Privacy Policy

Last Updated 07 October 2024

We are committed to safeguarding the privacy of our website visitors. This Privacy Policy describes the ways we collect information from and about you, and what we do with the information, so that you may decide whether or not to provide information to us. By accessing our website or purchasing our services, you agree to this Privacy Policy in addition to CitizenCard Terms and Conditions.

1. Collection of Your Personal Data

If you act as our customer, the information we collect may include the following:

  • Personal Identifiers: Title, full name (given names and surname), date of birth, gender, photo, signature, and, following verification of your application, card number, card issue date, and card expiry date.
  • Verification Documents: copy of document(s) confirming your identity (e.g., passport, driving licence). We may also use Yoti's Electronic Identity Verification to assess and verify the authenticity of your submitted photo ID documents as part of our identity validation processes.
  • Contact Information: Address, email address, phone number, mobile number.
  • Login Credentials and Transaction Information: Information about your online account, login credentials, transaction details, order tracking number, product and service selections.
  • Technical Data: IP address, browser details, device information, web server logs, error and analytics data, including website traffic and usage patterns. We may also use automated services such as Google Vision API and CitizenCard Machine Learning (ML) to analyse uploaded photos for compliance with application photo requirements. These image analysis features do not directly identify individuals or tie the data to a specific identity.
  • Guardian Information: For applicants under 16, we may collect the guardian's title, first name, surname, telephone (mobile or landline), and email address to ensure applicant has their parent/guardian consent to make an application.
  • Marketing Data: Email marketing opt-in status, marketing preferences.
  • Correspondence Data: Content of emails, support ticket details, any attachments provided by you, and customer service call recordings (the caller is informed at the start of the call that their call is being recorded).
  • Survey Data: Includes shopping behaviour, card usage behaviour, age, card type, employment status, educational status, living arrangements, etc. This data is collected only from cardholders who consent to participate in surveys.

We collect personal data from you at several different points, including but not limited to the following:

  • when you visit our site (including through web server logs, cookies and tracking technologies such as Google Analytics if you provide consent for this)
  • when you correspond with us as a customer or prospective customer
  • when you register as a user of our services and an account is created for you at online.citizencard.com
  • when you use our services and apply for a Proof of Age and ID card, whether through a postal (paper) form, our online application process for individuals at online.citizencard.com, or utilising our paperless application scheme for registered organisations (available only to schools, universities, councils, prisons and charities) at ebulk.citizencard.com
  • when you contact us either via email or via our Support Centre at support.citizencard.com
  • when the site sends us error reports or analytics data
  • when we verify that a card has been issued by us, either through our API, at verify.citizencard.com, or via the PASS Card Verify app, available on both the Google Play Store and Apple App Store
  • when you use our e-IDVT (Electronic ID Validation Technology) service you will have to agree to your data (photo ID document, liveness check and selfies) being assessed by Yoti Identity Verification for the purpose of document and identity validation
  • when you upload your photo during the application process, we use automated services such as Google Vision API and CitizenCard Machine Learning (ML) to analyse it for compliance with application photo requirements; these image analysis features do not directly identify individuals or tie the data to a specific identity; we may use your uploaded photo to anonymously train our Machine Learning model to improve our application process.
  • when you purchase third-party products or services from SimpleSavings Offers, hosted at online.citizencard.com/discounts on behalf of those third parties; CitizenCard Limited does not receive or store any financial information from these transactions
  • when you interact with our social media, for example via comments, shares and likes on our social media posts, or when you visit our website by following a link from social media
  • when you consent to participate in online surveys that are created and distributed via email to cardholders who have opted in to receive marketing communications; responses are collected and analysed to enhance the effectiveness of our marketing strategies and better understand the needs of our cardholders
  • when you open an email from CitizenCard; we use technology to tailor the communications that you receive, and to ensure that you don't receive emails that are not interesting to you or that you have opted out of; you can unsubscribe from our emails and manage your preferences at any time and this will not affect the validity of your CitizenCard.

