Privacy Policy

1. Introduction

Zlox B.V. ("Zlox", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital loyalty and gamification platform (the "Service").

This Privacy Policy complies with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws in the Netherlands and the European Union.

Data Controller: Zlox B.V., registered in the Netherlands (Chamber of Commerce number: 85823252), with its registered office at Amsterdam Tech District, Netherlands. For privacy-related inquiries, please contact us at privacy@zlox.nl.

2. Information We Collect

We collect various types of information to provide and improve our Service:

2.1 Personal Information You Provide:

  • Account Information: Name, first name, last name, email address, password, profile image, date of birth, phone number (with country code), address, country, city, timezone, language preferences, job title
  • Company Information: Company name, business category, company registration number (KvK), business address, location coordinates (latitude/longitude), phone number, email, website URL, business type, company description
  • Payment Information: Payment method details, billing address, transaction history, subscription information, invoice data (processed securely through Mollie)
  • Communication Data: Messages, support requests, feedback, and other communications you send to us
  • Content Data: Loyalty program configurations, reward structures, customer engagement data, QR codes, NFC data, program descriptions, and other content you create or upload

2.2 Information Collected Automatically:

  • Usage Data: Log files, access times, pages viewed, features used, clickstream data, device information, browser type, IP address, operating system
  • Location Data: GPS coordinates, location-based service usage (when enabled), beacon detection data
  • Technical Data: Device identifiers, unique device tokens, mobile device information, network information, connection data
  • Activity Data: Login timestamps, last activity timestamps, session duration, engagement metrics, points earned, rewards redeemed, program enrollments

2.3 Information from Third Parties:

  • Payment Processors: Transaction status, payment confirmations, refund information from Mollie
  • Business Registry Data: Company information from KvK (Dutch Chamber of Commerce) API when you register with a KvK number
  • AI Services: Content generated through OpenAI services (processed according to OpenAI's privacy policy)
  • Image Services: Image metadata from Unsplash when you use image search features

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

  • Contractual Necessity (Art. 6(1)(b)): To perform our contract with you, provide the Service, process payments, manage your account, and deliver requested features
  • Legitimate Interests (Art. 6(1)(f)): To improve our Service, prevent fraud, ensure security, analyze usage patterns, and communicate important service updates
  • Consent (Art. 6(1)(a)): For marketing communications, analytics cookies, and optional features where you have provided explicit consent
  • Legal Obligation (Art. 6(1)(c)): To comply with legal requirements, tax obligations, and regulatory compliance

4. How We Use Your Information

We use the collected information for the following purposes:

  • Service Provision: To create and manage your account, provide loyalty program features, process transactions, generate QR codes, manage rewards, and deliver core platform functionality
  • Payment Processing: To process subscription payments, handle billing, manage payment methods, and process refunds through Mollie
  • Communication: To send service-related notifications, account updates, security alerts, support responses, and important service announcements
  • AI-Enhanced Features: To generate and improve content descriptions, translate text, and provide AI-powered features using OpenAI and DeepL services
  • Analytics and Improvement: To analyze usage patterns, improve Service functionality, develop new features, and optimize user experience
  • Security and Fraud Prevention: To detect and prevent fraud, unauthorized access, security breaches, and other malicious activities
  • Legal Compliance: To comply with legal obligations, respond to legal requests, enforce our Terms and Conditions, and protect our rights
  • Marketing (with consent): To send promotional communications, newsletters, and marketing materials (you can opt out at any time)

5. Data Sharing and Third-Party Services

We share your information with trusted third-party service providers to operate our Service. All third parties are contractually obligated to protect your data:

5.1 Payment Processing - Mollie B.V.:

  • Data Shared: Payment method information, transaction amounts, billing addresses, customer identifiers
  • Purpose: Processing payments, managing subscriptions, handling refunds, fraud prevention
  • Location: Netherlands (EU)
  • Privacy Policy: www.mollie.com/en/privacy

5.2 AI Services - OpenAI, L.L.C.:

  • Data Shared: Text content, company descriptions, program information (for content generation and improvement)
  • Purpose: Generating and improving text content, translations, and AI-powered features
  • Location: United States (with appropriate safeguards)
  • Privacy Policy: openai.com/policies/privacy-policy
  • Note: OpenAI may use your content to train their models unless you opt out. We recommend reviewing OpenAI's privacy policy for details.

