Legal

Privacy Policy

Effective: 3 March 2026  ·  Last updated: 16 June 2026

This Privacy Policy explains how Pointify collects, uses, stores, and protects your personal data. We operate under the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable privacy laws. By using Pointify, you confirm you have read and understood this policy.

Who We Are

Pointify (“we”, “us”, “our”) is a loyalty rewards platform that connects customers with partner businesses to earn and redeem points. We are based in Poland.

Customers (individuals earning points) may register from any country we support.

Partners (businesses) are currently accepted from the following countries only:

European Union: Austria, Belgium, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.

Other countries: Armenia, Azerbaijan, Belarus, Georgia, Turkey, Ukraine, United Kingdom, United States.

Data Controller: Pointify (pointify.org), based in Kraków, Poland.

Contact for privacy matters: support@pointify.org

Data Protection Officer: We have not designated a Data Protection Officer as we do not meet the mandatory thresholds under Art. 37 GDPR (we do not process special-category data at large scale as a core activity). All privacy enquiries are handled directly by our team at support@pointify.org.

Pointify has two categories of users, each with different data profiles:

  • Customer — individuals who register to earn and redeem loyalty points
  • Partner — businesses that register to offer points and rewards to customers

Personal Data We Collect

We collect only the data necessary to provide and improve our service.

Customer Data collected at registration and during use:

FieldPurpose
Full nameAccount identification and personalisation
Email addressAccount login, verification, and communications
Phone numberAccount security and optional notifications
Password (hashed)Account authentication — never stored in plain text
CountryService localisation and legal compliance
Approximate device location (latitude/longitude)Used — only with your permission — to show you nearby Partner businesses and the discounts and Benefits available around you. You must grant location access for this feature to work; if you do, your coordinates are processed only to return nearby results and are not stored in your account profile. Location is optional — you can decline or revoke this permission at any time in your device settings, and the rest of Pointify will still work.
Email verification status & timestampAccount security
Last login date & timeSecurity monitoring and fraud detection
Points balanceCore service functionality
Account statusService access management
Notification preferenceTo respect your communication preferences
Transaction and redemption historyAudit trail, fraud detection, and account history
Privacy and terms acceptance (version accepted & timestamp)GDPR compliance record-keeping

Partner Data collected at registration and during use:

FieldPurpose
Business nameBusiness profile and public listing on platform
Email addressAccount login, verification, and communications
Phone numberAccount management and support
Password (hashed)Account authentication — never stored in plain text
Country & business addressLocation display and legal compliance
Business categoryService categorisation (e.g. cafe, retail, fitness)
Business descriptionDisplayed on the Pointify platform
Logo / brand imageDisplayed on the Pointify platform
Account statusService access management
Last login date & timeSecurity monitoring and fraud detection
Notification preferenceTo respect your communication preferences
Geolocation coordinates (latitude/longitude)Provided during partner registration and confirmed at account approval; used to display the business location to customers
Benefits / offers listDisplayed to customers on the platform

What Partners see during a transaction:

When a Customer presents their in-app QR code to a Partner and the Partner scans it, the Partner’s app displays the Customer’s name, email address, current Points balance with that Partner, and any active Benefits the Customer has redeemed at that Partner and not yet used. After the Partner enters the transaction amount and completes the scan, the Partner additionally sees the Customer’s email, the Points earned on that transaction, and the Customer’s updated balance. The Customer’s phone number, password, country, and any data relating to other Partners are never shown to the Partner. Partners act as independent data controllers for the Customer information disclosed to them during a transaction and must use it solely to identify the Customer, fulfil Benefits, and meet their own legal obligations.

Technical data collected automatically from all users:

  • Server access logs (IP address and request timestamp) retained automatically by our hosting infrastructure for security and abuse-prevention purposes. IP addresses are also used transiently to enforce rate limits on authentication requests and are not linked to your account.
  • Crash and error diagnostics from the mobile app, processed by Sentry (see Section 4) to keep the app stable. These reports contain technical information such as the error details, device model, operating-system version, and app version. Sensitive fields are removed before transmission. We do not use any device fingerprinting, behavioural analytics, or cross-app advertising tracking.

