© 2026 Totally Rewards Ltd. All rights reserved.
TOTALLY PRIVACY STATEMENT
1. Introduction
This Privacy Statement explains how Totally Rewards Ltd. ("we," "us," or "our") collects, uses,and protects personal information. We are committed to protecting your privacy and handlingyour data in an open and transparent manner.
This statement covers our role as both a Data Controller (when we collect data for our ownpurposes, such as through our website and marketing) and as a Data Processor (when wehandle data on behalf of our business customers to provide our services).
Contact details:
Totally Rewards Ltd.
Kemp House, 152–160 City Road, London, England, EC1V 2NX
Email: support@totallyrewards.com
2. Our Role in Data Processing
- As a Data Controller: We act as a controller when we collect personal data directly fromyou for our own business purposes. This includes information from visitors to ourwebsite, marketing contacts, and representatives of our business customers.
- As a Data Processor: We act as a processor when we provide our gift card services toour business customers (the "Controller"). In this role, we process data strictly in linewith our customers’ instructions and our contractual obligations.
3. Information We Process as a Data Processor
When providing services on behalf of our business customers, they remain the Data Controller.We process only the data necessary to fulfil our contractual obligations, which may include:
- Email address: To deliver digital gift cards.
- IP address: For security, fraud prevention and redemption monitoring.
If you have received a gift card fulfilled by Totally Rewards and have questions about yourpersonal data, please contact the organisation that issued the gift card. They are the DataController responsible for your data.
4. Information We Collect as a Data Controller
When you interact with our website or conduct business with us, we may collect:
- Contact information: Name, email address, phone number, and company name.
- Technical information: IP address, browser type and operating system, collected viacookies or similar technologies.
- Marketing information: Preferences and communication history if you engage with ourcampaigns.
5. How We Use Your Information (as a Data Controller)
We process your data only where we have a lawful basis under Article 6 of the UK/EU GDPR.
You can withdraw consent for marketing at any time by clicking “unsubscribe” in our emails orcontacting us directly.
6. Data Sharing and International Transfers
We do not sell your personal data. We may share it only:
- With sub-processors: We use trusted service providers (such as cloud hosting, emaildelivery) under contracts that ensure equivalent data protection.
- For international transfers: Our systems are primarily hosted in the UK and Europe. Forescalated support, some technical staff in Serbia may access data under strict securitycontrols. We use the EU Standard Contractual Clauses and the UK International DataTransfer Addendum to ensure compliant transfers.
- To meet legal obligations: We may disclose data where required by law or court order.
A list of sub-processors is available on request.
7. Cookies and Similar Technologies
Our website uses cookies to enhance user experience, analyse traffic, and deliver relevantcontent. Non-essential cookies are used only with your consent. You can manage cookiepreferences via your browser settings or our cookie banner.
For more details, please see our Cookie Policy.
8. Data Security
We implement appropriate technical and organisational measures to safeguard personal data,including:
- Encryption of data in transit and at rest.
- Access controls ensuring only authorised personnel can view personal data.
- Regular staff security training.
- Secure network and data centre protections.
9. Data Retention
- As a Processor: We retain personal data only for the period agreed with our businesscustomers.
- As a Controller: We retain personal data only as long as necessary to fulfil the purposefor which it was collected or as required by law.
10. Your Data Protection Rights
Under UK and EU GDPR, you have the right to:
- Access your personal data.
- Correct any inaccuracies.
- Request erasure of your data (“the right to be forgotten”).
- Object to or restrict processing.
- Receive your data in a portable format.
To exercise these rights, contact us at support@totallyrewards.com.
If your request concerns data processed on behalf of one of our business customers, pleasecontact that client directly (they are the Data Controller).
If you are not satisfied with our response, you may contact the Information Commissioner’sOffice (ICO) at www.ico.org.uk or your local supervisory authority in the EU
11. Changes to This Privacy Statement
We may update this statement from time to time. Any material changes will be posted on thispage with a revised effective date.
© 2026 Totally Rewards Ltd. All rights reserved.
