Privacy Policy

At Rewordin (“we”, “our”, or “us”), we are committed to protecting your privacy and ensuring the security of your data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our global employee rewards and recognition platform, available at rewordin.com and through our integrations.

This policy applies to all Rewordin customers, end-users (employees who receive rewards), and visitors of our website. By using Rewordin, you agree to the practices described below.

1. Information We Collect

We collect four categories of information. Each is handled according to the legal basis described in Section 3.

2. How We Use Your Information

We use the collected information to:

• Deliver, fulfil, and track employee rewards across 150+ countries
• Process reward transactions and manage multi-currency conversions
• Generate tax-compliance reports (1099, P11D, VAT, and other regional forms)
• Sync employee data with your connected HRIS and collaboration platforms
• Send reward notifications and service-related communications
• Provide customer support and resolve issues
• Detect and prevent fraud, abuse, and security incidents
• Improve our platform through aggregated, anonymized analytics
• Comply with legal and regulatory obligations

3. Legal Basis for Processing (GDPR)

Under the EU General Data Protection Regulation, we process your personal data on the following legal bases:

• Contract performance — to deliver the service you signed up for
• Legitimate interests — to secure the platform, prevent fraud, and improve it
• Legal obligation — to meet tax, accounting, and regulatory requirements
• Consent — for analytics cookies, marketing communications, and optional features

4. Data Security

We implement enterprise-grade security controls to protect your data, organized around the principle of defense in depth:

• Encryption: TLS 1.3 in transit; AES-256 at rest
• Infrastructure: Hosted on SOC 2 Type II aligned cloud providers
• Access controls: Role-based access control (RBAC), SSO/SAML, multi-factor authentication
• Payment handling: All payment data handled by PCI-DSS compliant payment processors and gift card suppliers; Rewordin does not store payment card numbers on our infrastructure
• Data isolation: Each organisation’s data is logically isolated in a multi-tenant architecture; no customer can access another customer’s data
• Audit logging: All administrative and data-access actions are logged and retained for compliance review
• Penetration testing: Annual third-party security assessments and continuous vulnerability scanning
• Incident response: Documented breach-notification process aligned with GDPR’s 72-hour requirement

5. International Data Transfers

Rewordin is headquartered in Wrocław, Poland, in the European Union. Your data is primarily processed and stored within the EU. When a reward delivery requires sharing limited information (such as a recipient email address) with a supplier or processor outside the EU, we ensure appropriate safeguards are in place, including:

• European Commission Standard Contractual Clauses (SCCs)
• EU-U.S. Data Privacy Framework certification, where applicable
• Adequacy decisions for transfers to whitelisted jurisdictions
• Encryption in transit and at rest for all cross-border transfers

A copy of our current transfer safeguards is available on request to dpo@rewordin.com.

6. Data Retention

We retain personal data for as long as needed to provide the service and meet our legal obligations:

• Account data: While your account is active, plus 30 days after deletion for recovery
• Reward transaction records: 7 years from transaction date (required by most tax authorities)
• Audit logs: 2 years from the action date
• Tax reports: 10 years where local law requires (e.g., Poland’s 5-year retention plus buffer)
• Backups: 90 days rolling, after which they are deleted automatically

You may request deletion of your account and data at any time. We will remove your data within 30 days, except where retention is required by law (e.g., tax records).

7. Your Rights

Under the GDPR, UK GDPR, CCPA, and other applicable data protection laws, you have the right to:

To exercise any of these rights, email dpo@rewordin.com. We respond within 30 days at no cost. EU residents may also contact the Polish Data Protection Authority (UODO) at uodo.gov.pl.

8. Cookies & Tracking

We use a small number of cookies, classed into three categories:

• Essential cookies — required for authentication, security, and the site to function. Cannot be disabled.
• Analytics cookies — PostHog, set only after consent. Used to understand aggregate usage patterns; no personal targeting, no data sold to third parties.
• Marketing cookies — not currently used on rewordin.com. We do not run third-party advertising trackers on this site.

You can manage cookie preferences in your browser settings or through the cookie banner on your first visit.

9. Third-Party Services

We work with a small number of vetted sub-processors to deliver the service. The full current list, with the data they process and where they are based, is available at /privacy/sub-processors on request. All sub-processors are bound by data processing agreements aligned with GDPR Article 28.

Common categories of sub-processor include:

• Cloud infrastructure providers (hosting, database, storage)
• Gift card and reward suppliers (fulfilment, redemption)
• Payment processors (PCI-DSS compliant)
• Email and notification providers (transactional email)
• Analytics tools (only with consent)

10. Children’s Privacy

Our services are intended for business use by adult employees and contractors. We do not knowingly collect personal information from anyone under 16, or under 13 with verifiable parental consent where local law requires. If you believe we have collected information from a minor in error, contact dpo@rewordin.com and we will delete it within 7 days.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The version number and “Last Updated” date at the top of this page indicate the current revision. For material changes (changes that affect your rights or how we process your data), we will notify you at least 30 days in advance by email and by a banner in the platform.

Previous versions are archived and available on request.

12. Contact Us

For any questions about this Privacy Policy, to exercise your data rights, or to contact our Data Protection Officer:

You may also review our Terms of Service for additional information about using the Rewordin platform.