Legal & privacy.

Our Privacy Policy, Terms of Service, Cookie Notice, and Data Processing Agreement. Each is currently being finalised with our legal counsel ahead of public launch. For the current draft of any document, email hello@phygitalux.io and we will send it within hours.

Privacy Policy

In review · Final version expected before public launch

The Phygital UX Privacy Policy describes the personal data we collect on behalf of our partner brands, how that data is stored on Cloudflare's EU edge infrastructure, the rights of data subjects under the EU GDPR, and the brand-isolated architecture that prevents any cross-brand data access.

Summary of how we handle data: Visitor events (tap, win, redeem) and email addresses are stored on Cloudflare D1 (EU). User-generated content uploads are stored on Cloudflare R2 (EU). Each brand's data is keyed by brand slug and never readable by another brand. Brands own all data captured during their subscription, exportable as CSV at any time.

Request current draft →

Terms of Service

In review · Final version expected before public launch

The Phygital UX Terms of Service describe the scope of the partnership between Phygital UX and a paying brand: production lead times, software access, kit reorder economics, cancellation rights, intellectual property handling, and acceptable use of the platform.

Brands can cancel anytime from their dashboard with the subscription stopping at the end of the current month. The Brand Challenge Page, integrations, and UGC remain accessible for 30 days post-cancellation for data export.

Request current draft →

Cookie Notice

In review · Final version expected before public launch

Phygital UX does not use tracking cookies on the marketing site or on brand Challenge Pages. Visitor identification on brand pages relies on a single browser-stable anonymous UUID, never tied to personal data without explicit consent (the customer entering their email to claim a reward).

Authentication on the brand dashboard uses a session-scoped opaque bearer token stored in the browser's session storage, cleared automatically when the brand closes the tab.

Request current draft →

Data Processing Agreement

Available on request

For brands subject to the EU GDPR, Phygital UX acts as a Data Processor on behalf of the brand (Data Controller). Our Data Processing Agreement covers sub-processors (Cloudflare, our chosen email and store integration providers), security measures, data subject rights handling, breach notification timelines, and data return / deletion obligations.

The DPA is provided as a counter-signable document on partnership confirmation, separately to the main Terms of Service. Some brand-side legal teams will require it before connecting Shopify or Klaviyo — we send it within hours of a request.

Request DPA →