Privacy Policy

We, The Right Fuel Card (‘RFC’), respect your privacy and are committed to protecting your personal data. This Privacy Policy (‘Policy’) outlines how RFC processes your personal data when you visit our website (Fuel Cards | Efficient Solutions for Your Business (rightfuelcard.co.uk)) (‘Website’), purchase a product or subscribe to our services (altogether ‘Services’).

This Policy explains RFC’s approach to any Personal Data that we might collect from you, or which we have obtained about you from a third party, and the purpose for which we process your Personal Data in our capacity as a Controller. It also describes your rights in respect of our processing of your Personal Data.

We process Personal Data in the countries in which we are established, including the United Kingdom and the European Economic Area (‘EEA’), and in other countries where third parties that we may use are based.

While processing the Personal Data we comply with the principles and rules of the UK GDPR.

When we transfer Personal Data to a third party while RFC is acting as a controller, we bear full responsibility for ensuring that the third party’s processing as a processor takes place under the GDPR principles. RFC shall remain liable under the GDPR Principles if its processors process Personal Data in a manner inconsistent with the GDPR Principles, unless RFC proves that it is not responsible for the event giving rise to the damage.

This Notice only applies to the use of your Personal Data by us or on our behalf; it does not apply to:

  • Personal Data collected by third parties during your communications / dealings with those third parties or your use of their products or services (for example, where you allow links to third party websites over which we have no control).
  • Personal Data processed, stored, or hosted by us when we act as a Processor on behalf of our customers in the course of providing our Services, in which case the privacy statement of the relevant Customer will apply, and our data processing agreement with such Customer will govern our processing of your Personal Data.

In this Policy, the terms ‘Commission’, ‘cross-border transfer’, ‘data breach’, ‘(data) controller’, ‘(data) processor’, ‘data subject’, ‘(personal) data’, ‘processing’ and ‘supervisory authority’ shall have the meaning attributed under GDPR.

The terms below shall have the following meaning when used in this Policy:

  • Cookie Policy: Our Website cookie policy, available here
  • DPO: Data Protection Officer
  • EEA: European Economic Area
  • EU: European Union
  • GDPR: General Data Protection Regulation of the EU, No 2016/679
  • Group: Edenred group to which RFC belongs
  • RFC: The Right Fuelcard Company including its affiliates and subsidiaries
  • Terms and Conditions: Our online terms and conditions in their latest published version, available here
  • We, our, us: RFC
  • Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller
  • UK: The United Kingdom
  • Website: Fuel Cards | Efficient Solutions for Your Business (rightfuelcard.co.uk)

Who are we?

RFC is based in the UK. Our parent company, Edenred, is based in France with subsidiaries worldwide, and limited personal data may be accessed from those locations too. In both cases, the personal data used in those locations is protected by UK and European data protection standards.

RFC acts as a data controller for your personal data and has appointed a DPO, who can be contacted at:

The Right Fuelcard Company
DPO
One The Embankment,
Neville Street,
Leeds,
LS1 4DW

data@rightfuelcard.co.uk or via this form

What personal data does RFC collect and who do we collect personal data about?

We only collect the following personal data of a professional nature (as our Services are solely intended for businesses):

Purpose: To apply for fuelcards
Type of Data:
  • Identity of contact person (full name, title, email, signature, date of birth)
  • Contact (telephone numbers, email, preferences)
  • Company details (legal name, registered and billing address, registration number, type)
  • Fleet information (fuelcards, type, mileage, vehicle registration, drivers’ names)
  • Company banking details
Legal Basis: Performance of a contract (our Terms and Conditions)

Purpose: For fraud prevention and risk control
Type of Data:
  • Proof of identity and address
  • Creditworthiness (balance sheets, credit checks)
  • Debt recovery tracing
Legal Basis: Our legitimate interests (to control our financial risks)

Purpose: For payment collection
Type of Data:
  • Identity
  • Contact details
  • Company banking details
  • Transaction details (drawings)
  • Company information
Legal Basis: Performance of a contract (our Terms and Conditions)