If you act as a referee or verifier supporting a CitizenCard application, we collect information such as

  • Referee Data: Title, full name (given names and surname), signature, job title, professional registration number (if applicable), business address, email address, phone number and mobile number.
  • Verification Information: name of document(s) you have seen to confirm applicant's identity (if any), type of records you are confirming data from, the applicant's personal details (names, date of birth) according to the documents you have seen or records you hold, your relationship with the applicant (how you know them and how long have you known them) and any comments or concerns you might have regarding the application.
  • Technical Data: IP address, browser details, device information, web server logs, error and analytics data, including website traffic and usage patterns.
  • Correspondence Data: Content of emails, support ticket details, and any attachments provided by you.

We collect referee or verifier data from you at several different points, including but not limited to the following:

  • when you visit our site (including through web server logs, cookies and tracking technologies such as Google Analytics if you provide consent for this)
  • when you complete the Digital Referee Declaration Form or the Statement of Truth to support an online application
  • when you sign up to be a verifier for our Bulk program or the paperless application scheme at ebulk.citizencard.com, which are available only to schools, universities, councils, prisons, and charities
  • when you support and countersign a postal (paper) application or a batch of applications through our Bulk or paperless application scheme programs
  • when you correspond with us as a referee, verifier, or prospective referee/verifier
  • when you contact us either via email or via our Support Centre at support.citizencard.com
  • when the site sends us error reports or analytics data
  • when we contact you to verify the information provided.

2. Use of Your Personal Data

CitizenCard may use information that we collect about you to:

  • deliver the products and services that you have requested as our customer e.g., process your transaction, verify your identity to issue you with an ID card or confirm applicant's identity if you acted as a referee to support an application
  • confirm that you are a legitimate cardholder if a retailer or other organisation needs to verify your card as valid or confirm your age and likeness via our API, at verify.citizencard.com, or using the PASS Card Verify app available on the Google Play Store and Apple App Store
  • provide SimpleSavings Offers of discounted products and services; when you click on a SimpleSavings Offer, you are redirected to a third-party website where the product or service is offered; CitizenCard does not process transactions for these offers but acts as an affiliate, partnering with third-party providers to bring you discounted offers
  • maintain and manage your account details, including login credentials, transaction history and service preferences
  • manage your customer relationship and provide you with customer support
  • record and analyse customer service calls (where consented), email correspondence, and support tickets to ensure a high level of service
  • track your support requests through our Support Centre at support.citizencard.com
  • confirm that the applicant has parental/guardian consent for their application if the applicant is under 16
  • collect and process referee information to establish eligibility and verify applicant details where a referee or verifier is involved
  • use analytics data, including website traffic and usage patterns, as well as data from technical services like web server logs, cookies, error reporting and tracking technologies (e.g., Google Analytics) to improve website functionality and user experience
  • analyse customer interactions, feedback, and survey data to enhance product offerings (including SimpleSavings Offers), marketing strategies, and services, tailoring content to the preferences and needs of our cardholders
  • conduct research and analysis to better understand customer use of our products and services
  • perform image analysis to improve service performance, including training CitizenCard's Machine Learning models to enhance photo verification and application processes; using automated services such as Google Vision API and CitizenCard Machine Learning to analyse uploaded photos for compliance with application photo requirements; all data is processed anonymously and does not directly identify individuals - no profiling or face mapping is involved
  • contact you via email, postal mail or SMS with information related to products or services that may be of interest to you (based on your marketing preferences and opt-in status)
  • send you service updates, order confirmations and important notifications relating to your cardholder status or the services you have subscribed to
  • tailor content on our website and communications (such as emails) based on your preferences and interests, ensuring relevant information is delivered
  • provide marketing content only to those who have opted in, ensuring compliance with user preferences
  • manage our internal operations, such as accounting, audits, reporting, and statistics, for regulatory and compliance purposes
  • manage and track interactions on social media platforms, including comments, likes, and shares, for those who engage with us through those channels
  • understand how users are referred to our website from social media sources to improve engagement strategies
  • comply with legal requirements or obligations including fraud prevention, responding to law enforcement requests, and upholding our Terms and Conditions.

