Stavi Ltd Privacy Policy

Last updated: June 2026

This privacy policy explains how Stavi Ltd collects and uses your personal data through your use of our website at www.stavi.uk (the Website) and the Stavi mobile application (the App), together with any services accessible through them (the Services). References to “we”, “us” or “our” are to Stavi Ltd throughout.

This policy is provided in a layered format so you can click through to the specific areas below.

1.      IMPORTANT INFORMATION AND WHO WE ARE

Controller

Stavi Ltd (company number 16910785), whose registered office is at 20 Western Lane, Mumbles, Swansea, Wales, SA3 4EY, is the controller and responsible for your personal data.

If you have any questions about this privacy policy, including requests to exercise your legal rights (see section 9), please contact us using the details in section 10.

Age restriction

This Website and App are not intended for children under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a person under 18, we will delete that data and close the relevant account promptly. If you believe we have inadvertently collected data from someone under 18, please contact us at privacy@stavi.uk.

2.      THE TYPES OF PERSONAL DATA WE COLLECT ABOUT YOU

Personal data means any information about an individual from which that person can be identified. We collect, use, store and transfer different kinds of personal data about you, which we have grouped as follows:

App and account data

•       Identity Data — your name, username, date of birth and student status (verified through your university email address).

•       Contact Data — your email address and telephone number.

•       Profile Data — your university, year of study, redemption history, offer interactions, preferences and feedback.

•       Transaction Data — details of offers and deals redeemed through the App and your subscription with us.

•       Device Data — your device ID, operating system, app version and other technology on the devices you use to access the App.

•       Technical Data — internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform (collected through use of the Website).

•       Usage Data — information about how you interact with and use the App, Website and Services.

•       Location Data — foreground location data collected when you are actively using the App (GPS coordinates used to display relevant local offers near your current location).

•       Marketing and Communications Data — your preferences for receiving marketing from us and your communication preferences.

Website enquiry and contact data

•       Enquiry Data — where you submit a business enquiry through our Website, we collect your name, business name, email address, telephone number and the content of your message.

•       Ambassador Data — where you apply to become a Stavi brand ambassador through our Website, we collect your first name, last name, email address, telephone number (optional) and the content of your application message.

•       Launch Update Data — where you sign up to receive updates about the Stavi launch through our Website, we collect your email address.

We do not store your payment card details. Subscription payments are processed by our third-party payment provider, RevenueCat, who process your payment data on our behalf. Please refer to RevenueCat’s privacy policy at revenuecat.com/privacy for further information.

We display certain information about our business partners (such as business name, address and contact details) within the App. Where this constitutes personal data, it is provided to us by those businesses for the purpose of display to App users.

We do not collect any special categories of personal data (including data revealing racial or ethnic origin, religious beliefs, health data, biometric data or sexual orientation), nor do we collect data relating to criminal convictions or offences.

3.      HOW IS YOUR PERSONAL DATA COLLECTED?

Registration.  We collect your Identity Data and Contact Data when you register for an account on the App or Website, including when you verify your student status using your university email address (.ac.uk).

Subscription and payments.  When you take out a subscription, your Transaction Data is collected and your payment is processed by RevenueCat on our behalf. We do not receive or store your payment card details directly.

Your use of the App and Website.  Each time you access and use the App or Website, we collect Usage Data, Device Data and Technical Data about how you interact with our Services, including offers viewed and deals redeemed.

Website contact forms.  When you submit an enquiry, brand ambassador application or launch update sign-up through our Website, we collect the information you provide in those forms. These forms are hosted and processed by Squarespace, our website provider.

Communications.  When you contact us by email, telephone or through any online form or chat function, we collect your Contact Data and any other information you provide to us.

Automated technologies and cookies.  Our Website uses cookies set by Squarespace, our website provider. These include strictly necessary cookies (required for the Website to function, including session management and secure form submission) and analytics cookies (used to understand how visitors interact with our Website). Strictly necessary cookies do not require your consent. Analytics cookies are only placed with your consent, which you will be asked for when you first visit the Website. You can withdraw consent at any time by adjusting your browser settings. Our App does not use cookies. If we introduce additional cookies or tracking technologies in the future, we will update our cookie policy accordingly.

Location data.  We collect foreground location data when you are actively using the App, for the purpose of displaying relevant local offers near your current location. Your device will prompt you to grant location permission before we collect this data. You can withdraw or adjust this permission at any time through your device settings.

