Xoxoday Loyalife implements end-to-end personal data governance aligned with GDPR, CCPA, and equivalent regional privacy regulations, covering consent capture, lawful disclosure, data subject rights, and secure erasure.

Personal Data Governance in Loyalife

Xoxoday Loyalife treats data privacy as a foundational design principle rather than a compliance checkbox. Every data processing activity performed by the platform — from participant onboarding to reward redemption — is governed by documented legal bases, and your organisation retains full control over how personal data is collected, stored, shared, and deleted. Loyalife is built on infrastructure certified to ISO 27001 and audited under SOC 2 Type II, providing an independently verified baseline for the security and confidentiality of personal data processed within the platform.

Xoxoday Loyalife supports granular consent capture at the point of enrolment. When employees or customers join a loyalty programme — whether onboarded directly or via an integration with Workday, SAP SuccessFactors, or Darwinbox — Loyalife records the consent event with a timestamp and the specific purpose for which data is being collected. Consent records are immutable audit entries, meaning they cannot be silently modified after the fact. Participants can withdraw consent through a self-service interface, and Loyalife propagates that withdrawal to downstream processing automatically, stopping further use of the data for communications, profiling, or segmentation.

Transparency and Disclosure

GDPR Articles 13 and 14 require organisations to inform data subjects about how their data is used. Xoxoday Loyalife supports this through configurable privacy notices that can be surfaced within the loyalty portal, in notification emails, and in embedded flows triggered via MS Teams or Slack integrations. Your organisation controls the notice text and can update it without a platform release cycle. Data processing records maintained by Loyalife are available to your Data Protection Officer on request, covering the categories of data processed, retention periods, and third-party sub-processors involved in delivery.

Data Subject Rights: Access, Rectification, and Erasure

Loyalife supports the full set of data subject rights required under GDPR. Participants can submit a Subject Access Request (SAR) and receive a structured export of all personal data held against their profile — including transaction history, reward redemptions, and communication preferences. For the right to erasure (“right to be forgotten”), Loyalife provides a verified deletion workflow. Once triggered, personal identifiers are purged from active records and flagged for removal from backup tiers within the retention window defined in your data processing agreement. Anonymised aggregate data — such as programme-level redemption statistics — is retained for reporting purposes only, with no linkage back to the individual.

International Regulatory Alignment

Beyond GDPR, Xoxoday Loyalife’s privacy controls are designed to support compliance with CCPA (California), PDPA (Thailand and Singapore), and India’s Digital Personal Data Protection Act. Your legal and compliance team can configure regional-specific data residency settings to ensure personal data stays within the required geographic boundary. All data transfers outside the EEA are governed by Standard Contractual Clauses, and Loyalife maintains a current Data Processing Agreement that your organisation can execute as part of the procurement process.
Learn more: Xoxoday Loyalife Help Centre — Security

Data Residency and Storage Regions

Understand where Loyalife stores personal data and how to configure geographic boundaries for GDPR and regional compliance.

Access Controls and Role-Based Permissions

Learn how Loyalife enforces least-privilege access to limit who can view or export participant personal data.