Privacy Policy
Last updated: 8 May 2026
1. Who we are
VeryVert ("we", "us", "our") operates the VeryVert platform, including the mobile app and web portal at veryvert.com. We connect employees of participating businesses with sustainable local stores, restaurants, and services.
For the purposes of UK data protection law, VeryVert is the data controller. You can contact us about data matters at privacy@veryvert.com.
2. Data we collect
Individual users (employees)
When you create an account or use the VeryVert app, we may collect:
- Name, email address, username, and profile picture
- Your employer and associated office location (used to determine your discount radius)
- QR code redemption history — which stores you have visited and discount amounts applied
- Subscription status and billing information (processed by RevenueCat and Apple/Google)
- Device identifiers and push notification tokens (used to send you app notifications)
- App usage data and interactions (if analytics are enabled — see section 5)
Business accounts
If you register a business account, we also collect:
- Company name, address, and contact details
- Employee email addresses uploaded for seat provisioning
- Billing and payment information (processed by Stripe)
- Subscription tier and usage metrics
Store partners
If your business is listed as a store partner, we collect:
- Business name, address, category, and contact information
- Sustainability credentials and ESG rating
- Redemption data (how many discounts have been applied at your venue)
Website visitors
When you visit veryvert.com we collect standard server logs (IP address, browser type, pages visited). We do not use third-party advertising trackers.
3. How we use your data
We use personal data to:
- Create and manage your account
- Verify your eligibility for discounts based on your employer
- Process payments and manage subscriptions
- Send transactional emails (account invites, OTP codes, receipts)
- Display nearby stores and apply QR-code discounts
- Provide customer support
- Improve the platform through aggregated analytics
- Comply with legal obligations
Our legal bases under UK GDPR are: contract performance (providing the service you signed up for), legitimate interests (improving the platform, fraud prevention), and consent (marketing communications, where applicable).
4. Third-party processors
We share data with the following third parties only to the extent necessary to operate the platform:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | EU (Ireland) |
| Stripe | Business subscription payments and billing | USA / EU |
| RevenueCat | In-app purchase management (individual subscriptions) | USA |
| Apple App Store | iOS app distribution and in-app purchases | USA |
| Google Play | Android app distribution and in-app purchases | USA |
| Resend | Transactional email delivery | USA / EU |
| Vercel | Web hosting and serverless functions | USA / EU |
| Expo (EAS) | Mobile app builds and over-the-air updates | USA |
| Google (Places API) | Store location data enrichment (backend only) | USA |
Where providers are based outside the UK/EU, transfers are covered by Standard Contractual Clauses or equivalent adequacy mechanisms.
5. Analytics and tracking
We may use a privacy-respecting analytics service (such as PostHog or similar) to understand how the platform is used. This involves collecting aggregated, anonymised usage data. We do not sell data to advertisers or build ad profiles.
Push notifications require storing a device token. You can opt out of notifications at any time through your device settings.
6. Data retention
- Account data is retained while your account is active and for 2 years after deletion, unless you request earlier removal
- Redemption history is retained for 7 years for financial record-keeping purposes
- Business billing records are retained for 7 years to comply with HMRC requirements
- Server logs are retained for 90 days
7. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (subject to legal retention obligations)
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Restriction — ask us to pause processing while a dispute is resolved
To exercise any of these rights, email privacy@veryvert.com. We will respond within 30 days. You also have the right to lodge a complaint with the ICO.
8. Cookies
The VeryVert web app uses a single session cookie set by Supabase to maintain your login. We do not use advertising cookies or third-party tracking cookies. No cookie consent banner is required beyond this notice.
9. Children
VeryVert is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to this policy
We may update this policy as the platform evolves. Material changes will be communicated by email or in-app notification. Continued use of VeryVert after changes take effect constitutes acceptance of the updated policy.
11. Contact
For any privacy-related queries: privacy@veryvert.com