3. Disclosure of Your Personal Data to Third Parties

We may share your personal data with third parties only in the ways that are described in this Privacy Policy:

  • we provide Yoti, a digital identity company, 1Account, an online age verification company, and Arissian, via their Luciditi digital identity platform, with the ability to confirm electronically the validity of a cardholder through our secure API, provided that the cardholder has given Yoti, 1Account or Arissian their consent to this
  • we use Yoti Identity Verification to power our e-IDVT (Electronic ID Validation Technology) service which enables Yoti to submit the ID documents and selfies of suspected fraudsters to law enforcement bodies to help authorities in detection and prevention of fraud
  • we provide retailers and other organisations with the ability to confirm that you are a legitimate cardholder at verify.citizencard.com or by using the PASS Card Verify app available on the Google Play Store and Apple App Store, provided that you have given them your consent either by sharing your card details with them, allowing them to scan the QR code on the reverse of your card, or by permitting them to take a photo of the front of your card
  • we use Google Cloud Vision API together with our own machine learning technology to ensure a photo you upload to support your online application complies with passport quality standards; Google does not use an anonymous photo it receives for any other purpose nor share it with third parties, and the photo is deleted right after processing
  • we use Google Cloud Vision API to extract full card details from photos taken by the PASS Card Verify app to verify whether the card is genuine or not; Google does not use a photo of a card it receives for any other purpose nor share it with third parties, and the photo is deleted right after processing
  • we share your full name and address with our delivery provider, Royal Mail, who deliver your card to you
  • we share anonymised analytics data with Google Analytics to help us understand website usage, gather insights into user behaviour and improve website performance; additionally, we may track registered users across devices and sessions using Google Analytics User-ID feature on online.citizencard.com which provides a more accurate analysis of customer interactions; both Google Analytics features are contingent on your consent to use 'Analytics' cookies
  • we may use SurveyMonkey to conduct surveys as part of our email campaigns, which you may receive if you have consented to marketing communications
  • we may disclose your personal information to law enforcement agencies to the extent that we are required to do so by law.

CitizenCard data is not used for any other purpose.

4. Security Measures to Protect Your Personal Data

We take all reasonable technical and organisational measures to safeguard your personal data from loss, misuse or unauthorised alteration. All personal data you provide is stored in encrypted databases on secure and firewall-protected servers located in world-class UK data centres. When you submit personal information through online forms on our website (such as registration or order forms), the data is encrypted using SSL/TLS technology to ensure secure communication between your browser and our servers.

For payment transactions on online.citizencard.com, we use Braintree to process application fees and manage refunds. Braintree securely handles debit or credit card payments and integrates PayPal, Google Pay and Apple Pay. Your payment details are always secure, and we do not store your credit or debit card information.

The CitizenCard site contains links to other websites. We are not responsible for the privacy policies or practices of third-party websites you may visit once you have left our website.

International Transfers of Your Personal Data

Some of the third-party service providers we use may process your personal data outside the UK or the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place to protect your data in line with UK GDPR requirements.

  • Braintree (a PayPal service) may process payment information outside the UK or EEA, particularly in the United States. Data transfers are safeguarded by PayPal's adherence to Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Google Cloud Vision API and Google Analytics may process data outside the UK or EEA. Google protects international transfers using Standard Contractual Clauses (SCCs) and has been certified under the EU-U.S. Data Privacy Framework.
  • SurveyMonkey may transfer personal data outside of the UK and EEA to countries like the United States, where their servers are located. However, they have mechanisms in place, such as Standard Contractual Clauses (SCCs), to ensure that your personal data remains protected and that international transfers comply with applicable data protection laws.

Where data is transferred internationally, we take steps to ensure that it is processed securely, and we only work with providers who can demonstrate their commitment to safeguarding your data.

5. Use of Cookies and Web Analytics Services

Cookies

Cookies are essential to the proper functioning of this site and enhance your experience by storing certain information during your visits. By using the CitizenCard site and any linked subdomains on citizencard.com, you agree to the use of 'Necessary' cookies, which are essential for the functioning of the site and cannot be disabled. You have the ability to manage your cookie preferences through our cookie banner. If you wish to disable cookies, further details are provided below on how to do so. However, please note that certain features, such as the online CitizenCard application process, may not function correctly if cookies are disabled.

Cookies are small text files placed on your device by websites you visit, including citizencard.com and its subdomains such as support.citizencard.com, online.citizencard.com and verify.citizencard.com. These files are linked to your device, not directly to you, and do not store any personal data unless you explicitly provide it.

