MHA Cares for You Privacy Statement
Reward Gateway (UK) Ltd ("we", "us" or "our") is committed to protecting and respecting your privacy.
We will be the Data Controller of your personal data which you provide to us or which is collected by us via MHA Cares for You. This means that we are responsible for deciding how we hold and use personal information about you and that we are required to notify you of the information contained in this Privacy Statement ("Statement"). It is important that you read this Statement so that you are aware of how and why we are using your personal information and how we will treat it.
We have appointed a Data Protection Team, who can be contacted using the details at the end of this Notice should you have any questions, complaints or feedback about your privacy.
The Type of Information We Collect From You and How We Use It
We will collect various types of personal information from you when you use MHA Cares for You, depending on the services which you use. Further details of how we use your personal data are set out below.
In this section, we have indicated with asterisks whether we need to process your personal data:
- * to enter into and/or to perform our contract with you to provide the services via MHA Cares for You;
- ** to pursue legitimate interests of our own or of third parties, provided that your interests and fundamental rights do not override those interests;
- *** to enable us to comply with our legal obligations; and/or
- **** with your consent.
Before you register
Before you register on MHA Cares for You, to allow us to carry out our eligibility checks* we will ask the administrator to provide two pieces of information about you (such as your postcode, payroll ID, start date or date of birth).
The administrator will provide your Payroll number and Date of Birth to us to allow us to establish that you are eligible to register on MHA Cares for You**.
The administrator will sometimes also provide the information necessary to allow us to conduct National Minimum Wage and Basic Earnings assessments automatically on their behalf when we are required to do so***/** (see When you enter into a salary deduction agreement with the administrator section below for more details).
When you register
In addition to the personal data provided to us by the administrator, when you register on MHA Cares for You we’ll also collect and store some personal information about you, such as your name, company identifier, email address, password, postcode, contact telephone number, gender and date of birth. At the administrator’s choice, we may also collect additional information about you such as your office location.
You will also need to provide the information necessary to allow us to carry out our eligibility check (which will vary dependent on the information provided by the administrator, see above).
This information will be used in order to complete your registration and to allow you to use MHA Cares for You*. You will not be able to register without at least providing your name, email address, password and postcode or date of birth, as these are used to secure your account and to allow us to confirm your identity if you contact the support team. Your date of birth is also used to confirm your identity if you contact the support team*.
When you login
Each time you log in to MHA Cares for You, we automatically conduct checks against your Internet Protocol (IP) address to ensure your security. This includes looking up your IP address against a “proxy blacklist” to check that someone is not using your credentials and trying to hide their location**. This proxy blacklist is operated by MaxMind, Inc. If your IP address appears on it, we will not permit the login.
We also look up the IP address in a static database we download from MaxMind Inc. to check which country the IP is affiliated with. This helps us to further protect your account against people who may have access to your credentials**. If we do spot a change, we’ll alert you and ask you to confirm your login in order to verify your identity before continuing.
This information along with time and event data (such as successful or failed logins) are also recorded in our database for audit purposes**.
Depending on the services you use on MHA Cares for You, we may collect and process additional personal data about you, as set out below.
When you use Cashback
If you visit a Cashback retailer on MHA Cares for You, we will record that you clicked and visited their site for the purpose of tracking the Cashback earned*. Each of these retailers are independent on MHA Cares for You so you should check their privacy terms to make sure you are happy with them before providing any other details to them.
If you have a problem with the retailer and your Cashback, we may need to provide them with additional information about your order to help**. We will ask you for the minimum information we need to do this, but you will be responsible for the accuracy and level of detail it contains.
When you withdraw your Cashback
If you make a request for a Cashback withdrawals to your bank account, you will need to provide your bank details for us to process the withdrawal but we will only store your bank details until the withdrawal is processed*. They will be shared with our bank, HSBC, to process your request after which all the details will be destroyed.
Alternatively you will be able to withdraw your Cashback as part or full payment for goods on MHA Cares for You or ask us to donate it to the nominated charity on MHA Cares for You*.
