Last update: 26.04.2026

Privacy Policy

Introduction

Thank you for choosing loyalty.gokk.agency ("company," "we," "us," or "our"). We are dedicated to safeguarding your personal information and respecting your privacy rights. If you have any inquiries or concerns about our policy or the way we handle your personal information, please reach out to us at [email protected].

The data controller responsible for your personal information is GOKK AGENCY LTD (registration number HE459343), 3022 Ethnikis Antistaseos 15, Limassol, Cyprus. For data protection matters, you may contact us at [email protected].

When you visit our website, loyalty.gokk.agency ("Site"), and utilise our services, you entrust us with your personal information. We prioritise the protection of your privacy and aim to present our Privacy Policy in the clearest manner possible. This privacy notice outlines our policy, explaining what information we collect, how we use it, and what rights you have in relation to it. We encourage you to carefully read through it as it holds significance. Should you disagree with any terms in this Privacy Policy, we kindly request that you refrain from using our site and services.

This Privacy Policy is applicable to all information collected through our websites, such as loyalty.gokk.agency, as well as any related services, sales, marketing, or events (referred to collectively as the "Site" in this Privacy Policy).

We urge you to thoroughly review this Privacy Policy as it will enable you to make informed decisions regarding the sharing of your personal information with us.

Predefined Site roles

As a user, you may hold one of the following predefined roles: (i) a client of the Service with a paid subscription for its use ("Client"), or (ii) a customer of the client utilizing a phone wallet card ("Customer"). We process your personal data slightly differently depending on the role you use.

What information do we collect?

Personal information you disclose to us

We gather personal information that you provide to us, including your name, contact information, passwords, and security data, payment information, as well purchases information (The data set may vary depending on your role on the Site).

The personal information we collect is voluntarily provided by you when you register on the Site, express an interest in obtaining information about us or our products and services, participate in activities on the Site, or contact us in any other way.

The specific personal information we collect depends on the nature of your interactions with us and the Site, the choices you make, and the products and features you use. The personal information we collect may include:

• Name and Contact Data: We collect your first and last name, email address, phone number, date of birthday (applies for the Client and the Customer roles).
• Credentials: We collect passwords, password hints, and other security information used for authentication and account access (applies for the Client role only).
• Payment Data: If you are subscribed to our services, we transfer the necessary data to process your payment, such as your payment instrument number (e.g., credit card number) and the associated security code, to our Payment Provider. All payment data is stored by our Payment Processor, and we recommend reviewing their privacy policies and contacting them directly for any inquiries (applies for the Client role only).
• Purchase Data: If you make purchases at our clients' stores, we may collect the purchase amount, timestamp, and corresponding cashback (applies to the Customer role only and only if the loyalty program logic is supposed to gather such details).
• Relatives Data: Some of our Clients may optionally ask you to provide the name, relationship, and date of birth of your relatives to use this data for birthday reminders or relevant promotions (applies for the Customer role only and only if a Client gathers this data).

It is essential that any personal information you provide to us is truthful, complete, and accurate. Please notify us of any changes to such personal information.

Information automatically collected

Certain information, such as IP address, browser, and device characteristics, is automatically collected when you visit our websites.

When you visit, use, or navigate the Site, we automatically collect specific information. This information does not disclose your specific identity, such as your name or contact details, but may include device and usage details. This can encompass your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you utilise our Site, and other technical information. The primary purpose of collecting this information is to ensure the security and functionality of our Site and for internal analytics and reporting purposes.

Similar to many other businesses, we also gather information through the use of cookies and similar technologies. For more details on this, please refer to our Cookie Policy.

How do we use information?

We process your information for various purposes, including legitimate business interests, the fulfilment of our contract with you, compliance with legal obligations, and/or with your consent.

We utilise the personal information collected through our Site for the following business purposes, relying on specific processing grounds:

1. Facilitating account creation and the login process.
   • Processing ground: Contractual.
2. Sending marketing and promotional communications.
   • Processing grounds: Legitimate business interests and Consent.
   • Please note that you can opt-out of receiving our marketing emails at any time by following the instructions provided in the "Your Privacy Rights" section below.
3. Sending administrative information to you.
   • Processing ground: Contractual.
4. Fulfilling and managing your orders.
   • Processing ground: Contractual.
5. Posting testimonials with your Consent.
   • Processing ground: Consent.
   • If you want to update or delete your testimonial, please contact us at [email protected], providing your name, testimonial location, and contact information.
6. Requesting feedback and contacting you about your use of our Site.
   • Processing ground: Legitimate business interests.
7. Protecting the security of our Site.
   • Processing ground: Legitimate business interests.
8. Enabling user-to-user communications.
   • Processing ground: Consent.
9. Enforcing our terms, conditions, and policies.
   • Processing ground: Legitimate interests.
10. Responding to legal requests and preventing harm.
    • Processing ground: Legal Reasons.
11. Other Business Purposes.
    • Processing ground: Legitimate interests.
    • This includes data analysis, identifying usage trends, evaluating the effectiveness of promotional campaigns, improving our Site, products, services, marketing efforts, and enhancing your overall experience.

