This Privacy Policy applies to personal data processed by IAT in our business, including on our websites and other online or offline services. IAT enables the visitors of its websites on the epoints.com and eachperson.com domains to be in control of their personal data. We also provide controls allowing IAT’s users/customers to have control over the privacy of personal data captured by our service. This Privacy Policy provides information about how IAT processes and protects this data.
IAT considers data protection and privacy to be of paramount importance. We never sell personal data and we carry out all processing operations in strict compliance with the EU General Data Protection Regulation (“GDPR”).
For the purpose of this Privacy Policy, personal data is information that relates to an identified or identifiable individual: a natural person who can be identified directly from the information in question, or who can be indirectly identified from that information in combination with other information.
This Privacy Policy covers the recording, processing, transportation, and storage of personal data within both the epoints.com and Each Person online applications, and their supporting architecture, frameworks, resources, and services, required to deliver the solutions to the user. All of the aforementioned are owned and managed by Instant Access Technologies Ltd (IAT).
IAT is both a Data Controller and a Data Processor of your personal data. Via Each Person, we are the processor, as we store the data provided to us by our customers and process it per their requests and actions in the Each Person application.
Via epoints, we are the controller as we make decisions about processing activities. We exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.
When you register for our Services, you may provide us with a set of personal details including email, password, and full name. You can then choose to add additional information via the account area including DOB, address, gender and mobile phone number. If, when providing your date of birth, we see that you are under 16 years of age, you will not be permitted to use the epoints service as we do not allow children to participate in the programme.
Epoints allows you to sign in via a third-party service, such as Facebook. If you choose to sign in via a third-party app, you will be presented with a dialog box which will request your permission to allow us to access your personal information (e.g. your full name, date of birth, email address and any other information you have made publicly accessible).
When you shop with us online we will record information on any transaction you make, recording the delivery address for the purchase, and information about your online purchases (for example, when and where you bought and how much you spent).
We also record information about your online browsing behaviour on our websites and information about any devices you have used to access our Services (including the make, model and operating system, IP address, browser type and mobile device identifiers).
When you contact us, we contact you, or you take part in promotions, competitions, surveys or questionnaires about our Services, we may collect personal data you provide about yourself (for example, your name, email and contact details), including by phone, email or post or when you speak with us through social media.
We also record details of emails and other digital communications we send to you that you open, including any links in them that you click on, as well as your feedback and contributions to member surveys and questionnaires.
Through Each Person, your Employer may add information relating to your employment such as Job Title, Work Email Address, Company Start Date, and Date of Birth. In addition, when you interact with colleagues through your Employer recognition scheme, your interactions will be recorded for reporting purposes on the success of the scheme.
We do not seek to collect sensitive data as defined in the second paragraph below (also known as special categories within the EEA) through this site or otherwise.
The term “sensitive data” refers to the various categories of personal data identified by data privacy laws as requiring special treatment, including in some circumstances the need to obtain explicit consent from you. These categories include racial or ethnic origin, political opinions, religious, philosophical or other similar beliefs, membership of a trade union, physical or mental health, biometric or genetic data, sexual life or orientation, or criminal convictions and offences (including information about suspected criminal activities).
We have identified the minimum set of personal data required to enable an account in our solution. We believe that, if used, this minimum set is covered by the basis of contract, as agreed with the user’s employer. This account is dormant until the user completes registration, or consents on a lawful basis. Again, this only requires a minimum set of data to complete the account. Once the account is created, the user can decide to interact with activities within the applications, which can require additional data; each time, this is again recognised as the minimal set needed to enable the additional feature.
All purposes for which the data is used are declared in the DPA, Terms & Conditions and Privacy Policies. If for any reason the purposes are required to be changed, the documentation is updated and all users are informed about this.
We review that the personal data we are processing is adequate, relevant and limited to what is necessary. This is done on a regular schedule as part of the DPIA process. Any new project implemented has a data review as one of the early stages of the project to ensure what is required and why.
Data accuracy is critical to our solution, so there are strict rules about how it is processed. Data is not edited directly at rest. The only way to change it is via recognised interfaces with strict validation on what can be entered and what can be edited.
