🇪🇺 EU-Native · Schrems II Compliant

The GDPR-native loyalty program for EU retailers

Apple Wallet and Google Wallet loyalty cards with customer data hosted exclusively in the European Union. No Privacy Shield risk. No transatlantic transfer. DPA signed by default.

Why GDPR matters for loyalty programs in 2026

Since the July 2020 Schrems II ruling of the Court of Justice of the European Union, the Privacy Shield framework that allowed US companies to process EU customer data was invalidated. The replacement (the EU-US Data Privacy Framework, 2023) remains contested. In parallel, national data protection authorities — CNIL in France, BfDI in Germany, AEPD in Spain — have issued increasingly strict guidance on US cloud dependencies.

For retailers running a loyalty program, this creates real exposure. Every customer email, every visit history, every spending pattern is personal data under GDPR. If your loyalty platform stores that data on US servers (as most US-native SaaS does by default), you're implicitly transferring EU customer data to a jurisdiction with significantly weaker privacy protections. In case of an audit, a data breach, or a customer complaint, you bear the compliance burden.

A GDPR-native loyalty program removes this exposure by design. Data is stored in the EU, processing is documented in a standard DPA, sub-processors are all EU-aligned, and customer rights (access, rectification, export, erasure) are built into the product rather than bolted on.

How HanyPass is built GDPR-first

EU-only data hosting

All customer data stored in Supabase EU (Ireland + Germany). No US hosting option needed because there's no US infrastructure in the critical path.

DPA by default

Every paid plan includes a pre-signed Data Processing Agreement. Free plan users can request one via email at any time, no friction.

Minimal data collection

We collect the minimum necessary: first name, email, optional birthday. No phone tracking, no device fingerprinting, no third-party advertising pixels.

Customer rights built-in

Every customer can request data export (JSON) or account deletion directly from their loyalty card. Merchants handle requests from their dashboard in one click.

Transparent sub-processors

Sub-processors are publicly listed: Supabase (EU), Stripe (Dublin), APNs (pass delivery). No hidden analytics vendors, no data brokers.

30-day default retention

Inactive customer data can be auto-purged after configurable retention periods (default 24 months) to comply with data minimization principles.

GDPR compliance vs GDPR-native — the difference

Most loyalty platforms claim "GDPR compliance." This usually means they'll sign a DPA if you ask, they have a privacy policy, and they offer data export on request. That's the minimum required to do business in the EU — it doesn't mean privacy was a design principle.

GDPR-native is a stronger claim: privacy is assumed in the architecture, not retrofitted. HanyPass data lives in the EU because the team chose EU infrastructure from day one (Supabase), not because a compliance consultant added an "EU region" option later. Customer rights (export, deletion) are primary product features, not API workarounds. Sub-processors were chosen for their privacy posture, not their convenience.

In practice, the difference matters most when: your customers ask pointed privacy questions, your national data authority opens an investigation, a security incident happens, or your auditor asks where your vendor's sub-processors are located. GDPR-native means simpler answers, less risk, less friction.

GDPR loyalty program — FAQ

What makes a loyalty program GDPR-compliant?

A GDPR-compliant loyalty program must have a legal basis for processing customer data (usually consent), collect only the data it needs (data minimization), store that data in a known location with a DPA in place with each processor, and let customers access, rectify, export and delete their data on request. HanyPass is built around all of these principles by default — EU hosting, minimal data collection (name + email + optional birthday), a signed DPA, and built-in customer data export and deletion.

Where is my customer data hosted?

Customer data is hosted exclusively in the European Union on Supabase infrastructure (Ireland and Germany regions), with Stripe (Dublin) processing payments. No transatlantic data transfer is required for the core loyalty operations. This eliminates the Schrems II risk that affects most US-native SaaS platforms.

What about Apple Wallet and Google Wallet — they're US companies?

Correct, and this is a subtle but important point. Apple Wallet passes themselves are cryptographically signed .pkpass files delivered to the customer's iOS device. Apple receives minimal metadata (pass type identifier, update endpoints) but not the customer's full profile. The customer's loyalty data (email, points, visit history) stays in HanyPass's EU infrastructure. Google Wallet works similarly via signed JWTs. We've built the architecture to minimize data exposure to US cloud providers.
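As an added illustration of the point above (this is example code, not HanyPass's own; the pass type identifier, team identifier, update endpoint and customer record are constructed placeholders), here are two ways of filling a store-card pass.json: one that renders the customer's profile onto the pass, and a minimized one that sends Apple only an opaque serial number and the balance, with a check that no profile value appears anywhere in the pass payload.

```python
import json
import secrets

# Constructed sample customer record (assumed backend schema, not HanyPass's own).
CUSTOMER = {
    "id": "c_0001",
    "first_name": "Alice",
    "email": "alice@example.com",
    "birthday": "1990-04-12",
    "points": 120,
}

# Profile values that must stay in the EU-hosted backend and never reach the pass.
PROFILE_VALUES = {CUSTOMER["id"], CUSTOMER["first_name"], CUSTOMER["email"], CUSTOMER["birthday"]}


def _base_pass(serial, auth_token, fields):
    """Shared pass.json skeleton for a store card; the keys are the Apple pass format's own."""
    return {
        "formatVersion": 1,
        "passTypeIdentifier": "pass.example.loyalty",  # assumed placeholder
        "teamIdentifier": "TEAMID0000",                # assumed placeholder
        "serialNumber": serial,
        "organizationName": "Example Shop",
        "description": "Loyalty card",
        "webServiceURL": "https://wallet.example.invalid",  # assumed EU-hosted update endpoint
        "authenticationToken": auth_token,             # Apple requires at least 16 characters
        "storeCard": fields,
        "barcodes": [{"format": "PKBarcodeFormatQR", "message": serial, "messageEncoding": "iso-8859-1"}],
    }


def naive_pass(customer):
    """Leaky variant: the customer id becomes the serial and name/email are rendered on the pass."""
    return _base_pass(customer["id"], secrets.token_hex(16), {
        "primaryFields": [{"key": "points", "label": "POINTS", "value": customer["points"]}],
        "backFields": [{"key": "holder", "label": "MEMBER", "value": customer["first_name"]},
                       {"key": "email", "label": "EMAIL", "value": customer["email"]}],
    })


def minimal_pass(customer, serial=None):
    """Minimized variant: opaque serial, only the balance leaves the backend; the profile stays server-side."""
    serial = serial or secrets.token_urlsafe(12)
    return _base_pass(serial, secrets.token_hex(16), {
        "primaryFields": [{"key": "points", "label": "POINTS", "value": customer["points"]}],
    })


def leaked_profile_values(pass_dict):
    """Return the profile values that appear anywhere in the serialized pass.json."""
    blob = json.dumps(pass_dict)
    return sorted(v for v in PROFILE_VALUES if v in blob)


if __name__ == "__main__":
    print(leaked_profile_values(naive_pass(CUSTOMER)))    # ['Alice', 'alice@example.com', 'c_0001']
    print(leaked_profile_values(minimal_pass(CUSTOMER)))  # []
```

The same audit can be run over the Google Wallet JWT claims before they are signed, since the leak check only looks at the serialized payload.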

Do you sign a Data Processing Agreement (DPA)?

Yes. A DPA is automatically included with every paid subscription. Free plan users can also request a DPA via email. It covers data processing purposes, retention periods, sub-processors (Supabase, Stripe), security measures, and breach notification procedures in line with GDPR Article 28.

Can customers export or delete their data?

Yes, customers have full GDPR rights. From their loyalty card, they can request a data export (JSON format with all points, visits and profile fields) or account deletion. Merchants receive the request in their dashboard and can either approve it in one click or let it auto-process after 30 days. Deletion is a hard delete (not a soft delete) to comply with the right to erasure.

What if I'm a non-EU business selling to EU customers?

You're still subject to GDPR if you offer services to EU residents. Using a GDPR-native platform like HanyPass dramatically reduces your compliance burden compared to rolling your own solution on US infrastructure. Your customers benefit from the same privacy protection, and you avoid the Schrems II trap that complicates many US-SaaS dependencies.

Is HanyPass SOC 2 or ISO 27001 certified?

SOC 2 Type II is on our 2026 roadmap (Q3). ISO 27001 will follow. For merchants who need these certifications today, we offer a detailed security questionnaire response and can coordinate direct DPAs with our sub-processors (Supabase holds SOC 2 Type II and ISO 27001; Stripe holds both as well).

How does HanyPass compare to US-hosted competitors on GDPR?

Most loyalty SaaS vendors (PassKit, LoyaltyLion, Yotpo, Smile.io) are US-native with EU hosting as an upsell, not a default. This means standard customer data flows to US servers unless you specifically upgrade and configure otherwise. HanyPass inverts this: EU hosting is default for all plans, including free. This is our core positioning as the GDPR-native loyalty platform.

Launch a GDPR-native loyalty program today

Free up to 10 customers. DPA signed by default on paid plans.