Exclusive Access to Each Person Diesel Card

Last Updated: 02/09/2021

1. Purpose

This Privacy Policy applies to personal data processed by IAT in our business, including on our websites and other online or offline services. IAT enables the visitors of its websites on the epoints.com and eachperson.com domains to be in control of their personal data. We also provide controls allowing IAT’s users/customers to have control over the privacy of personal data captured by our service. This Privacy Policy provides information about how IAT processes and protects this data.

IAT considers data protection and privacy to be of paramount importance. We never sell personal data and we carry out all processing operations in strict compliance with the EU General Data Protection Regulation (“GDPR”).

For the purpose of this Privacy Policy, Personal data is information that relates to an identified or identifiable individual, natural persons who can be identified or who are identifiable, directly from the information in question, or who can be indirectly identified from that information in combination with other information.

2. Scope

This Privacy Policy covers the recording, processing, transportation, and storage of personal data within both the epoints.com and Each Person online applications, and their supporting architecture, frameworks, resources, and services, required to deliver the solutions to the user. All of the aforementioned are owned and managed by Instant Access Technologies Ltd ( IAT).

3. Data Controller, Processor, and DPO

IAT is both a Data Controller and a Data processor of your personal data. Via Each Person we are the processor as we store the data provided to us by our customers and process it per their requests and actions in the Each Person application.

Via epoints, we are the controller as we make decisions about processing activities. We exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.

ICO Data Protection Public Registration Details

1. Instant Access Technologies Limited
2. Each Person Community Interest Company
3. Epoints Rewards Limited

If you have any questions that haven’t been covered, please contact our Data Protection Officer via email at dpo@epoints.com or write to us at:

DPO,
8a Denmark Street,
Wokingham,
Berkshire,
RG40 2BB

4. Why we collect your personal information

a. Which personal data is collected

When you register for our Services, you may provide us with a set of personal details including email, password, and full name. You can then choose to add additional information via the account area including DOB, address, gender and mobile phone number. If, when providing your date of birth, we see that you are under 16 years of age, you will not be permitted to use the epoints service as we do not allow children to participate in the programme.

Epoints allows you to sign-in via a third-party service, such as Facebook. If you choose to sign-in via a third-party app, you will be presented with a dialog box which will request your permission to allow us to access your personal information (e.g. your full name, date of birth, email address and any other information you have made publicly accessible).

When you shop with us online we will record information on any transaction you make, recording the delivery address for the purchase, and information about your online purchases (for example, when and where you bought and how much you spent).

We also record information about your online browsing behaviour on our websites, information about any devices you have used to access our Services (including the make, model and operating system, IP address, browser type and mobile device identifiers).

When you contact us or we contact you or you take part in promotions, competitions, surveys or questionnaires about our Services, we may collect personal data you provide about yourself,(for example, your name, email and contact details), including by phone, email or post or when you speak with us through social media.

We also record details of emails and other digital communications we send to you that you open, including any links in them that you click on, including your feedback and contributions to member surveys and questionnaires.

Through Each Person your Employer may add information relating to your employment such as Job Title, Work Email Address, Company Start Date, and Date of Birth. In addition when you interact with colleagues through your Employer recognition scheme your interactions will be recorded for reporting purposes on the success of the scheme.

b. How we use your information

1. Managing your epoints account
   We need to process your personal data for “service administration purposes”, which means that we may contact you for reasons related to the epoints service you have signed up for (e.g. to provide you with password reminders, verify your email address belongs to you, to notify you if the service is suspended for maintenance, to notify you that you have pending epoints or confirmed epoints, to notify you of updates to our Privacy and Cookies Policy or Terms of Use or to let you know if your epoints account has become dormant (this occurs automatically if you are inactive for a period of 2 years) and to ask if you would like to use it again before we close it).We need to process your personal data so that we can manage your member account, provide you with the goods and Services you want to buy or redeem as a reward and help you with any orders and refunds you may ask for.
2. Manage and improve our day-to-day operations
   We use cookies and similar technologies on our websites to improve your member experience. Some cookies are necessary so you should not disable these if you want to be able to use all the features of our websites. You can disable other cookies but this may affect your member experience. We also use IP addresses and device identifiers to identify the location of users, to block disruptive use, to establish the number of visits from different countries, and to determine whether you are accessing the services from the UK or not.It is also important for us to monitor how our Services are used in order to detect and prevent fraud, other crimes and the misuse of services. This helps us to make sure that you can safely use our Services.
3. Personalise your epoints experience
   Looking at your browsing behaviour and purchases allows us to personalise our offers and services for you. This helps us meet your needs as a member.We want to ensure that we provide you with marketing communications that are relevant to your interests. To achieve this we also measure your responses to marketing communications relating to products and services we offer so that we can offer you products and services that reflect your interests. You can change your marketing choices, both when you register with us, and at any time after that. To change your preferences for marketing communications, visit the My Account section of our website at any time
4. Contact and interaction with you
   We carry out market research to improve our Services. However, if we contact you about this, you do not have to take part in this. If you tell us that you do not want us to contact you for market research, we will respect this choice. This will not affect your ability to use our Services or your epoints reward options.We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract you hold with epoints. If you delete your epoints account, your personal information is deleted without undue delay, and the remaining information is anonymised for analytical purposes only.
5. Employer recognition scheme
   When you interact with colleagues through your Employer recognition scheme these interactions are recorded and reported to demonstrate the success of the scheme. Sending and receiving e-cards, nominations, and rewards are examples of interactions with the scheme that are reported.