4.      HOW WE USE YOUR PERSONAL DATA

Legal bases

The law requires us to have a legal basis for collecting and using your personal data. We rely on the following:

•       Performance of a contract — where processing is necessary to provide the Services you have signed up to, or to take steps at your request prior to entering into a contract.

•       Legitimate interests — where it is necessary for our legitimate business interests, provided those interests are not overridden by your rights. We always consider and balance any potential impact on you before relying on this basis.

•       Legal obligation — where processing is necessary to comply with a legal or regulatory obligation.

•       Consent — where you have given us your active agreement to use your personal data for a specific purpose. You may withdraw consent at any time by contacting us at privacy@stavi.uk or by using the opt-out mechanism in any marketing communication.

Purposes for which we use your personal data

Purpose | Data used | Legal basis
To register you as a new user and verify your student status | Identity; Contact | Performance of a contract
To manage your subscription, process payments and deliver the Services | Identity; Contact; Transaction | Performance of a contract
To display relevant local offers and deals to you through the App | Identity; Profile; Location; Usage | Performance of a contract
To manage our relationship with you, including notifying you of changes to our terms or this policy | Identity; Contact; Marketing and Communications | Performance of a contract; Legal obligation
To respond to business enquiries submitted through the Website and to take steps towards entering into a contract with a merchant | Enquiry Data | Performance of a contract (or pre-contractual steps)
To consider and respond to brand ambassador applications submitted through the Website | Ambassador Data | Legitimate interests (identifying and engaging potential brand ambassadors to support our launch and marketing activities)
To send launch update emails to users who have signed up through the Website | Launch Update Data | Consent
To administer and protect our business, App and Website, including troubleshooting, data analysis, testing and security | Identity; Contact; Device; Technical | Legitimate interests (running our business, IT security, fraud prevention)
To use data analytics to improve our App, Website and Services | Usage; Device; Technical | Legitimate interests (improving our Services and user experience)
To send you marketing communications about Stavi and offers available through the App by email and SMS | Identity; Contact; Marketing and Communications | Legitimate interests (UK GDPR); soft opt-in under PECR Regulation 22 (electronic marketing permission), subject to your right to opt out at any time
To send you push notifications about Stavi and offers available through the App | Identity; Device; Marketing and Communications | Legitimate interests (UK GDPR); soft opt-in under PECR Regulation 22 (electronic marketing permission), subject to your right to opt out at any time via your device settings
To analyse your usage and preferences in order to personalise the offers, content and recommendations we show you through the App | Identity; Profile; Usage; Transaction; Location | Legitimate interests (to improve and personalise our Services and grow our business)
To comply with legal and regulatory obligations | All relevant data | Legal obligation

Direct marketing

We may contact you by email, SMS and push notification with information about Stavi and offers available through our partner businesses. We process your personal data for direct marketing purposes on the basis of our legitimate interests under the UK GDPR. Separately, we rely on the soft opt-in provision under Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR) as our permission to contact you by electronic means — this applies because your contact details were obtained in the course of your subscription to our Services and we are marketing similar services. These are two distinct legal frameworks operating in parallel: UK GDPR governs the processing of your personal data; PECR governs the transmission of electronic marketing messages.

We will also send launch update emails to users who have signed up through the Website, on the basis of your consent. You may withdraw consent at any time using the unsubscribe link in any email we send you.

You have the right to opt out of receiving marketing communications from us at any time by:

•       clicking the unsubscribe link in any email or SMS we send you;

•       adjusting your notification settings on your device; or

•       contacting us at privacy@stavi.uk.

We will action any opt-out request promptly. Once you have opted out, we will not send you further marketing communications unless you subsequently opt back in.

Personalisation and profiling

We may analyse the personal data we hold about you, including your usage patterns, redemption history and location, to build a profile of your preferences and interests. We use this to personalise the offers and content we show you through the App. This does not involve any automated decision-making that produces legal or similarly significant effects on you. You have the right to object to this processing at any time by contacting us at privacy@stavi.uk.

5.      DISCLOSURES OF YOUR PERSONAL DATA

We may share your personal data with the following categories of third parties:

Service providers

We use carefully selected third-party service providers who process personal data on our behalf and on our instructions as processors. These include:

•       RevenueCat — who process subscription and payment data on our behalf to manage your Stavi subscription. RevenueCat do not receive your full payment card details; those are handled directly by the relevant app store (Apple or Google). For further information see RevenueCat’s privacy policy at revenuecat.com/privacy.

•       Amazon Web Services (AWS) — who provide the cloud infrastructure on which the App is hosted. Data is stored in the UK (London) region. We have a Data Processing Agreement in place with AWS.

