1. Introduction
   
   This Privacy Policy applies to everything at gfclubcard.com (“we,” “our,” or “the website”). It explains how we collect, use, disclose, store, and protect your personal data when you visit or interact with our site. GF Clubcard is a trading name of Ginger Fig Club Limited, registered in England No. 13581581

2. Data We Collect
   
   We may collect:

• Personal information you provide (e.g. name, email, postal address, telephone number, date of birth, Clubcard number, account login credentials)
• Transaction data including purchase history, store location, payment method, rewards or points redeemed, coupons used
• Technical & usage data such as IP address, browser type, device, pages visited, cookies and tracking data

3. How We Use Your Data
   
   We process your personal data to:

• Provide and manage your Clubcard account and deliver benefits
• Monitor usage to detect and prevent card misuse
• Analyse anonymised data for marketing insights and to improve our loyalty scheme
• Communicate with you (e.g. account updates, service information, tailored offers)

Legal bases include: contractual necessity, legitimate interests, and— where applicable—your consent.

4. Cookies & Tracking Technologies
   
   We use cookies, web beacons, and analytics tools (e.g. Google Analytics) to monitor and improve website performance and tailor content. You can manage cookies via your browser settings, though this may limit full functionality.
   
   
5. Data Sharing & Third Parties
   We may share your data with trusted third-party service providers who help operate our services (e.g. IT providers, analytics partners, customer support). These partners only use your data to perform their tasks and are bound by confidentiality. Data may also be shared if required by law, or to protect legal rights.
   
   
6. International Transfers
   Where necessary, your data may be transferred outside the UK / EU. In such cases, proper safeguards (e.g. standard contractual clauses) will be used to ensure continued data protection.
   
   
7. Data Retention
   We retain your data for as long as your account is active or for legal obligations. Inactive accounts may be anonymised or deleted after a defined period since last activity.
   
   
8. Security
   We maintain appropriate technical and organisational measures (e.g. encryption, access controls, SSL/TLS) to protect your data against unauthorised access or loss.
   
   
9. Your Rights
   
   Under UK GDPR and the Data Protection Act you have rights to:

• Access, correct or update your personal data
• Request deletion or restriction of processing
• Object to processing based on legitimate interest or direct marketing
• Withdraw consent (if used) at any time
• Request data portability

To exercise any rights, please contact us at the address below.

10. Children & Age Restrictions
    
    Our services are not intended for individuals under 18. We do not knowingly collect data from minors. If we learn that we have unintentionally gathered such data, we will promptly delete it.
    
    
11. Changes to This Policy
    
    We may update this Privacy Policy periodically. The updated version and its effective date will be posted on our website. Please review this page periodically.
    
    
12. Contact Us
    
    For any inquiries or to exercise your rights, please contact our Data Protection Officer (DPO) at:
    7a Truss Hill Road Ascot England SL5 9AL

Effective date: August 1, 2025