Legal

Privacy Policy

Last updated: April 2026

1. Data controller

The data controller for BenefitMap is BenefitMap Ltd (company number pending registration), registered address to be confirmed. You can contact us about privacy matters at privacy@benefitmap.co.uk.

We are in the process of registering with the Information Commissioner's Office (ICO) as required under UK GDPR. Our ICO registration is pending; this notice will be updated with the registration number once issued.

2. What data we collect

We collect the following categories of personal data:

  • Account data: your email address and, optionally, your name.
  • Location data: your partial postcode (e.g. “SW1A”) and local authority area, used to filter geographically restricted benefits.
  • Demographic data: your age band (e.g. “25–59”). We do not collect your date of birth.
  • Usage preferences: whether you have a vehicle, how many vehicles, which airports you use, which travel zones you use, and whether you travel with a companion or carer. These are used solely to calculate estimated benefit values.
  • Disability-related credential data (special category): the credentials you hold or have applied for, such as a Blue Badge, Personal Independence Payment (PIP), Attendance Allowance, Disabled Railcard, Disabled Students' Allowance, CEA Card, or Motability scheme membership — together with their status and optional expiry dates. See section 4 for how we handle this data.

We do not collect payment card details, National Insurance numbers, medical records, or diagnosis information.

3. How we use your data

We use your data to:

  • Match your profile against the benefits in our database and display your results.
  • Estimate the annual financial value of each matched benefit.
  • Send renewal reminders for credentials and benefits with expiry dates (if you opt in).
  • Improve the accuracy of our matching logic using aggregated, anonymised statistics.

We do not use your data for advertising, behavioural profiling, or sale to third parties.

4.1 Standard personal data (Article 6 UK GDPR)

For your account data, location data, demographic data, and usage preferences, our legal basis is legitimate interests (Article 6(1)(f)). Our legitimate interest is to provide you with an accurate, personalised benefits-matching service. We have assessed that this interest does not override your rights and freedoms, given that:

  • you actively choose to create an account and provide this data;
  • the data is used only to deliver the service you requested; and
  • you can delete your account and all associated data at any time.

4.2 Special category data — disability credentials (Article 9 UK GDPR)

The credential data you enter (Blue Badge, PIP, Attendance Allowance, CEA Card, and similar) constitutes health and disability data as defined under Article 9 UK GDPR. Processing this data requires an additional legal basis beyond Article 6.

Our legal basis for processing special category credential data is your explicit consent (Article 9(2)(a)), given when you add a credential to your profile. You may withdraw this consent at any time by removing a credential from your profile or deleting your account. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

5. How long we keep your data

  • Account and profile data is retained while your account is active.
  • Benefit match results are not stored permanently; they are recalculated fresh each time you view your dashboard, so they always reflect your current profile.
  • After you delete your account, all personal data is permanently deleted within 30 days. Anonymised aggregate statistics (e.g. total number of users who have a Blue Badge) may be retained indefinitely.

6. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: you can request a copy of the personal data we hold about you.
  • Right to rectification: you can correct inaccurate data via your profile settings.
  • Right to erasure: you can permanently delete your account and all associated data from your account settings page. We will complete deletion within 30 days.
  • Right to data portability: you can download all your personal data in machine-readable JSON format directly from your profile page, or by emailing privacy@benefitmap.co.uk.
  • Right to restriction: you can ask us to restrict processing of your data in certain circumstances.
  • Right to object: you can object to processing based on legitimate interests. If you do so, we will stop processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent: where processing is based on consent (see section 4.2), you can withdraw consent at any time by removing individual credentials from your profile page (click the × next to any credential), or by deleting your account entirely. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, email privacy@benefitmap.co.uk. We will respond within one calendar month.

7. Cookies

BenefitMap uses a single session cookie to keep you signed in. This cookie is set by NextAuth.js and contains a cryptographically signed JWT (JSON Web Token) that identifies your session. It is:

  • strictly necessary for the service to function;
  • not used for advertising or behavioural tracking; and
  • automatically deleted when you sign out or when it expires (30 days).

We do not use analytics cookies, advertising cookies, or any third-party tracking technologies. We do not use Google Analytics or any similar service.

8. Third parties and data transfers

We share your data with the following sub-processors:

  • Neon (database hosting): our PostgreSQL database is hosted on Neon. Data may be stored in the EU and/or US. Transfers to the US are protected by Standard Contractual Clauses (SCCs) under UK GDPR adequacy provisions.
  • Vercel (application hosting): our Next.js application is hosted on Vercel's edge network. Vercel acts as a data processor under a Data Processing Agreement. Data is processed in the EU and US under SCCs.
  • Postcodes.io (postcode lookup): when you enter your postcode during onboarding, we send it to postcodes.io — a free, open-source UK postcode API — to automatically detect your local authority. Postcodes.io does not store or log postcode lookups and does not receive any other personal data. See postcodes.io.

We do not sell, rent, or share your personal data with any other third parties for their own purposes.

9. Complaints

If you are unhappy with how we handle your data, please contact us first at privacy@benefitmap.co.uk. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to registered users by email. The “Last updated” date at the top of this page will always reflect the most recent revision.