Please note that the specific processing grounds may vary depending on the nature of the processing activity.

Disclosure of Your Information

We prioritise the protection of your information and only share it in specific circumstances, including:

1. Compliance with Laws: We may disclose your information if required by applicable laws, governmental requests, court orders, or legal processes. This includes responding to court orders or subpoenas, meeting national security or law enforcement requirements, and fulfilling other legal obligations.
2. Vital Interests and Legal Rights: We may disclose your information if we believe it is necessary to investigate, prevent, or take action regarding potential policy violations, suspected fraud, threats to the safety of individuals, illegal activities, or as evidence in litigation in which we are involved.
3. Vendors, Consultants, and Third-Party Service Providers: We may share your data with trusted third-party service providers who assist us in performing various functions on our behalf. These may include payment processing, data analysis, POS services and systems, email delivery, hosting services, customer service, and marketing efforts. We may also allow selected third parties to use tracking technology on the Site to collect data about your interactions for analysis, tracking, and better understanding of online activity. Please refer to our list of Vendors for more information.
4. Business Transfers: In the event of a merger, sale of company assets, financing, or acquisition of our business, we may share or transfer your information as part of the transaction.
5. Affiliates: We may share your information with our affiliates, including our parent company, subsidiaries, joint venture partners, or other companies under common control, while ensuring that they adhere to this Privacy Policy.
6. Business Partners: We may collaborate with business partners to offer you specific products, services, or promotions.
7. Our Clients: If you are a user with the Customer role, your personal data is processed by us on behalf of the Client with whom you have enrolled. In this context, the Client acts as the data controller for loyalty programme purposes, and GOKK AGENCY LTD acts as a data processor under a written Data Processing Agreement. We recommend reading the Client's own privacy policy for details on how they use your data. We require all Clients to comply with GDPR.
8. With Your Consent: We may disclose your personal information for any other purpose with your consent.

Please note that we do not share, sell, rent, or trade your information with third parties for their promotional purposes, except as explicitly mentioned in this Privacy Policy.

Do we use cookies and other tracking technologies?

Cookies

We utilise cookies and similar tracking technologies, such as web beacons and pixels, to collect and store information. Details regarding the specific usage of these technologies and your options to reject certain cookies are outlined in our Cookie Policy.

Other tracking technologies

In addition to cookies, we may also employ web beacons, pixel tags, and similar tracking technologies on our Site. These technologies help us customise the Site and enhance your experience. A web beacon or pixel tag is a small object or image embedded in a web page or email. They enable us to track the number of users who have visited specific pages, viewed emails, and gather statistical data. The information collected by web beacons and pixel tags is limited and may include a cookie number, the time and date of page or email views, and a description of the page or email where they are located. It is important to note that web beacons and pixel tags cannot be declined individually. However, you can manage their use by controlling the cookies that interact with them.

Is your information transferred internationally?

We may transfer, store, and process your information in countries outside of your own. Our servers are located in EU. If you access our Site from a country outside the EU, please note that your information may be transferred to, stored, and processed by us and our trusted third parties in the EU and other countries.

Where we transfer personal data to processors located outside the European Economic Area — including Stripe, Inc. (payments), Google LLC (Firebase push notifications and Analytics), and Apple Inc. (push notifications) in the United States — we rely on Standard Contractual Clauses approved by the European Commission as the appropriate safeguard under Article 46 GDPR. A copy of the applicable clauses is available on request at [email protected].

What is our stance on third-party websites?

Please be aware that the Site may display advertisements from third parties that are not affiliated with us. These advertisements may direct you to other websites, online services, or mobile applications. It's important to note that we cannot guarantee the safety and privacy of any information you provide to these third parties. The collection and handling of data by third parties are not governed by this Privacy policy.

We are not responsible for the content, privacy practices, and security policies of any third parties, including websites, services, or applications that may be linked to or from the Site. We recommend reviewing the policies of these third parties and contacting them directly to address any inquiries or concerns you may have.

How long do we keep your information?

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected. The table below sets out our standard retention periods by data category:

Data Category	Retention Period	Basis
Account and profile data	1 year after account termination	Contractual
Transaction and financial records	7 years after the transaction	Tax and accounting law
Marketing preferences and history	Until opt-out, then deleted within 30 days	Consent
Technical logs (IP address, device data)	90 days	Legitimate interests (security)
Push notification tokens	Until account deletion or token expiry	Contractual

Once we no longer have a legitimate business need to process your personal information, we will delete or anonymise it. Where immediate deletion is not possible (for example, data held in backup archives), we will securely isolate the data from further processing until deletion becomes feasible.

