🤔 Is this allowed? privacy edition

LIMITED — PURPOSE LIMITATION

May a loyalty programme keep my purchases for years?

For points administration: while membership runs + reasonable wind-down. For profiling: separate basis + transparency. Indefinite retention ≠ allowed.

Last reviewed: 25 May 2026

Loyalty programmes (Albert Heijn Bonuskaart, Bol.com Plus, Air Miles, Plus Spaarkaart) collect purchase history and profile data. The GDPR basis is typically contract performance (Art. 6(1)(b)) and, for marketing, consent (Art. 7).

Allowed retention:

  (1) Points balance: active membership plus 1-3 years of wind-down.
  (2) Purchase history for points allocation: 1-2 years (for disputes and corrections).
  (3) Fiscal: 7 years (Dutch Tax Act Art. 52) — only invoice data, not purchase detail.
  (4) Profiling for marketing: only until consent is withdrawn.

What is NOT allowed:

  • keeping purchase detail for 10+ years for "trend analysis" without consent
  • transfer to partners without a basis
  • profiling for insurance or credit refusal
  • linking to third-party data without a purpose-limitation basis

Important detail: Bonuskaart data traditionally also goes to the Air Miles database. That means joint controller responsibility, and a joint controller arrangement is required.

For the customer:

  • Art. 15 access: request an overview of your purchases, the profiling, and your segmentation categories.
  • Art. 21 objection to profiling for marketing (absolute).
  • Art. 17 erasure on consent withdrawal.

AP enforcement 2024: multiple loyalty programmes were investigated for unnecessary retention and unclear segmentations.

Our GDPR rights pack (€29) has letters for access and erasure.
