Welcome to LoyltWorks (operated by Loyltworks IT Private Limited, "we", "us", or "our"). This page sets out our compliance posture under India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), which establishes a comprehensive framework for the processing of digital personal data in India.

As a platform that processes personal data of loyalty program members, channel partners, business clients, and employees across India and internationally, LoyltWorks is fully committed to complying with this legislation. This statement should be read alongside our DPDP Compliance and Terms & Conditions.

Our Commitment, In Brief

We have appointed a Data Protection Officer, deployed a Consent Management Platform, completed a company-wide data mapping exercise, and updated our contracts with business clients and processors to reflect DPDP Act requirements. The sections below document each obligation and how we meet it.

1. About the DPDP Act & Its Applicability to Us

The DPDP Act, 2023 is India's primary law governing digital personal data. It applies to processing within India and to processing outside India where it relates to offering goods or services to individuals located in India — which covers LoyltWorks' operations across India, the GCC, Southeast Asia, and Africa wherever Indian Data Principals' data is involved.

The Act establishes the Data Protection Board of India as the regulator responsible for adjudicating non-compliance, and prescribes penalties of up to ₹250 crore per breach for failure to implement adequate safeguards. Its core pillars are: lawful, purpose-limited processing; free, specific, informed, unconditional and unambiguous consent; defined rights for Data Principals; clear obligations for Data Fiduciaries; and heightened protection for children's data.

2. Scope & Our Dual Role

This statement applies to personal data we process in connection with: Business Clients who use our platform to run loyalty programs; Loyalty Members who enrol in and participate in those programs; Channel Partners and Trade Influencers enrolled in partner or influencer programs; Employees and Contractors, including job applicants; and Website Visitors who access loylt.works or our apps.

Dual Roles Notice

LoyltWorks acts as a Data Fiduciary when it determines the purpose and means of processing directly — for example, our own marketing, platform analytics, or employee data. LoyltWorks acts as a Data Processor when it processes personal data on behalf of a Business Client under a Data Processing Agreement (DPA). We comply with all applicable DPDP Act obligations in both capacities.

3. Key Definitions
Data Principal

The individual to whom personal data relates — including loyalty members, channel partners, website visitors, and employees.

Data Fiduciary

Any person who, alone or with others, determines the purpose and means of processing personal data.

Data Processor

Any person who processes personal data on behalf of a Data Fiduciary under a written agreement.

Significant Data Fiduciary (SDF)

A Data Fiduciary designated by the Central Government based on the volume and sensitivity of data processed, or risk to Data Principals' rights.

Consent

A free, specific, informed, unconditional, and unambiguous indication of agreement, given through a clear affirmative action.

Data Protection Board of India

The statutory body established under the DPDP Act to adjudicate breaches, impose penalties, and hear appeals.

4. Lawful Basis for Processing

We process personal data only on one of the following lawful grounds recognised by the DPDP Act:

  • Consent (Section 6): our primary basis for processing data of loyalty members, channel partners, and visitors — always free, specific, informed, unconditional, and given through a clear affirmative action, never a pre-ticked box.
  • Legitimate Uses (Section 7): limited circumstances such as employment-related HR processing, compliance with a court order, or processing required by law.
  • Contractual Necessity: processing required to perform our contract with you, such as operating your loyalty account, crediting points, and processing redemptions.
5. Personal Data We Collect & Process

We apply the data minimisation principle, collecting only what is necessary, adequate, and relevant for a specified purpose. Our collection fields are reviewed annually and unnecessary fields are removed and deleted.

CategoryExamplesLawful Basis
Identity DataName, DOB, government ID (KYC programs)Consent / Legal obligation
Contact DataMobile number, email, addressConsent / Contract
Transaction & Loyalty DataPurchases, points earned/redeemed, order valuesConsent / Contract
Device & Usage DataIP address, device type, login timestampsLegitimate use / Consent
Location DataApproximate GPS for SFA visits or QR scansExplicit consent
Financial DataBank/UPI details, collected only for reward payoutsExplicit consent
Sensitive DataDietary/health preferences, in applicable F&B programs onlyExplicit consent
Employee DataEmployment, payroll, and tax recordsLegitimate use (employment) / Legal obligation
6. Consent Management

LoyltWorks operates a Consent Management Platform that handles the full lifecycle of consent in line with Section 6 of the DPDP Act:

  • A clear, plain-language Notice is shown before or at the time data is collected, describing what is collected, why, and with whom it may be shared;
  • Consent is captured through a deliberate affirmative action — never a pre-ticked box or implied consent;
  • Where data is processed for multiple purposes, we seek granular, separate consent for each;
  • Every consent interaction is logged with a timestamp, the exact notice shown, and the method of affirmation, and retained for 3 years from withdrawal or expiry;
  • Data Principals can view, manage, and withdraw consent at any time through their account, or by emailing us — withdrawal is effective within 7 business days and does not affect the lawfulness of prior processing;
  • Where a program is designed for younger members, we require verifiable parental consent before any data is collected, and apply age-gating on registration flows.
7. Rights of Data Principals

Chapter III of the DPDP Act grants you the following rights, which we are committed to facilitating promptly.

Section 11

Right to Access

Request a summary of personal data we hold, how it's processed, and which processors it has been shared with.

Section 12(a)

Right to Correction

Request correction of inaccurate, misleading, or incomplete personal data.

Section 12(b)

Right to Erasure

Request deletion of data no longer needed for its original purpose, subject to legal retention rules.

Section 6(4)

Right to Withdraw Consent

Withdraw consent at any time, as easily as it was given, without penalty.

Section 13

Right to Grievance Redressal

Raise a grievance with our DPO and, if unresolved, appeal to the Data Protection Board.

Section 14

Right to Nominate

Nominate someone to exercise your rights in the event of death or incapacity.

You may exercise these rights via your account's "My Privacy Settings," or by contacting us using the details in Section 17. We acknowledge requests within 48 hours and respond substantively within 30 calendar days (extendable by up to 30 further days for complex requests, with reasons given). We may request reasonable identity verification before fulfilling a request.

8. Our Obligations as Data Fiduciary

Section 8 of the DPDP Act sets out our general obligations. We implement each as follows:

ObligationHow We Meet ItStatus
Purpose-limited processing with valid consent or legitimate useEnforced at system level; consent recorded per purposeImplemented
Clear, accurate Notice before or at consentLayered notices at every collection touchpoint, web and appImplemented
Accuracy and completeness of data used for decisionsSelf-service update portal; periodic verification promptsImplemented
Reasonable security safeguardsAES-256 encryption, MFA, RBAC, SOC 2 Type II, regular pen testingImplemented
Breach notification to Board and Data PrincipalsIncident response plan with prompt Board notification commitmentImplemented
Erasure on consent withdrawal or cessation of necessityAutomated deletion workflows on withdrawal or account closureImplemented
Published contact details for rights requestsPublished on this page, our DPDP Compliance, and account settingsImplemented
Grievance redressal mechanismDPO-managed process with defined resolution timelinesImplemented
9. Children's Personal Data

Section 9 of the DPDP Act imposes heightened obligations regarding children's (under-18) data. We do not process a child's personal data without verifiable consent from a parent or legal guardian, and we apply age-gating across all registration flows.

In compliance with Section 9(3), we strictly prohibit: behavioural tracking or monitoring of children across our properties; targeted advertising directed at children; and any processing likely to cause detriment to a child's well-being. If we discover that a child's data has been inadvertently collected without valid consent, we suspend all processing of it immediately and delete it within 48 hours of discovery.

Report Concerns About Children's Data

If you believe a child's personal data has been collected without proper consent, contact us immediately using the details in Section 17. We treat all such reports with the highest priority.

10. Data Retention & Erasure

We retain personal data only for as long as necessary for its purpose, or as required by Indian law. Once a retention period expires, data is securely erased using cryptographic deletion or overwriting methods; aggregated, fully anonymised data may be retained indefinitely for analytics.

Data CategoryRetention PeriodBasis
Active member/partner account dataActive period + 3 years after closureContractual; DPDP Act
Transaction and points records7 years from transaction dateIncome Tax Act; GST Act
KYC / identity verification documents5 years post-relationshipPMLA, 2002
Consent records3 years from withdrawal or expiryDPDP Act audit requirement
Marketing preferencesUntil opt-out + 6 monthsConsent
Security and access logs12 months (24 for incidents)IT Act, 2000
Employee dataEmployment + 7 yearsLabour laws; Income Tax Act
Device/usage analytics90 days, then anonymisedDPDP data minimisation
11. Cross-Border Data Transfers

We primarily store and process personal data in India, at data centres located in Mumbai and Bengaluru. In limited circumstances, data may be processed by cloud or technology providers in Singapore and the United Arab Emirates to support our infrastructure and regional operations — both currently permissible under applicable Government notifications.

