Privacy Policy
1. Introduction
This Privacy Policy explains how DUAL Ltd ("we", "us", "our"), the operator of the DUAL Perks loyalty platform ("the Service"), collects, uses, stores, and protects your personal data. DUAL Perks connects members of organisations (such as cities, villages, gyms, and clubs) with local business partners through a loyalty and discount programme.
We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection legislation.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The data controller for your personal data is:
DUAL Ltd
St Andrews, Fife, Scotland, United Kingdom
Email: privacy@dualcreative.com
If your organisation operates within the EU/EEA, we can ensure your data is hosted within the European Union. Contact your organisation administrator or us directly for details.
3. What Data We Collect
3.1 Member Data
When your organisation creates your account or when you use the DUAL Perks app, we collect and process:
| Data Category | Examples | Purpose |
|---|---|---|
| Identity data | Full name, email address | Account identification and login |
| Authentication data | 4-digit PIN (hashed at rest), card token (UUID) | Secure access to your account |
| Membership data | Membership tier (standard, premium, VIP, unlimited), account status, organisation affiliation | Delivering tier-appropriate benefits |
| Usage data | Discount redemptions, punch card stamps, redemption timestamps | Operating the loyalty programme |
| Device data | Device type, OS version (mobile app only) | App compatibility and troubleshooting |
3.2 Organisation Administrator Data
For administrators managing an organisation account, we collect:
- Full name and email address
- Organisation name and settings
- API key credentials
3.3 Partner Data
For business partners listed on the platform, we collect:
- Business name, address, phone, and website
- Contact person name and email
- Logo image URL
- Discount and offer details
3.4 Data We Do Not Collect
- We do not collect payment card numbers, bank details, or financial information from members.
- We do not collect precise geolocation data.
- We do not collect data from social media profiles.
4. How We Use Your Data
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Creating and managing your loyalty account | Performance of a contract (Art. 6(1)(b)) |
| Authenticating your identity at login | Performance of a contract (Art. 6(1)(b)) |
| Delivering partner discounts and offers to you | Performance of a contract (Art. 6(1)(b)) |
| Tracking punch card stamps and rewards | Performance of a contract (Art. 6(1)(b)) |
| Recording redemption history | Legitimate interest (Art. 6(1)(f)) |
| Displaying announcements from your organisation | Legitimate interest (Art. 6(1)(f)) |
| Maintaining platform security and preventing abuse | Legitimate interest (Art. 6(1)(f)) |
| Responding to your enquiries or support requests | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not use your data for automated decision-making or profiling.
5. Data Storage and Security
Your data is stored in a PostgreSQL database hosted by Supabase. All data in transit is protected with TLS 1.2+. Database storage is encrypted at rest using AES-256. Row Level Security ensures members can only access data associated with their organisation.
6. Third-Party Data Processors
| Processor | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting, authentication | All platform data |
| Vercel | Web application hosting | Request metadata, IP addresses |
| Stripe | Organisation subscription billing | Organisation billing data only |
We do not sell, rent, or trade your personal data to any third party.
7. International Data Transfers
Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs).
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Member account data | Duration of active account + 30 days after deletion |
| Redemption history | Duration of active account |
| Authentication data | Duration of active account |
| Organisation and partner data | Duration of active subscription |
| Server logs | 90 days |
9. Your Rights Under GDPR
You have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure of your data (Art. 17)
- Data portability (Art. 20)
- Restriction of processing (Art. 18)
- Object to processing (Art. 21)
- Withdraw consent at any time
- Lodge a complaint with your local Data Protection Authority
Contact: privacy@dualcreative.com. We respond within 30 days.
10. Cookies and Local Storage
The mobile app does not use cookies. The web version uses essential cookies only. See our Cookie Policy for details.
11. Children's Data
DUAL Perks is not directed at individuals under 16. We do not knowingly collect data from children under 16.
12. Changes to This Policy
We will update the "Last updated" date and notify administrators of material changes.
13. Contact Us
DUAL Ltd
Email: privacy@dualcreative.com
DPO: dpo@dualcreative.com
St Andrews, Fife, Scotland, United Kingdom