Privacy Policy

1. Definitions

“We”, “us”, “our”, “the Platform” means MyGreenReferrals Ltd.
“Customer” means a business, organisation, sole trader, or other entity that registers for and uses the Platform to create or operate a referral program.
“User” means an individual authorised by a Customer to access or use the Platform on the Customer’s behalf (including the Customer’s staff, contractors, or representatives).
“Participant” means a person granted access to participate in a Customer Referral Program on the Platform (for example, a “referrer” or a “referred friend”).
“Customer Referral Program” means any referral program, rules, incentives, communications, landing pages, forms, and workflows created, configured, or operated by a Customer using the Platform.
“Unique Link” means a unique URL or code generated by the Platform for tracking referrals in a Customer Referral Program.
“Customer Content” means all content, text, offers, reward descriptions, criteria, images, policies, and other materials provided by or on behalf of a Customer to be displayed or sent via the Platform.

2. Access & acceptance

In this Privacy Policy, “Personal Data” means information that relates to an identified or identifiable natural person, including a Customer, a User, or a Participant.

The Platform may collect:

Personally identifiable information (information that can be used to identify you as a unique person), such as your name, email address, or payout details.
Non-personally identifiable information (information that cannot, on its own, be used to identify you as a unique person), such as aggregated usage statistics or certain technical logs.

We process Personal Data in accordance with UK data protection laws, including the UK General Data Protection Regulation (the UK GDPR) and the Data Protection Act 2018.

By accessing, registering for, or using the Platform as a Customer, User, or Participant, you acknowledge that you have read and understood this Privacy Policy and that Personal Data will be collected, used, and processed as described here.

3. Data roles (Customer vs MyGreenReferrals)

The Platform enables Customers to run their own Customer Referral Programs. This affects who is responsible for different categories of data:

Customer-controlled program data: Where the Customer decides what Participant information is collected, why it is collected, and how it is used for the Customer Referral Program, the Customer acts as the data controller for that program-related data. In those cases, MyGreenReferrals acts as a data processor, processing that data on the Customer’s behalf to provide the Services.
Platform operational data (including Platform usage data): MyGreenReferrals acts as a data controller for Personal Data we need to operate, secure, support, and improve the Platform. This can include account administration, authentication logs, Platform usage/activity logs, security/audit logs, support communications, and (where applicable) billing records.

The Customer is responsible for ensuring that any additional information collected from Participants through a Customer Referral Program is relevant to the service being provided and that the Customer provides appropriate privacy notices and obtains any required consents under applicable law.

If you are a Participant and you have questions about what a Customer collects and why, you should contact the relevant Customer directly. See Section 8 (Your rights).

4. Data we collect

Depending on whether you are a Customer, a User, or a Participant, we may process different categories of data in the contexts described below.

Role	Personal Data collected	Context	Who controls it
Customer	First name Last name Email address Job title	When the Customer creates a Platform account.	MyGreenReferrals (Platform operational/account administration data)
User (Customer team member)	First name Last name Email address Password (stored in hashed/secured form)	When the Customer (or an authorised User) creates a team member account and grants Platform access.	MyGreenReferrals (Platform operational/access management data)
Participant (existing client of the Customer)	First name Last name Email address	When the Customer (or an authorised User) adds the Participant as a customer referral program member on the Platform.	The Customer (Customer-controlled program data), processed by MyGreenReferrals as a processor.
Participant (referred friend)	First name Last name Email address	When the referred friend signs up through the referred friend landing page of a Customer Referral Program.	The Customer (Customer-controlled program data), processed by MyGreenReferrals as a processor.
Participant (Customer-determined lead fields)	Additional information determined by the Customer may be collected, for example: Address Services the referred friend is interested in Other onboarding/lead information configured by the Customer The exact fields vary by Customer and by Customer Referral Program and are configured by the Customer.	When the Customer configures a lead capture form or onboarding flow and a Participant completes it.	The Customer (Customer-controlled program data), processed by MyGreenReferrals as a processor.
Participant (reward fulfilment details)	Reward payout details, such as: PayPal email address Zelle email address and/or contact number Cash App cashtag	When a Participant earns a reward and payout details are required so the Customer can fulfil a reward under the Customer Referral Program.	The Customer (Customer-controlled program data), processed by MyGreenReferrals as a processor.
All roles (Customers, Users, Participants)	Platform usage and technical data, which may be personally identifiable in some cases (e.g. IP address), including: Sign-in events and timestamps Actions performed in the Platform (e.g., making a referral, viewing referral status) Pages viewed and features used IP address, device/browser log data Security and audit logs	When the Platform is used.	MyGreenReferrals for Platform operation/security/monitoring, and the Customer for program records within a Customer Referral Program (depending on the specific data and purpose).