For any cross-border transfer, we ensure the receiving country is not on any Central Government restricted list, that contractual safeguards equivalent to the DPDP Act are in place (including Standard Contractual Clauses where applicable), and that Data Principals are informed of the jurisdictions involved at the time consent is sought. We review our transfer arrangements periodically and will halt any transfer immediately upon a relevant Government restriction being notified.

12. Security Safeguards

In line with Section 8(5) of the DPDP Act, we maintain a multi-layered security programme: AES-256 encryption at rest and TLS 1.3 in transit, with additional field-level encryption for sensitive data; role-based access control and mandatory multi-factor authentication; ISO 27001-certified cloud infrastructure with automated failover; annual independent penetration testing; real-time AI-powered fraud and anomaly detection; SOC 2 Type II certification audited annually; mandatory employee data-protection training; and security assessments of every third-party processor before engagement.

13. Personal Data Breach Notification

In the event of a personal data breach, we follow a structured response: real-time detection and immediate containment by our Incident Response Team; a preliminary assessment of the breach's scope and likely consequences; notification to the Data Protection Board of India within the timeline prescribed under applicable DPDP Rules; clear, plain-language notification to affected Data Principals describing what happened and what they should do; and a post-incident remediation and review process, with findings documented and shared with the Board as required.

To Report a Suspected Security Breach

If you discover a vulnerability or believe your personal data has been compromised, contact us immediately using the details in Section 17. We investigate all reports promptly and in confidence.

14. Significant Data Fiduciary Readiness

Section 10 of the DPDP Act allows the Central Government to designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data processed and the associated risk. We monitor these criteria on an ongoing basis and have proactively implemented several SDF-grade practices ahead of any formal designation, including appointing an India-based Data Protection Officer. Should we be designated an SDF, we are prepared to appoint an independent Data Auditor, conduct periodic Data Protection Impact Assessments, and implement any further measures prescribed by the Board or Central Government.

15. Grievance Redressal Mechanism

We operate a two-tier grievance process in line with Section 13 of the DPDP Act:

  • Tier 1 — LoyltWorks DPO: submit your grievance using the contact details in Section 17. We acknowledge within 48 hours and aim to resolve within 30 calendar days, extendable by up to 30 further days for complex matters with reasons provided.
  • Tier 2 — Data Protection Board of India: if unresolved at Tier 1, you may appeal to the Board under Section 19 of the DPDP Act. We cooperate fully with any Board inquiry or proceeding.
No Retaliation Policy

We strictly prohibit any retaliation against a Data Principal or employee for raising a genuine grievance under the DPDP Act.

16. Third-Party Data Processors & Penalties Disclosure

We engage third-party processors — cloud infrastructure, payment and banking partners, communication gateways, KYC providers, analytics platforms, and support tools — only under written Data Processing Agreements requiring them to process data solely on our documented instructions, maintain equivalent security standards, notify us immediately of any breach, assist with Data Principal rights requests, and delete or return data on termination.

In the interest of transparency, the DPDP Act prescribes penalties of up to ₹250 crore for inadequate security safeguards, up to ₹200 crore for breach-notification failures or non-compliance with children's data obligations, and up to ₹10,000 crore for non-compliance with a voluntary undertaking accepted by the Board. We disclose this to underscore the seriousness of our compliance commitment, not because we anticipate non-compliance.

17. Updates & Contact Information

We review this statement at least annually, and whenever there is a material change to our data processing activities, our processors, or the DPDP Act and its Rules. Where a change is material, we will provide at least 15 days' advance notice to registered users before it takes effect; minor or clarificatory updates will simply be reflected with a revised date above.

Company

Loyltworks IT Private Limited
Website: www.loylt.works

Mobile

+91-95133-85711

Registered Office

No. 47 Atma Creer, Ground Floor
5th Cross, 5th Main Rd, 3rd Industrial Area
Vasachanradi, Bengaluru, KA – 560 058

If your grievance with LoyltWorks remains unresolved after 30 days, you may file a complaint with the Data Protection Board of India at www.meity.gov.in. The Board is the statutory authority under the DPDP Act, 2023, empowered to adjudicate complaints and impose remedies. LoyltWorks will cooperate fully with any Board proceedings.

This statement should be read alongside our DPDP Compliance and Terms & Conditions.
© 2026 Loyltworks IT Private Limited. All rights reserved.