1. Introduction
Welcome to RewardForge ("we", "our", or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have in relation to it.
This policy applies to all information collected through our Progressive Web Application (PWA) and any related services, communications, or interactions with us.
By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms described herein, please discontinue use of our services immediately.
2. Data Controller
For the purposes of applicable data protection legislation (including the UK General Data Protection Regulation and the Data Protection Act 2018), the data controller is:
RewardForge
Email: stefan@rewardforge.co.uk
If you have any questions about how we handle your personal data, you may contact us at the address above at any time.
3. Legal Basis for Processing
We only process your personal data when we have a lawful basis to do so. The legal bases we rely on include:
- Consent: You have given us clear, informed consent to process your personal data for specific purposes (e.g. marketing communications, SMS notifications, birthday offers). You may withdraw consent at any time by contacting us or adjusting your account settings.
- Contract Performance: Processing is necessary to fulfil our contractual obligations to you, such as managing your loyalty programme account, tracking stamps, and issuing rewards.
- Legitimate Interests: Processing is necessary for our legitimate business interests (e.g. improving our services, preventing fraud, ensuring security) provided those interests are not overridden by your rights and freedoms.
- Legal Obligation: Processing is necessary for us to comply with applicable laws and regulations.
4. Information We Collect
We collect personal information that you voluntarily provide when you register for and use our loyalty programme services:
Personal Information
- Full Name: To identify you within the loyalty programme and personalise your experience
- Email Address: To manage your account, send programme updates, reward notifications, and important service communications
- Phone Number: To send SMS notifications about rewards, stamps, and offers (with your explicit consent)
- Date of Birth: To provide age-appropriate services and deliver birthday offers
Programme Activity Data
- Loyalty Programme Participation: Which programmes you have joined, stamps collected, and rewards redeemed
- Transaction History: Records of stamps issued and rewards claimed, including dates and times
- QR Code Scanning Activity: Data generated when scanning QR codes to collect stamps or redeem rewards
Technical and Device Data
- Device Information: Device type, operating system, and browser type used to access our PWA
- Camera Access: Temporary access to your device camera for QR code scanning only; we do not store images or video
- Authentication Tokens: Securely generated tokens stored on your device to maintain your login session
- Local Storage Data: We use browser local storage and session storage to maintain your authentication state and preferences
5. How We Use Your Information
We use the personal information we collect for the following purposes:
- Account Management: To create, maintain, and secure your user account
- Programme Management: To manage your participation in loyalty programmes, track your stamps and rewards, and process redemptions
- Personalised Notifications: To send you relevant notifications based on the reward programmes you participate in (with your consent for marketing communications)
- Rewards Delivery: To notify you when you have earned rewards and when special offers are available
- Birthday Offers: To send you special birthday rewards and promotions
- Communication: To respond to your enquiries, provide customer support, and send essential service communications
- Service Improvement: To understand how our services are used, identify issues, and improve the user experience
- Security: To detect and prevent fraud, abuse, and unauthorised access to accounts
6. Data Sharing and Disclosure
We may share your information in the following circumstances:
- Partner Companies: Your information is shared with the companies whose loyalty programmes you voluntarily join. This enables them to provide you with rewards, stamps, and relevant communications. Each partner company acts as an independent data controller for the data they receive.
- Service Providers: We may share your data with trusted third-party service providers who assist us in delivering our services (e.g. email delivery, SMS messaging, cloud hosting). These providers are contractually bound to process your data only on our instructions and in compliance with applicable data protection laws.
- Legal Requirements: We may disclose your information if required by law, regulation, legal process, or enforceable governmental request.
- Business Transfers: In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred to the new entity. We will notify you of any such change and any choices you may have regarding your data.
- Protection of Rights: We may disclose information where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or violations of our terms of service.
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
7. International Data Transfers
Our services may involve the transfer of your personal data to countries outside the United Kingdom. Where we transfer personal data internationally, we ensure that appropriate safeguards are in place in accordance with applicable data protection legislation, including:
- Transfers to countries recognised as providing an adequate level of data protection
- Standard contractual clauses approved by the relevant authorities
- Other legally recognised transfer mechanisms
You may contact us for further information about the specific safeguards applied to the transfer of your personal data.
8. Data Security
We implement appropriate technical and organisational security measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction. These measures include:
- Encrypted data transmission using HTTPS/TLS
- Secure authentication using industry-standard JWT tokens with expiration controls
- Password hashing and salting — we never store passwords in plain text
- Access controls limiting data access to authorised personnel only
- Regular security assessments and software updates
- Secure cloud infrastructure with access logging
While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but are committed to implementing and maintaining best practices.
9. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:
- Active Accounts: Your data is retained for the duration of your account's existence and active participation in loyalty programmes.
- Account Deletion: When you delete your account or request data deletion, we will remove your personal information from our active databases within 30 days, unless retention is required for legal, regulatory, or legitimate business purposes (e.g. fraud prevention, dispute resolution).
- Programme Data: Transaction and stamp history associated with partner companies may be retained by those companies in accordance with their own retention policies.
- Backup Systems: Residual copies in backup systems will be overwritten in line with our backup rotation schedule.
10. Your Privacy Rights
Under the UK GDPR and Data Protection Act 2018, you have the following rights regarding your personal data:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may request that we correct any inaccurate or incomplete personal data. You can also update your information directly through your account settings.
- Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data where there is no compelling reason for its continued processing.
- Right to Restrict Processing: You may request that we limit the processing of your personal data in certain circumstances.
- Right to Data Portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to Object: You may object to the processing of your personal data where we rely on legitimate interests as the legal basis.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to Opt-Out of Marketing: You may opt out of receiving promotional notifications and marketing communications at any time by contacting us or using the unsubscribe mechanism in our communications.
To exercise any of these rights, please contact us at stefan@rewardforge.co.uk. We will respond to your request within 30 days of receipt. In certain circumstances, we may need to verify your identity before processing your request.
11. Cookies and Local Storage
We use browser local storage and session storage to maintain your authentication state and improve your user experience. Specifically, we store:
- Your authentication token (to keep you logged in)
- Your user profile details (to display your account information)
We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not track your browsing activity across other websites.
You may clear your local storage at any time through your browser settings, which will sign you out of the application.
12. Children's Privacy
Our services are not intended for individuals under the age of 16. We do not knowingly collect or solicit personal information from children under 16. If we learn that we have collected personal information from a child under 16 without parental consent, we will delete that information as quickly as possible.
If you believe that a child under 16 has provided us with personal information, please contact us immediately at stefan@rewardforge.co.uk.
13. Third-Party Links
Our application may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you via email or in-app notification for significant changes
- Where required by law, seek your renewed consent
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
15. Complaints
If you are not satisfied with how we handle your personal data or your privacy rights, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first at stefan@rewardforge.co.uk.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: