
Reward Gateway (UK) Ltd (“Reward Gateway”, "we", "us" or "our") is committed to protecting and respecting your privacy.

This Privacy Notice ("Notice") sets out the basis on which any personal data we collect about you, from you or from third parties (including from Blue Light Card Ltd, trading as Blue Light Card and Defence Discount Service, "Blue Light Card"), when you use this website, https://bluelightcard.rewardgateway.co.uk (“Site”), will be processed by us, and how such personal data will be processed.

We will be the Data Controller of your personal data which you provide to us or which is collected by us via the Site. This means that we are responsible for deciding how we hold and use personal data about you and that we are required to notify you of the information contained in this Notice. It is important that you read this Notice so that you are aware of how and why we are using your personal data and how we will treat it.

We have appointed a Data Protection Team, who can be contacted using the details at the end of this Notice should you have any questions, complaints or feedback about your privacy.

The Type of Information We Collect From you and How We Use It

We will collect various types of personal data from you when you use the Site, depending on the services that you use. Further details of how we use your personal data are set out below.

In this section, we have set out the legal bases we will rely upon to process your personal data and linked the relevant legal basis to our processing activity via asterisks throughout this Notice:

  • * to enter into and/or to perform our contract with you to provide the services via the Site;
  • ** to pursue legitimate interests of our own or of third parties, provided that your interests and fundamental rights do not override those interests;
  • *** to enable us to comply with our legal obligations; and/or
  • **** with your consent.

Before you register

Before you register on the Site we will ask Blue Light Card to provide two pieces of unique information about you* (such as your name, email address and Blue Light Card membership number). Blue Light Card will provide that information to us in order for an account with us to be created.

When you register

In addition to the personal data provided to us by Blue Light Card, when you register on the Site we will also collect and store personal data about you, such as your name, email address, password, postcode and a contact telephone number.

As required from time to time, you may also need to provide the information necessary to allow us to carry out our eligibility check (which will vary dependent on the information provided by Blue Light Card, see above).

This information will be used in order to complete your registration and to allow you to use the Site*.

When you log in

Each time you enter the Site, we automatically conduct checks against your Internet Protocol (IP) address to ensure your security. This includes looking up your IP address against a “proxy denylist” to check that someone is not using your credentials and trying to hide their location**. This proxy denylist is operated by MaxMind, Inc. If your IP address appears on it, we will not allow you to log in.

We also look up the IP address in a static database we download from MaxMind Inc. to check which country the IP is affiliated with. This helps us to further protect your account against people who may have access to your credentials**. If we do spot a change, we will alert you via the email held on your account that a login has occurred from a new device or location.

This information, along with time and event data (such as successful or failed logins), is also recorded in our database for audit purposes**.

Depending on the services you use on the Site, we may collect and process additional personal data about you, as set out below.

When you make a debit or credit card purchase

If you choose to purchase goods using a credit or debit card through the Site, we will collect your payment details from you and pass them to Checkout.com, our secure payment processors, who will use them to process the payment*. We do not store or process your credit or debit details on our servers.

We will also collect your delivery address from you, and use the contact details previously provided, to allow us to process the order*.

If you opt-in to saving your credit or debit details for future use on the Site, your information will be stored securely by our payment processor. You can update or remove these at any time.

Where goods are dispatched by a third-party supplier, we may need to share your information with them to fulfil your order, such as your contact details and delivery address*. This will be clearly indicated to you at the point of purchase. You will be able to review these suppliers’ privacy terms before any information is shared with them.

We will also carry out a fraud check during the order process. This check is carried out by our third party provider, Sift Science (“Sift Science”)**. Sift Science will only act in accordance with our instructions and how they will process your personal data is set out below.

Sift Science will collect information about your behaviour on the portal (such as the length of time between logging in and reaching checkout), technical information about the device used (such as your browser version and IP address) and the details you enter at checkout (such as your contact details and delivery and billing address).

After you have placed your order and before goods are dispatched, Sift Science will use this information to provide us with a score based on the likelihood of fraud. The score provided determines whether your order is automatically accepted by us or queued for our human review. If it is queued for human review, we will carry out a manual fraud check to decide whether to accept or refuse your order or, in some circumstances, require payment to be made by an alternative, more secure mechanism such as a bank transfer. For more information about this processing activity, please contact us using the details provided at the end of this Notice in the “Contacting Us” section.

After too many failed orders

If too many failed orders originate from your account, we will automatically restrict access to your account. Before allowing you to access your account again, we will notify you and ask you for further supporting documents such as your driving licence, council tax bill or statement, bank or credit card statement, utility bill or payslip, as evidence that it is you attempting these orders**. If these documents are not to our satisfaction, we may contact Blue Light Card with the intention of verifying that it is you using your account in this way**.

These supporting documents will only be used for the purpose of verifying your identity, will not be shared with any third parties and will only be retained by us until we have reviewed them, even if we are not satisfied with their legitimacy or authenticity.

You do not need to provide these supporting documents to us but, if you choose not to, then we will not be able to provide you with access to your account.

When you contact us

If you contact us for support purposes, we will require some information to handle your query. The following data are saved in Zendesk to enable processing: your name, email address, telephone number and any other personal data you provide to us for the purpose of dealing with your query.

When you visit the Site

When you visit the Site we will automatically collect information about your visit such as the pages you viewed, services you viewed or searched for, length of visits to certain pages, the times and dates of these actions, details of page response times and any download errors that occurred.

We will also collect data from the device and application that you use to access our services, including your IP address (from which we may infer your geographic location), login information and browser type.

If you arrive at the Site from an external source (such as the link on Blue Light Card’s website) we record information about that source.

We will use the above information:

  • to administer the Site and for internal operations, including troubleshooting, data analysis (including analysing the use of the various services available on the Site and measuring their popularity and effectiveness), testing, research, statistical and survey purposes, and to comply with our legal obligations**/***;
  • to improve the Site to ensure that content is presented in the most effective manner for you and for your computer / device**;
  • as part of our efforts to keep the Site safe and secure to comply with our legal obligations**/***;
  • to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you. We, or our third party advertisers, may use your age or gender to determine whether advertising is relevant to you**;
  • to make suggestions and recommendations to you and other users of the Site about goods or services that may interest you or them/**.

Other information and uses

We will also collect the personal data you provide when you use the Site:

  • to notify you about changes (permanent or temporary) to our service*.
  • to ensure that content from our Site is presented in the most effective manner for you and your computer*.
  • to administer our Site and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes, and as part of our efforts to keep our Site safe and secure**.

Information we receive from other sources

We will combine information we receive from other sources (as set out in this Notice) with information you give to us. We will use this information and the combined information for the purposes set out in this Notice (depending upon the services you access).

Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and permitted under data protection laws. If we need to use your personal data for an unrelated purpose, in most cases we will notify you and we will explain the legal basis which allows us to do so.

Disclosures of your Information

We use service providers to help us to run the Site and deliver our services. These service providers will only receive your personal data if required for the service you are using. They include:

  • Amazon Web Services EMEA SARL, a cloud hosting provider that runs the underlying servers for our Site;
  • Emailcenter UK, a transactional and bulk email gateway, used to send some of our email;
  • Mailgun Technologies Inc., a transactional and bulk email gateway, used to send the majority of our email;
  • Twilio Inc., a SMS / text-messaging gateway, used if you opt-in for a service that requires us to send you a text message;
  • Zendesk Inc., a customer support platform;
  • Atlassian Pty Ltd., a ticketing system for our internal teams, used in rare cases if you report a bug to us;
  • WalkMe, Inc., contextual help, support and assistance for the Site’s administrators only;
  • Google Inc., a web analytics tool only used if you Consent to analytics cookies;
  • FullStory Inc., an analytics service provider only used if you Consent to analytics cookies;
  • Heap Inc., an analytics service provider only used if you Consent to analytics cookies;
  • New Relic Inc., a performance measurement tool only used if you Consent to analytics cookies;
  • Braze Inc, a marketing automation platform that we use to improve our services to you.

We also share your personal data with:

  • Blue Light Card - Because they pay us to operate for you, they’ll want to know how the Site is performing. Except as set out elsewhere in this Notice, we will share information with Blue Light Card about how often you’ve used the Site and what services you used, including Member ID / Order number / Order date - time / Company / Product / Face value / Member spend / Order status
  • Our Internal Teams and Prospective Retailers - We also use information about you on an aggregated and anonymised basis for internal management purposes, to share it with current or prospective retailers and to use it to target offers that are made to users of the Site. This type of information includes, for example, the types of product that you purchase and the value of those purchases. However, you can’t be identified from this information.
  • Members of our Group - We share personal data with members of our group for the purposes of providing the benefits to you and managing our business: RG Engagement Group Ltd, Reward Gateway Pty Ltd, Reward Gateway (UK) Ltd Branch, Reward Gateway (USA) Inc, International Benefits Holdings Ltd, Asperity Employee Benefits Group Ltd
  • Other Parties - We will also disclose your personal data to third parties:
    • in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets;
    • if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets; and/or
    • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions and other agreements; or to protect the rights, property, or safety of us, our users, customers and providers. This will include sharing your information as part of a legal or official investigation if we have evidence or reason to suspect that transactions on your account could be fraudulent.

International Transfers of your Personal Data

A number of the service providers listed above are based outside the UK and European Economic Area and your personal data may therefore be transferred to or accessed from outside of the UK and European Economic Area.

We have either signed UK and EU Commission-approved Standard Contractual Clauses with these providers or we have confirmed that they have Binding Corporate Rules in place. This ensures that your personal data is treated by those providers in a way that is consistent with and which respects the EU and UK laws on data protection. We also ensure there are adequate supplementary measures in place, such as encryption at rest and in transit.

Other entities in our group, Reward Gateway (USA) Inc and Reward Gateway (Australia) Pty Ltd, are also located outside the EEA in countries that are not considered to provide an adequate level of data protection. We have put in place appropriate intra-group agreements using the EU Commission-approved Standard Contractual Clauses, to protect personal data when it is transferred to those entities. Where this is not the case we have restricted the flows of personal data to ensure compliance with applicable legislation.

We can supply a copy of the EU Standard Contractual Clauses to you on request.

Your Rights

Data protection laws provide you with the following rights to:

  • request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it;
  • request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
  • request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below);
  • request the restriction of processing of your personal data, for example if you want to establish its accuracy or the reason for processing it; and
  • request the transfer of your personal data to another party.

You also have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

To Make a Subject Access Request

If you would like to exercise any of your rights set out above, please use this secure Link.

Please note that as the administrator may store other information from your use of this service, you should also contact them directly if you would like to exercise your rights in relation to the data held by them.

Alternatively, please email dpo.uk@edenred.com.

Updating your information

It is important that the personal data we hold about you is accurate and current. Please keep your records on the Site up-to-date. If you wish to update or amend your personal data you may do so by making the change within your account once logged in or by contacting our Helpdesk. We will respond to your request within 5 working days.

Storage of your information

Unless we need to keep your data for legal purposes, we will only retain your personal data for 60 days after Blue Light Card lets us know you are no longer a valid Blue Light Card holder or they decide to use a different provider.

The legal purposes for which we may need to retain your data include:

  • retaining payment records for one year to comply with PCI DSS regulations;
  • retaining backups for up to 180 days after deprovisioning; and
  • retaining your order history for two years from the date of your order in case of a dispute.

We may also retain anonymised data about you for longer periods for integrity and financial reporting purposes.

Recordings of calls are retained for 40 days and chat transcripts are retained for 90 days.

We take the security and confidentiality of your personal data very seriously. We will use strict procedures and security features aimed at preventing unauthorised access, such as secure software design, being ISO 27001 certified, strict access controls, penetration testing, the use of encryption and hashing and robust physical security controls.

You are also responsible for the security of your personal data by taking precautionary measures, such as keeping your account password confidential and using secure internet connections.

Changes to this notice

Any changes we make to our Notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Notice.

Contacting Us

If you have any queries, comments or requests regarding this Notice, or you would like to exercise any of your rights set out above, or contact the Reward Gateway Data Protection Team, you can contact us in the following ways:

  • by email at dpo.uk@edenred.com; or
  • by post at Reward Gateway (UK) Ltd, Third Floor 1 Dean Street, London, W1D 3RB.

10/03/2025