Privacy Policy

Important Notice. In connection with the acquisition of Reward Gateway (UK) Ltd by Edenred SE, the assets of Edenred (UK Group) Limited were in January 2024, transferred to Reward Gateway (UK) Ltd. As a consequence, Reward Gateway (UK) Ltd became the Data Controller of the personal data of Edenred (UK Group) Limited from the date of transfer. To ensure data subject rights remain fully respected in a consistent way, a single DPO has been appointed across both organisations, who can be contacted at dpo.uk@edenred.com.

If Clients and Data Subjects who are being migrated over from the Edenred (UK Group) Ltd platform from March 11, 2024 have questions concerning the privacy and security aspects of the Reward Gateway (UK) Ltd platform please also visit https://trust.rewardgateway.com which provides comprehensive and detailed information concerning the compliance and assurance status of the platform.

-------------------------

Reward Gateway UK Limited (“Reward Gateway”, “we”, “us” or “our”) knows that you care how information about you is used and shared and we are careful to ensure that any such information that comes into our possession is properly looked after. This Privacy Policy sets out the basis on which any personal data we collect from or about you on our website, www.rewardgateway.com/uk, will be processed by us. It also sets out the steps that we take to ensure that any information provided to us is kept secure and is used only for the purposes for which it is provided.

We will be the data controller of your personal data which you provide to us or which is collected by us via our website. This means that we are responsible for deciding how we hold and use personal information about you and that we are required to notify you of the information contained in this Privacy Policy. It is important that you read this Privacy Policy so that you are aware of how and why we use your personal information and how we will treat it.

Reward Gateway has appointed a Data Protection Team, who can be contacted using the details at the end of this Notice should you have any questions, complaints or feedback about your privacy.

You can also contact us using the details provided at the end of this Privacy Policy in the “Contacting Us” section.

Personal Information

When you communicate with us via our website, for example, by submitting a query, requesting a demo, subscribing to our blog, commenting on a blog post or using the chat function, we will collect the personal information that you provide to us for that purpose. You don’t have to give us any of this personal information but, if you don’t provide us with certain information, we may not be able to provide you with the information or service you have requested from us. The forms you fill in on our website will make it clear what information we need in order to provide the information or service you are requesting and what information you can choose to provide if you wish.

We will also collect technical information about your equipment, browsing actions and patterns to serve more relevant content to you on the site. We collect this personal data by using cookies, server logs and other technologies and full details as to how we use cookies can be found in our Cookie Policy.

We will only use your personal data to send you our newsletter and blog updates where you have consented to us doing so. Otherwise, we will collect and process the information set out above about you on the basis that it is in our legitimate interests to use your data for the purposes set out below, and those interests are not overridden by your interests and fundamental rights. 

Much of the information we hold will have been provided by you, but some may come from other internal sources, such as a Sales representative, or in some cases, external sources, such as marketing or event management agencies. We will combine information we receive from other sources (as set out in this Notice) with information you give to us. We will only use this information and the combined information for the purposes set out in this Notice.

Purposes for which Personal Information may be used

The personal information that you provide to us or which we collect about you via our website will be used only for the following purposes:

1. To provide information or services to you as requested by you.

2. To the extent permitted by law, to let you know about information and services from Reward Gateway in which you may be interested including via our newsletter.

3. To review and understand the content on our website which users are most interested in.

4. To improve the content of our website.

5. To customise the content and /or layout of the website for each individual user.

6. To notify you about updates to the website.
   
   

Automated Decision Making

We do not carry out any solely automated decision-making using your personal information.

Change of Purpose

We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and permitted under data protection laws. If we need to use your personal information for an unrelated purpose, in most cases we will notify you and we will explain the legal basis which allows us to do so.

Disclosure

As of the date of this Privacy Policy, we share your personal data with the following trusted third parties for the purposes of managing our business and providing the information and services you request from us:

1. Member of the Edenred SE group of companies including RG Engagement Group Ltd, Reward Gateway (Australia) Pty Ltd, Reward Gateway (USA) Inc, International Benefits Holdings Ltd., Asperity Employee Benefits Group Ltd, our group companies;

2. Google Analytics, our web analytics provider;

3. HubSpot, our lead generation provider and website host;

4. Cvent, our event management platform provider; 

5. Salesforce, our customer and prospect record management system provider.

Use of Braze for Marketing and Customer Engagement

We use Braze, a customer engagement platform, to help us deliver personalised communications and improve the relevance of our marketing efforts. Braze allows us to analyse and understand how you interact with our communications and services, helping us create a more tailored experience.

Data Collected and Processed

In connection with our use of Braze, we may collect and process the following types of personal information:

• Contact information (e.g. email address, name, unique identifier, company name)

• Interaction data (e.g. open rates, clicks, or engagement with messages we send you)

• Usage data (e.g. information about how you use our website or app, if applicable)

Purpose of Processing

We use Braze to:

• Deliver personalised email, SMS, and in-app messages based on your preferences and activity.

• Track engagement and interaction to improve our messaging and enhance your experience.

• Conduct analytics to better understand the effectiveness of our communication and make improvements.

Data Sharing and Privacy Protections

Braze processes this data on our behalf and is obligated to comply with applicable data protection laws. We have a data processing agreement with Braze to ensure that your personal information is handled securely, and we regularly review their data protection practices.

Opting Out of Marketing Communications 

You can opt out of receiving marketing communications at any time by following the unsubscribe link in any email we send or by contacting us directly. If you opt out, Braze will no longer process your data for marketing purposes on our behalf.

When we do share your data with these third parties, we only provide the information they need to perform the service. We have written contracts in place with them to ensure they only use your data for the purpose we specify to them and that your privacy is secure and respected.

We will also disclose your personal information to third parties:

• In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets;

• If we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets; and/or

• If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use and other agreements; or to protect the rights, property, or safety of us, our users, customers and providers. This will include sharing your information as part of a legal or official investigation if legally required to do so.
  
  

International Transfers

Reward Gateway's commitment to data security and privacy is paramount. We host all our personal data in Ireland and Germany in a highly secure environment, ensuring it remains within the European Economic Area (EEA). Adhering to strict data protection regulations, we do not allow any technical access to personal data concerning citizens of the EEA from outside the EEA.

However, we engage with a select few US based technology providers as part of our workflow. These providers have undergone rigorous assessments and are carefully chosen to ensure they meet or exceed our high standards for data security and full compliance with our privacy and data protection commitments.

We can supply a copy of the EU Standard Contractual Clauses to you on request.

UK-U.S. Data Privacy Framework

Reward Gateway US Inc complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.

Reward Gateway US Inc is in the process of certifying to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S.DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data privacy framework website.

Reward Gateway US Inc is subject to the  investigatory and enforcement powers of the Federal Trade Commission (FTC).

Reward Gateway US Inc is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to your organization and following the procedures and subject to conditions set forth in Annex I of Principles.

Reward Gateway US Inc is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Reward Gateway US Inc is liable in cases of onward transfers to third parties.

In compliance with the UK Extension to the EU-U.S. DPF, Reward Gateway US Inc commits to cooperate and comply respectively with the advice of the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the UK Extension to the EU-U.S. DPF.

Retention of Information

Unless we need to keep your data for legal purposes (such as to defend against a legal claim), we will only retain your personal information for 24 months from your last interaction with us, for example, when you opted in or when you submitted a query on our website.

Protection of Information

We have implemented appropriate technology safeguards, security policies and other measures to protect data under our control from unauthorised access, improper use, alteration, unlawful or accidental destruction or accidental loss. These include being ISO 27001 certified, implementing suitable access controls, and ensuring that encryption and hashing are used and robust physical security controls are in place. We also protect your information by requiring that all our employees and others who have access to or are associated with the processing of your data respect your confidentiality.

Your Rights

Data protection laws provide you with the following rights to:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;

• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;

• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);

• Request the restriction of processing of your personal information, for example if you want to establish its accuracy or the reason for processing it; and

• Obtain a copy of the personal information you’ve provided us with and to reuse it elsewhere or to ask us to transfer it to a third party of your choice.

You also have the right to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object to where we are processing your personal information for direct marketing purposes.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Where we rely on your consent to process your personal data, for example in relation to any direct marketing we provide to you, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent in relation to direct marketing, please contact us using any of the details set out below in the “Contacting Us” section.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance.

