Vircarda Privacy Notice

Reference Point Limited (we) are committed to protecting your personal information and respecting your privacy.  Our address is Shire House, West Common Gerrards Cross, Bucks SL9 7QN and you may email us at


This policy, together with our Vircarda end-user licence terms (Licence Terms), applies to your use of:

  • Our Vircarda mobile application software (App), once you have downloaded a copy of the App onto your mobile telephone or handheld device (Device).

  • Our service accessible through the App (Service).

This policy describes the types of "personal Information” (information that is capable of identifying a particular person) we collect from you or that you provide to us, and explains the basis on which we will process that personal information and how we safeguard your privacy as a user of Vircarda and its back-end services. For more details on what your rights and obligations are when using the Service, please refer to the Licence Terms.

This policy does not seek to cover the personal information supplied by you to your card issuer in order to obtain a virtual smartcard or how your card data is used in relation to which a separate privacy policy should be available from your card issuer. The App is not intended for children and we do not knowingly collect data relating to children.

For the purpose of the General Data Protection Regulation (GDPR (EU) 2016/679) and any implementing or successor legislation or equivalent legislation in other jurisdictions (“data protection legislation”), the data controller (or its equivalent, if any, in other jurisdictions) is Reference Point Limited

If you are in Australia: We treat your personal information collected by us, or that you may provide to us, in accordance with the Australian Privacy Principles as contained in Schedule 1 of the Privacy Act 1988 (“the Privacy Laws”).

Questions, comments and requests regarding this policy are welcomed and should be addressed for the attention of our Data Protection Officer at

How does the service work?

Vircarda is an app that holds virtual smartcards (“cards”). Before you can use the App, you have to register via the App. Once you have registered, you can download virtual cards that have been issued to you by card issuers authorised by us. Virtual cards downloaded by you into Vircarda can be read by other parties using software or application protocol interfaces (APIs) supplied by us. Such parties can only read your cards with your permission. Your permission is given by you presenting them with card credentials such as a code generated by your card.


You must use a secure password for your use of the App and Service and it is your responsibility to keep your password confidential.

What types of personal information we collect

The personal information that you give us or we collect from or about you may include:

  • Contact information such as name, telephone numbers and e‐mail addresses;

  • Information such as date of birth to help verify your identity;

  • Details of any ancillary services to which you have subscribed to via the Service;

  • What you have used the Service for;

  • Notifications sent to you;

  • What cards are held or have been held in your app but not details of the card contents;

  • Information to help authenticate your access to the Service;

  • Technical information, including the type of mobile device you use, a unique device identifier (for example, your Device's IMEI number, the MAC address of the Device's wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting and other information about your device;

  • If you contact us, a record of that correspondence.

How and from whom we collect your information

The Service may collect personal information about you:

  • Directly through your entry of information for the Service (for example, when you fill in forms to register);

  • From card scheme operators or service providers whose virtual cards you download;

  • From other third parties (including, for example, sub-contractors in technical services, analytics providers, search information providers, and so on);

  • From geolocation services utilised by your device;

  • From backend services integral to the Service.

How we use your personal information

We treat your personal information as confidential. We do not sell or rent your personal information. We do not use or share your personal information in a manner that differs from what is described in this policy without your prior consent.

We may use and disclose your personal information for the following purposes, including limited disclosures to our affiliates, to non‐affiliated third party service providers performing services on our behalf, to card scheme operators and to certain other non-affiliated entities as described below:

  • To provide services authorised by you (such as to share information about your virtual cards with people reading your cards and to send messages to you related to authorised services, including sending notifications to your device from us or your card scheme operator);

  • To verify your identity and perform fraud screening by comparing details you give us about yourself with information from third parties including card scheme operators;

  • To share details of your card usage with the relevant card scheme operator;

  • To prevent fraudulent or other abusive use of a card in your app or the Service;

  • To comply with laws and regulations, including compliance with court orders or lawful instructions from a governmental or regulatory body, to protect the personal safety of card holders or the public, to defend the Service against legal claims and to protect the Service’s rights and property, as permitted by applicable law;

  • To support your use of the App;

  • To provide you with information, products or services that you authorise us to provide;

  • To carry out our obligations arising from any contracts entered into between you and us;

  • To allow you to participate in interactive features of our service, when you choose to do so;

  • To notify you about changes to our service;

  • In the event that we sell or buy any business or assets, in which case we will disclose your personal information to the prospective seller or buyer of such business or assets;

  • If  Reference Point Limited  or substantially all of its assets are acquired by a third party, in which case personal information held by it about its customers will be one of the transferred assets;

  • To complete a change of control transaction in which all or a portion of our operations and business are purchased or acquired by a third party;

  • In order to enforce or apply the Licence Terms and other agreements or to investigate potential breaches; 

  • To protect the rights, property or safety of Reference Point Limited, our customers, or others; or

  • As otherwise authorised by you.

