Terms of Service
Example H3
Last Updated: Feb 16, 2026

Privacy Policy

1. INTRODUCTION

Zeal IO Ltd. ("Zeal", "we", "us", or "our") is committed to protecting your privacy and ensuring transparency in how we collect, use, and share your personal data.

This Privacy Policy explains how we process personal data when you:

  • Use our value-added services platform as a merchant
  • Interact with our services as a consumer making purchases at merchant locations
  • Partner with us as a payment service providerThis policy applies to all personal data we process through:
  • Our proprietary software installed on point-of-sale (POS) payment terminals
  • Our Merchant Dashboard and mobile applications
  • Our Partner Portal for payment service providers
  • Our websites and related servicesAbout Zeal:
  • Company Name: Zeal IO Ltd.
  • Company Number: 11998285 (England and Wales)
  • Registered Office: 85 Great Portland Street, First Floor, London, W1W 7LT, United Kingdom
  • Email: privacy@getzeal.io

2. IMPORTANT INFORMATION AND WHO WE ARE

2.1 Data Controller

Zeal acts as a data controller for the personal data we process. This means we determine the purposes and means of processing your personal data.

2.2 Contact Details

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

Data Protection Officer Zeal IO Ltd. 85 Great Portland Street, First Floor London, W1W 7LT United Kingdom Email: privacy@getzeal.io

2.3 Supervisory Authority

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). However, we would appreciate the opportunity to address your concerns before you approach the ICO.

2.4 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by:

  • Posting the updated policy on our website
  • Sending an email notification to registered merchants
  • Displaying a prominent notice in the Merchant DashboardThe "Last Updated" date at the top of this policy indicates when it was last revised.

3. THE DATA WE COLLECT ABOUT YOU

We collect, use, and process different types of personal data depending on your relationship with Zeal:

3.1 For Merchants

When you use our platform as a merchant, we collect:

Business Information:

  • Legal business name and trading name
  • Business registration number
  • Business address and contact details
  • Merchant Identification Number (MID)
  • Merchant Category Code (MCC)
  • Industry sector and business type
  • Number of locations and staff count
  • Years in operationContact Information:
  • Names of business owners, directors, and key personnel
  • Email addresses
  • Telephone numbers (mobile and landline)
  • Business correspondence addressesFinancial and Transaction Information:
  • Transaction volumes and values
  • Average transaction amounts
  • Payment processing history
  • Revenue and sales data
  • Payment patterns and trends
  • POS terminal configuration detailsTechnical Information:
  • IP addresses
  • Device identifiers
  • Log files and usage data
  • POS terminal type and software version
  • Browser type and version (for Merchant Dashboard)Account Information:
  • Login credentials
  • Dashboard usage data
  • Preferences and settings
  • Communication preferences

3.2 For Consumers

When you make purchases at participating merchant locations, we may collect:

Transaction Data:

  • Date, time, and location of purchase
  • Transaction amount
  • Items purchased (basket composition)
  • Payment method and card type (last 4 digits only)Card-Based Identification:
  • Tokenized payment card identifier (not full card number)
  • Card scheme (Visa, Mastercard, etc.)Loyalty Program Data (if you participate):
  • Points earned and redeemed
  • Program membership number
  • Rewards preferences
  • Purchase history for loyalty purposesDevice Information (if you use our mobile app):
  • Device type and model
  • Operating system
  • Mobile device identifiers
  • App version
  • Location data (with your consent)Communications:
  • Email address (if provided for receipts or marketing)
  • Mobile phone number (if provided for SMS notifications)
  • Communication preferences

3.3 For Payment Service Providers

When you partner with us, we collect:

Business Information:

  • Company name and registration details
  • Registered office address
  • Contact details of authorized representatives
  • VAT registration numberCommercial Information:
  • Banking details for payments
  • Performance metrics and reports
  • Merchant portfolio data
  • Upload and activation statisticsAccount Access Information:
  • Partner Portal login credentials
  • Usage logs and activity data
  • IP addresses

4. HOW WE COLLECT YOUR DATA

We collect personal data through various methods:

4.1 Direct Collection

  • When you sign up for our services as a merchant
  • When you use our Merchant Dashboard or mobile app
  • When you contact our customer support
  • When you attend our events or webinars
  • When you subscribe to our newsletters or marketing communications

4.2 Automated Collection

  • Through software installed on POS terminals at merchant locations
  • Through cookies and similar technologies on our websites and applications
  • Through log files and analytics tools

4.3 From Third Parties

  • Payment Service Providers: We receive merchant data from our payment provider partners when they refer merchants to our platform
  • Payment Networks: We may receive transaction authorization and processing data from Visa, Mastercard, and other payment networks
  • Publicly Available Sources: We may obtain business information from Companies House and other public registers
  • Data Partners: We may receive aggregated or anonymized benchmark data from industry partners

5. HOW AND WHY WE USE YOUR DATA

5.1 Legal Bases for Processing

Under the UK GDPR, we must have a legal basis to process your personal data. We rely on the following legal bases:

Consent: Where you have given clear consent for us to process your personal data for a specific purpose (e.g., marketing communications, location tracking).