To make a Subject Access Request:

If you would like to exercise any of your rights set out above, please use this secure link.

Changes to our Privacy Policy

If we decide to change our Privacy Policy we will post the changes here and, where appropriate, notify you by email. Please check back frequently to see any updates or changes to our Privacy Policy.

Privacy Policy last updated: 1st August, 2024

Contacting Us

If you have any comments or requests regarding this Privacy Policy or have any data protection enquiries or queries, you can contact us in the following ways:

• By email at dpo.uk@edenred.com or;

• By post at Reward Gateway (UK) Ltd, Third Floor, 1 Dean Street, London, W1D 3RB.

Reward Gateway Pty Limited ("we", "us" or "our") is committed to protecting and respecting your privacy under the Privacy Act 1988 (Cth) (Privacy Act) and other applicable laws.

This Privacy Notice ("Notice") describes how we collect, store, use, disclose, share and secure any personal information ("Personal Information") we collect from you or from third parties, including Citi (the "administrator") who we have entered into a Licence Agreement with, about you on this website (the "programme", "My Perks") will be processed by us.

In the event of a conflict between the terms of this Notice and the terms of the Licence Agreement, the Licence Agreement shall prevail.

We have appointed a Data Protection Team, who can be contacted using the details at the end of this notice should you have any questions, complaints or feedback about your privacy.

Information We Collect From You and How We Use It

We will collect various types of personal information from you when you use My Perks, depending on the particular services which you use. Further details of how we use your personal information are set out below.

Before you register

Before you register on My Perks, to allow us to carry out our eligibility checks we will ask the administrator to provide two pieces of information about you (such as your postcode, payroll ID, start date or date of birth).

The administrator has provided us with your information for an account to be created.

When you register

In addition to the personal information provided to us by the Administrator, when you register on My Perks we will also collect and store some personal information about you, such as your name, company identifier, email address, password, postcode, contact telephone number, gender and date of birth. At the Administrator’s choice, we may also collect additional information about you such as your office location.

You will also need to provide the information necessary to allow us to carry out our eligibility check (which will vary dependent on the information provided by the Administrator, see above).

This information will be used in order to complete your registration and to allow you to use My Perks. You will not be able to register without at least providing your name, email address, password and postcode or date of birth, as these are used to secure your account and to allow us to confirm your identity if you contact the support team.

When you login

Each time you log in to My Perks, we automatically conduct checks against your Internet Protocol (IP) address to ensure your security. This includes looking up your IP address against a “proxy denylist” to check that someone is not using your credentials and trying to hide their location. This proxy denylist is operated by MaxMind, Inc. If your IP address appears on it, we will not allow you to login.

We also look up the IP address in a static database we download from MaxMind Inc. to check which country the IP is affiliated with. This helps us to further protect your account against people who may have access to your credentials. If we do spot a change, we will alert you and ask you to confirm your login in order to verify your identity before continuing.

This information along with time and event data (such as successful or failed logins) are also recorded in our database for audit purposes.

Depending on the services you use on My Perks, we may collect and process additional personal information about you, as set out below.

When you write a blog or comment / react to content

When you write a blog or comment / react to content on the site, we will display your name and any other personal information you choose to share via your blog or comment.

When you complete a survey

From time to time you may be invited to participate in a survey run by the Administrator.

If you complete a survey, all of the information that you provide in connection with that survey will be provided to the Administrator. Please be aware that the administrator controls the survey and what happens to the survey data, which may include using that data for research purposes or making the survey responses public.

We recommend that you contact the administrator to understand how they will use your survey responses. In some cases, the administrator may decide to provide you with their own separate privacy notice governing the use of your survey data in which case the information you submit in connection with such surveys will be governed by that privacy notice.

When you contact us

If you contact us for support purposes, we will require some information to handle your query. The following data are saved in Zendesk to enable processing: your name, email address, telephone number, and any other personal information you provide to us for the purpose of dealing with your query.

When you visit My Perks

When you visit My Perks we will automatically collect information about your visit such as the pages you viewed, offers or services you viewed or searched for, length of visits to certain pages, the times and dates of these actions, details of page response times and any download errors that occurred.

We will also collect data from the device and application that you use to access our services, including your IP address (from which we may infer your geographic location), login information and browser type.

If you arrive at our website from an external source (such as a link on another website or in an email) we record information about that source.

We will use the above information in order to:

• To administer My Perks and for internal operations, including troubleshooting, data analysis (including analysing the use of the various services available on My Perks and measuring their popularity and effectiveness), testing, research, statistical and survey purposes, and to comply with our legal obligations/;

• To improve My Perks to ensure that content is presented in the most effective manner for you and for your computer / device;

• As part of our efforts to keep My Perks safe and secure to comply with our legal obligations/;

• To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you. We, or our third party advertisers, may use your age or gender to determine whether advertising is relevant to you; and

• To make suggestions and recommendations to you and other users of My Perks about goods or services that may interest you or them/.

Other information and uses

We will also collect the personal information you provide when you use My Perks:

• To provide you with our newsletter and with information about other third party benefits we offer that are similar to those you have already used or enquired about or that we feel may interest you/.

• To notify you about changes (permanent or temporary) to our service.

• To ensure that content from our website is presented in the most effective manner for you and your computer.

• To administer our website and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes, and as part of our efforts to keep our website safe and secure.

Information we receive from other sources

We will combine information we receive from other sources (as set out in this notice) with information you give to us. We will use this information and the combined information for the purposes set out in this notice (depending upon the services you access).

Change of Purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and permitted under data protection laws. If we need to use your personal information for an unrelated purpose, in most cases we will notify you and we will explain the legal basis which allows us to do so.

Disclosures of Your Information

We use service providers to help us to provide the website, such as data storage providers, marketing email providers, analysis providers and benefit providers:

• Amazon Web Services EMEA SARL, a cloud hosting provider;

• Emailcenter UK, a transactional and bulk email gateway;

• Google Inc., a web analytics tool;

• FullStory Inc., an analytics service provider;

• Heap Inc., an analytics service provider;

• New Relic Inc., a performance measurement tool;

• Twilio Inc., a SMS / text-messaging gateway;

• Formstack, LLC, a configurable data-capture provider;

• Zendesk Inc., a customer support platform;

• Atlassian Pty Ltd., a ticketing system for our internal teams;

• Mailgun Technologies Inc., a transactional and bulk email gateway;

• WalkMe, Inc., Contextual help, support and assistance for administrators;
  
  

Use of Braze for Marketing and Customer Engagement

We use Braze, a customer engagement platform, to help us deliver personalized communications and improve the relevance of our marketing efforts. Braze allows us to analyse and understand how you interact with our communications and services, helping us create a more tailored experience.

Data Collected and Processed

In connection with our use of Braze, we may collect and process the following types of personal information:

• Contact information (e.g. email address, name, unique identifier, company name)

• Interaction data (e.g. open rates, clicks, or engagement with messages we send you)

• Usage data (e.g. information about how you use our website or app, if applicable)

Purpose of Processing

We use Braze to:

• Deliver personalised email, SMS, and in-app messages based on your preferences and activity.

• Track engagement and interaction to improve our messaging and enhance your experience.

• Conduct analytics to better understand the effectiveness of our communication and make improvements.

Data Sharing and Privacy Protections

Braze processes this data on our behalf and is obligated to comply with applicable data protection laws. We have a data processing agreement with Braze to ensure that your personal information is handled securely, and we regularly review their data protection practices.

Opting Out of Marketing Communications

You can opt out of receiving marketing communications at any time by following the unsubscribe link in any email we send or by contacting us directly. If you opt out, Braze will no longer process your data for marketing purposes on our behalf.

We also share your personal information with:

The Administrator

Because the administrator pays us to operate for you, they’ll want to know how the website is performing. Except as set out elsewhere in this notice, we will only share information with the administrator on an aggregated and anonymous basis about how often you’ve used the website and what services you used. We will not share information with the administrator about how much you’ve spent, where you shop, and how much you’ve saved as an individual, as we treat this as confidential.

Our Internal Teams and Prospective Retailers

We also use information about you on an aggregated and anonymised basis for internal management purposes, to, share it with current or prospective retailers and to use it to target offers that are made to users of My Perks. This type of information includes, for example, the types of product that you purchase and the value of those purchases. However, you can’t be identified from this information.

Members of our Group

We share personal information with members of our group for the purposes of providing the benefits to you and managing our business: RG Engagement Group Ltd, Reward Gateway Pty Ltd, Reward Gateway (USA) Inc, Reward Gateway (UK) Ltd Branch, SEO Reward Gateway DOOEL Skopje, International Benefits Holdings Ltd., Asperity Employee Benefits Group Ltd

Other Parties

We will also disclose your personal information to third parties:

• In the event that we sell or buy any business or assets, in which case we will disclose your personal information to the prospective seller or buyer of such business or assets;

• If we or substantially all of our assets are acquired by a third party, in which case personal information held by us about our customers will be one of the transferred assets; and/or

• If we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions and other agreements; or to protect the rights, property, or safety of us, our users, customers and providers. This will include sharing your information as part of a legal or official investigation if we have evidence or reason to suspect that purchases on your account could be fraudulent.
  
  

Transfers of Your Personal Information

A number of the service providers listed above are based outside of Australia and your personal information may therefore be transferred to or accessed from outside of Australia where the data protection laws may differ.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with the Privacy Act (Australian Privacy Principle 8), this notice, and the GDPR, and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

We remain fully accountable for these transfers in accordance with Section 16C of the Privacy Act.

Your Rights

Under the Privacy Act (Australian Privacy Principles 12 and 13), you have the right to:

• Request access to your Personal Information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it; and

• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

To withdraw your consent in relation to direct marketing, please contact us using any of the details set out below in the “Contacting Us” section or change your preferences in the “My Account” section of My Perks.

To Make Subject Access Request

If you would like to exercise any of your rights set out above, please use this secure link.

Please note that as the administrator may store other information from your use of this service, you should also contact them directly if you would like to exercise your rights in relation to the data held by them.

Residents of the United Kingdom (UK) and European Economic Area (EEA)

If you are located in the UK or the EEA, you have additional rights under UK and European law with respect to your Personal Information, including the right to request delete, port to another service provider, or object to certain uses of your Personal Information.

We will only collect personal information from you where we need the Personal Information to perform a contract with you (e.g. to provide you with a service), where the processing is in our legitimate interests when your interests and fundamental rights do not override those interests, or where we have your consent.

You also have the right to object to the processing of your Personal Information where we are relying on a legitimate interest (or those of a third party), which is not overridden by your data protection interests or fundamental rights and freedoms. In particular we process your Personal Information to pursue the following legitimate interests:

• To prevent risk and fraud on our platform;

• To provide customized communications, marketing, and advertising;

• To provide reporting and analytics;

• To provide troubleshooting, technical support, or to answer questions;

• To trial new features or additional services; and

• To help improve our services, applications, and websites.

Where we rely on your consent to process your Personal Information, for example in relation to any direct marketing we provide to you, you have the right to withdraw your consent for that specific processing at any time.

In some cases, we may also have a legal obligation to collect Personal Information from you.

If you have any questions, comments or complaints about the handling of your personal information under this notice, or you wish to enquire further about the legal basis on which we collect and use your Personal Information, please contact our representative:

• By email at dpo.uk@edenred.com or:

• By post at Reward Gateway (UK) Ltd, Third Floor 1 Dean Street, London, W1D 3RB.

Resolving your privacy concerns and complaints

If you have a question or complaint about how your Personal Information is being handled by us, our affiliates or contracted service providers, please contact us using the contact details provided below.

We will treat your complaint confidentially and, after investigating your complaint, discuss the ways in which we can remedy the situation. We will ensure that we respond to your complaint within a reasonable time (and in any event within the time required by the Privacy Act.)

You also have the right to make a complaint at any time to:

Australian Information Commissioner

The Australian Information Commissioner receives complaints under the Privacy Act. Complaints can be made:

• Online: http://www.oaic.gov.au/

• Phone: 1300 363 992

• In writing: Office of the Australian Information Commissioner, GPO Box 5218, Sydney, NSW 2001

Other Data Protection Authorities

If you are based in the European Union, then you may lodge a complaint with your local National Data Protection Authority (‘NDPA’). Your local NDPA can be found using the European Commission website.

If you are based in, or the issue relates to, the United Kingdom, the Information Commissioner’s Office can be contacted online.

Please note that as the administrator may store other information from your use of this service, you should also contact them directly if you would like to exercise your rights in relation to the data held by them.

Updating your information

It is important that the personal information we hold about you is accurate and current. Please keep your records on My Perks up-to-date. If you wish to update or amend your personally identifiable information or data you may do so by making the change within your account once logged in or by contacting our Helpdesk. We will respond to your request within 5 working days.

Storage of your information

Unless we need to keep your data for legal purposes, we will only retain your personal information for 60 days after the administrator lets us know you no longer work for them or they decide to use a different service.

The legal purposes for which we may need to retain your data for include:

• Retaining payment records for one year to comply with PCI DSS regulations;

• Retaining backups for up-to 180 days after de-provisioning; and

• Retaining your order history for two years from the date of your order in case of a dispute.

We may also retain anonymised data about you for longer periods for integrity and financial reporting purposes.

Recordings of calls are retained for 40 days and chat transcripts are retained for 90 days.

We take the security and confidentiality of your personal information very seriously. We will use strict procedures and security features to aim at preventing unauthorised access, such as being ISO 27001 and ISMS certified, access controls, penetration testing, the use of encryption and hashing and robust physical security controls.

You are also responsible for the security of your personal information by taking precautionary measures, such as keeping your account password confidential and using secure wireless connections.

Changes to This Notice

Any changes we make to this notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to this notice.

Last Updated: 29th January, 2025

Contacting Us

If you have any queries, comments or requests regarding this notice, or you would like to exercise any of your rights set out above, or contact our Data Protection Team, you can contact us in the following ways:

• By email at dpo.uk@edenred.com or:

• By post at Reward Gateway, Suite 13.01, Level 13, Australia Square Plaza 95 Pitt St, NSW 2000.

Important Notice. In connection with the acquisition of Reward Gateway (UK) Ltd by Edenred SE, the assets of Edenred (UK Group) Limited were in January 2024, transferred to Reward Gateway (UK) Ltd. As a consequence, Reward Gateway (UK) Ltd became Data Controller of the personal data of Edenred (UK Group) Limited from the date of transfer. To ensure data subject rights remain fully respected in a consistent way, a single DPO has been appointed across both organisations, who can be contacted at dpo.uk@edenred.com.

If Clients and Data Subjects who are being migrated over from the Edenred (UK Group) Ltd platform from March 11, 2024 have questions concerning the privacy and security aspects of the Reward Gateway (UK) Ltd platform, please also visit http://trust.rewardgateway.com which provides comprehensive and detailed information concerning the compliance and assurance status of the platform.

-------------------------

Reward Gateway (UK) Ltd ("we", "us" or "our") is committed to protecting and respecting your privacy.

This Privacy Notice ("Notice") sets out the basis on which any personal data we collect from you or from third parties, including Reward Gateway (the "administrator") who we have entered into a Licence Agreement with, about you on this website (the "programme", "boom! Discounts UK") will be processed by us.

We will be the Data Controller of your personal data which you provide to us or which is collected by us via boom! Discounts UK. This means that we are responsible for deciding how we hold and use personal information about you and that we are required to notify you of the information contained in this Privacy Notice ("Statement"). It is important that you read this Statement so that you are aware of how and why we are using your personal information and how we will treat it.

We have appointed a Data Protection Team, who can be contacted using the details at the end of this Notice should you have any questions, complaints or feedback about your privacy.

The Type of Information We Collect From You and How We Use It

We will collect various types of personal information from you when you use boom! Discounts UK, depending on the services which you use. Further details of how we use your personal data are set out below.

In this section, we have indicated with asterisks whether we need to process your personal data:

• * to enter into and/or to perform our contract with you to provide the services via boom! Discounts UK;

• ** to pursue legitimate interests of our own or of third parties, provided that your interests and fundamental rights do not override those interests;

• *** to enable us to comply with our legal obligations; and/or

• **** with your consent.

Before you register

Before you register on boom! Discounts UK, to allow us to carry out our eligibility checks* we will ask the administrator to provide two pieces of unique information about you (such as your postcode, start date or date of birth).

The administrator has provided us with your information for an account to be created.