When you make a debit or credit card purchase
If you choose to purchase goods using a credit or debit card through MHA Cares for You, we will collect your payment details from you and pass them to Cybersource and/or Checkout.com, our secure payment processors, who will use them to process the payment*. We do not store or process your credit or debit details on our servers.
We will also collect your delivery address from you, and use the contact details previously provided, to allow us to process the order*.
If you opt-in to saving your credit or debit details for future use on MHA Cares for You, your information will be stored securely by our payment processor. You can update or remove these at any time.
Where goods are dispatched by a third-party supplier, we may need to share your information with them to fulfil your order, such as your contact details and delivery address*. This will be clearly indicated to you at the point of purchase. You will be able to review these suppliers’ privacy terms before any information is shared with them.
We will also carry out a fraud check during the order process. This check is carried out by our third party provider, Sift Science (“Sift Science”)**. Sift Science will only act in accordance with our instructions and how they will process your personal data is set out below.
Sift Science will collect information about your behaviour on the programme (such as the length of time between logging in and reaching checkout), technical information about the device used (such as your browser version and IP address) and the details you enter at checkout (such as your contact details and delivery and billing address).
After you have placed your order and before goods are dispatched, Sift Science will use this information to provide us with a score based on the likelihood of fraud. The score provided determines whether your order is automatically accepted by us or queued for our human review. If it is queued for human review, we will carry out a manual fraud check to decide whether to accept or refuse your order or, in some circumstances, require payment to be made by an alternative, more secure mechanism such as a bank transfer. For more information about this processing activity, please contact us using the details provided at the end of this Policy in the “Contacting Us” section.
After too many failed orders
If too many failed orders originate from your account, we will automatically restrict access to your account. Before allowing you to access your MHA Cares for You account again, we will notify you and ask you for further supporting documents such as your driving licence, council tax bill or statement, bank or credit card statement, utilities bill or payslip, as evidence that it is you attempting these orders**. If these documents are not to our satisfaction, we may contact the administrator with the intention of verifying that it is you using your account in this way**.
These supporting documents will only be used for the purpose of verifying your identity, will not be shared with any third parties and will only be retained by us until we have reviewed them, even if we are not satisfied with their legitimacy or authenticity.
You do not need to provide these supporting documents to us but, if you choose not to, then we will not be able to provide you with access to your MHA Cares for You account.
When you enter into a salary deduction agreement with the administrator
If you choose to purchase goods through MHA Cares for You and enter into a salary deduction agreement with the administrator, such as Childcare Vouchers, Cycle to Work, Smart Tech or Holiday Trading, we will collect your name, address, IP address, browser details, payroll information, and deduction amount. This information will be provided to the administrator as proof of your electronic signature of the salary deduction agreement and to enable them to administer the deduction and pay us for the goods on your behalf*.
Additionally, if the administrator has provided us with the information necessary such as your payroll and salary information (see National minimum wage and national living wage for more details), we’ll use this information to conduct the National Minimum Wage check on their behalf in line with the parameters they have provided***. The employer is legally obliged to conduct such as check.
If they have not provided us with this information, we’ll ask you to provide it instead.
If the administrator provided us with the information necessary to conduct the National Minimum Wage check, we will conduct the check and automatically approve or forward your application for salary sacrifice benefits to them for review. For more information about this processing activity, please contact us using the details provided at the end of this Policy in the “Contacting Us” section.
If you provide us with the information necessary to conduct the National Minimum Wage check, then we will conduct the check but the results of all checks will be forwarded for review by the administrator before your application is approved or rejected. If you are not eligible, you can contest the assessment with the administrator.
You will not be able to purchase goods through MHA Cares for You via a salary deduction agreement unless you or the administrator provide this information to us.
We will also provide the information necessary to the relevant third party benefit provider (see the Disclosures of Your Information section) to allow them to provide the benefit to you. This information will vary by benefit provider but will usually contain at least your name and application amount.
Special Information for Cycle to Work
When you use Cycle to Work to purchase a bike and/or safety equipment, in addition to processing your personal data as set out in the ‘When you enter into a salary deduction agreement with the administrator’ section above, we will also process your personal data as set out below.
