Privacy Notice

Effective Date: 14 August 2025

This Privacy Notice applies if you use any of our Platforms, which may include Student Beans, GradBeans, Beans ID, our websites, mobile applications, or any other related services (the "Platforms").

This notice explains what personal data we collect, how we use it, who we share it with, and how we keep it safe. It applies to all users of our websites, mobile applications, and related services, regardless of location.

1. Who We Are and What We Do

The Platforms are operated by The Beans Group and its affiliated companies:

  • The Beans Group Limited (UK)
  • The Beans Group Inc. (US)
  • Student Beans Pty Ltd (Australia)

Depending on your location, one of these entities is the "data controller" of your personal data. We operate verification-based marketplaces providing exclusive offers to members of closed consumer groups (e.g. students, grads, key workers), in partnership with global brands.

2. What Information We Collect

We collect the following categories of data:

a. Information you provide directly

  • Name
  • Email address
  • Platform password
  • Date of birth
  • Gender (optional)
  • Country
  • School, university, or workplace details (for eligibility verification)
  • Expected year of graduation (students only)
  • Expiry of your closed consumer status
  • Any documents or data you upload for verification (e.g. student ID, proof of employment)
  • Preferences, feedback, and support queries

b. Information we collect automatically

  • Account creation time and activity
  • Code issuance activity
  • IP address, device ID, browser type
  • Location data (if permitted)
  • Log data and usage analytics (e.g. page views, clicks, interactions)
  • Cookie data and advertising identifiers

c. Information we receive from third parties

  • Verification partners or educational institutions: We may receive information confirming your eligibility for membership or verifying your status within a consumer group.
  • Affiliate networks and marketing partners: When you activate or redeem a code, we may receive confirmation of the transaction (e.g. brand name, time/date, products purchased).
  • Brands when you redeem codes: Brands do not routinely share personal data with us, but may contact us in limited cases (e.g. suspected misuse) to help us review and address issues.

3. How We Use Your Information

We use your personal data to:

  • Verify your eligibility for our Platforms and on behalf of the brands we work with
  • Provide you with access to offers and benefits
  • Personalise content, emails, and in-app experiences
  • Prevent fraud and unauthorised code/discount sharing
  • Administer surveys, competitions, and marketing campaigns
  • Analyse Platform usage and improve functionality
  • Comply with legal and regulatory obligations
  • Communicate with you, for example to respond to questions you've asked us or to contact you with important updates about the Platforms

Use of Automated Tools and AI in Verification

We use automated tools, including AI, to help assess whether users are eligible for closed consumer group offers, based on the information and documentation they provide. This includes checks designed to detect fraudulent, invalid, or AI-generated submissions.

This processing supports our legitimate interest in maintaining the security and integrity of our services, and ensuring that offers are only made available to eligible users. We do not make decisions based solely on automated processing. Where a tool flags a potential issue, a trained member of our team will always review the case before any final decision is made.

In future, we may also use image-based verification tools to help identify falsified or inauthentic ID documents. These tools may involve the processing of facial imagery and other features that could constitute biometric data under data protection law. Where this applies, we ensure additional safeguards are in place, including appropriate legal justification, human oversight, and strict documentation of how the tool is used.

If we believe, in our sole discretion, that you have breached these Terms, including through the submission of fraudulent information, unauthorised code sharing, or misuse of offers, we may suspend or permanently disable your access to the Platforms, with or without notice.

4. Marketing and Membership Programmes

With your consent, we may:

  • Share your personal data (e.g. name, email, consumer group, verified/non-verified status, country, verification expiry date, your consumer ID) with selected brand partners.

Brands we share your data with become independent data controllers. You can withdraw your consent and request deletion of your personal data with them, or manage your preferences via your account.

In some cases, brands may offer loyalty or membership programmes only for certain consumer groups. If you want to access one of these offers, we may ask for your permission to share limited tokenised information with the brand (this means sharing coded information that confirms your eligibility, not your full personal details), including:

  • Your consumer ID
  • Your consumer group and verified/non-verified status
  • The verification expiry date

If you choose not to share this information, you may not be able to access the brand's membership programme.

5. Sharing Your Data

We may share your personal data with trusted third parties when necessary to operate our services or meet legal obligations. This includes:

  • Brand and affiliate partners (e.g. to validate eligibility or investigate misuse)
  • Advertising and analytics providers (to improve your experience)
  • Technical service providers (e.g. email platforms, hosting providers, fraud detection tools)
  • Legal, regulatory, or enforcement authorities (where required by law)

Some of these partners may be located outside the UK or EU. Where this happens, we ensure your data remains protected through safeguards such as standard contractual clauses or the UK International Data Transfer Agreement.

We only share what's necessary, and never more than is required to deliver the service or comply with the law.

We rely on the following legal grounds to process your data:

  • Performance of a contract: To provide services under our Member Terms
  • Legitimate interests: To run, improve, and secure our services
  • Consent: For sending you marketing and sharing data with brand partners
  • Legal obligation: Where required by law

Where we rely on legitimate interests, you have the right to object to this processing. We will assess your request and stop processing your data unless we can demonstrate compelling grounds to continue.

7. How Long We Keep Your Data

We retain your data only as long as necessary:

  • For the purpose it was collected
  • To comply with legal obligations
  • To resolve disputes and enforce our rights

Dormant accounts may be flagged or deleted after 12 months of inactivity. Some data may be anonymised and kept for longer, for example, to help improve fraud detection tools or support system training.

8. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or outdated data
  • Delete your data (unless we have a valid reason to keep it)
  • Object to or restrict how your data is used
  • Withdraw consent where that was the basis for processing
  • Request a copy of your data (data portability)

To exercise any of these rights, contact us at infosec@wearepion.com. We may need to confirm your identity before responding.

You also have the right to lodge a complaint with your national data protection authority.

9. Cookies and Tracking

We use cookies and similar technologies to:

  • Help you stay logged in
  • Measure how people use our Platforms
  • Show relevant ads and offers

You can manage cookie preferences in your browser settings.

10. Data Security

We take steps to protect your data, including:

  • Encryption and secure storage
  • Access controls and audit logs
  • Staff training and incident response plans

No system is 100% secure, but we take these risks seriously. Please contact us immediately if you believe your data may have been compromised.

11. Children's Privacy

We don't knowingly collect data from children under 13. If you think a child has given us personal data, please contact us and we will delete it.

12. Changes to This Notice

We may update this Privacy Notice occasionally. If the changes are significant, we'll notify you on the Platform or by email. Using the Platform after an update means you accept the changes.

13. Contact Us

DPO

The Beans Group, 1 Vincent Square, London, SW1P 2PN

Email: infosec@wearepion.com