UK GDPR Compliance Statement

Last updated: 5 April 2026

This page summarises how ZediPass approaches data protection under the UK GDPR and other applicable privacy laws. For full details, see our Privacy Policy.

Our Commitment

  • We collect only what we need to operate the service (data minimisation).
  • We explain what we collect, why we collect it, and how long we keep it (transparency).
  • We use access controls and logging, and design for privacy by default.
  • We provide in-app/account controls such as consent preferences and account deletion.

We pay the UK ICO data protection fee as part of our data protection compliance programme.

Data We Collect

We process different categories of data depending on whether you are an end customer, a retailer/brand admin, or an operator admin:

  • Account & identity: name, email, phone (if provided), user identifiers, and login metadata.
  • Profile (optional): demographic fields (e.g. age band / date of birth where provided), preferences, and settings.
  • Loyalty ledger: enrolments, scans/check-ins, rewards earned/activated/redeemed/expired, and related timestamps.
  • Device & diagnostics: device/app version, approximate location (if enabled), IP address/logs, and security events.
  • Consents: your consent preferences (functional/analytics/marketing) and the policy version.
  • Support: messages you send us (and related metadata) so we can help you.
  • Retailer/operator admin data: business contact details and the content you create (offers, rewards, event posts) and metadata.

Where feasible, we separate sensitive contact details into restricted-access storage and use pseudonymous identifiers for analytics and partner reporting. This is pseudonymisation (risk reduction), not full anonymisation.

How We Use Personal Data

  • Provide core app/dashboard features and operate the loyalty ledger.
  • Secure the service (fraud/abuse prevention, rate limiting, investigations).
  • Provide customer support and service communications.
  • Run analytics to improve the product (only where permitted by your settings and applicable law).
  • Comply with legal obligations and respond to lawful requests.

Lawful Bases

  • Contract: to provide the service you request.
  • Legitimate interests: to keep the service secure and reliable and to improve it (balanced against your rights).
  • Consent: for non-essential analytics and marketing where required.
  • Legal obligation: where we must retain/produce data by law.

Retention

We keep personal data only as long as necessary for the purposes above. Typical retention windows (which may vary by context, legal holds, and backups) include:

  • Raw product events/telemetry: typically up to 180 days.
  • Aggregated analytics: typically up to 24 months.
  • Security/audit logs: typically up to 24 months.
  • Support records: typically up to 18 months.
  • Billing records (if applicable): typically up to 7 years to meet legal/accounting needs.

You can request deletion via the app settings (where available) or by emailing support@zedipass.com.

Processors & Vendors

We use trusted service providers (“processors”) to operate ZediPass. Current core vendors include:

  • Google/Firebase (hosting, authentication, database, cloud functions)
  • Stripe (payments, where applicable)
  • Cloudinary (media storage/transforms)

Where required, we put data processing agreements in place with vendors and use appropriate safeguards for international transfers.

Security

  • Encryption in transit (TLS).
  • Access controls and least privilege.
  • Audit logging for administrative actions.
  • Backend enforcement for consent and permissions.

International Transfers

Some vendors may process data outside the UK. Where required, we use appropriate safeguards (for example UK IDTA and/or the UK Addendum to EU SCCs) and perform transfer assessments as needed.

Your Rights

Subject to UK GDPR conditions and exceptions, you can request access, correction, deletion, restriction, and portability, and you can object to processing (including marketing).

Requests

To exercise your rights, email support@zedipass.com. We may need to verify your identity before acting on a request and typically respond within one month. For enterprise accounts, we may coordinate with the relevant organisation’s administrator where appropriate.

Cookies

For website cookies and similar technologies, see our Cookie Policy.

Updates

We update this statement when our processing changes. Material changes will be communicated via the website and, where appropriate, in-app notice.

Contact

Controller: ZEDIPASS LIMITED

Company No.: 16508367

Email: support@zedipass.com

Postal: 71–75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom

ICO: You may complain to the UK ICO at ico.org.uk.