MICard Privacy Policy (v2.0 – June 2025)

Last updated: 24th June 2025

1. About This Policy and Who We Are

This Privacy Policy is issued by MICard Industries Ltd (referred to as "MICard", "we", "us" or "our"). We are a company registered in England and Wales under company number 16325430. Our registered office is at 40 Shirdley Road, Eynesbury, St Neots, Cambs, UK, PE19 2DR.

MICard is the controller of your personal data, which means we are responsible for how your data is collected, used and protected. We are registered with the Information Commissioner's Office (ICO), the UK's data protection regulator.

This policy outlines our commitment to protecting your privacy and explains how we handle your personal data when you use our products and services:

  • MIPass Vault: Your secure, personal data wallet.
  • MICard SSO: Our single sign-on solution for seamless and secure access to other services.
  • ReX: Our browser extension that helps you manage your data online.

Our mission is to empower you to control, share and benefit from your data securely and on your terms.

2. The Personal Data We Collect and How We Use It

We are committed to data minimisation and only collect the data that is necessary for the services you use. The data we collect is either provided directly by you or is generated through your use of our services. All of your personal data is stored in your MIPass Vault, over which you, and only you, have primary control.

The types of personal data we may process include:

  • Identity and Contact Data: Including your full name, date of birth, postal address, email address and telephone number.
  • Special Category Data: This is more sensitive data and includes:
    • Health and Lifestyle Data: Information you choose to add about your health, fitness and general well-being.
    • Biometric Data: For example, if you use facial recognition or a fingerprint to secure your MIPass Vault. We will always ask for your explicit consent before collecting and using biometric data for identification purposes.
  • Behavioural Data: Information on how you interact with our services to help us improve them.
  • Technical Data: When you use ReX or MICard SSO, we may collect information about your device and browser, including your IP address, browser type and version and operating system.
  • Usage Data: This includes information about the services you use through MICard, the permissions you grant to third parties and a log of data sharing activities.

3. The Legal Basis for Processing Your Data

We will only use your personal data when the law allows us to. Our legal bases for processing your data are:

| Purpose of Processing | Type of Data | Legal Basis under UK GDPR |
|---|---|---|
| Creating and managing your MICard account and MIPass Vault | Identity, Contact, Technical | Performance of a Contract |
| Providing MICard SSO and ReX autofill functionalities | Identity, Contact, Technical | Performance of a Contract |
| Storing your data securely in your MIPass Vault | All categories | Performance of a Contract |
| Research and analytics for service improvement | Anonymised and aggregated Usage Data | Legitimate Interests (to improve our services for all users) |
| Sharing your data for commercial insights with third parties | As selected by you | Explicit Consent |
| Sharing your data for research purposes with third parties | As selected by you | Explicit Consent |

Your Consent: Where we rely on your consent, particularly for sharing special category data (like health information) or for marketing and commercial purposes, we will always ask for your explicit, opt-in consent. This means you will be asked to take a clear, affirmative action (such as ticking a box) to agree. You can view and manage your consents at any time in your MICard settings. Withdrawing consent is as easy as giving it and can be done at any time.

4. Your Data, Your Control: Data Sharing and Disclosures

You are in control of who accesses your data. No data is shared with any third-party service without your explicit permission. For every data sharing request, you will be informed of:

  • Who is requesting the data.
  • What specific data they are requesting.
  • Why they need it (the purpose).

This creates a clear, auditable trail of consent which you can review and revoke at any time through your MIPass Vault dashboard.

5. International Data Transfers

Your core data is stored on secure servers located in the region where you are based (e.g. UK, European Union). Some of our services, or third parties you choose to interact with, may be based outside the UK.

When we transfer your data to the United States, we rely on the UK-US Data Bridge, which ensures that US companies certified under this framework provide a level of data protection equivalent to that in the UK. For transfers to other countries, or to US companies not certified under the Data Bridge, we will use other legally approved safeguards, such as Standard Contractual Clauses (SCCs), and conduct a thorough Transfer Risk Assessment to ensure your data remains protected.

6. Data Security

We have implemented robust technical and organisational security measures to protect your personal data from being accidentally lost, used or accessed in an unauthorised way. These measures include:

  • Encryption: Your data is encrypted both in transit and at rest.
  • Access Controls: Strict access controls are in place to limit who can access your data.
  • Regular Security Testing: We regularly test our systems for vulnerabilities.

We also have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

7. Data Retention

We will only retain your personal data for as long as you maintain an active MICard account or as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

If you choose to delete your MICard account, all of your personal data will be permanently and securely deleted from our systems within a specified period, unless we are required by law to retain it for a longer period.

8. Your Legal Rights

Under UK data protection law, you have the following rights in relation to your personal data:

  • The right to be informed: To be provided with clear and transparent information about our processing activities.
  • The right of access: To request a copy of the personal data we hold about you.
  • The right to rectification: To have inaccurate personal data corrected.
  • The right to erasure: To have your personal data deleted.
  • The right to restrict processing: To limit how we use your data.
  • The right to data portability: To receive your data in a machine-readable format and to have it transferred to another controller.
  • The right to object: To object to certain types of processing, such as for direct marketing.
  • Rights in relation to automated decision-making and profiling: You have the right not to be subject to a decision based solely on automated processing.

You can exercise these rights at any time through your MICard account settings or by contacting our Data Protection Officer.

9. Children's Privacy

MICard's services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. Child profiles can only be created and managed by a verified parent or legal guardian, who will be responsible for consenting to the processing of the child's data.

10. Cookies and Similar Technologies

Our website and the ReX browser extension use cookies and local storage to:

  • Ensure our services function correctly (e.g. session management).
  • Enhance security.
  • Gather anonymised performance analytics to help us improve our services.
  • Remember your preferences and autofill history.

You have control over these technologies through your browser settings. For more detailed information, please see our separate Cookie Policy.

11. Your Right to Complain

If you have any questions or concerns about this privacy policy or our data protection practices, please contact our Data Protection Officer in the first instance.

You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

12. Contact Us

For any privacy-related enquiries, please contact our Data Protection Officer:

Email: dpo@thisismicard.com