How We Use Your Data

We use your data only for defined, lawful purposes. The table below shows each purpose and its legal basis under GDPR Article 6:

PurposeApplies toLegal Basis
Creating and managing your accountCustomers & PartnersContract performance
Tracking and processing loyalty pointsCustomersContract performance
Disclosing limited Customer details (name, email, balance, active Benefits) to a Partner at the point of QR scan to enable the transactionCustomersContract performance
Displaying partner profile to customersPartnersContract performance
Showing nearby Partner businesses, discounts, and Benefits based on your device locationCustomersConsent (granted through your device’s location permission; can be withdrawn at any time in your device settings)
Email verification and account securityCustomers & PartnersContract performance / Legitimate interest (we have assessed this legitimate interest and determined it does not override your rights and freedoms)
Sending transactional notifications (points earned, rewards, account alerts)Customers & PartnersContract performance
Sending marketing and promotional communicationsCustomers & PartnersConsent (opt-in only — can be withdrawn at any time via Consent Management in app settings or by emailing support@pointify.org). You may also lodge a complaint about our use of your data with a supervisory authority at any time — see Section 14.
Fraud detection and platform securityCustomers & PartnersLegitimate interest (we have assessed this legitimate interest and determined it does not override your rights and freedoms)
Improving and developing the platformCustomers & PartnersLegitimate interest (we have assessed this legitimate interest and determined it does not override your rights and freedoms)
Responding to support requestsCustomers & PartnersContract performance / Legitimate interest (we have assessed this legitimate interest and determined it does not override your rights and freedoms)
Complying with legal obligationsCustomers & PartnersLegal obligation

Data Processors & Third Parties

We do not sell your personal data to any third party.

We use the following data processors to operate the platform:

ProcessorPurposeLocation
Amazon Web Services (AWS)Cloud hosting, database, and file storage (partner logos and images)EU regions primarily; may involve US servers
Transactional email providerDelivery of verification codes (one-time passwords) and account & notification emails. Receives your name and email address only — never your password, points, or transaction data.EU / EEA; Standard Contractual Clauses apply to any non-EEA processing
Sentry (crash & error monitoring)Crash and error reporting for the mobile app, used to detect and fix stability issues. Receives diagnostic data only — error reports including device model, operating system, and app version. Sensitive fields (passwords, tokens, OTP codes, and authorization headers) are scrubbed from reports before they are sent. We never send your name, email, points, or transaction data to Sentry.EU / US; Standard Contractual Clauses apply to any non-EEA processing

All processors are bound by data processing agreements that require them to protect your data to GDPR standards. We will update this section as we integrate additional services.

We may also disclose data to legal authorities if required by law, court order, or regulatory authority.

International Data Transfers

Pointify is based in Poland (EU) and primarily processes data within the European Economic Area (EEA) using Amazon Web Services (AWS). Because we serve users in countries outside the EEA, personal data may be transferred internationally. We ensure appropriate safeguards are in place for every transfer:

Country / RegionBasis for Transfer
EU member statesNo transfer — data stays within the EEA
United KingdomEU adequacy decision for the UK
United StatesEU–US Data Privacy Framework; AWS Standard Contractual Clauses (SCCs)
Armenia, Azerbaijan, Belarus, Georgia, Turkey, UkraineStandard Contractual Clauses (SCCs) approved by the European Commission

All data is stored on AWS infrastructure (primarily EU regions). SCCs are in place with AWS covering transfers to any non-EEA AWS regions.

Any transfer to a non-EEA country we support is covered by the same AWS SCCs framework, ensuring an equivalent level of protection.

Data Retention

We retain your personal data for as long as necessary to provide the service and comply with legal obligations:

Data TypeRetention Period
Active account data (customers & partners)For the duration of the account
Account data after deletion requestPersonal identifiers (name, email, phone number, password) are anonymised immediately upon account deletion — replaced with a placeholder so the record can no longer be attributed to you. The anonymised account entry is retained for audit-log integrity.
Transaction and points historyRetained in anonymised form after account deletion for audit and legal-compliance purposes. The records cannot be linked back to your identity after anonymisation.
Security logs (login history, IP logs)12 months
Support communications2 years
Legal and compliance recordsUp to 7 years (as required by Polish and EU law)
Marketing consent recordsUntil consent is withdrawn + 3 years for proof of consent

After the retention period, data is permanently and securely deleted or anonymised.