5. How we use data

We use Personal Data to:

provide and operate the Platform and Services (including enabling Customers to run Customer Referral Programs);
authenticate Customers, Users, and Participants and manage access permissions;
record and display referral activity, statuses, and related program interactions;
provide reward fulfilment support workflows (for example, capturing payout details for the Customer’s reward fulfilment process);
respond to support requests and send service-related notices;
monitor, prevent, and investigate fraud, abuse, and security incidents;
maintain and improve the Platform (including debugging, analytics, and performance); and
comply with legal obligations and enforce our Terms.

Customers are responsible for ensuring appropriate lawful bases and consents for Participant communications and data collection within their Customer Referral Program.

We may share Personal Data in the following circumstances:

With the relevant Customer and the Customer’s Users: Participant data and activity within a Customer Referral Program may be visible to the Customer and authorised Users so the Customer can administer referrals, rewards, and program rules.
With service providers (sub-processors): We may use trusted service providers to help us operate the Platform (for example, hosting, analytics, error monitoring, email delivery, and customer support tooling). They may access Personal Data only as needed to provide services to us.
Reward fulfilment (third-party platforms): Where the Customer uses third-party platforms to fulfil rewards, we may share certain Participant details with those third parties to enable fulfilment, such as first name, last name, email address and, where applicable, payout details like PayPal email, Zelle email/contact number, or Cash App cashtag. When we do this, we do so to provide the Services and, where applicable, on the Customer’s instructions for the Customer Referral Program.
Legal and safety reasons: We may disclose data if required by law or if we reasonably believe disclosure is necessary to protect rights, safety, or security.
Business transfers: If we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, data may be transferred as part of that transaction.

7. Retention & deletion

We retain Personal Data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, prevent abuse, and enforce our agreements.

7.1 Participant deletion and retention

If a Participant profile is deleted from the Platform, the Participant profile will be removed from active view and use. However, the Participant’s data may be retained on our servers and backups for up to 90 days after deletion, after which it will be deleted or anonymised (unless we are required to retain it longer by law).

7.2 User (team member) deletion and retention

If a User (team member) profile is deleted from the Platform, the User profile will be removed from active view and use. However, the User's data may be retained on our servers and backups for up to 90 days after deletion, after which it will be deleted or anonymised (unless we are required to retain it longer by law).

7.3 Customer account deletion and retention

If a Customer closes or deletes a Customer account, access to the Platform for that Customer, its Users, and its Participants will end (unless we expressly agree otherwise in writing, for example to allow a limited export period).

Following closure/deletion of a Customer account, Customer account information (including account owner details and account configuration data) may be retained on our servers and backups for up to 90 days, after which it will be deleted or anonymised, unless:

we are required to retain it to comply with applicable law (for example, tax/accounting or regulatory obligations);
it is reasonably necessary to establish, exercise, or defend legal claims; or
it is reasonably necessary for fraud prevention, security investigations, or abuse prevention.

8. Your rights & how to exercise them

8.1 Participants

Participant requests go to the Customer. If a Participant wants access to their data stored on the Platform, wants corrections, or wants their data removed, the Participant must contact the Customer operating the relevant Customer Referral Program. The Customer is responsible for administering those requests for Customer Referral Program data.

8.2 Users

If a User wants access to, correction of, or removal of User data associated with the Customer account to which the User was added, the User should contact the relevant Customer administrator in the first instance.

8.3 Customers

Customers may contact us to request access, correction, deletion, or other rights requests relating to data we control as part of operating the Platform (for example, account administration, Platform usage logs, and security logs), subject to applicable law and lawful exemptions.

9. Security

We implement technical, organisational, and (where appropriate) physical security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, and unauthorised access.

However, no method of transmission over the internet and no system of storage can be guaranteed to be completely secure.

If a personal data breach occurs that is likely to result in a risk to individuals’ rights and freedoms, we will notify the Customer without undue delay and provide, where reasonably possible: (i) a summary description of the breach, (ii) the likely consequences, and (iii) recommended measures to reduce potential adverse effects.

To the extent permitted by law, we are not responsible for losses arising from unlawful acts of third parties (for example, where a third party gains access through a compromised email account, device, or credentials), except where such losses result from our failure to implement appropriate security measures as required by applicable law.

Customers, Users, and Participants also share responsibility for Platform security, for example by keeping their account secure, ensuring credentials remain confidential, granting access only to those who genuinely need it, and promptly removing access that is no longer required.

10. International transfers

Depending on where our systems and service providers are located, Personal Data may be processed in countries outside the UK. Where required, we implement appropriate safeguards for international transfers (for example, contractual protections).

11. Children

The Platform is intended for business use and is not directed at children. Customers must not knowingly invite or collect Personal Data from children through a Customer Referral Program unless the Customer has a lawful basis to do so and provides appropriate notices and protections.

12. Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify the Customer using the primary email address associated with the Customer’s account (or via an in-app notice). Customers are responsible for informing their Users and Participants of changes that may affect them.

13. Contact

If you have questions about this Privacy Policy, contact:

Email: support@mygreenreferrals.com
Post: MyGreenReferrals Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UNITED KINGDOM

If you are a Participant, please direct data access/deletion requests to the Customer operating the referral program you joined.