Privacy Policy

Effective Date: 17 April 2026

This Privacy Policy applies if you use any of our Platforms, which may include Student Beans, GradBeans, Beans iD, our websites, mobile applications, or any other related services (the "Platforms").

This policy explains what personal data we collect, how we use it, who we share it with, and how we keep it safe. It applies to all users of our websites, mobile applications, and related services, regardless of location.

1. Who We Are and What We Do

The Platforms are operated by us and our affiliated companies. Depending on your location, one of these companies is the data controller of your personal data.

  • If you are located in the UK or the EU, The Beans Group Limited is your data controller
  • If you are located in the United States, The Beans Group Inc. is your data controller
  • If you are located in Australia, Student Beans Pty Ltd is your data controller
  • For users in other regions, The Beans Group Limited acts as data controller

2. What Information We Collect

We collect the following categories of data:

a. Information you provide directly

  • Name
  • Email address
  • Mobile phone number
  • Platform password
  • Date of birth
  • Gender
  • Country
  • School, university, or workplace details (for eligibility verification)
  • Expected year of graduation (students only)
  • Expiry of your closed consumer status
  • Any documents or data you upload for verification (e.g. student ID, proof of employment)
  • Preferences, feedback, and support queries

b. Information we collect automatically

  • Account creation time and activity
  • Code issuance activity
  • IP address, device ID, browser type
  • Location data (if permitted)
  • Log data and usage analytics (e.g. page views, clicks, interactions)
  • Cookie data and advertising identifiers

c. Information we receive from third parties

  • Verification partners or educational institutions: We may receive information confirming your eligibility for membership or verifying your status within a consumer group.
  • Affiliate networks and marketing partners: When you activate or redeem a code, we may receive confirmation of the transaction (e.g. brand name, time/date, products purchased).
  • Brands when you redeem codes: Brands do not routinely share personal data with us, but may contact us in limited cases (for example, if they suspect misuse of an offer) to assist with investigation.
  • Single sign-on providers: If you choose to register or log in using a third-party account (such as Google or Apple), we will receive certain information from that provider, such as your name and email address, in accordance with the permissions you grant at the time. We do not receive your password from these providers.

3. How We Use Your Information

We use your personal data to:

  • Verify your eligibility for our Platforms and on behalf of the brands we work with
  • Verify your identity and protect your account, including by sending one-time passwords (“OTPs”) or security codes to your mobile phone number
  • Provide you with access to offers and benefits
  • Personalise content, emails, and in-app experiences
  • Prevent fraud and unauthorised code/discount sharing
  • Administer surveys, competitions, and marketing campaigns
  • Analyse Platform usage and improve functionality
  • Comply with legal and regulatory obligations
  • Communicate with you, for example to respond to questions you've asked us or to contact you with important updates about the Platforms
  • Investigate suspected misuse, fraud, or unauthorised sharing of codes or offers, including reviewing account history, submitted documentation, and activity logs, and, where relevant, sharing information with affected brand partners.

Some of the personal data we collect is necessary for us to provide the Verification Service to you. In particular, providing your mobile phone number is required to receive OTPs, which are integral to verifying your identity. Providing eligibility documentation is required to obtain and maintain verified status. If you choose not to provide this data, we may not be able to verify your eligibility or deliver the service to you. Other data, such as preferences and feedback, is optional.

Breach of Member Terms

We actively monitor for misuse. If we believe you have breached the Member Terms, including through fraudulent activity, submitting false information, unauthorised code sharing, or attempts to circumvent our systems, we may suspend or permanently disable your access to the Platforms, with or without notice, and take further action where appropriate.

Use of mobile numbers for security and verification

We may use your mobile phone number to send OTPs or similar security codes to help confirm that you are the account holder, prevent fraud, and maintain the security of our Platforms.

The legal basis for this processing is the performance of our contract with you. OTPs are an integral part of the service we provide and cannot be disabled without impairing our ability to deliver that service to you.

