1. Introduction
PointClub ("we", "us", "our") is operated by Point Club (Private) Limited, a company incorporated in Pakistan (SECP Incorporation No. 0331020, NTN I763370), with its registered office at 4 Mavani Chambers, off I.I. Chundrigar Road, Karachi, Pakistan.
We operate the PointClub and PointClub Merchant mobile applications (the "Apps") and associated backend services. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our loyalty points platform.
PointClub primarily serves businesses and consumers within Pakistan. By using our Apps, you agree to the collection and use of information as described in this policy.
2. Information We Collect
2.1 Customer Information
When you create a PointClub customer account, we collect:
- Full name - to personalise your experience and identify you to merchants
- Email address - for account authentication, verification, and password recovery
- Phone number - for account verification and optional SMS notifications (Pakistani mobile numbers in +92 format)
- Password - securely hashed and stored; we never store or view your plaintext password
2.2 Merchant Information
When you register a business on PointClub Merchant, we collect:
- Business name and category - displayed publicly to customers
- Owner name - for account management
- Business email and phone number - for account authentication and communication
- Business logo - uploaded images stored securely for branding loyalty cards
- Brand colours - custom colour preferences for loyalty card display
- Points configuration - earning rates and redemption values
2.3 Staff Information
Merchant owners may add staff members. We collect:
- Name, phone number, and email - for account creation and OTP verification
- Role and permissions - to control access within the merchant platform
2.4 Transaction Data
When loyalty points are earned or redeemed, we record:
- Transaction amount (in PKR), points earned or redeemed, and resulting balance
- Order or receipt ID provided by the merchant
- Timestamp and associated merchant and customer identifiers
2.5 Device and Usage Data
- IP address and user agent - recorded in audit logs for security monitoring
- Location data - approximate GPS coordinates (medium accuracy) used to find nearby merchants; only collected when you use the "Nearby" feature and grant location permission
- Camera access - used solely for scanning QR codes (merchant app scans customer QR; customer app scans at merchant locations)
- Photo library access - used by merchants to upload business logos
- Local storage - authentication tokens, theme preferences, and cached data stored on your device
2.6 Information We Do NOT Collect
- We do not collect payment card or bank account information
- We do not collect contacts, call logs, or browsing history
3. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Account creation and authentication | Name, email, phone, password |
| Loyalty points earning and redemption | Transaction data, enrollment data |
| QR code generation and validation | Enrollment ID, cryptographic nonces |
| Merchant branding and loyalty card display | Logo, brand colours, business name |
| Staff management and access control | Staff name, phone, role, permissions |
| SMS, WhatsApp, and email notifications and OTP verification | Phone number, email address |
| Security monitoring and fraud prevention | IP address, user agent, audit logs |
| Business analytics and reporting | Aggregated transaction and points data |
| Personalised offers and promotions | Transaction history, enrollment data, points balance |
| Improving pricing and service features | Aggregated usage patterns and transaction trends |
| In-app personalised offers and promotional content | Customer preferences, merchant enrollment data, transaction patterns |
4. Data Storage and Security
4.1 Where We Store Data
All data is stored on Amazon Web Services (AWS) infrastructure in the Asia Pacific (Singapore) - ap-southeast-1 region. This includes:
- AWS Cognito - secure user authentication with hashed passwords
- AWS DynamoDB - encrypted database for user profiles, transactions, and enrollments
- AWS S3 - encrypted storage for merchant logos and audit log archives
4.2 Security Measures
- All data is transmitted with HTTPS/TLS encryption
- Server-side AES-256 encryption for all stored data
- Passwords hashed using AWS-managed key derivation (never stored in plaintext)
- Single-use cryptographic nonces for QR code transactions (prevents replay attacks)
- HMAC signatures for QR code integrity verification
- Role-based access control (RBAC) for merchant staff
- Automatic token expiry and refresh mechanisms
- Comprehensive audit logging of all security-relevant events
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Customer and merchant accounts | Until account deletion is requested |
| Transaction records | Retained indefinitely for accounting and dispute resolution |
| Enrollment records | Until cancelled by the customer |
| Audit logs (active) | 30 days in primary database |
| Audit logs (archive) | Archived to cold storage indefinitely for compliance |
| OTP codes | 5–10 minutes (automatically deleted) |
| QR code nonces | 5 minutes (automatically deleted) |
| Merchant logos | Until replaced or account deleted |
| Staff accounts | Until deleted by the merchant owner |
5.1 Account Deletion
Customers can delete their PointClub account at any time in the app by going to Profile → Settings → Delete Account. If you cannot access the app, you may also request deletion by emailing support@pointclub.pk from the email address registered on your account.
We also publish step-by-step web instructions at /delete-account. That page explains the full process, the data that is deleted, and the records we must retain.
When an account is deleted, we permanently remove or anonymise personal profile data and associated customer-side records such as loyalty enrollments, device tokens, wallet passes, punch card progress, promotion redemption history, and audience memberships. Certain transaction records are retained for tax, merchant billing, and audit compliance. Those retained records are no longer linked to your name, email address, or phone number.