•       Squarespace — who host our Website and process form submissions made through it, including business enquiries, brand ambassador applications and launch update sign-ups. We have a Data Processing Agreement in place with Squarespace. For further information see Squarespace’s privacy policy at squarespace.com/privacy.

•       Anthropic — who provide AI tools that we use to assist with the handling of customer communications, including emails and support queries. Where your personal data is included in a communication processed through these tools, Anthropic acts as a processor on our behalf. We have a Data Processing Agreement in place with Anthropic via their API terms. For further information see Anthropic’s privacy policy at anthropic.com/privacy.

Partner businesses (merchants)

When you redeem an offer through the App, we share limited transaction information with the relevant merchant, confirming that a redemption has taken place, the date and time, and the offer redeemed. This information does not identify you personally to the merchant.

App store providers

The App is distributed through the Apple App Store and Google Play Store. Each app store provider processes certain data in connection with the distribution and installation of the App in accordance with their own privacy policies, over which we have no control. For further information see Apple's privacy policy at apple.com/legal/privacy and Google's privacy policy at policies.google.com/privacy.

Professional advisers

Including lawyers, bankers, auditors and insurers who provide professional services to us.

Regulatory and law enforcement authorities

We may disclose your personal data where required by law, court order or where we believe disclosure is necessary to protect the rights, property or safety of Stavi, our users or others.

Business transfers

In the event that we sell or transfer any part of our business or assets, personal data held by us may be among the assets transferred. We will notify you of any such transfer and any choices you may have regarding your personal data.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our service providers to use your personal data for their own purposes.

6.      INTERNATIONAL TRANSFERS

Some of our third-party service providers are based outside the UK, which means that when we share your personal data with them, it may be transferred to and processed in countries outside the UK. Whenever we transfer your personal data outside the UK, we ensure that appropriate safeguards are in place to protect it, in accordance with the UK GDPR.

The transfers we currently make, or anticipate making, outside the UK are as follows:

RevenueCat and Anthropic

RevenueCat, Inc. and Anthropic PBC are both based in the United States. Neither is currently certified under the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge). The applicable transfer mechanism for both vendors is the EU Standard Contractual Clauses as supplemented by the UK Addendum (ICO Addendum B1.0), incorporated by reference into each vendor’s standard terms.

Squarespace

Squarespace, Inc. is based in the United States. We have a Data Processing Agreement in place with Squarespace. Transfers of personal data to Squarespace are made subject to the EU Standard Contractual Clauses as supplemented by the UK Addendum (ICO Addendum B1.0), incorporated by reference into Squarespace's standard terms.

Amazon Web Services

The App is hosted on AWS infrastructure located in the UK (London) region and data is stored in that region. To the extent that AWS personnel located outside the UK may access data remotely for support, maintenance or incident response purposes, such access is governed by our Data Processing Agreement with AWS, which incorporates appropriate safeguards under AWS's standard customer terms.

Apple and Google

The Apple App Store and Google Play Store operate globally and may process data outside the UK. Each is subject to their own privacy policies and transfer mechanisms.

Where we rely on contractual safeguards such as the EU Standard Contractual Clauses as supplemented by the UK Addendum, you may request a copy of the relevant transfer documentation by contacting us at privacy@stavi.uk.

7.      DATA SECURITY

We have put in place appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include encryption of data in transit and at rest, access controls, and two-factor authentication on all accounts with access to personal data. We limit access to your personal data to those within our organisation who have a legitimate need to know it, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach. In the event of a breach, our designated lead (Daniel Lewis, Director) will be notified immediately, will assess the breach within 24 hours, and will notify the Information Commissioner’s Office and affected individuals where we are legally required to do so. We maintain monitoring and alerting systems to support the prompt detection of any security incidents.

Whilst we take appropriate technical and organisational measures to safeguard your personal data, please note that no transmission over the internet or storage of data can be guaranteed to be completely secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at privacy@stavi.uk.

8.      DATA RETENTION

We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting or reporting obligations.

We have set out below the retention periods we apply to the different categories of personal data we hold:

Data type | Retention period | Basis
Account, Identity and Contact Data | 6 years from the date your account is closed or your subscription ends | Legitimate interests (limitation period for contractual and tortious claims under the Limitation Act 1980; evidencing compliance with our contractual and regulatory obligations)
Transaction and redemption data | 6 years from the date of the relevant transaction | Legal obligation (HMRC and tax record-keeping requirements)
Financial and subscription data | 6 years from the date of the relevant transaction | Legal obligation (HMRC and tax record-keeping requirements)
Device, Technical and Usage data | 2 years from collection, following which it will be anonymised | Legitimate interests (product improvement and analytics)
Marketing preferences and opt-out records | 3 years from the date of opt-out or last interaction | Legitimate interests (evidencing marketing consent status and compliance with PECR)
Communications and support records | 3 years from the date of the relevant communication | Legitimate interests (limitation period for potential claims)
Enquiry Data (business enquiries) | 2 years from last contact, or until the business relationship ends, whichever is later | Legitimate interests (managing potential and existing merchant relationships)
Ambassador Data (brand ambassador applications) | 12 months from the date of application | Legitimate interests (identifying and engaging potential brand ambassadors)
Launch Update Data | Until you unsubscribe, following which a suppression record will be retained | Consent; legitimate interests (evidencing opt-out status)

Where we no longer need to retain personal data in identifiable form, we will anonymise it so that it can no longer be associated with you. Anonymised data may be retained and used indefinitely for analytical, research and business development purposes.

If you request deletion of your account, we will delete or anonymise your personal data within 30 days, subject to any legal obligation requiring us to retain it for a longer period (for example, financial records which must be retained for 6 years).

9.      YOUR LEGAL RIGHTS

Under the UK GDPR, you have a number of rights in relation to your personal data. These are summarised below. You can exercise any of these rights by contacting us at privacy@stavi.uk. We will respond to all legitimate requests within one month, though we may extend this by a further two months where the request is complex or you have made a number of requests, in which case we will notify you.

You will not usually be required to pay a fee to exercise any of these rights. However, we may charge a reasonable fee or refuse to comply if a request is manifestly unfounded, repetitive or excessive.

•       Right to access.  You have the right to request a copy of the personal data we hold about you and information about how we process it (commonly known as a subject access request or SAR).

•       Right to rectification.  You have the right to request that we correct any personal data we hold about you that is inaccurate or incomplete. You can update certain information directly through your account settings in the App.

•       Right to erasure.  You have the right to request that we delete your personal data where there is no good reason for us to continue processing it. Please note that this right is not absolute — we may need to retain certain data to comply with our legal obligations (for example, financial records). Where we cannot delete data, we will explain why.

•       Right to restriction of processing.  You have the right to ask us to suspend processing of your personal data in certain circumstances, for example while the accuracy of data is being verified or while an objection is being considered.

•       Right to data portability.  Where we process your personal data on the basis of your consent or performance of a contract, and that processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to have it transferred to another organisation where technically feasible.

•       Right to object.  You have the right to object to processing of your personal data where we rely on legitimate interests as our legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds which override your interests, or the processing is necessary for legal claims. You have an absolute right to object to processing of your personal data for direct marketing purposes, which we will always honour.

•       Right to withdraw consent.  Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal.

•       Right not to be subject to automated decision-making.  You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects on you. Where we use profiling to personalise your experience of the App, this does not produce legal or similarly significant effects and a human remains able to review decisions on request.

We may need to verify your identity before processing a request. This is a security measure to ensure your personal data is not disclosed to anyone who does not have the right to receive it.

10.    CONTACT DETAILS

If you have any questions about this privacy policy, wish to exercise any of your legal rights, or have any concerns about how we handle your personal data, please contact us using the details below:

Full name of legal entity:  Stavi Ltd

Company number:  16910785

Registered address:  20 Western Lane, Mumbles, Swansea, Wales, SA3 4EY

Email address:  privacy@stavi.uk

Website:  www.stavi.uk

We will endeavour to respond to all queries within 5 business days and will respond to all subject access requests and other formal rights requests within one month as required by law.

11.    COMPLAINTS

We take privacy concerns seriously and would always encourage you to contact us in the first instance at privacy@stavi.uk so that we can attempt to resolve any concern you may have.

You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website:  ico.org.uk

Telephone:  0303 123 1113

However, we would appreciate the opportunity to address your concerns before you approach the ICO and ask that you contact us in the first instance.

12.    CHANGES TO THIS PRIVACY POLICY

We keep this privacy policy under regular review and may update it from time to time. Any changes will be posted on this page and, where appropriate, notified to you by email or push notification. The date at the top of this policy indicates when it was last updated. We encourage you to review this policy periodically.

13.    THIRD-PARTY LINKS

Our App and Website may from time to time contain links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party platforms and are not responsible for their privacy practices. We encourage you to read the privacy policy of every third-party platform you visit or use.