Xoxoday Plum processes multiple categories of personal data—including identity, contact, transactional, and behavioral data—protected by AES-256 encryption at rest, TLS 1.2 in transit, and role-based access controls, with geo-specific data storage available for US and Singapore regions.
Xoxoday Plum processes personal data across five distinct categories, each tied to the nature of the rewards or incentive program your organisation runs. The scope of data collected is determined by your program configuration and is limited to what is necessary for reward delivery, compliance, and program administration.
Identity and Contact Data
Xoxoday Plum collects identity data such as name, email address, phone number, employee ID, and IP address to authenticate users and personalise reward experiences. Contact information—including mailing address and phone number—is used primarily for physical reward delivery or digital voucher dispatch. This data is never shared beyond what is required to fulfil a given reward transaction.
Transactional Data
Every reward redemption generates transactional records: order IDs, reward amounts, redemption timestamps, and fulfilment status. Xoxoday Plum retains this data to power administrator dashboards, enable financial audits, and support finance teams reconciling reward spend. Organisations integrating Xoxoday Plum with Workday or SAP SuccessFactors can surface this transactional history directly within their existing HR workflows, eliminating manual reconciliation.
Behavioral Data
Xoxoday Plum logs interaction data including login activity, reward browsing history, and user preferences. This data drives personalised reward recommendations and helps program administrators identify participation patterns—critical for optimising engagement in long-running programs where notifications are delivered via Slack or Microsoft Teams.
Optional Sensitive Data
For programs involving tax compliance, such as sales incentives or research participant payouts, Xoxoday Plum supports the collection of tax-relevant fields including W-9 form details and full legal name. Collection of this data is enabled only when your organisation's program configuration requires it, and the data is subject to stricter access controls than standard reward data.
How Data Is Protected
Xoxoday Plum encrypts all stored data using AES-256 and secures data in transit with TLS 1.2. Access to personal data is governed by role-based access controls (RBAC), ensuring program administrators, finance teams, and HR managers access only the data relevant to their function. Xoxoday Plum is certified under ISO 27001 and SOC 2 Type II, providing independent third-party assurance of these controls.
Storage, Retention, and Residency
Xoxoday Plum supports geo-specific data storage, with dedicated infrastructure available in the United States and Singapore to satisfy regional data residency requirements. Data is retained for up to seven years in line with standard financial and tax compliance obligations, with full audit logs maintained for a minimum of three years. Xoxoday Plum applies data minimisation principles throughout—collecting only what each program configuration requires—and supports anonymisation for data no longer needed for active processing.