Please note that certain legal obligations, such as tax, accounting, or other regulatory requirements, may necessitate the retention of your personal information for a longer period.

How do we keep your information safe?

We are committed to safeguarding your personal information and have implemented a combination of organisational and technical security measures to protect it. These measures are designed to prevent unauthorised access, use, disclosure, alteration, or destruction of the personal information we process. We regularly review and update our security practices to ensure the ongoing protection of your information.

However, it's important to note that no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security. Any transmission of personal information to or from our Site is done at your own risk. We recommend accessing our services only from a secure environment and taking appropriate precautions to protect your personal information.

If you have any concerns about the security of your personal information, please contact us at [email protected].

What happens in the event of a data breach?

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority — the Commissioner for Personal Data Protection of Cyprus — within 72 hours of becoming aware of the breach, as required by Article 33 GDPR.

Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, unless an exception under Article 34(3) GDPR applies (for example, where the data was encrypted and remains inaccessible to the attacker).

If you believe your personal data may have been compromised, please contact us immediately at [email protected].

Do we collect information from minors?

Our Site is not intended for children, and we do not market our products or services to minors. By using our Site, you confirm that you are at least 16 years old or that you are the parent or legal guardian of a minor who is using the Site with your consent.

If we become aware that you are under 16 and using the Site, we will immediately deactivate your account and delete your information from our records. If you believe that we have collected personal information from a child under 16, please contact us at [email protected], and we will promptly address the issue.

However, in some cases, our Clients may ask you to provide your relatives' names and birth dates optionally to target related promotions to you (such as exclusive birthday offers or events).

Do we use automated decision-making or profiling?

We use rule-based processing to assign Customers to segments within their loyalty programme. Segmentation criteria may include visit frequency, total spend, loyalty tier, and programme activity. For example, a Customer who has made five or more visits in a month may be assigned to an "active" segment and receive targeted promotions from the Client.

This segmentation is carried out on behalf of our Clients (who act as data controllers for these purposes). No purely automated decisions that produce legal or similarly significant effects on you are made solely by our systems.

You have the right to object to segmentation processing at any time by contacting us at [email protected].

What are your privacy rights?

In accordance with applicable data protection laws, including those in the European Economic Area (EEA), you have certain rights regarding your personal information. These rights may include:

1. Right of Access: You have the right to request access to the personal information we hold about you and to obtain a copy of that information.
2. Right to Rectification: You have the right to request the correction of inaccurate or incomplete personal information we hold about you.
3. Right to Erasure: In certain circumstances, you have the right to request the deletion of your personal information. However, please note that this right is not absolute and may be subject to legal obligations or legitimate interests.
4. Right to Restrict Processing: You have the right to request the restriction of the processing of your personal information in certain situations. Again, this right is not absolute and may be subject to legal requirements.
5. Right to Data Portability: If applicable, you have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that information to another data controller.
6. Right to Object: In certain circumstances, you have the right to object to the processing of your personal information, including for direct marketing purposes.
7. Right to Withdraw Consent: If we rely on your consent to process your personal information, you have the right to withdraw that consent at any time. However, please note that this will not affect the lawfulness of the processing carried out before the withdrawal.

To exercise any of these rights, or if you have any questions or concerns regarding the processing of your personal information, please contact us at [email protected]. We will respond to your request within one month of receipt. In complex or numerous cases we may extend this period by a further two months; we will inform you of any such extension within one month of receiving your request.

If you are a resident in the EEA and believe that we are unlawfully processing your personal information, you have the right to lodge a complaint with your local data protection supervisory authority.

Please note that the availability and scope of these rights may vary depending on the applicable data protection laws and the context of our processing activities.

Account Information

To review, change, or terminate your account, as well as manage your preferences for cookies and email marketing, you can take the following actions:

1. Account Review and Changes:
   • Log into your account settings on the website and update the relevant information as desired.
2. Account Termination:
   • Contact us using the provided contact information below and request the termination of your account. Upon receiving your request, we will deactivate or delete your account and information from our active databases. However, please note that certain information may be retained for specific purposes, such as fraud prevention, troubleshooting, investigations, enforcing our Terms of Use, or complying with legal obligations.
3. Cookies and Similar Technologies:
   • Most web browsers are set to accept cookies by default. If you prefer, you can usually modify your browser settings to remove or reject cookies. However, please be aware that this may impact certain features or services on our Site. For more detailed information, refer to our Cookie Policy.
4. Opting Out of Email Marketing:
   • Unsubscribe from our marketing email list by clicking on the unsubscribe link provided in the emails you receive. This will remove you from the marketing email list, but you may still receive service-related emails necessary for the administration and use of your account.
   • Alternatively, you can update your email preferences by logging into your account settings and adjusting your preferences accordingly.
   • Contact us using the provided contact information to request opting out of email marketing.

