Home
LoyaltyReward customers for actions
AccountsOn-brand customer accounts
ReferralsTurn customers into brand advocates
MembershipCreate a paid membership program

Platform

Partner ProgramIntegrationsDevelopers

What's New

New Feature
Pricing
Blog
Guides & Tips
Loyalty & Retention
Product Updates
Company Updates

Privacy Policy

Last updated: 1 February 2025

This Privacy Policy describes how Mage Ecom Ltd ("Mage Loyalty", "we", "us", or "our") collects, uses, stores, and shares personal data when you visit our website at www.mageloyalty.com and its subdomains (the "Website"), use our customer retention and loyalty platform for Shopify (the "Platform"), or otherwise interact with us (collectively, the "Service").

We are committed to protecting your privacy and handling your personal data in an open and transparent manner. Please read this policy carefully so that you understand your rights and how we will use your data.

1. Who We Are

Mage Ecom Ltd is a company registered in England and Wales. For the purposes of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, we are the data controller when we process the personal data of visitors to our Website, prospective customers, and users who interact with us directly.

When our customers use the Platform to run loyalty and retention programmes for their own end users, we act as a data processor on behalf of those customers. Section 7 of this policy explains what that means in practice.

Data Controller

Mage Ecom Ltd

Email: hello@mageloyalty.com

2. What Personal Data We Collect

2.1 Data You Give Us Directly

When you create an account, subscribe to a plan, contact us, or otherwise interact with the Service, you may provide:

  • Name and job title
  • Email address
  • Company or trading name
  • Billing address
  • Telephone number
  • The content of messages you send us (including via email, live chat, or social media)

2.2 Data We Collect Automatically

When you visit the Website or use the Platform, we automatically collect certain technical and usage information, including:

  • IP address and approximate geolocation (city or region level)
  • Browser type and version, operating system, and device type
  • Pages you view, how long you spend on each page, and the page that referred you to us
  • Date and time of your visit
  • Information collected through cookies, pixels, and similar technologies (see Section 5)

2.3 Data From Third Parties

We may receive information about you from third-party sources. For example, when you install our app through the Shopify App Store, Shopify shares certain store and account information with us in order to provision your access to the Platform.

2.4 Payment Information

Most payments are processed directly through Shopify in accordance with their billing terms. Where we invoice separately, payments are processed by Stripe. In either case, we do not store your full credit or debit card details on our systems. For information on how these providers handle your data, please refer to Shopify's Privacy Policy and Stripe's Privacy Policy.

3. Lawful Basis for Processing

Under the UK GDPR we must have a valid legal ground for processing your personal data. The bases we rely on are set out below.

Performance of a contract (Article 6(1)(b))

Processing that is necessary to provide the Service to you, manage your account, process payments, and fulfil our obligations under our Terms of Service.

Legitimate interests (Article 6(1)(f))

Processing that supports our legitimate business interests, provided those interests are not overridden by your rights. This includes improving the Service, understanding how the Website and Platform are used, preventing fraud, and ensuring network and information security.

Consent (Article 6(1)(a))

Where we send you direct marketing communications or place non-essential cookies, we do so on the basis of your consent. You may withdraw your consent at any time (see Sections 5 and 11).

Legal obligation (Article 6(1)(c))

Processing that is necessary for us to comply with a legal or regulatory obligation, for example retaining financial records for tax purposes.

4. How We Use Your Personal Data

We use the personal data we collect to:

  • Set up and manage your account and provide access to the Platform
  • Process transactions, send invoices, and manage billing
  • Respond to your enquiries and provide customer support
  • Send service-related notices, including technical updates, security alerts, and changes to our terms or policies
  • Analyse how the Website and Platform are used so that we can improve them
  • Detect, prevent, and investigate fraud, abuse, or other unlawful activity
  • Comply with legal obligations and enforce our Terms of Service
  • With your consent, send marketing communications about products, features, or promotions that may be relevant to you

We will not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

5. Cookies & Analytics

5.1 What Are Cookies?

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work efficiently and to provide reporting information to site operators. We also use similar technologies such as pixels and tags.

5.2 Cookies We Use

Strictly necessary cookies

Required for the Website to function (e.g., session management and security). These cannot be switched off.

Analytics cookies

We use Google Analytics and Google Tag Manager to understand how visitors interact with the Website. These tools collect information such as the pages you visit, how long you spend on the site, and how you arrived. The data is aggregated and anonymous where possible. You can learn more about Google's data practices at policies.google.com/privacy.

5.3 Managing Your Cookie Preferences

Most browsers allow you to refuse or delete cookies through their settings. You can also opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. Please note that disabling cookies may affect the functionality of some parts of the Website.

