Privacy Policy.
Plain language. No dark patterns. Your data lives in Canada and stays with the business whose loyalty program you joined.
Last updated
1. Who we are
Curzan Loyalty is operated by Curzan Solutions Inc., a Canadian company. We build white-label loyalty software for restaurants, cafés, and shops. References to “we,” “us,” and “our” mean Curzan Solutions Inc.
You can reach us at privacy@curzanloyalty.ca for any privacy question or request, or by mail at:
Curzan Solutions Inc.
15 Hackett Street
Alliston, Ontario L9R 0G9
Canada
2. What this policy covers
This policy explains how we handle personal information across the Curzan Loyalty service, including:
- This marketing website (curzanloyalty.ca).
- Member-facing loyalty programs at <program>.curzanloyalty.ca (the member web app, also installable as a PWA).
- The Curzan Loyalty mobile apps on the Apple App Store and Google Play (when published).
- The tenant admin and staff tools used by participating merchants.
Multi-tenant model. Curzan Loyalty is a platform; each loyalty program belongs to a specific merchant. The merchant is the data controller for your information as a member of their program. Curzan acts as their data processor and provides the technology that runs the program on their behalf. If you have a question about a specific program, the merchant is the right first stop; if the question is about the platform itself, write to us.
3. Information we collect
We collect only what we need to run the loyalty program you joined. There are no advertising trackers, no cross-site profiling, and no data broker relationships.
Account information
- Your name (or display name).
- Email address (required so we can sign you in).
- Phone number (optional — used for SMS/WhatsApp only if you opt in).
- Birthday (optional — used for birthday rewards if the merchant offers them).
Loyalty activity
- Earn events from the merchant’s point-of-sale: the transaction amount, the time, and the location. We never receive or store payment card numbers.
- Redemptions you make and rewards you select.
- Tier changes, points balance, and lifetime spend.
Technical and diagnostic data
- Crash reports and performance data from the member app (via Sentry, with personal information scrubbed before it leaves the app).
- Session cookies (so you stay signed in) and preference cookies (UI state). We do not use advertising cookies or cross-site tracking pixels.
Communication preferences
- Your push-notification, email-marketing, SMS, and WhatsApp opt-in status — including the timestamp and channel of each consent so we can prove it was given.
4. How we use your information
- To run the loyalty program. Credit points from your purchases, show you your balance and tier, process redemptions, and apply promotions.
- Transactional communications. Confirmations when you sign up, earn points, level up a tier, or redeem a reward. These are operational and you can’t opt out of them while you have an active account.
- Optional marketing communications. Only on the channels you’ve explicitly opted into (email, push, SMS, or WhatsApp). You can revoke any channel at any time from your in-app settings or by replying STOP to SMS.
- Fraud prevention. Detecting fake-account signup loops, automated point-farming, and account takeovers — using internal audit logs, never sold or shared externally.
- Tax and accounting compliance. Canadian tax law requires merchants to retain financial transaction records for approximately seven years. Anonymized loyalty activity is retained for that purpose (see Section 8).
We do not use your information for targeted advertising, profile you for ad networks, or share data across merchants. Each program’s data stays with that program.
5. Who we share information with
We share the minimum required to operate the service:
- The merchant whose program you joined. They are the data controller and can see their members’ profiles and activity.
- Service providers (sub-processors) under written data-processing agreements, listed below.
We do not share your data with advertising networks, data brokers, analytics-for-monetization vendors, or any third party for marketing purposes. We do not sell personal information under any definition of the term.
Sub-processors
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Hosted Postgres database and authentication | Canada (ca-central-1, Toronto) |
| Vercel | Web hosting and edge request handling | United States / global edge |
| Resend | Transactional and opt-in marketing email | United States |
| Twilio | SMS and WhatsApp (only when you’ve opted in) | United States |
| Sentry | Error and performance monitoring (personal information is scrubbed at the source) | United States |
| Apple Push Notification service (APNs) | iOS push and Apple Wallet pass updates | United States |
| Google (Firebase Cloud Messaging, Google Wallet) | Android push and Google Wallet pass updates | United States |
| Stripe | Merchant billing (Curzan’s subscription invoices to merchants). Members do not pay Curzan, so members’ payment information is never sent to Stripe by us. | United States |
| Cloudflare Turnstile | Bot protection on public forms | United States / global |
6. International transfers
Your account and loyalty data live on Supabase Postgres in Canada (Toronto, ca-central-1). Some service providers above are located in the United States and your information may transit through their systems for the functions described (for example, sending a transactional email through Resend, or delivering a push notification through APNs). Each sub-processor is bound by a written data-processing agreement and is required to apply comparable safeguards.
7. Your rights
Under Canadian privacy law you have the right to:
- Access the personal information we hold about you (PIPEDA s. 8).
- Correct inaccurate personal information (PIPEDA s. 13).
- Withdraw consent to marketing communications at any time.
- Request deletion of your account and personal information (PIPEDA s. 4.4 and 5.4).
If you are a Quebec resident, Law 25 also gives you the right to:
- Data portability — receive your information in a structured, commonly used format.
- Disclosure of automated decision-making if any decision affecting you is made solely by automated means. Curzan does not make automated decisions about you today; tier promotions are rules-based and visible in the program’s configuration.
How to exercise these rights: account deletion is self-service from inside the member app at Settings → Delete account (see our account deletion page). For everything else, email privacy@curzanloyalty.ca from the address on your account and we’ll respond within 30 days, as PIPEDA requires.
8. How long we keep your information
- While your account is active. Your profile and loyalty activity are retained so the program works.
- After account deletion. Personally identifying fields (name, email, phone, birthday) are scrubbed or replaced with placeholders within 24 hours of a verified deletion request, and we send a confirmation to the email on file.
- Financial records. Anonymized transaction history is retained for approximately seven years to meet the merchant’s obligations under Canadian tax law. At that point it can no longer be linked back to you.
- Audit logs. Security and admin-action logs are retained for forensic purposes; they reference internal IDs only after a deletion.
9. Children
Curzan Loyalty is not directed at children. We do not knowingly create accounts for users under 14 in Quebec or under 13 elsewhere in Canada. If you believe a child has created an account, email privacy@curzanloyalty.ca and we’ll remove it.
10. Cookies and similar technologies
We use a small number of first-party cookies and similar storage mechanisms:
- Session cookies to keep you signed in. HttpOnly, Secure, and SameSite=Lax.
- Preference cookies / local storage for UI state (for example, remembering you’ve dismissed an install prompt).
- Service-worker caches on the PWA so the app works offline and is fast on second visit.
We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that build a behavioural profile. Operational diagnostics through Sentry are scrubbed of personal information before leaving the app.
11. Security
- In transit: TLS 1.2+ on every connection to *.curzanloyalty.ca. HSTS preload is configured.
- At rest: AES-256 encryption on the Supabase Postgres database. Tenant integration secrets are additionally encrypted with per-row keys.
- Access control: Row-level security in the database means tenant data cannot leak across tenants even if an application bug tried to.
- Authentication: Magic-link sign-in (no passwords stored). Two-factor authentication via authenticator app or passkey is available to merchant administrators and is required for super-admins.
- Audit logging: Privileged actions and security events are written to an append-only audit log that even our service role cannot edit.
We monitor for incidents continuously. If a breach poses a real risk of significant harm to you, we will notify you and the Office of the Privacy Commissioner of Canada under PIPEDA, and the Commission d’accès à l’information du Québec within 72 hours where Quebec residents are affected, per Law 25.
12. Changes to this policy
We may update this policy as the service evolves. When we do, we’ll change the “Last updated” date at the top of this page. For material changes that affect your rights, we’ll also send an email to active accounts before the change takes effect.
13. Contact us
For any privacy question, request, or complaint, write to privacy@curzanloyalty.ca. Our privacy officer (currently the founder) will respond within 30 days.
If you are not satisfied with our response, you can contact the Office of the Privacy Commissioner of Canada at priv.gc.ca. Quebec residents can additionally contact the Commission d’accès à l’information du Québec at cai.gouv.qc.ca.
See also our Terms of Service and our account deletion page.