Rewally ("we," "us," or "our") is a mobile application developed by Awaz Solutions that helps you organise, track, and manage your loyalty programs, gift cards, and coupons. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Rewally app and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect the email address you provide for authentication purposes. We use a passwordless email OTP (one-time password) flow, so we never store or handle plaintext passwords.
1.2 Loyalty and Reward Data
You may store the following types of information in the Service:
- Loyalty program names, categories, and descriptions
- Gift card numbers and balances
- Coupon codes and usage status
- Transaction records (amounts, dates, descriptions)
- Notes attached to cards or transactions
- Expiry dates and reward status
1.3 Device Information
We collect limited device information for security and push notification delivery, including:
- Device identifier (for per-device data isolation and session management)
- Push notification token for delivering notifications to your device
- Device platform (iOS or Android) and app version
1.4 Usage Data
We collect minimal usage analytics such as app activity logs (e.g., when loyalty cards or rewards are created, updated, or deleted). These records are associated with your account and used solely to power the activity timeline feature within the app.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate your identity and secure your account
- Store and sync your loyalty data across sessions
- Send push notifications (e.g., expiry reminders) when you opt in
- Display your activity history within the app
- Respond to support requests
- Improve the Service and fix issues
We do not use your data for advertising, profiling, or selling to third parties.
3. Data Encryption and Security
Protecting your data is a core principle of Rewally. We implement the following security measures:
- AES-256-GCM Encryption: Sensitive data such as gift card numbers and coupon codes are encrypted using AES-256-GCM before being stored. Encryption keys are derived per-workspace using HKDF (SHA-256) so that no two users share the same key material.
- TLS in Transit: All network communication between the app and our backend services is encrypted using TLS (HTTPS).
- Row Level Security (RLS): Our database enforces row-level security so that each user can only access their own data.
- Secure Token Storage: Authentication tokens are stored in your device's secure keychain (iOS Keychain / Android Keystore), not in plain storage.
- Passwordless Authentication: We use a custom auth flow with email OTP, eliminating password-related attack vectors.
4. Data Storage and Hosting
Your data is stored on secure cloud infrastructure that adheres to industry-standard security practices. We employ database-level encryption at rest and enforce strict access controls.
5. Tracking and Analytics
Rewally does not track you across other companies' apps or websites. We do not participate in any cross-app or cross-site tracking, and we do not use advertising identifiers (such as Apple's IDFA or Google's Advertising ID). The only analytics we collect are internal activity logs within the app, as described in Section 1.4.
6. Third-Party Services
We use select third-party infrastructure providers to operate the Service, including services for user authentication, database hosting, and push notification delivery. These providers process data only as necessary to provide their respective functionality. We do not share your loyalty data with any third party for marketing, advertising, or analytics purposes.
7. International Data Transfers
Your data may be processed and stored on servers located outside your country of residence. By using the Service, you consent to the transfer of your information to facilities outside your jurisdiction. We ensure that appropriate safeguards are in place, including encryption in transit and at rest, to protect your data regardless of where it is processed.
8. Data Sharing
We do not sell, rent, or share your personal information with third parties except in the following limited circumstances:
- Service Providers: As described above, we share limited data with infrastructure providers that are necessary to operate the Service.
- Legal Requirements: We may disclose your information if required to do so by law or in response to valid legal process (e.g., a court order or subpoena).
- Safety: We may share information if we believe it is necessary to prevent fraud, protect our rights, or ensure the safety of our users.
9. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
10. Your Rights
Depending on your jurisdiction, you may have the following rights:
10.1 General Rights
- Access, correct, or delete your personal data
- Export your data in a portable format
- Withdraw consent for push notifications at any time via device settings
- Request restriction of, or object to, certain processing activities
10.2 Rights for European Economic Area (EEA) Residents (GDPR)
If you are located in the EEA, the UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on (a) your consent when you create an account and use the Service, (b) contractual necessity to provide the Service, and (c) our legitimate interest in improving and securing the Service.
- Right to Erasure: You may request deletion of your personal data at any time.
- Right to Portability: You may request a copy of your data in a structured, machine-readable format.
- Right to Object: You may object to processing based on legitimate interest.
- Right to Lodge a Complaint: You may file a complaint with your local data protection authority.
10.3 Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of the personal information we have collected.
- Right to Opt-Out of Sale: We do not sell your personal information. As such, there is no need to opt out — but we honour this right regardless.
- Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
10.4 Do Not Sell My Personal Information
Rewally does not sell, rent, or trade your personal information to any third party for monetary or other valuable consideration. This applies to all users, regardless of jurisdiction.
To exercise any of these rights, contact us at support@rewaly.com. We will respond to verified requests within 30 days (or within the timeframe required by applicable law).
11. Account Deletion
You may delete your account directly from within the app via the account settings menu. You may also request account deletion by contacting us at support@rewaly.com. Upon deletion, all your personal data — including loyalty cards, rewards, transactions, and notes — will be permanently removed within 30 days, except where retention is required by law.
12. Children's Privacy
The Service is not directed to children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we learn that we have collected data from a child without appropriate consent, we will delete it promptly.
13. Push Notifications
Rewally may send you push notifications for expiry reminders and important account alerts. You can opt out of push notifications at any time through your device settings. Disabling push notifications will not affect the core functionality of the Service.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app or by other appropriate means. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
15. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: support@rewaly.com