Contact
Legal / Privacy

Privacy Policy.

Effective 2026-01-01Last updated 2026-01-01Version 1.0

Who we are

Loyara is an operating system for rental businesses. We provide a branded customer website, an operations dashboard, and an automation engine as a managed service. When you use our marketing site, contact us, or access our service, we act as the controller of the personal data we collect from you. When we handle data on behalf of a rental business (our customer), we act as the processor under the instructions of that business.

For all privacy questions, data requests, and complaints, contact us at support@loyara.io.

Personal data we collect

From you directly

  • Identity and contact data: name, email address, phone number, business name.
  • Account data: role, permissions, preferences, sign-in email address.
  • Correspondence: emails and support tickets you send us.
  • Billing data: billing contact, tax identifier, invoice history. Card numbers are not stored by Loyara; they are processed by a PCI-DSS compliant payment aggregator.

From customers of rental businesses using Loyara

  • Booking data: item booked, dates, delivery address, distance, price.
  • Payment tokens only, returned by the payment aggregator. Loyara does not see the primary account number, the card verification value, or the expiry date.
  • Communication preferences and booking-related messages.

Automatically

  • Log and technical data: IP address, user agent, approximate location derived from IP, device and browser properties, timestamps, and pages visited.
  • Security and abuse signals: sign-in attempts, rate-limit triggers, audit trail entries.
  • Performance and diagnostic data for debugging and reliability.

How we use your data

  • Provide, operate, and maintain the Loyara service.
  • Authenticate users via email one-time codes.
  • Process bookings, payments, refunds, and associated records.
  • Send service messages such as booking confirmations, reminders, receipts, and notifications.
  • Prevent fraud, detect abuse, enforce terms, and investigate incidents.
  • Comply with legal obligations, tax requirements, and lawful requests.
  • Improve the service, including measuring performance and reliability.

Legal bases

Where applicable data protection law requires a legal basis, we rely on the following:

  • Performance of a contract, to deliver the service you or your business signed up for.
  • Legitimate interests, to keep the service secure, prevent abuse, measure reliability, and communicate with you about the service.
  • Consent, for optional cookies or analytics where required, and for marketing communications you can opt in or out of.
  • Legal obligation, to comply with tax, accounting, fraud prevention, or lawful requests from authorities.

Who we share with

We do not sell personal data. We share the minimum necessary with:

  • Processors acting on our instructions under written data processing terms: hosting and infrastructure providers, transactional email delivery, and customer support tooling.
  • Google LLC, which provides Google Analytics 4. Only visitors who accept analytics cookies are included. IP addresses are truncated and advertising personalisation is disabled.
  • The rental business you interact with, for the booking you place.
  • A PCI-DSS payment aggregator, which handles card details directly. Loyara receives only transaction references and tokens.
  • A connected customer relationship management (CRM) system, only when the rental business has chosen to connect one. Sync is scoped to contacts, bookings, and opportunity status.
  • Professional advisers, such as accountants and lawyers, under duties of confidentiality.
  • Government, regulatory, or judicial authorities, when required by law or to protect rights, property, or safety.
  • Successors in the event of a merger, acquisition, or sale of assets, with equivalent commitments to this policy.

International transfers

Loyara operates from India and may use infrastructure providers with facilities in other countries. Where personal data is transferred outside the country where you reside, we apply appropriate safeguards, including standard contractual clauses for transfers from the European Economic Area, the United Kingdom, and Switzerland, and equivalent mechanisms required by your local law. A copy of the relevant safeguards is available on request at support@loyara.io.

How long we keep it

We retain personal data only for as long as necessary for the purposes set out in this policy, including to satisfy legal, tax, accounting, or reporting requirements. Booking, payment, and audit records are retained for the life of the account and up to eight years after closure to meet financial and legal obligations. Sign-in tokens, abandoned checkouts, and expired sessions are pruned automatically on a nightly cycle. Account data is deleted on written request, subject to legal hold obligations.