At the end of the Hire Period, when you have finished paying via the salary deduction agreement, the administrator cannot simply give you the equipment as this may turn the purchase into a benefit in kind. Instead you will be offered, depending on the administrator, either to make a final payment through a P11D or to continue the agreement with our chosen supplier until the equipment has no residual value (you can read more about this in the Employment Income Manual - see Employment Income Manual.)
If the administrator has selected to allow you to continue the agreement, your application details, including your name, email address, telephone number, and postal address must be transferred to our supplier*. We will contact you about this process.
Special information for Childcare Vouchers
When you enter in to a salary deduction agreement with the administrator for Childcare Vouchers, in addition to processing your personal data as set out in the ‘When you enter into a salary deduction agreement with the administrator’ section above, we will also process your personal data as set out below.
We are under a statutory obligation to conduct an ongoing eligibility check on you based on the age of your youngest child*** and we will require you to provide their date of birth for us to carry out that check. This information is only used to perform this check and to remind you when they enter their last school year that your eligibility is coming to an end.
Additionally, if the administrator has provided us with the information necessary such as your payroll and salary information (see Employer-supported Childcare - guidance and FAQs for employers for more details), we’ll use this information to conduct a Basic Earnings Assessment check on their behalf***. The employer is legally obliged to conduct such a check.
If the employer provided us with the information necessary to conduct the Basic Earning Assessments check, we will conduct the check and automatically approve or forward your application for Childcare Vouchers for review by the administrator. For more information about this processing activity, please contact us using the details provided at the end of this Policy in the “Contacting Us” section.
If you provide us with the information necessary to conduct the Basic Earning Assessments check instead, then we will conduct the check but the results of all checks will be forwarded for review by the administrator before your application is approved or rejected.
You will not be able to purchase Childcare Vouchers through MHA Cares for You via a salary deduction agreement unless you or the administrator provide this information to us.
When you take out a gym subscription
If you decide to purchase a gym subscription through MHA Cares for You, we will ask for your credit card information and bank account details. These are used to:
- Take the first month’s payment on behalf of your gym and pay them ourselves*.
- Allow your chosen gym to set up a Direct Debit using the bank details you provide for all future payments after the first month*. We will pass your bank details directly to the gym to allow them to set up the Direct Debit.
We will also ask for you to confirm your name, email address, date of birth, phone number and home address. This will be provided to your chosen gym supplier so that they can establish your membership and recognise you when you first visit*.
If you ask us to process your request through a salary sacrifice arrangement, we will conduct a National Minimum Wage check (as explained above) before accepting your application. We will not need to collect your credit card information and bank account details in those circumstances.
When you take out a Healthcare Cashplan
If you decide to purchase a Healthcare Cashplan through MHA Cares for You, we will ask for your bank account details. These are used to allow our Healthcare Cashplan provider to set up a Direct Debit for all future payments*. We will pass your bank details directly to the provider to allow them to set up the Direct Debit. We will also provide the Healthcare Cashplan provider with your name, telephone number, date of birth, gender, details of any existing medical conditions and selected plan (and your partner’s if you choose this option) to allow them to provide the benefit to you.
When you send an eCard or when you make a nomination
If you ask us to send an eCard, you will need to provide us with the name of the person you are sending the eCard to (“the recipient”). If the recipient has already registered on MHA Cares for You, we will send the eCard on your behalf to their registered email address****.
If they have not already registered, you will also need to provide an email address which we will send the eCard on your behalf to****. The recipient will be asked to confirm that they have read and understood this Privacy Statement and agree to our Terms & Conditions before being able to view your message.
You must have the consent of the recipient to give us their name and, if applicable, email address and also any personal information you disclose in your message to them. This information will also be disclosed to the administrator for the purposes of performance management.
When you write a blog or comment / react to content
When you write a blog or comment / react to content on the site, we will collect your name and any other personal information you choose to share via your blog or comment**. This information will be visible to us and other users of the programme but will not be used for any other purpose.