The administrator will sometimes also provide the information necessary to allow us to conduct National Minimum Wage and Basic Earnings assessments automatically on their behalf when we are required to do so***/** (see When you enter into a salary deduction agreement with the administrator section below for more details).

When you register

In addition to the personal data provided to us by the administrator, when you register on boom! Discounts UK we will also collect and store personal information about you, such as your name, company identifier, email address, password, postcode, a contact telephone number, gender and date of birth. At the administrator’s choice, we may also collect additional information about you such as your office location.

You will also need to provide the information necessary to allow us to carry out our eligibility check (which will vary dependent on the information provided by the administrator, see above).

This information will be used in order to complete your registration and to allow you to use boom! Discounts UK*. You will not be able to register without at least providing your name, email address and password, as these are used to secure your account and to allow us to confirm your identity if you contact the support team.

When you login

Each time you log in to boom! Discounts UK, we automatically conduct checks against your Internet Protocol (IP) address to ensure your security. This includes looking up your IP address against a “proxy denylist” to check that someone is not using your credentials and trying to hide their location**. This proxy denylist is operated by MaxMind, Inc. If your IP address appears on it, we will not allow you to login.

We also look up the IP address in a static database we download from MaxMind Inc. to check which country the IP is affiliated with. This helps us to further protect your account against people who may have access to your credentials**. If we do spot a change, we will alert you that a login has occured from a new device or location.

This information along with time and event data (such as successful or failed logins) are also recorded in our database for audit purposes**.

Depending on the services you use on boom! Discounts UK, we may collect and process additional personal data about you, as set out below.

When you use Cashback

If you visit a Cashback retailer on boom! Discounts UK, we will record that you clicked and visited their website for the purpose of tracking the Cashback earned*. We will provide the retailer with a pseudo-anonymous ‘click reference’ to allow us to attribute the purchase and Cashback to you.

Each of these retailers are independent on boom! Discounts UK so you should check their privacy terms to make sure you are happy with them before providing any other details to them.

If you have a problem with the retailer and your Cashback, we may need to provide them with additional information about your order to help**. We will ask you for the minimum information we need to do this, but you will be responsible for the accuracy and level of detail it contains.

When you withdraw your Cashback

If you make a request for a Cashback withdrawals to your bank account, you will need to provide your bank details for us to process the withdrawal but we will only store your bank details until the withdrawal is processed*. They will be shared with our bank, HSBC, to process your request after which all the details will be destroyed.

Alternatively you will be able to withdraw your Cashback as part or full payment for goods on boom! Discounts UK or ask us to donate it to the nominated charity on boom! Discounts UK*.

When you make a debit or credit card purchase

If you choose to purchase goods using a credit or debit card through boom! Discounts UK, we will collect your payment details from you and pass them to Checkout.com, our secure payment processors, who will use them to process the payment*. We do not store or process your credit or debit details on our servers.

We will also collect your delivery address from you, and use the contact details previously provided, to allow us to process the order*.

If you opt-in to saving your credit or debit details for future use on boom! Discounts UK, your information will be stored securely by our payment processor. You can update or remove these at any time.

Where goods are dispatched by a third-party supplier, we may need to share your information with them to fulfil your order, such as your contact details and delivery address*. This will be clearly indicated to you at the point of purchase. You will be able to review these suppliers’ privacy terms before any information is shared with them.

We will also carry out a fraud check during the order process. This check is carried out by our third party provider, Sift Science (“Sift Science”)**. Sift Science will only act in accordance with our instructions and how they will process your personal data is set out below.

Sift Science will collect information about your behaviour on the portal (such as the length of time between logging in and reaching checkout), technical information about the device used (such as your browser version and IP address) and the details you enter at checkout (such as your contact details and delivery and billing address).

After you have placed your order and before goods are dispatched, Sift Science will use this information to provide us with a score based on the likelihood of fraud. The score provided determines whether your order is automatically accepted by us or queued for our human review. If it is queued for human review, we will carry out a manual fraud check to decide whether to accept or refuse your order or, in some circumstances, require payment to be made by an alternative, more secure mechanism such as a bank transfer. For more information about this processing activity, please contact us using the details provided at the end of this Notice in the “Contacting Us” section.

After too many failed orders

If too many failed orders originate from your account, we will automatically restrict access to your account. Before allowing you to access your account again, we will notify you and ask you for further supporting documents such as your driving licence, council tax bill or statement, bank or credit card statement, utility bill or payslip, as evidence that it is you attempting these orders**. If these documents are not to our satisfaction, we may contact the administrator with the intention of verifying that it is you using your account in this way**.

These supporting documents will only be used for the purpose of verifying your identity, will not be shared with any third parties and will only be retained by us until we have reviewed them, even if we are not satisfied with their legitimacy or authenticity.

You do not need to provide these supporting documents to us but, if you choose not to, then we will not be able to provide you with access to your account.

When you enter into a salary deduction agreement with the administrator

If you choose to purchase goods through boom! Discounts UK and enter into a salary deduction agreement with the administrator, such as Childcare Vouchers, Cycle to Work, Smart Tech or Holiday Trading, we will collect your name, address, IP address, browser details, payroll information, and deduction amount. This information will be provided to the administrator as proof of your electronic signature of the salary deduction agreement and to enable them to administer the deduction and pay us for the goods on your behalf*.

Additionally, if the administrator has provided us with the information necessary such as your payroll and salary information (see National minimum wage and national living wage for more details), we will use this information to conduct the National Minimum Wage check on their behalf in line with the parameters they have provided***. The employer is legally obliged to conduct such as check.

If they have not provided us with this information, we will ask you to provide it instead.

If the administrator provided us with the information necessary to conduct the National Minimum Wage check, we will conduct the check and automatically approve or forward your application for salary sacrifice benefits to them for review. For more information about this processing activity, please contact us using the details provided at the end of this Notice in the “Contacting Us” section.

If you provide us with the information necessary to conduct the National Minimum Wage check, then we will conduct the check but the results of all checks will be forwarded for review by the administrator before your application is approved or rejected. If you are not eligible, you can contest the assessment with the administrator.

You will not be able to purchase goods through boom! Discounts UK via a salary deduction agreement unless you or the administrator provide this information to us.

We will also provide the information necessary to the relevant third party benefit provider (see the Disclosures of your Information section) to allow them to provide the benefit to you. This information will vary by benefit provider but will usually contain at least your name and application amount.

Special Information for Cycle to Work

When you use Cycle to Work to purchase a bike and/or safety equipment, in addition to processing your personal data as set out in the ‘When you enter into a salary deduction agreement with the administrator’ section above, we will also process your personal data as set out below.

At the end of the Hire Period, when you have finished paying via the salary deduction agreement, the administrator cannot simply give you the equipment as this may turn the purchase into a benefit in kind. Instead you will be offered, depending on the administrator, either to make a final payment through a P11D or to continue the agreement with our chosen supplier until the equipment has no residual value (you can read more about this in the Employment Income Manual - see Employment Income Manual.)

If the administrator has selected to allow you to continue the agreement, your application details, including your name, email address, telephone number, and postal address must be transferred to our supplier*. We will contact you about this process.

Special Information for Smart Tech

When you use SmartTech to purchase technology, your personal information is not shared with a third-party supplier. We obtain vouchers direct from our supplier and issue them to you when you choose to participate in SmartTech.

Special information for Childcare Vouchers

When you enter in to a salary deduction agreement with the administrator for Childcare Vouchers, in addition to processing your personal data as set out in the ‘When you enter into a salary deduction agreement with the administrator’ section above, we will also process your personal data as set out below.

We are under a statutory obligation to conduct an ongoing eligibility check on you based on the age of your youngest child*** and we will require you to provide their date of birth for us to carry out that check. This information is only used to perform this check and to remind you when they enter their last school year that your eligibility is coming to an end.

Additionally, if the administrator has provided us with the information necessary such as your payroll and salary information (see Employer-supported Childcare - guidance and FAQs for employers for more details), we will use this information to conduct a Basic Earnings Assessment check on their behalf***. The employer is legally obliged to conduct such a check.

If the employer provided us with the necessary information to conduct the Basic Earning Assessments check, we will conduct the check and automatically approve or forward your application for Childcare Vouchers for review by the administrator. For more information about this processing activity, please contact us using the details provided at the end of this Notice in the “Contacting Us” section.

