Privacy Policy

Last updated: 15 July 2026

Contents
1.Who we are 2.What data we collect 3.How & why we use it 4.Instagram data 5.Who we share it with 6.International transfers 7.How long we keep it 8.Your rights 9.Security 10.Cookies & storage 11.Changes & contact

This policy explains how Cirqle Ltd ("Cirqle", "we", "us") collects, uses, and protects your personal data when you use cirqle.co.uk and our services. We are the "data controller" for this data under the UK GDPR and the Data Protection Act 2018.

1. Who we are

Cirqle Ltd is a company registered in England and Wales [company number — to be added], registered office [registered address — to be added]. We are registered with the Information Commissioner's Office (ICO) under registration [ICO registration number — to be added].

For any privacy question or to exercise your rights, contact privacy@cirqle.co.uk.

2. What data we collect

  • Account data: your first and last name, email address, password (stored only as a secure bcrypt hash — never in plain text), your Instagram handle, and the date you signed up.
  • Cashback claims: photos of receipts you upload (stored privately), the deal you claimed against, the Instagram post linked to the claim, and the cashback amount and its status (pending, confirmed, paid, or rejected).
  • Instagram post data: where you provide an Instagram handle and refresh your feed, we collect public posts that tag our brand account — see section 4.
  • Technical data: our website is hosted on GitHub Pages and our API on Amazon Web Services (AWS). As part of normal operation and security, those providers process standard request data such as your IP address, the time of the request, and your browser type. We do not run our own advertising or analytics tracking.
  • Brand / partnership data: if you apply to partner with us as a brand, we collect the business and contact details you submit in that form.

We do not collect payment card numbers, and we do not buy personal data or track you across other websites.

3. How & why we use it

Under UK GDPR we must have a "lawful basis" for each use of your data:

What we doLawful basis
Create and run your account and provide the cashback servicePerformance of our contract with you
Verify claims and prevent fraud, abuse, and duplicate accountsOur legitimate interests
Keep the service secure, working, and debuggedOur legitimate interests
Send service emails (claim received/confirmed/paid, sign-in codes, password resets)Performance of our contract
Send marketing emails, if you opt inYour consent (you can withdraw it any time)
Keep financial and tax recordsCompliance with a legal obligation

We only send marketing if you have opted in, and every marketing email has an unsubscribe link.

4. Instagram data

Cirqle's cashback model asks you to post about a purchase on Instagram and tag our account. To check that a qualifying post exists, we retrieve public Instagram posts that tag our brand account and match them to the Instagram handle on your account. For those posts we may process the post's URL, caption, timestamp, the posting account's username and display name, and public like/comment counts.

We use this only to verify your cashback claim. You control which handle is on your account, and you can remove or change it at any time. This retrieval is performed for us by a third-party provider (see section 5). We are reviewing this mechanism and may change how post verification works in future; we will update this policy if we do.

5. Who we share it with

We do not sell your personal data. We share it only with service providers ("processors") who act on our instructions, and where the law requires:

  • Amazon Web Services (AWS) — hosting, database, private receipt storage, and email delivery. Your data is stored in AWS's UK (London) region.
  • Apify — retrieves the public Instagram post data described in section 4.
  • GitHub (GitHub Pages) — serves our website.
  • Google Fonts — serves the fonts our pages use; this may involve your browser's IP address being seen by Google.
  • Brand partners: if and when we settle cashback with a partner brand, we may share the minimum information needed to confirm a qualifying purchase — never more than necessary.
  • A payment provider — when cashback withdrawals go live, to pay out your balance (not active yet).
  • Authorities or advisers — where we are legally required to disclose, or to protect our rights.

6. International transfers

Your account and cashback data is stored in the UK (AWS London region). Some of our providers (for example Apify, Google, and GitHub) may process limited data outside the UK. Where they do, we rely on appropriate safeguards — such as UK "adequacy" decisions or the International Data Transfer Agreement — to keep your data protected to UK standards.

7. How long we keep it

  • Account data — while your account is open, and for a short period after closure to handle any final queries.
  • Cashback and financial records — up to 6 years, to meet UK tax and accounting requirements.
  • Sign-in codes and password-reset links — minutes only (they expire quickly by design).
  • Cached Instagram posts — until you refresh them or close your account.

You can ask us to delete your account and associated data at any time (subject to records we must keep by law).

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased ("right to be forgotten").
  • Restrict or object to certain uses of your data.
  • Receive a portable copy of the data you gave us.
  • Withdraw consent (for anything based on consent) at any time.

To exercise any of these, email privacy@cirqle.co.uk. We aim to respond within one month. If you're unhappy with how we handle your data, you can complain to the ICO at ico.org.uk.

9. Security

We protect your data with measures including: passwords stored only as bcrypt hashes; receipt images held in private storage and viewable only through short-lived, signed links; encrypted connections (HTTPS/TLS); and hosting on AWS's UK infrastructure. No system is ever completely secure, so please use a strong, unique password for your Cirqle account and keep it private.

10. Cookies & storage

We do not use advertising or tracking cookies. To keep you signed in and remember a few preferences, we use your browser's local storage. Full details are in our Cookie Policy.

11. Changes & contact

We may update this policy from time to time. If we make a material change, we'll post a notice on the site and, where appropriate, email you. Questions or requests: privacy@cirqle.co.uk, or via our contact page.