Contract: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.

Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided your interests and fundamental rights do not override those interests.

Legal Obligation: Where we need to process your data to comply with legal or regulatory obligations.

5.2 Purposes of Processing

We use your personal data for the following purposes:

For Merchants:

Purpose Data Used Legal Basis
Service Provision: To provide our loyalty platform, customer identification, and data analytics services All merchant data categories Contract performance
Account Management: To create and manage your merchant account Business and contact information Contract performance
Customer Support: To respond to inquiries and provide technical assistance Contact information, technical data Contract performance and legitimate interests
Service Improvement: To analyze usage patterns and improve our platform Technical and usage data Legitimate interests
Business Analytics: To provide you with insights about your business performance Transaction and financial data Contract performance
Payment Processing: To calculate and process subscription fees Financial information Contract performance
Compliance: To verify your business identity and comply with anti-money laundering regulations Business information Legal obligation
Marketing: To send you information about new features, services, and updates Contact information Consent or legitimate interests (with opt-out option)

For Consumers:

Purpose Data Used Legal Basis
Card-Based Identification: To recognize you when you make purchases at participating merchants Tokenized card identifier Legitimate interests (enabling loyalty programs)
Loyalty Programs: To track and manage your loyalty points and rewards Transaction data, loyalty program data Contract performance (if you've enrolled) or legitimate interests
Personalized Offers: To provide targeted promotions and recommendations Purchase history, preferences Consent
Transaction Analysis: To generate insights about consumer behavior Transaction data (anonymized/aggregated) Legitimate interests
Fraud Prevention: To detect and prevent fraudulent transactions Transaction data, device information Legitimate interests and legal obligation
Service Communications: To send receipts, loyalty updates, and service messages Email address, phone number Contract performance or consent

For Payment Service Providers:

Purpose Data Used Legal Basis
Partnership Management: To manage our commercial relationship Business and contact information Contract performance
Compensation Calculation: To calculate and pay revenue share and bonuses Performance metrics, merchant portfolio data Contract performance
Portal Access: To provide access to our Partner Portal Account access information Contract performance
Reporting: To provide performance reports and analytics Commercial information, metrics Contract performance

5.3 Data Monetization

Important Notice: We use transaction data and merchant data for commercial purposes, including sharing with and licensing to third parties. This is a core part of our business model.

How We Monetize Data:

We may share, license, or sell data to:

  • FMCG Brands and Retailers: For targeted promotions, campaign measurement, and market insights
  • Loyalty Program Providers: For coalition loyalty programs and points-based promotions
  • Market Research Firms: For aggregated market trends and consumer behavior analysis
  • Financial Institutions and Payment Networks: For fraud prevention, network optimization, and data insights
  • Data Analytics Platforms: For business intelligence and benchmarking services
  • Investment Firms: For aggregated economic indicators and market intelligenceData Protection Measures:
  • When possible, we anonymize and aggregate data before sharing with third parties
  • We enter into data processing agreements with recipients requiring them to protect the data
  • We conduct data protection impact assessments for high-risk processing activities
  • Merchants receive a share of monetization revenue through their payment service provider partnersLegal Basis: Legitimate interests (generating revenue to provide and improve our services) for merchants under contract, and explicit consent for consumers. Where required by law, we obtain explicit consent before monetizing personal data.

