1.0 Introduction and Contact Information
Welcome to Looop. This Privacy Policy explains how LOOOP, a subsidiary of RR Agriotech Sdn. Bhd. (1265686-P), referred to as “Looop,” “we,” “us,” or “our,” collects, uses, protects, and discloses personal data when you use our digital loyalty card platform (the “Service”). We are committed to protecting your privacy and ensuring compliance with applicable data protection laws, including Malaysia’s Personal Data Protection Act 2010 (“PDPA”).
1.1 Our Details:
Business Name: Looop
Legal Entity Name: RR Agriotech Sdn. Bhd.
Company Registration Number: 1265686-P
Business Address: B-3-5, SASTRA U-THANT, Lorong Ampang 2, Taman U-Thant, 55000, Kuala Lumpur, Malaysia.
Data Protection Contact: For any privacy-related inquiries, please contact our designated Privacy Contact at Email: hello@getlooop.io
2.0 Our Role and Your Responsibilities
Our role under data protection law depends on whose data we are processing. It is crucial to understand these roles as they define legal responsibilities.
As a Data Controller (or “Data User” under the PDPA): When we collect personal data directly from our business clients (“Merchants”) for account registration, billing, and service management, we determine the purposes and means of processing. For this Merchant data, Looop is the Data Controller.
As a Data Processor: When a Merchant uses our Service to create and manage a loyalty program for their own customers (“Customers”), the Merchant collects the Customer’s personal data. The Merchant decides why and how this data is collected. For this Customer data, the Merchant is the Data Controller, and Looop acts as the Data Processor, processing the data on the Merchant’s behalf and instruction.
A Simple Example: The Corner Cafe
When 'The Corner Cafe' signs up for a Looop account, they provide their business contact and billing information. For this data, Looop is the Data Controller.
When a shopper, Ali, visits the cafe and scans a QR code to get a loyalty card, the cafe asks for his name and email. The cafe is the Data Controller for Ali's data. Looop’s platform, which stores Ali’s details and tracks his stamps for the cafe, is the Data Processor.
3.0 Personal Data Protection Notice (PDPA Section 7)
This notice explains what personal data we process, why we process it, and your rights.
3.0 Data We Process as a Data Controller (Merchant Data)
What we collect:
Account & Profile Data: Your name, email address, phone number, company name, business address, business type, and profile picture.
Payment & Transaction Data: We do not store your credit card details. Our third-party payment processors (e.g., Stripe) handle all payment transactions. We only store a history of your package purchases, transaction dates, and amounts for billing and record-keeping.
Communications Data: If you contact us for support or other inquiries, we collect your contact information and the content of your message.
Usage & Analytics Data: We collect data on how you interact with our platform, such as features used, page views, and login times. We also track aggregated, anonymized platform-wide metrics.
Purpose of Processing (Why we collect it):
To enter into a contract with you and provide the Service.
To create, manage, and secure your Merchant account.
To process payments and manage your subscription.
To communicate with you about your account, service updates, and support requests.
To monitor platform performance, prevent fraud, and improve our Service.
To comply with our legal and financial obligations (e.g., tax and corporate law).
Source of Data: We collect this data directly from you when you register and use our Service.
Is it Obligatory?: Providing this data is necessary to enter into a contract with us and use our Service. Failure to provide it will result in you being unable to create an account and use Looop.
Disclosure to Third Parties: We may disclose your data to the following classes of third parties: Payment gateway providers (to process your payments). Cloud hosting providers (who store our platform data). Email and communication service providers (to send you service-related messages). Analytics service providers (to help us improve our platform). Professional advisors (e.g., lawyers, accountants) and regulatory authorities where required by law.
4.0 Data We Process as a Data Processor (Merchant's Customer Data)
What we process: The personal data the Merchant collects from their Customers via our platform. This may include the Customer’s name, email address, or phone number.
Purpose of Processing (Why we process it): We process this data solely on behalf of and under the instruction of the Merchant for the following purposes:
To generate and manage the digital loyalty card for the Customer.
To track the Customer’s loyalty stamps and rewards.
To enable the Merchant to communicate with their Customers (if this feature is used).
Source of Data: This data is provided by the Customer to the Merchant through the Looop platform interface (e.g., QR code scan and enrollment form).
Is it Obligatory?: It is voluntary for a Customer to provide their data to a Merchant. However, it is necessary if the Customer wishes to participate in the Merchant’s loyalty program. The Merchant, as the Data Controller, is responsible for informing their Customers of this.
Disclosure to Third Parties: We do not disclose this data to any third party, except to our authorized sub-processors (like our cloud hosting provider) as necessary to provide the Service, or as lawfully instructed by the Merchant.
Our Obligations as a Data Processor
When we process Customer data on behalf of our Merchants, we are a Data Processor. We are committed to upholding our legal obligations and providing a secure and reliable platform. We contractually commit to our Merchants to:
Process Only on Instruction: We will only process Customer personal data in accordance with the Merchant’s lawful and documented instructions.
