Privacy Policy
Last updated: May 2026 — GDPR compliant
1. Who We Are
Return It To Me (trading as RtnIt2.me) is the data controller responsible for your personal data collected through this website. We are committed to protecting your privacy in line with the General Data Protection Regulation (GDPR) and applicable data protection laws.
Contact our Data Protection Officer: privacy@rtnit2.me
2. What Personal Data We Collect
Account Holders (registered users):
- Name and email address (used to create your account and send notifications)
- Phone number (optional)
- Password hash (we never store your raw password)
- Billing address (collected by Stripe for payment processing)
- QR profile names and descriptions you create
Finders (non-registered users who scan a QR code):
- Name, phone number, email address (provided voluntarily when reporting a found item)
- Message and optional photo of the found item
- Approximate location (if provided or derived from IP)
- IP address and browser/device type (for security and abuse prevention)
- Anonymous chat token (generated to enable identity-protected communication)
All visitors:
- IP address, browser type, operating system (server logs, kept for up to 30 days)
- Session cookies (for authentication and CSRF protection)
3. Lawful Basis for Processing (GDPR Article 6)
| Purpose | Lawful Basis |
|---|---|
| Creating and managing your account | Contract (Article 6(1)(b)) |
| Sending found-item notifications | Contract (Article 6(1)(b)) |
| Processing payments via Stripe | Contract (Article 6(1)(b)) |
| Detecting and preventing fraud/abuse | Legitimate Interest (Article 6(1)(f)) |
| Improving and securing our service | Legitimate Interest (Article 6(1)(f)) |
| Marketing emails (if you opt in) | Consent (Article 6(1)(a)) |
| Legal compliance and record-keeping | Legal Obligation (Article 6(1)(c)) |
4. How We Use Your Data
- To create and maintain your QR profile and dashboard
- To notify you via email when a finder reports your item
- To facilitate communication between you and a finder by email through our system
- To process your payment for physical or digital products
- To send account-related transactional emails (receipts, password resets, plan renewals)
- To comply with legal or regulatory obligations
- To protect against fraudulent use of the platform
We do not use your data for advertising profiles, we do not sell your data to third parties, and we do not use it for any purpose incompatible with the above.
5. Finder Data and Anonymity
When a finder submits their details through a QR scan, we share only the minimum necessary information with the item owner (you). If a finder chooses to remain anonymous, their personal contact details are hidden from you; only communication by email through our system is accessible. Finder data is never sold or shared beyond what is needed to facilitate the return of your item.
6. Data Retention
- Account data: Retained for as long as your account is active, or up to 30 days after a deletion request
- Finder submissions: Retained for 24 months, or until the item is marked as returned, whichever is sooner
- Chat messages: Retained for 12 months after the last message or return closure
- QR scan logs: Retained for 12 months
- Payment records: Retained for 7 years (legal obligation)
- Server access logs: Automatically purged after 30 days
7. Third-Party Processors
We use the following trusted third-party processors, each bound by data processing agreements:
- Stripe: Payment processing — stripe.com/privacy
- ipapi.co: IP-based geolocation for scan analytics (anonymised after processing)
- Email provider (SMTP): Transactional email delivery
We do not share your data with any other third parties unless required by law.
8. International Data Transfers
Some of our processors may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data to an equivalent standard.
9. Your Rights Under GDPR (Articles 15–22)
| Right | What It Means |
|---|---|
| Right of Access | Request a copy of all personal data we hold about you |
| Right to Rectification | Correct inaccurate or incomplete personal data |
| Right to Erasure | Request deletion of your data ("right to be forgotten") where no legal obligation requires retention |
| Right to Restrict Processing | Ask us to pause processing of your data in certain circumstances |
| Right to Data Portability | Receive your data in a structured, machine-readable format |
| Right to Object | Object to processing based on legitimate interests or for direct marketing |
| Right to Withdraw Consent | Withdraw consent at any time (e.g. for marketing emails) without affecting prior lawful processing |
To exercise any of these rights, email: privacy@rtnit2.me. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK or the relevant DPA in your country).
10. Cookies
We use only essential cookies required for the Service to function — specifically session authentication cookies and CSRF protection tokens. We do not use advertising or tracking cookies. For full details, see our Cookie Policy.
11. Children's Privacy
The Service is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
12. Security
We implement industry-standard security measures including HTTPS encryption, hashed password storage, CSRF protection, and access controls. While we take reasonable precautions, no internet transmission is 100% secure, and we cannot guarantee absolute security.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users via email or a prominent website notice before the change takes effect. The "last updated" date at the top of this page reflects the most recent revision.
14. Contact
For privacy-related questions or to exercise your rights, contact our Data Protection Officer: privacy@rtnit2.me