§ 1 Data controller
The controller of your personal data within the meaning of Article 4(7) GDPR* is:
- ESPORT INDUSTRIES sp. z o.o.
- registered office: ul. Karmelicka 47, 31-128 Kraków, Poland
- Tax ID (NIP): 6762690058, National Court Register (KRS): 0001163276
- data protection contact: [email protected]
* Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR).
We have not formally appointed a Data Protection Officer (DPO). Please direct any questions regarding data processing to the Controller’s e-mail address.
§ 2 Our roles in data processing
Loyalif acts in two roles depending on the category of person:
1. Controller — towards our Customers (entrepreneurs)
With respect to individuals representing the businesses using the Platform (owners, administrative staff), we are the controller of their data. This Policy describes the processing of that data.
2. Processor — towards End Consumers
With respect to the data of our Customers’ customers (people who have added a loyalty card to Apple Wallet / Google Wallet), we act as a processor on the Customer’s behalf. The Customer remains the controller of that data. The terms of this entrustment are set out in the Data Processing Agreement (DPA).
§ 3 Scope of data processed
Customer data (business administration)
- the first and last name of the person creating the Account;
- business e-mail address;
- phone number (optional);
- company data: name, Tax ID, registered address;
- invoicing data (if different from the company data);
- login credentials (login + an encrypted password hash);
- transaction history in the service, subscription data;
- technical login data: IP address, device identifier, browser user-agent;
- system logs (time of action, operations performed on the Platform).
End Consumer data (entrusted by Customers)
As part of providing the Service, we process on behalf of our Customers the data of their consumer-customers: first name, phone number (optional), date of birth (optional, for birthday campaigns), e-mail address (optional), visit history at the venue, points balance / number of stamps, mobile device identifiers used to send push notifications (APNs/FCM push tokens).
§ 4 Purposes and legal bases of processing
We process your data as a Customer for the following purposes:
1. Providing the Service and performing the agreement — basis: Article 6(1)(b) GDPR (necessity for the performance of a contract). This covers login, subscription management, invoice delivery, and providing Platform features.
2. Issuing invoices and keeping accounting records — basis: Article 6(1)(c) GDPR (legal obligation — the Accounting Act and the Tax Ordinance).
3. Marketing of our own services (information about new features, educational materials, offers) — basis: Article 6(1)(f) GDPR (the Controller’s legitimate interest). You may object at any time.
4. Statistics and analytics — basis: Article 6(1)(f) GDPR (legitimate interest — improving the Service).
5. Security and abuse prevention (logs, monitoring of suspicious activity) — basis: Article 6(1)(f) GDPR.
6. Establishing or defending against claims — basis: Article 6(1)(f) GDPR.
§ 5 Data recipients — processors
To provide the Service, we use trusted providers (processors) to whom we entrust data under data processing agreements. The current list of sub-processors:
- Stripe Payments Europe Ltd. (Ireland) and Stripe Inc. (USA) — subscription payment handling, invoicing.
- Resend, Inc. (USA) — sending transactional e-mails (confirmations, invoicing, campaigns).
- Apple Inc. (USA) — the Apple Wallet service and APNs notifications.
- Google LLC (USA) — the Google Wallet service and FCM notifications.
- Cloudflare, Inc. (USA) — asset storage (R2), DNS, attack protection.
- Hostinger International Ltd. (Cyprus/Lithuania) — server infrastructure hosting.
- Backblaze, Inc. (USA) — database backups (B2 Cloud Storage).
The list is updated whenever providers change — the latest version is available in the DPA.
§ 6 Data transfers outside the EEA
Some of our sub-processors are based outside the European Economic Area (mainly in the USA). Transfers of data to such countries take place on the basis of:
- European Commission adequacy decisions — in particular the EU-U.S. Data Privacy Framework (for certified providers);
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- additional technical and organizational measures (encryption at rest and in transit, pseudonymization).
You can obtain a copy of the safeguards applied by writing to [email protected].
§ 7 Data retention period
- Account and subscription data — for the term of the agreement and 30 days after its termination (after that period the account and related data are permanently deleted).
- Invoicing and accounting data — 5 years counting from the end of the financial year in which the invoice was issued (in accordance with the Tax Ordinance and the Accounting Act).
- System and security logs — up to 90 days.
- Marketing data — until an objection is raised.
- Documentation relating to claims — until the limitation period for claims expires (usually 3 or 6 years).
- Backups — deleted on a 14-day cycle (daily rotation, 90-day retention in Backblaze B2 for off-site copies).
§ 8 Your rights
In connection with our processing of your data, you have the following rights:
- Right of access — you may request information about what data we process about you and obtain a copy of it.
- Right to rectification — you may correct outdated or incorrect data (most of it directly in the Account panel).
- Right to erasure (“right to be forgotten”) — you may request the deletion of your data in the situations indicated in Article 17 GDPR.
- Right to restriction of processing — in the cases set out in Article 18 GDPR.
- Right to data portability — you may receive your data in a structured, commonly used format (JSON / CSV).
- Right to object — to processing based on a legitimate interest, including marketing profiling.
- Right to withdraw consent — to the extent that processing was based on consent. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint with the PUODO — the Polish Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, www.uodo.gov.pl.
To exercise a right, write to [email protected]. We respond within 30 days.
§ 10 Changes to the Privacy Policy
We will inform you of material changes to the Privacy Policy 14 days in advance by e-mail and through a notice in the Platform panel. Previous versions of the Policy are available on request at [email protected].
§ 11 Contact
Please direct questions about the processing of your data to:
- [email protected]
- ESPORT INDUSTRIES sp. z o.o., ul. Karmelicka 47, 31-128 Kraków, Poland