FLURZI COMMIT
Privacy Policy
Flurzi Mobile App Limited
Company No. 16640198
16 Honiley Way, Coventry, CV2 1SN, United Kingdom
Version 1.0 | Effective Date: March 4, 2026
1. INTRODUCTION AND SCOPE
Flurzi Mobile App Limited ("Flurzi", "we", "us", or "our") is committed to protecting and respecting the privacy of all individuals who use the Flurzi Commit platform. This Privacy Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. It applies to all users of the Flurzi Commit web application, mobile application, and associated services (collectively, the "Platform").
This Policy is written in compliance with the UK General Data Protection Regulation ("UK GDPR") as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018. It should be read alongside our Terms and Conditions of Service.
Please read this Policy carefully to understand our practices regarding your personal data and how we will treat it. If you have any questions about how we handle your personal data, please contact us using the details provided in Section 2.
TABLE OF CONTENTS
1. Introduction and Scope
2. Data Controller Details and Contact Information
3. Definitions
4. Categories of Personal Data We Collect
5. How We Collect Personal Data
6. Legal Bases for Processing Under UK GDPR
7. Purposes of Processing
8. Automated Decision-Making and Profiling
9. Sharing Personal Data with Third Parties
10. Data Processors
11. International Transfers of Personal Data
12. Data Retention Schedule
13. Security Measures
14. Data Subject Rights
15. Cookies and Tracking Technologies
16. Children's Data
17. Changes to This Privacy Policy
18. How to Complain — ICO Reference
2. DATA CONTROLLER DETAILS AND CONTACT INFORMATION
2.1 For the purposes of the UK GDPR and the Data Protection Act 2018, the Data Controller in respect of the personal data processed in connection with the Platform is:
Flurzi Mobile App Limited
Company Number: 16640198
Registered Office: 16 Honiley Way, Coventry, CV2 1SN, United Kingdom
Email: [INSERT DATA PROTECTION CONTACT EMAIL]
2.2 We have appointed a responsible person within our organisation to oversee compliance with data protection obligations. Queries, requests relating to your data subject rights, and complaints regarding our data processing practices should be directed to the contact address above.
2.3 We are registered with the Information Commissioner's Office (ICO). Our ICO registration number is [INSERT ICO REGISTRATION NUMBER]. The ICO is the UK's independent supervisory authority for data protection.
3. DEFINITIONS
3.1 "Data Controller" means the natural or legal person who determines the purposes and means of the processing of personal data. In relation to the Platform, the Data Controller is Flurzi Mobile App Limited.
3.2 "Data Processor" means a natural or legal person who processes personal data on behalf of the Data Controller.
3.3 "Data Subject" means the identified or identifiable natural person to whom personal data relates. In the context of this Policy, this includes all Members and users of the Platform.
3.4 "Personal Data" has the meaning given under the UK GDPR: any information relating to an identified or identifiable natural person.
3.5 "Processing" has the meaning given under the UK GDPR: any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, erasure, or destruction.
3.6 "Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for the purpose of uniquely identifying a natural person), data concerning health, or data concerning a natural person's sex life or sexual orientation.
3.7 "UK GDPR" means the retained version of Regulation (EU) 2016/679 of the European Parliament and of the Council as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
4. CATEGORIES OF PERSONAL DATA WE COLLECT
4.1 Identity and Contact Data
4.1.1 We collect and process the following categories of identity and contact data: full legal name; date of birth; home address (including postcode); email address; telephone number; and any other contact information provided by the Member during registration or in the course of using the Service.
4.2 Financial and Payment Data
4.2.1 In connection with the operation of Commit Plans, we collect and process the following financial and payment data: bank account details (where Direct Debit is used); payment card details (processed and stored by our Payment Processors on our behalf — we do not store full card numbers); transaction records, including payment dates, amounts, and status; Contribution Balance records; fee payment records; and payment failure and chargeback records.
4.2.2 Full payment card numbers are not stored by us. Card data is tokenised and managed by Stripe in accordance with PCI DSS standards. We store only a tokenised reference that enables us to instruct Stripe to collect payments from the Member's card.
4.3 Account and Usage Data
4.3.1 We collect and process account and usage data, including: account login credentials (passwords stored in hashed and salted form); login timestamps and authentication records; device identifiers and browser information; IP addresses; session activity logs; Platform feature usage data; and support correspondence and complaint records.
4.4 Plan Activity Data
4.4.1 We collect and process data related to Commit Plan activity, including: Plan election details (term, payment frequency, amount); payment schedule records; Late Payment and Missed Payment records; Suspension and Cancellation records; Completion records; and Plan Cap status records.