c. Sensitive data

We do not seek to collect sensitive data as defined in the second paragraph below (also known as special categories within the EEA) through this site or otherwise.

The term “sensitive data” refers to the various categories of personal data identified by data privacy laws as requiring special treatment, including in some circumstances the need to obtain explicit consent from you. These categories include racial or ethnic origin, political opinions, religious, philosophical or other similar beliefs, membership of a trade union, physical or mental health, biometric or genetic data, sexual life or orientation, or criminal convictions and offences (including information about suspected criminal activities)

5. How we manage your personal data

a. Lawfulness, fairness and transparency

We have identified the minimum set of personal data required to enable an account in our solution. We believe if used this minimum set is covered by the basis of contract, as agreed with the user’s employer. This account is dormant until the user completes registration, or consents on a lawful basis. Again this only requires a minimum set of data to complete the account. From this account creation, the user can decide to interact with activities within the applications which can require additional data which again is recognised each time as minimal set to enable the additional feature.

b. Purpose limitation

All purposes to use the data are declared in DPA, Terms & Conditions and Privacy Policies. If for any reason the purposes are required to be changed, the documentation is updated and all users informed about this.

c. Data minimisation

We review that the personal data we are processing is adequate, relevant and limited to what is necessary. This is done on a regular schedule as part of the DPIA process. Any new project implemented has a data review as one of the early stages of the project to ensure what is required and why.

d. Accuracy

Data accuracy is critical to our solution so there are strict rules about how it is processed. Data is not edited directly at rest. The only way is via recognised interfaces with strict validation on what can be entered and what can be edited.

e. Storage limitation

We have a set of retention rules following the guidelines laid out in ISO27001. The user data is classified into 2 types: business ( provided by the employer) and personal (added by the user directly. The user personal data is obfuscated after 2 years of application inactivity. Business data is removed once the company terminates their contract with us. We remove any business reference from the user’s personal account

f. Integrity and confidentiality (security)

We have completed the audit process for ISO27001 certification, conducted by BSI, without any non-conformities and have been recommended for certification. We are confident that we have data security completely covered from a development, operational, physical and personal basis, and are happy to share certification details on request.

g. Accountability.

We regularly ensure that we validate our GDPR governance and ensure we are at required levels. We use the following policies and procedures to do this:

1. data protection policy
2. privacy notice
3. staff training policy
4. information security policy
5. data protection impact assessment procedure
6. retention of records procedure
7. subject access request form and procedure
8. privacy procedure and notice
9. third party analysis
10. complaints procedure

6. Sharing your personal data

a. Third Parties.

1. We share personal data with our retail partners so that your order from our catalogue can be completed via the retailer and they are able to deliver the product.When we share personal data with these companies we require them to keep it safe, and they must not use your personal data for their own marketing purposes.We work with a number of retail partners who sell products through our Services in the epoints reward catalogue.We only share personal data that enables our retail partners to provide their services. For example, when you redeem your epoints we will give the relevant retail partner your name and contact details so that they can deliver your items.
2. We share personal data to partner companies or agencies and their subcontractors or prospective partners who help us run our services.
3. We share personal data across products and services within the IAT group.

b. Third Parties outside the European Economic Area (EEA)

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

1. We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
2. Where we use providers based in the US, we will only transfer data to them if they proove they abide by, and process EU Data in compliance with the SCCs (Standard Contractual Clauses) For more information Standard Contractual Clauses (SCCs).

7. Use of cookies

We use cookies, to personalise and improve your member experience as you use our websites. This section provides more information about cookies, including how we use them and how you can exercise your choices about our use of cookies.

a. How we use Cookies

Cookies are small data files that allow a website to collect and store a range of data on your desktop computer, laptop or mobile device.

