Refueler (incorporating as Refueler Ltd, England & Wales) is the data controller for all personal data processed through the Refueler platform — including refueler.io, the mobile app, and the Command Centre merchant dashboard.
We are registered with the Information Commissioner's Office. Our ICO registration number will be displayed here prior to this policy going live.
Third-party processors
| Processor | Role | Region |
|---|---|---|
| Supabase | Database infrastructure and authentication | EU |
| Cloudflare | Content delivery, DNS, Pages hosting, and Workers API layer | Global edge / DPA |
Both processors operate under signed Data Processing Agreements. No other third-party processors handle personal data at this time. Cloudflare's global edge network may route traffic through non-EU nodes; this is governed by Cloudflare's standard contractual clauses under their DPA.
We collect only what is necessary to operate the service. The table below covers every category of personal data we process.
| Data | Purpose | Stored | Shared with |
|---|---|---|---|
| Email address | Magic link authentication only | Supabase (EU) | Nobody |
| Order content (item, vendor, timestamp) | Fulfilment, vendor queue, reward calculation | Supabase (EU) | Named vendor only |
| Ecash reward amount | Issuance record | Supabase (EU) | Nobody |
| Push subscription token | Order-ready notification | Supabase (EU) | Nobody |
| Passkey credential (WebAuthn public key) | Biometric re-authentication | Supabase (EU) | Nobody |
| Webhook source IP | Security audit — HMAC signature verification log only | Supabase (EU) · 90 days | Nobody |
| Location data | On-device geofence — never transmitted | Your device only | Nobody |
We do not collect: name, phone number, age, gender, payment card details, browsing behaviour beyond the order flow, or biometric data beyond the Passkey public key (which cannot reconstruct a biometric).
The Passive Ambient Awareness feature — which detects when your train is approaching and prepares your order — runs entirely on your device. No location data is ever transmitted to our servers.
How it works, step by step:
- Geofence boundaries are registered locally on your phone's OS — no coordinates are sent to our servers
- Your phone's OS detects train movement locally (velocity + location) — no data leaves the device at this step
- A local prompt fires: "Your flat white will be ready in 4 mins, confirm?"
- If you confirm, your phone sends only: item + vendor ID + session token — no location data
- Our database has no location column — this is an architectural guarantee, not a policy promise
Opt-in required. You choose whether to enable this feature during onboarding. You can toggle it off at any time in Settings → Location. Disabling it has no effect on ordering, reward earning, or any other app feature.
Every processing activity has a lawful basis under Article 6 of the UK GDPR. We do not rely on legitimate interests for anything where consent or contract is the appropriate basis.
| Activity | Legal basis |
|---|---|
| Place an order | Art. 6(1)(b) — performance of contract |
| Sign in via magic link | Art. 6(1)(b) — performance of contract |
| Earn a reward | Art. 6(1)(b) — performance of contract |
| Allow push notifications | Art. 6(1)(a) — consent |
| Enable train geofence | Art. 6(1)(a) — explicit consent, withdrawable anytime |
| Register a Passkey | Art. 6(1)(a) — consent |
| Security & fraud prevention (incl. webhook IP log) | Art. 6(1)(f) — legitimate interests |
| Newsletter (opt-in only) | Art. 6(1)(a) — consent |
We keep data only as long as necessary. Auto-purge runs automatically for all expired categories — you do not need to request deletion for routine expiry.
| Data | Retention | Reason |
|---|---|---|
| Order records | 13 months from order date | Dispute resolution window |
| Email address | Duration of account | Authentication |
| Push subscription token | Until withdrawn, or 90 days inactive | Notification delivery |
| Ecash reward records | 6 years | HMRC financial compliance |
| Passkey public key | Duration of account | Authentication |
| Webhook security log (source IP) | 90 days — auto-purged | Security audit only · not linked to user identity · not used for profiling |
Ecash reward records are retained for six years under HMRC financial compliance obligations. This applies even if you delete your account. All other data is deleted upon account closure.
The webhook security log records the source IP of incoming payment settlement webhooks solely to detect forged or replayed requests. It is not linked to any user identity and is never used for profiling.
- Magic link — passwordless, single-use, expires after 10 minutes
- Passkey (WebAuthn) — biometric re-authentication for returning users; only the public key is stored; your private key never leaves your device
- Sessions — short-lived JWT (1 hour); stored in memory only, never in localStorage or persistent cookies
- Sensitive actions — linking a new wallet or deleting your account always requires a fresh magic link confirmation, regardless of active session
- Encryption — AES-256 at rest for all Supabase data; TLS 1.3 in transit
- Webhook security — incoming payment confirmations are verified using HMAC-SHA256 signatures; unverified requests are silently rejected and the source IP is logged for 90 days (audit only — see §05)
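As an added illustration of the webhook check described in the list above (example code, not Refueler's own), the following Python sketch verifies an HMAC-SHA256 tag in constant time, rejects stale or repeated settlement events, and records only the source IP with a purge time 90 days out; the `<timestamp>.<body>` signing format, the `event_id` field and the demo secret are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo secret; a real deployment loads it from a secrets store.
WEBHOOK_SECRET = b"constructed-demo-secret"
TIMESTAMP_WINDOW_S = 300             # reject tags older than 5 min (replay guard)
LOG_RETENTION_S = 90 * 24 * 3600     # the policy's 90-day audit window, in seconds


def sign(body: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 tag over '<timestamp>.<raw body>' (assumed mint format)."""
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


@dataclass
class WebhookVerifier:
    secret: bytes = WEBHOOK_SECRET
    seen_ids: set = field(default_factory=set)     # event ids already accepted
    audit_log: list = field(default_factory=list)  # rejected-request entries only

    def _reject(self, source_ip: str, reason: str, now: int) -> bool:
        # Only source IP, reason and purge time are kept: nothing user-linked.
        self.audit_log.append({"source_ip": source_ip, "reason": reason,
                               "purge_after": now + LOG_RETENTION_S})
        return False

    def purge_expired(self, now: int) -> int:
        """Drop audit entries whose purge time has passed; returns how many."""
        keep = [e for e in self.audit_log if e["purge_after"] > now]
        removed = len(self.audit_log) - len(keep)
        self.audit_log = keep
        return removed

    def verify(self, body: bytes, ts_header: str, sig_header: str,
               source_ip: str, now: int) -> bool:
        ts = int(ts_header) if ts_header.isdigit() else 0  # non-numeric -> stale
        if abs(now - ts) > TIMESTAMP_WINDOW_S:
            return self._reject(source_ip, "stale-timestamp", now)
        # compare_digest is constant-time, so a forger learns nothing from timing
        if not hmac.compare_digest(sign(body, ts, self.secret), sig_header):
            return self._reject(source_ip, "bad-signature", now)
        event_id = json.loads(body).get("event_id")
        if not event_id or event_id in self.seen_ids:
            return self._reject(source_ip, "replay", now)  # same event twice
        self.seen_ids.add(event_id)
        return True
```

A scheduled job calling `purge_expired` with the current time is what makes the 90-day window an enforced limit rather than a stated one.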
Refueler uses the Cashu ecash protocol for payments. When you pay for an order, your wallet generates an ecash token. Settlement is confirmed via a webhook from the mint — a server-to-server message that tells us your payment has cleared, without revealing your wallet identity.
We never see your wallet address, Lightning invoice, or on-chain address. The mint confirms payment to us. We do not query the mint about you.
Payment confirmation fallback. In exceptional cases where payment webhook delivery fails after three retries over two minutes, our backend may query the mint directly to verify payment status. This is a last-resort mechanism only.
This fallback (NUT-07) is the only instance where our backend initiates contact with the mint about a specific order. It is logged in our webhook failure audit table for ICO compliance. The log records only: order reference, timestamp, and outcome — never wallet identity.
Lightning addresses are held in transient memory for the duration of the payment push only — they are never written to our database.
Refueler offers two reward tracks. You choose during onboarding and can switch at any time in Settings.
Sats track (default). Rewards are issued as ecash tokens denominated in Bitcoin satoshis. Tokens are bearer instruments — they live on your device from the moment of issuance. We record: amount in sats, timestamp, and vendor — for financial records only. We do not record your wallet address or node pubkey.
Loyalty stamp track. A digital stamp card mirroring the participating venue's own scheme. Stamp progress is stored locally on your device and synchronised with our servers solely for continuity across devices. The same access, correction, and deletion rights apply to your stamp record as to any other personal data we hold.
A note on stamp data classification. Whether locally stored loyalty stamp progress constitutes personally identifiable data under FCA and ICO frameworks is a question we have raised formally. Until we receive guidance, stamp data is treated as potentially personal data in this policy, and all GDPR rights apply to it accordingly.
FCA pre-application meetings open July 2026. This section will be updated following formal guidance on loyalty stamp classification. If guidance confirms stamps are not PII, the stamp track data section will be updated at v2.0 with email notification to affected users.
We use one strictly necessary cookie:
Supabase session token — a short-lived JWT that expires when you close the tab, or within 1 hour. That is all.
No advertising cookies. No analytics cookies. No third-party cookies. No cookie banner is required — nothing here needs separate consent beyond what you agreed at sign-up.
Verify this yourself: browser developer tools → Application → Cookies. One token. Nothing else.
We send a weekly or fortnightly newsletter — Bitcoin news, platform updates, and event announcements.
Newsletter subscription requires a separate, explicit opt-in from account creation. You will never be subscribed automatically.
Unsubscribe at any time via the footer link in any newsletter, or by emailing [email protected]. We do not sell, rent, or share your email address with third-party marketing companies.
You have the following rights over your personal data.
To exercise any of these rights, email [email protected]. We will acknowledge your request within 24 hours and respond in full within 30 days.
Right to complain to the ICO
If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) under Article 77 of the UK GDPR.
ICO website: ico.org.uk · Helpline: 0303 123 1113
We would always prefer the opportunity to put things right first — please contact us at [email protected] and we will respond promptly.
We will notify you of any material changes by email before they take effect. The current version is always available at refueler.io/privacy.
Material changes include: new categories of data collected, new processors, new legal bases, or changes to retention periods.
Minor corrections (wording, address updates) increment the minor version number only and do not trigger email notification.
Versioning: MAJOR.MINOR — e.g. 1.0 (launch) → 1.2 (minor additions) → 2.0 (material change). Version history is maintained in a private Git repository.
For any data-related enquiries, requests, or concerns:
Email: [email protected]
Post: [Registered address — to be confirmed at incorporation]
ICO registration: [Number to be added prior to publication]
We are a small, committed team. Every privacy enquiry is read and responded to personally.