1. Introduction and scope
This policy outlines how Blackboard Deals Ltd ("BlackBoard", "we" or "us") collects, processes, stores and protects personal data related to our two user groups: App Users (deal seekers) and Venue Partners (venue owners and staff).
We are dedicated to operating in full compliance with the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), particularly regarding electronic marketing and the use of location data within the UK. We are committed to robust security and absolute transparency in our data processing activities.
2. Categories of personal data processed
| Data Subject | Category of Data | Purpose of Processing | Lawful Basis |
|---|---|---|---|
| App Users (Consumers) | Identity Data: name, email, hashed password, social sign up ID (Google or Apple). | Account creation, login security and user identification. | Contractual Necessity |
| Transaction Data: records of claimed deals, unique QR code generation and successful redemption logs. | Validation of the core service and proving ROI for venue partners (liquidity KPI). | Contractual Necessity and Legitimate Interest | |
| Usage Data: app activity, search queries, filter use and crash reports. | Improving app performance, feature prioritisation and measuring stickiness ratio. | Legitimate Interest (product improvement) | |
| App Users (crucial) | Location Data: GPS or network based geographical position used for map and search. | Providing the value added service of displaying hyper local deals. | Explicit Consent (PECR / UK GDPR) |
| Venue Partners (B2B) | Venue Staff / Owner Identity: name, work email, staff role and phone number. | Account management, B2B communication and access control (role testing). | Contractual Necessity |
| Venue Profile Data: address, business licence info, trading name and uploaded deal imagery. | Verification of venue identity and publishing listings on the platform. | Contractual Necessity |
3. Special requirement: processing of location data (PECR compliance)
Two strict rules. We process location data only if it is strictly necessary for the value added service, and only with your prior, explicit consent.
The rules in the UK governing the use of location data are very strict under PECR, particularly when providing a "value added service" such as local deal mapping.
We only process a user's location data if:
- It is strictly necessary for the value added service (mapping local deals).
- We have obtained the user's prior, explicit consent.
Mandatory consent flow
Our consent mechanism is integrated into the onboarding flow and adheres to the following PECR principles:
- Explicit opt in: consent must be given via a clear, positive action from the user.
- Default state: geo location options will be switched off by default upon installation. Access is only activated when the user actively requests the map or local search feature.
- Transparency: users are clearly and specifically informed before consent is requested about the exact types of location data we process, what we use the data for (accurate mapping of local deals), how long the data will be kept, and whether the data will be passed to a third party (for example map providers) to provide the value added service.
- Right to withdraw: users can revoke location permissions at any time via the in app permissions dashboard or device settings.
4. Data minimisation and retention
We apply the UK GDPR principle of data minimisation, ensuring we only collect the personal data strictly necessary to provide the core search, posting and redemption functionality.
- Retention: personal data is retained only for as long as necessary to fulfil the purposes for which it was collected. User accounts and associated personal data will be permanently erased upon a formal request submitted via the in app Delete Account route.
5. Third party data processors
BlackBoard relies on third party providers (Data Processors) for essential services such as cloud hosting, crash logging and push notification delivery.
We ensure a written contract is in place with every Data Processor, detailing what they are permitted to do with the data. To comply with PECR, these contracts must cover the location data of corporate users (Venue Partners and Staff) as well as the personal data of individuals.
6. User rights (data subject rights)
All users have the following rights under UK GDPR:
- Right to access: the right to request a copy of the personal data we hold about them.
- Right to rectification: the right to have inaccurate personal data corrected.
- Right to erasure (right to be forgotten): the right to request the deletion of their personal data.
- Right to restrict processing: the right to limit how we use their personal data.
- Right to object: the right to object to processing based on legitimate interest or for direct marketing purposes.
7. Direct marketing and communications (PECR)
Any push notifications or emails for direct marketing will respect a user's right to opt out. We will not send promotional communications to users or venue partners who have clearly exercised their right to opt out via the app or email preferences, ensuring full compliance with PECR rules on electronic marketing.
Exercise your data rights
To submit a data subject access request, request erasure or ask any other GDPR question, contact us at privacy@blackboarddeals.com.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.