Every loyalty transaction generates personal data — names, email addresses, purchase histories, location patterns. Singapore's PDPA sets clear rules for how this data must be handled.

What PDPA Requires

Consent

You must obtain consent before collecting, using, or disclosing personal data. For loyalty programmes, this means clear opt-in during sign-up — not pre-checked boxes or buried terms.

Purpose Limitation

Data collected for loyalty rewards can only be used for loyalty rewards (and reasonably related purposes). You can't sell customer purchase data to third parties without separate, explicit consent.

Access and Correction

Customers have the right to access their data and request corrections. Your platform must support data export and profile editing.

Retention

Don't keep data longer than necessary. If a customer hasn't been active for 2 years and you have no legal reason to retain their data, it should be deleted.

Practical Implementation

  • Include a clear, readable privacy policy in your app and sign-up flow
  • Implement data access and deletion endpoints in your API
  • Log all data processing activities
  • Appoint a Data Protection Officer if processing large volumes
  • Conduct regular audits of what data you're storing and why
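The Retention section and the implementation checklist above describe a set of data-handling controls without showing how they fit together in code. The following is an added example, not code from Experience Zeno or any other platform, of a minimal in-memory loyalty member store that enforces explicit opt-in consent, purpose limitation, access and correction, deletion on request, a retention purge for members inactive beyond the two-year window (with a legal-hold exception), and an audit log of every processing activity. All member names, e-mail addresses and purposes are constructed for the demo, and the 730-day constant is this example's reading of "2 years".

```python
"""Constructed demo of PDPA-style controls for a loyalty programme data store."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 730  # delete after 2 years of inactivity unless a legal reason to keep exists


@dataclass
class Member:
    member_id: str
    name: str
    email: str
    consented_purposes: set          # purposes the member explicitly opted in to
    last_active: datetime
    purchases: list = field(default_factory=list)
    legal_hold: bool = False         # e.g. an open dispute that requires retention


class LoyaltyStore:
    def __init__(self, clock=None):
        self.members = {}
        self.audit_log = []          # one entry per processing activity
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, activity, member_id, detail=""):
        self.audit_log.append({"at": self._clock().isoformat(), "activity": activity,
                               "member_id": member_id, "detail": detail})

    def enrol(self, member_id, name, email, opted_in, purposes=("loyalty_rewards",)):
        # Consent must come from an explicit opt-in action; the caller may only pass
        # opted_in=True when the member actually ticked the box themselves.
        if not opted_in:
            raise PermissionError("cannot collect personal data without consent")
        self.members[member_id] = Member(member_id, name, email, set(purposes), self._clock())
        self._log("collect", member_id, "consent for " + ",".join(sorted(purposes)))

    def record_purchase(self, member_id, amount):
        m = self.members[member_id]
        m.purchases.append({"at": self._clock().isoformat(), "amount": amount})
        m.last_active = self._clock()
        self._log("use", member_id, "purchase recorded for loyalty_rewards")

    def use_for(self, member_id, purpose):
        """Purpose limitation: refuse any use the member did not consent to."""
        m = self.members[member_id]
        if purpose not in m.consented_purposes:
            self._log("use_denied", member_id, purpose)
            raise PermissionError(f"no consent for purpose {purpose!r}")
        self._log("use", member_id, purpose)
        return True

    def export_data(self, member_id):
        """Access request: everything held about the member, in a portable form."""
        m = self.members[member_id]
        self._log("access", member_id)
        return {"member_id": m.member_id, "name": m.name, "email": m.email,
                "consented_purposes": sorted(m.consented_purposes),
                "purchases": list(m.purchases)}

    def correct(self, member_id, **fields):
        """Correction request: only profile fields the member owns are editable."""
        m = self.members[member_id]
        for key, value in fields.items():
            if key not in ("name", "email"):
                raise ValueError(f"field {key!r} is not correctable by the member")
            setattr(m, key, value)
        self._log("correction", member_id, ",".join(fields))

    def delete(self, member_id, reason):
        """Deletion on request or by the retention job; the log keeps only id and reason."""
        del self.members[member_id]
        self._log("delete", member_id, reason)

    def purge_inactive(self):
        """Retention: remove members inactive beyond the window, unless on legal hold."""
        cutoff = self._clock() - timedelta(days=RETENTION_DAYS)
        stale = [m.member_id for m in self.members.values()
                 if m.last_active < cutoff and not m.legal_hold]
        for mid in stale:
            self.delete(mid, f"retention: inactive beyond {RETENTION_DAYS} days")
        return stale


def run_demo():
    """Constructed walk-through: two members, one of whom goes inactive past the window."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]     # controllable clock
    store = LoyaltyStore(clock=lambda: now[0])
    store.enrol("m1", "Ana Tan", "ana@example.com", opted_in=True)
    store.enrol("m2", "Ben Lim", "ben@example.com", opted_in=True,
                purposes=("loyalty_rewards", "marketing_email"))
    try:
        store.enrol("m3", "No Consent", "none@example.com", opted_in=False)
    except PermissionError:
        pass                                             # nothing stored, nothing logged
    store.record_purchase("m1", 42.0)
    denied = False
    try:
        store.use_for("m1", "marketing_email")           # m1 never opted in to this
    except PermissionError:
        denied = True
    store.correct("m1", email="ana.tan@example.com")
    export = store.export_data("m1")
    now[0] += timedelta(days=800)                        # m2 is now inactive for > 2 years
    store.record_purchase("m1", 5.0)                     # m1 stays active
    purged = store.purge_inactive()
    return {"members": sorted(store.members), "purged": purged, "denied": denied,
            "export": export, "log_activities": [e["activity"] for e in store.audit_log]}
```

In a real deployment the store would be a database and the audit log an append-only sink, but the shape of the controls stays the same: consent gates collection, every use is checked against the consented purposes, and the retention job runs on a schedule rather than by hand.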

Experience Zeno is designed with PDPA compliance built in — data handling policies are part of the platform architecture.
