Privacy Policy
Last updated: 26 March 2026
This policy applies to the Rewardo website at rewardo.travel and the Rewardo browser extension.
1. Data controller
The data controller for personal data processed through the Rewardo service is B-SQUARED IT CONSULTING LTD, registered in England and Wales under company number 16663585, with registered address at 196 Noak Hill Road, Billericay, England, CM12 9UX.
We are registered with the Information Commissioner's Office (ICO) under registration number 00013592042.
You can contact us about privacy matters at: privacy@rewardo.travel
2. Scope of this policy
This policy explains what personal data we collect when you use Rewardo, the lawful basis on which we process it, how long we retain it, and the rights available to you under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For information about the cookies we use, please see our Cookie Policy.
For a focused privacy notice covering the browser extension specifically, see our Extension Privacy Notice.
3. What personal data we collect and why
The table below sets out every category of personal data we process, the lawful basis under Article 6 of the UK GDPR, and our retention period. Where we rely on consent (Art. 6(1)(a)), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
| Category | Data items | Lawful basis (UK GDPR Art. 6) | Retention |
|---|---|---|---|
| Account identity | Email address, display name, avatar URL, Auth0 user ID | Art. 6(1)(b) — performance of a contract (account creation and service delivery) | For the life of the account, then deleted within 30 days of account closure |
| Payment & billing | Stripe customer ID, subscription ID, subscription tier, billing status, payment event logs | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation (tax and financial record-keeping) | 7 years from the date of the transaction (financial record-keeping obligation) |
| Loyalty programme balances | Programme name, membership tier, points balance, points expiry date, membership ID | Art. 6(1)(a) — consent (you explicitly connect a programme or grant AwardWallet access); Art. 6(1)(b) — performance of a contract (to provide portfolio tracking features) | Until you remove the programme from your wallet or close your account |
| AI chat history | Conversation messages, timestamps, session identifiers | Art. 6(1)(b) — performance of a contract (to provide conversation continuity within the AI Chat feature) | 90 days from each message, then permanently deleted; or earlier on account closure |
| Award pricing data (community cache) | Hotel name, hotel identifier, programme, dates, point cost, cash equivalent, room category, availability | Art. 6(1)(f) — legitimate interests (building a community pricing database; no personal data in the cache itself) | Indefinitely for trend analysis; stale records (older than 90 days without refresh) are flagged and may be archived |
| Gamification & leaderboard | XP score, level, contribution count, submission history, display name (public) | Art. 6(1)(b) — performance of a contract (to operate the community contribution and leaderboard features) | For the life of the account; display name on the public leaderboard is removed within 30 days of account closure |
| Usage & analytics | Pages visited, search queries, feature interactions, browser type, approximate geographic region | Art. 6(1)(a) — consent (analytics cookies accepted via cookie banner) | Google Analytics retention window of 14 months (configurable in the GA4 property) |
| Preferences | Theme preference (light/dark), currency preference | Art. 6(1)(b) — performance of a contract (to personalise the service) | For the life of the account |
| Developer API | API key identifier (hashed), usage logs, rate-limit counters | Art. 6(1)(b) — performance of a contract | API keys: until revoked or account closure. Usage logs: 90 days |
| Browser extension (submitted data) | Award pricing captured from hotel booking pages (hotel name, dates, point costs, room type) | Art. 6(1)(a) — consent (extension installed and enabled by the user); Art. 6(1)(b) — performance of a contract | As per award pricing data above |
| Browser extension (balance reading) | Loyalty balance information read from authenticated hotel chain dashboard pages | Art. 6(1)(a) — consent (extension installed and balance-sync feature enabled) | Stored as loyalty programme balance data above |
We do not process any special category data (as defined in Article 9 of the UK GDPR), nor do we carry out solely automated decision-making that produces legal or similarly significant effects.
4. Community data sharing model
The core value proposition of Rewardo is that award pricing data grows fresher as more people use the service. When you search for hotel award availability, our backend fetches live results, caches them, and makes them available to all users. This cache contains only hotel and pricing information — it contains no personal data about the user who triggered the search.
Contributed pricing data (submitted via the browser extension or the search function) is therefore not personal data and is shared with the community without restriction. By contributing data, you grant Rewardo a perpetual, worldwide, royalty-free licence to store, display, and distribute that pricing information as part of the community database.
Your identity is never attached to a specific search result visible to other users. We do, however, maintain internal records of who submitted which data point for the purposes of calculating contribution points and detecting fraud or manipulation.
5. Browser extension data collection
The Rewardo browser extension operates on the following websites when you visit them in your browser: Hilton.com, IHG.com, Hyatt.com, Marriott.com, BritishAirways.com, Americanexpress.com, VirginAtlantic.com, and Accor.com.
Award pricing capture: When you view hotel award availability on a supported booking page, the extension reads the pricing data displayed on screen (hotel name, dates, point costs, room category, availability) and transmits it to Rewardo's servers. This enriches the community cache.
Balance reading: When you visit the loyalty dashboard of a supported programme while logged in, the extension may read your points balance, tier status, and expiry information and sync it to your Rewardo wallet (if you have this feature enabled). This requires your explicit consent at extension installation.
Worker mode: The extension includes an autonomous worker mode. When enabled, the extension may open hotel booking pages in the background to collect award pricing data proactively. You will be informed within the extension when this mode is active. No interaction with your booking sessions occurs; the extension reads publicly visible pricing data only.
What the extension does NOT collect: passwords or login credentials, payment card details, booking confirmation numbers, personal correspondence, or any data from websites not listed above.
For full detail, see our Extension Privacy Notice.
6. AwardWallet integration
Rewardo offers an optional integration with AwardWallet, a third-party loyalty programme aggregator. If you connect your AwardWallet account, you grant Rewardo permission to retrieve your loyalty programme balances, tier status, and expiry dates via the AwardWallet API. This synchronisation occurs approximately every six hours while your connection remains active.
We receive only the balance and status data returned by AwardWallet; we do not receive your AwardWallet password or any credentials for your individual loyalty programmes.
You may disconnect the AwardWallet integration at any time from your profile settings. Disconnecting will stop future synchronisation; data already synced to your wallet will remain until you delete it or close your account.
AwardWallet processes your data under their own privacy policy, available at awardwallet.com/privacy.
7. AI Chat data processing
Rewardo's AI Chat feature (available on the AI_AGENT subscription tier) is powered by AWS Bedrock, which provides access to Claude language models operated by Anthropic. When you use AI Chat, your messages and the AI's responses are:
- Transmitted to AWS Bedrock for real-time inference
- Stored in our PostgreSQL database (hosted on AWS RDS) for conversation continuity
- Retained for 90 days from each message, then permanently deleted
Conversation data is not used to train AI models. AWS processes inference requests under their data processing terms and, for AWS Bedrock, Anthropic does not store or use your prompts for model training.
AI Chat outputs are AI-generated and may be inaccurate. They do not constitute financial, booking, or investment advice. Always verify award availability and pricing directly with the relevant loyalty programme before making any booking decision.
8. Public leaderboard
Rewardo operates a public leaderboard that ranks users by their contribution score (XP). The following information is visible to all users of the service, including visitors who are not logged in:
- Your display name (as set in your profile)
- Your XP score and level
- Your total contribution count
Before your first data submission that earns contribution points, we will notify you that your display name will appear publicly on the leaderboard. You may opt out of the leaderboard at any time from your profile settings; opting out removes your entry within 24 hours. Your contribution history and earned subscription credit are not affected by opting out.
9. Third-party processors
We share personal data with the following processors, each of whom processes data only on our instructions under a data processing agreement:
| Processor | Purpose | Location |
|---|---|---|
| Auth0 / Okta | Authentication, user identity management, session management | US (with Standard Contractual Clauses) |
| Stripe | Payment processing, subscription management, billing history | US (with Standard Contractual Clauses) |
| Amazon Web Services (AWS) | Application hosting (App Runner), database (RDS/PostgreSQL), CDN (CloudFront), email (SES), AI inference (Bedrock), secrets management | EU (eu-west-1/Ireland) primary; some services may use US regions |
| AwardWallet | Loyalty balance aggregation (optional integration) | US (with Standard Contractual Clauses) |
| Google LLC | Website analytics (Google Analytics 4) and advertising (Google AdSense) — with consent only | US (with Standard Contractual Clauses) |
10. International data transfers
Several of our processors are headquartered in, or route data through, the United States. The UK has not made an adequacy decision in respect of the US as a whole. Where transfers to the US are necessary, we rely on UK International Data Transfer Agreements (IDTAs) or, where applicable, the UK Extension to EU Standard Contractual Clauses, to provide appropriate safeguards.
Our primary application data (database, application servers) is hosted in AWS eu-west-1 (Ireland), which benefits from the UK Adequacy Regulations for EEA countries.
You may request a copy of the relevant transfer mechanisms by contacting us at privacy@rewardo.travel.
12. Your rights under UK GDPR
Under the UK GDPR and the Data Protection Act 2018, you have the following rights:
- Right of access (Article 15): You may request a copy of the personal data we hold about you, together with supplementary information about how we process it.
- Right to rectification (Article 16): If any data we hold is inaccurate or incomplete, you may ask us to correct it.
- Right to erasure (Article 17): You may ask us to delete your personal data where there is no compelling reason for its continued processing. Note that we may be required to retain some data for legal obligations (e.g. financial records).
- Right to restriction of processing (Article 18): You may ask us to pause processing of your data in certain circumstances, for example while a rectification request is being resolved.
- Right to data portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): You may object to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent: Where we rely on consent as the lawful basis, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, please contact us at privacy@rewardo.travel. We will respond within one calendar month. We may ask you to verify your identity before acting on a request.
You also have the right to lodge a complaint with the ICO if you believe we have not handled your data in accordance with the law. The ICO can be contacted at ico.org.uk/make-a-complaint or by telephone on 0303 123 1113. We do ask that you contact us in the first instance so that we have the opportunity to address your concern.
13. Children's data
The Rewardo service is not directed at children under the age of 16 and we do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@rewardo.travel and we will take steps to delete that data promptly.
14. Security
We implement technical and organisational measures appropriate to the risk presented by our processing activities. These include:
- HTTPS encryption in transit for all web and API traffic
- Encryption at rest for database storage on AWS RDS
- IAM authentication for database access (no static database passwords)
- Secrets managed via AWS Secrets Manager (no credentials in source code)
- Access controls limiting personal data access to authorised personnel
- Regular dependency and security updates
No method of electronic transmission or storage is entirely secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and report to the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.
15. Changes to this policy
We may update this privacy policy from time to time. Where changes are material (for example, where we introduce a new purpose for processing or a new category of data), we will notify registered users by email at least 30 days before the change takes effect.
The “Last updated” date at the top of this page indicates when it was last revised. We encourage you to review this page periodically.
16. Contact and complaints
For any questions, concerns, or to exercise your data subject rights, please contact our privacy team:
- Email: privacy@rewardo.travel
- Post: B-SQUARED IT CONSULTING LTD, 196 Noak Hill Road, Billericay, England, CM12 9UX
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF