There is a scene in every good thriller where a bureaucrat in a tailored suit slides a manila folder across an oak desk. The room is quiet. The lighting is deliberate. The subject — seated on the other side — assumes they are there to discuss something routine. An administrative matter. A formality.
The folder opens. Inside: a full dossier. Not a summary. A life in cross-referenced detail. Movements recorded over months. Financial patterns. Known associates. The coffee shop visited every Tuesday at 7.43am, reliably, for eleven weeks. The longer commute taken on Fridays. The change in routine in September — a new job, perhaps, or a different station. The bureaucrat has not asked a single question. Everything he needed was already there, assembled gradually, through the ordinary business of a person going about their day.
The subject looks up from the folder and says the only thing there is to say: "How long have you known?"
The answer, in the thriller, is always the same. "Long enough."
This is not a metaphor. If you use one of the major coffee-chain ordering apps available on the British high street today, that folder exists. It is not in a manila envelope. It is in a data centre — probably in Dublin or Oregon — and it is considerably more detailed than anything assembled in a thriller's opening act. The subject, in this version, is you. The bureaucrat across the desk is a marketing technology platform you have never heard of. And the Tuesday coffee was, among other things, a data point.
What the app actually collects
When you download a franchise ordering app and tap accept, most people assume they are handing over their coffee order. In practice, account creation alone captures your name, email address, phone number, birthday, and a loyalty ID attached to every transaction you make from that moment forward. Before you have ordered a single flat white, the app knows who you are.
From there, location tracking begins. Most apps request "while using the app" permissions, but several operate with background access — meaning the app can note your proximity to a store even when you are doing something else entirely. Wi-Fi and Bluetooth beacon data adds indoor precision: the app can often determine which queue you stood in, how long you waited, and whether you sat in or left immediately. This is not presented as surveillance. It is presented as convenience.
Device identifiers go further. Your advertising ID — a unique string assigned by Apple or Google specifically so advertisers can track you across applications — is typically collected alongside your IP address, mobile carrier, device model, and app version. These are not operational necessities. They are marketing infrastructure, assembled quietly by design.
Behavioural analytics are logged throughout every session: which items you viewed but did not order, how long you spent on the customisation screen, what you searched for, whether you abandoned your cart. This is the data that advertising platforms prize most — high-intent, temporally precise, and updated every time you open the app. Loyalty app data is, in this sense, among the most valuable categories of on-device location data available to the ad-tech industry.
What it is worth
The honest answer is: more than the coffee.
No major coffee chain will tell you in plain English that it sells your data. They do not have to. Privacy policies instead use phrases such as "sharing with partners," "engaging analytics vendors," or "working with business affiliates." Under UK GDPR, some of this sharing can legally constitute a sale of personal data — even where no direct payment changes hands.
The commercial reality is straightforward. An analytics platform receives your behavioural data. An ad network derives an audience segment from it. A data broker acquires that segment, merges it with data from other apps and sources, and licenses the resulting profile onward. The process repeats. The profile deepens. The person who placed the order — tapping their phone in the queue near Fenchurch Street — has become, without ever being asked, a revenue line in someone else's annual report.
"They call it a loyalty programme. It is, more accurately, a loyalty extraction programme — where the currency being extracted is not points. It is you."
The categories that should concern you
Most data collection in this space sits under six headings. Understanding them is useful — not because you will read every privacy policy in full, but because it clarifies what you are actually trading for the occasional free coffee.
Loyalty and rewards profiling is where behavioural analysis becomes commercially aggressive. Apps categorise their users — "morning commuter," "high-value customer," "weekend visitor," "lapsed customer." These labels are not operational shorthand. They are audience segments, built to be sold to, or sold.
Marketing and ad tracking is where third-party software enters uninvited. Facebook's tracking code, TikTok's equivalent, and Google Ads attribution are embedded — with varying degrees of disclosure — into many of the most popular loyalty apps. Their function is to connect your in-app behaviour to your activity elsewhere. The flat white you bought on a Wednesday morning can, in principle, influence what you are shown on your phone by Thursday.
There is a term in the intelligence world for information that has passed through several hands before reaching its destination. It is called "sanitised." The data industry prefers a different word for the same process. They call it "enriched."
The regulatory picture — and why it is tightening
The UK's Information Commissioner's Office has the power to fine organisations up to £17.5 million — or four percent of global annual turnover — for serious data protection failures. In 2025, that power was deployed with considerably more force than in prior years, even as the number of formal investigations declined sharply.
The direction of travel is clear. Fewer investigations do not mean diminished risk — they mean concentrated risk. When the ICO acts, the consequences are material. Companies whose business models depend on broad, permissive data collection face a period of genuine uncertainty as these powers mature. Companies whose architecture does not collect the data in the first place face something different: a structural competitive advantage, written into their codebase from day one.
Refueler does not do any of this
This is not a soft claim. It is an architectural one — and for the technically minded, it is verifiable. Open your browser developer tools on the Refueler web app. Navigate to Application → Cookies. You will find one token: a short-lived session identifier that expires when you close the tab. Nothing else. No advertising trackers. No third-party pixels. No location column in the orders database — by design, not policy.
The passive ambient awareness feature — the mechanism that detects when you have boarded your train and sends a quiet prompt to confirm your order — runs entirely on your device. The geofence logic, the velocity check, the trigger: all local. Nothing is transmitted to Refueler's servers until the moment you confirm your order, at which point only the item and vendor are sent — no location, no route, no timing data.
What we know is what you tell us when you place an order: what you want, and where to collect it. The feature requires explicit opt-in at onboarding, and consent can be withdrawn at any time through a toggle in settings. This is not a novelty — it is a minimum standard. What is less common is that the architecture makes the privacy promise structurally true, rather than contractually asserted. You are not trusting Refueler not to misuse your location data. You are relying on the fact that we do not have it.
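The on-device pattern described above, as an added example that is not Refueler's code: the geofence and velocity check run locally behind the opt-in flag, and the order payload is built from an allow-list so location and timing cannot reach the request body. The coordinates, thresholds, field names and function names are assumptions made for illustration.

```javascript
// Added example: hypothetical names and thresholds, not Refueler's code.
const STATION = { lat: 51.5116, lon: -0.0787, radiusM: 150 }; // constructed geofence
const MIN_SPEED_MPS = 8; // assumed: faster than walking, so likely a moving train

// Great-circle distance in metres between two {lat, lon} points.
function haversineM(a, b) {
  const R = 6371000, rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat), dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}

// Runs on the device only. Returns true when a fix inside the station
// geofence is followed by a fix outside it at train-like speed.
function boardedTrain(fixes, optedIn) {
  if (!optedIn) return false; // no opt-in: location is never evaluated
  for (let i = 1; i < fixes.length; i++) {
    const prev = fixes[i - 1], cur = fixes[i];
    const dt = (cur.t - prev.t) / 1000;
    if (dt <= 0) continue; // skip duplicate or out-of-order fixes
    const wasInside = haversineM(prev, STATION) <= STATION.radiusM;
    const nowOutside = haversineM(cur, STATION) > STATION.radiusM;
    const speed = haversineM(prev, cur) / dt;
    if (wasInside && nowOutside && speed >= MIN_SPEED_MPS) return true;
  }
  return false;
}

// The only function that produces data for the network. It copies an
// allow-list of fields, so location or timing attached to the draft
// cannot reach the request body.
const ORDER_FIELDS = ["item", "vendor"];
function buildOrderPayload(draft) {
  const payload = {};
  for (const k of ORDER_FIELDS) {
    if (typeof draft[k] !== "string" || draft[k] === "") throw new Error(`missing ${k}`);
    payload[k] = draft[k];
  }
  return JSON.stringify(payload);
}

// Constructed sample: two fixes 20 s apart, leaving the geofence.
const SAMPLE_FIXES = [
  { lat: 51.5116, lon: -0.0787, t: 0 },
  { lat: 51.5116, lon: -0.0737, t: 20000 },
];
```

An allow-list at the single point where data leaves the device is what makes the claim checkable in review: a new field has to be added to `ORDER_FIELDS` before it can be transmitted.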
"Your phone works it out locally. We never see where you are."
The payment rail — and why money matters here too
Most payment systems are, on closer inspection, also data systems. Every card transaction leaves a trace: merchant category, amount, timestamp, location. That trace is valuable to card networks, to banks, and to the data-brokerage industry that processes it downstream. It is the loyalty-app extraction problem, running quietly in the background of every contactless payment.
Refueler's payment rail is built on Bitcoin's Lightning Network, with rewards settled in satoshis — the smallest denomination of the hardest, scarcest money ever created. Bitcoin does not ask for your birthday. It does not maintain a behavioural profile. A Lightning payment carries no merchant-enriched metadata to a third party. The transaction settles. The satoshis move. There is nothing left to license.
Lightning addresses — used solely to push your reward payment — are held in transient memory for the duration of that payment and are never written to the database. Your ecash balance lives on your device. We cannot freeze it, reverse it, or access it. The rewards are yours from the moment they are issued — not a promise, a technical fact.
A sealed room
In the thriller's second act, the subject returns to the oak-panelled room. This time, they are not handed a folder. Instead, the bureaucrat — looking faintly embarrassed — informs them that the operation has been wound down. The pipeline was discontinued. The data, it turned out, had never been collected.
There was nothing to intercept. Nothing to protect against. Nothing to explain to a regulator, a journalist, or a customer who eventually, inevitably, asked the question.
Refueler made a deliberate decision. We could have built the folder. Every app in this space has the opportunity to earn twice — once from the merchant, and once from the quiet commerce of knowing who you are. We declined, not out of sentiment, but out of design. Some intelligence services describe their most sensitive assets as being held "in a sealed room" — a place where access is controlled not by policy, but by the structure of the room itself. Nobody enters without clearance. Nothing leaves without need.
That is, more or less, how Refueler handles your data. The room is sealed. What is inside belongs to you.