Referral Fuel Privacy Policy (UK)

1. Who this policy applies to

Our Services are used by multiple types of users:

• Business Customers (publishers, creators, brands, organisations) and their Authorised Users.
• Subscribers / contacts who receive emails sent by Business Customers using the Services.
• Referrers, Referred Visitors, and other Visitors to hosted landing pages or referral links.

2. Our roles under data protection law

Data protection law (including the UK GDPR and the Data Protection Act 2018) distinguishes between:

• Controllers (who decide why and how personal data is processed), and
• Processors (who process personal data on a controller's instructions).

2.1 When we are a controller

We are a controller for personal data relating to:

• our public website and marketing;
• account creation and administration;
• billing and payments;
• customer support and service communications;
• security, abuse prevention, and platform integrity;
• product analytics and service improvement.

2.2 When we are a processor

Business Customers may upload, sync or otherwise process Subscriber/contact data through the Services (for example, email addresses and related attributes) to run referral programmes and send emails.

In those situations, we generally act as a processor on the Business Customer's instructions, and the processing is governed by our Data Processing Addendum (DPA). The relevant Business Customer is the controller and is responsible for providing appropriate notices to its Subscribers/contacts.

If you are a Subscriber/contact and want to exercise your rights about emails you receive from a Business Customer, you should normally contact that Business Customer directly.

3. The personal data we collect

The personal data we collect depends on how you interact with the Services.

3.1 Information you provide to us

This may include:

• Account and profile data: name, business name, email address, role, login credentials, and other account settings.
• Billing and transaction data: billing contact details, invoicing information, payment status and plan details.
• Card/payment details: processed by our payment provider (for example Stripe). We do not store full card details.
• Support and communications: messages you send to us (including via email, forms, chat), and any information you choose to include.
• Customer Content (Business Customers): content you create or upload, such as email templates, landing pages, forms, reward rules, and referral programme settings.

3.2 Information we collect automatically

This may include:

• Device and network data: IP address, device identifiers, browser type, operating system, language settings.
• Usage and activity data: pages viewed, links clicked, timestamps, referral link interactions, and in-product events.
• Log and diagnostic data: audit logs and error logs used for security and troubleshooting.

3.3 Information we receive from third parties

Depending on how you use the Services, we may receive information from:

• Payment providers (for example, payment confirmation, fraud signals, chargeback information).
• Integrations you enable (what we receive depends on the integration and your settings).
• Service providers helping us run marketing campaigns (for example, conversion data for our ads).

3.4 Information we may infer or derive

We may infer information such as approximate location based on IP address, or product usage insights based on activity data.

4. Special category data and criminal offence data (strict prohibition)

Our Services are not designed to process:

• special category data (for example: health data, biometric data, genetic data, racial or ethnic origin, religious or philosophical beliefs, trade union membership, sex life or sexual orientation), or
• criminal offence data.

You must not send, upload, or include special category data or criminal offence data in:

• support messages,
• Customer Content,
• contact lists,
• forms, landing pages, free-text fields, or
• any other data you submit to or process through the Services.

If we become aware that such data has been provided, we may:

• delete or redact it where reasonably possible,
• restrict processing and access,
• suspend or terminate the relevant account or feature access (to protect individuals and comply with law), and
• retain only the minimum information necessary for security, audit, legal claims, or compliance purposes.

You remain responsible for ensuring that special category data and criminal offence data is not processed through the Services.

5. How we use personal data and our lawful bases

We only process personal data when we have a lawful basis.

5.1 To provide the Services (contract)

• create and manage accounts;
• provide core product features;
• provide customer support;
• administer subscriptions and billing.

5.2 To operate, secure and improve the Services (legitimate interests)

• maintain performance and reliability;
• prevent abuse, fraud, and security incidents;
• debug, monitor errors, and run audits;
• analyse usage to improve product features.

5.3 To comply with legal obligations (legal obligation)

• tax and accounting;
• responding to lawful requests and regulatory obligations.

5.4 Marketing communications (consent or legitimate interests)

• send updates and marketing about Referral Fuel where permitted by law;
• you can opt out at any time using the unsubscribe link or by contacting us.

6. Cookies, tracking, referral attribution and analytics

We use cookies and similar technologies (for example, pixels, local/session storage and SDKs) to:

• provide essential functionality and security;
• remember preferences;
• analyse and improve performance;
• measure marketing effectiveness;
• support referral attribution (where enabled).

For details on cookies, lawful bases, and how to manage preferences, see our Cookie Policy.

Business Customers' responsibility: Business Customers are responsible for ensuring that their use of landing pages, forms and referral flows complies with applicable cookie and marketing laws (including PECR). Where consent is required, Business Customers must ensure appropriate consent mechanisms and notices are in place.

7. How we share personal data

We may share personal data with:

7.1 Vendors and service providers

We use service providers to help us operate the Services (for example: cloud hosting, email delivery infrastructure, payment processing, fraud prevention, customer support tooling, and analytics). They process personal data on our instructions and under contract.

7.2 Business Customers (where relevant)

If you submit details via a form on a hosted landing page or interact with a referral programme, relevant data may be shared with the relevant Business Customer (as controller) so they can administer their programme and communicate with you.

7.3 Legal, compliance and safety

We may disclose information where we believe it is required by law, or necessary to protect rights, property and safety, prevent fraud, or enforce our terms and policies.

7.4 Professional advisors

We may share data with professional advisers (for example, lawyers, accountants, insurers) where necessary.

7.5 Corporate transactions

We may share data in connection with a merger, acquisition, reorganisation, financing or sale of assets.

7.6 Aggregated / anonymised data

We may share aggregated and/or anonymised information that cannot reasonably be used to identify an individual.

8. International transfers

We and our service providers may process personal data outside the UK.

Where we make a restricted transfer of personal data outside the UK, we will ensure appropriate safeguards are in place, such as:

• UK adequacy regulations, or
• the UK International Data Transfer Agreement (IDTA), or
• the UK Addendum to the EU Standard Contractual Clauses (as applicable),

together with any additional measures required by law.

You can contact us for more information about the safeguards used for a particular transfer.

9. Data retention

We keep personal data only as long as necessary for the purposes described in this Policy, including:

• while an account is active;
• to provide the Services;
• to meet legal, tax and accounting obligations;
• for security, abuse prevention, and dispute handling.

We may retain certain logs (for example, security logs) for longer where needed for fraud prevention and compliance.

When an account is closed, we will delete or anonymise personal data within a reasonable period, subject to legal retention requirements and the terms of our DPA (where we act as a processor).

10. Security

We implement reasonable technical and organisational measures designed to protect personal data. No system is completely secure, and you are responsible for maintaining the security of your own devices and credentials.

11. Your rights (UK GDPR)

Depending on the circumstances, you may have rights to:

• access your personal data;
• correct inaccurate data;
• request deletion;
• restrict processing;
• object to processing (particularly where based on legitimate interests);
• data portability (in certain cases);
• withdraw consent (where we rely on consent).

To exercise your rights, contact info@referralfuel.co.

We may need to verify your identity. We aim to respond within one month, and may extend where permitted for complex requests.

Important: If you are a Subscriber/contact of a Business Customer (not our direct customer), requests about marketing emails and programme data should normally be directed to the relevant Business Customer, though we may support them under the DPA.

12. Complaints

If you have concerns, please contact us first and we will try to resolve them.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

13. Children

Our Services are intended for business use. We do not knowingly allow children to create accounts or intentionally collect personal data from children.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date and, where appropriate, provide additional notice.