5.3 Image Services - Unsplash Inc.:

  • Data Shared: Search queries, image selection data
  • Purpose: Providing image search and integration features
  • Location: United States
  • Privacy Policy: unsplash.com/privacy

5.4 Translation Services - DeepL SE:

  • Data Shared: Text content for translation
  • Purpose: Multi-language content translation
  • Location: Germany (EU)
  • Privacy Policy: deepl.com/privacy

5.5 Microsoft Services - Microsoft Corporation:

  • Data Shared: Email, calendar data (if Microsoft Graph integration is used)
  • Purpose: Email and calendar integration features
  • Location: Various (with EU data residency options)
  • Privacy Policy: privacy.microsoft.com

5.6 Business Registry - KvK (Dutch Chamber of Commerce):

  • Data Shared: Company registration number (KvK number)
  • Purpose: Retrieving and verifying company information during registration
  • Location: Netherlands (EU)

5.7 Other Sharing: We may also share your information:

  • With your explicit consent
  • To comply with legal obligations, court orders, or government requests
  • To protect our rights, property, or safety, or that of our users
  • In connection with a business transfer, merger, or acquisition
  • With service providers who assist us in operating the Service (hosting, analytics, customer support) under strict confidentiality agreements

6. International Data Transfers

Some of our third-party service providers are located outside the European Economic Area (EEA). When we transfer your data to these providers, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with service providers in non-EEA countries
  • Adequacy Decisions: Some countries have been deemed adequate by the European Commission
  • Privacy Shield (where applicable): For US-based services, we rely on appropriate transfer mechanisms
  • Your Rights: You have the right to request information about the safeguards we have in place for international transfers

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law:

  • Account Data: Retained while your account is active and for 3 years after account closure (for legal and tax purposes)
  • Transaction Data: Retained for 7 years (as required by Dutch tax and accounting laws)
  • Marketing Data: Retained until you withdraw consent or opt out
  • Legal Obligations: Some data may be retained longer if required by law, court order, or regulatory requirements
  • Deletion: Upon request, we will delete your data in accordance with your rights under GDPR, subject to legal retention requirements

8. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

8.1 Right of Access (Art. 15): You have the right to obtain confirmation as to whether we process your personal data and to access that data, along with information about how it is processed.

8.2 Right to Rectification (Art. 16): You have the right to have inaccurate or incomplete personal data corrected or completed.

8.3 Right to Erasure / "Right to be Forgotten" (Art. 17): You have the right to request deletion of your personal data under certain circumstances, such as when the data is no longer necessary or you withdraw consent.

8.4 Right to Restriction of Processing (Art. 18): You have the right to request that we limit the processing of your personal data in certain situations.

8.5 Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

8.6 Right to Object (Art. 21): You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

8.8 Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement. In the Netherlands, this is the Autoriteit Persoonsgegevens (AP): autoriteitpersoonsgegevens.nl.

To exercise any of these rights, please contact us at privacy@zlox.nl. We will respond to your request within one month (may be extended by two months for complex requests).

9. Data Security

We implement comprehensive technical and organizational measures to protect your personal data:

  • Encryption: Data in transit is encrypted using TLS/SSL protocols. Sensitive data at rest is encrypted using industry-standard encryption algorithms
  • Access Controls: Strict access controls, authentication requirements, and role-based access management
  • Security Monitoring: Continuous monitoring for security threats, unauthorized access attempts, and suspicious activities
  • Regular Updates: Security patches, software updates, and vulnerability assessments
  • Employee Training: Regular security awareness training for employees with access to personal data
  • Incident Response: Procedures for detecting, reporting, and responding to data breaches in accordance with GDPR requirements
  • Backup and Recovery: Regular data backups and disaster recovery procedures

Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze usage, and support our Service. For detailed information about our use of cookies, please see our Cookie Policy.

Key points:

  • We use essential cookies necessary for the Service to function
  • We use analytics cookies (with consent) to understand how users interact with our Service
  • We use functional cookies to remember your preferences and settings
  • You can manage cookie preferences through your browser settings or our cookie consent banner

11. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@zlox.nl. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

12. Marketing Communications

With your consent, we may send you marketing communications, including newsletters, promotional offers, and updates about new features. You can opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Updating your preferences in your account settings
  • Contacting us at privacy@zlox.nl

Please note that even if you opt out of marketing communications, we may still send you important service-related messages (e.g., account updates, security alerts, payment confirmations).

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms
  • Provide clear information about the nature of the breach, likely consequences, and measures taken to address it

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated Privacy Policy on this page with a new "Last updated" date
  • Sending an email notification to your registered email address (for significant changes)
  • Displaying a prominent notice on our Service

Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.

15. Third-Party Links and Services

Our Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to third-party websites or services. We encourage you to review the privacy policies of any third-party websites or services you access through our Service.

16. Contact Information and Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Zlox B.V.
Amsterdam Tech District
Netherlands
Privacy Email: privacy@zlox.nl
General Email: info@zlox.nl
Phone: +31 20 123 4567
Chamber of Commerce: 85823252

Supervisory Authority:
Autoriteit Persoonsgegevens (AP)
autoriteitpersoonsgegevens.nl
Phone: +31 88 1805 250

We are committed to addressing your privacy concerns promptly and transparently. We will respond to your inquiries within one month of receipt.