4.5 Verification Data
4.5.1 For the purposes of identity verification and fraud prevention, we may collect and process: government-issued identification documents (where identity verification is required); biometric data (where applicable and only to the extent permitted by law and with explicit consent); data obtained from third-party identity verification providers; and fraud prevention database search results.
4.6 Special Category Data
4.6.1 We do not seek to collect Special Category Data as part of the ordinary operation of the Platform. In the event that a Member voluntarily discloses Special Category Data in the course of using the Platform (for example, in a support communication), we will process such data only to the extent necessary to respond to the Member's enquiry and will not retain it beyond the duration of that interaction unless required by law.
5. HOW WE COLLECT PERSONAL DATA
5.1 We collect personal data through the following means:
5.1.1 Directly from Members: the majority of personal data we process is provided directly by Members during Account registration, Plan establishment, payment method setup, and in communications with our customer support function.
5.1.2 Automatically through the Platform: we collect certain technical and usage data automatically when Members access and interact with the Platform, including through cookies, web analytics tools, and server log files.
5.1.3 From third-party sources: we may receive personal data from third-party sources, including our Payment Processors (Stripe and GoCardless), identity verification providers, fraud prevention agencies, and credit reference agencies, to the extent necessary for the legitimate operation of the Service.
6. LEGAL BASES FOR PROCESSING UNDER UK GDPR
We process personal data only where we have a lawful basis for doing so under Article 6 of the UK GDPR. The lawful bases we rely upon are as follows:
| Processing Activity | Legal Basis (Article 6 UK GDPR) | Details |
|---|---|---|
| Account registration and identity verification | Article 6(1)(b) — Performance of a contract | Necessary to establish the contractual relationship with the Member. |
| Processing payments and managing Commit Plans | Article 6(1)(b) — Performance of a contract | Core to the delivery of the Service. |
| Fraud prevention and security monitoring | Article 6(1)(f) — Legitimate interests | We have a legitimate interest in protecting the integrity of the Platform and our business from fraud and misuse. |
| Compliance with legal obligations | Article 6(1)(c) — Legal obligation | We process data to meet our legal obligations under applicable UK law, including financial record-keeping and co-operation with regulatory authorities. |
| Marketing communications (where opted in) | Article 6(1)(a) — Consent | Where Members have opted in to receiving marketing communications. Consent may be withdrawn at any time. |
| Service improvement and analytics | Article 6(1)(f) — Legitimate interests | We have a legitimate interest in improving the quality and functionality of the Platform. |
| Dispute resolution and legal claims | Article 6(1)(f) — Legitimate interests; Article 6(1)(c) — Legal obligation | Processing is necessary for the establishment, exercise, or defence of legal claims. |
6.1 Where we rely on legitimate interests as our legal basis, we have conducted a legitimate interests assessment to ensure that our interests do not override the fundamental rights and freedoms of the Data Subject. Members may object to processing based on legitimate interests at any time in accordance with Section 14.
6.2 Where we rely on consent as our legal basis, Members have the right to withdraw consent at any time by contacting us or by using the opt-out functionality available on the Platform. Withdrawal of consent shall not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.
7. PURPOSES OF PROCESSING
7.1 We use personal data for the following purposes:
7.1.1 To establish and administer Members' Accounts, including identity verification and authentication.
7.1.2 To deliver the Service, including the establishment, management, and administration of Commit Plans.
7.1.3 To process payments and collect fees in connection with Commit Plans, including through our Payment Processors.
7.1.4 To maintain accurate financial records, including the Internal Ledger tracking of Contribution Balances.
7.1.5 To detect, prevent, and investigate fraud, money laundering, and other unlawful activities in connection with the Platform.
7.1.6 To communicate with Members regarding their Account, Plans, and the Service generally, including sending notifications regarding payment status, Plan Completion, Missed Payments, and account updates.
7.1.7 To respond to Member enquiries, complaints, and requests.
7.1.8 To comply with our legal and regulatory obligations, including applicable financial record-keeping requirements, anti-money laundering obligations, and obligations arising from court orders or regulatory requests.
7.1.9 To improve, develop, and maintain the Platform and its features.
7.1.10 To conduct statistical analysis and internal reporting for business management purposes, using anonymised or pseudonymised data where feasible.
