Introduction
Spaaza is a software company that builds tools to incentivise modern commerce. This includes providing solutions such as loyalty programs. Spaaza helps businesses create incentives that add value to their business, customers, employees and their communities.
To create more relevant and personal incentives we provide businesses with a solution that collects and stores personal data that is shared through the various places that a customer interacts with that business - for example in physical stores, on webshops and through mobile applications.
Spaaza takes data protection and privacy very seriously. We consider it not just a legal and moral responsibility but also key competitive advantage of our solution.
Spaaza’s role as a data processor
Spaaza provides the tools necessary to run a modern incentive program but the program itself is run and managed by the business.
Spaaza therefore has the role of a “data processor” and the business has the role of the “data controller”. As a data processor, and under the European General Data Protection Regulation (GDPR), Spaaza has certain responsibilities towards protecting personal data that we store and process. This document covers what data we store, what this data is used for, how customers can update or access their data and measures we take to ensure the security of this data.
As a data controller the business can choose what data they want to store in Spaaza and how they want this to be used. The business, as a data controller, is also responsible for communicating to customers how their data will be used and what personal data is currently stored. In many cases businesses will use Spaaza’s solution in conjunction with other data processing solutions. This document thus serves a general overview of data privacy at Spaaza rather than a specific overview of the privacy policy of one or more of our business clients.
Data that Spaaza collects
Businesses use Spaaza to store personal data that customers have agreed to share in order to: participate in a businesses loyalty or incentive program; receive email communication from a business; receive physical mail from a business; participate in competitions or events managed by a business; or to maintain an account on a businesses webshop.
Spaaza advocates and supports privacy-by-design and “data minimisation” which means that we encourage and support businesses to collect only the data that they require.
Spaaza may store the following personal data that customers have shared with a business:
- Email addresses
- Name
- Address
- Gender
- Birthday
- Communications preferences and opt-ins (email, notifications and physical mail)
- Facebook likes
- Phone numbers
- Whether they are an "influencer" or employee
- Their interests or preferences
- Opt-in to loyalty program
When a customer profile exists in Spaaza, and when permission has been given by the customer, Spaaza may also collect and store data that is derived from the interactions the customer has with the business. This includes:
- Purchases
- Logins to the webshop
- Logins to the application
- Visits to the physical store
- Visits to the webshop
- Product reviews
- The details of who referred the customer to the business (this would always be another profile stored in Spaaza)
- The details of who referred the customer to buy a particular product (this would always be another profile stored in Spaaza)
- Product page views on a webhop or mobile application
- Web browser details from visits to the webshop
- Mobile phone details from the installation and usage of the businesses app
The IP address used by a customer may also be stored temporarily if a businesses is using Spaaza’s mobile application solutions. This data is only stored in our logs and is not accessible to a business. Logs are used internally to maintain our service and identify and solve problems in our software. Logs are automatically deleted after 30 days.
How data collected in Spaaza is used
Spaaza provides tools to businesses which uses the data stored in Spaaza to create better incentives and experiences for the customer. Spaaza also provides tools that use the data stored in Spaaza to help a business make better, data-driven, decisions.
Below are some common examples of how data collected by Spaaza is used by businesses:
- When a customer who has shared their personal data visits a store and wants to make a purchase the staff member may ask them for their email address, name or postcode in order to identify the customer and link their profile to a transaction so that the customer can earn points as a result of their purchase.
- When a customer logs into the webshop, data stored in Spaaza is used to show them their correct points balance, any rewards they have earned and their full purchase history.
- When a business wishes to send an email to a customer, either directly or as a newsletter, then the contents of the mails may be personalised based on data stored in Spaaza. For example clothing for males would not be shown to female customers.
- Businesses can create segments or groups of customers who fit within a specific demographic. For example they can use Spaaza to get a list of all males who have shopped at a particular store for the purposes of then communicating that their is a special event for them at the store.
- Businesses can use the birth date of a customer to give the customer a gift for their birthday.
- Businesses can use the address and direct mail opt-in data in Spaaza to send physical mail to customers, like brochures.
- Staff in store may ask customers for some personal details in order to look up that customer’s Spaaza profile to see their previous purchases. They could use this data to make a better product recommendation to the customer.
- Support staff at head office can use the data in Spaaza to help a customer who has a support request.
Spaaza adds additional data or "insights" to a customer’s profile which are derived from the data that we store. This data is typically statistical in nature and helps businesses to identify how they could improve their business - for example “who are my biggest spending customers this month”. Spaaza does not take any actions based on this profiling data but a business may choose to use this data in their own activities, for example in marketing campaigns.
Data we share with third parties
Spaaza will not share any personal customer data with a third party, unless that party has been authorised to access the data by the business, who controls the data.
Businesses often work with other data processors who they have authorised and who will connect with Spaaza through our secure API (Application Programming Interface) to access customer data. Examples of this include:
- Email marketing solutions
- Webshop software
- Point of sale software for physical stores
- CRM (Customer Relationship Management) tools
It is the businesses responsibility as a data controller to communicate to customers how their personal data is being used and Spaaza is only responsible for the data stored in its own systems.
Accessing and updating personal data
Spaaza aims to make it as easily as possible for customers to update any incorrect or out-of-date data that is stored in Spaaza. We also aim to make it easy for a customer to access all their data.
Data in Spaaza can typically be accessed and updated through the following methods:
- By staff in a retailer’s physical shops who have access to Spaaza’s Store interface
- By staff in a retailer’s physical shops via a POS system that has integrated Spaaza
- By logging in to the businesses mobile app
- By logging in to the businesses webshop
- By contacting customer support who have access to Spaaza head office tools
Should a customer wish to remove their data stored in Spaaza they need to submit a request to the business which then needs to pass this request on to Spaaza. Spaaza will then remove all personally identifiable data about the customer from it’s systems in a timely manner.
Spaaza is not responsible for removing customer data that is stored in other systems that the business may use.
Data security
Spaaza adheres to best practise and works hard to prevent unauthorised access to personal data stored in our systems. In particular:
- we encrypt all web traffic using SSL
- we restrict access to personal data to Spaaza employees and contractors who are subject to confidentiality agreements. Staff and contractors are only given access to personal data that they require in order to carry our their role or task at Spaaza.
- we have physical security measures as well as software and infrastructure based measures to protect against unauthorised access
- we require that customers need to log in with a password and username to view or access their data
- we require that staff need to be given a Spaaza account together with the necessary privileges to be able login and access and change any customer data
- we locate all our servers and databases where we store customer data in the European Union.
Back to top