We will only use your personal information when the law allows us to.  Under the data protection legislation our lawful basis for processing is as follows:

  • We may use your personal information to perform the contract we have entered into with you or in order to take steps at your request to enter into a contract with you.

  • Where we need to comply with a legal or regulatory obligation.

  • We and any third parties with whom we share your personal information may also find it necessary to process your data for legitimate interests we pursue, for example, to maintain the security of our services or improve them.  This basis only applies where your interests and fundamental rights do not override those legitimate interests.

  • Where we do not rely on another lawful basis, we may process your personal information based on consent you provide.

How we keep your information secure

To ensure your personal information remains confidential, the Service maintains physical, electronic, and procedural safeguards to help prevent unauthorised access to your personal information.

The Service has policies and procedures that limit employee access to your personal information to those with a business reason to have such information and we educate our employees about the importance of confidentiality and customer privacy.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of the information you transmit to us; any transmission is at your own risk. Once we have received your information, we will use reasonable procedures and security features to try to prevent unauthorised access.

Where we store your personal information


The personal information that we collect from you will be stored in the UK.  It will only be processed by staff operating inside the UK who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the provision of support services.

We will not transfer any data that we collect or receive from you that constitutes personal information outside of the EEA unless there are appropriate safeguards or an adequacy decision in relation to the transfer as set out in the data protection legislation or the transfer otherwise complies with the data protection legislation. Such transfers may involve, for example, our use of third party services allowing us to send emails or automated SMS messages which make use of facilities in third countries to process and store data.

If you are in Australia:  The personal information that we collect from you will be stored in Australia. It will only be processed by staff operating inside Australia or the UK who work for us or for one of our suppliers.  Such staff may be engaged in, among other things, the provision of support services.

We will not transfer any information that we collect or receive from you that constitutes personal information outside of Australia (save for any processing that occurs by us/our staff in the UK) unless we have taken such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Principle 1) in relation to the information. Such transfers may involve, for example, our use of third party services allowing us to send emails or automated SMS messages which make use of facilities overseas to process and store data.

For how long do we keep your personal information?

Information collected will be retained for a period no longer than is necessary to support the purpose of processing personal information set out above.

We will retain encrypted back up tapes for a maximum of 3 years from the termination of our contract with you, if any, or from when you cease to use our services. This time limit is set in line with the limitation period for possible legal claims which may require such data in order to be investigated and defended against.

Your rights

You have the right to:

  • Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, although we may need to verify the accuracy of the new personal information you provide to us.

  • Request erasure of your personal information (commonly known as “the right to be forgotten”). This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

  • Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.


Where our processing is based on your explicit consent to our processing, you have the right to withdraw such consent (this will not affect the lawfulness of processing prior to the withdrawal of your consent).

If you wish to exercise any of these rights, please contact our Data Protection Officer at


If you are in the EEA: You have the right to lodge a complaint about our processing with the Information Commissioner’s Office (ICO), the UK’ supervisory authority for data protection issues or other competent supervisory authority of an EU member state if the App is downloaded outside the UK.

Rest of world: If you believe that we have at any time failed to keep one of our commitments to you to handle your personal information in the manner required by the Privacy Laws, then we ask that you contact us immediately at


You have the right to ask us not to process your personal information for marketing purposes. We will inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes and you can withhold your consent to and prevent such processing by not checking certain boxes on the forms we use to collect your data.  You can also exercise the right to prevent such processing at any time by contacting us at

Consequences of failing to provide personal information

Your provision of personal information to us may be a requirement necessary for you to enter into a contract with us. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you.

Third party links

The App or any related website of ours may, from time to time, contain links to third party websites. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal information that may be collected through these websites or services, such as contact and location data. Please check these policies before you submit any personal information to these websites or use these services.

Changes to this privacy policy

We keep our privacy policy under review. Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by SMS or by e-mail or when you next start the App. The new privacy policy may be displayed on-screen and you may be required to read and accept the changes to continue your use of the App or the Service.

It is important that the personal information we hold about you is accurate and current. Please correct your registration details in the App if your personal information changes during our relationship with you.