Under EU and UK GDPR regulations, we ensure compliance with the law regarding the use of cookies on citizencard.com and its subdomains. Cookies serve various functions, such as remembering your preferences and improving your user experience. We use both session cookies (which are deleted when you close your browser) and persistent cookies (which remain on your device until deleted or until they expire).

Local Storage

We use Local Storage in addition to cookies to store specific information necessary for the functioning of our payment services. For example, items like '__paypal_storage__' are stored to facilitate transactions with PayPal and ensure a secure checkout process on online.citizencard.com. Unlike cookies, Local Storage data persists across browser sessions unless manually cleared, helping to maintain a smooth and secure payment experience.

Google Consent Mode (GCM) Usage

We have implemented Google Consent Mode (GCM), which ensures that no 'Analytics' cookies are set unless you provide consent. This means we respect your privacy choices by dynamically adjusting how Google Analytics and other tracking technologies operate, based on your preferences.

Categories of Cookies

On citizencard.com and its related subdomains, we use the following categories of cookies:

  • Necessary cookies: Essential for the website's operation, these cookies enable core functionalities such as security, session management, and adjusting your consent preferences. They also ensure that discount codes or referral commissions earned through recommending CitizenCard ID can be correctly attributed to you (where relevant). These cannot be disabled through the site.
  • Functional cookies: These cookies enable essential features such as affiliate tracking, playing embedded content, tracking interactions with media, sharing on social media, collecting feedback, and supporting other third-party functionalities.
  • Analytics cookies: With your consent, we use these cookies to understand how visitors interact with the website. Google Analytics helps us measure metrics such as page visits, traffic sources and site performance. Additionally, we may track registered users across devices and sessions using Google Analytics User-ID feature on online.citizencard.com to provide a more accurate analysis of customer interactions. Google Consent Mode ensures that these cookies are only set if you provide consent.

List of Cookies

Necessary:

Cookie Duration Description
discountareaviewed session

This cookie is necessary to enable navigation features within the CitizenCard SimpleSavings section, allowing users to go back to previously viewed pages.
dpsid-portal session

This session cookie is necessary for the CitizenCard Support Centre to manage and maintain user sessions while interacting with support services.
dp_last_lang session

This cookie ensures the CitizenCard Support Centre is displayed in the correct language during a session.
dp__v 1 year 1 month 4 days

This persistent cookie is used to retain user settings and preferences across visits, enhancing the user experience in the CitizenCard Support Centre.
_dp_csrf_token session

This cookie provides security by preventing Cross-Site Request Forgery (CSRF) attacks while using the CitizenCard Support Centre.
rc::a Never Expires This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
rc::c session This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
rc::f Never Expires This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
rc::b session This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
_GRECAPTCHA 6 months Google Recaptcha service sets this cookie to identify bots to protect the website against malicious spam attacks.
isloggedin 30 days

This cookie is used to detect whether a user is logged in to the web application.
REMEMBERME 30 days

This cookie is used to save the user's password, allowing them to remain logged in for 30 days without re-entering their credentials.
[session_id] session

This cookie is generated by the CitizenCard website to manage user sessions. An example of the cookie ID is fb01974aa746aa6e5efa9bcf5fcdd4c6. It stores a unique session ID to track the user's session and ensure continuity during browsing. This cookie is essential for maintaining session state across the website, does not store any personal information and is deleted when you close your browser.
cookieyes-consent 1 year

This cookie is set by CookieYes to remember users' consent preferences so that their choices are respected on their subsequent visits to our website. It does not collect or store any personal information of the site visitors.
PromoCode 30 days

This cookie stores the promotional code used by the user, enabling the application of discounts to reduce the prices of CitizenCards. It is set when a user accesses a promotional URL, ensuring that the discount is correctly applied during the application process.
__cflb 1 day

This cookie is used by Cloudflare for load balancing to ensure the visitor page requests are routed to the correct server.
PHPSESSID session

This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website.
enforce_policy 1 year

This cookie ensures that PayPal's policies regarding data protection and GDPR are enforced during the transaction process.
l7_az 1 day

This cookie is used by PayPal to manage user sessions and distribute traffic across different data centers to improve performance.
LANG 1 year

This cookie stores language preferences to ensure the PayPal interface is displayed in the user's preferred language.
ts_c 3 years

