Privacy Policy

Joy Loyalty Pte. Ltd. ("Joy," "we," "us," or "our") is committed to protecting your privacy and handling your personal information with transparency and care. This Privacy Policy explains how we collect, use, share, and protect personal information in connection with our loyalty program platform and related services.

1. SCOPE AND APPLICATION

1.1 What This Policy Covers

This Privacy Policy applies to personal information we collect through:

  • Our Shopify loyalty program application ("Joy Loyalty App")
  • Our websites, including joy.so and related domains
  • Customer support interactions and communications
  • Direct use of our loyalty platform and services

1.2 Our Role in Data Processing

Joy operates in different capacities depending on your relationship with us:

  • As a Data Processor/Service Provider: When merchants use our platform, we process their customers' data on their behalf according to the merchant's instructions
  • As a Data Controller/Business: When you interact directly with us (as a merchant, website visitor, or job applicant), we determine how your personal information is processed

1.3 What This Policy Does Not Cover

  • Merchant Privacy Practices: Each merchant using our platform has their own privacy policy governing their customer relationships
  • Third-Party Services: External websites, applications, or services linked from our platform
  • Anonymized Data: Information that has been de-identified and cannot reasonably be linked back to an individual

2. INFORMATION WE COLLECT

2.1 Customer Data (When Acting as Processor)

When merchants use our platform, we may process the following categories of their customers' personal information:

  • Identity Information: Names, usernames, customer IDs
  • Contact Information: Email addresses, phone numbers, mailing addresses
  • Transaction Data: Purchase history, order details, payment information
  • Loyalty Program Data: Points balances, reward redemptions, program participation
  • Behavioral Data: Website interactions, app usage, preference settings

2.2 Merchant and User Data (When Acting as Controller)

When you interact directly with Joy, we may collect:

  • Account Information: Email addresses, passwords (encrypted), profile details
  • Business Information: Company name, industry, contact details, team member information
  • Platform Usage Data: Login records, feature usage, performance metrics
  • Support Communications: Messages, chat logs, support tickets
  • Marketing Data: Newsletter subscriptions, event participation, communication preferences

2.3 Website Visitor Data

When you visit our websites, we automatically collect:

  • Technical Information: IP addresses, browser type, device information, operating system
  • Usage Information: Pages visited, time spent, click patterns, referral sources
  • Location Data: General geographic location based on IP address
  • Cookie Data: As described in our Cookie Notice below

2.4 Employment-Related Data

For job applicants and employees:

  • Application Information: Resumes, cover letters, interview notes, references
  • Employment Records: Personnel files, performance evaluations, compensation details
  • Background Information: As permitted by applicable law and with appropriate consent

3. HOW WE USE PERSONAL INFORMATION

3.1 Service Delivery and Platform Operations

  • Providing and maintaining our loyalty platform services
  • Processing transactions and managing loyalty program operations
  • Authenticating users and maintaining account security
  • Providing customer support and technical assistance
  • Monitoring platform performance and troubleshooting issues

3.2 Business Operations and Improvement

  • Analyzing usage patterns to improve our services
  • Developing new features and functionality
  • Conducting research and analytics
  • Managing merchant relationships and onboarding
  • Processing payments and managing billing

3.3 Communications

  • Sending transactional emails and service notifications
  • Providing customer support responses
  • Delivering marketing communications (with appropriate consent)
  • Sharing platform updates and important announcements

3.4 Legal and Compliance

  • Complying with applicable laws and regulations
  • Responding to legal requests and court orders
  • Protecting against fraud, abuse, and security threats
  • Enforcing our terms of service and other agreements

We process personal information based on the following legal grounds:

  • Contract Performance: To fulfill our obligations under agreements with merchants and users
  • Legitimate Interests: To operate our business, improve our services, and protect our systems
  • Legal Compliance: To comply with applicable laws and regulations
  • Consent: Where required by law or for specific purposes like marketing communications
  • Vital Interests: To protect the safety and well-being of individuals

5. INFORMATION SHARING AND DISCLOSURE

5.1 We Do Not Sell Personal Information

Joy does not sell personal information as defined by applicable privacy laws, including the California Consumer Privacy Act (CCPA).

5.2 Service Providers and Sub-Processors

We share personal information with trusted service providers who assist in our operations:

Service Provider Purpose Location Safeguards
Google Cloud Platform Cloud infrastructure and data storage United States Data Processing Agreement, security measures
Crisp Customer support chat European Union GDPR compliance, data protection obligations
Mailgun Email delivery services United States Data Processing Agreement, security protocols
Customer.io Email automation and marketing United States Data Processing Agreement, consent management
PostHog Analytics and performance monitoring United States Data Processing Agreement, privacy controls

All service providers are contractually required to protect personal information and use it only for specified purposes.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of the transaction, subject to appropriate protections.

5.4 Legal Requirements

We may disclose personal information when required by law, legal process, or to:

  • Comply with court orders, subpoenas, or regulatory requests
  • Protect our rights, property, or safety, or that of others
  • Investigate or prevent fraud, security breaches, or illegal activities
  • Enforce our terms of service or other agreements

5.5 Merchant Data Sharing

When acting as a processor, we may share customer data with merchants as necessary to provide our services, always in accordance with merchant instructions and applicable data protection agreements.

6. INTERNATIONAL DATA TRANSFERS

6.1 Cross-Border Processing

Personal information may be transferred to and processed in countries other than your country of residence, including the United States and other jurisdictions where our service providers operate.

