Privacy & Data Protection Policy

1. Who We Are

GlobalCharge Limited (company number 06058897), registered at 9 Market Row, Saffron Walden, Essex, CB10 1HB, United Kingdom, is the data controller for personal data processed in connection with the Perkly platform.

Our designated data protection contact can be reached at privacy@globalcharge.com.

2. Data We Collect

2.1 Client Account Data

When a company applies for API access, we collect:

• Company name, registration number, VAT number, registered address
• Contact person name, job title, business email address, phone number
• Technical contact details
• Business profile information (type, use case, expected volumes)

2.2 API Usage Logs

Our servers automatically record the following with each API request:

• Timestamp and request path
• HTTP response code and latency
• Hashed API token identifier (we do not log raw tokens)
• Client IP address (used for rate limiting and fraud prevention)
• User-Agent string (where provided by the client application)

2.3 Request Body Parameters

API calls to /assets include a dob_year, mcc_codes, and client_id field. These are used transiently to select Offers and are not persisted to storage. We do not associate these parameters with any individual.

3. No End User PII Stored

The Perkly API is deliberately architected to avoid collecting personally identifiable information about End Users (cardholders). Specifically:

• We do not require or accept names, email addresses, phone numbers, or government IDs
• The client_id field is a Client-generated opaque identifier — we cannot and do not attempt to re-identify individuals from it
• Click-through tracking uses short codes that are not linked to End User identities in our database
• No cookies are set on End Users' browsers

Clients are responsible for ensuring their own use of Offer data and End User presentation complies with applicable privacy laws (including GDPR where applicable to their End Users).

4. Purpose & Legal Basis for Processing

Data	Purpose	Legal Basis
Client account data	Account management, onboarding, billing communications	Contract performance (Art. 6(1)(b))
API usage logs	Security monitoring, rate limiting, fraud prevention, debugging	Legitimate interests (Art. 6(1)(f))
Contact details	Service notifications, policy updates, support	Contract performance / Legitimate interests

5. Data Storage & International Transfers

By default, all personal data processed by GlobalCharge Limited in connection with the Perkly platform is stored on servers located in the European Union:

• Primary: Hetzner Online GmbH data centres, Nuremberg & Falkenstein (Germany)
• Secondary: Hetzner Online GmbH data centres, Helsinki (Finland)

Clients on the Scale tier may opt for infrastructure hosted outside the EEA:

• US region: Servers located in the United States (East Coast). Data transfers from the UK/EEA are covered by the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as applicable.
• SG region: Servers located in Singapore. Data transfers are covered by appropriate transfer mechanisms under UK GDPR Chapter V and the Singapore Personal Data Protection Act (PDPA).

Where international transfers occur, GlobalCharge Limited implements appropriate safeguards, including Standard Contractual Clauses or equivalent mechanisms. Clients selecting non-EU regions acknowledge that their Client account data and API logs may be processed in those jurisdictions.

6. Retention Periods

• Client account data: Retained for the duration of the contract plus 2 years after termination (for legal and audit purposes)
• API access logs: Retained for 90 days, then automatically purged
• Application data (signup forms): If your application is unsuccessful, data is deleted after 12 months

7. Third Parties

We share data with the following categories of third parties as data processors acting on our instructions:

• Hetzner Online GmbH — cloud infrastructure and object storage (EU)
• US / SG hosting providers — dedicated cloud infrastructure for Scale-tier Clients who select non-EU regions; data processing agreements in place
• Sentry — error monitoring (errors may contain request metadata; PII scrubbing enabled)

We do not sell or rent personal data to any third party for their own marketing purposes.

8. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

• Access — request a copy of the data we hold about you
• Rectification — request correction of inaccurate data
• Erasure — request deletion, subject to legal obligations
• Restriction — request that we restrict processing
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interests

To exercise any of these rights, contact us at privacy@globalcharge.com. We will respond within 30 days.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been processed unlawfully.

9. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

• TLS 1.2+ encryption in transit on all endpoints
• API credentials hashed before storage; raw tokens are never logged
• Role-based access control to internal systems
• Automated error monitoring and alerting
• Two-factor authentication required for administrative access
• Regular dependency and security patching

10. Changes to This Policy

We may update this policy from time to time. Where changes are material, we will notify registered Clients by email at least 30 days before the new policy takes effect. The current version is always available at perkly.dev/privacy.

Contact

For any privacy-related queries or to exercise your rights: