1. Who we are
Kulto is a software-as-a-service (SaaS) platform that lets businesses create and run digital loyalty programs.
Subscribed businesses (which we call "tenants") issue digital stamp cards or points cards to
their own customers (which we call "end customers") through Apple Wallet and Google Wallet.
In this policy, the words "Kulto", "we" and "our" refer to
the Kulto service, available at kultoapp.com.
2. Scope of this policy
This privacy policy applies to:
- The public website kultoapp.com.
- The Kulto web application used by tenants and their authorized staff.
- Digital passes issued to end customers in Apple Wallet and Google Wallet.
Roles under data protection law: With respect to data of tenants and their staff, Kulto acts
as the data controller. With respect to end-customer data that tenants register in their
programs, the tenant is the data controller and Kulto acts as the
data processor, processing such data on behalf of and under the instructions of the tenant.
3. Data we collect
3.1 Tenant and staff data
- Account data: business name, user name, email, password (stored hashed).
- Billing data: contracted plan, payment receipts uploaded by the tenant and subscription
transaction history.
- Operational data: loyalty programs created, configuration, card design, panel activity.
- Technical data: IP address, browser type, operating system, access logs for security and
audit purposes.
3.2 End-customer data
- Pass identifiers: a unique identifier assigned by Kulto, plus the Apple Wallet or Google
Wallet identifier associated with the pass.
- Optional data: end customer's name and/or email, only if the tenant collects them for the
program. Kulto does not require end customers to create an account.
- Program activity: stamps earned, points granted, rewards redeemed, date and location of each
transaction recorded by the tenant.
- Device technical data: push notification token associated with the pass, required to update
the card when stamps or points change.
4. How we use the data
We use the collected data for the following purposes:
- Operate the platform and deliver the service contracted by the tenant.
- Issue, update and, when applicable, revoke digital passes in Apple Wallet and Google Wallet.
- Send push notifications associated with the pass (for example, "you earned a stamp").
- Send transactional emails (account verification, password recovery, receipts).
- Process payments for the tenant's subscription.
- Prevent fraud and abuse, and protect the security of the platform.
- Comply with legal and accounting obligations.
- Generate aggregated and anonymous statistics about service usage.
5. Apple Wallet and Google Wallet integration
Kulto uses the official Apple PassKit and Google Wallet API to issue loyalty
cards on end customers' devices. For this purpose:
- We send Apple and Google only the data needed to display the pass: business name, program name, accumulated
stamps or points, pass identifier, colors and logo configured by the tenant.
- We do not transmit passwords, payment data or financial information to these providers.
- When the end customer adds the pass to their wallet, Apple or Google returns an identifier and a notification
token that we use exclusively to update the pass.
- The use of the passes within Apple Wallet and Google Wallet is additionally subject to the privacy policies
of Apple and Google.
6. Service providers
To operate the service we share strictly necessary data with trusted providers, who act as data processors on
behalf of Kulto:
- Apple Inc. — issuance of passes in Apple Wallet.
- Google LLC — issuance of passes in Google Wallet, delivery of associated push notifications.
- Amazon Web Services (including Amazon SES) — infrastructure hosting and transactional email
delivery.
We do not sell personal data to third parties and we do not use it for cross-context behavioral advertising.
7. Data retention
- Tenant account data is kept while the account is active and for a reasonable period afterwards for legal and
accounting purposes.
- End-customer data is kept while the tenant's loyalty program is active, or until the tenant or end customer
requests its deletion.
- Technical and audit logs are kept for a limited period, sufficient to detect and respond to security
incidents.
8. Your rights
Regardless of your location, we offer you the following rights over your personal data:
- Access: request a copy of the data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Deletion: request the erasure of your data.
- Objection and restriction: object to certain processing or request that it be restricted.
- Portability: receive your data in a structured, readable format.
- Withdrawal of consent: when processing is based on your consent.
To exercise any of these rights, write to [email protected]. If you are
an end customer whose data was collected by a tenant, we recommend contacting the business that issued your card
first. If you do not get a response, we can handle your request directly.
9. Security
We apply reasonable technical and organizational measures to protect the data, including:
- Encryption in transit using HTTPS/TLS.
- Passwords stored with strong hashing functions.
- Token-based authentication using JWT with expiration times.
- Per-tenant isolation: each tenant accesses only its own data.
- Audit logs for critical actions (stamp and point credits, plan changes, accesses).
- Dynamic rotation of QR codes to prevent fraud.
No system is 100% impenetrable, but we work continuously to improve our defenses.
10. Cookies and similar technologies
Kulto uses cookies and equivalent technologies only for the following purposes:
- Strictly necessary cookies: keep the user's session active, remember the active tenant and
protect against CSRF attacks.
- Functional cookies: remember preferences such as the interface language.
We do not use advertising cookies or third-party trackers for behavioral marketing.
11. Minors
Kulto is not directed at children under 13. We do not knowingly collect data from children under this age. If
you believe a child has provided us with personal data, please write to [email protected] and we will delete it.
12. Changes to this policy
We may update this privacy policy from time to time to reflect changes in the service or in applicable law.
When changes are significant, we will notify the tenant by email or through a notice on the platform. The date
of the last update appears at the top of the document.
If you have questions, comments or wish to exercise any of your rights, write to:
Email: [email protected]