Privacy Policy
Important Notice. In connection with the acquisition of Reward Gateway (UK) Ltd by Edenred SE, the assets of Edenred (UK Group) Limited were in January 2024, transferred to Reward Gateway (UK) Ltd. As a consequence, Reward Gateway (UK) Ltd became the Data Controller of the personal data of Edenred (UK Group) Limited from the date of transfer. To ensure data subject rights remain fully respected in a consistent way, a single DPO has been appointed across both organisations, who can be contacted at dpo.uk@edenred.com or privacy-requests@rewardgateway.com.
If Clients and Data Subjects who are being migrated over from the Edenred (UK Group) Ltd platform from March 11, 2024 have questions concerning the privacy and security aspects of the Reward Gateway (UK) Ltd platform please also visit https://trust.rewardgateway.com which provides comprehensive and detailed information concerning the compliance and assurance status of the platform.
--
Reward Gateway UK Limited (“Reward Gateway”, “we”, “us” or “our”) knows that you care how information about you is used and shared and we are careful to ensure that any such information that comes into our possession is properly looked after. This Privacy Policy sets out the basis on which any personal data we collect from or about you on our website, www.rewardgateway.com/uk, will be processed by us. It also sets out the steps that we take to ensure that any information provided to us is kept secure and is used only for the purposes for which it is provided.
We will be the data controller of your personal data which you provide to us or which is collected by us via our website. This means that we are responsible for deciding how we hold and use personal information about you and that we are required to notify you of the information contained in this Privacy Policy. It is important that you read this Privacy Policy so that you are aware of how and why we use your personal information and how we will treat it.
Reward Gateway has appointed a Data Protection Team, who can be contacted using the details at the end of this Notice should you have any questions, complaints or feedback about your privacy.
You can also contact us using the details provided at the end of this Privacy Policy in the “Contacting Us” section.
Personal Information
When you communicate with us via our website, for example, by submitting a query, requesting a demo, subscribing to our blog, commenting on a blog post or using the chat function, we will collect the personal information that you provide to us for that purpose. You don’t have to give us any of this personal information but, if you don’t provide us with certain information, we may not be able to provide you with the information or service you have requested from us. The forms you fill in on our website will make it clear what information we need in order to provide the information or service you are requesting and what information you can choose to provide if you wish.
We will also collect technical information about your equipment, browsing actions and patterns to serve more relevant content to you on the site. We collect this personal data by using cookies, server logs and other technologies and full details as to how we use cookies can be found in our Cookie Policy.
We will only use your personal data to send you our newsletter and blog updates where you have consented to us doing so. Otherwise, we will collect and process the information set out above about you on the basis that it is in our legitimate interests to use your data for the purposes set out below, and those interests are not overridden by your interests and fundamental rights.
Much of the information we hold will have been provided by you, but some may come from other internal sources, such as a Sales representative, or in some cases, external sources, such as marketing or event management agencies. We will combine information we receive from other sources (as set out in this Notice) with information you give to us. We will only use this information and the combined information for the purposes set out in this Notice.
Purposes for which Personal Information may be used
The personal information that you provide to us or which we collect about you via our website will be used only for the following purposes:
- To provide information or services to you as requested by you.
- To the extent permitted by law, to let you know about information and services from Reward Gateway in which you may be interested including via our newsletter.
- To review and understand the content on our website which users are most interested in.
- To improve the content of our website.
- To customise the content and /or layout of the website for each individual user.
- To notify you about updates to the website.
Automated Decision Making
We do not carry out any solely automated decision-making using your personal information.
Change of Purpose
We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and permitted under data protection laws. If we need to use your personal information for an unrelated purpose, in most cases we will notify you and we will explain the legal basis which allows us to do so.
Disclosure
As of the date of this Privacy Policy, we share your personal data with the following trusted third parties for the purposes of managing our business and providing the information and services you request from us:
- Member of the Edenred SE group of companies including RG Engagement Group Ltd, Reward Gateway (Australia) Pty Ltd, Reward Gateway (USA) Inc, International Benefits Holdings Ltd., Asperity Employee Benefits Group Ltd, our group companies;
- Google Analytics, our web analytics provider;
- CrazyEgg, an analytics service provider;
- Hubspot, our lead generation provider;
- Drift, our chat provider;
- Cvent, our event management platform provider;
- Salesforce, our customer and prospect record management system provider.