We will always notify you at the point you provide your mobile number that it will be used for this purpose. Message frequency will vary depending on your account activity. Message and data rates may apply. Because OTP messages are an integral part of the service we provide under our contract with you, they cannot be disabled while you hold an active account. For assistance, reply HELP to the number from which you received the message, or contact us at help@studentbeans.com. To stop receiving messages, reply STOP at any time. Please note that because OTP messages are integral to the Verification Service, opting out may mean we are unable to deliver verification to you. Carriers are not liable for delayed or undelivered messages.

Your agreement to receive OTPs as part of our service does not constitute consent to receive marketing communications by SMS, nor does it constitute consent to share your mobile number with any brand partner.

Use of automated tools and AI in Verification

We may use automated tools, including AI, to help assess whether users are eligible for closed consumer group offers, based on the information and documentation they provide. This includes checks designed to detect fraudulent, invalid, or AI-generated submissions. This processing supports our legitimate interest in maintaining the security and integrity of our services and ensuring that offers are only made available to eligible users. We do not make final decisions based solely on automated processing. Where an automated tool flags a potential issue, a trained member of our team will always review the case and assess the outcome before any action is taken, including any decision to suspend or restrict your account.

In future, we may also use image-based verification tools to help identify falsified or inauthentic ID documents. These tools may involve the processing of facial imagery and other features that could constitute biometric data under data protection law. Where this applies, we ensure additional safeguards are in place, including appropriate legal justification, human oversight, and strict documentation of how the tool is used.

4. Marketing and Membership Programmes

This section covers marketing and promotional communications only.

It does not apply to OTPs or account security messages, which are described in Section 3 and cannot be opted out of while you hold a verified account with us.

How we contact you about products and services

We may send you marketing emails about our products, services, and offers. We will always give you a clear opportunity to opt out of these emails when you first register. Every marketing email we send will include an unsubscribe link, and you can also opt out at any time by updating your preferences in your account settings or by contacting us at help@studentbeans.com. Once you opt out, we will stop sending marketing emails to you promptly.

For users in the UK, we may send marketing emails about our own similar products and services on the basis of our legitimate commercial relationship with you (known as the "soft opt-in" under UK PECR), where: (a) you provided your email address when registering for or using our Platforms; (b) the marketing relates to products and services similar to those you signed up for; and (c) you were given a clear and simple opportunity to opt out when you provided your email address and in every subsequent marketing message.

You can opt out at any time by clicking the unsubscribe link in any marketing email, or by updating your preferences in your account settings.

Where we ask for your consent

For certain cohorts or communication channels, including SMS and WhatsApp marketing, we will ask for your specific consent before contacting you. Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of any marketing sent before withdrawal.

When you withdraw consent or opt out of marketing:

  • We will stop sending marketing communications promptly
  • We will retain a minimal suppression record to ensure we do not contact you again
  • This will not affect service communications or OTP messages linked to your account

Where we use SMS or other mobile messaging channels for marketing purposes, we will always ask for your specific consent before doing so. Any such programme will be clearly described at the point of opt-in, including the types of messages you can expect to receive, how frequently we may contact you, and how to opt out at any time by replying STOP. We will never use your mobile number for marketing SMS without your prior express consent, and your consent to receive OTP messages does not extend to marketing communications.

We do not sell, share, transfer, or otherwise disclose to any third party any mobile phone number collected for the purpose of delivering OTPs, nor any record of a user's consent to receive text messages through our messaging programmes.

Sharing data with brand partners

With your consent, we may also share your personal data (such as your name, email address, consumer group, verified status, country, and verification expiry date) with selected brand partners so they can contact you directly about their products and services. We will ask you for your specific consent at the point of your interaction with that brand, for example, when you activate an offer or access a brand's membership programme.

Brands we share your data with in this way become independent data controllers of that data. We are not responsible for how they use it once shared; please refer to their own privacy policies. You can withdraw your consent to this sharing, and request deletion of your data from a brand, by contacting them directly.

