Privacy Policy
Last updated: 1 July 2026
This policy explains what personal data Vouchernaut (“we”, “us”) collects, why, how we protect it, and the rights you have under UK data protection law (the UK GDPR and the Data Protection Act 2018). Vouchernaut is a UK verification-gated commerce service — a voucher and cashback destination with its own eligibility-verification rail and browser extension. We are the data controller for the personal data described here. Contact us any time at control@vouchernaut.com.
The short version
- We collect the minimum we need to run your account, offers and cashback.
- Our verification rail is built privacy-first: we store a one-way hash of your verification email, never the address itself, and never any document or image.
- The browser extension does not track your browsing or read page content — it matches store names locally on your device.
- We do not sell your personal data.
- You can export or erase your data from your account at any time.
Who we are
Vouchernaut is the controller responsible for your personal data. For any privacy question, data request, or to reach our data protection contact, email control@vouchernaut.com or use our contact page.
What we collect
Account & profile
- Your email address and name, and authentication data used to sign you in (passwords are stored only as salted hashes by our authentication provider — we never see them in plain text).
- Your preferences: market/country, locale, display currency, and communication opt-ins.
- The brands you follow and offers you favourite.
- If you take part in the community, a public contributor profile (a handle and optional display name). This public profile is deliberately kept separate from your verification identity — a byline shows only a boolean “verified” badge, never which segment you belong to.
Eligibility verification
If you choose to verify eligibility for members-only offers, our rail holds as little personal data as possible:
- Blind-indexed identifiers. We never store your verification email in readable form. We store a one-way keyed hash (HMAC) of the normalised address, so we can recognise a repeat without being able to reverse it to the original address.
- Hash-chained, append-only claims. Each verification writes an audit record linked to the previous one by a cryptographic hash, forming a tamper-evident chain. These records contain only digests and metadata — never a document or image.
- Segment membership. A record that you currently qualify for a given segment, with a status and expiry.
- Explicit consent for special-category data. Some eligibility (for example, health-service or similar status) is special-category data under UK GDPR Article 9. We record your explicit consent before any such claim is made, and you can withdraw it at any time.
- Anti-enumeration.Verification responses are deliberately indistinguishable whether or not an address is eligible, so the system can’t be used to probe who holds an account.
Shopping, cashback & community activity
- Click-outs you make to retailers (the offer, brand, country and time), so cashback and codes can be attributed and confirmed.
- Cashback and reward entries recorded to your wallet, and their status.
- Any comments, deals, reviews or votes you submit to the community.
- If you join a waitlist, your email address and where you signed up from.
Technical data
- A country inferred from your connection (used to show the right market) and essential session cookies.
- Standard security and diagnostic logs.
The browser extension
The Vouchernaut browser extension is privacy-first. It detects when you’re on a store we support by matching the site’s domain locally on your device against a cached list it downloads from us. It does not read the content of the pages you visit, does notrecord your browsing history, and sends no page or browsing data to us or anyone else. The only network requests it makes are to Vouchernaut’s own domain — to refresh that cached store list and to open a disclosed activation link when you choose to use an offer.
Why we use your data (legal bases)
- To perform our contract with you — creating your account, showing eligible offers, and recording cashback.
- With your consent — special-category verification (Article 9(2)(a)), marketing or waitlist emails, and any non-essential processing. You can withdraw consent at any time.
- For our legitimate interests — keeping the service secure, preventing fraud and abuse, attributing affiliate clicks, and improving the product — balanced against your rights.
- To meet legal obligations — for example, retaining limited records for compliance and fraud-prevention.
Who we share it with
We do not sell your personal data. We share it only with service providers who process it on our behalf under contract, and only as needed to run the service:
- Hosting & infrastructure — our cloud hosting, database, cache, content-delivery and email-routing providers.
- Email delivery — to send you account, verification and (if you opt in) alert emails.
- Affiliate networks & retailers — when you click out to a store, we pass a click identifier through a disclosed first-party redirect so the sale can be attributed. See our affiliate disclosure.
- Payment & payout providers — only if and when you use paid or cash-out features, to process those transactions.
Some providers may process data outside the UK. Where they do, we rely on an adequacy decision or appropriate safeguards (such as the UK International Data Transfer Agreement or Standard Contractual Clauses).
How long we keep it
We keep account and profile data for as long as your account is active. Verification memberships expire on their own schedule. When you erase your account we scrub your reversible personal data and revoke your sessions; the tamper-evident verification audit record is retained without your personal details, as permitted for compliance and fraud-prevention. We keep limited transaction and security records for as long as the law requires.
How we protect it
We apply privacy-by-design: blind-indexed identifiers instead of readable emails, hash-chained tamper-evident audit records, encryption in transit, and least-privilege access controls. No system is perfectly secure, but we work to protect your data and to hold as little of it as possible.
Your rights
Under UK data protection law you have the right to:
- access a copy of your data, and correct it if it’s wrong;
- erase your data, and restrict or object to certain processing;
- data portability, and to withdraw any consent you’ve given.
You can download all your data (access) or erase it (erasure) from your account at any time, or email control@vouchernaut.com. If you’re unhappy with how we handle your data, you can complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk — though we’d appreciate the chance to put things right first.
Cookies
We use only essential cookies — to keep you signed in and remember your preferences. When you click out to a retailer we pass you through a disclosed first-party redirect so attribution is transparent; see our affiliate disclosure.
Children
Vouchernaut is intended for adults (18+) in the United Kingdom. We do not knowingly collect data from children.
Changes to this policy
We may update this policy as the service grows. We’ll change the “last updated” date above and, for material changes, tell you in the app or by email.
Contact
Questions about your data, or want to exercise a right? Email control@vouchernaut.com or use our contact page.