Privacy Policy
INTRODUCTION
We, The Right Fuel Card (‘RFC’), respect your privacy and are committed to protecting your personal data. This Privacy Policy (‘Policy) outlines how RFC processes your personal data when you visit our website (Fuel Cards | Efficient Solutions for Your Business (rightfuelcard.co.uk)) (‘Website’), purchase a product or subscribe to our services (altogether ‘Services’).
This Policy explains RFC’s approach to any Personal Data that we might collect from you, or which we have obtained about you from a third party, and the purpose for which we process your Personal Data in our capacity as a Controller. It also describes your rights in respect of our processing of your Personal Data.
We process Personal Data in the countries in which we are established, including the United Kingdom and the European Economic Area (‘EEA’) and in other countries, where third parties that we may use are based.
While processing the Personal Data, we comply with the principles and rules of the UK GDPR.
By transferring Personal Data to a third party where RFC is acting as a controller, we have the full responsibility that the processing of the third party as a processor takes place under the GDPR principles. RFC shall remain liable under the GDPR Principles if its processors process Personal Data in a manner inconsistent with the GDPR Principles, unless RFC proves that it is not responsible for the event giving rise to the damage.
This Notice only applies to the use of your Personal Data by us or on our behalf; it does not apply to:
Personal Data collected by third parties during your communications / dealings with those third parties or your use of their products or services (for example, where you allow links to third-party websites over which we have no control).
Personal Data processed, stored, or hosted by us when we act as a Processor on behalf of our customers in the course of providing our Services, in which case the privacy statement of the relevant Customer will apply, and our data processing agreement with such Customer will govern our processing of your Personal Data.
In this Policy, the terms ‘Commission’, ‘cross-border transfer’ ‘, data breach’, ‘(data) controller’, ‘(data) processor’, ‘data subject’, ‘(personal) data’, ‘processing’, ‘supervisory authority’ shall have the meaning attributed under GDPR.
The terms below shall have the following meaning when used in this Policy:
Cookie Policy
Our Website cookie policy, available here
DPO
Data Protection Officer
EEA
European Economic Area
EU
European Union
GDPR
General Data Protection Regulation of the EU no 2016/679
Group
Edenred group to which RFC belongs
RFC
The Right Fuelcard Company, including its affiliates and subsidiaries
Terms and Conditions
Our online terms and conditions in their latest published version available here
We, our, us
RFC
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller
UK
The United Kingdom
Website
Fuel Cards | Efficient Solutions for Your Business (rightfuelcard.co.uk)
Principal
TRFC (an issuer of fuel cards which provide a convenient way for businesses to pay for their fuel by allowing them to buy fuel and pay for it later)
Introducer or Introducer Appointed Representative
An external, third-party provider who introduces its members to the principal with a view to them entering a Relevant Contract for the issuance of a Fuel Card
WHO ARE WE?
RFC is based in the UK. Our parent company, Edenred, is based in France with subsidiaries worldwide, and limited personal data may be accessed from those locations, too. In both cases, the personal data used in those locations is protected by UK and European data protection standards.
RFC acts as a data controller for your personal data and has appointed a DPO, who can be contacted at:
The Right Fuelcard Company
DPO
One The Embankment, Neville Street, Leeds, LS1 4DW
DPO@rightfuelcard.co.uk
or via this form
WHAT PERSONAL DATA DOES RFC COLLECT AND WHO WE COLLECT PERSONAL DATA ABOUT
We only collect the following personal data of a professional nature (as our Services are solely intended for businesses):
Purpose
Type of Data
Legal Basis
Identity of contact person (full name, title, email, signature, date of birth)
Contact (telephone numbers, email, preferences)
Company details (legal name, registered and billing address, registration number, type)
Fleet information (fuelcards, type, mileage, vehicle registration, drivers’ names)
Company banking details
Performance of a contract (our Terms and Conditions):
For fraud prevention and risk control
Proof of identity and address
Creditworthiness (balance sheets, credit checks)
Debt recovery tracing
Our legitimate interests (to control our financial risks)
For payment collection
Identity
Contact details
Company banking details
Transaction details (drawings)
Company information
Performance of a contract (our Terms and Conditions)
To provide you with the necessary information (ie. about policies or legal changes
Identity
Contact
Customer profile (active / inactive)
Performance of our legal or contractual obligation (to inform you)
For review and survey
Identity
Contact details
Review or feedback message content
Our legitimate interest (to improve our services, offers and customer experience)
To partake in a prize draw or competition
Identity
Contact
Customer profile
Services use
Transaction
Marketing preferences
Our legitimate interest (to offer you to join in)