Use of Braze for Marketing and Customer Engagement
We use Braze, a customer engagement platform, to help us deliver personalized communications and improve the relevance of our marketing efforts. Braze allows us to analyse and understand how you interact with our communications and services, helping us create a more tailored experience.
Data Collected and Processed
In connection with our use of Braze, we may collect and process the following types of personal information:
- Contact information (e.g. email address, name, unique identifier, company name)
- Interaction data (e.g. open rates, clicks, or engagement with messages we send you)
- Usage data (e.g. information about how you use our website or app, if applicable)
Purpose of Processing
We use Braze to
- Deliver personalised email, SMS, and in-app messages based on your preferences and activity.
- Track engagement and interaction to improve our messaging and enhance your experience.
- Conduct analytics to better understand the effectiveness of our communication and make improvements.
Data Sharing and Privacy Protections
Braze processes this data on our behalf and is obligated to comply with applicable data protection laws. We have a data processing agreement with Braze to ensure that your personal information is handled securely, and we regularly review their data protection practices.
Opting Out of Marketing Communications
You can opt out of receiving marketing communications at any time by following the unsubscribe link in any email we send or by contacting us directly. If you opt out, Braze will no longer process your data for marketing purposes on our behalf.
When we do share your data with these third parties we only provide the information they need to perform the service. We have written contracts in place with them to ensure they only use your data for the purpose we specify to them and that your privacy is secure and respected.
We will also disclose your personal information to third parties:
- In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets;
- If we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets; and/or
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use and other agreements; or to protect the rights, property, or safety of us, our users, customers and providers. This will include sharing your information as part of a legal or official investigation if legally required to do so.
International Transfers
Reward Gateway's commitment to data security and privacy is paramount. We host all our personal data in Ireland and Germany in a highly secure environment, ensuring it remains within the European Economic Area (EEA). Adhering to strict data protection regulations, we do not allow any technical access to personal data concerning citizens of the EEA from outside the EEA.
However, we engage with a select few US based technology providers as part of our workflow. These providers have undergone rigorous assessments and are carefully chosen to ensure they meet or exceed our high standards for data security and full compliance with our privacy and data protection commitments.
We can supply a copy of the EU Standard Contractual Clauses to you on request.
UK-U.S. Data Privacy Framework
Reward Gateway US Inc complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.
Reward Gateway US Inc is in the process of certifying to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S.DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.
If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data privacy framework website.
Reward Gateway US Inc is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Reward Gateway US Inc is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to your organization and following the procedures and subject to conditions set forth in Annex I of Principles.
Reward Gateway US Inc is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Reward Gateway US Inc is liable in cases of onward transfers to third parties.
In compliance with the UK Extension to the EU-U.S. DPF, Reward Gateway US Inc commits to cooperate and comply respectively with the advice of the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the UK Extension to the EU-U.S. DPF.
Retention of Information
Unless we need to keep your data for legal purposes (such as to defend against a legal claim), we will only retain your personal information for 24 months from your last interaction with us, for example, when you opted in or when you submitted a query on our website.
Protection of Information
We have implemented appropriate technology safeguards, security policies and other measures to protect data under our control from unauthorised access, improper use, alteration, unlawful or accidental destruction or accidental loss. These include being ISO 27001 certified, implementing suitable access controls, and ensuring that encryption and hashing are used and robust physical security controls are in place. We also protect your information by requiring that all our employees and others who have access to or are associated with the processing of your data respect your confidentiality.
Your Rights
Data protection laws provide you with the following rights to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
- Request the restriction of processing of your personal information, for example if you want to establish its accuracy or the reason for processing it; and
- Obtain a copy of the personal information you’ve provided us with and to reuse it elsewhere or to ask us to transfer it to a third party of your choice.
You also have the right to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object to where we are processing your personal information for direct marketing purposes.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Where we rely on your consent to process your personal data, for example in relation to any direct marketing we provide to you, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent in relation to direct marketing, please contact us using any of the details set out below in the “Contacting Us” section.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance.
To Make Subject Access Request
If you would like to exercise any of your rights set out above, please use this secure link.
Changes to our Privacy Policy
If we decide to change our Privacy Policy we will post the changes here and, where appropriate, notify you by email. Please check back frequently to see any updates or changes to our Privacy Policy.
Contacting Us
If you have any comments or requests regarding this Privacy Policy or have any data protection enquiries or queries, you can contact us in the following ways:
- By email at dpo.uk@edenred.com or;
- By post at Reward Gateway (UK) Ltd, Third Floor, 1 Dean Street, London, W1D 3RB