If you provide us with the necessary information to conduct the Basic Earning Assessments check instead, then we will conduct the check but the results of all checks will be forwarded for review by the administrator before your application is approved or rejected.

You will not be able to purchase Childcare Vouchers through boom! Discounts UK via a salary deduction agreement unless you or the administrator provide this information to us.

When you take out a Healthcare Cashplan

If you decide to purchase a Healthcare Cashplan through boom! Discounts UK, we will ask for your bank account details. These are used to allow our Healthcare Cashplan provider to set up a Direct Debit for all future payments*. We will pass your bank details directly to the provider to allow them to set up the Direct Debit. We will also provide the Healthcare Cashplan provider with your name, telephone number, date of birth, gender, details of any existing medical conditions and selected plan (and your partner’s if you choose this option) to allow them to provide the benefit to you.

When you send an eCard or when you make a nomination

If you ask us to send an eCard, you will need to provide us with the name of the person you are sending the eCard to (“the recipient”). If the recipient has already registered on boom! Discounts UK, we will send the eCard on your behalf to their registered email address****.

If they have not already registered, you will also need to provide an email address which we will send the eCard on your behalf to****. The recipient will be asked to confirm that they have read and understood this notice and agree to our Terms & Conditions before being able to view your message.

You must have the consent of the recipient to give us their name and, if applicable, email address and also any personal information you disclose in your message to them. This information will also be disclosed to the administrator for the purposes of performance management.

When you write a blog or comment / react to content

When you write a blog or comment / react to content on the site, we will display your name and any other personal information you choose to share via your blog or comment**.

When you complete a survey

From time to time you may be invited to participate in a survey run by the administrator.

If you complete a survey, all of the information that you provide in connection with that survey will be provided to the administrator. Please be aware that the administrator controls the survey and what happens to the survey data, which may include using that data for research purposes or making the survey responses public****.

We recommend that you contact the administrator to understand how they will use your survey responses. In some cases, the administrator may decide to provide you with their own separate privacy notice governing the use of your survey data in which case the information you submit in connection with such surveys will be governed by that privacy notice.

When you contact us

If you contact us for support purposes, we will require some information to handle your query. The following data are saved in Zendesk to enable processing: your name, email address, telephone number any other personal information you provide to us for the purpose of dealing with your query.

When you visit boom! Discounts UK

When you visit boom! Discounts UK we will automatically collect information about your visit such as the pages you viewed, services you viewed or searched for, length of visits to certain pages, the times and dates of these actions, details of page response times and any download errors that occurred.

We will also collect data from the device and application that you use to access our services, including your IP address (from which we may infer your geographic location), login information and browser type.

If you arrive at our website from an external source (such as a link on another website or in an email) we record information about that source.

We will use the above information in order to:

• to administer boom! Discounts UK and for internal operations, including troubleshooting, data analysis (including analysing the use of the various services available on boom! Discounts UK and measuring their popularity and effectiveness), testing, research, statistical and survey purposes, and to comply with our legal obligations**/***;

• to improve boom! Discounts UK to ensure that content is presented in the most effective manner for you and for your computer / device**;

• as part of our efforts to keep boom! Discounts UK safe and secure to comply with our legal obligations**/***;

• to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you. We, or our third party advertisers, may use your age or gender to determine whether advertising is relevant to you**;

• to make suggestions and recommendations to you and other users of boom! Discounts UK about goods or services that may interest you or them**/****.

Other information and uses

We will also collect the personal data you provide when you use boom! Discounts UK:

• to notify you about changes (permanent or temporary) to our service*.

• to ensure that content from our website is presented in the most effective manner for you and your computer*.

• to administer our website and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes, and as part of our efforts to keep our website safe and secure**.

Information we receive from other sources

We will combine information we receive from other sources (as set out in this Statement) with information you give to us. We will use this information and the combined information for the purposes set out in this Statement (depending upon the services you access).

Change of Purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and permitted under data protection laws. If we need to use your personal information for an unrelated purpose, in most cases we will notify you and we will explain the legal basis which allows us to do so.

Disclosures of Your Information

We use service providers to help us to run the website and deliver our services. These service providers will only receive your data if required for the service you are using. They include:

• Amazon Web Services EMEA SARL, a cloud hosting provider that runs the underlying servers for our website;

• Emailcenter UK, a transactional and bulk email gateway, used to send some of our email;

• Mailgun Technologies Inc., a transactional and bulk email gateway, used to send the majority of our email;

• Twilio Inc., a SMS / text-messaging gateway, used if you opt-in for a service that requires us to send you a text message;

• Zendesk Inc., a customer support platform;

• Atlassian Pty Ltd., a ticketing system for our internal teams, used in rare cases if you report a bug to us;

• WalkMe, Inc., Contextual help, support and assistance for boom! Discounts UK administrators only;

• Google Inc., a web analytics tool only used if you Consent to analytics cookies;

• FullStory Inc., an analytics service provider only used if you Consent to analytics cookies;

• Heap Inc., an analytics service provider only used if you Consent to analytics cookies;

• New Relic Inc., a performance measurement tool only used if you Consent to analytics cookies.
  
  

Use of Braze for Marketing and Customer Engagement

We use Braze, a customer engagement platform, to help us deliver personalized communications and improve the relevance of our marketing efforts. Braze allows us to analyse and understand how you interact with our communications and services, helping us create a more tailored experience.

Data Collected and Processed

In connection with our use of Braze, we may collect and process the following types of personal information:

• Contact information (e.g. email address, name, unique identifier, company name)

• Interaction data (e.g. open rates, clicks, or engagement with messages we send you)

• Usage data (e.g. information about how you use our website or app, if applicable)

Purpose of Processing

We use Braze to:

• Deliver personalised email, SMS, and in-app messages based on your preferences and activity.

• Track engagement and interaction to improve our messaging and enhance your experience.

• Conduct analytics to better understand the effectiveness of our communication and make improvements.

Data Sharing and Privacy Protections

Braze processes this data on our behalf and is obligated to comply with applicable data protection laws. We have a data processing agreement with Braze to ensure that your personal information is handled securely, and we regularly review their data protection practices.

Opting Out of Marketing Communications

You can opt out of receiving marketing communications at any time by following the unsubscribe link in any email we send or by contacting us directly. If you opt out, Braze will no longer process your data for marketing purposes on our behalf.

We also share your personal information with:

The Administrator

Because the administrator pays us to operate for you, they’ll want to know how the website is performing. Except as set out elsewhere in this Statement, we will only share information with the administrator on an aggregated and anonymous basis about how often you’ve used the website and what services you used. If you use our SmartSpending discounts product, we will not share information with the administrator about how much you’ve spent, where you shop, and how much you’ve saved as an individual, as we treat this as confidential.

Our Internal Teams and Prospective Retailers

We also use information about you on an aggregated and anonymised basis for internal management purposes, to, share it with current or prospective retailers and to use it to target offers that are made to users of boom! Discounts UK. This type of information includes, for example, the types of product that you purchase and the value of those purchases. However, you can’t be identified from this information.

Members of our Group

We share personal information with members of the Edenred SE group for the purposes of providing the benefits to you and managing our business and in particular the following entities: RG Engagement Group Ltd, Reward Gateway Pty Ltd, Reward Gateway (UK) Ltd Branch, Reward Gateway (USA) Inc, International Benefits Holdings Ltd, Asperity Employee Benefits Group Ltd

Other Parties

We will also disclose your personal information to third parties:

• in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets;

• if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets; and/or

• if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions and other agreements; or to protect the rights, property, or safety of us, our users, customers and providers. This will include sharing your information as part of a legal or official investigation if we have evidence or reason to suspect that transactions on your account could be fraudulent.
  
  

International Transfers of your Personal Data

Reward Gateway's commitment to data security and privacy is paramount. We host all our personal data in Ireland and Germany in a highly secure environment, ensuring it remains within the European Economic Area (EEA). Adhering to strict data protection regulations, we do not allow any technical access to personal data concerning citizens of the EEA from outside the EEA.

However, we engage with a select few US based technology providers as part of our workflow. These providers have undergone rigorous assessments and are carefully chosen to ensure they meet or exceed our high standards for data security and full compliance with our privacy and data protection commitments.

We can supply a copy of the EU Standard Contractual Clauses to you on request.