Your Rights Under GDPR

If you are located in the EU or UK, you have the following rights regarding your personal data. To exercise any of these rights, contact us at support@pointify.org — we will respond within 30 days.

RightWhat it means
Right of AccessRequest a copy of all personal data we hold about you
Right to RectificationRequest correction of inaccurate or incomplete data
Right to ErasureRequest deletion of your personal data (“right to be forgotten”)
Right to RestrictionRequest that we pause processing of your data in certain circumstances
Right to Data PortabilityReceive your data in a structured, commonly used, machine-readable format (e.g. PDF)
Right to ObjectObject to processing based on legitimate interests or direct marketing. Your right to object to direct marketing is absolute and does not require any justification.
Right to Withdraw ConsentWithdraw any consent you have given at any time, without negative consequences and without affecting the lawfulness of any processing carried out before withdrawal
Right re: automated decisionsWe do not make solely automated decisions that significantly affect you
Right to Lodge a ComplaintYou have the right to lodge a complaint with a supervisory authority at any time without prejudice to any other administrative or judicial remedy. See Section 14 for details of the relevant authorities.

Cookies & Local Storage

The Pointify mobile app does not use advertising or tracking cookies. To keep you signed in, the app stores authentication tokens (a JWT access token and a refresh token) locally on your device. These tokens are essential — they are how the app proves who you are on each request, and the service cannot function without them.

TypePurposeCan be disabled?
Authentication tokens (essential)Stored locally on your device to keep you signed in and to authenticate your requests to our serversNo — required for the service to work; removed when you log out
Preference storageRemembering your language and settings on your deviceYes
AnalyticsWe may introduce analytics tools in the future to understand how users interact with the platform. If and when implemented, these will be optional and require your explicit consent before activation.Yes — opt-in consent required

We do not currently use any advertising, profiling, or cross-site tracking technologies. Clearing the app’s data or logging out removes the stored tokens and signs you out.

Data Security

We take the security of your data seriously and implement the following measures:

  • All passwords are hashed using industry-standard algorithms — we never store plain-text passwords
  • All data in transit is encrypted using HTTPS/TLS
  • Data at rest is encrypted on AWS infrastructure
  • Access to personal data is restricted to authorised personnel only
  • Active session management to invalidate sessions on suspicious activity
  • Regular security reviews and access audits

In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay.

Children’s Privacy

Pointify is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child has registered, please contact us at support@pointify.org and we will delete the account and all associated data promptly.

UK Users

If you are located in the United Kingdom, your data is protected under the UK GDPR and the Data Protection Act 2018. Your rights are equivalent to those described in Section 7. You may lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

California Users (CCPA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information we collect, use, and disclose
  • The right to delete your personal information
  • The right to opt out of the sale of personal information — we do not sell personal data
  • The right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at support@pointify.org.

Changes to This Policy

We may update this Privacy Policy as our service evolves or when required by law. When we make significant changes, we will notify you by email (to the address on your account) at least 30 days before the changes take effect. The “Last updated” date at the top of this page will always reflect the most recent revision.

Continued use of Pointify after the effective date constitutes acceptance of the updated policy. If you disagree with changes, you may delete your account before they take effect.

Complaints

If you are unhappy with how we handle your data, please contact us first at support@pointify.org — we will do our best to resolve your concern within 30 days.

You also have the right to lodge a complaint with your local supervisory authority:

  • Poland (EU): UODO — Urząd Ochrony Danych Osobowych — uodo.gov.pl
  • UK: Information Commissioner’s Office (ICO) — ico.org.uk
  • Other EU countries: your national data protection authority

Contact

For any questions, requests, or concerns about this Privacy Policy or your personal data:

  • Email: support@pointify.org
  • Data Controller: Pointify (pointify.org), Poland
  • Response time: Within 30 days for all GDPR-related requests

By using Pointify, you acknowledge that you have read and understood this Privacy Policy. It works together with our Terms of Service. If you have any concerns about how we handle your data, we are always happy to help at support@pointify.org.