We have a set of retention rules following the guidelines laid out in ISO27001. The user data is classified into 2 types: business (provided by the employer) and personal (added by the user directly). The user's personal data is obfuscated after 2 years of application inactivity. Business data is removed once the company terminates their contract with us. We remove any business reference from the user’s personal account.
We have completed the audit process for ISO27001 certification, conducted by BSI, without any non-conformities and have been recommended for certification. We are confident that we have data security completely covered from a development, operational, physical and personal basis, and are happy to share certification details on request.
We regularly ensure that we validate our GDPR governance and ensure we are at required levels. We use the following policies and procedures to do this:
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We use cookies to personalise and improve your member experience as you use our websites. This section provides more information about cookies, including how we use them and how you can exercise your choices about our use of cookies.
Cookies are small data files that allow a website to collect and store a range of data on your desktop computer, laptop or mobile device.
Cookies allow us to improve the way our websites work so that we can personalise your experience and allow you to use many of their useful features.
For example, we use Cookies so we can remember your preferences and the contents of your basket when you return to our websites after selecting a reward from our catalogue. Another example is to enable you to log in to our website as, without cookies, you cannot do this.
Cookies can help us to understand how our websites are being used, for example, by telling us if you get error messages as you browse.
These Cookies collect data that is mostly aggregated and anonymous.
You can use your browser settings to accept or reject new Cookies and to delete existing Cookies. You can also set your browser to notify you each time new Cookies are placed on your computer or other devices. You can find more detailed information about how you can manage Cookies at the All About Cookies and Your Online Choices websites.
If you choose to disable some or all Cookies, you may not be able to make full use of our Websites. For example, you may not be able to log in, add rewards to your basket, or proceed to checkout.
For more information on what cookies are set per application, please visit the relevant Cookie policy page for each website.
IAT’s architecture is designed to be secure and reliable. We use architecture with firewalls between each tier and additionally within certain tiers between services. Services are accessible only by other services that require access. Access keys are rotated regularly and stored separately from our code and data.
Each of our services is fully redundant with replication and failover. Services are distributed across multiple AWS availability zones. These zones are hosted in physically separate data centres, protecting services against single data centre failures.
IAT data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them. Additionally, production environments are separated from testing environments, and no data sharing is enabled across environments.
We use AWS services for data management and use their best practice for backups and log management. We test backup restoration regularly. We ensure all personal information is filtered from our log records.
We never store passwords in a form that can be retrieved. We ensure sessions are invalidated when users change key information, and sessions automatically expire after a period of inactivity.
We enable two-factor authentication on all our internal applications that have access to your personal data.
We monitor and rate limit authentication attempts on all accounts, ensuring attempts and geographical location are within acceptable usage rules.
We provide multiple user roles with different permission levels within our internal applications, ensuring the right resources access the right levels and views to enable them to do their role.
All IAT web traffic is served over HTTPS. We force HTTPS for all web resources, including our REST API, web app and public website.
Our databases, including backups, are fully encrypted at rest. In addition, all archives and logs are fully encrypted at rest. We use industry-standard encryption algorithms.
IAT has completed ISO-27001 certification, with the certification carried out by BSI. For a copy of our certification, please send a request to dpo@epoints.com.
All IAT employees complete security training when they join and are continually updated and retested. IAT performs background checks on all new employees. The background check includes employment verification, identity fraud, and criminal checks carried out by Experian. All employees have signed a confidentiality agreement with IAT.
IAT also has a defined protocol for responding to security events and disaster recovery scenarios, which the staff are tested on regularly.
You have a number of legal rights in relation to the information that we hold about you, including:
You can exercise any of the above-mentioned rights by completing this form and emailing it to support@epoints.com.
IAT services and websites are not intended for children under the age of 16, nor does IAT knowingly collect any personal information from them. If you have reason to believe that any Personal Information from any children under the age of 16 has been collected or submitted to IAT for any reason, please notify us at support@epoints.com, and IAT will seek to remove such information as soon as practicably possible.
If you have any general support concerns or need any more clarity on the service, please contact us at support@epoints.com. For any specific data security or GDPR questions, please contact us at dpo@epoints.com.
Alternatively, you can write to us at:
IAT Ltd,