Membership programmes

Some brands offer loyalty or membership programmes exclusively for certain consumer groups. To access these, we may ask your permission to share limited tokenised information confirming your eligibility, specifically your consumer ID, consumer group and verified status, and verification expiry date. This is coded information confirming eligibility only; we do not share your full personal details in this context. If you choose not to share this information, you may not be able to access the relevant programme.

5. Sharing Your Data

We may share your personal data with trusted third parties when necessary to operate our services or meet legal obligations. This includes:

  • Brand and affiliate partners (to validate eligibility or investigate misuse);
  • Advertising and analytics providers (to improve your experience);
  • Technical service providers (email platforms, hosting providers, fraud detection tools);
  • SMS delivery and identity verification providers (these providers process your mobile phone number for the purpose of delivering OTPs and for related security and anti-spam monitoring purposes, in accordance with their own acceptable use policies; they are prohibited from using your data for their own marketing purposes); and
  • Legal, regulatory, or enforcement authorities (where required by law)

For UK and EU Citizens: Some of our service providers and partners may be located outside the UK or EU. Where we transfer your personal data internationally, we ensure it remains protected through appropriate safeguards, which may include: transfers to countries that have received a UK adequacy decision; the use of the UK International Data Transfer Agreement or standard contractual clauses; or other lawful transfer mechanisms approved by the ICO.

Where required, we carry out transfer impact assessments to satisfy ourselves that your data will be adequately protected in the destination country.

We only share what's necessary, and never more than is required to deliver the service or comply with the law.

6. Legal Basis for Processing

We rely on the following legal grounds to process your data:

  • Performance of a contract: To provide and secure our services under our Member Terms, including for account authentication and one-time passcode delivery, which are integral to service delivery.
  • Legitimate interests: To run, improve, and secure our services.
  • Consent: For sending you marketing and sharing data with brand partners.
  • Legal obligation: Where required by law.

Where we rely on legitimate interests, you have the right to object to this processing. We will assess your request and stop processing your data unless we can demonstrate compelling grounds to continue.

Legitimate interests: We rely on legitimate interests for the following activities, having assessed that our interests are not overridden by your rights and freedoms:

  • Preventing fraud, abuse, and unauthorised use of our Platforms and the offers we provide
  • Using automated tools (including AI) to verify eligibility and detect fraudulent submissions
  • Analysing how our Platforms are used, in order to improve functionality and user experience
  • Sharing information with brand partners where misuse of a code or offer is suspected
  • Retaining anonymised data to improve and train our fraud detection tools

You have the right to object to processing carried out on the basis of legitimate interests.

7. How Long We Keep Your Data

We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

The table below sets out our standard retention periods by data category. Where no specific period is listed, we apply the criteria set out below.

1. Account and Profile Data

  • Student member (verified as a student, whether currently active or lapsed)
    Retention period: 6 years from the date of first verification as a student, reflecting 1 year of active student verification plus a 5-year graduate transition window.
    Basis: Contract performance; legitimate interests (fraud prevention and graduate transition).
  • Graduate member (previously verified as a student with us)
    Retention period: 6 years from the date of first student verification. Student and graduate records are held on the same profile.
    Basis: Contract performance; legitimate interests (fraud prevention and continuity of service).
  • Graduate member (first verified as a graduate, with no prior student verification with us)
    Retention period: 2 years from the date of graduate verification, reflecting 1 year of active verification plus 1 year post-expiry.
    Basis: Legitimate interests (fraud prevention and post-expiry investigation).
  • Other closed consumer groups (excluding students and graduates)
    Retention period: 2 years from the date of verification, reflecting 1 year of active verification plus 1 year post-expiry.
    Basis: Legitimate interests (fraud prevention and post-expiry investigation).
  • Incomplete registration (registered but verification not completed)
    Retention period: 1 year from the date of registration.
    Basis: Legitimate interests (data minimisation).