Your rights

Depending on your location, you may have the following rights. To exercise any of them, contact support@loyara.io. We will respond within the time frame set by the applicable law.

Under the Digital Personal Data Protection Act 2023 (India)

  • Access to, and correction of, your personal data.
  • Erasure of your personal data, subject to legal retention requirements.
  • Grievance redressal through our Grievance Officer listed below.
  • Nomination of another individual to exercise rights on your behalf in the event of death or incapacity.

Under the GDPR (EEA) and UK GDPR

  • Access, rectification, erasure, restriction, portability, and objection.
  • Withdrawal of consent at any time, without affecting prior processing.
  • Lodging a complaint with a supervisory authority in your member state.

Under CCPA and CPRA (California)

  • Right to know what personal information is collected, used, disclosed.
  • Right to delete, correct, and limit the use of sensitive personal information.
  • Right to opt out of sale or sharing. Loyara does not sell personal information.
  • Right to non-discrimination for exercising these rights.

Under LGPD (Brazil)

  • Confirmation, access, correction, anonymisation, portability, and deletion.
  • Information about sharing, and the right to revoke consent.

Cookies and tracking

What we use

The Loyara marketing site uses a small number of cookies. The Loyara dashboard uses a session cookie to keep you signed in, set on your explicit sign-in and cleared on sign-out or expiry.

Google Analytics 4

We use Google Analytics 4 ("GA4") to understand how visitors use the marketing site. GA4 is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, United States. GA4 is loaded with Google Consent Mode v2 and with default consent set to denied. No analytics or advertising cookies drop, and no personal identifiers are sent to Google, until you accept analytics cookies through the cookie banner.

When you accept, the following first-party cookies are set in your browser by GA4:

  • _ga - distinguishes visitors; expires after two years.
  • _ga_<PROPERTY-ID> - persists session state for GA4; expires after two years.

GA4 records pageviews, events, approximate geography, device and browser properties, referrer, and a pseudonymous client identifier. IP addresses are truncated before storage. No advertising personalisation is enabled.

Because Google is based in the United States, accepting analytics cookies involves a transfer of your data outside your home jurisdiction. We rely on Google's Standard Contractual Clauses and its supplementary measures for that transfer.

Controlling cookies

  • Most browsers let you block or delete cookies in settings.
  • You can install the Google Analytics Opt-out Browser Add-on for a device-level opt out.
  • You can clear the cookie from your browser storage at any time to reset the notice on your next visit.

What we do not do

  • We do not use advertising cookies.
  • We do not use cross-site tracking pixels.
  • We do not sell personal data.

Security measures

  • Encryption in transit with TLS at the grade used by banking services.
  • Encryption at rest for stored data and integration credentials.
  • Role-based access control with four roles and fifteen granular permissions.
  • Complete audit trail of privileged actions, including actor, time, device, and IP.
  • Rate-limiting on sign-in and sensitive endpoints.
  • Continuous, encrypted, offsite backups tested against a recovery runbook.
  • Per-tenant data isolation verified in automated tests.

No system is perfectly secure. If you suspect a security incident involving your data, contact support@loyara.io without delay.

Children

Loyara is not directed to, and we do not knowingly collect data from, children under 16. If you believe a child has provided personal data to us, contact us and we will promptly investigate and delete the data.

Changes to this policy

We may update this policy from time to time. Material changes will be notified by email to account administrators at least thirty days before the change takes effect, unless a shorter period is required by law. Continued use of the service after the effective date constitutes acceptance of the updated policy.

Grievance Officer

In accordance with the Digital Personal Data Protection Act 2023 and other applicable Indian regulations, you may address grievances to our Grievance Officer at support@loyara.io. We will acknowledge complaints within the statutory timelines and work in good faith to resolve them.

Governing law

This policy is governed by and construed in accordance with the laws of the Republic of India. Any disputes shall be subject to the exclusive jurisdiction of the courts of Kochi, Kerala, without prejudice to your rights under mandatory local law.

Contact

For privacy questions, rights requests, or legal notices, write to support@loyara.io. A person replies to every message, usually within one business day.