Your consent (your marketing preferences)
For our Website administration and security
Digital data (credentials, IP addresses, website interactions)
Technical data (incidents, support requests, etc)
Our legitimate interests (to secure our Website and provide you with technical support)
To personalise our Website’s content and advertisements
Digital data (analytics, browsing, interests, IP addresses or credentials)
Technical data
Marketing preferences
Our legitimate interests (to improve customers experience and offer your personalised content)
Your consent (see our Cookie Policy)
To improve our Website
Technical data
Website usage
Our legitimate interests (to improve our Website)
Your consent (see our Cookie Policy)
To send you offers
Identity
Contact
Technical data
Usage data
Customer profile
Our legitimate interests (to develop our business)
Your consent (opt-in, absence of opt-out or soft opt-in)
To access and manage your account
Identity
Contact
Identity
Registration and login dates
Account information
Balances
Transaction data (statement history, drawings, balance)
Invoicing data (invoices, billing address)
Dispute and complaint handling
Performance of a contact (our Terms and Conditions)
To contact us
Identity
Email
Account number
Enquiry type and content
Any attachments you may submit
Your consent (to this Privacy)
Our legitimate interest (to address your enquiry)
WHAT IF YOU FAIL TO PROVIDE PERSONAL DATA?
Please note that where we need to collect personal data by law or contract, if you fail to provide the necessary data, we will not be able to provide you with our services and products without liability or costs for us. It is essential that you ensure that your personal data is accurate and current. Please keep us informed of any changes by clicking here.
HOW IS YOUR PERSONAL DATA COLLECTED?
We use different methods to collect data from and about you, through:
Direct interactions - when you apply for our Services, subscribe to marketing communications, etc.
Automated technologies or interactions - when you interact with our Website;
Third parties or publicly available sources - financial data from providers, identity data from Companies House.
HOW DO WE USE YOUR PERSONAL DATA AND WHAT LEGAL BASIS DO WE RELY ON?
The UK’s data protection laws allow the use of personal data where its purpose is legitimate and is not outweighed by the interests, fundamental rights or freedoms of data subjects. The law calls this the Legitimate Interests condition for personal data processing. The Legitimate Interests being pursued by RFC are:
To validate that an identity exists and verify that an individual presenting an identity is the true owner of that identity.
Verifying that information, such as age, residency, address history, and financial details supplied, is accurate.
Detecting and presenting criminal activity, fraud and money laundering.
Profiling, statistical analysis and fraud detection and prevention.
Other purposes for which you have given your consent or where required / permitted by law.
In addition, RFC may obtain your consent to contact you regarding new products or other marketing activities.
The use of personal data is subject to an extensive framework of safeguards that balance the legitimate interests set out above with the fundamental rights and freedoms of the people whose data is used and shared. The framework includes information given to people about how their personal data will be used and how they can exercise their rights to obtain their personal data, have it corrected, erased, or restricted, object to it being processed and complain if they are dissatisfied. It also includes extensive due diligence checks on clients, robust contractual arrangements, and internal data management processes. These safeguards help sustain a fair and appropriate balance and to protect the rights and freedoms of individuals.
LEGAL OBLIGATIONS
In some circumstances, we are required by law to use or share personal data in particular ways. This happens, for example, when a court, law enforcement agency or regulator makes a legally binding request or order for disclosure of personal data. It also happens if you choose to exercise your rights, for example, by requesting a copy of your own personal data from us.
WITH WHOM DO WE SHARE PERSONAL DATA?
Processors, where RFC uses other organisations to perform tasks on their behalf (eg. Fuel Suppliers Independent controllers, IT service providers, fulfilment providers).
You are entitled to request a list of the processors used by RFC. We have listed these out in the section entitled Who Are The Recipients Of Your Data.
Joint Controllers such as Fraud Prevention Agencies and Third-Party ID&F Solution Providers.
You are entitled to request a list of the Joint Controllers used by RFC. You can find out how to do this in the section What Are Your Rights And How To Exercise Them.
Public bodies, law enforcement and regulators where there is a legal basis.
Individuals.
People are entitled to obtain copies of the personal data RFC hold about them. You can find out how to do this in the section What Are Your Rights And How To Exercise Them.
HOW DOES RFC KEEP PERSONAL DATA SECURE?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used, or accessed in an unauthorised way. Only recipients with a need-to-know (according to the above-mentioned purposes) may access your data and are subject to confidentiality undertakings.
