Welcome to LoyltWorks (operated by Loyltworks IT Private Limited, "we", "us", or "our"). This page sets out our compliance posture under India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), which establishes a comprehensive framework for the processing of digital personal data in India.
As a platform that processes personal data of loyalty program members, channel partners, business clients, and employees across India and internationally, LoyltWorks is fully committed to complying with this legislation. This statement should be read alongside our DPDP Compliance and Terms & Conditions.
We have appointed a Data Protection Officer, deployed a Consent Management Platform, completed a company-wide data mapping exercise, and updated our contracts with business clients and processors to reflect DPDP Act requirements. The sections below document each obligation and how we meet it.
The DPDP Act, 2023 is India's primary law governing digital personal data. It applies to processing within India and to processing outside India where it relates to offering goods or services to individuals located in India — which covers LoyltWorks' operations across India, the GCC, Southeast Asia, and Africa wherever Indian Data Principals' data is involved.
The Act establishes the Data Protection Board of India as the regulator responsible for adjudicating non-compliance, and prescribes penalties of up to ₹250 crore per breach for failure to implement adequate safeguards. Its core pillars are: lawful, purpose-limited processing; free, specific, informed, unconditional and unambiguous consent; defined rights for Data Principals; clear obligations for Data Fiduciaries; and heightened protection for children's data.
This statement applies to personal data we process in connection with: Business Clients who use our platform to run loyalty programs; Loyalty Members who enrol in and participate in those programs; Channel Partners and Trade Influencers enrolled in partner or influencer programs; Employees and Contractors, including job applicants; and Website Visitors who access loylt.works or our apps.
LoyltWorks acts as a Data Fiduciary when it determines the purpose and means of processing directly — for example, our own marketing, platform analytics, or employee data. LoyltWorks acts as a Data Processor when it processes personal data on behalf of a Business Client under a Data Processing Agreement (DPA). We comply with all applicable DPDP Act obligations in both capacities.
The individual to whom personal data relates — including loyalty members, channel partners, website visitors, and employees.
Any person who, alone or with others, determines the purpose and means of processing personal data.
Any person who processes personal data on behalf of a Data Fiduciary under a written agreement.
A Data Fiduciary designated by the Central Government based on the volume and sensitivity of data processed, or risk to Data Principals' rights.
A free, specific, informed, unconditional, and unambiguous indication of agreement, given through a clear affirmative action.
The statutory body established under the DPDP Act to adjudicate breaches, impose penalties, and hear appeals.
We process personal data only on one of the following lawful grounds recognised by the DPDP Act:
- Consent (Section 6): our primary basis for processing data of loyalty members, channel partners, and visitors — always free, specific, informed, unconditional, and given through a clear affirmative action, never a pre-ticked box.
- Legitimate Uses (Section 7): limited circumstances such as employment-related HR processing, compliance with a court order, or processing required by law.
- Contractual Necessity: processing required to perform our contract with you, such as operating your loyalty account, crediting points, and processing redemptions.
We apply the data minimisation principle, collecting only what is necessary, adequate, and relevant for a specified purpose. Our collection fields are reviewed annually and unnecessary fields are removed and deleted.
| Category | Examples | Lawful Basis |
|---|---|---|
| Identity Data | Name, DOB, government ID (KYC programs) | Consent / Legal obligation |
| Contact Data | Mobile number, email, address | Consent / Contract |
| Transaction & Loyalty Data | Purchases, points earned/redeemed, order values | Consent / Contract |
| Device & Usage Data | IP address, device type, login timestamps | Legitimate use / Consent |
| Location Data | Approximate GPS for SFA visits or QR scans | Explicit consent |
| Financial Data | Bank/UPI details, collected only for reward payouts | Explicit consent |
| Sensitive Data | Dietary/health preferences, in applicable F&B programs only | Explicit consent |
| Employee Data | Employment, payroll, and tax records | Legitimate use (employment) / Legal obligation |
LoyltWorks operates a Consent Management Platform that handles the full lifecycle of consent in line with Section 6 of the DPDP Act:
- A clear, plain-language Notice is shown before or at the time data is collected, describing what is collected, why, and with whom it may be shared;
- Consent is captured through a deliberate affirmative action — never a pre-ticked box or implied consent;
- Where data is processed for multiple purposes, we seek granular, separate consent for each;
- Every consent interaction is logged with a timestamp, the exact notice shown, and the method of affirmation, and retained for 3 years from withdrawal or expiry;
- Data Principals can view, manage, and withdraw consent at any time through their account, or by emailing us — withdrawal is effective within 7 business days and does not affect the lawfulness of prior processing;
- Where a program is designed for younger members, we require verifiable parental consent before any data is collected, and apply age-gating on registration flows.
Chapter III of the DPDP Act grants you the following rights, which we are committed to facilitating promptly.
Right to Access
Request a summary of personal data we hold, how it's processed, and which processors it has been shared with.
Right to Correction
Request correction of inaccurate, misleading, or incomplete personal data.
Right to Erasure
Request deletion of data no longer needed for its original purpose, subject to legal retention rules.
Right to Withdraw Consent
Withdraw consent at any time, as easily as it was given, without penalty.
Right to Grievance Redressal
Raise a grievance with our DPO and, if unresolved, appeal to the Data Protection Board.
Right to Nominate
Nominate someone to exercise your rights in the event of death or incapacity.
You may exercise these rights via your account's "My Privacy Settings," or by contacting us using the details in Section 17. We acknowledge requests within 48 hours and respond substantively within 30 calendar days (extendable by up to 30 further days for complex requests, with reasons given). We may request reasonable identity verification before fulfilling a request.
Section 8 of the DPDP Act sets out our general obligations. We implement each as follows:
| Obligation | How We Meet It | Status |
|---|---|---|
| Purpose-limited processing with valid consent or legitimate use | Enforced at system level; consent recorded per purpose | Implemented |
| Clear, accurate Notice before or at consent | Layered notices at every collection touchpoint, web and app | Implemented |
| Accuracy and completeness of data used for decisions | Self-service update portal; periodic verification prompts | Implemented |
| Reasonable security safeguards | AES-256 encryption, MFA, RBAC, SOC 2 Type II, regular pen testing | Implemented |
| Breach notification to Board and Data Principals | Incident response plan with prompt Board notification commitment | Implemented |
| Erasure on consent withdrawal or cessation of necessity | Automated deletion workflows on withdrawal or account closure | Implemented |
| Published contact details for rights requests | Published on this page, our DPDP Compliance, and account settings | Implemented |
| Grievance redressal mechanism | DPO-managed process with defined resolution timelines | Implemented |
Section 9 of the DPDP Act imposes heightened obligations regarding children's (under-18) data. We do not process a child's personal data without verifiable consent from a parent or legal guardian, and we apply age-gating across all registration flows.
In compliance with Section 9(3), we strictly prohibit: behavioural tracking or monitoring of children across our properties; targeted advertising directed at children; and any processing likely to cause detriment to a child's well-being. If we discover that a child's data has been inadvertently collected without valid consent, we suspend all processing of it immediately and delete it within 48 hours of discovery.
If you believe a child's personal data has been collected without proper consent, contact us immediately using the details in Section 17. We treat all such reports with the highest priority.
We retain personal data only for as long as necessary for its purpose, or as required by Indian law. Once a retention period expires, data is securely erased using cryptographic deletion or overwriting methods; aggregated, fully anonymised data may be retained indefinitely for analytics.
| Data Category | Retention Period | Basis |
|---|---|---|
| Active member/partner account data | Active period + 3 years after closure | Contractual; DPDP Act |
| Transaction and points records | 7 years from transaction date | Income Tax Act; GST Act |
| KYC / identity verification documents | 5 years post-relationship | PMLA, 2002 |
| Consent records | 3 years from withdrawal or expiry | DPDP Act audit requirement |
| Marketing preferences | Until opt-out + 6 months | Consent |
| Security and access logs | 12 months (24 for incidents) | IT Act, 2000 |
| Employee data | Employment + 7 years | Labour laws; Income Tax Act |
| Device/usage analytics | 90 days, then anonymised | DPDP data minimisation |
We primarily store and process personal data in India, at data centres located in Mumbai and Bengaluru. In limited circumstances, data may be processed by cloud or technology providers in Singapore and the United Arab Emirates to support our infrastructure and regional operations — both currently permissible under applicable Government notifications.
For any cross-border transfer, we ensure the receiving country is not on any Central Government restricted list, that contractual safeguards equivalent to the DPDP Act are in place (including Standard Contractual Clauses where applicable), and that Data Principals are informed of the jurisdictions involved at the time consent is sought. We review our transfer arrangements periodically and will halt any transfer immediately upon a relevant Government restriction being notified.
In line with Section 8(5) of the DPDP Act, we maintain a multi-layered security programme: AES-256 encryption at rest and TLS 1.3 in transit, with additional field-level encryption for sensitive data; role-based access control and mandatory multi-factor authentication; ISO 27001-certified cloud infrastructure with automated failover; annual independent penetration testing; real-time AI-powered fraud and anomaly detection; SOC 2 Type II certification audited annually; mandatory employee data-protection training; and security assessments of every third-party processor before engagement.
In the event of a personal data breach, we follow a structured response: real-time detection and immediate containment by our Incident Response Team; a preliminary assessment of the breach's scope and likely consequences; notification to the Data Protection Board of India within the timeline prescribed under applicable DPDP Rules; clear, plain-language notification to affected Data Principals describing what happened and what they should do; and a post-incident remediation and review process, with findings documented and shared with the Board as required.
If you discover a vulnerability or believe your personal data has been compromised, contact us immediately using the details in Section 17. We investigate all reports promptly and in confidence.
Section 10 of the DPDP Act allows the Central Government to designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data processed and the associated risk. We monitor these criteria on an ongoing basis and have proactively implemented several SDF-grade practices ahead of any formal designation, including appointing an India-based Data Protection Officer. Should we be designated an SDF, we are prepared to appoint an independent Data Auditor, conduct periodic Data Protection Impact Assessments, and implement any further measures prescribed by the Board or Central Government.
We operate a two-tier grievance process in line with Section 13 of the DPDP Act:
- Tier 1 — LoyltWorks DPO: submit your grievance using the contact details in Section 17. We acknowledge within 48 hours and aim to resolve within 30 calendar days, extendable by up to 30 further days for complex matters with reasons provided.
- Tier 2 — Data Protection Board of India: if unresolved at Tier 1, you may appeal to the Board under Section 19 of the DPDP Act. We cooperate fully with any Board inquiry or proceeding.
We strictly prohibit any retaliation against a Data Principal or employee for raising a genuine grievance under the DPDP Act.
We engage third-party processors — cloud infrastructure, payment and banking partners, communication gateways, KYC providers, analytics platforms, and support tools — only under written Data Processing Agreements requiring them to process data solely on our documented instructions, maintain equivalent security standards, notify us immediately of any breach, assist with Data Principal rights requests, and delete or return data on termination.
In the interest of transparency, the DPDP Act prescribes penalties of up to ₹250 crore for inadequate security safeguards, up to ₹200 crore for breach-notification failures or non-compliance with children's data obligations, and up to ₹10,000 crore for non-compliance with a voluntary undertaking accepted by the Board. We disclose this to underscore the seriousness of our compliance commitment, not because we anticipate non-compliance.
We review this statement at least annually, and whenever there is a material change to our data processing activities, our processors, or the DPDP Act and its Rules. Where a change is material, we will provide at least 15 days' advance notice to registered users before it takes effect; minor or clarificatory updates will simply be reflected with a revised date above.
Company
Loyltworks IT Private Limited
Website: www.loylt.works
Mobile
+91-95133-85711
Registered Office
No. 47 Atma Creer, Ground Floor
5th Cross, 5th Main Rd, 3rd Industrial Area
Vasachanradi, Bengaluru, KA – 560 058
If your grievance with LoyltWorks remains unresolved after 30 days, you may file a complaint with the Data Protection Board of India at www.meity.gov.in. The Board is the statutory authority under the DPDP Act, 2023, empowered to adjudicate complaints and impose remedies. LoyltWorks will cooperate fully with any Board proceedings.
This statement should be read alongside our DPDP Compliance and Terms & Conditions.
© 2026 Loyltworks IT Private Limited. All rights reserved.