GDPR-compliant digital loyalty cards

    Cockato is a privacy-first loyalty platform built for GDPR compliance from day one. Run digital wallet passes, stamp cards, and points programmes with encryption, consent management, and data minimisation baked into the infrastructure — not bolted on as an afterthought.

    How your customer data flows through Cockato

    When a customer joins a loyalty programme powered by Cockato, the merchant acts as the data controller and Cockato acts as the data processor under GDPR Article 28. This distinction is critical: the merchant decides what data to collect and why, while Cockato processes that data strictly according to the merchant's instructions and the terms of the Data Processing Agreement.

    What data is collected

    Cockato enforces data minimisation by design. A typical loyalty card stores only the customer's name, email address or phone number, and their reward balance (stamps or points). No location data, device fingerprints, or behavioural profiles are collected. This aligns with GDPR Article 5(1)(c) — data must be adequate, relevant, and limited to what is necessary.

    Where data is stored

    All customer data is hosted on Supabase infrastructure within AWS ap-southeast-2 (Sydney, Australia). Each merchant's data is logically isolated at the database level through tenant-scoped row-level security policies. Data is encrypted with AES-256 at rest and protected by TLS 1.3 during transit.
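    The tenant-scoped row-level security described above, shown as an added illustration rather than Cockato's own schema or policies: plain PostgreSQL (the database Supabase is built on), with a hypothetical `loyalty_cards` table keyed by `merchant_id`, an application role `app_user`, and a per-session variable `app.merchant_id` that the API layer is assumed to bind before running any query.

```sql
-- Added example, not Cockato's schema. Table, role and setting names are assumptions.
-- Columns mirror the data-minimisation list on the page: name, one contact field, balance.
CREATE TABLE loyalty_cards (
    id            bigserial PRIMARY KEY,
    merchant_id   uuid    NOT NULL,                 -- the tenant (data controller)
    customer_name text    NOT NULL,
    contact       text    NOT NULL,                 -- email address or phone number
    balance       integer NOT NULL DEFAULT 0 CHECK (balance >= 0)
);

-- Enable RLS and FORCE it so the table owner is subject to the policy too.
ALTER TABLE loyalty_cards ENABLE ROW LEVEL SECURITY;
ALTER TABLE loyalty_cards FORCE ROW LEVEL SECURITY;

-- The role the API connects as. It is deliberately created without BYPASSRLS
-- and without SUPERUSER; either attribute would silently skip every policy.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON loyalty_cards TO app_user;
GRANT USAGE, SELECT ON SEQUENCE loyalty_cards_id_seq TO app_user;

-- One policy for reads (USING) and writes (WITH CHECK). NULLIF turns an unset
-- or empty session variable into NULL; NULL = merchant_id is never true, so a
-- request that forgot to bind a tenant sees and writes nothing, rather than
-- everything. That fail-closed behaviour is the property worth testing.
CREATE POLICY tenant_isolation ON loyalty_cards
    FOR ALL TO app_user
    USING      (merchant_id = NULLIF(current_setting('app.merchant_id', true), '')::uuid)
    WITH CHECK (merchant_id = NULLIF(current_setting('app.merchant_id', true), '')::uuid);

-- Per request, the API binds the tenant for the current transaction only
-- (SET LOCAL is discarded at COMMIT/ROLLBACK, so it cannot leak across
-- pooled connections). The UUID below is a placeholder value.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.merchant_id = '00000000-0000-0000-0000-000000000001';
SELECT id, customer_name, balance FROM loyalty_cards;   -- only this merchant's rows
COMMIT;

-- Check: with no tenant bound, the same role must get an empty result, not an error
-- and not other merchants' rows.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM loyalty_cards;                     -- expected: 0
COMMIT;
```

    Two points a reviewer would verify in a real deployment: that every database role the application can reach lacks BYPASSRLS (the policy is irrelevant to roles that have it), and that the tenant identifier is derived server-side from the authenticated session rather than accepted from the request body.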

    How long data is retained

    Customer data is retained for the duration of the merchant's active subscription. When a merchant closes their account, all associated customer data is permanently deleted within 30 days. Customers can also request individual erasure at any time via the self-service deletion portal, with processing completed within 72 hours per GDPR Article 17.

    Sub-processors

    Cockato discloses all sub-processors in the DPA. The primary sub-processors are:

    • Supabase Inc. — Database hosting and authentication (AWS Sydney)
    • Stripe Inc. — Payment processing for merchant subscriptions
    • SendGrid / Twilio — Transactional email and SMS delivery

    No customer data is shared with advertising networks, data brokers, or any third party beyond these essential service providers.

    GDPR & data protection FAQ

    Is Cockato GDPR compliant?

    Yes. Cockato operates as a data processor under GDPR Article 28. We provide a public Data Processing Agreement, enforce data minimisation, support right to erasure, and encrypt all data with AES-256 at rest and TLS 1.3 in transit.

    What customer data does Cockato collect?

    Cockato collects only the minimum data required to operate loyalty programmes: customer name, email or phone number, and transaction history (stamps or points). No behavioural profiling, location tracking, or unnecessary personal data is collected.

    Where is customer data stored?

    All data is hosted on Supabase infrastructure within AWS ap-southeast-2 (Sydney, Australia). Data is encrypted at rest and in transit, with tenant-level isolation ensuring each merchant's data is logically separated.

    Can customers delete their data?

    Yes. Customers can request full data erasure through a self-service portal or by contacting the merchant. Cockato processes deletion requests within 72 hours in compliance with GDPR Article 17 (Right to Erasure).

    Does Cockato share data with third parties?

    Cockato only shares data with essential sub-processors: Supabase (database hosting), Stripe (payment processing), and SendGrid/Twilio (transactional communications). All sub-processors are disclosed in our Data Processing Agreement.

    Launch a loyalty programme you can trust

    Start free with GDPR compliance built in. No credit card required.
