Privacy Policy – Last Updated 10 November 2025

Student Discount Cards Limited (Company Number 08873775)

The privacy and security of your personal information is extremely important to us. This privacy policy explains how and why we use your personal data, to make sure you stay informed and can be confident about giving us your information. Your personal data is in safe hands with us.

1. Definitions

To help you understand this policy, we use the following terms:

• Alive Profile: Your personal account within the Alive App.
• Alive App: The mobile application used to display your ID or card and to provide additional features.
• Holder: The individual to whom the ISIC, IYTC, or ITIC card is issued.
• ISIC Card: The International Student Identity Card, endorsed by UNESCO.
• IYTC Card: The International Youth Travel Card, available to individuals under 35 who are not full-time students.
• ITIC Card: The International Teacher Identity Card, available to full-time teachers or teaching assistants.
• Data Controller: The organisation that determines how and why your personal data is processed.
• Data Processor: A third party that processes your personal data on behalf of the data controller.
• Personal Data: Any information that relates to an identified or identifiable individual.

2. Privacy Principles

We take your privacy seriously. The following principles underpin our approach to respecting your privacy:

• We value the trust that you place in us by giving us your personal information. We will always use your personal information in a way that is fair and worthy of that trust.
• We will provide clear guidance on how we use your personal information. We shall always be transparent with you about what information we collect, what we do with it, with whom we share it and who you should contact if you have any concerns.
• We will take all reasonable steps to protect your information from misuse and keep it secure.
• We will comply with all applicable data protection laws and regulations, and we will co-operate with data protection authorities. In the absence of data protection legislation, we will act in accordance with generally accepted principles governing data protection.
• We will always protect your personal data and, as part of this, we regularly review our privacy notice so that you can see how we use your data and what your options are. If there are any further changes to the ‘UK General Data Protection Regulation’ (UK GDPR) or related laws, we may need to amend this statement in the future.

A few quick notes:

• This privacy policy explains what data we collect as well as how and why we use your personal data.
• The policy applies to you if you’re a card holder, student, if you are an organisation we have a working relationship with (e.g. supplier), if you visit our websites or email, call or write to us.
• We will never sell your personal data. We will only share it with organisations we work with who meet our high privacy standards.

3. Index

• Who ‘we’ are
• Personal Data We Hold About You
• Online Identity Verification and Processing of Minors’ Data
• How we use your personal data
• How we secure your data
• Where your personal data may be processed
• Events
• Disclosing and sharing information
• Data Retention
• Your data protection rights
• When we use Legitimate Interest
• Contact for Alive App Data Requests
• What to do if you are not happy?
• Changes to this Privacy Policy

4. Who ‘We’ are

In this policy, whenever you see the words ‘we’ it refers to Student Discount Cards Limited (Company Number 08873775).

Our registered office address is Merseyway Innovation Centre, 21-23 Merseyway, Stockport, SK1 1PN.

We operate the following sites:
https://www.isic.org.uk

If you have any questions relating to this privacy policy or how we use your personal data, please send them to dpo@isic.org.uk or post them to the Data Protection Officer, Student Discount Cards Limited, Merseyway Innovation Centre, 21-23 Merseyway, Stockport, SK1 1PN.

5. Personal Data We Hold About You

5.1 We collect personal data from you when you voluntarily submit information directly to us or our application. This can include information you provide when you register to use the application, login to the application, complete a form, correspond with us, use discounts via our application or subscribe to our email lists.

5.1.1. Verifying ISIC Card:
When you register to use our application, it may be necessary to verify the validity of your ISIC Card. We will also on a regular basis verify the validity of your ISIC Card, either at our own initiative or by your request. If your ISIC Card goes through a validation process, we will process your name, ISIC Card number, date of verification and IP Address. The verification, including the personal data necessary for it, will be stored for 5 years from the date of verification.

5.1.2. Application Profile:
When you have completed your registration to our application, a profile will be created for you in our application. For managing your profile and enabling use of our application, we will process the personal data belonging to your ISIC Card and/or data you have provided us. The personal data collected and processed are your name, date of birth, ISIC Card Number, contact details, photo, country of residence, issuer organisation of your ISIC Card, ISIC Card type, ISIC Card validity, ISIC Card status, your preferences and information about how you use and connect to the application, favourite discounts and password.

