Privacy Policy

1. Introduction

RewardyClub ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital stamp card platform (the "Service").

This policy applies to all users of the Service, including Customer Users and Business Users.

Important: By using the Service, you consent to the data practices described in this policy.

2. Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, the data controller is:

3. Information We Collect

3.1 Information You Provide

For All Users (via Google OAuth):

• Name
• Email address
• Google profile picture (optional)
• Google account ID

For Customer Users:

• Member ID (automatically generated: RC-YYYY-XXXXXX)
• Stamp card history and progress
• Reward redemption history

For Business Users:

• Business name and type
• Business address and postcode
• Business logo (if uploaded)
• Stamp card configuration (number of stamps, rewards)
• Employee email addresses (for team management)
• Payment information (processed by Stripe, we do not store card details)

3.2 Information Collected Automatically

• Transaction data (stamps added, rewards redeemed, timestamps)
• Device information (browser type, operating system)
• IP address and general location
• Usage data (features used, pages visited)
• Authentication tokens

3.3 Data We Do NOT Collect

• Payment card numbers (handled by Stripe)
• Precise geolocation without consent
• Biometric data
• Data from children under 18

4. How We Use Your Information

We use your personal data for the following purposes:

4.1 To Provide the Service

• Create and manage your account
• Authenticate your identity via Google OAuth
• Process stamp additions and reward redemptions
• Display your stamp card progress and history
• Enable businesses to scan customer QR codes
• Send transactional emails (account confirmations, password resets)

4.2 To Process Payments (Business Users)

• Process subscription payments via Stripe
• Manage billing and invoices
• Detect and prevent fraud

4.3 To Improve the Service

• Analyze usage patterns and trends
• Fix bugs and technical issues
• Develop new features
• Conduct research and analytics

4.4 To Communicate With You

• Respond to your inquiries and support requests
• Send important service updates and security alerts
• Send marketing communications (with your consent, opt-out available)

4.5 Legal Obligations

• Comply with legal requirements
• Enforce our Terms of Service
• Protect our rights and prevent fraud
• Respond to lawful requests from authorities

5. Legal Basis for Processing (UK GDPR)

We process your personal data on the following legal grounds:

• Contractual Necessity: To provide the Service you've requested
• Legitimate Interests: To improve our Service, prevent fraud, and maintain security
• Consent: For marketing communications (where required)
• Legal Obligation: To comply with laws and regulations

6. How We Share Your Information

We do not sell your personal data. We may share your information with:

6.1 Service Providers

• Google (Firebase): Cloud hosting, authentication, database, and file storage
• Google (OAuth): Authentication services
• Stripe: Payment processing for subscriptions

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

6.2 Between Users

• When a Customer User shows their QR code to a Business User, the business can see the customer's name and member ID
• Business logos and names are visible to Customer Users on their stamp cards

6.3 Legal Requirements

We may disclose your information if required to:

• Comply with legal obligations or court orders
• Enforce our Terms of Service
• Protect our rights, property, or safety
• Prevent fraud or illegal activity

7. Data Retention

We retain your personal data for as long as necessary to provide the Service and comply with legal obligations:

• Active Accounts: Data retained while your account is active
• Deleted Accounts: Most data deleted within 30 days of account deletion
• Transaction Records: Retained for 7 years for tax and accounting purposes (UK law requirement)
• Payment Data: Managed by Stripe according to their retention policies
• Backup Data: May persist in encrypted backups for up to 90 days

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption: Data encrypted in transit (HTTPS/TLS) and at rest
• Authentication: Secure Google OAuth authentication
• Access Controls: Role-based access to limit who can view data
• Firestore Security Rules: Database-level security to prevent unauthorized access
• Regular Updates: Security patches and updates applied promptly
• Monitoring: Continuous monitoring for suspicious activity

Note: No security measures are 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Your Data Protection Rights (UK GDPR)

Under UK GDPR, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data (subject to legal obligations)
• Right to Restrict Processing: Request limitation on how we use your data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for marketing at any time
• Right to Complain: Lodge a complaint with the Information Commissioner's Office (ICO)

To exercise your rights: Email us at [your-email@example.com] with your request. We will respond within 30 days.

ICO Contact: If you're unhappy with how we've handled your data, you can contact the UK Information Commissioner's Office at https://ico.org.uk

10. Cookies and Tracking

We use the following types of cookies and similar technologies:

Essential Cookies (Always Active)

• Authentication cookies (to keep you logged in)
• Security cookies (to protect against fraud)
• Session cookies (to remember your preferences)

Analytics Cookies (Optional)

Currently, we do not use third-party analytics cookies. If this changes, we will update this policy and request your consent.

Managing Cookies: You can control cookies through your browser settings. Note that disabling essential cookies may affect functionality.

11. Third-Party Services

Our Service integrates with third-party providers. Their privacy policies govern their data practices:

• Google (Firebase & OAuth): Google Privacy Policy
• Stripe: Stripe Privacy Policy

12. International Data Transfers

Your data may be transferred to and processed in countries outside the UK, including:

• United States: For Firebase and Google services
• European Union: For backup and redundancy

We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK government and EU adequacy decisions.

13. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us immediately so we can delete it.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy with a new "Last updated" date
• Sending an email notification (for significant changes)

Your continued use after changes take effect constitutes acceptance of the new policy.

15. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us: