Reward programme - Privacy Policy

Last Updated and Effective as of 04 March 2025

1. In general

This Privacy Policy (hereinafter referred to as the ‘Policy’) applies to your use of the loyalty programme (hereinafter referred to as the ‘Reward Programme’). The Reward Programme gives you as a user the opportunity to obtain rewards (hereinafter referred to as ‘Rewards’) from participating Merchants such as shops, restaurants, web shops, and similar vendors (hereinafter referred to as ‘Merchants’). The identity of the controller responsible for providing this Policy and protecting your privacy and personal data depends on the nature of the Reward Programme:

  • For United Kingdom (UK) and European Economic Area (EEA) Reward Programmes, the Reward Programme partner that you signed up with will act as controller. Our Reward Programme partners include The Reward Collection Ltd, LUX Rewards Ltd, TLS Discounts (Leads 2 Trade Ltd), Geek Retreat, and Cashbackpoint Ltd (which acts as the controller in connection with the Swipii, Fidel and CashbackApp Reward Programmes);
  • For US Reward Programmes, Alluvial Rewards Limited acts as controller;
  • For Indian Reward Programmes Enigmatic Smile Rewards Pvt Ltd acts as controller; and
  • In addition (regardless of the country of your Reward Programme), Enigmatic Smile Ltd will also act as controller.

The controller(s) relevant to your Reward Programme are hereinafter referred to as ‘ES’, ‘we’, or ‘us’. The Policy applies across all channels, regardless of whether you access the Reward Programme via the website or the app (hereinafter referred to as the ‘Platforms’).

If you are located in India, please also see the Addendum for Individuals in India, below.

2. Individuals who are not users of our service; our customer referral programme

When users sign up to the service, they may consent to allowing us to access their contact list to check which contacts are users of the service, and which are not. This means that if you are included in the contact list of one of our users, we may process your personal data in a limited way - even if you are not currently a user of our service. This means that the information in this Policy is relevant to you too.

Users may seek to refer you to our service. They may earn Rewards or other incentives for referring you if you decide to sign up.

3. Types of personal data processed, the purposes of processing, and legal basis

We process personal data as described in the following table

Purposes of processing
Categories of personal data
Legal basis (EEA and UK users)
To identify you as a user and to enable the Reward Programme to be delivered to you, including to be able to invoice Merchants for your earned Rewards.
When you create a user profile, you must enter your name, your e-mail address, your mobile phone number, your address, a password, and one or more payment cards.

We will also assign you a customer number.
We process such personal data on the basis that it is necessary for the performance of our agreement with you as a user.
To register the purchases you make that entitle you to receive a Reward.
For this purpose, we process information about your payment card, including the payment card number, expiry date and name of the cardholder. ES only collects this information when you add your payment card details.

In the event that you wish to make a payment for an additional service, you must also enter the card's CVV/CVC. You may be asked to provide your CVV/CVC when registering your card. ES does not store your CVV/CVC, but uses this to authorise a specific payment or to authorise your card.

Your payment card information is only processed in an IT environment that is certified according to the PCI (Payment Card Industry) rules.
We process such personal data on the basis that it is necessary for the performance of our agreement with you as a user.
To calculate the Rewards or other incentives you are entitled to, and to invoice Merchants for your earned Rewards.
For this purpose, we process information about your payment card(s), and the transactions/ purchases you make, including:

• the time of the transaction;
• the amount spent;
• the name and the location of the Merchant where you made the payment; and
• the Rewards added to your balance.

This will be processed alongside your customer number. We may also process other information relevant to calculating a Reward or incentive, such as any referrals you have made to your contacts. ES does not process information about what you have purchased, unless it is necessary for the purpose of calculating a Reward.
We process such personal data on the basis that it is necessary for the performance of our agreement with you as a user.
To share proof of a relevant transaction with third parties as necessary (for example if the third party receives a commission on transactions).
We process such personal data on the basis that it is in our legitimate (commercial) interests in operating our business.
To allow you to use your Reward in the manner that you have requested. For example, you may have asked that your Reward be used for offsetting a payment total, or to pay towards a gift card.
For this purpose, we process your customer number, and Reward total, and information about your payment method.
We process such personal data on the basis that it is necessary for the performance of our agreement with you as a user.
To provide you with relevant offers and to adapt our marketing to ensure that you receive the offers that are most likely to correspond to your personal interests and needs.To enable us to target our marketing (see section 9 below) and show you Merchants that offer Rewards near you.

The profiling does not mean that you are restricted from certain offers, products, or services, we process this data in order to tailor your experience in accordance with your interests.
For this purpose, we process the following personal data, depending on the circumstances:

• customer number, and contact information, such as your name, mailing address, email address, and phone number;
• demographic information (to the extent you provide it), such as your date of birth, age, gender, number of people in your household, marital status, education, occupation, postcode;
• transaction and Reward-related information, such as information about products or services purchased, order history, transaction details, payment information, Rewards earned, and how they are used;
• preferences and interests, such as information about your preferences, interests, hobbies, and activities, and the names of Merchants that you follow;
• subscription information, such as information about newsletter subscriptions, memberships, or other services you may have opted into;
• referral source, such as information about how you found our service, whether through search engines, social media, referral links, our website, or other sources;
• user feedback and satisfaction scores;
• behavioural data, such as your interactions with our service and Merchants, including functionality used, time spent on each page, click-through rates, and navigation patterns;
• device information, such as details about your device, including device type, operating system, browser type, and screen resolution;
• other information collected using cookies and similar technologies, such as IP address and other technical information;
• location data, including data obtained through GPS, IP addresses, or Wi-Fi connections; and• social media data, such as information from social media profiles, such as likes, shares, comments, and other social interactions.

Further, we can also make an estimate of your gende rand your postcode based on your entered name, and your geographical location (which we will only process with your consent if that is required by law).
• We rely on consent when required by law (for example, when the law requires that we collect consent to send you direct electronic marketing, to collect and process certain location data, or in relation to cookies and similar technologies).

• In other circumstances, we rely on our legitimate(commercial) interests in promoting our business and improving and optimising our services.
To provide Merchants with information about the transactions/purchases you make with them, so that they can help us decide what kind of marketing messages to show you (e.g., if you meet certain criteria, like being one of their top customers, based on spend).
For this purpose, we process your first name, last name, customer number, and information about the transactions/purchases you make with the Merchant.
• We rely on consent when required by law.
• In other circumstances, we rely on our legitimate (commercial) interests in promoting our business and improving and optimising our services.
To provide Merchants with information about their customers for their analytics and product/service improvement purposes.
In particular:

• when you shop with a Merchant, ES passes on your gender, postal code, the amount spent, the Rewards paid to you and the time of the transaction;
• if you choose to ‘follow’ a Merchant on the Platforms, ES passes on your first name, gender, postal code, the amount spent with the Merchant, the relevant Rewards, and the time of the transaction(s).
We process such personal data on the basis of our legitimate (commercial) interests in operating our business.
To carry out analytics and to improve our services.
For this purpose, we process:
• any feedback you may provide to us (including in reviews);
• information collected about your use of our service; and
• other personal data as set out in row 6 of this table.
• We rely on consent when required by law.
• In other circumstances, we rely on our legitimate (commercial) interests in promoting our business and improving and optimising our services.
To provide customer services and support.
For this purpose, we process any personal data which may be applicable to your customer services query, including in particular your customer number.
We process such personal data on the basis of our legitimate (commercial) interests in providing an efficient service to users.
Where you give your consent, we access contacts in your contact list to find out which of your contacts are users of the service, and which are not.
For this purpose:

• a one way cryptographic hash value is created for each of the mobile numbers in your contact list. This anonymises each mobile number so it is no longer obtainable from the hash value. It is only the hash value for each mobile number that is collected and transmitted to our servers, we do not collect the mobile number itself or any other personal data included in your contact list. The hash value obtained is not stored on our servers. It is compared against existing hash values for existing customers and you are notified which of your contacts have an account with us in order for you to send/receive rewards to/from them or invite them to set up an account. We kindly request you ensure your friend or relative is happy to receive the invite before you send it to them.
We rely on your consent to access the mobile phone numbers contained in your contacts list. If you are not a user, and we process your personal data for this purpose, we rely on our (commercial) interests in providing an efficient service to users.
To allow you to send and receive Rewards to and from contacts who are also using the service.
For this purpose, we process:
• your customer number, and that of your contact; and
• information about your Rewards.
We process such personal data on the basis that it is necessary for the performance of our agreement with you as a user.
To comply with laws and regulation applicable to us and our affiliates enforcing legal rights and obligations, and for purposes in connection with legal claims, lawful requests by public authorities (including without limitation to meet national security or law enforcement requirements), investigations, discovery requests, or where otherwise required or permitted by applicable laws, court orders, government regulations, or regulatory authorities (including data protection and tax authorities).
For this purpose, we may process any (of the above) personal data.

In particular, we may be required by law in some jurisdictions to collect your date of birth, email, telephone number, or national identity number.
Depending on the circumstances, we will rely on either:

• the fact that such processing is necessary for compliance with a legal obligation to which we are subject; or
• our legitimate(commercial) interests in exercising or defending our interests and rights.
We may process personal data in connection with a merger, divestiture, acquisition, restructuring, reorganisation, dissolution, or other sale or transfer of some or all of our or our affiliates’ assets, whether as a going concern or as part of a bankruptcy, liquidation, or similar proceedings, in which personal data held by us or our affiliates is among the assets transferred.
For this purpose, we may process any (of the above) personal data.
Depending on the circumstances, we will rely on either:
• the fact that such processing is necessary for compliance with a legal obligation to which we are subject; or
• our legitimate (commercial) interests in managing our business.

If you would like further information about how we have balanced our legitimate interests against your rights and freedoms for particular processing purposes, you may contact us using the contact details set out below.

Your decision to provide personal data to ES is typically voluntary, except where our processing of your personal data is necessary, for example:

  • to meet a legal requirement; or
  • in connection with a contract we have with you.

If you do not provide certain personal data, we may not be able to achieve some of the purposes outlined in this Policy.

4. Disclosure of personal data

The personal data about you that ES processes will not be passed on to third parties without your consent, unless ES has another legal basis for the disclosure.

ES shares your personal data as follows:

  1. As described above, ES provides certain information to Merchants to invoice them for your Rewards, to allow you to use your Rewards in the manner requested, to enable Merchants to help us decide what kind of marketing messages to show you, and to provide Merchants with information about their customers. We do not provide your contact details to Merchants.
  2. ES also shares personal data across its affiliates as necessary, including affiliates in India, the US, the EEA and the UK. In particular, your personal data will be processed by ES in the UK for payment processing.
  3. ES collaborates with a number of service providers and others in connection with the general operation of our business, the Reward Programme, and the Platforms. These include:
    • service providers that provide hosting services, technical support services, customer service support, and platform providers;
    • service providers that assist us to create targeted marketing for you and optimise our marketing efforts. To receive such services, we pass on pseudonymised personal data about you to the service providers; and
    • Visa, Mastercard, Pinelabs, Innoviti and any other payment card providers and payment services providers connected to ES that assist us to carry out the processing described above

      If you would like further information about the affiliates, service providers, and others we share personal data with, please contact us using the contact details set out below.

  4. ES may also pass on your personal data to third parties for the purposes of complying with laws and in connection with legal claims and similar (as further described above).

5. Sources of personal data

ES’ sources of your personal data are as follows:

  • ES receives transaction and payment-related information (such as a card number) from the payment card providers whose cards you use (such as Visa and Mastercard) and from payment service providers like Pinelabs and Innoviti. Those providers match transactions to you and provide relevant information about the transaction to us to enable us to carry out the processing described above.
  • ES also shares personal data across its affiliates as necessary, including affiliates in India, the US, the EEA, and the UK.