Your Rights

Data protection laws provide you with the following rights to:

• request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;

• request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;

• request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);

• request the restriction of processing of your personal information, for example if you want to establish its accuracy or the reason for processing it; and

• request the transfer of your personal information to another party.

You also have the right to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.

You also have the right to object where we are processing your personal information for direct marketing purposes.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Where we rely on your consent to process your personal data, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us using any of the details set out below in the “Contacting Us” section or change your preferences in the "Communication Preferences" section, under “My Account” within boom! Discounts UK. If we email you under the basis of Consent, there will always be a an easy way to opt out in the footer of the email.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

To Make Subject Access Request

If you would like to exercise any of your rights set out above, please use this secure link.

Please note that as the administrator may store other information from your use of this service, you should also contact them directly if you would like to exercise your rights in relation to the data held by them.

Alternatively please email dpo.uk@edenred.com.

Updating your information

It is important that the personal information we hold about you is accurate and current. Please keep your records on boom! Discounts UK up-to-date. If you wish to update or amend your personal data you may do so by making the change within your account once logged in or by contacting our Helpdesk. We will respond to your request within 5 working days.

Storage of your information

Unless we need to keep your data for legal purposes, we will only retain your personal information for 60 days after the administrator lets us know you no longer work for them or they decide to use a different service.

The legal purposes for which we may need to retain your data for include:

• retaining payment records for one year to comply with PCI DSS regulations;

• retaining backups for up-to 180 days after deprovisioning; and

• retaining your order history for two years from the date of your order in case of a dispute.

We may also retain anonymised data about you for longer periods for integrity and financial reporting purposes.

Recordings of calls are retained for 40 days and chat transcripts are retained for 90 days.

We take the security and confidentiality of your personal information very seriously. We will use strict procedures and security features to aim at preventing unauthorised access, such as secure software design, being ISO 27001 certified, strict access controls, penetration testing, the use of encryption and hashing and robust physical security controls.

You are also responsible for the security of your personal information by taking precautionary measures, such as keeping your account password confidential and using secure internet connections.

Changes to This Notice

Any changes we make to our Statement in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Statement.

Last Updated: 29th January, 2025

Contacting Us

If you have any queries, comments or requests regarding this Statement, or you would like to exercise any of your rights set out above, or contact our Data Protection Team, you can contact us in the following ways:

• by email at dpo.uk@edenred.com or:

• by post at Reward Gateway (UK) Ltd, Third Floor 1 Dean Street, London, W1D 3RB.
  
  

Other boom! Discounts UK Users

Some of the collaboration features on boom! Discounts UK display your name and profile picture to other boom! Discounts UK users. For example, if you comment on content, we will display your profile picture and name next to your comments so that other users understand who made the comment.

Important Notice. In connection with the acquisition of Reward Gateway (UK) Ltd by Edenred SE, the assets of Edenred (UK Group) Limited will in early January 2024, be transferred to Reward Gateway (UK) Ltd. As a consequence, Reward Gateway (UK) Ltd will become Data Controller of the personal data of Edenred (UK Group) Limited from the date of transfer. To ensure data subject rights remain fully respected in a consistent way, a single DPO has been appointed across both organisations, who can be contacted via the details listed below. Please be aware that the technical IT networks of Edenred (UK Group) Limited and Reward Gateway (UK) Ltd will remain completely segregated and air-gapped, such that there is no transmission of personal data between them other than any normally occurring network communication such as email. Clients and data subjects of Edenred (UK Group) Limited are reassured that the service provision will be identical. It will continue to be delivered by the same people and all personal data will continue to be processed in line with applicable standards and contracts in place. All data subject rights will continue to be fully respected.

-------------------------

Reward Gateway (USA) Inc (“we”, “us” or “our”) is committed to upholding your privacy and respect your rights under the Privacy Act 1974 and other applicable laws.

This Privacy Notice ("Notice") describes how any personally identifiable information (“PII”, “personal information”) we collect from you or from third parties, including Reward Gateway (the “administrator”) who we have entered into a License Agreement with, about you on this website (the “portal”, “boom! Discounts US”) will be processed by us.

In the event of a conflict between the terms of this Notice and the terms of the License Agreement, the License Agreement shall prevail.

The Type of Information We Collect From You and How We Use It

We will collect various types of personal information from you when you use boom! Discounts US, depending on the services which you use. Further details of how we use your personal data are set out below.

Before you register

The administrator has provided us with your information for an account to be created.

When you login

Each time you log in to boom! Discounts US, we automatically conduct checks against your Internet Protocol (IP) address to ensure your security. This includes looking up your IP address against a “proxy denylist” to check that someone is not using your credentials and trying to hide their location. This proxy denylist is operated by MaxMind, Inc. If your IP address appears on it, we will not allow you to login.

We also look up the IP address in a static database we download from MaxMind Inc. to check which country the IP is affiliated with. This helps us to further protect your account against people who may have access to your credentials. If we do spot a change, we will alert you and ask you to confirm your login in order to verify your identity before continuing.

This information along with time and event data (such as successful or failed logins) are also recorded in our database for audit purposes.

Depending on the services you use on boom! Discounts US, we may collect and process additional PII about you, as set out below.

When you use Cashback

If you visit a Cashback merchant on boom! Discounts US, we will record that you clicked and visited their website for the purpose of tracking the Cashback earned. We will provide the merchant with a pseudo-anonymous ‘click reference’ to allow us to attribute the purchase and Cashback to you.

If you have a problem with the merchant and your Cashback, we may need to provide them with additional information about your order to help. We will ask you for the minimum information we need to do this, but you will be responsible for the accuracy and level of detail it contains.

Each of these merchants are independent of boom! Discounts US so you should check their privacy terms to make sure you are happy with them before providing any other details to them.

When you withdraw your Cashback

If you make a request for a Cashback withdrawals to your bank account, you will need to provide your bank details for us to process the withdrawal but we will only store your bank details until the withdrawal is processed. They will be shared with our bank, HSBC, to process your request after which all the details will be destroyed.

Alternatively you will be able to withdraw your Cashback as part or full payment for goods on boom! Discounts US or ask us to donate it to the nominated charity on boom! Discounts US.

When you make a debit or credit card purchase

If you choose to purchase goods using a credit or debit card through boom! Discounts US, we will collect your payment details from you and pass them to Checkout.com, our secure payment processor, who will use them to process the payment and to comply with legal requirements. We do not store or process your credit or debit details on our servers.

We will also collect your delivery address from you, and use the contact details previously provided, to allow us to process the order.

If you opt-in to saving your credit or debit details for future use on boom! Discounts US, your personal information will be stored securely by Checkout.com and made available to you for future transactions. You can update or opt-out of saving details for future use at any time.

Where goods are dispatched by a third-party supplier, we may need to share your personal information with them to fulfil your order, such as your contact details and delivery address. This will be clearly indicated to you at the point of purchase. You will be able to review these suppliers’ privacy terms before any information is shared with them.

We will also carry out a fraud check during the order process. This check is carried out by our third party provider, Sift Science (“Sift Science”). Sift Science will only act in accordance with our instructions and how they will process your personal information is set out below.

Sift Science will collect information about your behavior on the portal (such as the length of time between logging in and reaching checkout), technical information about the device used (such as your browser version and IP address) and the details you enter at checkout (such as your contact details and delivery and billing address).

After you have placed your order and before goods are dispatched, Sift Science will use this information to provide us with a score based on the likelihood of fraud. The score provided determines whether your order is automatically accepted by us or queued for our human review. If it is queued for human review, we will carry out a manual fraud check to decide whether to accept or refuse your order or, in some circumstances, require payment to be made by an alternative, more secure mechanism such as a bank transfer. For more information about this processing activity, please contact us using the details provided at the end of this Notice in the “Contacting Us” section.

After too many failed orders

If too many failed orders originate from your account, we will automatically restrict access to your account. Before allowing you to access your account again, we will notify you and ask you for further supporting documents such as your utilities bill or payslip, as evidence that it is you attempting these orders. If these documents are not to our satisfaction, we may contact the administrator with the intention of verifying that it is you using your account in this way.

These supporting documents will only be used for the purpose of verifying your identity, will not be shared with any third parties and will only be retained by us until we have reviewed them, even if we are not satisfied with their legitimacy or authenticity.

You do not need to provide these supporting documents to us but, if you choose not to, then we will not be able to provide you with access to your account.

