Boostly Rewards ("Boostly", "we", "us") provides QR-powered loyalty and review tools for local businesses. This Privacy Policy describes the information we collect, how we use and disclose it, and the security practices we use to protect it.
1. Information we collect
We collect the following categories of information:
- Account information — name, business name, email, password (hashed), and billing details you provide when registering.
- Payment information — processed by our payment provider Stripe. We never store full card numbers; we receive a token and limited metadata (last 4 digits, brand, expiration).
- Campaign and content data — campaigns, rewards, QR codes, and analytics you create in the dashboard.
- End-customer interaction data — when a customer scans a QR code, we log the scan event, reward outcome, and (if provided) an email or phone for reward delivery.
- Technical data — IP address, browser, device type, referring URL, and pages viewed, collected via cookies and similar technologies.
- Communications — messages you send to support@boostlyrewards.com.
2. How we use information
- Provide, operate, and improve the Boostly Rewards service.
- Process payments, send invoices, and prevent fraud.
- Send transactional emails (account, billing, password reset, reward delivery).
- Send product updates and marketing — you can opt out anytime via the unsubscribe link.
- Generate aggregated analytics to improve campaign performance and our product.
- Comply with legal obligations and enforce our Terms of Service.
3. Parties we share information with
We do not sell personal information. We share data only with the following categories of recipients, under contracts requiring confidentiality and security:
- Stripe, Inc. — payment processing and subscription billing.
- Supabase / Lovable Cloud — database, authentication, and hosting.
- Email delivery providers — to send transactional and marketing emails.
- Analytics providers — to understand product usage in aggregate.
- Law enforcement or regulators — when required by valid legal process.
- Acquirers — in connection with a merger, acquisition, or asset sale, subject to this Policy.
4. Method of disclosure
Disclosures to service providers occur over encrypted API connections (TLS 1.2+). We do not transmit personal data via unencrypted channels. Public disclosures (e.g. aggregated marketing statistics) contain only de-identified data.
5. Security practices
- All data is transmitted over HTTPS/TLS 1.2 or higher.
- Data is encrypted at rest using AES-256 by our hosting providers.
- Passwords are hashed with bcrypt; we never store plaintext passwords.
- Access to production systems is restricted via role-based access control and multi-factor authentication.
- Row-Level Security policies enforce data isolation between accounts at the database layer.
- Payment card data is handled exclusively by Stripe (PCI-DSS Level 1 certified).
- We log access to sensitive systems and review logs for anomalies.
6. Data retention
We retain account data while your account is active and for up to 24 months after closure, unless a longer period is required by law (e.g. tax records: 7 years). You may request earlier deletion at support@boostlyrewards.com.
7. Your rights
Depending on your jurisdiction (GDPR, CCPA, etc.) you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to marketing. Submit requests to support@boostlyrewards.com — we respond within 30 days.
8. International transfers
Data may be processed in the United States and the European Union. Where required, we rely on Standard Contractual Clauses to safeguard cross-border transfers.
9. Children
Boostly Rewards is not directed to children under 16, and we do not knowingly collect data from them.
10. Changes
We will post updates to this page and, for material changes, notify you by email at least 14 days before they take effect.