Privacy Policy

Important Notice. In connection with the acquisition of Reward Gateway (UK) Ltd by Edenred SE, the assets of Edenred (UK Group) Limited were in January 2024, transferred to Reward Gateway (UK) Ltd. As a consequence, Reward Gateway (UK) Ltd became the Data Controller of the personal data of Edenred (UK Group) Limited from the date of transfer. To ensure data subject rights remain fully respected in a consistent way, a single DPO has been appointed across both organisations, who can be contacted at dpo.uk@edenred.com or privacy-requests@rewardgateway.com.

If Clients and Data Subjects who are being migrated over from the Edenred (UK Group) Ltd platform from March 11, 2024 have questions concerning the privacy and security aspects of the Reward Gateway (UK) Ltd platform please also visit https://trust.rewardgateway.com which provides comprehensive and detailed information concerning the compliance and assurance status of the platform.

-------------------------

Reward Gateway UK Limited (“Reward Gateway”, “we”, “us” or “our”) knows that you care how information about you is used and shared and we are careful to ensure that any such information that comes into our possession is properly looked after. This Privacy Policy sets out the basis on which any personal data we collect from or about you on our website, www.rewardgateway.com/uk, will be processed by us. It also sets out the steps that we take to ensure that any information provided to us is kept secure and is used only for the purposes for which it is provided.

We will be the data controller of your personal data which you provide to us or which is collected by us via our website. This means that we are responsible for deciding how we hold and use personal information about you and that we are required to notify you of the information contained in this Privacy Policy. It is important that you read this Privacy Policy so that you are aware of how and why we use your personal information and how we will treat it.

Reward Gateway has appointed a Data Protection Team, who can be contacted using the details at the end of this Notice should you have any questions, complaints or feedback about your privacy.

You can also contact us using the details provided at the end of this Privacy Policy in the “Contacting Us” section.

Personal Information

When you communicate with us via our website, for example, by submitting a query, requesting a demo, subscribing to our blog, commenting on a blog post or using the chat function, we will collect the personal information that you provide to us for that purpose. You don’t have to give us any of this personal information but, if you don’t provide us with certain information, we may not be able to provide you with the information or service you have requested from us. The forms you fill in on our website will make it clear what information we need in order to provide the information or service you are requesting and what information you can choose to provide if you wish.

We will also collect technical information about your equipment, browsing actions and patterns to serve more relevant content to you on the site. We collect this personal data by using cookies, server logs and other technologies and full details as to how we use cookies can be found in our Cookie Policy.

We will only use your personal data to send you our newsletter and blog updates where you have consented to us doing so. Otherwise, we will collect and process the information set out above about you on the basis that it is in our legitimate interests to use your data for the purposes set out below, and those interests are not overridden by your interests and fundamental rights. 

Much of the information we hold will have been provided by you, but some may come from other internal sources, such as a Sales representative, or in some cases, external sources, such as marketing or event management agencies. We will combine information we receive from other sources (as set out in this Notice) with information you give to us. We will only use this information and the combined information for the purposes set out in this Notice.

Purposes for which Personal Information may be used

The personal information that you provide to us or which we collect about you via our website will be used only for the following purposes:

1. To provide information or services to you as requested by you.

2. To the extent permitted by law, to let you know about information and services from Reward Gateway in which you may be interested including via our newsletter.

3. To review and understand the content on our website which users are most interested in.

4. To improve the content of our website.

5. To customise the content and /or layout of the website for each individual user.

6. To notify you about updates to the website.
   
   

Automated Decision Making

We do not carry out any solely automated decision-making using your personal information.

Change of Purpose

We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and permitted under data protection laws. If we need to use your personal information for an unrelated purpose, in most cases we will notify you and we will explain the legal basis which allows us to do so.

Disclosure

As of the date of this Privacy Policy, we share your personal data with the following trusted third parties for the purposes of managing our business and providing the information and services you request from us:

1. Member of the Edenred SE group of companies including RG Engagement Group Ltd, Reward Gateway (Australia) Pty Ltd, Reward Gateway (USA) Inc, International Benefits Holdings Ltd., Asperity Employee Benefits Group Ltd, our group companies;

2. Google Analytics, our web analytics provider;

3. HubSpot, our lead generation provider and website host;

4. Cvent, our event management platform provider; 

5. Salesforce, our customer and prospect record management system provider.

When we do share your data with these third parties we only provide the information they need to perform the service. We have written contracts in place with them to ensure they only use your data for the purpose we specify to them and that your privacy is secure and respected.