6. Data Sharing
6.1 With Merchants
When you enrol in a merchant's loyalty programme, that merchant can see your:
- Name, email, and phone number
- Points balance and transaction history with that merchant
- Enrollment status
Merchants cannot see your activity with other merchants.
6.2 With Service Providers
We use the following third-party services to operate PointClub:
- Amazon Web Services (AWS) - cloud infrastructure, authentication, database, storage, and SMS delivery. Data is stored in the Asia Pacific (Singapore) region (ap-southeast-1).
- Resend (Resend, Inc.) - transactional email delivery. Resend may process your email address and message metadata. Resend's data handling is governed by their privacy policy at https://resend.com/legal/privacy-policy
- Google Firebase - we use Firebase for:
  - Push notifications - device tokens linked to your account for delivering transaction and account notifications via Firebase Cloud Messaging (FCM)
  - Crash reporting - error data, stack traces, device information, and your account identifier (internal UUID, not your name or email) via Firebase Crashlytics, to diagnose and fix app issues
  - Analytics - screen views, feature usage events (e.g., enrollment, transactions, profile updates), and your account identifier (internal UUID) via Firebase Analytics, to understand how the app is used and improve it. We also collect your user type (customer, merchant, or support) and, if provided during signup, your gender as analytics properties.
Firebase may assign a device identifier and correlate your analytics, crash reports, and push notification data using your account identifier. Your name, email address, and phone number are not sent to Firebase. Firebase's data handling is governed by Google's Privacy Policy.
We do not sell or rent your personal information to any third parties for their marketing purposes.
6.3 Legal Requirements
We may disclose your information if required by law, court order, or government authority under the laws of Pakistan, including but not limited to the Prevention of Electronic Crimes Act 2016 (PECA) and any applicable data protection regulations.
7. Your Rights
You have the right to:
- Access your personal data - view your profile and transaction history in the App
- Correct inaccurate data - update your name and phone number in the App
- Delete your account - use the in-app flow at Profile → Settings → Delete Account, visit /delete-account, or email support@pointclub.pk
- Cancel enrolments - unenrol from any merchant's loyalty programme at any time
- Opt out of promotional communications - via App settings or by contacting us
- Data portability - request a copy of your data by contacting us
We will respond to your request within 30 days.
8. Children's Privacy
PointClub is not intended for children under the age of 18. We do not knowingly collect personal information from minors. If you believe a child has provided us with personal data, please contact us immediately at support@pointclub.pk and we will delete such information.
9. SMS, WhatsApp, and Email Communications
We send messages to Pakistani mobile numbers (+92) via SMS and WhatsApp, and to your registered email address via Resend, for:
- One-time passwords (OTP) for account verification and login (via WhatsApp, SMS, or email)
- Email verification links for account signup and email address changes
- Password reset codes
- Account-ready confirmation emails after successful registration
- Initial staff account password delivery (via WhatsApp or SMS)
- Staff and support user onboarding invitations (via email)
- Transactional notifications related to your account and loyalty activity
These are transactional messages essential for account security and service delivery. We do not send marketing or promotional emails, SMS, or WhatsApp messages unless you have explicitly opted in.
9.1 WhatsApp Messaging
We use the WhatsApp Business Platform to deliver one-time passwords (OTPs) and transactional notifications to your registered phone number. By providing your phone number during account registration, you consent to receiving these messages via WhatsApp.
WhatsApp messages are sent through Meta's WhatsApp Business API. Meta may process your phone number and message delivery metadata in accordance with WhatsApp's Privacy Policy. We do not share any other personal information with Meta beyond what is required to deliver the message.
9.2 Opting Out
You may opt out of WhatsApp messages at any time by contacting us at support@pointclub.pk. If you opt out of WhatsApp, we will use SMS as a fallback for OTP delivery. Note that opting out of all messaging channels may prevent you from verifying your account or completing security-sensitive actions.
Standard SMS rates from your mobile carrier may apply for SMS-based messages.
10. Cookies and Local Storage
Our Apps do not use browser cookies. We store the following data locally on your device using secure local storage:
- Authentication tokens (cleared on logout)
- Theme preference (light/dark/system)
- Last login identifier (for convenience)
- Cached merchant profile data (for instant loading)
- Hidden and favourite loyalty card preferences
All locally stored data is cleared when you log out of the App.
11. International Data Transfers
Your data is primarily stored in the AWS Asia Pacific (Singapore) region. While AWS may process data globally for infrastructure management, your personal data remains within the AWS ap-southeast-1 region. By using PointClub, you consent to the storage of your data in Singapore-based AWS data centres. Google Firebase services may process device data, crash reports, analytics events, and your account identifier (internal UUID) in Google's global infrastructure as described in Section 6.2.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App or via email. The "Last Updated" date at the top of this policy indicates when it was last revised.
13. Governing Law
This Privacy Policy is governed by the laws of Pakistan, including the Prevention of Electronic Crimes Act 2016 (PECA) and any future data protection legislation enacted in Pakistan.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- Email: support@pointclub.pk
- Website: www.pointclub.pk