WHO ARE THE RECIPIENTS OF YOUR DATA?
We may need to share your data internally (to affiliates and subsidiaries as well as with other entities of the Group) and externally (to third parties) with our providers and partners:
Purposes
Processors (Links to individual Privacy Policies)
Communication and Document Storage
IT Support
Website tracking and analytics
Surveys and feedback
External counsel
Credit check, fraud prevention and cash collection*
Payment Solutions
ID verification
Fuel Suppliers
EV Solutions
GDPR Requests
Vehicle Tracking Solutions
Marketing Campaigns
Nest4Innovation International LDA
Incentives
*For credit check, fraud prevention and cash collection: with credit reference agencies, which may also share information about your settled accounts and late payments with other organisations. For more information, please click here.
In all instances, our providers and partners are required to process your data solely for the purposes indicated and according to our instructions and all applicable data protection laws and to implement all necessary security measures to protect your personal data.
Sometimes we will need to send or allow access to personal data from elsewhere in the world. This might be the case, for example, when one of our processors or a client based overseas uses overseas data centres.
While the UK and countries in the EEA all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when we do send personal data overseas, we will make sure suitable safeguards are in place in accordance with UK data protection requirements to protect the data. For example, these safeguards might include:
Sending the data to a country that has been approved by UK authorities as having a suitably high standard of data protection law. Examples include the Isle of Man, Switzerland, and Canada.
Putting in place a contract with the recipient containing terms approved by UK authorities as providing a suitable level of protection.
Sending the data to an organisation which is a member of a scheme that has been approved by UK authorities as providing a suitable level of protection.
TRFC acting as an Introducer or Introducer Appointed Representative
Please note that with the following products, TRFC does not provide, manage, or regulate these products directly. Instead, we connect customers with third-party providers, who are fully responsible for the products and services they offer.
Your data will only be sent to these external providers upon receiving your explicit consent.
TRFC acting as a Principal
TRFC works with several external third parties who will act as an introducer (these parties will facilitate introductions to TRFC). Information provided by these parties will be supplied from privately held sources, such as employee or customer list.
Depending on the type of introducer agreement in place, your data will either be sent from the introducer to RFC or you will be asked to contact RFC directly to discuss your needs.
Facilitated introductions can take place via several platforms:
Introducer portals
QR code
Emails
RFC works with introducers within the (but not limited to) the following industry sectors:
Construction
Retail
Transportation and Storage
Automotive
Information and Communications Technology
Further information regarding which organisations act as Introducers is available on request at DPO@rightfuelcard.co.uk.
Shared Data
Personal data will be shared both ways between the Introducer and Principal and shall include, but not be limited to, the following categories of information relevant to the following categories of data subject:
Contact information (name, address, telephone number, email address)
Information about contractual arrangements (contract start dates, termination dates, account number)
Financial information relating to usage of Fuel Cards (litres drawn)
MARKETING OPTING OUT PROCEDURE.
You can opt-out from marketing messages at any time.
Following the unsubscribe links on any marketing message you receive.
Via this web form.
Contact us at any time.
WHAT ABOUT COOKIES?
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.
RETENTION OF PERSONAL DATA
Identifiers: Identification data like names and addresses are kept while there is a continuing business need to keep it, eg. Where there are applicable financial or other legal regulations. This need will be assessed on a regular basis, and data that is no longer needed for any purposes will be disposed of.
Fraud Data: Records that have been confirmed as relating to fraudulent applications or accounts are retained for up to 6 years since the time of update.
Other Data: Other third-party supplied data, such as client-provided applications data, will be stored for a period determined by criteria such as the agreed contractual terms.
Archived Data: RFC may hold data in an archived form for longer than the periods described above, for things like research and development, analytics, and analysis (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting). For audit purposes, and as appropriate for establishments, exercise or defence or legal claims. The criteria used to determine to storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements, and industry standards.
WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM
You have a right to:
access,
rectification,
erasure,
portability of your personal data,
right to restrict or object a data processing,
a right not to be subject to automated decision-making and be notified in case of a data breach,
a right to complain to the competent supervisory authority.
Please note, however, that each request will be subject to prior analysis as to its legitimacy and to prior identity verification, for which we may require you to provide proof of identity.
We may also require you to precise your request and provide complementary information.
To exercise your rights, click here to contact our DPO at DPO@rightfuelcard.co.uk.
To inform us about a change of address, please click here.
To update your marketing preferences, please click here.
For any other request, click on Contact.
Last Updated: 29/05/2025