Please note that specific instructions and options may vary depending on the platform and services provided. It is recommended to refer to the website's account settings and privacy settings for more detailed instructions on managing your account and preferences.

Additional Rights for California Residents

Applicability

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants specific rights to California residents. The CCPA applies to for-profit businesses that collect California residents' personal information and meet at least one of the following thresholds: annual gross revenues exceeding $25 million; annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households; or deriving 50% or more of annual revenues from selling or sharing consumers' personal information. We comply with CCPA/CPRA as a matter of good practice regardless of our current threshold status, and we will update this section if our status changes.

We Do Not Sell or Share Your Personal Information

We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising purposes, as those terms are defined by the CCPA/CPRA. You will never need to opt out of a sale or sharing arrangement with us because we do not engage in these activities.

Categories of Personal Information We Collect

In the preceding 12 months, we have collected the following categories of personal information from California residents:

CCPA Category	Examples of data collected	Business purpose	Disclosed to
A — Identifiers	Name, email address, phone number, IP address, device identifiers	Account creation, site security, analytics	Service providers (see Vendor List)
B — Personal information per Cal. Civ. Code §1798.80(e)	Name, credit card number (transmitted to Stripe; not stored by us)	Payment processing	Stripe, Inc.
D — Commercial information	Purchase amounts, timestamps, cashback amounts	Loyalty programme operation	Clients (merchants) with whom you are enrolled
F — Internet or other electronic network activity	IP address, browser type, device characteristics, cookies, usage logs	Site security and analytics	Google LLC (Analytics)
G — Geolocation data	Country and general location inferred from IP address	Site localisation	None
K — Inferences	Customer segment assignments based on visit frequency, spend, and loyalty tier	Loyalty programme segmentation	Clients (merchants) with whom you are enrolled

Sensitive Personal Information

Payment card numbers are transmitted directly to and stored solely by Stripe, Inc. — we do not retain them. We do not use or disclose other sensitive personal information for purposes beyond those permitted by CPRA §1798.121(a). To limit our use of sensitive personal information, contact us at [email protected].

Your California Privacy Rights

If you are a California resident, you have the following rights under CCPA/CPRA:

1. Right to Know — Categories: You may request disclosure of the categories of personal information we have collected about you, the purposes for which it was collected, and the categories of third parties to whom it was disclosed, covering the preceding 12 months.
2. Right to Know — Specific Pieces: You may request the specific pieces of personal information we hold about you.
3. Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions permitted by law (such as completing a transaction, detecting security incidents, or complying with legal obligations).
4. Right to Correct: You may request that we correct inaccurate personal information we hold about you.
5. Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale or sharing of your personal information. As stated above, we do not sell or share personal information, so this right is not currently applicable. Should our practices change, we will update this policy and provide an opt-out mechanism before doing so.
6. Right to Limit Use of Sensitive Personal Information: You have the right to limit our use and disclosure of sensitive personal information to what is necessary to provide the services you have requested. Contact us at [email protected] to exercise this right.
7. Right to Non-Discrimination: We will not discriminate against you for exercising any of your California privacy rights. We will not deny you goods or services, charge you different prices, provide a different level or quality of service, or suggest that you will receive a different level or quality of service because you exercised a right under CCPA/CPRA.

How to Submit a California Privacy Request

To exercise any of the rights listed above, submit your request by email to [email protected]. Please include "California Privacy Request" in the subject line and describe the right you wish to exercise. We may need to verify your identity before processing your request.

We will respond within 45 days of receiving your request. Where reasonably necessary, we may extend this period by an additional 45 days and will notify you of the extension within the initial 45-day period.

Shine the Light

Under California Civil Code §1798.83, California residents may request information about personal information disclosed to third parties for their direct marketing purposes in the prior calendar year. We do not disclose personal information to third parties for their own direct marketing purposes.

Do we make updates to this policy?

Yes, we may update this Privacy Policy periodically to ensure compliance with relevant laws and regulations. The updated version will be clearly marked with a revised date and will become effective as soon as it is made accessible. If there are significant changes that may impact your rights or the way we handle your personal information, we will notify registered users by email in addition to posting the updated policy on this page. We encourage you to review this Privacy Policy regularly to stay informed about how we protect your information.

How can you contact us about the policy?

If you have any further questions or comments about our company or our policies, please feel free to email us at [email protected]. We will be happy to assist you and address any concerns you may have.