BUYA Loyalty Privacy Policy

Effective Date: 01/05/2025

1. Introduction

BUYA Loyalty ("BUYA", "we", "us", or "our") operates a SaaS loyalty platform that enables businesses to offer branded mobile apps and in-store kiosks. This Privacy Policy outlines how we collect and process personal data under POPIA (South Africa) and GDPR (EU).

2. Data We Collect

Business Data:

  • Business name, registration number, billing details
  • Payment info (via PayFast)
  • Brand assets, loyalty rules, app config

Customer Data:

  • Phone number (used as identifier)
  • QR codes, loyalty transactions, timestamps
  • Optional metadata (tags, preferences)

3. Purpose of Processing

  • Configure and operate loyalty programs
  • Enable customers to earn/redeem points
  • Send loyalty notifications
  • Monitor system performance and troubleshoot

We do not use customer data for unsolicited marketing.

4. Legal Basis for Processing

Under GDPR, data is processed for contractual obligations or legitimate interest. Under POPIA, we rely on Section 11(1) for lawful processing within the scope of the service agreement.

5. Data Storage and Security

All data is hosted securely via Firebase with:

  • TLS & AES encryption
  • Role-based access controls
  • Audit logs & anomaly detection
  • Regular vulnerability assessments

6. Sharing of Information

We do not sell data. Only critical sub-processors receive data under strict agreements:

  • Firebase – hosting & authentication
  • PayFast – payment handling
  • Cloud CI/CD tools – automation & monitoring

7. Data Subject Rights

Individuals may:

  • Request access, correction, or deletion
  • Withdraw consent
  • Object to certain processing

Requests are to be sent to the respective business or escalated to app@buya-loyalty.com.

8. Data Retention

Data is retained for the duration of active subscriptions. After 60 days of non-payment, accounts are deactivated. Data is deleted 30 days later. Encrypted backups persist for up to 14 additional days.

9. International Data Transfers

Data may be stored outside South Africa/EEA with appropriate safeguards (SCCs, POPIA Section 72 compliance). Clients may request transfer details via our contact email.

10. Changes to this Policy

Policy updates are announced via email and dashboard alerts. Continued use constitutes acceptance of changes.

11. Contact Information

BUYA-BUSINESS (Pty) Ltd
453 Winifred Yell Street
Garsfontein, Pretoria, South Africa
contact@buya-business.com