LoyaltyTree
OneSeed.green Inc

GDPR Compliance

LoyaltyTree is committed to protecting privacy and complying with the General Data Protection Regulation (GDPR) for all users in the European Union.

Our GDPR Commitment

As a data processor working with Shopify merchants worldwide, LoyaltyTree implements comprehensive measures to ensure GDPR compliance. We process personal data lawfully, fairly, and transparently, collecting only what is necessary for loyalty program operations.

Last Updated: January 2026

Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

Right to Access

You can request a copy of the personal data we hold about you, including purchase history, loyalty program participation, and account information.

Right to Rectification

You can request that we correct any inaccurate personal data or complete any incomplete data we hold about you.

Right to Erasure

You can request deletion of your personal data when it's no longer necessary for the purpose it was collected, or when you withdraw consent.

Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format to transfer to another service.

Right to Restrict Processing

You can request that we limit how we use your data while we address your concerns about accuracy or our legal basis for processing.

Right to Object

You can object to processing based on legitimate interests, and we will stop unless we have compelling grounds to continue.

Data Protection Measures

Encryption at Rest

Sensitive personal data, including Shopify access tokens and integration credentials, is encrypted with AES-256-CBC before storage. Encryption keys are stored separately from the database.

Email Address Protection

Customer email addresses are stored as SHA-256 hashes, making them irreversible while still allowing for customer identification. This pseudonymization technique protects privacy while maintaining functionality.

Data Minimization

We collect only the data necessary for loyalty program operation. Customer names and purchase details are sourced from Shopify and retained only as needed to calculate and display loyalty rewards.

Access Controls

Multi-tenant architecture ensures complete data isolation between merchants. SQL-level verification prevents any cross-account data access. All administrative access requires multi-factor authentication.

Secure Transmission

All data transmitted between your browser, our servers, and third-party services (Shopify, OneSeed.eco) is encrypted using TLS 1.3. HMAC verification ensures webhook authenticity.

Shopify GDPR Integration

As a Shopify app, LoyaltyTree fully integrates with Shopify's GDPR compliance framework, ensuring seamless handling of privacy requests.

Cookie Consent Honoring

We respect customer cookie preferences set through Shopify's Customer Privacy API. When customers opt out of tracking, we disable analytics cookies and limit data collection to only what's essential for the loyalty program to function.

Customer Data Deletion

When a customer requests data deletion through Shopify, we receive automatic webhook notifications and promptly remove all associated loyalty data, seed balances, transaction history, and personal information from our systems.

Customer Data Request

We respond to Shopify's customer data request webhooks by providing a complete export of all personal data we store, including loyalty points, eco rewards, transaction history, and notification preferences.

Shop Data Erasure

When a merchant uninstalls LoyaltyTree or requests shop data erasure, we delete all store configuration, customer data, and transaction records associated with that shop within 48 hours.
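The following is an added example, not LoyaltyTree's own code, showing how the HMAC webhook check described under Secure Transmission and the three Shopify privacy webhooks above (customer data request, customer redaction, shop redaction) fit together in one receiver. The header names and topic strings are Shopify's; the shared secret, payload fields and handler names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret; a real app loads its shared secret from a secret store.
APP_SECRET = b"constructed-example-shared-secret"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Base64 of HMAC-SHA256 over the raw request body: the value Shopify
    places in the X-Shopify-Hmac-Sha256 header of every webhook delivery."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Constant-time comparison, so a forged header leaks nothing about
    how many bytes of the expected signature matched."""
    return hmac.compare_digest(compute_signature(secret, raw_body), header_value)


def handle_privacy_webhook(topic: str, payload: dict) -> str:
    """Hypothetical dispatcher for the three mandatory privacy topics; it
    returns the action a real handler would perform against the store."""
    if topic == "customers/data_request":
        return f"export data for customer {payload['customer']['id']}"
    if topic == "customers/redact":
        return f"erase loyalty data for customer {payload['customer']['id']}"
    if topic == "shop/redact":
        return f"erase all data for shop {payload['shop_domain']}"
    return "ignored"


def process_request(secret: bytes, raw_body: bytes, headers: dict) -> str:
    """Verify first, parse second: the body is not trusted until the HMAC passes."""
    if not verify_webhook(secret, raw_body, headers.get("X-Shopify-Hmac-Sha256", "")):
        return "rejected: bad signature"
    return handle_privacy_webhook(headers.get("X-Shopify-Topic", ""), json.loads(raw_body))


def sample_body() -> bytes:
    """Constructed customers/redact payload with the fields the dispatcher reads."""
    return json.dumps({"shop_domain": "example.myshopify.com", "customer": {"id": 42}}).encode()


if __name__ == "__main__":
    body = sample_body()
    headers = {"X-Shopify-Topic": "customers/redact",
               "X-Shopify-Hmac-Sha256": compute_signature(APP_SECRET, body)}
    print(process_request(APP_SECRET, body, headers))  # erase loyalty data for customer 42
```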

Legal Basis for Processing

Contract Performance

Processing loyalty transactions and rewards as part of the merchant's service agreement

Legitimate Interest

Fraud prevention, security monitoring, and service improvement

Consent

Marketing communications and optional program features

Legal Obligation

Compliance with tax, accounting, and regulatory requirements

Data Retention

Active Customer Data

Retained while the loyalty program is active and for 12 months after last activity

Transaction Records

Retained for 7 years to comply with financial record-keeping requirements

Security Logs

Authentication and access logs retained for 90 days for security purposes

Deleted Account Data

Permanently removed within 30 days of account deletion request

International Data Transfers

LoyaltyTree operates from Canada and the United States. When personal data is transferred from the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) with data partners
  • Adequacy decisions where applicable
  • Encryption of data during transit and at rest
  • Data Processing Agreements with all sub-processors

Our Sub-Processors

  • Shopify Inc. Canada/USA
  • Neon Inc. (Database) USA
  • OneSeed.eco New Zealand
  • SMTP2GO (Email) New Zealand

Exercising Your Rights

Contact Us

Email our privacy team with your request

privacy@loyaltytree.eco

Verification

We'll verify your identity to protect your data from unauthorized access

Response Time

We respond to all requests within 30 days as required by GDPR

Data Protection Officer

For any questions about our GDPR compliance or to exercise your data protection rights, please contact our Data Protection Officer.