When you contact us
If you contact us for support purposes, we will require some information to handle your query. Where possible, this activity will be linked to your account but this depends on the method you choose:
By calling our helpline
When you call our helpline we will collect:
- your name, date of birth and postcode for the purpose of verifying your identity**;
- any other personal information you provide to us for the purpose of dealing with your query*; and
- Calling Line Identification (CLI) information which we use to help improve our efficiency and effectiveness**.
- recordings for the purposes of training, quality checking and dealing with any disputes that arise**.
By emailing us
Any email sent to us, including any attachments, will be used by us:
- for reasons of security and for monitoring compliance with company Statement**;
- to verify your identity**; and
- to provide any assistance you have requested to you*.
By using our LiveChat service
We use a third party provider, LiveChat Inc, to supply and support our LiveChat service, which we use to handle customer enquiries in real time.
If you use the LiveChat service we will collect your name, email address (optional) and the contents of your LiveChat session.
These details will be used to verify your identity**, handle your enquiry*, for training and quality checking purposes** and to deal with any disputes that arise**.
You can request a transcript of your LiveChat session if you provide your email address at the start of your session or when prompted at the end.
When you visit MHA Cares for You
When you visit our MHA Cares for You we will automatically collect information about your visit such as the pages you viewed, offers or services you viewed or searched for, length of visits to certain pages, the times and dates of these actions, details of page response times and any download errors that occurred.
We will also collect data from the device and application that you use to access our services, including your IP address (from which we may infer your geographic location), login information and browser type.
If you arrive at our website from an external source (such as a link on another website or in an email) we record information about that source.
We will use the above information in order to:
- to administer MHA Cares for You and for internal operations, including troubleshooting, data analysis (including analysing the use of the various services available on MHA Cares for You and measuring their popularity and effectiveness), testing, research, statistical and survey purposes, and to comply with our legal obligations**/***;
- to improve MHA Cares for You to ensure that content is presented in the most effective manner for you and for your computer / device**;
- as part of our efforts to keep MHA Cares for You safe and secure to comply with our legal obligations**/***;
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you. We, or our third party advertisers, may use your age or gender to determine whether advertising is relevant to you**; and
- to make suggestions and recommendations to you and other users of MHA Cares for You about goods or services that may interest you or them**/****.
Other information and uses
We will also collect the personal data you provide when you use MHA Cares for You:
- To provide you with our newsletter and with information about other third party benefits we offer that are similar to those you have already used or enquired about or that we feel may interest you****/**.
- To notify you about changes (permanent or temporary) to our service*.
- To ensure that content from our website is presented in the most effective manner for you and your computer*.
- To administer our website and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes, and as part of our efforts to keep our website safe and secure**.
Information we receive from other sources
We will combine information we receive from other sources (as set out in this Statement) with information you give to us. We will use this information and the combined information for the purposes set out in this Statement (depending upon the services you access).
Change of Purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and permitted under data protection laws. If we need to use your personal information for an unrelated purpose, in most cases we will notify you and we will explain the legal basis which allows us to do so.
Disclosures of Your Information
We use service providers to help us to provide the MHA Cares for You, such as data storage providers, marketing email providers, analysis providers and benefit providers:
- The Bunker Ultra Secure Ltd., a managed IT infrastructure & support provider;
- Emailcenter UK, a transactional and bulk email gateway;
- Google Inc., a web analytics tool;
- FullStory Inc., an analytics service provider;
- SessionCam Ltd., an analytics service provider;
- New Relic Inc., a performance measurement tool;
- Twilio Inc., a SMS / text-messaging gateway;
- Formstack, LLC, a configurable data-capture provider;
- Rackspace Inc., a email inbox provider;
- Atlassian Pty Ltd., a ticketing system for our internal teams;
Depending on the service you request, we may also share your personal information with childcare providers, gym providers, voucher providers and Cashback retailers, who may change from time to time, to the extent necessary to provide the services to you. You will be informed of this at the time you decide to take the service.
We also share your personal information with:
Because the administrator pays us to operate MHA Cares for You for you, they’ll want to know how the site is performing. Except as set out elsewhere in this Statement, we’ll only share information with the administrator on an aggregated and anonymous basis about how often you’ve used the site and what services you used. We will not share information with the administrator about how much you’ve spent, where you shop, and how much you’ve saved as an individual, as we treat this as confidential.
