Version 2026-06-30
The café is the controller for the loyalty relationship with you — they decide the program and the communications you receive. Loopo acts as a processor on behalf of the café, under a DPA.
Loopo additionally acts as an independent controller for limited service purposes: operating, improving and securing the service, analysing aggregated/anonymised data, and preventing abuse. Legal basis: legitimate interest — you may object at any time.
Mobile phone (for ID and the card), an optional first name, stamp/reward counts and transaction timestamps. We do not collect email.
Café marketing consent is separate, optional, and applies only to communications from that specific café. You can withdraw it anytime from your card.
Access, correction, deletion, objection, portability. Data deletion: from your card, with SMS verification.
privacy@loopo.app (TODO-legal:)