2. Verification Data

  • Verification documents (e.g. student ID, proof of employment submitted for manual review)
    Retention period: Not retained beyond the review period. Documents are permanently deleted. We retain only the outcome of verification: whether your status was confirmed and when it expires.
    Basis: Data minimisation: no longer required post-verification.

3. Communications and Messaging Data

  • Mobile number (OTP and security use)
    Retention period: Retained for the duration of your account (whether active or inactive), then deleted on account closure in accordance with the account and profile data periods above.
    Basis: Contract performance: integral to service delivery.
  • Email marketing records (including content, send date, and engagement data)
    Retention period: 395 days from the date of your last active verification or last marketing engagement, whichever is later, after which you will be removed from our active marketing lists.
    Basis: Legitimate interests (compliance with marketing regulations, honouring opt-outs, and investigating complaints).
  • Marketing preferences and consent records (including records of opt-in to email, SMS, or brand partner data sharing, and any subsequent opt-out or withdrawal)
    Retention period: Duration of active account plus 3 years following account closure.
    Basis: Legal obligation: evidence of consent and legal basis for marketing communications sent.
  • Suppression records (record of opt-out from marketing communications)
    Retention period: Retained indefinitely following opt-out, to ensure we do not contact you again even after account closure.
    Basis: Legal obligation; legitimate interests.

4. Support Data

  • Support ticket data and associated personal data
    Retention period: 3 years from the date of resolution, unless subject to a legal hold or linked to an active fraud investigation.
    Basis: Legitimate interests (dispute resolution).

5. Security, Fraud and Legal Data

  • Fraud flags, investigation records, and suspension logs
    Retention period: 6 years from the date of the relevant event.
    Basis: Legitimate interests (fraud prevention and potential legal claims).

6. Analytics and System Data

  • Anonymised analytics and fraud model training data
    Retention period: Retained indefinitely. This data no longer constitutes personal data and cannot be used to identify you.
    Basis: N/A

Post-closure retention

Following account closure, whether voluntary, following a dormancy review, or at our request, we retain certain categories of data for the periods set out above. This enables us to deal with queries, disputes, or legal claims arising after closure, and to meet our legal and regulatory obligations.

Can I request deletion of my personal data?

Yes. You may request deletion of your personal data at any time by contacting us at infosec@wearepion.com. We will action valid requests promptly, subject to any legal or legitimate basis to retain certain data, including any applicable legal hold. Deletion will complete within 30 days of your request being actioned.

8. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or outdated data
  • Delete your data (unless we have a valid reason to keep it)
  • Object to or restrict how your data is used
  • Withdraw consent where that was the basis for processing
  • Request a copy of your data (data portability)

To exercise any of these rights, contact us at infosec@wearepion.com. We may need to confirm your identity before responding.

You also have the right to lodge a complaint with your national data protection authority.

In the UK: the Information Commissioner's Office (ICO): www.ico.org.uk

In the EU: your national supervisory authority

In Australia: the Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au

In the US: see Section 12 for California-specific rights and the contact for the California Privacy Protection Agency

9. Cookies and Tracking

We use cookies and similar technologies to help you stay logged in, understand how our Platforms are used, and show you relevant ads and offers.

Some cookies are essential to the operation of our Platforms.

For non-essential cookies (including analytics and advertising cookies), we will ask for your consent before placing them. You can manage or withdraw your cookie consent at any time using our cookie settings tool.

10. Data Security

We take steps to protect your data, including:

  • Encryption and secure storage
  • Access controls and audit logs
  • Staff training and incident response plans

Where a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with our obligations under applicable data protection law.

No system is 100% secure, but we take these risks seriously. Please contact us immediately if you believe your data may have been compromised.

11. Children's Privacy

We do not knowingly collect personal data from children under 13, and we do not direct any of our own Platforms at children.

If you believe a child under 13 has provided us with personal data, please contact us at infosec@wearepion.com and we will promptly delete it.

Users registering directly on our own Platforms must be at least 16 years old, in accordance with our Member Terms. Where our Verification Services are embedded within a partner platform that permits users aged 13 and above, we collect and process only the data necessary to confirm eligibility.

