Data Processing Agreement

This Data Processing Agreement explains how Alvy processes customer, staff, and business data on behalf of businesses that use Alvy.

It is intended to support businesses that need data protection terms for customer phone numbers, emails, loyalty progress, and visit history collected through Alvy.

For customer loyalty data, the business is usually the controller because it decides why customer information is collected and how the loyalty program works.

Alvy is usually the processor because it processes that data to provide the loyalty platform, wallet passes, QR codes, scans, analytics, and related support.

Alvy will process customer data only to provide the service, follow documented business instructions, comply with law, maintain security, prevent abuse, and support the business account.

Data may include customer name, phone number, email address, date of birth where enabled, loyalty progress, rewards, visits, wallet pass identifiers, branch activity, and scan history.

Staff data may include name, phone or username, branch, role, and activity logs.

Alvy uses reasonable technical and organisational measures designed to protect data, including access controls, secure infrastructure providers, encrypted connections where available, and operational safeguards.

Businesses must keep owner and staff credentials secure and remove staff access when no longer needed.

Alvy may use subprocessors for hosting, database, authentication, payments, email delivery, analytics, wallet services, and infrastructure.

Examples may include Supabase, Vercel, Stripe, Resend, Apple, and Google where relevant.

Alvy will provide reasonable assistance where a business needs to respond to a customer request to access, correct, delete, or export personal data.

When a business account ends, Alvy may delete, anonymise, or retain data according to the service settings, legal obligations, security requirements, and backup retention periods.

If Alvy becomes aware of a security incident affecting personal data, we will take reasonable steps to investigate, reduce harm, and notify affected businesses where required.

For data processing questions, contact alvy.co.uk@gmail.com.