When you send an eCard or when you make a nomination

If you ask us to send an eCard, you will need to provide us with the name of the person you are sending the eCard to (“the recipient”). If the recipient has already registered on boom! Discounts US, we will send the eCard on your behalf to their registered email address.

If they have not already registered, you will also need to provide an email address which we will send the eCard on your behalf to. The recipient will be asked to confirm that they have read and understood this notice and agree to our Terms & Conditions before being able to view your message.

You must have the consent of the recipient to give us their name and, if applicable, email address and any personal information you disclose in your message to them. This information will also be disclosed to the administrator for the purposes of performance management.

When you complete a survey

If you complete a survey, all of the information that you provide will be provided to the administrator. Please be aware that the administrator controls the survey and what happens to the survey data, which may include using that data for research purposes or making the survey responses public.

We recommend that you contact the administrator to understand how they will use your survey responses. The administrator may decide to provide you with their own separate privacy Notice governing the use of your survey data.

When you contact us

If you contact us for support purposes, we will require some information to handle your query. The following data are saved in Zendesk to enable processing: your name, email address, telephone number, and any other personal information you provide to us for the purpose of dealing with your query.

When you visit boom! Discounts US

When you visit boom! Discounts US we will automatically collect information about your visit, such as the pages you viewed, offers or services you viewed or searched for, length of visits to certain pages, the times and dates of these actions, details of page response times and any download errors that occurred.

We will also collect data from the device and application that you use to access our services, including your IP address (from which we may infer your geographic location), login information and browser type.

If you arrive at our website from an external source (such as a link on another website or in an email) we record information about that source.

We will use the above information in order to:

• To administer boom! Discounts US and for internal operations, including troubleshooting, data analysis (including analysing the use of the various services available on boom! Discounts US and measuring their popularity and effectiveness), testing, research, statistical and survey purposes, and to comply with our legal obligations;

• To improve boom! Discounts US to ensure that content is presented in the most effective manner for you and for your computer / device;

• As part of our efforts to keep boom! Discounts US safe and secure to comply with our legal obligations;

• To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you. We, or our third party advertisers, may use your age or gender to determine whether advertising is relevant to you; and

• To make suggestions and recommendations to you and other users of boom! Discounts US about goods or services that may interest you or them.

Other information and uses

We will also collect the PII you provide when you use boom! Discounts US:

• To provide you with our newsletter and with information about other third party benefits we offer that are similar to those you have already used or enquired about or that we feel may interest you.

• To notify you about changes (permanent or temporary) to our service.

• To ensure that content from our website is presented in the most effective manner for you and your computer.

• To administer our website and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes, and as part of our efforts to keep our website safe and secure.

Interaction with Children Online

We do not knowingly collect personal information on children. The content of our website and the products and services available are not intended for, or directed to, children. If you are under 13 years of age, then please do not use or access our website at any time or in any manner.

Information we receive from other sources

We will combine information we receive from other sources (as set out in this Notice) with information you give to us. We will use this information and the combined information for the purposes set out in this Notice (depending upon the services you access).

Change of Purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and permitted under applicable laws. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Disclosures of Your Information

We use service providers to help us to provide the website, such as data storage providers, marketing email providers, analysis providers and benefit providers:

• Amazon Web Services EMEA SARL, a cloud hosting provider;

• Emailcenter UK, a transactional and bulk email gateway;

• Google Inc., a web analytics tool;

• FullStory Inc., an analytics service provider;

• Heap, Inc., an analytics service provider;

• New Relic Inc., a performance measurement tool;

• Twilio Inc., a SMS / text-messaging gateway;

• Formstack, LLC, a configurable data-capture provider;

• Zendesk Inc., a customer support platform;

• Atlassian Pty Ltd., a ticketing system for our internal teams;

• Mailgun Technologies Inc., a transactional and bulk email gateway;

• WalkMe, Inc., Contextual help, support and assistance for administrators.
  
  

Use of Braze for Marketing and Customer Engagement

We use Braze, a customer engagement platform, to help us deliver personalized communications and improve the relevance of our marketing efforts. Braze allows us to analyse and understand how you interact with our communications and services, helping us create a more tailored experience.

Data Collected and Processed

In connection with our use of Braze, we may collect and process the following types of personal information:

• Contact information (e.g. email address, name, unique identifier, company name)

• Interaction data (e.g. open rates, clicks, or engagement with messages we send you)

• Usage data (e.g. information about how you use our website or app, if applicable)

Purpose of Processing

We use Braze to:

• Deliver personalised email, SMS, and in-app messages based on your preferences and activity.

• Track engagement and interaction to improve our messaging and enhance your experience.

• Conduct analytics to better understand the effectiveness of our communication and make improvements.

Data Sharing and Privacy Protections

Braze processes this data on our behalf and is obligated to comply with applicable data protection laws. We have a data processing agreement with Braze to ensure that your personal information is handled securely, and we regularly review their data protection practices.

Opting Out of Marketing Communications

You can opt out of receiving marketing communications at any time by following the unsubscribe link in any email we send or by contacting us directly. If you opt out, Braze will no longer process your data for marketing purposes on our behalf.

We also share your personal information with:

The Administrator

Because the administrator pays us to operate boom! Discounts US for you, they’ll want to know how the website is performing. Except as set out elsewhere in this Notice, we will only share information with the administrator on an aggregated and anonymous basis about how often you’ve used the website and what services you used.

Our Internal Teams

We also use information about you on an aggregated and anonymized basis for internal management purposes. This type of information includes, for example, the number of activities you complete. However, you can’t be identified from this information.

Members of our Group

We share personal information with members of our group for the purposes of providing the benefits to you and managing our business: RG Engagement Group Ltd, Reward Gateway Pty Ltd, Reward Gateway (USA) Inc, Reward Gateway (UK) Ltd Branch, International Benefits Holdings Ltd., Asperity Employee Benefits Group Ltd

Other Parties

We will also disclose your personal information to third parties:

• in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the prospective seller or buyer of such business or assets;

• if we or substantially all of our assets are acquired by a third party, in which case PII held by us about our customers will be one of the transferred assets; and/or

• if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions and other agreements; or to protect the rights, property, or safety of us, our users, customers and providers. This will include sharing your personal information as part of a legal or official investigation if we have evidence or reason to suspect that purchases on your account could be fraudulent.
  
  

Transfers of Your Information

Your information, including PII, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this notice, and applicable law, and no transfer of your personal information will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

We remain fully accountable for these transfers.

Your Choices

To withdraw your consent in relation to direct marketing, please contact us using any of the details set out below in the “Contacting Us” section or change your preferences in the “My Account” section of boom! Discounts US.

California Privacy Rights

Under California law you are entitled to certain rights and disclosures. Please read our California Privacy Policy for more information.

Residents of the European Economic Area (EEA) and The United Kingdom (UK)

If you are located in the EEA and UK, applicable EU/UK and Member State data protection laws provide certain rights to you. These include the rights to:

• Request details about the personal data that we process, and obtain a copy of the data that we hold about you;

• Correct or update your personal data;

• Port personal data that has been provided by you, in machine readable format, to another supplier

• Erase the data that we hold about you in some cases;

• Restrict processing in some cases;

• Object to processing based on grounds relating to the individual’s particular situation, where the processing is based on legitimate interest;

These rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation and the laws and regulations to which we are subject.

We will only collect personal information from you where we need the personal information to enter into a contract or perform a contract with you (e.g. to provide you with a service), where the processing is in our legitimate interests when your interests and fundamental rights do not override those interests, where we have your consent, or where we have a legal obligation to collect and process personal information.

Where the provision of data is necessary to enter into a contract with us or for us to perform a contract with you and you choose not to provide the information we will not be able to provide our services to you.

You have the right to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party), which is not overridden by your data protection interests or fundamental rights and freedoms. In particular we process your personal data to pursue the following legitimate interests:

• To prevent fraud on our platform;

• To provide customized communications, marketing, and advertising;

• To provide reporting and analytics;

• To provide troubleshooting, technical support, or to answer questions;

• To trial new features or additional services; and

• To help improve our services, applications, and websites.

Where we rely on your consent to process your personal data, you may decline to give your consent, or withdraw your consent for that specific processing at any time.

In some cases, we may also have a legal obligation to collect personal information from you.