6.2 Transfer Safeguards

For transfers of personal information subject to European data protection laws, we rely on:

  • Adequacy Decisions: Recognized by the European Commission or UK authorities
  • Standard Contractual Clauses: EU-approved transfer mechanisms
  • Additional Safeguards: Supplementary measures to ensure adequate protection

7. DATA RETENTION

7.1 Retention Principles

We retain personal information only for as long as necessary to:

  • Fulfill the purposes for which it was collected
  • Comply with legal obligations and resolve disputes
  • Maintain business records as required by law
  • Provide ongoing services to merchants and users

7.2 Specific Retention Periods

  • Customer Data (as Processor): Retained according to merchant instructions and legal requirements
  • Merchant Account Data: Retained for the duration of the business relationship plus 7 years
  • Website Analytics: Typically retained for 26 months
  • Support Communications: Retained for 3 years after resolution
  • Marketing Data: Retained until consent is withdrawn or 3 years of inactivity

7.3 Secure Deletion

When personal information is no longer needed, we securely delete or anonymize it using industry-standard methods.

8. DATA SECURITY

8.1 Technical Safeguards

  • Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication
  • Infrastructure Security: Secure cloud hosting with Google Cloud Platform
  • Network Security: Firewalls, intrusion detection, and monitoring systems

8.2 Organizational Safeguards

  • Employee Training: Regular privacy and security awareness training
  • Access Limitation: Personal information access limited to authorized personnel
  • Incident Response: Established procedures for security breach response
  • Vendor Management: Due diligence and contractual protections for service providers

8.3 Security Limitations

While we implement robust security measures, no system is completely secure. Users should protect their account credentials and report suspected security issues promptly.

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 Types of Cookies We Use

  • Essential Cookies: Required for platform functionality and security
  • Analytics Cookies: Help us understand usage patterns and improve our services
  • Marketing Cookies: Used for advertising and measuring campaign effectiveness (with consent)
  • Preference Cookies: Remember your settings and customizations

9.2 Cookie Management

You can control cookies through your browser settings. However, disabling essential cookies may affect platform functionality.

9.3 Other Tracking Technologies

  • Web Beacons: Used in emails to track delivery and engagement
  • Log Files: Automatically collected server logs for security and performance
  • Local Storage: Browser-based storage for user preferences and session data

9.4 Do Not Track

Our platform does not currently respond to Do Not Track browser signals, as there is no universal standard for how to interpret such signals.

10. YOUR PRIVACY RIGHTS

10.1 Rights Under European Law (GDPR/UK GDPR)

If you are in the European Economic Area or United Kingdom, you have the right to:

  • Access: Request a copy of your personal information
  • Rectification: Correct inaccurate or incomplete information
  • Erasure: Request deletion of your personal information
  • Restriction: Limit how we process your information
  • Portability: Receive your information in a portable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: For processing based on consent

10.2 Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know: What personal information we collect, use, and share
  • Delete: Request deletion of your personal information
  • Correct: Request correction of inaccurate information
  • Opt-Out: Opt-out of the sale or sharing of personal information
  • Non-Discrimination: Equal service regardless of privacy choices
  • Limit Sensitive Information: Restrict use of sensitive personal information

10.3 Rights Under Other Laws

We respect privacy rights under other applicable laws and will respond to valid requests according to legal requirements.

10.4 Exercising Your Rights

To exercise your privacy rights:

  • Email: [email protected]
  • Include: Your name, contact information, and specific request
  • Verification: We may request additional information to verify your identity

10.5 Response Timeline

We will respond to privacy requests within the timeframes required by applicable law, typically within 30 days.

10.6 Authorized Agents

You may designate an authorized agent to make privacy requests on your behalf. The agent must provide written authorization and you may need to verify your identity directly with us.

11. MARKETING COMMUNICATIONS

11.1 Types of Communications

  • Transactional Emails: Account notifications, security alerts, service updates
  • Marketing Emails: Product announcements, newsletters, promotional offers
  • In-App Notifications: Platform updates and feature announcements

11.2 Consent and Opt-Out

  • Marketing communications require opt-in consent
  • You can unsubscribe using links in emails or by contacting us
  • Transactional communications cannot be disabled but are limited to essential information

12. CHILDREN'S PRIVACY

12.1 Age Restrictions

Our services are not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16 without verifiable parental consent.

12.2 Parental Rights

If you believe we have collected information from a child under 16, please contact us immediately at [email protected] so we can delete such information.

13. PRIVACY POLICY UPDATES

13.1 Policy Changes

We may update this Privacy Policy periodically to reflect changes in our practices, services, or applicable laws.

13.2 Notification of Changes

  • Material Changes: We will provide prominent notice and may seek additional consent
  • Minor Updates: Posted on our website with an updated "Last Modified" date
  • Communication: Important changes may be communicated via email or in-app notifications

13.3 Continued Use

Your continued use of our services after policy updates constitutes acceptance of the revised terms.

14. CONTACT INFORMATION

14.1 Privacy Team

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices:

Joy Loyalty Privacy Team
Email: [email protected]
Website: https://joy.so/privacy

14.2 Data Protection Officer

If required by applicable law, you may contact our Data Protection Officer at the same email address.

14.3 Supervisory Authorities

You have the right to lodge complaints with relevant data protection authorities in your jurisdiction.

15. JURISDICTION-SPECIFIC INFORMATION

15.1 European Economic Area and United Kingdom

For individuals in the EEA and UK, Joy Loyalty Pte. Ltd. is the data controller for direct interactions. Our representative for GDPR matters can be contacted at [email protected].

15.2 California

This Privacy Policy includes additional information required under California privacy laws. California residents have specific rights as outlined in Section 10.2 above.

15.3 Other Jurisdictions

We comply with applicable privacy laws in all jurisdictions where we operate and will provide additional information as required by local regulations.

Effective Date: This Privacy Policy is effective as of the date listed above.
Website: The current version is always available at https://joy.so/privacy

By using Joy's services, you acknowledge that you have read and understood this Privacy Polic