5.1.3. Displaying ISIC Card:
For physically displaying and using your ISIC Card in the application, an image of your ISIC Card will be generated and temporarily stored, including any information found on your ISIC Card.

5.1.4. Direct Marketing:
So that we can ensure that you get the best from your ISIC proposition, we will send out newsletters and other electronic direct marketing under legitimate interests. We will process your name, e-mail address and phone number. You can unsubscribe from this processing at any time from the footer of any email from us.

5.2 We also collect personal data indirectly from you, such as information about the pages you look at on the application and the device you connect to the application with.

5.4 We will now describe a few of the aforementioned categories of personal data we collect in more detail:

• (a) Contact details: Include data such as your name, your email address and your telephone number associated with your account.
• (b) Account information: Include data such as your contact details (as above) and any other information you share when creating an account with our application.
• (c) Your preferences: Choices you make such as notification and messaging preferences or choices about how the application is set up.
• (d) Information about how you use and connect to the application:
  • (i) We collect information about how you use the application such as the pages and links you access, the discounts you have selected, the time you access the application and duration you are on it, the website you come to the application from or go to after leaving the application and selections and choices you make when using the application.
  • (ii) We also collect information about the computer or other electronic devices you use to connect to the application such as details about the type of device (which can include unique device identifying numbers), its operating system, browser and applications connected to the application through the device, your Internet service provider or mobile network, your IP address and your device’s telephone number (if it has one).
• (e) Information about your location: Subject to your consent, we may collect your location or an approximation thereof to show nearby discounts/benefits or location on the map. We do not connect location data to concrete users.
• (f) Information provided by other organisations: Other organisations may provide information that we associate with you where they are lawfully permitted to share it, such as contact details, demographic data, or Internet navigation information.

6. Online Identity Verification and Processing of Minors’ Data

6.1 Online Verification and Check of the ID/Card Holder’s Identification

If you give your voluntary and express consent, we will verify and check your identification when you purchase your ID online (or for the creation of a digital ID) by comparing your details against a scan of your identity document. The scan must be made solely by the Holder to whom the identity document belongs, and will be used only for the purpose of verifying your identity. This process includes checking your photograph and the details on your ID against those on your identity document.

Following verification, GTS ALIVE Group s.r.o. will securely destroy the copy (scan) of your identity document. The retention period for the identity confirmation scan is no longer than 14 days from the verification of your identity, after which the copy is securely destroyed.

The legal basis for this processing is your consent, which you may withdraw at any time.
You are not required to give your consent to this process. If you do not agree, your identity may be verified by means of a scan of a notarial deed or a notary’s statement confirming that the Holder shown in the photograph and their personal data correspond to the details on the relevant identity document. In this case, the legal basis for retaining the certificate is legitimate interest. The certificate will be retained for a maximum period of 5 business days after the identity check has been performed. You have the right to object to this processing.

Without a verified identity, it is not possible to use the services of a digital ID.

6.2 IDs and Other Activities of Holders Under the Age of 15 – Confirmation by a Legal Guardian

If a Holder under the age of 15 applies for an ID/Card (including a digital ID/Card) or plans to use any of GTS ALIVE Group s.r.o.’s information society services, the processing of personal data is lawful only if the relevant consent has been expressed or approved by a person with parental responsibility over the child. GTS ALIVE Group s.r.o. therefore requires the consent of the legal guardian of such Holder. The personal data of the legal guardian are retained for the purpose of verifying their identity and recording the consent.

Legal basis for processing: Performance of a contract, performance of a legal obligation, and legitimate interest.

Legitimate interests: Selected important data or documents (e.g., records of the consents given) are retained for potential inspection by a supervisory authority, to defend against claims, or to exercise our rights.

Recipients: The categories of processors specified in the provisions of Section 2.2.

Where personal data are transferred outside the EU, standard protection is provided by an adequacy decision or, where applicable, by standard contractual clauses on the protection of personal data adopted by the EU Commission.

Retention period: Until the Holder reaches the age of 15 years, and for 3 years thereafter.

Categories of personal data concerned: Identification and contact data, approval-related logs and/or documents, and related documentation (if any).

Voluntary disclosure of data: The provision of personal data is voluntary; however, without providing personal data, it is not possible to conclude and perform a contract for these services or to issue an ID pass.

