Effective date: 6 May 2026 · Last updated: 6 May 2026
Plain-English summary: We collect what we need to run the Service — account info, billing details, usage data, and the member records you upload. We never sell personal data, and we use industry-standard encryption everywhere. Under UK/EU GDPR you can ask to see, correct, or delete your data at any time. Cookies are used only as described in section 12.
1. Overview
This Privacy Policy describes how Membership Wallet Ltd ("we", "us", "our") collects, uses, and protects personal data when you visit our website at membershipwallet.co.uk, sign up for an account, or use our digital wallet, loyalty, and membership-management Service.
This policy applies to two types of data subject:
- Customers — businesses and individuals who hold an account with us.
- Members — the end-users to whom our Customers issue digital membership cards. For Member data, we typically act as a data processor on behalf of our Customer, who is the data controller.
2. Data Controller
For data we collect directly (e.g. your account information, billing data, support enquiries), the data controller is:
- Membership Wallet Ltd
- Unit 8, Northgate Industrial Park, Collier Row Road, Romford, England, RM5 2BG
- ICO registration: ZA000000 (UK)
- Data Protection Officer: dpo@membershipwallet.co.uk
3. Data We Collect
From Customers
- Account data — name, work email, phone, company name, role, and password hash.
- Billing data — billing address, VAT number, and payment-method tokens (held by our payment provider, not us).
- Usage data — feature interactions, log-in times, device/browser type, IP address, and diagnostic events.
- Communications — support tickets, chat transcripts, and feedback you submit.
From Members (collected by our Customers and processed by us)
- Name, email, phone (if provided), date of birth, address, and any custom fields the Customer chooses to capture.
- Loyalty activity — points, stamps, tier, transaction history, and reward redemptions.
- Device tokens for Apple Wallet / Google Wallet pass updates.
From website visitors
- Standard server logs (IP, user-agent, referrer, timestamp).
- Cookies and similar technologies — see section 12.
4. How We Use Data
We use personal data to:
- provide, maintain, and improve the Service;
- process payments, send invoices, and manage subscriptions;
- authenticate accounts and prevent fraud or abuse;
- respond to support requests and communicate service updates;
- send product news and marketing — only with your consent, and you can unsubscribe at any time;
- generate aggregated, anonymised analytics about platform usage;
- comply with legal obligations and respond to valid requests from public authorities.
We do not sell, rent, or share personal data with third parties for their own marketing purposes. We do not use Member data to train generative-AI models.
5. Legal Basis for Processing
Under UK GDPR / EU GDPR we process personal data on the following legal bases:
- Contract — to provide the Service you have signed up for.
- Legitimate interests — to secure our infrastructure, prevent fraud, improve the product, and communicate essential service notices. We have balanced these interests against your rights.
- Consent — for marketing emails, non-essential cookies, and any optional features that require it. Consent can be withdrawn at any time.
- Legal obligation — to comply with tax, accounting, and law-enforcement requirements.
6. Sharing & Sub-Processors
We share personal data only with carefully vetted sub-processors who help us operate the Service. Each sub-processor is bound by a written data-processing agreement and provides equivalent or stronger protections:
- Cloud hosting — Amazon Web Services (UK / EU regions only).
- Payments — Stripe (PCI DSS Level 1 certified).
- Email delivery — Postmark for transactional, Mailchimp for opt-in marketing.
- Customer support — Intercom for live chat and helpdesk.
- Analytics — Plausible Analytics (privacy-first, no cookies).
- Wallet pass distribution — Apple Wallet and Google Wallet for pass delivery.
A current list of sub-processors is available on request from dpo@membershipwallet.co.uk.
7. International Transfers
Personal data is primarily stored in the UK and the European Economic Area. Where data is transferred outside these regions (e.g. to US-based sub-processors), we rely on UK International Data Transfer Agreements, EU Standard Contractual Clauses, or adequacy decisions to ensure equivalent protection.
8. Data Retention
- Account data — retained for the life of the account and for 6 years after closure, for tax and legal purposes.
- Member data — retained only while our Customer's subscription is active. Deleted within 60 days of subscription termination unless a legal hold applies.
- Support tickets — retained for 3 years from the last interaction.
- Server logs — retained for 90 days.
- Backups — encrypted backups are retained for 30 days on a rolling basis and then automatically purged.
9. Security
We protect personal data using industry best practices:
- AES-256 encryption at rest, TLS 1.3 in transit;
- SOC 2 Type II certified data centres;
- least-privilege access control with mandatory two-factor authentication for staff;
- independent third-party penetration testing every 12 months;
- continuous vulnerability scanning, patching, and 24/7 monitoring;
- documented incident-response plan with breach notification within 72 hours where required.
No system can be 100% secure, but we work continuously to reduce risk and respond quickly when issues are identified.
10. Your Rights Under UK / EU GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you.
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure ("right to be forgotten") — ask us to delete data we no longer have a lawful reason to hold.
- Right to restrict processing — limit how we use your data while a complaint is investigated.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests, including profiling.
- Rights related to automated decision-making — request human review of decisions made solely by automated means.
- Right to withdraw consent — where processing is based on consent.
To exercise any of these rights, email dpo@membershipwallet.co.uk. We will respond within one calendar month. We do not charge a fee for reasonable requests.
If you are a Member of one of our Customers, please contact that business in the first instance — they are the data controller for your loyalty account.
11. Children's Data
The Service is not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact dpo@membershipwallet.co.uk and we will delete it promptly.
12. Cookies & Similar Technologies
Our website and dashboard use a small number of cookies. We group them as follows:
Strictly necessary (always on)
- session — keeps you logged in (deleted when you close the browser or sign out).
- csrf-token — protects forms from cross-site request forgery.
- cookie-consent — remembers your cookie preferences.
Analytics (optional)
- We use Plausible Analytics, which is cookie-free and does not track individuals across sites.
Marketing (off by default, opt-in only)
- If you consent, we may set conversion cookies for LinkedIn or Google Ads to measure campaign effectiveness. You can revoke consent at any time via the cookie banner or your browser settings.
You can control cookies through your browser. Disabling strictly-necessary cookies will impair the website's functionality.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when changes were made. For material changes affecting your rights, we will provide prominent notice (e.g. by email or an in-app banner) at least 14 days before the changes take effect.