Privacy Policy
Last updated: 22 February 2026
1. Who We Are
Digital Cards Club ("we", "us", "our") provides a digital wallet pass management platform for UK businesses. We act as a data processor on behalf of our customers (organisations who use our platform), who act as data controllers for their members' personal data.
For data we collect directly (e.g. account registration), we act as the data controller. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Data We Collect
Account Data (Data Controller)
- Name and email address (for account registration and login)
- Organisation name, address, and contact details
- Payment information (processed by Stripe; we do not store card numbers)
- Login timestamps and IP addresses (for security)
Member Data (Data Processor)
- Name, email address, and phone number (encrypted at rest)
- Membership number, type, and dates
- Digital wallet pass records and status
- Consent records (timestamp, method)
- Custom fields as configured by the organisation
Technical Data
- Browser type, operating system, and device information
- IP address and approximate location
- Pages visited and actions taken within the platform
- Cookies and similar tracking technologies (see Section 9)
3. Legal Basis for Processing
We process personal data under the following legal bases:
- Contract: To provide the services you have subscribed to (Article 6(1)(b))
- Legitimate Interest: To maintain security, prevent fraud, and improve our services (Article 6(1)(f))
- Consent: Where explicitly obtained, for marketing communications (Article 6(1)(a))
- Legal Obligation: To comply with legal and regulatory requirements (Article 6(1)(c))
4. How We Process Data
Personal data is used to operate the platform, process digital wallet passes, manage subscriptions, and provide customer support. Member PII (names, emails, phone numbers) is encrypted at rest using industry-standard encryption (Fernet/AES-128-CBC). Access to personal data is restricted to authorised personnel within the member's organisation and our technical support team when required.
5. Data Retention
- Account data: Retained for the duration of your account plus 30 days after a deletion request
- Member data: Retained until the organisation deletes it or the organisation's account is closed
- Billing records: Retained for 7 years to comply with UK tax and accounting requirements
- Audit logs: Retained for 2 years for security and compliance purposes
- Technical logs: Retained for 90 days
6. Your Rights
Under the UK GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you (Article 15)
- Rectification: Request correction of inaccurate personal data (Article 16)
- Erasure: Request deletion of your personal data ("right to be forgotten") (Article 17)
- Data Portability: Request your data in a portable, machine-readable format (Article 20)
- Restriction: Request restriction of processing in certain circumstances (Article 18)
- Objection: Object to processing based on legitimate interest (Article 21)
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
Organisation owners can exercise data export and deletion rights directly through the GDPR tools in the Settings area of their account. For individual member requests, please contact the relevant organisation or reach out to us directly.
7. Data Sharing and Third-Party Processors
We use the following third-party processors:
- Stripe (payment processing) - PCI DSS compliant, US-based with EU data processing
- Resend (transactional email delivery) - for sending pass distribution and account emails
- Cloudflare (CDN and security) - for content delivery and DDoS protection
- Render (hosting) - for application and database hosting
- Google (Google Wallet API) - for creating and distributing Google Wallet passes
- Apple (Apple Wallet) - for creating and distributing Apple Wallet passes
We do not sell personal data to third parties. Data may be shared with law enforcement if required by law.
8. International Transfers
Some of our third-party processors are based outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions by the UK government.
9. Cookies
We use essential cookies required for the platform to function (session management, CSRF protection). We do not use advertising or non-essential tracking cookies. Essential cookies do not require consent under UK GDPR as they are strictly necessary for the service to operate.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of PII at rest and in transit (TLS 1.2+)
- Role-based access control with multi-tenant isolation
- Regular security audits and vulnerability assessments
- Comprehensive audit logging of data access and modifications
- Secure password hashing and session management
11. Contact Us
If you have questions about this privacy policy or wish to exercise your data rights, please contact us:
- Email: privacy@digitalcardsclub.com
- Data Protection Officer: dpo@digitalcardsclub.com
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data rights have been violated.
12. Changes to This Policy
We may update this privacy policy from time to time. We will notify registered users of significant changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.