Privacy Policy
Last updated: 18 May 2026
This policy is provided for transparency. It is not legal advice; seek independent counsel for your specific situation.
1. Who we are
SamePoints is operated by Xiang Zheng (Lance), sole trader, trading as SamePoints (ABN 11 359 038 061). Contact us at info@samepoints.com.
SamePoints provides loyalty software for merchants using Shopify and Square. We act as a data processor for end-customer loyalty data you connect through those platforms, and as a controller for merchant account and billing data.
2. Personal data we process
- Merchant account data, including name, email, and billing profile.
- Customer loyalty records, such as points balance, redemption activity, and identifiers shared by connected platforms.
- Order and payment events from Shopify and Square webhooks.
- Technical telemetry, logs, and security audit events needed to run and protect the service.
3. Legal bases under GDPR
- Contract performance to provide your subscribed SamePoints services.
- Legitimate interests for fraud prevention, platform security, and service quality improvements.
- Consent for non-essential analytics and marketing cookies, where required.
- Legal obligations where tax, regulatory, or law-enforcement requirements apply.
4. Subprocessors and data sharing
We use trusted service providers to host and operate SamePoints. Typical subprocessors include Supabase (database and auth), cloud infrastructure providers, monitoring vendors, and transactional email providers. We share only the minimum data needed to deliver the service and require appropriate contractual safeguards.
5. International transfers
Personal data may be processed in regions outside your country. Where GDPR applies, we use approved transfer mechanisms such as Standard Contractual Clauses and supplementary safeguards.
6. Retention
We keep personal data only as long as needed for contractual delivery, legal requirements, and dispute handling. Key periods include: merchant account data for up to 90 days after closure; end-customer loyalty data while the merchant uses SamePoints; a 7-day restore window for merchant-deleted customers before permanent deletion; integration logs for up to 90 days; and billing records for up to 7 years where required by law.
Full schedules, encryption, access controls, and incident response are in our Data Protection document.
7. Your rights
- Access, correction, deletion, and portability of your personal data.
- Objection to certain processing activities and restriction requests.
- Withdrawal of consent for non-essential cookies at any time.
- Right to lodge a complaint with your supervisory authority (or the OAIC in Australia).
8. Security
We apply role-based access controls, encryption in transit and at rest (via our hosting providers), tenant isolation, encrypted backups, and monitoring controls designed to protect customer data. Technical and organisational measures are described in our Data Protection document. No internet transmission is fully risk-free, so we continuously review and strengthen our controls.
9. Data breaches (Australia)
If we become aware of an eligible data breach under the Privacy Act 1988 (Cth), we will assess it promptly and, where required, notify affected individuals and the Office of the Australian Information Commissioner (OAIC). If you believe your data has been compromised, contact info@samepoints.com without undue delay.