Privacy Policy
Last updated: June 2026At The Reward Lounge, we are committed to protecting your privacy and handling your personal data responsibly and transparently. This policy explains what data we collect, how we use it, how long we keep it, who we share it with and your rights under UK GDPR and the Data Protection Act 2018.
1. Data Controller
The data controller responsible for personal data collected through this website is:
The Reward Lounge Ltd
Registered in Northern Ireland. Company number: NI740715
Email: hello@therewardlounge.co.uk
Website: therewardlounge.co.uk
We use third-party service providers (data processors) to operate our website and services. These providers process personal data on our behalf and under our instructions in accordance with UK GDPR Article 28.
2. Information We Collect
We collect and process the following categories of personal data:
- Identity data — your full name as provided at registration
- Contact data — your email address, used as your unique account identifier and for service communications
- Authentication data — your password, stored as a one-way encrypted hash. Your original password is never stored or accessible by us
- Technical data — IP address recorded at the point of registration for fraud prevention
- Membership data — your chosen membership tier, subscription start date, renewal date, expiry date and current status
- Location data — your council area, provided optionally at registration, used to help us understand where our members are based so we can prioritise bringing new partner discounts to those areas
- Financial reference data — your Stripe customer reference ID and transaction records. No payment card details are ever stored on The Reward Lounge servers — all card data is handled exclusively by Stripe Payments Europe Ltd
- Behavioural data — records of partner business visits including partner name, visit timestamp and credits awarded
- Redemption data — records of discount redemptions and referral credit awards
- Engagement data — giveaway entry records including credits spent and entry timestamps
- Credit balance data — your current loyalty credit balance and monthly credit allowance
- Referral data — where you refer another person to The Reward Lounge, we record your member ID, the referred member’s ID, the referral credit amount awarded and the referral date. This is used to accurately award referral credits and prevent fraudulent referral activity
- Analytics data — anonymised website usage statistics. No personally identifiable analytics data is collected
3. How We Use Your Information
- Create and manage your membership account
- Process payments and subscription renewals
- Provide membership benefits including partner discounts, loyalty credits and giveaway participation
- Log and verify partner discount redemptions
- Operate fair and random prize draws
- Send service communications such as account updates, renewal reminders and winner notifications
- Send marketing communications where you have separately opted in — you may unsubscribe at any time
- Prevent fraud and misuse of the membership system
- Track and award referral credits fairly and prevent referral fraud or misuse
- Understand where our members are located to inform future partner recruitment
- Improve our website and services using anonymised analytics
Lawful basis for processing:
- Article 6(1)(b) — Performance of a contract — membership management, payments and core service delivery
- Article 6(1)(c) — Legal obligation — retention of financial records for HMRC compliance
- Article 6(1)(f) — Legitimate interests — fraud prevention, service improvement and partner redemption logging
- Article 6(1)(a) — Consent — marketing communications, analytics cookies, and optional location data
4. Sharing Your Information
We do not sell your personal data to any third party.
We share personal data only with the following trusted third-party processors:
- Automattic Inc. (WordPress.com) — website hosting. Data processed in USA and EU. Standard Contractual Clauses in place. Privacy policy
- Stripe Payments Europe Ltd — payment processing. Data processed in Ireland and USA. No card data stored on our servers. Standard Contractual Clauses for US transfers. Privacy policy
- Caseproof LLC (MemberPress) — membership management. Data processed in USA. Standard Contractual Clauses in place. Privacy policy
- Jetpack (Automattic Inc.) — anonymised website analytics. Data processed in USA and EU. No individuals can be identified from analytics data
- Complianz B.V. — cookie consent management. Data processed in the Netherlands (EU). GDPR applies directly. Privacy policy
Standard Contractual Clauses approved by the UK Information Commissioner’s Office are in place for all international data transfers.
5. Data Retention
- Membership and account data — duration of membership plus 6 years after closure for HMRC compliance
- Payment and transaction records — 6 years minimum as required by law
- Partner visit and redemption logs — 2 years from the date of the visit
- Giveaway entry records — duration of membership. Winner records retained 2 years
- Marketing preferences — until you withdraw consent
- Analytics data — anonymised and aggregated, retained indefinitely
6. Cookies
We use cookies to operate our website, manage your membership session and understand how visitors use our site. Essential cookies are always active. Analytics cookies are only placed with your consent. For full details see our Cookie Policy. You can manage your preferences at any time using the Manage Cookies link in our footer.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data including:
- SSL/TLS encryption on all pages — enforced HTTPS
- Password encryption using bcrypt hashing — passwords are never stored in plain text
- Brute force login protection — IP lockout after repeated failed login attempts
- Payment card data handled exclusively by Stripe — PCI DSS Level 1 compliant
- Enterprise hosting with encrypted storage and automated backups via WordPress.com
- Access to member data restricted to the named Data Controller only
8. Data Breaches
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office within 72 hours of becoming aware, as required by UK GDPR Article 33. Where a breach poses a high risk to your rights and freedoms we will notify affected members directly without undue delay, in accordance with UK GDPR Article 34.
9. Your Rights
Under UK GDPR you have the following rights:
- Right of access — request a copy of all personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your personal data where there is no lawful reason to continue processing it
- Right to restrict processing — request that we restrict processing in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — withdraw consent at any time where processing is based on consent
If you are unhappy with how we have handled your personal data you have the right to complain to the Information Commissioner’s Office:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
10. ICO Registration
The Reward Lounge Ltd is registered with the Information Commissioner’s Office as a data controller. ICO registration number: ZC155344
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Significant changes will be communicated to members by email. The date at the top of this policy indicates when it was last updated.