6. WHO WE SHARE YOUR DATA WITH

6.1 Categories of Recipients

We may share your personal data with the following categories of recipients:

Service Providers:

  • Cloud hosting providers (e.g., AWS, Microsoft Azure)
  • Data analytics and business intelligence platforms
  • Customer support software providers
  • Email and SMS communication services
  • Payment processing services
  • Cybersecurity and fraud prevention servicesBusiness Partners:
  • Payment service providers who referred your business to us
  • Payment networks (Visa, Mastercard, etc.)
  • Loyalty program providers
  • FMCG brands and retailers (for data monetization)
  • Market research and data analytics firmsProfessional Advisors:
  • Lawyers, accountants, and auditors
  • Business consultants
  • Insurance providersRegulatory and Law Enforcement:
  • UK Information Commissioner's Office (ICO)
  • HM Revenue & Customs (HMRC)
  • Financial Conduct Authority (FCA)
  • Law enforcement agencies
  • Courts and dispute resolution bodiesCorporate Transactions:
  • Potential buyers, investors, or merger partners (under confidentiality obligations)

6.2 Data Sharing Principles

When we share your data with third parties, we:

  • Only share what is necessary for the specific purpose
  • Ensure appropriate contractual protections are in place (data processing agreements)
  • Require recipients to maintain appropriate security measures
  • Conduct due diligence on recipients' data protection practices
  • Monitor compliance with data protection requirements

6.3 Payment Service Provider Access

Your payment service provider partner has limited access to data about your account, including:

  • Upload and activation status
  • Payment and subscription status
  • Performance metrics related to their referrals
  • Aggregated anonymized data about merchant portfoliosPayment providers do not have access to:
  • Detailed transaction data
  • Consumer personal data
  • Sensitive business information
  • Your merchant dashboard account

7. INTERNATIONAL TRANSFERS

7.1 Transfers Outside the UK/EEA

We primarily store and process data within the United Kingdom. However, some of our service providers and data monetization partners are located outside the UK and European Economic Area (EEA), including in the United States.

When we transfer your personal data outside the UK/EEA, we ensure an adequate level of protection through one or more of the following safeguards:

Adequacy Decisions: We transfer data to countries that have been deemed by the UK Government or European Commission to provide an adequate level of data protection (e.g., EU member states).

Standard Contractual Clauses (SCCs): We use the UK International Data Transfer Agreement or EU Standard Contractual Clauses approved by the UK Information Commissioner's Office and European Commission.

Binding Corporate Rules: Some of our service providers operate under approved binding corporate rules.

US Data Privacy Framework: For transfers to the United States, we may rely on the EU-U.S. Data Privacy Framework and UK Extension to the EU-U.S. DPF where applicable.

7.2 Details of Transfers

The countries to which we may transfer your data include:

  • United States (cloud hosting, data analytics)
  • European Economic Area countries (various service providers)
  • Other countries with adequacy decisionsYou may contact us at privacy@getzeal.io to obtain:
  • A list of countries to which your data may be transferred
  • Copies of the safeguards we have put in place
  • Further information about specific transfers

8. DATA SECURITY

8.1 Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Technical Measures:

  • Encryption of data in transit (TLS 1.2 or higher)
  • Encryption of data at rest (AES-256 or equivalent)
  • Multi-factor authentication for account access
  • Regular security vulnerability assessments and penetration testing
  • Intrusion detection and prevention systems
  • Firewalls and network segmentation
  • Secure software development practices
  • Regular security patches and updatesOrganizational Measures:
  • Access controls limiting data access to authorized personnel on a need-to-know basis
  • Confidentiality agreements for all employees and contractors
  • Regular data protection and security training
  • Incident response and breach notification procedures
  • Business continuity and disaster recovery plans
  • Regular security audits and assessments
  • Data Protection Impact Assessments for high-risk processingCertifications and Compliance:
  • PCI DSS Level 1 certification (or higher)
  • ISO 27001 certification (or working towards it)
  • Annual third-party security audits
  • Cyber insurance coverage (minimum £5,000,000)

8.2 Data Breach Response

In the event of a personal data breach, we will:

  • Notify the ICO within 72 hours where required by law
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Take immediate steps to contain and remediate the breach
  • Investigate the cause and implement measures to prevent recurrence
  • Maintain records of all breaches

9. DATA RETENTION

9.1 Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

Merchants:

Data Type Retention Period Reason
Account information Duration of contract + 7 years Contract performance, legal obligations (tax, accounting)
Transaction data 7 years (anonymized after 7 years for data monetization) Data monetization, analytics, legal obligations
Financial records 7 years from end of financial year Legal obligations (tax, accounting)
Support communications 3 years from last contact Legitimate interests (service improvement)
Marketing data Until consent withdrawn + 3 years Consent, legitimate interests

Consumers:

Data Type Retention Period Reason
Transaction data (identifiable) 7 years Legal obligations, fraud prevention
Transaction data (anonymized) 7 years (for data monetization and analytics) Data monetization, analytics
Loyalty program data Duration of program participation + 3 years Contract performance
Marketing preferences Until consent withdrawn + 1 year Consent
Device data 2 years Legitimate interests (fraud prevention)

Payment Service Providers:

Data Type Retention Period Reason
Contract and commercial data Duration of agreement + 7 years Contract performance, legal obligations
Performance metrics Duration of agreement + 3 years Contract performance (revenue share)
Portal access logs 2 years Security, audit purposes

9.2 Anonymization

Where possible, we anonymize personal data after the retention period expires rather than deleting it. Anonymized data cannot be used to identify you and is not considered personal data under data protection laws.

