Privacy Policy

Last updated: April 2026

1. Who We Are

IRLs is a UK-based SaaS and NFC platform. We are the data controller for personal data collected through our Service. Contact: daryl@irls.xyz.

2. Data We Collect

  • From customers tapping NFC chips: email address only
  • From merchants: name, business name, email, billing details
  • Usage data: taps, visits, redemptions, device/browser info

3. How We Use Your Data

  • To deliver the Service (issue stamps, track rewards, send confirmations)
  • To process payments (via Stripe)
  • To send merchants product updates and service emails
  • To improve the Service through anonymised analytics

We do not sell your data. Customer emails belong to the merchant whose IRL was collected and are used solely for that merchant's reward programme. IRLs acts as a data processor for customer data collected on behalf of merchants.

4. Legal Basis (GDPR)

We process personal data under the following lawful bases:

  • Contract: to deliver the Service you signed up for
  • Consent: when you submit your email to collect an IRL
  • Legitimate interest: to improve and secure the Service

5. Third Parties

We share data with trusted processors only as needed to run the Service:

  • Stripe — payment processing
  • Supabase — database and authentication
  • Email providers — transactional emails

6. Data Retention

We retain personal data for as long as your account is active or as required to fulfil the purposes outlined here. You can request deletion at any time.

7. Your Rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion ("right to be forgotten")
  • Object to or restrict processing
  • Data portability
  • Lodge a complaint with the ICO (ico.org.uk)

To exercise any of these rights, email daryl@irls.xyz.

8. Cookies

We use essential cookies to keep the Service running and minimal analytics cookies to understand usage. No advertising or cross-site tracking cookies are used.

9. Security

We use industry-standard encryption (HTTPS, encrypted databases) and limit access to personal data to authorised personnel only.

10. Changes

We may update this policy. Material changes will be notified via email or the Service.