6. Storage

Personal data is not stored longer than is necessary to fulfil the purpose for which it was collected, unless the storage is necessary to meet legal requirements, including statutory storage periods in connection with bookkeeping etc., or to exercise or defend legal claims.

ES stores your personal data until you unsubscribe from the Reward Programme, after which your personal data is either deleted or pseudonymised. If you revoke your consent to processing of personal data, the personal data previously processed under that consent will be deleted or anonymised, unless we have another legal basis for continued processing.

Further information about our retention periods is available on request, by contacting us using the contact details set out in the ‘How to contact us’ section below.

7. Your data subject rights

If you are an individual in the EEA or the UK, you have a number of rights with respect to the personal data we process about you, which may be restricted by law. Individuals located in India should refer to the Addendum for Individuals in India, below

One key right is the right to ‘object’ to processing of your personal data in certain circumstances - e.g., if we are processing on the basis of legitimate interests or if we are using it for direct marketing purposes (including profiling for such purposes). You also have the right:

  1. to have personal data erased. You can ask us to erase all or some of your personal data. We will comply with this request unless there is a legal right for us to deny this request;
  2. to rectify or complete personal data. You can also ask us to rectify your personal data if it’s inaccurate or complete it if it’s incomplete;
  3. to restrict use of personal data. You can ask us to limit our use of your personal data in some situations (e.g., if your personal data is inaccurate or unlawfully held); and
  4. to access and/or take your personal data away (data portability). You can ask us for information about, and a copy of your personal data. In some cases, you have a right to receive your personal data or have it transmitted to others in an interoperable, machine readable format.

You can request to exercise your rights by contacting us using the contact details in the ‘How to contact us’ section below.

If you wish to raise an issue in connection with our use of your personal data, we encourage you to get in contact with us in the first instance. You may also have a right to file a complaint with a Data Protection Authority, in particular in the EEA Member State of your habitual residence, place of work, or of an alleged infringement of the GDPR. In the UK, the Data Protection Authority is the UK ICO (https://ico.org.uk/).

8. Revocation of Consent

You can revoke one or more of your consents at any time by deleting your profile, by changing your settings on the Platforms, or by contacting us using the contact details in the ‘How to contact us’ section below.

If you revoke your consent, please note that in some cases you may not be able to continue using the Reward Programme.

9. Cookies and similar technologies

We may use cookies and other similar tracking technologies to collect and retain usage data, as further described in this section. Please also refer to our cookie notice / cookie consent mechanism on our APPS for specific information about the cookies and similar technologies we use, and to change your preferences.

You may be able to block, disable, or delete cookies at any time by changing the settings in your web browser. However, blocking, disabling, or deleting cookies may interfere with certain functionality. You can find more information about cookies and other options you may have for restricting them at www.cookiesandyou.com/, and www.aboutads.info/choices.

  1. Analysing your use of our services
    We, along with our third-party vendors, may collect personal data about your visits to our website and mobile app. In doing so, we may log the details of your visits to our website or mobile app and information generated from such visits, such as your interactions with our service, functionality used, time spent on each page, click-through rates, navigation patterns, and other details of your visits to or actions on our services. We may share this information generated from your visits to our webpage or mobile app with third parties as described in this Privacy Policy.
  2. Interest-based advertising
    You may see certain ads on other websites because we participate in advertising networks. This is called interest-based advertising. Advertising networks use cookies and other similar tracking technologies to collect information about your online activities over time. For more information regarding the personal data we collect for targeted advertising, see Section 3 (Types of personal data processed, the purposes of processing, and legal bases) above.

