GDPR Compliance

Last updated: March 2026

Our Commitment

LoyalMT is committed to complying with the General Data Protection Regulation (GDPR). As a platform based in Malta and operating within the European Union, we take data protection seriously and have built our platform with privacy by design.

Roles & Responsibilities

Businesses (Data Controllers): When you use LoyalMT to manage your loyalty program, you are the data controller for your customers’ personal data. You decide what data to collect, how to use it, and are responsible for having a lawful basis for processing.

LoyalMT (Data Processor): We act as a data processor on your behalf. We process personal data only as instructed by you and in accordance with our Privacy Policy and these GDPR commitments.

Lawful Basis for Processing

We process personal data under the following lawful bases:

  • Contract: To provide the Service you have signed up for
  • Legitimate interest: To improve the Service, prevent fraud, and ensure security
  • Consent: Where explicitly given (e.g. marketing communications)
  • Legal obligation: To comply with applicable laws and regulations

Data Subject Rights

Under GDPR, individuals (data subjects) have the following rights. Businesses that hold an account with us can exercise them directly for their own account data. End-customers of a business should direct requests to that business, which is the data controller for their data; where such a request reaches us, we pass it on to the relevant business and assist it as its processor.

  • Right of access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data (“right to be forgotten”)
  • Right to restrict processing: Limit how your data is used
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal

To exercise any of these rights, email us at privacy@loyalmt.com. We will respond without undue delay and in any event within one month, as Article 12 requires.

Data Processing Agreement

Businesses on paid plans can request a Data Processing Agreement (DPA) that outlines the terms under which we process personal data on their behalf. Contact us at legal@loyalmt.com to request a DPA.

Data Storage & Transfers

All data is stored on secure servers within the European Union. We use Supabase (EU region) for our database and Vercel for hosting. Where any sub-processor is located outside the EU, appropriate safeguards (such as Standard Contractual Clauses) are in place.

Security Measures

We implement the following measures to protect personal data:

  • Encryption of data in transit (TLS) and at rest
  • Row-level security (RLS) policies in our database, so that each business can only read and write its own rows
  • Secure authentication with email verification
  • Regular security reviews and updates
  • Access controls limiting employee access to personal data

Breach Notification

In the event of a personal data breach, we will notify affected data controllers without undue delay, and in any case within 72 hours of becoming aware of the breach, so that each controller can meet its own obligation under GDPR Article 33 to notify its supervisory authority within 72 hours. We will provide details of the breach, its likely consequences, and the measures taken to address it.

Sub-Processors

We use the following sub-processors:

  • Supabase — Database and authentication (EU)
  • Vercel — Application hosting
  • Stripe — Payment processing (PCI DSS compliant)

We will notify you before adding or changing sub-processors.

Contact

For any GDPR-related questions or requests, contact our data protection team at privacy@loyalmt.com.