Reference Point Limited (we) is committed to protecting and respecting your privacy.
This policy, together with our end-user licence terms (Licence Terms), applies to your use of:
Our Vircarda mobile application software (App) once you have downloaded a copy of the App onto your mobile telephone or handheld device (Device). Our service accessible through the App (Service).
For the purpose of the General Data Protection Regulation (GDPR (EU) 2016/679) and any successor legislation (“data protection legislation”), the data controller is Reference Point Limited of 2-4 Technology House, Chalfont St Peter, Gerrards Cross, Buckinghamshire SL9 9QA +44 (0) 1753 279 927.
How Does the Service Work?
Vircarda is an app that holds virtual cards. Before you can use the app, you have to register with us. Once you have registered, you can download virtual cards that have been issued to you by card issuers authorised by us. Virtual cards downloaded by you into Vircarda can be read by other parties using software or application protocol interfaces (APIs) supplied by us. Such parties can only read your cards with your permission. Your permission is given by you presenting them with card credentials such as a code generated by your card.
You must use a secure password for your use of the App and Service and it is your responsibility to keep your password confidential.
What Types of Personal Information We Collect
The Personal Information that you give us or we collect from or about you may include:
Contact Information such as name, telephone numbers and e‐mail addresses; Information such as date of birth to help verify your identity; Details of any ancillary services you have subscribed to via the Service; Your location - we use GPS technology to determine your current location. The location-enabled aspects of our Service require your Personal Information for the feature to work. You can withdraw your consent at any time by disabling location services on your device; What you have used the Service for; Notifications sent to you; What cards are held or have been held in your app but not details of the card contents except where you have given permission; Information to help authenticate your access to the Service; Technical information, including the type of mobile device you use, a unique device identifier (for example, your Device's IMEI number, the MAC address of the Device's wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting and other information about your device; If you contact us, a record of that correspondence.
How and from Whom We Collect Your Information
The Service may collect Personal Information about you:
Directly through your entry of information for the Service (for example, when you fill in forms to register); From card scheme operators or service providers whose virtual cards you download; From other third parties (including, for example, sub-contractors in technical services, analytics providers, search information providers, and so on); From geolocation services utilised by your device; From backend services integral to the Service.
How We May Use (Purpose) and Disclose Your Personal Information
To provide services authorised by you (such as to share information about your virtual cards with people reading your cards and to send messages to you related to authorised services, including sending notifications to your device from us or your card scheme operator); To verify your identity and perform fraud screening by comparing details you give us about yourself with information from third parties including card scheme operators; To share details of your card usage with the relevant card scheme operator; To prevent fraudulent or other abusive use of a card in your app or the Service; To comply with laws and regulations, including compliance with court orders or lawful instructions from a governmental or regulatory body, to protect the personal safety of card holders or the public, to defend the Service against legal claims and to protect the Service’s rights and property, as permitted by applicable law; To provide you with information, products or services that you authorise us to provide; To carry out our obligations arising from any contracts entered into between you and us; To allow you to participate in interactive features of our service, when you choose to do so; To notify you about changes to our service; To complete a change of control transaction in which all or a portion of our operations and business are purchased or acquired by a third party; and As otherwise authorised by you.
In addition, we will disclose your personal information to third parties:
We will share your personal information with third parties where required by law or where necessary to deliver the service.
We may disclose your personal information to third parties:
In the event that we sell or buy any business or assets, in which case we will disclose your Personal Information to the prospective seller or buyer of such business or assets; If Reference Point Limited or substantially all of its assets are acquired by a third party, in which case Personal Information held by it about its customers will be one of the transferred assets; In order to enforce or apply the Licence Terms and other agreements or to investigate potential breaches; or To protect the rights, property or safety of Reference Point Limited, our customers, or others.
Legal basis for processing
We will only use your personal data when the law allows us to.
- We may use your personal data to perform the contract we have entered into with you or in order to take steps at your request to enter into a contract with you (Basis: Art 6(b) GDPR).
- We and any third parties with whom we share your personal data may also find it necessary to process your data for legitimate interests we pursue (Basis: Art 6(f) GDPR), for example, to maintain the security of our services or improve them.
- Where we do not rely on another legal basis, we may process your personal data based on consent you provide (Basis: Art 6(a) GDPR).
How We Keep Your Information Secure
To ensure your Personal Information remains confidential, the Service maintains physical, electronic, and procedural safeguards to help prevent unauthorised access to your Personal Information.
The Service has policies and procedures that limit employee access to your Personal Information to those with a business reason to have such information and we educate our employees about the importance of confidentiality and customer privacy.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Information, we cannot guarantee the security of the information you transmit to us; any transmission is at your own risk. Once we have received your information, we will use reasonable procedures and security features to try to prevent unauthorised access.
Where We Store Your Personal Information
The Personal Information that we collect from you will be stored in the European Economic Area ("EEA"). It will only be processed by staff operating inside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the processing of your payment details and the provision of support services.
We will not transfer any data that we collect or receive from you that constitutes personal data outside of the EEA unless there are appropriate safeguards or an adequacy decision in relation to the transfer as set out in the data protection legislation or the transfer otherwise complies with the data protection legislation. Such transfers may involve, for example, our use of third party services allowing us to send e-mails or automated SMS messages which make use of facilities in third countries to process and store data.
Retention period and criteria used to determine the retention period
- Information collected will be retained for a period no longer than is necessary to support the purpose of processing personal data set out above.
- Encrypted back ups: We will retain encrypted back up tapes for a maximum of 3 years from the termination of our contract with you, if any, or from when you cease to use our services. This time limit is set in line with the limitation period for possible legal claims which may require such data in order to be investigated and defended against.
You have the right to:
- Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information (commonly known as “the right to be forgotten”). This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
Where our processing is based on your explicit consent to our processing, you have the right to withdraw such consent (this will not affect the lawfulness of processing prior to the withdrawal of your consent).
If you wish to exercise any of these rights please contact our Data Protection Officer at firstname.lastname@example.org.
You have the right to ask us not to process your personal data for marketing purposes. We will inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes and you can withhold your consent to and prevent such processing by not checking certain boxes on the forms we use to collect your data. You can also exercise the right to prevent such processing at any time by contacting us at email@example.com.
Complaints to Information Commissioner: You have the right to lodge a complaint about our processing with the Information Commissioner.
Consequences of failure to provide personal data: Your provision of personal data to us may be a requirement necessary for you to enter into a contract with us. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you.
The App or any related website of ours may, from time to time, contain links to third party websites. If you follow a link to any of these websites, please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal information that may be collected through these websites or services, such as contact and location data. Please check these policies before you submit any personal information to these websites or use these services.
If you have any questions, comments or concerns about this Policy, please contact us at firstname.lastname@example.org.