1. Who we are
This Privacy Policy explains how [ENTITY_NAME] (“Repik,” “we,” or “us”) collects, uses, discloses, and protects personal data when you or your Business uses the Repik loyalty platform (“the Service”).
Repik operates in the United States and Mexico. Personal data may be transferred between those two countries so we can deliver the Service. When we act as a processor on behalf of a Business, our obligations to that Business are set out in the Data Processing Addendum (DPA).
2. Roles — controller and processor
- Business data. When a Business signs up we act as the controller of information about that Business and its staff (name, email, phone, postal address, logo, and tax identifiers).
- End-customer data. When a Business’s own customer enrolls in a loyalty card, we act as a processor on behalf of that Business. The Business is the controller of its end-customer data and is responsible for providing lawful notices and consents to its end customers.
3. Data we collect
From Businesses (controller-data).
- Account: legal/commercial name, email, password hash, role.
- Business profile: address, phone, logo, hero image, brand color, slug.
- Tax identifiers: RFC (MX) or EIN (US) when provided.
- Geolocation (latitude/longitude) for wallet-pass geo-fencing, when provided.
- Billing: subscription tier, status, manual-pilot records. Card numbers are handled by Stripe or Conekta and are never stored on Repik servers.
- Usage and device metadata: IP address, user agent, timestamps, audit logs.
From end customers (processor-data — held on behalf of the Business).
- Customer ID (generated by Repik, linked to an httpOnly signed cookie).
- Phone number in E.164 format when the end customer provides it during wallet enrollment and/or to enable later card recovery via a signed SMS link.
- Stamp history, redemption history, last tap timestamp.
- Wallet identifiers needed to deliver pass updates (Apple device library ID, Google wallet object ID, push tokens).
We do not knowingly collect personal data from anyone under 13 (US or MX). Loyalty enrollment is intended for adult consumers of the Business.
4. How we use personal data
- Operate and secure the Service (authentication, session cookies, rate limits).
- Issue and update Apple Wallet and Google Wallet passes.
- Send SMS messages strictly for security-critical flows (phone-based card recovery link) — we do not send marketing SMS.
- Compute stamp progress, redemption eligibility, and anti-fraud rate limits.
- Produce aggregated, non-identifying analytics about platform health (MAB, MRR, cohort growth). Aggregated analytics are not tied to any individual end customer.
- Meet legal, tax, and accounting obligations (for example, CFDI in Mexico).
- Enforce our Terms, investigate fraud, and respond to legal process.
5. Legal bases (EU/UK visitors) and applicable law
- United States. The California Consumer Privacy Act (CCPA) as amended by the CPRA applies to California residents. Repik does not “sell” or “share” personal data for cross-context behavioral advertising.
- Mexico. The Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) applies. Business data and end-customer data are processed under contract (Terms + DPA) and legitimate business interest.
- [TBD by counsel] If the Service becomes available to EU/UK residents, lawful bases under GDPR/UK GDPR must be confirmed (contract, legitimate interest, or consent).
6. Sub-processors and third parties
We share personal data only with service providers who help us deliver the Service and who are contractually bound to protect the data:
- Vercel (application hosting and edge network).
- Neon (managed PostgreSQL database).
- Upstash (Redis cache for rate limits and tokens).
- Apple and Google (wallet pass issuance and updates, push notifications).
- Twilio (transactional SMS for phone-based card recovery).
- Stripe (US billing), Conekta (MX billing), Facturapi (MX CFDI invoicing).
- Google Cloud Platform (service-account key for Google Wallet API).
A current, versioned list of sub-processors is maintained in the DPA. We will provide Businesses at least 30 days’ notice of any material change.
7. Cross-border transfers
Repik’s infrastructure is located in the United States (US-West regions for Vercel, Neon, and Upstash). Personal data originating in Mexico is transferred to the United States and processed there under the LFPDPPP rules on international transfers and the contractual commitments in the DPA.
8. Retention
- Business accounts. Retained for the life of the subscription and deleted within 30 days of termination, except as required by tax/accounting law.
- End-customer loyalty cards. Retained while the card is active. Deactivated cards are deleted within 90 days unless the Business requests earlier deletion.
- Audit logs. Retained for up to 12 months for security and fraud investigation.
- Backups. Disaster-recovery backups are purged on a rolling schedule (typically 30 days); data deleted from the live database may persist in backups until that window has elapsed.
9. Security
We apply industry-standard safeguards: TLS 1.2+ for all traffic, bcrypt (cost 12) for password hashes, RS256-signed JWTs in httpOnly cookies, serializable database transactions for stamp/redeem operations (so concurrent requests cannot double-stamp or double-redeem), per-origin CORS allowlisting, and per-endpoint rate limits. Access to production systems is granted and reviewed on a least-privilege basis.
No security measure is perfect. If we become aware of a breach affecting personal data we will notify affected Businesses without undue delay and in line with applicable law. End-customer breach notifications are coordinated with the Business as controller.
10. Your rights
Depending on where you live, you have the following rights with respect to your personal data:
- Access — confirm what personal data we hold and request a copy.
- Rectification / correction — correct inaccurate or out-of-date data.
- Deletion / erasure — request deletion where there is no ongoing legal or contractual reason to retain the data.
- Objection and restriction — object to, or ask us to restrict, certain processing.
- Portability — obtain an export of your data in a machine-readable format.
- CCPA / CPRA (California) — the right to know, delete, correct, and to non-discrimination. We do not sell or share your personal data.
- LFPDPPP ARCO rights (Mexico) — Acceso, Rectificación, Cancelación, y Oposición.
To exercise a right, email [PRIVACY_EMAIL]. End customers of a Business should contact that Business first; Repik will assist the Business in fulfilling the request.
11. Cookies and similar technologies
Repik uses only strictly necessary cookies:
- token — httpOnly JWT for Business dashboard authentication (24h).
- repik_cid — httpOnly, HMAC-signed customer identifier for the public /tap/[slug] flow. Persistent (730 days) so a returning customer keeps the same loyalty card across visits on the same device.
- Short-lived CSRF and impersonation audit cookies where applicable.
We do not set analytics or advertising cookies today. If that changes we will update this Policy and present a consent banner where required by law.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email and in the dashboard at least 30 days in advance.
13. Contact
Email [PRIVACY_EMAIL] for any privacy question. Postal address: [ENTITY_REGISTERED_ADDRESS].
[TBD by counsel] Confirm whether a dedicated privacy officer, LFPDPPP “departamento de datos personales,” or EU/UK representative is required before relying on this Policy publicly.