    Some advertising networks that we may use are the Digital Advertising Alliance (“DAA”), Digital Advertising Alliance of Canada (“DAAC”) or the Network Advertising Initiative (“NAI”). To learn more about interest-based advertising and how to opt out, please visit the websites below:

    •  Digital Advertising Alliance (for US residents) at http://optout.aboutads.info/?lang=EN&c=2#!%2F
    •  Network Advertising Initiative at https://optout.networkadvertising.org/?c=1#!%2F

10. Do not track
Please note that our websites and mobile apps are not designed to respond to "do not track" requests from Web browsers.

11. Data sharing for direct marketing purposes (California)
California law permits residents of California to request certain details about how their personal data is shared with third parties for direct marketing purposes.

12. Transfers of personal data outside your country or territory
In connection with the purposes described above, your personal data will be transferred outside your territory (which is the UK, if you are a UK user, or the EEA if you an EEA user). Personal data may be transferred to the UK, the EEA, India, and/or the United States of America.

Transfers between the EEA and the UK are covered by ‘adequacy decisions’ under article 45 of the UK and EU GDPR. However, in other cases personal data may be transferred to a country which is not recognised under local data protection rules as providing for an equivalent level of protection for personal data as is provided for in your territory. If and to the extent that such transfers take place, we will ensure that appropriate measures are in place to protect your personal data. This may include entering into a contract governing the transfer which contains relevant language approved for this purpose, such as language approved by the European Commission and/or the UK Government.

You can obtain further information (including a copy of any such measures) by contacting us using the contact details in the ‘How to contact us’ section below.

13. Changes to the Policy
ES reserves the right to change the Policy at any time, and we advise you to check this page regularly. Changes to the Policy are effective as of the effective date provided above. We will not process your personal data for purposes that we did not disclose to you when we initially collected your personal data without your consent - unless required or permitted to do so by law.

14. How to contact us
We can be contacted by emailing: Privacy@enigmaticsmile.com.

Addendum for Individuals in India

Last Update: April 2024

The statement below supplements the information provided in the generally applicable portion of our Policy and applies to you only if you are located in India. It provides additional information about how we collect, use, disclose and otherwise process your personal data online in accordance with the Information Technology Act 2000 read along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. This statement should be read together with the Policy, and in case of any conflict the terms of this statement will prevail as to personal data processing of individuals located in India. For the purposes of this statement, the term “personal data” includes “sensitive personal data or information” as defined in the relevant laws of India.

  • Consent
    By acknowledging this Policy and providing us with your personal data, you hereby consent to the collection, storage, disclosure, processing and transfer of such personal data for the purposes disclosed in this Policy.

    Further, you have the option to withhold your consent, or withdraw any consent given earlier, provided that the decision to withhold/withdraw consent is communicated to us in writing. If you do not provide us with personal data or withdraw consent at any point in time, we shall have the option not to provide the benefits in relation to which the personal data was sought
  • Access, correction and deletion
    You can make a request to access, correct, update, or delete your personal data at any time by contacting us at Privacy@enigmaticsmile.com.
  • Reasonable security practices and procedures
    We have adopted reasonable security practices and procedures, as further described in the Information Security Policy for Enigmatic Smile Rewards Private Ltd (available upon request), to ensure that the personal data collected is secure. You agree that such measures are secure and adequate.
  • Data transfers outside of India
    We may need to share your personal data with third-party businesses within and outside in connection with the purposes set out in section 3 of the Policy above. In doing so we ensure that the third party adheres to the same level of data protection measures as implemented by us.
  • Contact
    If you would like to contact us or if you find any discrepancies/ have any grievances in relation to the processing of personal data under this Policy, please contact us at:

    Name: Vanita Ruparel (DPO & GC)
    Contact Details: Privacy@enigmaticsmile.com
AboutTechnologyNews
Merchants, Publishers, Banks and Loyalty companies, contact us at:
hello@enigmaticsmile.com
LegalBrand GuidelinesCareers
© 2025 Enigmatic Smile Limited
ENIGMATIC SMILE LTD. Swift House Ground Floor, 18 Hoffmanns Way, Chelmsford, Essex, England, CM1 1GU. Company Number UK08869163 Vat Registration No GB247613206