Privacy Policy
Who we are
Rewards Pro (“Rewards Pro,” “we,” “us,” or “our”) provides CRM and loyalty program software-as-a-service to business customers (“Customers”) who use our platform to manage rewards, promotions, and customer engagement.
This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when:
You visit our website(s) and subdomains that link to this policy (the “Site”),
You use our SaaS platform, dashboards, APIs, browser extensions, and mobile apps (the “Services”),
We process personal information on behalf of our Customers as their service provider/processor.
Scope and roles
Controller vs. Processor:
We are a controller for personal information we collect through our Site and during our own business operations (e.g., prospective customers, account admins, billing contacts).
We act as a processor/service provider for personal information we process on behalf of our Customers through the Services (e.g., end-customer profiles, transactions, rewards points). In those cases, our Customers are the controllers and their privacy policies apply. We process such data only under their instructions and our agreements.
Information we collect
A) Information you provide to us (directly)
Account and profile data: name, company, role, email address, phone number, password or SSO identifiers, preferences.
Business information: company name, industry, billing address, tax IDs, subscription details.
Communications: support requests, chat messages, feedback, survey responses, call recordings (where permitted and with notice).
Payment information: cardholder name, partial card details (tokenized), billing contact; payment data is typically processed by our PCI-compliant payment processor.
Marketing opt-ins: newsletter subscriptions, event registrations.
B) Information we process for Customers (on their behalf)
End-customer data: names, emails, phone numbers, loyalty IDs, birthdates (if collected), addresses, preferences.
Transactional and loyalty data: purchases, redemptions, points balances, coupons, visit frequency, referrals.
Engagement data: campaign interactions, message opens/clicks, in-store interactions, support history.
Integrations data: data synced from POS, e-commerce, CDP, CRM, or marketing tools.
C) Information collected automatically
Usage and device data: IP address, device/browser type, operating system, language, referring URLs, pages viewed, links clicked, session duration, crash and performance data.
Cookies and similar technologies: for authentication, preferences, analytics, and advertising. See “Cookies & tracking” below.
Location data: approximate location inferred from IP; precise location only if you grant permission in our apps.
D) Information from third parties
Service providers and partners: identity verification, fraud prevention, analytics, advertising networks.
Customer-provided sources: imports from point-of-sale, e-commerce, and other systems.
Public sources: business contact information from public websites or directories, where permitted.
How we use personal information
Provide and maintain the Services: account creation, authentication, user management, feature delivery, service personalization.
Customer success and support: respond to inquiries, diagnostics, training, and troubleshooting.
Security and integrity: monitor, prevent, and detect fraud, abuse, and security incidents; maintain audit logs and backups.
Product improvement: analytics, research, and development; quality assurance; A/B testing; de-identified and aggregated insights.
Marketing and communications: send service-related notices, product updates, newsletters, and promotional messages consistent with your preferences and applicable laws. You can opt out of marketing at any time.
Legal and compliance: enforce terms, comply with legal obligations, and protect our rights, users, and the public.
Payments and billing: process subscriptions, invoicing, tax compliance.
Legal bases for processing (EEA/UK/Switzerland)
Where GDPR or similar laws apply, we rely on:
Contract: to provide the Services you request.
Legitimate interests: to secure and improve the Services, prevent fraud, and market to business contacts, balanced against your rights.
Consent: where required for certain cookies, marketing, or processing of sensitive data.
Legal obligation: to comply with applicable laws and regulations.
When we act as a processor, the Customer’s lawful basis applies; we process under their instructions and our data processing agreement (DPA).
Cookies and tracking technologies
We use:
Strictly necessary cookies for login and core functionality.
Functional cookies to remember preferences.
Analytics cookies to understand usage and improve performance.
Advertising cookies for remarketing and measuring campaigns (on our marketing site only).
You can manage cookies via our cookie banner and your browser settings. Some features may not function without certain cookies.
We may use pixels, SDKs, and server-side tracking where appropriate. See our Cookie Notice for details.
How we share information
We do not sell personal information.
We may share personal information with:
Service providers: hosting, infrastructure, customer support, analytics, email/SMS delivery, payment processing, identity verification, security, logging, and communications tools, under contracts that limit use to our instructions.
Integrations and partners: when you connect third-party apps or enable data flows, we share data as needed to deliver that integration, per your settings.
Professional advisors: lawyers, accountants, auditors, insurers.
Change of control: if we engage in a merger, acquisition, financing, or sale of assets, information may be transferred subject to confidentiality and applicable laws.
Legal and safety: to comply with law, enforce terms, or protect rights, privacy, safety, or property of you, us, or others.
Aggregated/de-identified data: insights that cannot reasonably identify an individual.
Data retention
We retain personal information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements.
For processor data, we retain according to our Customer’s instructions and our DPA. Upon termination, we delete or return personal information within a commercially reasonable period, unless law requires retention.
Backups and logs are retained for limited periods consistent with security and compliance requirements.
International data transfers
We operate globally and may transfer personal information across borders, including to countries that may not have equivalent data protection laws.
Where required, we use appropriate safeguards, such as Standard Contractual Clauses (SCCs), UK Addendum, and additional measures.
Our subprocessor list and transfer mechanisms are available upon request or in your admin portal.
Security
We implement technical and organizational measures designed to protect personal information, including encryption in transit, network segmentation, access controls, least-privilege access, MFA for internal systems, secure software development practices, vulnerability management, and employee training.
No method of transmission or storage is 100% secure; we maintain incident response and business continuity plans.
Your privacy rights
Depending on your location, you may have rights such as:
Access, correction, and deletion of your personal information.
Portability of certain information.
Object to or restrict processing, including for direct marketing.
Withdraw consent where processing is based on consent.
Appeal our decision regarding a rights request (where applicable).
How to exercise your rights:If Rewards Pro is the controller: contact us using the details below. We may need to verify your identity.
If your data is processed by us on behalf of a Customer: contact that Customer directly. We will support them in responding to your request.
Children’s privacy
Our Services are not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided personal information to us, contact us and we will take appropriate action.
Communications preferences
Service communications: you may not opt out of essential service, security, or transactional messages.
Marketing communications: you can unsubscribe via the link in our emails or by contacting us. Preferences may also be available in your account settings.
Do Not Track and global privacy controls
Our Site does not currently respond to browser “Do Not Track” signals. Where required by law, we honor Global Privacy Control (GPC) signals for relevant domains and contexts.
State and regional disclosures
A) California (CCPA/CPRA)
We do not “sell” or “share” personal information as defined by CPRA, unless stated otherwise in a specific notice. If we ever do, you will have the right to opt out.
Categories collected: identifiers, commercial information, internet activity, geolocation (approximate), professional information, inferences (limited, for product improvement).
Sensitive personal information: generally not required; if collected (e.g., precise location, government IDs), we use it only for permitted purposes and do not use it to infer characteristics.
Rights: know, delete, correct, opt-out of sale/share, limit use of sensitive PI, and non-discrimination.
B) Colorado/Connecticut/Utah/Virginia and similar lawsWe provide access, correction, deletion, portability, and opt-out of targeted advertising or certain profiling where applicable.
C) EEA/UK/SwitzerlandSee Section 5; you may lodge a complaint with your local supervisory authority.
Third-party links and services
Our Site and Services may contain links to third-party websites, apps, and services. Their privacy practices are governed by their own policies. We encourage you to review them.
Data processing addendum (DPA) and subprocessors
For Customers, our DPA forms part of our service agreement and includes standard contractual protections.
We maintain a list of subprocessors used to deliver the Services and will provide reasonable advance notice of changes where legally required.