Privacy Policy

LB Trading GmbH · Eustrasse 56, 6313 Menzingen · Zug, Switzerland

Version 1.1 — February 2026

Introduction

noon ("we", "us", "our") operates the noon mobile application and website (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Service.

We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

By using noon, you agree to the collection and use of information in accordance with this policy.

Data Controller

LB Trading GmbH
Eustrasse 56, 6313 Menzingen
Zug, Switzerland
Email: hello@noon-loyalty.com

Information We Collect

Information You Provide

Account Information

Email address
Username
Profile picture (optional)
Password (encrypted)

Profile Data

Display name
Bio (optional)
Date of birth (used for birthday rewards)
Social connections (friends, followed influencers)

Social Login Data

If you sign in with Apple or Google, we receive your name and email address (or an Apple relay address). We use this information solely for account creation and authentication. We do not access your Apple or Google contacts, photos, or other account data.

Information Collected Automatically

Usage Data

Tap-in history (which cafés you visit)
Points balance and transactions
Event bookings
App usage patterns

Device Information

Device type and model
Operating system
App version
Unique device identifiers

Location Data

We collect location data only when you actively use the map feature
Location is used to show nearby cafés
You can disable location access in your device settings

Health Data (Step Count)

We access step count data from Apple Health or Google Fit
We only check whether you've reached 5,000 steps
We do not store your detailed step history
This data never leaves your device except as a yes/no verification
The step bonus feature is optional and may be modified, suspended, or discontinued at any time
Step data is processed on your device only and is never shared with Partner cafés

How We Use Your Information

We use your data to:

Provide and maintain the Service
Process tap-ins and point redemptions
Verify step bonus eligibility
Show you relevant cafés and events
Enable social features (friends, influencers)
Send important service notifications
Improve and personalise your experience
Ensure security and prevent fraud

Legal Basis for Processing

Under GDPR, we process your data based on:

Contract: To provide the Service you signed up for
Legitimate Interest: To improve our Service and prevent fraud
Consent: For optional features like marketing emails
Legal Obligation: To comply with applicable laws

The following table maps each processing activity to its legal basis:

Processing Activity	Legal Basis
Account management and authentication	Contract performance
Points, rewards, and redemptions	Contract performance
Step bonus verification (health data)	Explicit consent
Analytics and service improvement	Legitimate interest
Push notifications (marketing)	Consent
Push notifications (transactional)	Legitimate interest
Fraud prevention and security	Legitimate interest
Birthday rewards	Contract performance / Consent
Legal and accounting obligations	Legal obligation

Data Sharing

With Partner Cafés

When you tap in at a café, they receive:

Your username
Timestamp of visit
Whether you redeemed points

They do NOT receive your email, step data, or personal details.

With Other Users

Friends can see your favourite cafés and events
If you're an influencer, your activity is public
You control your privacy settings

Service Providers

We use trusted providers for:

Cloud hosting (Supabase — EU servers)
Product analytics — PostHog (anonymised usage events, device type, app version; data hosted in the United States; we use Standard Contractual Clauses for this transfer)
Push notifications — Expo (device push tokens for notification delivery; data hosted in the United States)

Push Notifications

We collect device push tokens to deliver notifications about your rewards, events, and friend activity. Your notification preferences are stored securely on our servers. You can manage which notification types you receive in Settings > Notifications, or disable all push notifications through your device settings.

Automated Decision-Making

We use automated processing in the following areas:

Step bonus eligibility: Automatically determined based on whether your device reports 5,000+ steps. You can disable the step bonus feature at any time.
Birthday rewards: Automatically triggered based on your date of birth. This is an optional feature.

These automated processes do not produce legal or similarly significant effects. You may contact us to request human review of any automated decision.

We Never

Sell your personal data
Share your email with cafés
Share your step data with anyone
Use your data for third-party advertising

Data Retention

Data Category	Retention Period
Account data (profile, email, username)	While account is active
Tap-in history	24 months
Points balance and ledger	While account is active + 12 months after last activity
Event bookings	24 months
Reviews	Indefinitely (anonymised after account deletion)
Friend connections	Deleted with account
Push notification tokens	Deleted with account or when app is uninstalled
Device/usage analytics	Anonymised; may be kept indefinitely
Deleted accounts	Personal data removed within 30 days
Transaction records (for accounting)	As required by Swiss law (up to 10 years)

noon retains ownership of all aggregated and anonymised data derived from the Service. Such data does not constitute Personal Data and may be used by noon for platform improvement, benchmarking, and statistical analysis, including after account deletion.

Your Rights

Under GDPR, you have the right to:

Access: Request a copy of your data
Rectification: Correct inaccurate data
Erasure: Delete your account and data
Portability: Receive your data in a machine-readable format (JSON). To request an export, contact us at hello@noon-loyalty.com
Restriction: Limit how we process your data
Objection: Object to certain processing
Withdraw Consent: For consent-based processing

To exercise these rights, contact us at hello@noon-loyalty.com. We aim to respond to all data subject requests within 30 days as required by GDPR Article 12.

Data Security

We implement appropriate security measures:

Encryption in transit (HTTPS/TLS)
Encryption at rest
Access controls and authentication
Regular security assessments
Employee training

International Transfers

Your data is primarily stored in the EU (Supabase EU servers). The following services process data in the United States:

PostHog — product analytics (anonymised usage data)
Expo — push notification delivery (device tokens)
Vercel — application hosting

For all transfers outside the EU/EEA, we use:

EU Standard Contractual Clauses
Adequacy decisions where applicable
Additional technical and organisational safeguards

Children's Privacy

noon is not intended for children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us.

Google API Services

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Cookies

For details on cookies and similar tracking technologies we use on our website, please see our Cookie Policy.

Data Protection Officer

noon does not currently meet the threshold for mandatory Data Protection Officer appointment under GDPR Article 37. For all data protection inquiries, contact hello@noon-loyalty.com.

Changes to This Policy

We may update this policy. Material changes will be notified via the app or email at least 30 days before taking effect.

Contact Us

For privacy questions or to exercise your rights:

Email: hello@noon-loyalty.com
Address: LB Trading GmbH, Eustrasse 56, 6313 Menzingen, Switzerland

You also have the right to lodge a complaint with your local data protection authority.