Privacy Policy — PopsterRoyal Ltd.

This Privacy Policy explains how PopsterRoyal Ltd. ("PopsterRoyal", "we", "us", or "our") collects, uses, shares, and protects personal information when you use our card-linked loyalty platform and website at popster-royal.com. By using our services, you agree to the practices described in this policy.

1. Who We Are

PopsterRoyal Ltd. is a Canadian company registered and operating at 4735 51 St, Rycroft, AB T0H 3A0, Canada. We provide white-label card-linked loyalty technology to independent coffee shops. Our owner and primary contact is Chin Niall. You may reach us at info@popster-royal.com.

2. Information We Collect

2.1 Information You Provide

Account registration: Your name, email address, and any profile preferences.
Card enrolment: The last 4 digits of your payment card and expiry date. We do not collect or store your full card number, CVV, or billing address.
Communications: Messages you send us via contact forms or email.

2.2 Information Collected Automatically

Transaction data triggered by your payment card at participating cafés (purchase amount, date, merchant identifier).
Website usage data: pages visited, time on site, browser type, device type, and referring URL.
Cookie data as described in our Cookie Policy.

2.3 Information from Third Parties

We receive anonymised transaction signals from our payment network partners (Visa, Mastercard, and certified card-linking intermediaries) to detect qualifying purchases. These partners operate under strict PCI DSS standards and provide only the minimum data necessary for loyalty point calculation.

3. How We Use Your Information

To operate and provide the PopsterRoyal Rewards loyalty programme.
To calculate and credit points for qualifying purchases.
To send transactional emails (point confirmations, tier updates, reward notifications).
To respond to your support and contact enquiries.
To improve our platform, diagnose technical issues, and analyse usage trends.
To comply with legal obligations and prevent fraud.

We do not sell your personal information to third parties. We do not use your data for targeted advertising.

4. Legal Basis for Processing (PIPEDA)

As a Canadian company, we process personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Our legal basis for processing is:

Consent: For card enrolment and marketing communications.
Contract: For operating the loyalty programme you have enrolled in.
Legitimate interests: For fraud prevention, security, and platform improvement.

5. Data Sharing and Disclosure

We share personal information only with:

Payment network partners: Certified card-linking intermediaries who facilitate transaction detection. These partners are contractually bound to PCI DSS compliance and data minimisation.
Café partners: Participating café owners receive only aggregate loyalty statistics — not individual member data.
Service providers: Email delivery, hosting, and analytics providers who act as data processors under our instructions.
Legal authorities: When required by applicable law, court order, or to protect rights and safety.

6. Data Retention

We retain your personal information for as long as your account is active and for a period of 7 years after account closure (as required for financial record-keeping under Canadian law). Transaction records are retained for 7 years. You may request earlier deletion subject to legal obligations.

7. Your Rights

Under PIPEDA, you have the right to:

Access the personal information we hold about you.
Correct inaccurate or incomplete information.
Withdraw consent (where processing is consent-based) and request deletion, subject to legal limitations.
Complain to the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, contact us at info@popster-royal.com.

8. Security

We implement industry-standard security measures including 256-bit SSL encryption, tokenised card data storage, access controls, and regular security audits. Our card-linking partner is PCI DSS Level 1 certified. However, no system is completely secure and we cannot guarantee absolute security of data transmitted over the internet.

9. Cookies

We use cookies and similar technologies as described in our Cookie Policy. You can manage cookie preferences at any time through your browser settings.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and by a prominent notice on our website at least 14 days before taking effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:

PopsterRoyal Ltd.
Attn: Privacy Officer
4735 51 St, Rycroft, AB T0H 3A0, Canada
info@popster-royal.com