This cookie helps maintain secure transactions and ensures the safe transfer of payment information between users and PayPal.
tsrce 1 year

This cookie tracks the source of a transaction and is used for analytics and attribution by PayPal.
ts 3 years

This cookie is set by PayPal to provide fraud prevention and risk management functionality.
x-pp-s session

This cookie is used by PayPal to manage user sessions during the transaction and ensure a seamless payment experience.
__cfruid session

This cookie is used by CardinalCommerce to provide secure payments and prevent fraud during the transaction process.
BIGipServerCentinel* session

This cookie is used by CardinalCommerce to maintain session information and distribute traffic across servers.
JSESSIONID session

This cookie is used by CardinalCommerce to maintain user's session during the payment transaction for device fingerprinting.
TS* session

This cookie is used for security purposes to ensure the safety and integrity of transactions on CardinalCommerce.
NID 6 months

This cookie is used by Google Pay as part of the Braintree payment integration. It is used by Google to store user preferences and other information, such as the user's preferred language. It may also be involved in security measures to protect user accounts and data on Google Pay.
nsid session

This cookie is used by PayPal to manage user sessions during the payment process, ensuring secure and continuous interaction between the user and PayPal servers. It is essential for processing transactions through PayPal's integration.

Functional (only set if you consent):

Cookie Duration Description
YSC session Youtube sets this cookie to track the views of embedded videos on Youtube pages.
VISITOR_INFO1_LIVE 6 months YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA 6 months YouTube sets this cookie to store the user's cookie consent state for the current domain.
aw86999 30 days

This cookie is used by AWIN to track affiliate marketing activity and attribute sales to referring partners. It helps ensure that commissions are properly attributed to affiliates.
bId 1 year

This cookie assigns a unique identifier to the user, which helps AWIN track affiliate-related activity over an extended period. It ensures accurate tracking and attribution for affiliate commissions.
_aw_j_86999 3 months

This cookie tracks user sessions for affiliate marketing purposes, enabling AWIN to attribute activity on CitizenCard website to the correct affiliate partner.
_aw_sn_86999 1 year

This cookie stores session and affiliate tracking information, ensuring that activity on CitizenCard website is properly attributed to the referring AWIN affiliate.
_D9J 1 year

This cookie is used by Awin for performance optimisation to match requests containing device attribution to the same edge node. It helps in ensuring that user requests are processed efficiently by maintaining context across sessions.
awc 1 year

This cookie tracks affiliate activity and is used for proper attribution of sales to Awin affiliate partners.

Analytics (only set if you consent):

Cookie Duration Description
_ga_* 1 year 1 month 4 days Google Analytics sets this cookie to store and count page views.
_ga 1 year 1 month 4 days Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_user_id 1 year 1 month 4 days

This cookie is used by Google Analytics 4 to track registered users' interactions across sessions and devices using User-ID for analytics purposes.

How to Manage and Turn Off Cookies

You can manage your cookie preferences using our cookie banner that appears when you visit our site. If you clear your cookies or access our site from a new browser or device, the cookie banner will reappear. Additionally, you can disable cookies entirely through your browser settings. For detailed instructions, visit allaboutcookies.org or consult your browser's 'Help' section. Please note that disabling cookies might impair your experience on the site.

Our cookie banner also respects the 'Do Not Track' (DNT) setting of your browser. If DNT is enabled, our banner will prevent the placement of any tracking cookies, even if you have previously given consent to cookies on this site. This ensures that your preference for enhanced privacy is maintained.

Web Analytics Services

We use Google Analytics to better understand how visitors engage with citizencard.com and its subdomains. Google Analytics uses cookies to help us analyse site traffic and usage patterns, which in turn helps us improve your experience. Additionally, we may track registered users across devices and sessions using Google Analytics User-ID feature on online.citizencard.com which provides a more accurate analysis of customer interactions.

Google Analytics includes machine learning algorithms that generate automated insights about user behaviour and preferences. This can involve complex data processing, such as predicting trends, segmenting audiences, and identifying patterns that help us tailor our services and content. Machine learning in Google Analytics analyses data points automatically, offering insights without requiring human intervention. While this aids in improving our services, we understand the complexity of such processes, and we are committed to transparency.

