Last updated: 15 July 2026
This policy explains how Cirqle Ltd ("Cirqle", "we", "us") collects, uses, and protects your personal data when you use cirqle.co.uk and our services. We are the "data controller" for this data under the UK GDPR and the Data Protection Act 2018.
Cirqle Ltd is a company registered in England and Wales [company number — to be added], registered office [registered address — to be added]. We are registered with the Information Commissioner's Office (ICO) under registration [ICO registration number — to be added].
For any privacy question or to exercise your rights, contact privacy@cirqle.co.uk.
We do not collect payment card numbers, and we do not buy personal data or track you across other websites.
Under UK GDPR we must have a "lawful basis" for each use of your data:
| What we do | Lawful basis |
|---|---|
| Create and run your account and provide the cashback service | Performance of our contract with you |
| Verify claims and prevent fraud, abuse, and duplicate accounts | Our legitimate interests |
| Keep the service secure, working, and debugged | Our legitimate interests |
| Send service emails (claim received/confirmed/paid, sign-in codes, password resets) | Performance of our contract |
| Send marketing emails, if you opt in | Your consent (you can withdraw it any time) |
| Keep financial and tax records | Compliance with a legal obligation |
We only send marketing if you have opted in, and every marketing email has an unsubscribe link.
Cirqle's cashback model asks you to post about a purchase on Instagram and tag our account. To check that a qualifying post exists, we retrieve public Instagram posts that tag our brand account and match them to the Instagram handle on your account. For those posts we may process the post's URL, caption, timestamp, the posting account's username and display name, and public like/comment counts.
We use this only to verify your cashback claim. You control which handle is on your account, and you can remove or change it at any time. This retrieval is performed for us by a third-party provider (see section 5). We are reviewing this mechanism and may change how post verification works in future; we will update this policy if we do.
Your account and cashback data is stored in the UK (AWS London region). Some of our providers (for example Apify, Google, and GitHub) may process limited data outside the UK. Where they do, we rely on appropriate safeguards — such as UK "adequacy" decisions or the International Data Transfer Agreement — to keep your data protected to UK standards.
You can ask us to delete your account and associated data at any time (subject to records we must keep by law).
Under UK GDPR you have the right to:
To exercise any of these, email privacy@cirqle.co.uk. We aim to respond within one month. If you're unhappy with how we handle your data, you can complain to the ICO at ico.org.uk.
We protect your data with measures including: passwords stored only as bcrypt hashes; receipt images held in private storage and viewable only through short-lived, signed links; encrypted connections (HTTPS/TLS); and hosting on AWS's UK infrastructure. No system is ever completely secure, so please use a strong, unique password for your Cirqle account and keep it private.
We may update this policy from time to time. If we make a material change, we'll post a notice on the site and, where appropriate, email you. Questions or requests: privacy@cirqle.co.uk, or via our contact page.