If you are under 18, we encourage you to read this policy with a parent or guardian.

12. California Residents

If you are a resident of California, this section applies to you and supplements the rest of this Privacy Notice.

It is provided in accordance with the California Consumer Privacy Act 2018 and the California Privacy Rights Act 2020 (together, "CCPA/CPRA").

What personal information we collect and why

In the preceding 12 months, we have collected the following categories of personal information about California residents:

  • Identifiers
    Examples: Name, email address, mobile number, IP address, device ID, account ID.
    Purpose: Account creation, verification, security, marketing.
  • Personal records
    Examples: Date of birth, gender, school or university details, proof of eligibility.
    Purpose: Eligibility verification, service delivery.
  • Commercial information
    Examples: Offer redemptions, code activations, transaction history.
    Purpose: Service delivery, fraud prevention.
  • Internet or network activity
    Examples: Browsing activity on our Platforms, page views, clicks, cookie data.
    Purpose: Analytics, personalisation, advertising.
  • Geolocation data
    Examples: Approximate location derived from IP address or, where permitted, device location.
    Purpose: Service localisation, fraud prevention.
  • Inferences
    Examples: Consumer group membership, verified status, interests inferred from Platform activity.
    Purpose: Personalisation, eligibility confirmation, marketing.

We collect this information from you directly, automatically through your use of our Platforms, and from third parties such as verification partners, affiliate networks, and brand partners (as described in Section 2).

Sale and sharing of personal information

We sell and share personal information about California residents as follows:

Sale: We disclose personal information (including your name, email address, mobile number, consumer group, and verified status) to brand and affiliate partners in exchange for monetary or other valuable consideration. This constitutes a "sale" under California law.

Sharing for cross-context behavioural advertising: We share personal information with third-party advertising partners (including through tools such as the Meta Pixel and Google Ads tags) to enable targeted advertising outside of our own Platforms. This constitutes "sharing" under California law.

In the preceding 12 months, we have sold or shared the following categories of personal information: identifiers, commercial information, internet or network activity, and inferences.

Your California privacy rights

As a California resident, you have the following rights:

  • Right to know: You may request details of the personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we have shared or sold it.
  • Right to delete: You may request that we delete personal information we hold about you, subject to certain exceptions (for example, where we need the data to complete a transaction or comply with a legal obligation).
  • Right to correct: You may request that we correct inaccurate personal information we hold about you.
  • Right to opt out of sale and sharing: You have the right to direct us not to sell or share your personal information with third parties. To exercise this right, contact us using the details in Section 13. Note that opting out of sale and sharing may limit your ability to access certain brand partnerships or membership programmes that depend on eligibility verification.
  • Right to limit use of sensitive personal information: Where we process sensitive personal information (such as identity documents used for verification), you may request that we limit our use of that information to what is necessary to provide the service.
  • Right of non-discrimination: We will not discriminate against you for exercising any of your California privacy rights. We will not deny you services, charge you a different price, or provide a lower quality of service because you exercised a right under this section.

Responding to your rights request

We will respond to verified rights requests within 45 days. If we need additional time (up to a further 45 days), we will notify you and explain the reason for the extension. We will not charge you for making a rights request, but may limit or decline requests that are excessive or unfounded.

13. Changes to This Notice

We may update this Privacy Notice occasionally. If the changes are significant, we will provide you with reasonable advance notice by email or on the Platform before they take effect.

14. Contact Us

Our Data Protection Officer is responsible for overseeing our approach to privacy and data protection.

You can contact our DPO directly:

Email: infosec@wearepion.com (subject line: "FAO Data Protection Officer")

Post: Data Protection Officer, The Beans Group Limited, 3rd Floor The Coade, 98 Vauxhall Walk, London SE11 5EL.

For general data rights requests (access, deletion, correction, objection, portability), you can also contact us at the same address with the subject line "Privacy Rights Request". We aim to acknowledge all requests within 5 working days and provide a full response within one calendar month.