Maintaining Compliance with Data Privacy Laws
Since our inception, Loyalty Juggernaut Inc.'s (LJI) approach has been anchored in a strong commitment to privacy, security, compliance and transparency. We respect the trust that you, as a user of LJI Services, place in us to safely process your data. To maintain the privacy of Client Data, LJI Service ensures comprehensive compliance with various applicable Data Privacy Laws.
LJI uses Client Data solely to provide the Service, or to prevent or address service or technical problems, in accordance with the Agreement with the Customers, or in accordance with Client's instructions, and does not disclose Client Data to anyone other than the Authorized Parties.
LJI's approach to Data Privacy includes supporting our customers' compliance with EU data protection requirements, including those set out in the General Data Protection Regulation ("GDPR"), which replaced the EU Data Protection Directive (also known as "Directive 95/46/EC") and became enforceable on May 25, 2018.
The General Data Protection Regulation (GDPR) seeks to update and harmonize privacy laws across Europe while providing individuals in the EU ("Data Subjects") with enhanced control over their personal data. At its core, the GDPR challenges organizations to make privacy a key factor in customer, product and partnership decisions.
The GDPR tasks all organizations to:
- "address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data"
- "demonstrate compliance with this Regulation"
- "take into account the rights and legitimate interests of data subjects and other persons concerned."
LJI Service complies with the GDPR to protect Personal Data and its Privacy, Safety, and Security.
How LJI meets requirements under the GDPR
At LJI, we are committed to helping Clients to comply with the General Data Protection Regulation (GDPR) through a comprehensive set of platform capabilities, access to the Personal Data, and suitable processes to deliver on the Data Subject's rights.
We have a Data Protection Officer to oversee GDPR compliance and to represent the interests of EU individuals, whose Personal Data we handle as both an enterprise and a service provider.
As a Data Processor, LJI helps Clients comply with the following rights of the individuals that are recognized under GDPR:
Right to Access
The right to access allows the Data Subject to access the personal data belonging to them that LJI processes. Additionally, the Data Controllers (Clients) under GDPR have an obligation to inform Data Subjects about the following:
- Why and how LJI processes the data
- Categories of Personal Data involved
- Who sees the data (including and especially in countries outside the EU)
- How long the Data Controllers intend to store the data
- How the Data Subjects can exercise their rights
- Any available information as to the source of the data when the Data Controllers do not collect the data from the Data Subject
- The use of profiling and automated decision-making by Data Controllers
LJI provides Clients and Authorized Parties with the ability to honor the Data Subjects' Right to Access.
Right to Rectification
On request, the Data Controllers (Clients) under GDPR have to provide the Data Subjects with their Personal Data and fix inaccuracies or add the missing information. LJI enables Clients to access and update information of the Data Subjects.
Right to Erasure
The Data Subject has the right to ask Data Controllers (Clients) to erase their data. At an individual's request routed by the Data Controller (Client) to LJI, LJI anonymizes the Personal Data of the Data Subject to prevent access to the Data Subject's PII (Personally Identifiable Information) thenceforth.
Alternatively, LJI also enables Clients to delete the Personal Data of Data Subjects on a self-service basis using GRAVTY® UI.
Right to Data Portability
This involves the Data Subject's right to receive the Personal Data concerning him or her, which he or she has provided to a Data Controller (Client), in a structured, commonly used and machine-readable format, and to transmit those data to another Data Controller without hindrance from the Controller to which the Personal Data have been provided.
At an individual's request, routed by the Data Controller (Client), LJI provides the Data Subject with their Personal Data, and also transmits the data to another organization on the Client's instructions. Alternatively, the Client or Authorized Parties can access and route this information to the Data Subject by exporting from the Member360 view on GRAVTY® UI on a self-service basis.
Right to Object
This involves the Data Subject's right to object, on relevant grounds, to the processing of their Personal Data, including profiling. The Data Controller has an obligation to stop processing Personal Data for direct marketing or other actions when such an objection is received from a Data Subject under GDPR. LJI provides a range of capabilities for Data Controllers to honor the Data Subject's Right to Object.
Right to Information
Each Data Subject has the right to ask Data Controllers what kind of data they process and why they need it. It holds that the Data Subject has the right to enquire about the kind of data the Data Controller will process and why.
Right to Restriction of Processing
Each Data Subject has the right to request the restriction of processing personal data under certain conditions. The Data Controller must halt all data processing temporarily, and it must communicate to the Data Subject the intent to resume processing if they choose to do so.
Right to Avoid Automated Decision-Making
Each Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them.
How LJI meets requirements under the CCPA
LJI's commitment towards ensuring data protection and privacy of the Data Subjects also involves compliance with the California Consumer Privacy Act (CCPA). As a Service Provider, LJI also assists its Customers in their compliance with the CCPA.
The California Consumer Privacy Act (CCPA), Cal. Civ. Code §§ 1798.100 et seq., is a U.S. law enacted in the State of California with an effective date of January 1, 2020. It expands upon the privacy rights available to particular California Data Subjects and requires companies to comply with various data protection requirements.
The intentions of the Act are to provide Data Subjects with the right to:
- Know what Personal Data is being collected about them.
- Know whether their Personal Data is sold or disclosed and to whom.
- Say no to the sale of Personal Data.
- Access their Personal Data.
- Request a Client to delete their Personal Data.
- Not be discriminated against for exercising their privacy rights.
LJI assists the Clients in their compliance under CCPA by acting upon requests from Data Subjects to delete Personal Data or share Personal Data with the Clients, or any other requests made in accordance with the aforementioned rights.
Data Backup
Data backups for both PostgreSQL and DynamoDB Databases are automatically and continuously taken (continuous backups) as opposed to snapshot backups which are usually done daily. Due to continuous backups, LJI can restore data from data backups using PITR (Point In Time Recovery) which allows data to be restored to a point in time within the retention period.
Continuous Backups are retained for 1 month and happen with no impact on performance or availability. All data in data backups are encrypted. Data restore tests are done regularly to validate data backups.
Upon termination of LJI Service, LJI maintains Client Data for up to six months. LJI also retains Audit Logs for six months.
Termination of Service
The Client has complete control over their data in GRAVTY®. In case of Termination of Service, LJI provides the following ways for the Clients to get possession of their data:
- The Client can request the designated LJI Customer Success Leader to provide full DB Backup of their data, which includes the entire Program Data such as but not limited to Member Data, BITs, Offer Data, Sponsor Data, and Location Data. LJI will deliver the full DB Backup to the Client within 30 days. LJI may charge a reasonable fee mutually agreed upon with the Client for this Service.
- The Client can use GRAVTY® APIs to extract Program Data on a self-service basis.
Once the Client terminates the Service and has taken out all the data, LJI will permanently delete all the data associated with the Client.
This Policy does not apply to third-party websites, products, or services, even if they link to our Services or Sites, and you should consider the privacy practices of those third parties carefully.
"Client Data" means the electronic data or information submitted by Client or Authorized Parties to the Service. This may include data of Client's customers as applicable.
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Authorized Parties" means, for Services, those employees, contractors, and end users, as applicable, authorized by the Client or on the Client's behalf to use the Services in accordance with the Client Agreement and the relevant Subscription Service Order.