Cookies allow us to improve the way our websites work so that we can personalise your experience and allow you to use many of their useful features.

For example, we use Cookies so we can remember your preferences and the contents of your basket when you return to our websites after selecting a reward from our catalogue. Another example is to enable you to log in to our website as, without cookies, you cannot do this.

Cookies can help us to understand how our websites are being used, for example, by telling us if you get error messages as you browse.

These Cookies collect data that is mostly aggregated and anonymous

b.Your choices when it comes to Cookies

You can use your browser settings to accept or reject new Cookies and to delete existing Cookies. You can also set your browser to notify you each time new Cookies are placed on your computer or other devices. You can find more detailed information about how you can manage Cookies at the All About Cookiesand Your Online Choices websites.

If you choose to disable some or all Cookies, you may not be able to make full use of our Websites. For example, you may not be able to add login, add rewards to your basket, or proceed to checkout.

For more information on what cookies are set per application please visit the relevant Cookie policy page for each website

1. https://www.eachperson.com/cookie-policy
2. https://www.eachperson.com

8. How your personal data is kept safe

a. Infrastructure

IAT’s architecture is designed to be secure and reliable. We use architecture with firewalls between each tier and additionally within certain tiers between services. Services are accessible only by other services that require access. Access keys are rotated regularly and stored separately from our code and data.

Each of our services is fully redundant with replication and failover. Services are distributed across multiple AWS availability zones. These zones are hosted in physically separate data centres, protecting services against single data centre failures.

b. Data

IAT data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them. Additionally, production environments are separated from testing environments, and no data sharing is enabled across environments.

We use AWS services for data management and use their best practice for backups and log management. We test backup restoration regularly. We ensure all personal information is filtered from our log records.

c. Authentification

We never store passwords in a form that can be retrieved and ensure sessions are invalidated when users change key information and sessions automatically expire after a period of inactivity.

We enable two-factor authentication on all our internal applications that have access to your personal data.

We monitor and rate limit authentication attempts on all accounts ensuring attempts and geographical location are within acceptable usage rules.

We provide multiple user roles with different permissions levels within our internal applications, ensuring the right resources access the right levels and views to enable them to do their role.

d. Encryption

All IAT web traffic is served over HTTPS. We force HTTPS for all web resources, including our REST API, web app and public website.

Our databases, including backups, are fully encrypted at rest. In addition, all archives and logs are fully encrypted at rest. We use industry-standard encryption algorithms.

e. Policies and certifications

IAT has completed ISO-27001 certification, with the certification carried out by BSI. For a copy of our certification please send a request to dpo@epoints.com

All IAT employees complete security training when they join and are continually updated and retested. IAT performs background checks on all new employees. The background check includes employment verification, identity fraud, and criminal checks carried out by Experian. All employees have signed a confidentiality agreement with IAT

IAT also have a defined protocol for responding to security events, and disaster recovery scenarios, which the staff are tested on regularly

9. Your rights

You have a number of legal rights in relation to the information that we hold about you, including:

1. The right to request details of the information we have about you.
2. The right to withdraw your consent to the use of your information where we are relying on that consent (for example, you can opt-out of receiving marketing messages from us). Please note that we may still be entitled to process your information if we have another legitimate reason (other than consent) for doing so.
3. In some circumstances, you have the right to receive some of your information in a usable format and/or request we transmit that data to a third party where this is technically feasible. Please note that this right only applies to information which you have provided to us.
4. The right to ask that we update your information if it is inaccurate or incomplete.
5. The right to ask that we erase your information in certain circumstances. Please note that there may be circumstances where you ask us to erase your information but we are legally entitled to retain it.
6. The right to request that we restrict the processing of your information in certain circumstances. Again, there may be circumstances where you ask us to restrict the processing of your information, but we are legally entitled to refuse that request.
7. The right to make a complaint with the Information Commissioner www.ico.org.uk if you think that any of your rights have been infringed by us.

You can exercise any of the above-mentioned rights by completing this form and emailing it to support@epoints.com

10. Our under 16s policy

IAT services and websites are not intended for, nor does IAT knowingly collect any personal information, from children under the age of 16. If you have reason to believe that any Personal Information from any children under the age of 16 has been collected or submitted to IAT for any reason, please notify us at support@epoints.com, and IAT will seek to remove such information as soon as practicably possible.

11. Contact Us

If you have any general support concerns or for any more service clarity please contact us at support@epoints.com. For any specific data security or GDPR questions please contact us at dpo@epoints.com

Alternatively, you can write to us at:

IAT Ltd,
8a Denmark Street,
Wokingham,
Berkshire,
RG40 2BB