Privacy Policy

This Privacy Policy (“Policy”) describes how Tickle Global LTD, a company incorporated in England and Wales with registered address at 167–169 Great Portland Street, London, W1W 5PF, United Kingdom, and Tickle Inc., a corporation incorporated in Delaware with registered office at 447 Broadway, 2nd Floor #569, New York, NY 10013, United States (together, “Tickle,” “we,” “our,” or “us”), collect, use, disclose, and otherwise process personal data and personal information (“Data”) of users (“you,” “your,” “Data Subject(s)”) in connection with the operation of our products and services.

This Policy is intended to satisfy the requirements of the UK General Data Protection Regulation (“UK GDPR”), the EU General Data Protection Regulation (“EU GDPR”), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), and other applicable U.S. state and international data protection laws.

1. Scope of Application

This Policy applies to all personal data processed by Tickle in connection with:

• The Tickle App (iOS and Android applications);

• The Tickle Browser Extension;

• Tickle-Powered Ads saved by users into mobile wallets (Apple Wallet or Google Wallet), also referred to as “Infinite Ads”;

• Tickle Flashcards, being digital passes saved by users into mobile wallets (Apple Wallet or Google Wallet) issued by brands or by Tickle directly; and

• Any websites, domains, or subdomains operated by Tickle where this Policy is made available.

2. Roles of the Parties

1. Tickle as Controller / Business
   Tickle acts as a Data Controller (for UK/EU/EEA users) and as a Business (for California and other U.S. state users) with respect to personal data processed in the App, Extension, Infinite Ads, and Flashcards.

2. Brands as Joint Controllers
   For Infinite Ads and Flashcards saved into mobile wallets, Tickle and the relevant brand advertiser (the “Brand”) act as Joint Controllers (under GDPR/UK GDPR) for the limited purpose of delivering wallet notifications and processing related engagement data.

3. Brands as Independent Controllers
   Brands may act as independent controllers where they use device identifiers supplied by Tickle to match against their existing CRM databases, provided such use is limited to consumers who have separately provided consent to the Brand for such channels (e.g., email, SMS).

3. Categories of Data Processed

3.1 Tickle App and Extension

• Account details (if supplied): email address, username, authentication credentials.

• Device identifiers, IP address, and related metadata.

• Application telemetry, crash reports, and diagnostics.

• User interactions, including ads saved, links clicked, and offer redemptions.

3.2 Infinite Ads and Flashcards (Wallet Passes)

• Engagement data: swipe, save, notification delivery, click-throughs, pass deletions.

• Device identifier (UDID/Device ID) for the purposes of notification delivery and deduplication.

• Technical metadata: source URL, timestamp, device/OS/browser type.
  
  

Not collected through wallet passes: names, email addresses, phone numbers, demographic information, or payment card details unless explicitly stated.

4. Purposes of Processing

Tickle processes Data for the following purposes:

• Provision of services requested by the Data Subject, including the saving of ads or passes to Wallet and the delivery of associated notifications.

• Measurement of engagement, campaign performance, and service functionality.

• Security, fraud prevention, and abuse detection.

• Compliance with legal and regulatory obligations.

• Where applicable, marketing communications and promotional activities, subject to consent.

5. Lawful Bases for Processing (GDPR/UK GDPR)

• Contractual necessity: Processing required to perform services requested by saving a pass or using the App/Extension.

• Consent: Express or implied consent provided by saving a Wallet pass or explicitly opting into App/Extension permissions.

• Legitimate interests: Ensuring security, conducting analytics, product improvement, subject always to balancing tests.

• Legal obligations: Responding to regulatory, audit, or compliance requirements.

6. Data Sharing and Disclosure

Tickle may disclose Data to:

1. Brands (Joint Controllers): For Wallet passes, limited engagement data and device identifiers are shared to enable Wallet notifications and measure interaction.

2. Service Providers / Processors: Cloud hosting, analytics, support, and security partners.

3. Professional Advisors: Legal, accounting, audit, and consultancy services.

4. Authorities: Where compelled by law, regulation, or valid legal process.

5. Corporate Transactions: In connection with a merger, acquisition, financing, or sale of assets.
   
   

Restrictions on Brands: Brands may use device identifiers solely for recognised CRM matching where the consumer has separately opted in. Brands are prohibited from reselling data, combining identifiers with unrelated datasets, or conducting cross-context profiling outside the scope of Wallet notifications.

7. Retention

• Wallet engagement data and device identifiers are retained for no longer than 24 months from the last activity or until deletion/opt-out, whichever occurs first.

• Security logs retained up to 12 months, subject to extension for investigations.

• Account data (App/Extension) retained while active and thereafter in accordance with statutory requirements (generally up to 6 years).

8. Security

Tickle implements technical and organisational measures appropriate to the risks, including encryption, access controls, and monitoring. While no system is entirely secure, Tickle maintains incident response procedures and will notify regulators and affected Data Subjects where required by law.

Wallet passes operate within the technical infrastructure of Apple Wallet and Google Wallet; consumers are encouraged to review their security statements.

For information on how Apple Wallet protects pass data, including encryption and secure element safeguards, see https://support.apple.com/en-afri/guide/security/secb569bf393/web.

For an overview of Google Wallet’s security, tokenization, and user privacy safeguards, see https://safety.google/pay/.

9. Data Subject Rights

UK/EU/EEA Users (GDPR/UK GDPR)

Rights to access, rectification, erasure, restriction, objection, portability, and withdrawal of consent. Complaints may be lodged with the Information Commissioner’s Office (ICO) or the relevant supervisory authority.

California Users (CCPA/CPRA)

Rights to know, access, correct, delete, and opt out of the sale or sharing of personal information. Non-discrimination for exercising rights. Tickle recognises Device IDs as personal information under CPRA.

Other U.S. State Users

Tickle will extend comparable rights in jurisdictions such as Virginia, Colorado, and Connecticut.

Exercise of rights: Contact privacy@JoinTickle.com or utilise the “Do Not Sell or Share My Personal Information” mechanism accessible from Wallet passes and our website.

10. Children’s Privacy

Tickle services are not directed at children under the age of 13 in the U.S. or under the age of 16 in the UK/EU. Data inadvertently collected will be deleted upon request.

11. International Data Transfers

All Wallet pass data and related engagement information are currently hosted and processed within the United Kingdom under the control of Tickle Global LTD. At present, no Wallet data are transferred outside the United Kingdom or the European Economic Area.

In the event that Tickle Inc. or another Tickle affiliate outside the UK/EEA processes such data in the future, Tickle will ensure compliance with applicable law by implementing appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), together with supplementary measures as necessary.

Where Data is transferred outside the UK or EEA, Tickle relies on adequacy decisions, Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), and supplementary safeguards as required.

12. Amendments

Tickle may revise this Policy from time to time. Material changes will be notified via our website, and where appropriate, in-app or via email. Continued use of our services following such changes constitutes acceptance.

13. Contact

• Tickle Global LTD (UK): 167–169 Great Portland Street, London, W1W 5PF

• Tickle Inc. (US): 447 Broadway, 2nd Floor #569, New York, NY 10013

• Email: privacy@JoinTickle.com