9.3 Deletion Requests

You may request deletion of your personal data before the retention period expires (see Section 10.7). We will honor such requests unless we have a legal obligation or legitimate interest to retain the data.

10. YOUR RIGHTS

10.1 Overview of Rights

Under the UK GDPR, you have the following rights:

  • Right to be Informed: You have the right to clear, transparent information about how we use your data (this Privacy Policy).
  • Right of Access: You have the right to request a copy of the personal data we hold about you.
  • Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
  • Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your personal data in certain circumstances.
  • Right to Restrict Processing: You have the right to request that we restrict processing of your personal data in certain circumstances.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.
  • Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

10.2 Right of Access (Subject Access Request)

You may request access to your personal data by contacting us at privacy@getzeal.io.

What we'll provide:

  • Confirmation that we process your personal data
  • A copy of the personal data we hold
  • Information about processing purposes, categories, and recipients
  • Retention periods or criteria
  • Information about your rightsResponse time: Within one month (may be extended by two months for complex requests)

Fee: Free, unless the request is manifestly unfounded or excessive

10.3 Right to Rectification

If you believe any personal data we hold about you is inaccurate or incomplete, you may request correction.

For Merchants: You can update most information directly in your Merchant Dashboard, or contact support@getzeal.io

For Consumers: Contact privacy@getzeal.io with details of the correction needed

For Payment Providers: Update information in the Partner Portal or contact your account manager

Response time: Within one month

10.4 Right to Erasure

You may request deletion of your personal data in the following circumstances:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent (where processing is based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligationLimitations: We may refuse erasure if we need the data to:
  • Comply with legal obligations
  • Establish, exercise, or defend legal claims
  • Fulfill other legal grounds under data protection lawNote for Merchants: If you request deletion, we will close your account and cease providing services. Transaction data may be anonymized rather than deleted if required for legal compliance or data monetization agreements.

10.5 Right to Restrict Processing

You may request that we restrict processing of your personal data in the following circumstances:

  • You contest the accuracy of the data (during verification)
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing (pending verification of grounds)

10.6 Right to Data Portability

You may request that we provide your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) so you can:

  • Store it for your own purposes
  • Transmit it to another service providerApplies to:
  • Data provided to us with your consent or for contract performance
  • Data processed by automated meansDoes not apply to:
  • Data processed for public interest or official authority
  • Paper records

10.7 Right to Object

Objection to Direct Marketing: You have an absolute right to object to processing for direct marketing purposes at any time. We will stop processing your data for marketing immediately upon request.

How to opt-out:

  • Click "unsubscribe" in marketing emails
  • Update preferences in your account settings
  • Contact privacy@getzeal.io
  • Reply "STOP" to SMS messagesObjection to Processing Based on Legitimate Interests: You may object to processing based on legitimate interests (including data monetization). We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, or we need the data for legal claims.

10.8 Rights Related to Automated Decision-Making

We do not currently use automated decision-making that produces legal or similarly significant effects on you. If we do so in the future, you will have the right to:

  • Obtain human intervention
  • Express your point of view
  • Contest the decision

10.9 Exercising Your Rights

To exercise any of your rights:

Email: privacy@getzeal.io Post: Data Protection Officer, Zeal IO Ltd., 85 Great Portland Street, First Floor, London, W1W 7LT, United Kingdom

What we need from you:

  • Sufficient information to identify you (to protect your privacy)
  • Specific details of your request
  • Proof of identity (if requested)Response time: Within one month (may be extended by two months for complex requests—we'll inform you if we need more time)

No fee: In most cases, unless the request is manifestly unfounded or excessive

11. COOKIES AND SIMILAR TECHNOLOGIES

11.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website or use our applications. They help us provide and improve our services.

