Privacy Notice

Last updated: 19 June 2026

1. Who we are

Recognise Card ("we", "us", "our") is the data controller for the personal information we hold about you. We provide an exclusive discount programme for Ireland's healthcare workers, emergency services and carers.

You can contact our Data Protection contact at privacy@recognisecard.ie.

2. The information we collect

We collect personal information when you apply for or use a Recognise Card. This includes:

  • Account details — your name, date of birth, email address, phone number and password.
  • Eligibility details — your profession, employer, county.
  • Verification documents — see section 5 below; these are handled with extra care.
  • Membership details — your Recognise card number, verification status and renewal dates.
  • Payment details — limited transaction information from our payment provider (Stripe). We never see or store your full card number.
  • Usage information — first-party page views and offer engagement, collected only after you accept "Statistics" cookies (see section 11).

3. How we use your information

We use your personal information to:

  • verify your eligibility and issue your Recognise Card;
  • provide and improve the Service, including showing you relevant offers;
  • process payments and manage your membership;
  • send service emails (verification, receipts, renewal reminders);
  • send marketing emails about new offers if you have opted in;
  • investigate misuse of the Service and protect our partner brands and members from fraud;
  • comply with our legal and regulatory obligations.

5. Verification documents (ID documents)

To verify eligibility we ask you to upload a work-related document — for example a payslip, a professional registration card, a work ID badge or a Garda/Defence Forces ID. We treat these documents with extra care because they often contain government-issued identifiers or employment information that, while not formally a "special category" under GDPR Art. 9, is sensitive and adjacent to it.

  • Purpose: solely to confirm your eligibility for the Recognise Card.
  • Legal basis: our legitimate interest in preventing fraud and protecting partner brands (Art. 6(1)(f)).
  • Storage: encrypted in a private, access-controlled storage bucket inside our EU database (Dublin, Ireland). Only members of our verification team can read these files.
  • Retention: the uploaded file is deleted from storage immediately after a verification decision (approve or reject). The audit record (without the file) is hard-deleted from our database 30 days later. Documents that remain "pending" for more than 90 days are automatically rejected and purged.
  • Sharing: we never share verification documents with partner brands or any other third party. They are only ever seen by our internal verification team.

We recommend redacting any information you do not need to share — for example salary figures on a payslip or your PPSN.

6. Who we share your information with (subprocessors)

We use a small number of carefully chosen subprocessors to operate the Service. We have a written Data Processing Agreement (Art. 28 GDPR) in place with each of them, and each is bound to act on our instructions and to apply appropriate technical and organisational security measures.

Subprocessor | Purpose | Data location | DPA
Lovable Cloud / Supabase | Database, authentication, file storage, server functions | EU — Ireland (eu-west-1, Dublin) | Yes
Stripe Payments Europe Ltd | Card payments and subscription billing | EU, with onward transfer to the US under SCCs | Yes
Mailgun (via Lovable Emails) | Transactional and account emails | EU region | Yes
Cloudflare, Inc. | Edge delivery, DDoS protection, TLS termination | Global edge; EU-first routing for EU visitors. SCCs in place. | Yes

We also share data with partner brands only to the extent needed to redeem an offer you choose to use with them (for example, if you click through to a brand's website with a tracking link, the brand may see that the visit came from Recognise Card). We never share your verification documents, date of birth or password. We do not sell your personal information.

A current list of subprocessors is maintained on this page. We will give reasonable advance notice on this page before adding or replacing a subprocessor that processes member data.

7. How long we keep your information

  • Account & membership data: kept for as long as you are a member, and for up to 6 years after your membership ends to meet our legal and accounting obligations.
  • Verification documents: the file is deleted immediately after the verification decision; the audit row is hard-deleted 30 days later (see section 5).
  • Payment records: retained for 6 years for tax/accounting purposes (we hold transaction metadata only, not card details).
  • Marketing preferences: kept until you withdraw consent.
  • First-party analytics (page views, discount events): retained for up to 13 months and only collected if you consent to "Statistics" cookies.
  • Server access logs: retained by our hosting provider for up to 30 days for security and abuse-prevention purposes.

8. Your rights

Under the GDPR you have the right to:

  • request a copy of the personal data we hold about you (you can do this yourself from the "Your data & privacy" section of your account);
  • ask us to correct inaccurate information;
  • ask us to delete your account and personal data (you can do this yourself from the same section), subject to our legal obligations;
  • object to or restrict certain processing;
  • request portability of the data you provided to us;
  • withdraw consent for marketing or non-essential cookies at any time.

To exercise any of these rights, email privacy@recognisecard.ie. You can also lodge a complaint with the Data Protection Commission (dataprotection.ie).

9. International transfers

Our primary database, authentication system and file storage are hosted in Ireland (EU — eu-west-1, Dublin) by Supabase via Lovable Cloud. Your account data and verification documents therefore remain in the European Economic Area at rest.

Some of our subprocessors (notably Stripe and Cloudflare) operate globally and may transfer limited data to the United States. Where that happens we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.

10. Keeping your information secure

We use industry-standard security measures including:

  • TLS encryption for all data in transit;
  • encryption at rest for our database and storage buckets;
  • Row Level Security policies so members can only ever read their own data;
  • strict role-based access controls for our verification team;
  • Have I Been Pwned password screening on every sign-up;
  • full audit logging of every administrative action;
  • automated retention/purge jobs (see section 5).

No system is ever completely secure, so please use a strong password and let us know immediately if you suspect unauthorised access to your account.

11. Cookies & analytics

We use a small number of strictly necessary cookies that the site needs to function (sign-in, checkout, security). For our first-party analytics (page views and discount engagement events) we ask for your consent first via our cookie banner — until you accept "Statistics" cookies, no analytics events are recorded.

We currently load no third-party advertising or marketing trackers (no Google Analytics, Meta Pixel, TikTok Pixel, etc.). You can review and change your preferences at any time using the "Cookie settings" link in the site footer.

12. Changes to this notice

We may update this Privacy Notice from time to time. The "Last updated" date at the top of this notice shows when changes were last made. Where changes are significant we will notify you by email or through the Service.

13. Contact us

For any questions about this Privacy Notice or how we handle your data, please email privacy@recognisecard.ie.