Privacy
Policy

Personal Data: Any information relating to an identified individual or an individual who can be identified from that information.

Processing: Any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, and erasure.

Service: The Reglr loyalty platform, including all web pages, APIs, and features.

Customers:

• Phone number (required for authentication)
• Name (optional, for personalized experience)
• Email address (optional, for communications)
• Birthday (optional, for loyalty rewards)
• Check-in history (timestamp, merchant, location)
• Tier status and progress
• IP address and device information
• Marketing preferences

Merchants:

• Business name and registration details
• Email address and phone number
• Business hours and location
• Payment information for subscriptions
• Analytics data (customer counts, visit patterns)
• IP address and access logs

Automatically Collected:

• Browser type and version
• IP address and geolocation (city-level)
• Pages visited and time spent
• Referrer information
• Device identifiers and operating system

We collect and process your personal data for the following purposes:

• To provide the loyalty tracking and analytics service
• To authenticate users and maintain secure sessions
• To process payments and subscription billing
• To calculate customer tiers and rewards eligibility
• To generate merchant analytics and insights
• To detect and prevent fraud
• To comply with legal obligations
• To send transactional emails (order confirmations, password resets)
• To send marketing communications (with your consent)
• To improve and optimize our Service
• To provide cross-merchant discovery and personalized recommendations
• To share your visit data with merchants you check in at (see Section 7)
• To enable merchants to send you loyalty offers, rewards, and campaigns

Under Singapore PDPA, we process your data based on:

• Consent: You have explicitly agreed to the processing
• Contract: Processing is necessary to fulfill our service agreement with you
• Legal Obligation: Processing is required by law (e.g., tax records, anti-fraud)
• Legitimate Interests: Processing is necessary for our business operations (e.g., fraud prevention, service improvement)
• Deemed Consent: When you voluntarily provide your phone number to check in, consent is deemed given for the stated purposes (PDPA Section 15)
• Business Improvement: We may use your data in aggregate to improve our service and develop new features (PDPA Section 17A, 2020 Amendment)

We retain personal data for the following periods:

• Check-in Records: 2 years (for analytics and dispute resolution)
• Customer Accounts: Active period + 1 year after account deletion (soft delete)
• Payment Records: 7 years (Singapore tax and accounting requirements)
• Fraud Detection Logs: 90 days (for pattern analysis)
• IP Logs: 30 days

After the retention period, data is permanently deleted unless longer retention is required by law.

We do NOT sell your personal data. We may share data with third parties in the following cases:

• Merchants you check in at: When you check in at a merchant, they can see your first name (if provided), your visit count and timestamps, your tier status and progress, and your birthday (if provided, for rewards). Merchants cannot see your phone number (encrypted, never shared), your email address, your activity at other merchants, or your IP address and device information.
• Cross-Merchant Discovery: We use anonymized and aggregated visit patterns across our network to power personalized recommendations. Individual visit data is never shared between merchants.
• Service Providers: Twilio (SMS), Stripe (payments), Supabase (hosting), PostHog (analytics), Sentry (error monitoring) - under data processing agreements
• Legal Requirements: When required by law, court order, or government request
• Fraud Prevention: With other merchants to detect repeat fraud patterns
• Business Transfer: In case of merger, acquisition, or asset sale

All third-party processors are bound by confidentiality agreements and are only authorized to use data as necessary to provide services to us.

You have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Correction: Request correction of inaccurate data
• Right to Deletion: Request deletion of your account (soft delete)
• Right to Opt-Out: Unsubscribe from marketing communications anytime
• Right to Data Portability: Export your data in a structured format
• Right to Withdraw Consent: You may withdraw consent for data collection at any time. Note that withdrawal may affect your ability to use certain features (e.g., tier tracking, loyalty rewards). Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at [email protected]. We will respond within 14 days.

You can export your data at any time from the app (Profile → Privacy → Export Data).

Reglr does not track you. We do not share data with advertisers, ad networks, or data brokers; we do not link data we collect with third-party data for advertising purposes; and we do not use Apple's Advertising Identifier (IDFA).

The only cookies we set are first-party session and preference cookies:

• reglr_customer_token: Session authentication cookie (30 days, httpOnly)
• reglr_merchant_session: Merchant session cookie (30 days, httpOnly)
• reglr_onboarding_seen: Onboarding completion flag (1 year)

First-party product analytics. We use PostHog as a first-party product analytics processor under a Data Processing Agreement. PostHog runs in memory-only mode and does not set persistent cookies or local-storage entries. For logged-in customers, events are tagged with your customer ID so we can understand product usage at a customer level — this data stays with us and is not shared with advertisers, ad networks, or data brokers. PostHog is configured with autocapture: false, disable_session_recording: true, and respect_dnt: true.

You can disable cookies in your browser settings, but this may affect Service functionality (you will not stay signed in).

We implement industry-standard security measures:

• HTTPS/TLS encryption for all data in transit
• Encrypted session tokens with 90-second expiry
• Password hashing with bcrypt
• Rate limiting and fraud detection
• IP geofencing (5km radius check)
• Phone numbers encrypted at rest with AES-256-GCM
• Regular security audits

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

If you have questions about this Privacy Policy or our privacy practices, please contact:

If you are not satisfied with our handling of your personal data, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) in Singapore.

PDPC Contact: www.pdpc.gov.sg or 1800-4746-628