11.2 Types of Cookies We Use

Strictly Necessary Cookies:

  • Essential for website operation
  • Enable security features and authentication
  • Cannot be disabled
  • Legal basis: Legitimate interests (essential for website functionality)Performance Cookies:
  • Collect information about how you use our services
  • Help us improve website performance and user experience
  • Examples: Google Analytics
  • Legal basis: Consent (required for non-essential analytics)Functionality Cookies:
  • Remember your preferences and settings
  • Enable personalized features
  • Examples: Language preferences, dashboard customization
  • Legal basis: ConsentMarketing Cookies:
  • Track your activity across websites
  • Enable targeted advertising
  • Measure advertising effectiveness
  • Examples: Google Ads, Facebook Pixel
  • Legal basis: Consent

11.3 Managing Cookies

Cookie Banner: When you first visit our website, we'll show you a cookie banner allowing you to accept or reject non-essential cookies.

Browser Settings: You can control cookies through your browser settings:

  • Chrome: Settings > Privacy and Security > Cookies
  • Firefox: Preferences > Privacy & Security > Cookies
  • Safari: Preferences > Privacy > Cookies
  • Edge: Settings > Cookies and site permissionsCookie Preference Center: You can update your cookie preferences at any time by clicking the "Cookie Settings" link in our website footer.

Note: Disabling essential cookies may prevent you from using certain features of our services.

11.4 Third-Party Cookies

Some cookies are placed by third parties (e.g., analytics providers, advertising platforms). We do not control these cookies. Please review the privacy policies of these third parties for more information.

11.5 Other Tracking Technologies

We also use similar technologies such as:

  • Web beacons (pixels): Small graphics in emails to track opens and clicks
  • Local storage: Storing data in your browser for performance purposes
  • Device fingerprinting: Collecting device information for fraud prevention

12. CHILDREN'S PRIVACY

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16.

For Consumers: Our loyalty programs and consumer-facing services are intended for individuals aged 16 and over.

For Merchants: If you are under 18, you must have parental or guardian consent to use our merchant services. We recommend that businesses using our services have appropriate policies for handling transactions involving minors.

If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information as soon as possible.

If you believe we have collected data from a child, please contact us immediately at privacy@getzeal.io.

13. MARKETING COMMUNICATIONS

13.1 Types of Marketing

We may send you marketing communications about:

  • New features and product updates
  • Industry insights and best practices
  • Webinars, events, and training
  • Special offers and promotions
  • Company news and updates

13.2 Legal Basis

We send marketing communications based on:

  • Consent: Where you have explicitly opted in to receive marketing
  • Legitimate Interests: For existing customers, where we have a legitimate interest (soft opt-in), provided you can easily opt out
  • Contract: Service-related communications about your account

13.3 Opt-Out Rights

You can opt out of marketing at any time:

  • Click "unsubscribe" in email footers
  • Reply "STOP" to SMS messages
  • Update preferences in your account dashboard
  • Contact privacy@getzeal.io
  • Contact our customer supportService Communications: You cannot opt out of essential service communications (e.g., account notifications, security alerts, billing updates) while using our services.

13.4 Frequency

We respect your inbox and will not overwhelm you with emails. Typical frequency:

  • Product updates: Monthly
  • Industry insights: Bi-weekly
  • Promotional offers: As appropriate
  • Event invitations: As scheduled

14. THIRD-PARTY LINKS AND SERVICES

Our website and services may contain links to third-party websites, applications, or services that are not operated by us.

We are not responsible for:

  • The privacy practices of third parties
  • The content of third-party websites
  • Any data you provide to third partiesBefore providing personal data to third parties:
  • Review their privacy policies
  • Understand how they will use your data
  • Ensure you're comfortable with their practicesExamples of third-party services we may link to:
  • Payment processing partners
  • Social media platforms
  • Industry resources and publications
  • Partner websites

15. DATA PROTECTION IMPACT ASSESSMENTS

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risks to individuals' rights and freedoms.

When we conduct DPIAs:

  • Large-scale systematic monitoring
  • Processing special categories of data
  • Data monetization involving sensitive information
  • New technologies or innovative uses of data
  • Automated decision-making with significant effects
  • Large-scale processing of children's dataWhat our DPIAs include:
  • Description of processing operations
  • Assessment of necessity and proportionality
  • Identification of risks to individuals
  • Measures to address and mitigate risks
  • Consultation with Data Protection Officer
  • Review and approval proceduresWe maintain records of all DPIAs and review them regularly.

16. YOUR CALIFORNIA PRIVACY RIGHTS (CCPA)

While we are a UK-based company, we recognize the rights of California residents under the California Consumer Privacy Act (CCPA).

