Posthog | In-app analytics and performance | US |
All sub-processors are bound by agreements that enforce GDPR-equivalent data protection safeguards.
Our View on GDPR
We believe GDPR is a step in the right direction. Fair, transparent use of personal data leads to better customer experiences, built on trust. Our mission is to help brands connect with their customers in a secure and respectful way.
For any questions about GDPR and our policies, feel free to email us at: [email protected]