Purpose: To provide you with necessary information (i.e. about policies or legal changes)
Type of Data:
  • Identity
  • Contact
  • Customer profile (active / inactive)
Legal Basis: Performance of our legal or contractual obligation (to inform you)

Purpose: For review and survey
Type of Data:
  • Identity
  • Contact details
  • Review or feedback message content
Legal Basis: Our legitimate interest (to improve our services, offers and customer experience)

Purpose: To partake in prize draw or competition
Type of Data:
  • Identity
  • Contact
  • Customer profile
  • Services use
  • Transaction
  • Marketing preferences
Legal Basis:
  • Our legitimate interest (to offer you the opportunity to join in)
  • Your consent (your marketing preferences)

Purpose: For our Website administration and security
Type of Data:
  • Digital data (credentials, IP addresses, website interactions)
  • Technical data (incidents, support requests, etc)
Legal Basis: Our legitimate interests (to secure our Website and provide you with technical support)

Purpose: To personalise our Website’s content and advertisements
Type of Data:
  • Digital data (analytics, browsing, interests, IP addresses or credentials)
  • Technical data
  • Marketing preferences
Legal Basis:
  • Our legitimate interests (to improve customer experience and offer you personalised content)
  • Your consent (see our Cookie Policy)

Purpose: To improve our Website
Type of Data:
  • Technical data
  • Website usage
Legal Basis:
  • Our legitimate interests (to improve our Website)
  • Your consent (see our Cookie Policy)

Purpose: To send you offers
Type of Data:
  • Identity
  • Contact
  • Technical data
  • Usage data
  • Customer profile
Legal Basis:
  • Our legitimate interests (to develop our business)
  • Your consent (opt-in, absence of opt-out or soft opt-in)

Purpose: To access and manage your account
Type of Data:
  • Identity
  • Contact
  • Registration and login dates
  • Account information
  • Balances
  • Transaction data (statement history, drawings, balance)
  • Invoicing data (invoices, billing address)
Legal Basis: Performance of a contract (our Terms and Conditions)

Purpose: To contact us
Type of Data:
  • Identity
  • Email
  • Account number if any
  • Enquiry type and content
  • Any attachments you may submit
Legal Basis:
  • Your consent (to this Privacy Policy)
  • Our legitimate interest (to address your enquiry)


What if you fail to provide personal data?

Please note that where we need to collect personal data by law or contract and you fail to provide the necessary data, we will not be able to provide you with our services and products, without liability or cost to us. It is essential that you ensure that your personal data is accurate and current. Please keep us informed of any change by clicking here.

How is your personal data collected?

We collect data from and about you through different methods:

  • Direct interactions - when you apply for our Services, subscribe to marketing communications, etc.
  • Automated technologies or interactions - when you interact with our Website.
  • Third parties or publicly available sources - financial data from providers, identity data from Companies House.


How do we use your personal data and what legal basis do we rely on?

The UK’s data protection laws allow the use of personal data where its purpose is legitimate and is not outweighed by the interests, fundamental rights or freedoms of data subjects. The law calls this the Legitimate Interests condition for personal data processing. The Legitimate Interests being pursued by RFC are:

  • To validate that an identity exists and verify that an individual presenting an identity is the true owner of that identity.
  • Verifying that information, such as age, residency, address history and financial details supplied, is accurate.
  • Detecting and preventing criminal activity, fraud and money laundering.
  • Profiling, statistical analysis, and fraud detection and prevention.
  • Other purposes where you have given your consent or where required / permitted by law.

In addition, RFC may obtain your consent to contact you regarding new products, or other marketing activities.

The use of personal data is subject to an extensive framework of safeguards that balance the legitimate interests set out above with the fundamental rights and freedoms of the people whose data is used and shared. The framework includes information given to people about how their personal data will be used and how they can exercise their rights to obtain their personal data, have it corrected, erased, or restricted, object to it being processed and complain if they are dissatisfied. It also includes extensive due diligence checks on clients, robust contractual arrangements, and internal data management processes. These safeguards help to sustain a fair and appropriate balance and to protect the rights and freedoms of individuals.