Ensure Confidentiality: We will ensure that our personnel authorized to process Customer data are committed to confidentiality.
Implement Robust Security: We will implement and maintain the technical and organizational security measures detailed in Section 5 of this policy to protect the Customer data we process.
Manage Sub-processors: We will not engage another processor (a “sub-processor”) without the Merchant’s general written authorization. We will maintain a list of our sub-processors (such as cloud providers) and inform Merchants of any intended changes. We will ensure that any sub-processor is bound by contractual obligations that are at least as protective as those in our agreement with the Merchant.
Assist the Merchant: We will provide reasonable assistance to the Merchant to help them fulfill their own data protection obligations, such as responding to data subject rights requests from their Customers and notifying them in the event of a data breach on our platform affecting their Customer data.
Secure Deletion: Upon termination of a Merchant's account, we will delete or return all Customer personal data in our possession, as instructed by the Merchant, unless required by law to retain it.
5.0 Data Security and Retention
Security Principle: We are committed to the PDPA’s Security Principle. We take practical and reasonable steps to protect personal data from loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction. We implement the following technical and organizational security measures:
Technical Measures: Encryption of data in transit (using industry-standard SSL/TLS) and at rest; network firewalls; access controls and authentication mechanisms to limit access to data on a need-to-know basis; regular security patching and vulnerability management.
Organizational Measures: A formal internal data protection policy; regular employee training on data security and privacy obligations; a documented incident response plan for data breaches; strict vendor security assessments; and secure data disposal protocols.
Retention Principle: We adhere to the PDPA’s Retention Principle by not keeping personal data longer than is necessary.
Merchant Data: We retain your account data for as long as your account is active and for a subsequent period of up to 7 years to comply with legal, tax, and financial record-keeping requirements.
Customer Data (as Processor): We retain Customer data for as long as the relevant Merchant’s account is active. This data is permanently deleted from our systems within a reasonable period following the termination of the Merchant’s account, or earlier upon the Merchant’s instruction.
International Data Transfers: Our Service is built on world-class cloud infrastructure providers, such as Amazon Web Services (AWS). This means that personal data may be transferred to, and stored and processed in, data centers located outside of Malaysia. We ensure that all such transfers are lawful under the PDPA. We do this by:
Acknowledging that we use global cloud providers whose data centers are located worldwide.
Ensuring that our cloud providers have committed to providing a level of data protection at least equivalent to that required by the PDPA. We rely on their robust compliance frameworks, which include:
Implementation of internationally recognized security standards (e.g., ISO 27001, ISO 27017, ISO 27018, SOC 2).
The use of legally binding data transfer mechanisms, such as Standard Contractual Clauses (SCCs), which contractually oblige them to protect personal data to a high standard, regardless of where it is processed.
By using these providers, we take reasonable steps to ensure that any personal data transferred outside Malaysia is treated securely and in accordance with this Privacy Policy and the requirements of the PDPA.
6.0 Your Data Protection Rights
You have specific rights concerning your personal data under the PDPA. The procedure to exercise these rights depends on your relationship with us.
For Merchants (Our Direct Clients)
As a Merchant, you are a data subject of Looop. You have the following rights in relation to the personal data we hold about you:
Right to Access: You have the right to request access to a copy of the personal data we hold about you.
Right to Correct: You have the right to request the correction of any of your personal data that is inaccurate, incomplete, or out-of-date.
Right to Withdraw Consent: You have the right to withdraw your consent for us to process your personal data. Please note that withdrawing consent for the processing necessary to provide the Service will result in the termination of your account. You can always withdraw consent for non-essential processing, such as receiving marketing communications, without affecting your Service.
To exercise any of these rights, please submit your request in writing to our Privacy Contact at hello@getlooop.io
We will respond to your request within the timeframes stipulated by the PDPA.
For Customers (End-Users of a Merchant's Loyalty Program)
If you are a Customer of a Merchant using our platform, the Merchant is the Data Controller for your personal data. Looop is the Data Processor and cannot directly fulfill your requests.
To exercise your data protection rights (such as accessing, correcting, or deleting your data), you must contact the Merchant directly (e.g., the cafe, salon, or shop whose loyalty program you joined). We will provide reasonable assistance to our Merchants to help them respond to your requests.
7.0 Third-Party Services and Links
Our Service integrates with third-party services, such as payment gateways (e.g., Curlec, Stripe) and cloud infrastructure providers (e.g., AWS). This Privacy Policy does not cover the privacy practices of these third parties. We encourage you to review their respective privacy policies to understand how they handle your data.
8.0 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new policy on our website and, where appropriate, by notifying you via email. We encourage you to review this policy periodically.
9.0 Governing Law and Jurisdiction
This Privacy Policy is governed by and shall be construed in accordance with the laws of Malaysia.