6. Who We Share Your Data With

We do not sell your personal data. We share it only where necessary and only with the following categories of recipient:

Infrastructure & hosting providers

We use Fly.io for application hosting and Supabase for database and file storage. These providers process data on our behalf under appropriate contractual safeguards.

Payment processors

Shopify processes the majority of subscription payments. Where invoicing is handled outside of Shopify, we use Stripe. Both providers act as independent controllers for the payment data they process.

Analytics providers

Google Analytics and Google Tag Manager, as described in Section 5.

Professional advisers

Lawyers, accountants, and auditors where reasonably necessary for the operation of our business.

Law enforcement & regulators

Where we are required to do so by law, court order, or regulatory obligation, or where disclosure is necessary to protect our legal rights or the safety of others.

Business transfers

In connection with a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change.

7. Customer Platform Data

When you use the Platform to run loyalty programmes, rewards, or referral campaigns for your own customers, you may upload or generate personal data relating to those end users ("Customer Platform Data").

In this context, you are the data controller and we are the data processor. We process Customer Platform Data only on your instructions and solely for the purpose of providing the Service. Our obligations as a processor are set out in Section 4 of our Terms of Service.

If an end user wishes to access, correct, or delete their personal data, that request should be directed to you (the merchant) as the data controller. We will assist you in responding to such requests in accordance with our obligations under applicable data protection law.

8. International Transfers

Mage Ecom Ltd is based in the United Kingdom. Some of the third-party service providers we use (including our hosting and database infrastructure) may process data outside the UK and the European Economic Area.

Where personal data is transferred to a country that has not been deemed to provide an adequate level of data protection, we ensure appropriate safeguards are in place, such as the International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses (as supplemented by the UK Addendum), to protect your data in accordance with the UK GDPR. You may request a copy of the relevant safeguards by contacting us at hello@mageloyalty.com.

9. Data Retention

We keep your personal data only for as long as necessary for the purposes for which it was collected. The retention period depends on the nature of the data and the reason we hold it:

  • Account data: retained for the duration of your account and for up to 90 days afterwards (to allow reactivation), unless you request earlier deletion.
  • Billing and transaction records: retained for up to 7 years to comply with tax and accounting obligations.
  • Support correspondence: retained for up to 2 years after the issue is resolved.
  • Website analytics data: retained in accordance with Google Analytics' default retention settings (currently 14 months).

When personal data is no longer required, we will securely delete or anonymise it. Data held on automated backups will be overwritten in the normal backup cycle.

10. Your Rights

Under the UK GDPR you have a number of rights in relation to your personal data. Subject to certain conditions and exemptions, you have the right to:

AccessRequest a copy of the personal data we hold about you.
RectificationAsk us to correct personal data that is inaccurate or incomplete.
ErasureAsk us to delete your personal data where there is no compelling reason for us to continue processing it.
RestrictionAsk us to restrict the processing of your personal data in certain circumstances.
PortabilityReceive a copy of data you have provided to us in a structured, commonly used, machine-readable format.
ObjectionObject to processing based on legitimate interests or for direct marketing purposes.
Withdraw consentWhere processing is based on consent, withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, please contact us at hello@mageloyalty.com. We will respond within one month of receiving your request. In complex cases we may extend this by a further two months, in which case we will let you know.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection. You can contact the ICO at ico.org.uk/make-a-complaint or by calling 0303 123 1113.

11. Marketing Communications

We may send you emails about products, features, or updates that we think will be of interest to you. We will only do so where you have given your consent or where we are permitted to do so under the "soft opt-in" rule (i.e., you are an existing customer and the communications relate to similar products or services).

You can opt out of marketing emails at any time by clicking the "unsubscribe" link at the bottom of any marketing email, or by emailing us at hello@mageloyalty.com. Opting out of marketing will not affect service-related communications (such as billing notices or security alerts).

12. Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These measures include encryption of data in transit, access controls, and regular security reviews.

However, no method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

13. Children

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided personal data to us, please contact us at hello@mageloyalty.com and we will take steps to delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make changes, we will revise the "Last updated" date at the top of this page. If we make material changes that affect how we use your personal data, we will notify you by posting a notice on the Website or by sending you an email before the changes take effect.

16. Contact Us

If you have any questions about this Privacy Policy, want to exercise your data protection rights, or wish to make a complaint, please get in touch:

Mage Ecom Ltd

Email: hello@mageloyalty.com

You also have the right to complain to the Information Commissioner's Office if you believe your data protection rights have been breached. Visit ico.org.uk for more information.

End of Privacy Policy

Let's talk loyalty and retention.

Chat with us and see why brands looking for a modern loyalty platform choose Mage.