Data Protection

The principles of loyalty marketing require the highest possible care, respect and protection of customer data, and our system has been developed to give your programme the highest possible standards of data security.

Our team of loyalty experts monitor and apply global best practice principles for data protection, and we understand and ensure our software and your programme are fully compliant with the European General Data Protection Regulation (GDPR) as the industry benchmark globally for data protection and marketing excellence.

As a company, for peace of mind, we in Liquid Barcodes often act as a trusted data processor for our clients, storing and processing data on behalf of programme owners who are known as data controllers.

Privacy By Design

Our loyalty marketing platform provides privacy and data protection by design.

This simple graphic shows how the system is set up and managed in separate areas – the ‘Production’ and the ‘Test’ platforms.

This separation is important as it allows us to maintain better control of updates and user access.


Data Access:

We employ strict access control to customer data, and permissions are allocated on a clear need-to-access basis by each individual client for their programme’s specific needs.

All our user interfaces are fully configurable, so you can assign clearly defined user roles with high granularity and provide the right permissions for every person within your organization.

Users with the most extensive rights require two-factor authentication, and all communication to and from the system is subject to numerous authentication processes and other security mechanisms.

Our software developers who manage our production system are all located within the EU.

Data Storage:

Our databases are encrypted wherever large quantities of data are stored or where the most sensitive data (with direct identifiers) is stored for extended periods of time.

Encryption is considered best practice globally because it reduces the risk of loss of personal data in case of unauthorized access to these most sensitive databases.

For each layer of the system (except for the communication layer), we use pseudonymization for the directly identifiable data, such as phone number or email. Pseudomization is defined by GDPR as the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”

These directly identifiable details are kept in an encrypted database and linked to random user references which are then used by both the operational system and our archives. Pseudonymization is the most powerful protection available to your customers if their data ever did get into the wrong hands. While this approach varies from program to program, whenever the link between the identifiable data and the pseudonym is deleted, your data is essentially anonymized.

Customer’s data is kept for the minimum duration necessary to maintain your marketing operation. We automatically delete logs and users after agreed periods of inactivity. When we delete users, we also remove all pseudonymized user references to ensure your data is then completely anonymized.

Rights of Data Subjects

Any customer for whom you hold marketing data is individually known as a ‘data subject’ and they have extensive rights under GDPR.

We make it easy for you and your loyalty programme managers (known as data controllers) to comply with these legal and ethical requirements to the highest possible standard using a simple solution which allows them to access their own data at any time on a simple page like this.

Here users can update their details, correct any previous information they have provided, adjust their permission settings, download the data they have supplied to you, withdraw their marketing consent or even delete their profile.

When your customers see that you are giving them easy access to their private data, they increasingly trust your brand.

Consent Handling

Customers must give clearly consent before receiving any communication from us or from your programme.

We support granular levels of consent and this process is described in detail here.

Platform Security

Liquid Barcodes entire loyalty marketing platform is hosted on Amazon Web Services (AWS) for peace of mind. The platform security is further described here.

Incident Reporting:

A full protocol is developed with each client before a new programme is launched, ensuring all stakeholders are trained how to minimize risk and report any suspected data breaches in a timely and effective manner.

What should CEOs ask their marketing, legal and IT team on GDPR?


Click here to read our article.


Click here to browse EU Data protection site, EU's own information site on the regulation.