
Privacy Policy

How we collect, use, and protect personal data on Loyal Sikka.

Last updated · 2026-06-04

Loyal Sikka (“we”, “us”) is a digital loyalty platform based in Islamabad, Pakistan. This policy explains what personal data we collect when you or your customers use the platform, how we use it, and the rights you have over it. We follow the principles of data minimisation under Pakistan's Prevention of Electronic Crimes Act (PECA) 2016 and the draft Personal Data Protection Bill.

This policy covers both of our Android apps — Sikka Wallet (the customer wallet, where shoppers hold their loyalty cards) and the Loyal Sikka shop app (used by shop owners and staff to issue sikkas and redeem rewards) — as well as the loyalsikka.com merchant panel and marketing site.

1. Who this applies to

  • Shop owners and staff who sign in to the Loyal Sikka shop app or the merchant panel.
  • Shop customers who hold a digital loyalty card via Sikka Wallet on their phone.
  • Visitors to loyalsikka.com marketing pages.

2. What we collect

From shop owners and staff

  • Email address and password, used to sign in.
  • Phone number, kept as profile and contact information (for branded SMS); it is not used to sign in.
  • Shop profile (name, vertical, city, geo coordinates, radius).
  • Approximate device location captured at the moment a sikka is issued, used only to verify the staff device is inside the shop's declared radius. This is foreground-only (while the app is open during a scan); we never track location in the background and do not retain raw GPS coordinates beyond the event row.
  • Plan, billing, and trial status.
  • Audit-log entries: action taken, timestamp, IP, user-agent.

From shop customers

  • Phone number (used to identify the loyalty card).
  • First name (optional, only if the merchant provides it).
  • Last name, date of birth, and any custom enrolment fields — all optional, and only when the shop's enrolment form requests them.
  • Sikka / redemption events at participating shops.
  • A device push token (Firebase Cloud Messaging), so we can send notifications about your loyalty card to Sikka Wallet.

Device permissions the apps request

  • Camera — both apps use the camera only to scan QR codes (a shop's enrolment code in Sikka Wallet; a customer's card in the Loyal Sikka shop app). Camera images are never stored or uploaded.
  • Location (Loyal Sikka shop app only) — used at the moment a sikka is issued to confirm the staff device is inside the shop's radius. Foreground-only; no background location.
  • Notifications — to deliver loyalty-card updates via Firebase Cloud Messaging. You can turn these off in your device settings.

3. What we do with it

  • Operate the loyalty product itself (issue cards, count sikkas).
  • Prevent fraud (geofence checks, rate limits, signed scan payloads).
  • Send transactional SMS and in-app notifications related to the loyalty card.
  • Aggregate, anonymised analytics so we can improve the product. We never sell personal data.

4. Where it lives

Personal data is stored in Supabase Postgres hosted in the Asia-Pacific region. Backups are held in the same region. Operational access is limited to Loyal Sikka staff using audited admin accounts protected by access controls.

5. Sharing

We share personal data with the shop the customer holds a card with — that's the point of the product. We do not share customer data with other shops on the platform. Sub-processors who help us run the platform:

  • Supabase (database, auth, storage)
  • Vercel (web hosting)
  • Cloudflare (DNS / CDN)
  • Firebase Cloud Messaging (push notifications to Sikka Wallet)
  • Branded SMS aggregator (Jazz / Telenor — transactional messages only)
  • SafePay / NayaPay (payment processing — billing only)
  • Sentry (error monitoring — IPs and user-agents)

6. Retention

  • Active shop accounts: held for as long as the shop subscribes plus 12 months after cancellation.
  • Customer cards: held while the customer's linked shop is active. Customers can request deletion at any time.
  • Audit logs: 24 months, after which they are anonymised but kept for regulatory compliance.

7. Your rights

You can ask us to access, correct, or delete the personal data we hold about you. Email privacy@loyalsikka.com from the phone number or email address on the account. We respond within 30 days.

8. Cookies

We use cookies that are strictly necessary to keep you signed in. We do not run advertising or cross-site-tracking cookies.

9. Children

Loyal Sikka is intended for businesses. We do not knowingly target users under the age of 18. If you believe a child has provided personal data, contact us and we will delete it.

10. Changes

We may update this policy. Material changes are announced via Sikka Wallet, email, and the merchant panel at least 14 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

Questions about anything on this page? Email legal@loyalsikka.com.