We will also disclose your personal information to third parties:

• In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets;

• If we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets; and/or

• If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use and other agreements; or to protect the rights, property, or safety of us, our users, customers and providers. This will include sharing your information as part of a legal or official investigation if legally required to do so.
  
  

International Transfers

Reward Gateway's commitment to data security and privacy is paramount. We host all our personal data in Ireland and Germany in a highly secure environment, ensuring it remains within the European Economic Area (EEA). Adhering to strict data protection regulations, we do not allow any technical access to personal data concerning citizens of the EEA from outside the EEA.

However, we engage with a select few US based technology providers as part of our workflow. These providers have undergone rigorous assessments and are carefully chosen to ensure they meet or exceed our high standards for data security and full compliance with our privacy and data protection commitments.

We can supply a copy of the EU Standard Contractual Clauses to you on request.

UK-U.S. Data Privacy Framework

Reward Gateway US Inc complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.

Reward Gateway US Inc is in the process of certifying to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S.DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data privacy framework website.

Reward Gateway US Inc is subject to the  investigatory and enforcement powers of the Federal Trade Commission (FTC).

Reward Gateway US Inc is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to your organization and following the procedures and subject to conditions set forth in Annex I of Principles.

Reward Gateway US Inc is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Reward Gateway US Inc is liable in cases of onward transfers to third parties.

In compliance with the UK Extension to the EU-U.S. DPF, Reward Gateway US Inc commits to cooperate and comply respectively with the advice of the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the UK Extension to the EU-U.S. DPF.

Retention of Information

Unless we need to keep your data for legal purposes (such as to defend against a legal claim), we will only retain your personal information for 24 months from your last interaction with us, for example, when you opted in or when you submitted a query on our website.

Protection of Information

We have implemented appropriate technology safeguards, security policies and other measures to protect data under our control from unauthorised access, improper use, alteration, unlawful or accidental destruction or accidental loss. These include being ISO 27001 certified, implementing suitable access controls, and ensuring that encryption and hashing are used and robust physical security controls are in place. We also protect your information by requiring that all our employees and others who have access to or are associated with the processing of your data respect your confidentiality.

Your Rights

Data protection laws provide you with the following rights to:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;

• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;

• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);

• Request the restriction of processing of your personal information, for example if you want to establish its accuracy or the reason for processing it; and

• Obtain a copy of the personal information you’ve provided us with and to reuse it elsewhere or to ask us to transfer it to a third party of your choice.

You also have the right to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object to where we are processing your personal information for direct marketing purposes.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Where we rely on your consent to process your personal data, for example in relation to any direct marketing we provide to you, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent in relation to direct marketing, please contact us using any of the details set out below in the “Contacting Us” section.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance.

To make a Subject Access Request:

If you would like to exercise any of your rights set out above, please use this secure link.

Changes to our Privacy Policy

If we decide to change our Privacy Policy we will post the changes here and, where appropriate, notify you by email. Please check back frequently to see any updates or changes to our Privacy Policy.

Privacy Policy last updated: 1st August, 2024

Contacting Us

If you have any comments or requests regarding this Privacy Policy or have any data protection enquiries or queries, you can contact us in the following ways:

• By email at privacy-requests@rewardgateway.com or;

• By post at Reward Gateway (UK) Ltd, 265 Tottenham Court Road, London, W1T 7RQ.

What we do at MoveSpring

At MoveSpring, a Reward Gateway | Edenred company, our mission is to make fitness fun and accessible for individuals of all activity levels. We aim to empower people to lead a healthier life and provide a community that supports them along their fitness journey.

To provide this Service to you, we collect some information about you. We appreciate that you share this information with us. We work hard to make sure your information is secure and private. We also want be transparent with you on what we collect, how we use it and what you can do to control your information.

How we gather information

Information you provide us

• Account Information: You provide us with information when you create an account such as your name, email, username, and password. This information is required for account creation. You may also share a profile photo and your activity preferences.

• Additional Information: When you use our Service and interact with certain features, you may choose to provide us with additional information such as chats, messages on group threads or discussion boards, comments, likes, and logs for things like your mood, food, or other specified habits.

  If you contact us or participate in a survey, contest or promotion, we gather the information you provide such as name, contact info, organization or company name, and message.

• Payment and Card Information: If you give us credit card information, we use it solely to check your financial qualifications and collect payment from you. We use a third-party service provider to manage credit card processing. This service provider is not permitted to store, retain, or use information you provide except for the sole purpose of credit card processing on our behalf.