7.1.11 To send marketing communications to Members who have opted in to receive them.
8. AUTOMATED DECISION-MAKING AND PROFILING
8.1 Nature of Automated Processing
8.1.1 The Platform employs automated processes to perform certain administrative and risk management functions in connection with the operation of Commit Plans. These automated processes include: (a) assessing whether a Member satisfies the eligibility conditions for elevation to the Elevated Plan Cap pursuant to Clause 9.2 of the Terms and Conditions; (b) monitoring payment activity to detect Late Payments and Missed Payments and to trigger automated notifications and threshold alerts; (c) automated fraud and anomaly detection screening applied to account activity and transactions; and (d) automated assessment of whether a Suspend or Cancel threshold has been met in accordance with the Terms and Conditions.
8.1.2 The automated processes described in Clause 8.1.1 produce outcomes that may have legal or similarly significant effects on Members. In particular, the automated application of Suspension or Cancellation triggers based on payment history constitutes automated decision-making within the meaning of Article 22 of the UK GDPR.
8.2 Your Rights Regarding Automated Decisions
8.2.1 Where a decision is made about a Member's Account or Plans through a solely automated process and that decision produces a significant effect on the Member, the Member has the right to: (a) request human review of the automated decision by a member of the Company's staff; (b) express their point of view in relation to the decision; and (c) contest the decision.
8.2.2 Members who wish to exercise their rights in connection with an automated decision should contact the Company using the contact details in Section 2. The Company will respond to such requests within thirty (30) calendar days.
8.3 Profiling
8.3.1 We may use payment activity data and Plan history data to create a profile of each Member's payment behaviour for the purpose of assessing risk, applying the Plan Cap and Elevated Cap rules, and conducting fraud detection. This profiling is carried out in accordance with the legal bases described in Section 6 and does not involve the use of sensitive characteristics or discriminatory profiling.
9. SHARING PERSONAL DATA WITH THIRD PARTIES
9.1 We do not sell personal data to third parties. We will not share personal data with third parties for their own marketing purposes without the explicit consent of the Member. We share personal data with third parties only in the following circumstances:
9.1.1 Payment Processors: We share necessary personal and payment data with Stripe and GoCardless for the purpose of processing payments in connection with Commit Plans. Each of these processors acts as a Data Processor on our behalf under appropriate data processing agreements.
9.1.2 Identity Verification Providers: Where identity verification is required, we may share relevant personal data with third-party identity verification providers for the purpose of verifying a Member's identity. These providers act as Data Processors on our behalf.
9.1.3 Fraud Prevention Agencies: We may share data with fraud prevention agencies and databases where we have reasonable grounds to suspect fraudulent activity, or as part of our routine fraud screening measures.
9.1.4 Legal and Regulatory Authorities: We may disclose personal data to law enforcement authorities, regulatory bodies, courts, or other government authorities where we are required to do so by law, court order, or regulatory requirement, or where disclosure is necessary for the prevention or detection of crime.
9.1.5 Professional Advisers: We may share data with our legal advisers, auditors, accountants, and insurers where necessary for the provision of their professional services to us.
9.1.6 Business Transfers: In the event of a merger, acquisition, business sale, or restructuring, personal data held by us may be transferred to the relevant third party, subject to that party agreeing to treat the data in accordance with this Policy or an equivalent standard of protection.
10. DATA PROCESSORS
10.1 We engage the following principal Data Processors in connection with the operation of the Platform and the Service. All Data Processors are engaged under written data processing agreements that comply with the requirements of Article 28 of the UK GDPR:
| Processor | Purpose | Data Categories | Location |
|---|---|---|---|
| Stripe Payments Europe, Ltd | Primary payment processing, card tokenisation, transaction management | Payment data, transaction records, identity data | Ireland / EEA (with global infrastructure) |
| GoCardless Ltd | Direct Debit processing and mandate management | Bank account details, transaction records | United Kingdom |
| [Identity Verification Provider — to be inserted] | Identity verification and KYC screening | Identity documents, biometric data (where applicable) | [To be confirmed] |
| [Cloud Hosting Provider — to be inserted] | Platform hosting and data storage | All categories of personal data held on the Platform | [To be confirmed] |
10.2 We review our Data Processor relationships on a regular basis to ensure that they continue to provide adequate levels of data protection. We do not appoint sub-processors without appropriate contractual safeguards being in place.
11. INTERNATIONAL TRANSFERS OF PERSONAL DATA
11.1 As a UK-based service, we process personal data primarily within the United Kingdom. However, some of our Data Processors, including Stripe, operate infrastructure globally, which may result in personal data being transferred to countries outside the United Kingdom.
11.2 We will only transfer personal data to a country or territory outside the United Kingdom where one of the following safeguards is in place: (a) the country or territory has been designated by the UK Secretary of State as providing an adequate level of protection for personal data under Section 17A of the Data Protection Act 2018 (an "Adequacy Regulation"); (b) the transfer is governed by the UK International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum (UK Addendum) to the EU Standard Contractual Clauses, as approved by the Information Commissioner; (c) the transfer is covered by a binding corporate rules arrangement approved by the ICO; or (d) an applicable exception under UK GDPR Schedule 4 applies.