Our Internal Teams and Prospective Retailers
We also use information about you on an aggregated and anonymised basis for internal management purposes, to, share it with current or prospective retailers and to use it to target offers that are made to users of MHA Cares for You. This type of information includes, for example, the types of product that you purchase and the value of those purchases. However, you can’t be identified from this information.
Members of our Group
We share personal information with members of our group for the purposes of providing the benefits to you and managing our business: RG Engagement Group Ltd, Reward Gateway Pty Ltd, Reward Gateway (USA) Inc, Reward Gateway (UK) Ltd Branch, SEO Reward Gateway DOOEL Skopje, International Benefits Holdings Ltd., Asperity Employee Benefits Group Ltd
We will also disclose your personal information to third parties:
- in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets;
- if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets; and/or
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions and other agreements; or to protect the rights, property, or safety of us, our users, customers and providers. This will include sharing your information as part of a legal or official investigation if we have evidence or reason to suspect that purchases on your account could be fraudulent.
International Transfers of Your Personal Data
A number of the service providers listed above are based outside the European Economic Area and your personal information may therefore be transferred to or accessed from outside of the European Economic Area.
Twilio, Sift Science, FullStory, MaxMind Inc, Salesforce, Formstack LLC, New Relic Inc and Google Inc are all based outside of the European Economic Area, meaning that they are not governed by European data protection laws. However, all of these providers are certified under the EU-U.S. Privacy Shield Framework which means they are required to protect your personal information in accordance with the Privacy Shield Framework.
You can view their certifications at www.privacyshield.gov.
Data protection laws provide you with the following rights to:
- request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
- request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
- request the restriction of processing of your personal information, for example if you want to establish its accuracy or the reason for processing it; and
- request the transfer of your personal information to another party.
You also have the right to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We or the administrator may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Where we rely on your consent to process your personal data, for example in relation to any direct marketing we provide to you, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent in relation to direct marketing, please contact us using any of the details set out below in the “Contacting Us” section or change your preferences in the “My Account” section of MHA Cares for You.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.
Please note that as the administrator may store other information from your use of this service, you should also contact them directly if you would like to exercise your rights in relation to the data held by them.
Updating Your information
It is important that the personal information we hold about you is accurate and current. Please keep your records on MHA Cares for You up-to-date. If you wish to update or amend your personally identifiable information or data you may do so by making the change within your account once logged in or by contacting our Helpdesk. We will respond to your request within 5 working days.
Storage of your information
Unless we need to keep your data for legal purposes, we will only retain your personal information for 60 days after the administrator lets us know you no longer work for them or they decide to use a different service.
If you do not use your account or our services for 22 months consecutively we will only retain your perform data for 60 days after giving you notice that your data will be deleted. During this 60 day period you will only have limited access to your account and be able to withdraw any funds you have accrued (see our Terms & Conditions.)
The legal purposes for which we may need to retain your data for include:
- retaining payment records for one year to comply with PCI DSS regulations;
- retaining backups for up-to 180 days after deprovisioning; and
- retaining your order history for two years from the date of your order in case of a dispute.
We may also retain anonymised data about you for longer periods for integrity and financial reporting purposes.
Recordings of calls are retained for 40 days and chat transcripts are retained for 90 days.
We take the security and confidentiality of your personal information very seriously. We will use strict procedures and security features to aim at preventing unauthorised access, such as being ISO 27001 and ISMS certified, access controls, penetration testing, the use of encryption and hashing and robust physical security controls. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our MHA Cares for You; any transmission is at your own risk.
Changes to our Privacy Statement
Any changes we make to our Statement in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Statement.
If you have any queries, comments or requests regarding this Statement, or you would like to exercise any of your rights set out above, or contact our Data Protection Team, you can contact us in the following ways:
- by email at email@example.com or;
- by post at Reward Gateway (UK) Ltd, 265 Tottenham Court Road, London, W1T 7RQ.