Privacy Policy

Last updated: 4 July 2026

Labs Loyalty is operated by T‑Minus Labs, a UK-based business ("we", "us", "our"). This policy explains what personal data we collect, why, and what rights you have — whether you're a customer tapping a loyalty card, or a business owner using Labs Loyalty to run your loyalty programme.

Who we are

T‑Minus Labs is the data controller for the information described in this policy, except where noted below. You can reach us at tminuslabs@gmail.com with any question or request about your data.

If you're a customer using a loyalty card

When you tap an NFC stand at a participating business, we collect:

We store your phone number in your browser (localStorage) so your card loads instantly on return visits, and on our servers (hosted in the EU via Supabase) so your stamps stay in sync if you use a different device.

Why we process this: to provide the loyalty card service you're actively using — this is our legitimate interest in running the service you've engaged with, and that of the business whose programme you've joined. We don't use your phone number for marketing, and we never sell it to anyone.

Who sees it: the business you tapped in at can see your stamp progress and phone number (partially masked) to run their programme. We use Supabase (database hosting, EU region) and Resend (transactional email) as sub‑processors — neither uses your data for their own purposes.

How long we keep it: until you delete it yourself, or until the business closes their Labs Loyalty account.

Your rights: you can delete your data at any time directly from your loyalty card — look for the "Delete my data" option. This immediately and permanently removes your phone number, visit history, and any redemptions tied to it from our systems.

If you're a business owner

When you sign up to Labs Loyalty, we collect your business name, location, email address, and a PIN (stored as a secure hash, never in plain text) to protect access to your dashboard. We use your email to send you account-related messages — such as a welcome email — via Resend.

In this relationship, you are the data controller for your customers' phone numbers and visit data, and T‑Minus Labs acts as your data processor, handling that data only to provide the service on your behalf. See our Terms of Service for the data processing terms that apply to this relationship.

Cookies and local storage

We don't use tracking or advertising cookies. The only browser storage we use is functionally necessary — remembering your phone number so your card works — and falls under the "strictly necessary" exemption in UK privacy law, meaning we don't need to show you a cookie banner for it.

Your rights under UK GDPR

Depending on your relationship with us, you may have the right to:

To exercise any of these, email tminuslabs@gmail.com. Customers can also self-serve deletion directly from their loyalty card.

If you're unhappy with how we've handled your data, you also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

This service is not directed at children, and we don't knowingly collect data from anyone under 13. If you believe a child has used the service and provided personal data, contact us and we'll remove it.

Changes to this policy

We'll update this page if how we handle data changes, and update the date at the top. For material changes, we'll aim to notify business owners directly by email.

Contact

T‑Minus Labs — tminuslabs@gmail.com