If you have questions about the legal basis on which we collect and use your personal information or if you wish to assert your rights, please contact us using the contact details provided under the “Contact Us” section below.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a measure to ensure that personal information is not disclosed to any person who has no right to receive it.

To Make Subject Access Request

If you would like to exercise any of your rights set out above, please use this secure link.

Please know that you also have the right to submit a complaint concerning our processing of your personal data to the appropriate supervisory authority.

Resolving your privacy concerns and complaints

If you have a question or complaint about how your personal information is being handled by us, our affiliates or contracted service providers, please contact us using the contact details provided below.

Please note that as the administrator may store other information from your use of this service, you should also contact them directly if you would like to exercise your rights in relation to the data held by them.

Updating your information

It is important that the personal information we hold about you is accurate and current. Please keep your records on boom! Discounts US up-to-date. If you wish to update or amend your personally identifiable information or data you may do so by making the change within your account once logged in or by contacting our Helpdesk. We will respond to your request within 5 working days.

Storage of your information

Unless we need to keep your data for legal purposes, we will only retain your personal information for 60 days after the administrator lets us know you no longer have a relationship with them or they decide to use a different service.

The legal purposes for which we may need to retain your data for include:

• retaining payment records for one year to comply with PCI DSS regulations;

• retaining backups for up-to 180 days after deprovisioning; and

• retaining your order history for two years from the date of your order in case of a dispute.

We may also retain anonymized data about you for longer periods for integrity and financial reporting purposes.

Recordings of calls are retained for 40 days and chat transcripts are retained for 90 days.

We take the security and confidentiality of your personal information very seriously. We will use strict procedures and security features to aim at preventing unauthorized access, such as implementing ISO 27001 standards, access controls, penetration testing, the use of encryption and hashing and robust physical security controls.

EU-U.S. Data Privacy Framework

Reward Gateway US Inc complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.

Reward Gateway US Inc has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit: Data Privacy Framework Website.

Reward Gateway US Inc is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC),

Reward Gateway US Inc is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to your organization and following the procedures and subject to conditions set forth in Annex I of Principles

Reward Gateway US Inc is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Reward Gateway US Inc is liable in cases of onward transfers to third parties.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Reward Gateway US Inc commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

Changes to This Notice

Any changes we make to our Notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Notice.

Last Updated: January 29th, 2025

Contacting Us

If you have any queries, comments or requests regarding this Notice, or you would like to exercise any of your rights set out above, or contact our Data Protection Team, you can contact us in the following ways:

• by email at dpo.uk@edenred.com or:

• by post at Reward Gateway (USA) Inc., 141 Tremont Street, Boston, MA 02111.

What we do at MoveSpring

At MoveSpring, a Reward Gateway | Edenred company, our mission is to make fitness fun and accessible for individuals of all activity levels. We aim to empower people to lead a healthier life and provide a community that supports them along their fitness journey.

To provide this Service to you, we collect some information about you. We appreciate that you share this information with us. We work hard to make sure your information is secure and private. We also want to be transparent with you on what we collect, how we use it and what you can do to control your information.

How we gather information

Information you provide us

• Account Information: You provide us with information when you create an account such as your name, email, username, and password. This information is required for account creation. You may also share a profile photo and your activity preferences.

• Additional Information: When you use our Service and interact with certain features, you may choose to provide us with additional information such as chats, messages on group threads or discussion boards, comments, likes, and logs for things like your mood, food, or other specified habits.

  If you contact us or participate in a survey, contest or promotion, we gather the information you provide such as name, contact info, organization or company name, and message.

• Payment and Card Information: If you give us credit card information, we use it solely to check your financial qualifications and collect payment from you. We use a third-party service provider to manage credit card processing. This service provider is not permitted to store, retain, or use information you provide except for the sole purpose of credit card processing on our behalf.

Information from using our services

• Device and Activity Information: Your fitness tracking device or mobile smartphone collects data to estimate a variety of metrics like your steps, distance traveled and active minutes moved. Not every device tracks every one of these metrics. The data collected varies depending on the device you use. When your device syncs with our applications and software, data recorded on your device is transferred from your device or device app to our service.

  When you pair your device to your account, you grant us access to your exercise or activity data from that device service. You can use your account settings and tools to withdraw this consent at any time by stopping use of a feature, removing our access to a third-party service, unpairing your device, or deleting your data or your account.

• Location Information: We collect your timezone. This is either gathered from your mobile device, your connected fitness device or is manually set by you. We use timezone to allow challenges to start and end locally at the same time for everyone participating in the challenge. You can change your timezone at any time in your profile settings.

• Usage information: When you access or use our Services, we retain certain usage data. This includes information about your interaction with our Services such as how long you’re in our app or what you’re viewing in our app.

  We also collect data about the devices and computers you use to access our Services, including IP addresses, browser type, language, operating system, fitness device type or mobile device information, the referring web page and pages visited.
  
  

How we use information

Provide and maintain our services

We use things like your activity information, username, and location to run things like challenges, groups and other core services listed in our Terms & Services. This includes things like scoring your activity in a challenge, populating your dashboard and personal trends, enabling our community features, and providing you with support.

Develop and improve our services

By using our product, you’re constantly helping us to improve! We take a look at what is resonating with most of our users to ensure we can continue to create useful features that you love. We’re always looking to make our existing features better and how you interact with our product helps us decide what improvements should be made.

Communicate with you

We use your information to communicate important service, account or support updates. This allows us to provide relevant information about our product and to respond to you when you contact us. You can always turn off your marketing preferences by unsubscribing at the bottom of emails and by adjusting your app notifications in your profile settings.

Keep our services safe and secure

It’s important that you’re always safe and secure when using our services. We use some of your information to ensure we are only allowing secure usage by authenticating your account details, protecting against fraud and abuse and enforcing our terms and policies.

How we protect your data

We work hard to keep your data safe by implementing appropriate technology safeguards, security policies, and other measures. This includes using a combination of technical, administrative, and physical controls, such as suitable access controls, robust physical security measures, and encryption, including Transport Layer Security (TLS), for many of our services. Additionally, we ensure that all employees and others who access or process your data respect your confidentiality. While no method of transmitting or storing data is completely secure, if you have any security-related concerns, please contact customer support.

How we share information

When you agree or ask us to share

If you choose to participate in a challenge, information like your profile photo, posted messages, total steps in the challenge, personal statistics, and achievements will be visible to all other challenge participants.

If you sign up for our service through an employer or organization, remember that their use of your information will be governed by their privacy policies and terms. You can revoke your consent to share with organizational or employee wellness programs by deleting your personal account or asking your administrator to remove you from the organization account.

MoveSpring does not control the way our organizational clients or admins use our tool. They control the configuration of groups, challenges, content, and communications associated with hosting a wellness program.

Corporate Events

If we (or our assets) are acquired by another company, whether by merger, acquisition, bankruptcy or otherwise, that company would receive all information gathered by MoveSpring. If this does occur, you will be notified of any change in ownership, uses of your personal information, and choices you may have regarding your personal information.

Compelled Disclosure

We reserve the right to use or disclose your personal information if required by law or if we reasonably believe that use or disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a law, court order, or legal process.

We never sell personal information

We will not sell, rent, transfer, or disclose your personal information to advertisers or other third parties.

Cookies and similar technologies

We use cookies or similar technologies (such as web beacons) to analyze trends, administer our services, track users’ movements around the website and app, and to gather demographic information about our user base as a whole. View our full list of cookie technologies below.

How you control your information

Our goal is to make control over your information simple. You can easily edit your information in your profile:

• Update your name, email, username, and timezone.

• Choose to set your profile to private.

• Completely delete your account at any time. MoveSpring will delete all your information within 60 days.

For client challenges, your challenge admin has access to the same information you share with MoveSpring. You can opt out of this information being shared at any time by asking to be removed from their group.

If you’re participating as part of an organizational client who chooses to end their service with us, we will delete your data within 60 days of the client service termination.

How you can learn more

If you have any comments or requests regarding this Privacy Policy, subject access requests or have any data protection enquiries or queries, you can contact our Data Protection Officer:

• By email at ailine.fachinetti@edenred.com

Changes to our Privacy Policy

If we decide to change our Privacy Policy, we will post the changes here and, where appropriate, notify you by email. Please check back frequently to see any updates or changes to our Privacy Policy.

Last updated: March 3rd, 2025