Google Consent Mode (GCM) ensures that no 'Analytics' cookies are set until you provide consent. This respects your privacy choices by dynamically adjusting how Google Analytics operates based on your preferences.

For details on how Google's third-party cookies handle your data, see the Google Privacy Policy.

If you prefer not to have your data tracked by Google Analytics, you can opt out by adjusting your preferences in the cookie banner or by installing the Google Analytics Opt-out Browser Add-on.

AWIN Advertiser Program

We participate in the AWIN affiliate marketing program as an Advertiser. This means other brands and websites may publish links to our site to help promote our products and services. When you visit our site through an AWIN link, a cookie may be placed on your device to track your visit and any purchases you make, provided you consent to 'Functional' cookies. This tracking is necessary for us to attribute sales and pay commissions to the affiliates who refer customers to us.

The AWIN cookies may collect data like:

  • pages you visit on our site
  • purchases you make, including reference numbers
  • IP address, device information, and browser type
  • referring URLs and timestamps.

This data is used by AWIN to:

  • track the effectiveness of affiliate links
  • ensure proper attribution of sales and commissions to affiliates
  • provide us with aggregated reports on affiliate performance
  • improve the functionality of their tracking system.

For more details, see 'Consumers' section of AWIN Privacy Policy.

6. Legal Basis for Processing Your Personal data

With respect to personal data collected from individuals resident in the United Kingdom, our legal basis for collecting and using the personal data will depend on the personal data concerned and the specific context in which we collect it. CitizenCard will normally collect personal data from you only where:

  • we have your consent to do so
  • we need the personal data to deliver the services you have requested (e.g., process your application for a CitizenCard Proof of Age and ID card)
  • the processing is in our legitimate interests (and not overridden by your data protection interests or fundamental rights and freedoms), such as improving website functionality, analytics, and user experience (where consent is required, such as for Analytics, we will obtain it).

7. Limiting Use, Disclosure, Retention

CitizenCard identifies the purposes for which the information is being collected before or at the time of collection. The collection of your personal data will be limited to that which is needed for the purposes identified by our company. Unless you consent or we are required by law, we will only use the personal data for the purposes for which it was collected. If CitizenCard will be processing your personal data for another purpose later on, we will seek your further legal permission or consent; except where the other purpose is compatible with the original purpose. We will keep your personal data only as long as required to serve those purposes.

Retention of Personal Data

We take data retention seriously and ensure that we retain personal data only for as long as is necessary to fulfil the purposes for which it was collected or as required by applicable law. After the retention period has expired, we securely delete or anonymise personal data.

The following outlines the retention periods for different types of records:

1. Paper Records

Paper records are retained for the following maximum periods, after which they are securely shredded:

  • Successful and failed applicant records:
    Retained for 3 months after an application has been received.
  • Pending applicant records:
    Retained for 12 months after the initial application has been received.
  • Verifier registration records for Bulk scheme (available only to schools, universities, councils, prisons and charities):
    Retained for 12 months after registration has been completed.

2. Digital records

Digital records are retained for varying periods depending on the type of data. The following outlines these retention periods:

  • Customer and applicant records (including referees' data and technical data such as IP address, browser details, device information):
    Personal data related to customers and their digital applications is retained for 20 years following record creation. This allows us to facilitate replacement card applications without the need for re-verification, to enable customers to continue pending applications, and to verify the validity of cards through our verification services such as verify.citizencard.com and the PASS Card Verify app. After 20 years, the data is moved to a Secure Archive with restricted access, where it may be retained for an extended period to cooperate with law enforcement agencies if necessary.
  • Electronic communications (e.g., emails, Support Centre tickets, and any attachments):
    Communications, including emails or Support Centre messages exchanged with applicants or referees, are retained for 10 years following the most recent contact. After this period, these communications are securely deleted.
  • Photos of cards processed via the PASS Card Verify mobile app:
    Photos are stored for 30 days after image creation and are automatically deleted thereafter.
  • Card verification web-pages:
    Verification pages created through verify.citizencard.com are retained for 2 minutes after page creation, after which they are automatically deleted.
  • Card Verification results:
    Results from card verification checks, whether conducted via our secure API, on verify.citizencard.com, or through the PASS Card Verify app, are retained for 30 days following a check. After this period, all personal data associated with the verification is anonymised, meaning all identifying information is permanently removed.
  • Yoti Identity Verification (our Electronic ID Validation Technology supplier):
    For applicants using Yoti's electronic Identity Verification service, data is retained for 28 days following the completion of the verification session. After this period, the data is securely deleted.
  • Royal Mail:
    Data used by Royal Mail for delivery purposes is retained for only as long as required to provide the service, after which it is deleted.
  • Survey Data:
    Any survey responses or customer feedback used to improve our services and offerings (such as through SimpleSavings Offers or other product-related feedback) will be retained for a maximum of 1 year from the date of collection. After this period, the data will be deleted or anonymised.
  • AWIN Advertiser:
    AWIN affiliate tracking data related to referrals and commissions for customers using referral links will be retained for up to 3 years to ensure proper commission tracking and attribution. After this period, data is anonymised or deleted.
  • Analytics data:
    Technical data, including IP addresses, browser details, and device information collected via analytics tools (such as Google Analytics), is retained for up to 14 months. This includes all data, such as registered users tracked across devices via the Google Analytics User-ID feature. After this period, the data is either anonymised or deleted.
  • Payment Transaction data:
    Payment information processed through Braintree (a PayPal service), our secure payment provider, is retained in accordance with the provider's policies. This data is kept only for as long as necessary to fulfil the transaction and comply with legal obligations.
  • Phone Recordings:
    Recordings of customer service calls (where consented) are retained for 3 months after the call, after which they are automatically deleted.
  • Web server logs:
    Logs generated from web server activity, including applicant and referee data, are retained for 14 days after creation. These logs are used to monitor website security, analyse performance, detect and prevent fraudulent activity, and troubleshoot technical issues.

8. Your Access to and Updating of Your Personal Data

Reasonable access to your personal data may be provided upon request made to CitizenCard via email at This email address is being protected from spambots. You need JavaScript enabled to view it.. If access cannot be provided within that time frame, CitizenCard will provide the requesting party a date when the information will be provided. If for some reason access is denied, we will provide an explanation as to why access has been denied.

If you are a CitizenCard cardholder, you can update your information e.g., address or contact details, and we encourage you to do so on Update Your Personal Details page.

If you would like us to delete any personal data held about you, we will do so on request unless we need to hold the information as part of the provision of products and services to you. Data removal requests should be sent (include your name and CitizenCard card number) via email to This email address is being protected from spambots. You need JavaScript enabled to view it..

9. Communications Preferences

We offer those who provide personal contact information a means to choose how we use the information provided (for instance to enable us to communicate via email, letter and/or SMS). You may manage your receipt of communications by clicking on the 'unsubscribe' link located on the bottom of our emails.

Users of our services registered at online.citizencard.com can manage their communication preferences in the 'Update Communication Preferences' section of their online account.

10. Additional Rights

You may have the right to exercise additional rights available to you under UK applicable laws, including:

Right of erasure

You may have a broader right to erasure of personal data that we hold about you. For example, if it is no longer necessary in relation to the purposes for which it was originally collected. Please note, however, that we may need to retain certain information for record keeping purposes or to comply with our legal obligations.

Right to object to processing

You may have the right to request that we stop processing your personal data and/or to stop sending you marketing communications.

Right to restrict processing

You may have the right to request that we restrict processing of your personal data in certain circumstances. For example, where you believe that the personal data we hold about you is inaccurate or unlawfully held.

Right to data portability

In certain circumstances, you may have the right to be provided with your personal data in a structured, machine-readable and commonly used format and to request that we transfer the personal data to another data controller without hindrance.

If you would like to exercise any of the above rights, please contact our support team via email at This email address is being protected from spambots. You need JavaScript enabled to view it.. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request. You also have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority.

11. Changes to Our Privacy Policy

We may amend this Privacy Policy at any time by posting a new version. Your continued use of this site and our products and services represents your agreement with the then-current Privacy Policy. Changes to the Privacy Policy will take effect immediately, but we will notify you of significant changes through a prominent notice on our website.

12. Contacting Us

If you have any questions about this Privacy Policy, the practices or concerns of this site, please contact our support team via email at This email address is being protected from spambots. You need JavaScript enabled to view it..