About This Policy

This Privacy Notice explains how Secure Refunds Limited (“we”, “our”, “us”) collects, uses, shares, and stores personal information in our capacity as a Data Controller.

We comply with the following data protection laws, as applicable to your location:

  • The UK General Data Protection Regulation (UK GDPR) and the EU GDPR

  • The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA)

  • The Data Use and Access Act 2025 (DUAA)

  • The Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)

This notice explains your rights and our obligations when we process your personal information.

What Personal Data Do We Process?

We collect and use personal data that is necessary to perform our services as a refund administrator. This may include:

  • Your name, address, and contact details

  • Financial information (for example, bank account details)

  • Health information where essential to assess and process your refund application

  • Other details relevant to your ticket refund protection or related services

We always collect the minimum amount of personal information required for these purposes.

How Do We Collect Your Personal Information?

We collect information:

  • Directly from you through online submissions, emails, telephone calls, or written correspondence

  • From third parties (such as ticketing partners or venues) where necessary to fulfil our contractual and legal obligations

  • Automatically, through limited website analytics or operational systems that support our services

How We Use Your Information

Your information is used to enable us to provide services associated with your ticket refund protection purchase, including:

  • Processing, managing, or defending a refund application

  • Complying with our legal and regulatory obligations

  • Establishing, exercising, or defending legal rights

  • Pursuing legitimate business interests, provided they do not override your data privacy rights

If we process sensitive data such as health information, we do so only when it is essential to provide our service and under lawful bases defined by data protection laws.

If you choose not to provide certain personal data, we may not be able to deliver the related service.

Who We Share Your Information With

To provide our services, your information may be shared with trusted third parties, such as:

  • Agents or brokers

  • Reinsurers

  • Loss adjusters

  • Sub-contractors and service providers

  • Regulators or law enforcement agencies

  • Fraud prevention and detection organisations

  • Compulsory insurance databases

We only share your information where necessary for legitimate purposes and as permitted by law.

We do not sell your personal data or share it for marketing purposes.

For more information on how personal data is used within the insurance sector, you may review the London Market Group Information Notice.

International Data Transfers

The personal data we collect may be transferred to and processed in countries outside the UK, EEA, Gibraltar, or your country of residence, including the United States or Canada.

We ensure that appropriate safeguards, such as Standard Contractual Clauses, UK Addenda, or other legally recognised transfer mechanisms, are in place to protect your data.

All data is stored on secure servers, and any financial information is encrypted. While no system is entirely secure, we use strong procedures, firewalls, and access controls to protect your information.

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes set out in this notice, meet our regulatory obligations, or establish and defend legal claims.

Typically, we retain data for six years after the end of our business relationship unless a longer period is legally required.

Jurisdiction-Specific Privacy Rights

1. GDPR (UK, EU, and Gibraltar)

If you are located in the UK, EU, or Gibraltar, you have the following rights under the GDPR:

  • The right to access your personal data

  • The right to correct inaccurate or incomplete data

  • The right to have your data erased (“right to be forgotten”)

  • The right to restrict or object to processing

  • The right to data portability

  • The right to withdraw consent (where applicable)

We process data on lawful bases such as contractual necessity, legal obligation, legitimate interest, and, in limited cases, consent.

To exercise your rights, contact our Data Protection Officer via the contact form on our website.

If you wish to lodge a complaint, you may contact the Gibraltar Regulatory Authority or the Information Commissioner’s Office (ICO) at www.ico.org.uk.

2. CCPA (California, USA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

  • The right to know what personal data we collect, use, or disclose

  • The right to request deletion of your personal information

  • The right to correct inaccurate personal information

  • The right to opt out of the sale or sharing of your personal data

  • The right not to be discriminated against for exercising your rights

We do not sell or share your personal data for marketing purposes.

You may exercise your rights by contacting us through our Contact Form (or equivalent page). We may need to verify your identity before processing requests.

If an authorised agent submits a request on your behalf, evidence of that authority will be required.

3. DUAA (Data Use and Access Act 2025)

For individuals covered by the Data Use and Access Act 2025 (DUAA) in the United States, you have the following rights:

  • The right to access your personal data and understand how it is used

  • The right to opt out of automated decision-making or profiling

  • The right to appeal automated or algorithmic decisions

  • The right to restrict use of your data for secondary purposes

  • The right to receive clear information about how automated tools process your data

We do not currently make automated refund decisions without human involvement. Any future automated tools will operate under strict human oversight and transparency measures.

4. PIPEDA (Canada)

If you are located in Canada, under PIPEDA you have the right to:

  • Know why your data is collected and how it is used

  • Access and correct your personal information

  • Withdraw consent where applicable

  • Challenge our compliance with privacy obligations

Complaints may be directed to the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

Automated Decision-Making

We do not use automated systems that make decisions producing legal or significant effects on individuals. All refund applications undergo human review.

Children’s Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect information from minors, and any such data discovered will be deleted.

Contact Information

Data Controller:
Secure Refunds Limited
Gibraltar Heights, Bishop Rapallo’s Ramp, GX11 1AA, Gibraltar

Data Protection Officer:
Contact via our website form at www.securerefunds.com/help/

Supervisory Authorities

Updates to This Notice

We may update this Privacy Notice periodically to reflect legal or operational changes. The latest version will always be available on our website.

Last Updated: October 2025

This website is operated by Secure Refunds Limited
Registered office Gibraltar Heights, Bishop Rapallo's Ramp, GX11 1AA, Gibraltar Registered Company Number 106563