Legal obligations

In some circumstances we are required by law to use or share personal data in particular ways. This happens, for example, when a court, law enforcement agency or regulator makes a legally binding request or order for disclosure of personal data. It also happens if you choose to exercise your rights, for example by requesting a copy of your own personal data from us.


With whom do we share personal data?

  • Processors, where RFC uses other organisations to perform tasks on its behalf (e.g. Fuel Suppliers, IT service providers, fulfilment providers). You are entitled to request a list of the processors used by RFC. We have listed these in the section entitled Who are the recipients of your data? below.
  • Joint Controllers such as Fraud Prevention Agencies and Third-Party ID&F Solution Providers. You are entitled to request a list of the Joint Controllers used by RFC. You can find out how to do this below.
  • Public bodies, law enforcement and regulators where there is a legal basis.
  • Individuals. People are entitled to obtain copies of the personal data RFC holds about them. You can find out how to do this below.

How does RFC keep personal data secure?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used, or accessed in an unauthorised way. Only recipients with a need-to-know (according to the above-mentioned purposes) may access your data and are subject to confidentiality undertakings.

Who are the recipients of your data?

We may need to share your data internally (to affiliates and subsidiaries as well as with other entities of the Group) and externally (to third parties) with our providers and partners:

Purposes

Processors (Links to individual Privacy Policies) 

  • Communication and Document Storage
  • IT Support
  • Website tracking and analytics
  • Surveys and feedback
  • External counsel
  • Credit check, fraud prevention and cash collection*
  • Payment Solutions
  • ID verification


*For credit check, fraud prevention and cash collection: with credit reference agencies which may also share information about your settled accounts and late payments with other organisations. For more information, please click here

Our providers and partners are required to process your data solely for the purposes indicated and according to our instructions and all applicable data protection laws and to implement all necessary security measures to protect your personal data.

Sometimes we will need to send or allow access to personal data from elsewhere in the world. This might be the case, for example, when one of our processors or a client is based overseas or uses overseas data centres.

While the UK and countries in the EEA all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when we do send personal data overseas, we will make sure suitable safeguards are in place in accordance with UK data protection requirements to protect the data. For example, these safeguards might include:

  • Sending the data to a country that has been approved by UK authorities as having a suitably high standard of data protection law. Examples include the Isle of Man, Switzerland, and Canada.
  • Putting in place a contract with the recipient containing terms approved by UK authorities as providing a suitable level of protection.
  • Sending the data to an organisation which is a member of a scheme that has been approved by UK authorities as providing a suitable level of protection.


Marketing opt-out procedure

You can opt-out from marketing messages at any time by:

  • Clicking here to update your marketing preferences.
  • Following the unsubscribe links on any marketing message you receive.
  • Via this web form.
  • Contacting us at any time.

What about cookies?

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.

Retention of personal data  

  • Identifiers: Identification data like names and addresses is kept while there is a continuing need to keep it, e.g. where there are applicable financial or other legal regulations. This need will be assessed on a regular basis, and data that is no longer needed for any purposes will be disposed of.
  • Fraud Data: Records that have been confirmed as relating to fraudulent applications or accounts are retained for up to 6 years since the time of update.
  • Other Data: Other third party supplied data such as client provided applications data will be stored for a period determined by criteria such as the agreed contractual terms.
  • Archived Data: RFC may hold data in an archived form for longer than the periods described above, for things like research and development, analytics, and analysis (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for the establishment, exercise or defence of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements, and industry standards.

What are your rights and how to exercise them

You have a right:

  • of access,
  • to rectification,
  • to erasure,
  • to portability of your personal data,
  • to restrict or object to data processing,
  • not to be subject to automated decision-making, and to be notified in case of a data breach,
  • to lodge a complaint with the competent supervisory authority.


Please note however that each request will be subject to prior analysis as to its legitimacy and to prior identity verification for which we may require you to provide a proof of identity.

We may also require you to clarify your request and provide additional information.

To exercise your rights, click here to contact our DPO at data@rightfuelcard.co.uk.

To inform us about a change of address, please click here.

To update your marketing preferences, please click here.

For any other request, click on Contact.

Last Updated: 04/06/2024