Information from using our services

• Device and Activity Information: Your fitness tracking device or mobile smartphone collects data to estimate a variety of metrics like your steps, distance traveled and active minutes moved. Not every device tracks every one of these metrics. The data collected varies depending on the device you use. When your device syncs with our applications and software, data recorded on your device is transferred from your device or device app to our service.

  When you pair your device to your account, you grant us access to your exercise or activity data from that device service. You can use your account settings and tools to withdraw this consent at any time by stopping use of a feature, removing our access to a third-party service, unpairing your device, or deleting your data or your account.

• Location Information: We collect your timezone. This is either gathered from your mobile device, your connected fitness device or is manually set by you. We use timezone to allow challenges to start and end locally at the same time for everyone participating in the challenge. You can change your timezone at any time in your profile settings.

• Usage information: When you access or use our Services, we retain certain usage data. This includes information about your interaction with our Services such as how long you’re in our app or what you’re viewing in our app.

  We also collect data about the devices and computers you use to access our Services, including IP addresses, browser type, language, operating system, fitness device type or mobile device information, the referring web page and pages visited.
  
  

How we use information

Provide and maintain our services

We use things like your activity information, username, and location to run things like challenges, groups and other core services listed in our Terms & Services. This includes things like scoring your activity in a challenge, populating your dashboard and personal trends, enabling our community features, and providing you with support.

Develop and improve our services

By using our product, you’re constantly helping us to improve! We take a look at what is resonating with most of our users to ensure we can continue to create useful features that you love. We’re always looking to make our existing features better and how you interact with our product helps us decide what improvements should be made.

Communicate with you

We use your information to communicate important service, account or support updates. This allows us to provide relevant information about our product and to respond to you when you contact us. You can always turn off your marketing preferences by unsubscribing at the bottom of emails and by adjusting your app notifications in your profile settings.

Keep our services safe and secure

It’s important that you’re always safe and secure when using our services. We use some of your information to ensure we are only allowing secure usage by authenticating your account details, protecting against fraud and abuse and enforcing our terms and policies.

How we protect your data

We work hard to keep your data safe by implementing appropriate technology safeguards, security policies, and other measures. This includes using a combination of technical, administrative, and physical controls, such as suitable access controls, robust physical security measures, and encryption, including Transport Layer Security (TLS), for many of our services. Additionally, we ensure that all employees and others who access or process your data respect your confidentiality. While no method of transmitting or storing data is completely secure, if you have any security-related concerns, please contact customer support.

How we share information

When you agree or ask us to share

If you choose to participate in a challenge, information like your profile photo, posted messages, total steps in the challenge, personal statistics, and achievements will be visible to all other challenge participants.

If you sign up for our service through an employer or organization, remember that their use of your information will be governed by their privacy policies and terms. You can revoke your consent to share with organizational or employee wellness programs by deleting your personal account or asking your administrator to remove you from the organization account.

MoveSpring does not control the way our organizational clients or admins use our tool. They control the configuration of groups, challenges, content, and communications associated with hosting a wellness program.

Corporate Events

If we (or our assets) are acquired by another company, whether by merger, acquisition, bankruptcy or otherwise, that company would receive all information gathered by MoveSpring. If this does occur, you will be notified of any change in ownership, uses of your personal information, and choices you may have regarding your personal information.

Compelled Disclosure

We reserve the right to use or disclose your personal information if required by law or if we reasonably believe that use or disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a law, court order, or legal process.

We never sell personal information

We will not sell, rent, transfer, or disclose your personal information to advertisers or other third parties.

Cookies and similar technologies

We use cookies or similar technologies (such as web beacons) to analyze trends, administer our services, track users’ movements around the website and app, and to gather demographic information about our user base as a whole. View our full list of cookie technologies below.

How you control your information

Our goal is to make control over your information simple. You can easily edit your information in your profile:

• Update your name, email, username, and timezone.

• Choose to set your profile to private.

• Completely delete your account at any time. MoveSpring will delete all your information within 30 days.

For client challenges, your challenge admin has access to the same information you share with MoveSpring. You can opt out of this information being shared at any time by asking to be removed from their group.

If you’re participating as part of an organizational client who chooses to end their service with us, we will delete your data within 30 days of the client service termination.

How you can learn more

Our Data Protection Officer can be contacted as follows:

• Telephone: +353 1 678 8997

• Email: dpo@xpertdpo.com

• Post: XpertDPO Ltd. 20 Harcourt Street, Dublin, D02 H364, Ireland
  
  

Changes to our Privacy Policy

If we decide to change our Privacy Policy, we will post the changes here and, where appropriate, notify you by email. Please check back frequently to see any updates or changes to our Privacy Policy.

Last updated: September 25th, 2024