16.1 Categories of Personal Information

We collect the categories of personal information described in Section 3 of this policy.

16.2 Your CCPA Rights

California residents have the right to:

  • Know: Request disclosure of personal information collected, sold, or disclosed
  • Delete: Request deletion of personal information
  • Opt-Out: Opt out of the "sale" of personal information
  • Non-Discrimination: Not receive discriminatory treatment for exercising CCPA rights

16.3 Sale of Personal Information

Under CCPA, "sale" includes sharing personal information for monetary or other valuable consideration. Our data monetization activities may constitute "sales" under this definition.

Your Right to Opt-Out: California residents can opt out of data sales by:

  • Visiting our "Do Not Sell My Personal Information" page
  • Emailing privacy@getzeal.io with "CCPA Opt-Out" in the subject

16.4 Exercising CCPA Rights

To exercise your CCPA rights:

Response Time: Within 45 days (may be extended by 45 days for complex requests)

Authorized Agents: You may designate an authorized agent to make requests on your behalf. We will require proof of authorization.

17. SPECIFIC INFORMATION FOR DIFFERENT USERS

17.1 For Merchants

What makes you unique:

  • You have a direct contractual relationship with us
  • You control the merchant dashboard account
  • You can access, update, and delete most of your data through the dashboard
  • You receive detailed transaction and business analytics
  • Your data is monetized, and your payment provider partner receives a revenue shareKey points:
  • Review and accept our Terms of Service alongside this Privacy Policy
  • Ensure your own privacy policy covers data collection at your premises
  • Comply with PCI DSS and data protection requirements for your business
  • Notify us of any data breaches affecting consumer data
  • Update your information promptly when it changes

17.2 For Consumers

What makes you unique:

  • You interact with our services through merchant locations
  • Your transaction data is collected automatically during purchases
  • Your participation in loyalty programs is optional
  • Your data may be anonymized and used for analytics and data monetizationKey points:
  • You can opt out of loyalty programs at any time
  • You control whether your data can be used for data monetization purposes
  • Your payment card data is tokenized (we never see full card numbers)
  • You can request details of transactions we've recorded
  • Anonymized data may still be used after you opt outHow to identify Zeal at merchant locations:
  • Look for Zeal branding on POS terminals
  • Check for notices about loyalty programs
  • Ask merchant staff about loyalty and data practices
  • Review merchants' privacy policies

17.3 For Payment Service Providers

What makes you unique:

  • You have a commercial partnership agreement with us
  • You refer merchants to our platform
  • You receive compensation and data monetization revenue share
  • You access the Partner PortalKey points:
  • You must obtain proper merchant consents before referring merchants
  • You're responsible for data protection compliance in your merchant relationships
  • You have audit rights regarding data monetization calculations
  • Your access to merchant data is limited and controlled
  • You must maintain confidentiality of commercial terms

18. DATA PROTECTION BY DESIGN AND BY DEFAULT

We implement data protection by design and by default in all our processing activities:

Privacy by Design:

  • Privacy considerations from the earliest design stages
  • Privacy impact assessments for new projects
  • Security controls built into systems and processes
  • Regular security testing and auditsPrivacy by Default:
  • Minimal data collection by default
  • Strongest privacy settings by default
  • No personal data processed beyond what's necessary
  • Automatic deletion of data when no longer needed
  • Pseudonymization and anonymization where possible

19. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

General Privacy Inquiries: Email: privacy@getzeal.io Post: Data Protection Officer, Zeal IO Ltd., 85 Great Portland Street, First Floor, London, W1W 7LT, United Kingdom

Merchant Support: Email: support@getzeal.io

Payment Provider Support: Email: partners@getzeal.io

Legal Department: Email: legal@getzeal.io

Response Time: We aim to respond to all privacy inquiries within 5 business days.

20. COMPLAINTS

If you're not satisfied with how we've handled your personal data or responded to your concerns, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO) Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF United Kingdom

Phone: 0303 123 1113 Website: www.ico.org.uk Online reporting: https://ico.org.uk/make-a-complaint/

Before contacting the ICO: We encourage you to contact us first at privacy@getzeal.io so we can try to resolve your concerns directly.

21. UPDATES TO THIS POLICY

Version History:

Version Date Key Changes
1.0 October 15, 2025 Initial policy

We will update this section whenever we make material changes to this Privacy Policy.

By using our services, you acknowledge that you have read and understood this Privacy Policy.

END OF PRIVACY POLICY

This Privacy Policy was last updated on October 15, 2025 and is effective as of October 15, 2025.