Privacy Policy
Betty Data – Your privacy matters to us
Quick Summary
✅ You stay in control. We collect data only after you grant explicit consent and you can revoke at any time.
✅ No selling of personal data. We never monetise your raw personal data.
✅ Minimum data. We ask only for the fields needed to deliver the benefit you choose.
✅ Transparent partners. We name every partner and purpose before any sharing occurs.
✅ EU hosting first. Primary storage is in AWS EU clusters (Paris). Transfers outside the EEA are safeguarded by SCCs or equivalent.
About Betty Data
This is the master privacy notice for Betty Data Ltd. ("Betty Data", "we", "us", "our"). It applies to all visitors to https://www.ritapersonaldata.com (the "Website"), users of our mobile or web applications, and anyone who engages with our data‑sharing flows (collectively the "Services").
Betty Data helps you retrieve copies of your personal data from major digital platforms and – only with your permission – use that data for personalised insights, rewards, and partner experiences. We take privacy seriously and design every feature with "privacy‑by‑design" principles.
Controller (EU/UK GDPR)
Betty Data Ltd.
86‑90 Paul Street
London, EC2A 4NE
United Kingdom
Company no. 15804560
Contact Information
Data Protection Officer: info@ritapersonaldata.com
EU representative (Art. 27 GDPR): Anthony Talal, Director
1. What We Collect
We collect personal information in the following contexts:
| Category | Examples | Source | Optional? |
|---|---|---|---|
| Account data | Email, password hash / SSO token, locale, device identifiers | You | Email required; rest optional |
| Connected‑platform data | Google Search queries, Website visits, YouTube interests | You → via Google Data Portability API | Yes – scope toggles shown at connection |
| Partner‑specific IDs | Loyalty ID at your chosen partner | Partner or you | Yes |
| Usage & log data | App interactions, crash reports | Automatically collected | Yes (see §11 cookies) |
| Developer / partner contact data | Name, job title, business email | You | Yes |
Special‑category data (e.g., health, religion) is processed only if you knowingly connect it (for example, medical travel receipts) and you give explicit consent.
Google Data Portability API compliance
Our use of data obtained via Google's API adheres to Google's Limited Use Requirements. We cannot access your Google data until you complete Google's OAuth consent screen. You may revoke access at https://myaccount.google.com/permissions or in the Betty Data app.
2. How We Use Your Data
Below is a concise overview of the main ways we handle your personal data—why we need it, what we do with it, and the legal grounds that apply.
| Purpose | Typical activities | Lawful basis |
|---|---|---|
| Operate & secure the Services | Authentication, fraud detection, bug‑fixing | Contract (Art. 6 (1)(b)) |
| Import and normalise platform data | Pull Google Takeout export, parse receipts | Consent (Art. 6 (1)(a)) |
| Provide insights in the app | Dashboards, personal spending trends | Consent |
| Share selected data/tags with partner | Loyalty points, tailored offers, recommendations | Consent (separate toggle) |
| Marketing communications | Product updates, newsletters | Consent (opt‑in) or Legitimate Interests |
| Improve & develop new features | Aggregate analytics, A/B testing | Legitimate Interests (Art. 6 (1)(f)) – minimal, pseudonymised |
| Legal & compliance | Recordkeeping, dispute handling | Legal obligation (Art. 6 (1)(c)) |
Partner Data Sharing
When you activate a partner integration, we share only the data points and technical identifiers needed to deliver the integration, as shown in the consent flow and under the explicit consent you provide.
Who are partners? Third‑party organisations you deliberately link to receive rewards, insights, or personalised experiences.
Lawful basis: Consent (Art. 6 (1)(a)) for each partner connection, and Contract (Art. 6 (1)(b)) where the partner supplies a service you request.
3. Sharing Your Data
We share personal information only in these circumstances:
At your request
You activate an integration and consent to share specified fields with the named partner.
Example: You opt in to your chosen partner; we share "Favourite brands: Patagonia, Camel" so they can award points and make recommendations.
Service providers
Cloud hosting, email delivery, authentication, analytics. All are bound by GDPR‑compliant DPAs and process data on our behalf (Art. 28 processors). Current list: ritadata.com/legal/subprocessors.
Other circumstances
- • Professional advisers: Lawyers, auditors, accountants—only under confidentiality
- • Legal or regulatory: If required to comply with law or valid legal request
- • Affiliates: If we establish subsidiaries or group companies, they may process data under this Policy
❌ We do not share data with advertisers or data brokers.
4. Security & International Transfers
International Transfers
Primary storage is in the EU/EEA (AWS Paris & Frankfurt). When we must transfer data outside the EEA/UK (e.g., US support ticket system), we rely on one or more of:
- • Standard Contractual Clauses (SCCs) or UK IDTA
- • Adequacy decisions
- • Additional encryption & access controls
Security Measures
We implement organisational & technical safeguards including:
- • TLS 1.2+ for data in transit; AES‑256 for data at rest
- • Segregated encryption keys and access‑control lists
- • Role‑based access & zero‑trust network segmentation
- • Continuous monitoring & anomaly detection
- • Independent penetration tests at least annually
- • Incident‑response playbook—users and regulators notified within 72 hours where required
5. Data Retention
We keep personal data only as long as necessary for the purposes listed above, unless a longer period is required by law (e.g., tax records).
| Data set | Standard retention | Deletion trigger |
|---|---|---|
| Account data | Life of account + 24 months | Account deletion or 24 m inactivity |
| Connected‑platform raw exports | Parsed then deleted within 30 days | Immediate on revocation |
| Derived tags | Until revocation or 24 m | Revocation or expiry |
| Partner‑sharing logs | 6 years (accountability) | Legal limit reached |
You may delete your data sooner via in‑app "Delete Account" (see Your Privacy Rights section).
6. Your Privacy Rights
You have the following rights under the EU/UK GDPR (with conditions & exceptions):
How to exercise your rights:
- • In‑app privacy controls (preferred)
- • Email: info@ritapersonaldata.com
We may ask for verification of identity before acting. We aim to respond within 30 days.
7. Marketing & Cookies
Marketing Communications
You may receive product updates or newsletters only if you have opted‑in or if you are an existing customer and we rely on legitimate interests. You can opt‑out at any time by:
- • Clicking "unsubscribe" in the email footer
- • Changing your preference in Settings → Notifications
- • Emailing info@ritapersonaldata.com
Cookies & Similar Technologies
We use privacy‑centric analytics (self‑hosted PostHog) and essential cookies only. A detailed cookie banner and preference centre is displayed to EU/UK visitors on first visit.
8. Contact & Complaints
Questions, concerns, or complaints?
Email: info@ritapersonaldata.com
Or write to:
Betty Data Ltd.
86‑90 Paul Street
London EC2A 4NE
United Kingdom
Supervisory Authority
If you are not satisfied, you may complain to your local Data Protection Authority. In the UK this is the Information Commissioner's Office (ICO). In the EU, see the list at https://edpb.europa.eu.
Glossary (Quick Reference)
Controller
Entity that decides why/how personal data is processed.
Processor
Entity that processes data on behalf of a controller.
Personal data
Any information that can identify a living person.
Special‑category data
Sensitive data such as health, religion, political views.
SCCs
Standard Contractual Clauses for international data transfers.
9. Changes to This Policy
We update this Policy from time to time. The "Last updated" date reflects the latest revision. If changes materially affect your rights or the way we process data, we will notify you via email and/or in‑app and, where needed, seek new consent.
Links to Other Sites
Our Services may contain links to third‑party websites or services that we do not control. This Policy does not cover those third parties. We encourage you to review the privacy policies of every site you visit.