11.3 Where personal data is transferred to the United States or other countries that do not have an applicable adequacy designation, we will ensure that appropriate safeguards are implemented in accordance with the requirements of the UK GDPR and the Data Protection Act 2018.
11.4 In anticipation of future EU and international expansion, the Company will put in place appropriate transfer mechanisms for any new jurisdictions in which it processes personal data, including where necessary the use of EU Standard Contractual Clauses (Module 1 or Module 2 as applicable) in addition to UK-specific transfer mechanisms.
11.5 Members may request a copy of the relevant transfer safeguards applicable to their personal data by contacting us using the details in Section 2.
12. DATA RETENTION SCHEDULE
12.1 We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention schedule sets out our standard retention periods for principal categories of personal data:
| Category of Data | Retention Period | Legal / Operational Basis for Retention |
|---|---|---|
| Account registration data (name, DOB, address, email) | Duration of Account + 7 years after Account closure | Contractual obligation and statutory financial record-keeping requirements under the Companies Act 2006 and HMRC guidelines. |
| Financial transaction and payment records | 7 years from the date of the transaction | Statutory requirements under the Companies Act 2006, HMRC guidelines, and applicable anti-money laundering regulations. |
| Commit Plan records (schedules, Contribution Balances, fees) | Duration of Plan + 7 years after Plan closure | Contractual obligation; statutory record-keeping; potential litigation limitation period. |
| Identity verification documents | Duration of Account + 5 years after Account closure | Anti-Money Laundering requirements; fraud prevention; legal claims. |
| Payment failure and chargeback records | 7 years from the date of the event | Fraud prevention; legal claims; statutory record-keeping. |
| Correspondence and support communications | 3 years from the date of correspondence | Operational records; potential legal claims. |
| Complaint records | 7 years from the date of complaint resolution | Regulatory obligation; potential legal claims; audit trail. |
| Marketing consent records | Until consent withdrawn + 3 years thereafter | Evidential record of consent under UK GDPR Article 7. |
| System access logs and security audit logs | 12 months from date of generation | Security monitoring; fraud detection; incident investigation. |
12.2 Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised in a manner that prevents the identification of the individual to whom the data relates. Where data is anonymised, it may be retained indefinitely for statistical and analytical purposes.
12.3 Where a legal dispute, investigation, or regulatory inquiry is ongoing at the time a retention period would otherwise expire, we will retain the relevant data until the matter is resolved and any applicable limitation period for related claims has passed.
13. SECURITY MEASURES
13.1 We take the security of personal data seriously and have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. Our security measures include, but are not limited to, the following:
13.1.1 Encryption: personal data in transit is protected using Transport Layer Security (TLS) encryption. Personal data at rest is encrypted using industry-standard encryption algorithms.
13.1.2 Access Controls: access to personal data is restricted on a need-to-know basis. Role-based access controls are implemented to ensure that only authorised personnel can access sensitive data. All access is logged and audited.
13.1.3 Password Security: Member passwords are stored in hashed and salted form using a secure hashing algorithm. We do not store passwords in plain text.
13.1.4 Multi-Factor Authentication: where available, we support and encourage the use of multi-factor authentication for Member Accounts.
13.1.5 Payment Card Data Security: we comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements applicable to our level of card data handling. Full card numbers are tokenised by Stripe and are not stored in our systems.
13.1.6 Third-Party Security Assessments: we conduct or commission periodic security assessments of our infrastructure and review the security posture of our principal Data Processors.
13.1.7 Personnel Training: all personnel with access to personal data receive appropriate training on data protection obligations and security procedures.
13.1.8 Incident Response: we maintain a data breach and security incident response procedure, as further described in our Compliance and Risk Governance Framework.
13.2 In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Information Commissioner's Office (ICO) without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals directly in accordance with Article 34 of the UK GDPR.
13.3 Notwithstanding our security measures, no method of electronic transmission or storage is completely secure. Members are responsible for maintaining the security of their own devices and Account credentials.
14. DATA SUBJECT RIGHTS
Under the UK GDPR, Members have the following rights in respect of their personal data:
14.1 Right of Access (Article 15 UK GDPR): You have the right to request a copy of the personal data we hold about you and information about how we process it. We will respond to Subject Access Requests within one (1) calendar month of receipt. We may extend this period by a further two (2) months for complex or numerous requests, in which case we will inform you of the extension within one month of receipt of your request.
