Data Protection

Last updated: 18 May 2026

This policy is provided for transparency. It is not legal advice; seek independent counsel for your specific situation.

1. Scope and purpose

This document describes how SamePoints handles personal data for merchants using our loyalty platform, end-customers whose loyalty records merchants connect through Shopify or Square, prospective customers who contact us or sign up, and visitors to SamePoints websites.

Personal data means information that identifies a person (for example name or email) or can reasonably be linked to a person (for example a platform customer ID combined with purchase history). For broader privacy rights and legal bases, see our Privacy Policy.

2. Data retention schedule

We keep personal data only as long as needed for the purposes below. When retention ends, we delete or anonymise data unless a longer period is required by law.

Data categoryTypical contentsRetention period
Merchant accountName, email, tenant settings, integration credentials (encrypted at rest)While the account is active, then up to 90 days after closure to complete offboarding and support requests
End-customer loyalty recordsPoints balance, identifiers from Shopify/Square, redemption historyWhile the merchant’s subscription is active and they use SamePoints; deleted with the merchant account or on merchant instruction, subject to the soft-delete window below
Soft-deleted customers (trash)Customer rows moved to trash by a merchant7 days restore window, then permanent deletion (enforced in application code)
Integration & webhook event logsEvent type, status, limited payload metadata for troubleshootingUp to 90 days, then deleted or aggregated where possible
Infrastructure & security logsHTTP access, errors, authentication events from hosting and database providersTypically 30–90 days per subprocessors’ default log retention unless a longer period is needed for an active security investigation
Billing & tax recordsInvoices, subscription status, payment referencesUp to 7 years where required for Australian tax and accounting obligations
Marketing & analytics (with consent)Cookie-based analytics where enabledPer our Cookie Policy; withdraw consent at any time

Merchants may request earlier deletion of their data or their customers’ loyalty data by contacting info@samepoints.com, subject to legal holds and legitimate backup recovery windows described in section 3.

3. Encryption and backups

  • Encryption in transit: All production web traffic uses HTTPS (TLS). Database connections use TLS (sslmode=require or equivalent).
  • Encryption at rest: Customer data is stored in PostgreSQL hosted by Supabase, which encrypts data at rest on managed infrastructure.
  • Encrypted backups: Database backups and point-in-time recovery are managed by Supabase and stored encrypted. We do not maintain separate unencrypted copies of production customer databases.
  • Secrets: API keys, OAuth tokens, and webhook secrets are stored in environment configuration on the application host and are not committed to source control.

4. Test and production separation

Production customer data lives only in the production Supabase project and production deployment on Railway. Local development and automated tests use separate configuration; we do not copy live merchant customer databases into developer machines. Synthetic or anonymised data is used for testing where feasible.

5. Data loss prevention and access controls

SamePoints operates a practical data protection programme designed for a small, dedicated team:

  • Least privilege: Access to production databases, deployment consoles, and service-role keys is limited to authorised personnel who need it to operate the service.
  • Tenant isolation: Application logic and PostgreSQL row-level security restrict each merchant to their own tenant data.
  • No routine bulk export: Production personal data is not exported to personal devices or non-production environments except for documented support, migration, or legal requirements.
  • Merchant-facing exports: CSV export in the product is available only to authenticated merchants for their own tenant data.
  • Backup recovery: Supabase backups and point-in-time recovery protect against accidental deletion or infrastructure failure; this complements but does not replace access and retention controls.

6. Staff access, passwords, and logging

  • Staff access to customer personal data is limited to roles that require it for engineering, security, or support. SamePoints is operated by a sole trader; there are no additional employees with standing production access unless explicitly authorised in writing.
  • Strong authentication: Cloud provider accounts (Supabase, Railway, GitHub, email) require strong unique passwords and multi-factor authentication where available.
  • Access logging: We rely on subprocessors’ platform logs (authentication, database, hosting) and application integration event logs to investigate security and reliability issues. We do not maintain a separate stand-alone “PII access register” beyond these operational logs.

7. Security incident response

If we suspect unauthorised access, loss, or disclosure of personal data, we follow this process:

  1. Detect and contain — Revoke compromised credentials, block suspicious access, and preserve relevant logs.
  2. Assess — Determine scope, data categories affected, and whether notification is required under applicable law (including the Australian Privacy Act Notifiable Data Breaches scheme where relevant).
  3. Notify — Inform affected merchants and, where required, regulators and individuals without undue delay, consistent with our Privacy Policy.
  4. Remediate — Patch vulnerabilities, rotate secrets, and improve controls to reduce recurrence.
  5. Review — Document lessons learned and update this policy or technical controls as needed.

Report suspected incidents to info@samepoints.com with subject line “Security incident”.

8. Subprocessors

Key providers that process personal data on our behalf include Supabase (database and authentication), Railway (application hosting), Shopify (app installation, billing, and store APIs), Square (optional merchant-connected in-store payments), and transactional email providers. App subscription charges are billed through Shopify App Pricing. We require appropriate contractual and technical safeguards and share only data necessary to deliver the service.

9. Shopify protected customer data (Level 1 & 2)

SamePoints accesses Shopify protected customer data only to provide loyalty functionality for merchants. We implement Shopify's Level 1 and Level 2 requirements as follows:

  • Data minimisation (Level 1): We process customer email, phone, and name fields only where needed to match Shopify and Square customers to a single loyalty profile, sync points, issue gift cards, and display wallet history. We do not request shipping or billing address fields from Shopify for loyalty processing.
  • Transparency (Level 1): This document and our Privacy Policy describe what personal data we process and why. Merchants are informed during onboarding and in our Terms of Service.
  • Purpose limitation (Level 1): Personal data is used only to operate the loyalty service, prevent fraud, maintain security, and comply with law — not for unrelated advertising or resale.
  • Merchant agreement (Level 1): Merchants agree to our Terms of Service and Privacy Policy before using SamePoints, which govern our processing on their behalf.
  • Retention, encryption, backups, environments, DLP, access, logging, and incidents (Levels 1–2): Covered in sections 2–7 above.

10. Contact

Data protection enquiries: info@samepoints.com