GDPR and Marketing Consent for Wallet Loyalty Cards

Explicit opt-in only

The sign-up form has an unticked marketing-consent checkbox. We never tick it by default and we treat null/unanswered as a no. This is stricter than the law strictly requires, but it keeps shops out of regulator trouble across all EU jurisdictions.

Transactional vs marketing pushes

• Transactional pushes ("you got a stamp", "your reward is ready") are part of the service and do not require marketing consent.
• Marketing/broadcast pushes (one-off promos) require explicit consent.

Opt-out is one tap, in the wallet itself

Wallet pushes don't need an in-body unsubscribe URL because Apple Wallet and Google Wallet both expose a per-pass notification toggle. The customer opens the pass, flips the switch, and pushes stop — no link to find, no extra page to load. This satisfies the GDPR/ePrivacy "easy withdrawal as easy as opt-in" requirement.

For a full marketing-consent revocation (which also drops them from your audience-size count), the customer can ask you to update their profile, or use the unsubscribe link if it ever surfaces from a future email or SMS channel — the signed /u/:customerId route still exists for those cases.

Customer data deletion

Customers can self-delete from the unsubscribe page. Owners can delete from the merchant app. Either action removes the customer record, revokes the wallet pass, and clears stamps.

We retain anonymised aggregates (e.g. "this shop sent 4 broadcasts in March") for billing and audit purposes only.

What you should write in your privacy policy

Most shops link to a one-page privacy notice from More -> Profile. Cover: what data you collect, why, how long you keep it, who you share it with (us), and how customers can exercise their rights. We can provide a template if needed.