14.2 Right to Rectification (Article 16 UK GDPR): You have the right to require us to correct any inaccurate personal data we hold about you and to complete any incomplete personal data. Members may update certain Account details directly through the Platform.
14.3 Right to Erasure (Article 17 UK GDPR): You have the right to request the deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, or where you withdraw consent (where consent is the lawful basis for processing). The right to erasure is not absolute and does not apply where we are required to retain the data to comply with a legal obligation, for the establishment, exercise, or defence of legal claims, or for other reasons specified in the UK GDPR.
14.4 Right to Restriction of Processing (Article 18 UK GDPR): You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful but you oppose erasure, or where we no longer need the data but you require it for the establishment, exercise, or defence of legal claims.
14.5 Right to Data Portability (Article 20 UK GDPR): Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that we transmit the data to another controller where technically feasible.
14.6 Right to Object (Article 21 UK GDPR): You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing for that purpose immediately. Where you object to processing based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless processing is necessary for the establishment, exercise, or defence of legal claims.
14.7 Rights in Relation to Automated Decision-Making: As described in Section 8, you have the right to request human review of automated decisions that significantly affect you, to express your point of view, and to contest the decision.
14.8 Right to Withdraw Consent: Where we process your personal data on the basis of your consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
14.9 To exercise any of the rights described in this Section, please contact us using the details provided in Section 2. We may need to verify your identity before processing your request. We will not charge a fee for exercising data subject rights unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act on the request.
15. COOKIES AND TRACKING TECHNOLOGIES
15.1 The Platform uses cookies and similar tracking technologies to enhance the user experience, maintain session state, conduct analytics, and support security functions. A cookie is a small text file placed on your device when you access the Platform.
15.2 We use the following categories of cookies on the Platform:
15.2.1 Strictly Necessary Cookies: These cookies are essential for the operation of the Platform and cannot be disabled. They include session cookies necessary for authentication, security, and the basic functionality of the Platform. No consent is required for strictly necessary cookies.
15.2.2 Analytical/Performance Cookies: These cookies allow us to measure and analyse how Members use the Platform in order to improve its performance and functionality. These cookies are only set where you have provided your consent.
15.2.3 Functionality Cookies: These cookies enable the Platform to remember your preferences and settings to provide a more personalised experience.
15.3 When you first access the Platform, you will be presented with a cookie consent notice that allows you to manage your cookie preferences. You may withdraw or update your consent at any time through the Platform's cookie settings. Please note that disabling certain categories of cookies may affect the functionality of the Platform.
15.4 A full list of the cookies used on the Platform, including their names, purposes, and retention periods, is set out in our Cookie Policy, which is available on the Platform.
16. CHILDREN'S DATA
16.1 The Platform and the Service are intended exclusively for adults aged eighteen (18) years and over. We do not knowingly collect, process, or retain personal data from persons under the age of eighteen (18).
16.2 By registering for an Account, Members warrant that they are aged eighteen (18) or over. If we become aware that we have inadvertently collected personal data from a person under the age of eighteen (18), we will take immediate steps to delete that data from our systems.
16.3 If you are a parent or guardian and you believe that your child has provided personal data to us without your consent, please contact us immediately using the details in Section 2.
17. CHANGES TO THIS PRIVACY POLICY
17.1 We reserve the right to update or amend this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or the features of the Platform.
17.2 Where changes are material, we will notify Members by email and through the Platform, with at least thirty (30) calendar days' notice of the change taking effect. Non-material changes, such as corrections of typographical errors or minor clarifications, may be made without prior notice.
17.3 The current version of this Privacy Policy is always available on the Platform. The date of the last update is shown at the foot of this Policy. Members are encouraged to review this Policy periodically.
18. HOW TO COMPLAIN — ICO REFERENCE
18.1 If you have concerns about how we handle your personal data and you are not satisfied with our response to your complaint, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), which is the UK's independent supervisory authority for data protection.
18.2 The ICO's contact details are as follows:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
18.3 Before lodging a complaint with the ICO, we encourage Members to contact us directly to allow us the opportunity to address any concerns. We will always endeavour to resolve data protection complaints promptly and in good faith.
18.4 Members resident in EU member states following future expansion will additionally have the right to lodge complaints with the relevant supervisory authority in their member state of habitual residence.
——————————————————————————————————————————————
Flurzi Mobile App Limited | Company No. 16640198 | 16 Honiley Way, Coventry, CV2 1SN
Privacy Policy Version 1.0 | Last Updated: March 4, 2026
Flurzi Commit Legal