6.3 Verifying Photographs Online

When a Holder provides a photograph for display on their ID, we will check the photograph to ensure it meets specific requirements. This includes verifying that the photograph shows the Holder, that the person in the photograph is not wearing sunglasses or headgear, that the quality of the photograph is sufficient to identify and verify the person when using the ID, and that the head is not hidden. For this purpose, we process the Holder’s personal data.

We also use the services of a supplier to check photographs, specifically Google Ireland Limited (incorporated under the laws of Ireland, identification number: 368047, registered office: Gordon House, Barrow Street, Dublin 4, Ireland). We have entered into a data processing agreement with Google. The service used is called Google Cloud Vision. This service verifies, among other things, that there is a person in the photograph, that the person is not wearing sunglasses or headwear, and that the photograph quality is sufficient for its intended use. The verification process does not involve identity checks or the processing of biometric personal data or other special categories of data.

Categories of personal data concerned:
Photographs and parameters to evaluate photographs (compliance with ID photograph conditions such as face and head rotation, headgear, etc.), network identifiers, logs, verification results, data relating to internal control, and data relating to the use of Google Cloud Vision.

Retention period:
Data used for internal verification and checks are deleted immediately after validation and in any case within 24 hours. The retention period of a photograph is the same as the period for which the photograph is used on your ID, which corresponds to the retention period of the personal data on the ID according to this Policy. Access by the service provider, Google, to the photograph is limited to the time necessary to use the service and check the photograph according to the specified criteria.

Legal basis:
Performance of a contract and legitimate interest. You have the right to object to processing based on legitimate interest.

Legitimate interests:
Selected important data or documents (e.g., records of consents given) are retained for potential inspection by a supervisory authority, to defend against claims, or to exercise our rights.

Recipients:
Categories of processors specified in the provisions of Section 2.2.

International transfers:
Where personal data are transferred outside the EU, standard protection is provided by an adequacy decision or, where applicable, by standard contractual clauses on the protection of personal data adopted by the EU Commission. The Google Cloud Vision service is provided by Google Ireland Limited. Access from outside the EU is possible for use of the service, with standard contractual clauses used to ensure sufficient safeguards. Where third countries are subject to adequacy decisions, such decisions also apply.

Source of personal data:
Personal data are always collected from the Holder.

Voluntary disclosure of data:
The provision of personal data is voluntary; however, without providing personal data, it is not possible to conclude and perform a contract for these services. It is not possible to issue an ID pass without providing personal data. The provision of a photograph is voluntary; however, without its provision and verification, it is not possible to use an ID.

7. How we use your personal data

We will use your personal data for the purposes outlined at the time you provided it to us. Examples include:

• Administering your discount membership and our relationship with you as a cardholder, as well as providing you with information about discount offers and other related purposes.
• Responding to your requests and fulfilling our contractual obligations with you.
• Under legitimate interest, we will share information with the National Union of Students (United Kingdom), Company number 08015198 and/or NUS Students’ Union Charitable Service. As a student, we want to ensure you have access to the latest information about campaigns and competitions for students. You can opt out at any time by emailing dpo@isic.org.uk
• We may also need to provide your personal data if we are asked by the police, or any other regulatory or government authority in relation to safeguarding.

8. How we secure your data

We want to keep our customers and suppliers safe, so the security of your data and of our information systems is incredibly important to us. When you entrust your personal information to us, we take care of it as if it were our own. We spend a lot of time, money and resources on ensuring that the personal details you entrust to us are protected from loss, misuse and abuse.

External threats to our data security are changing all the time, so we have a robust process for assessing, managing and protecting all of our new and existing systems to ensure they are up to date and secure.

Our staff complete mandatory information security and data protection training when they start with us and every year afterwards, to reinforce their responsibilities and requirements and ensure they understand and comply with their obligations under the Data Protection Act 2018 and UK GDPR. We carefully control who has access to your information and ensure that it is only used in the way you would expect.

When you trust us with your data we will keep your information secure to maintain your confidentiality.

9. Where your personal data may be processed

Whenever we transfer personal data out of the EEA or the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer personal data to countries that have been deemed to provide an adequate level of protection for personal data by the ICO. For further details, see ICO A guide to international transfers.
• Where we use certain service providers, we may use specific contracts approved by the ICO which give personal data the same protection it has in the UK.
• Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the UK and the US.
• We also take regular encrypted backups.

We use GTS ALIVE Group s.r.o. (ID No. 09296727), with its registered office at Na Maninách 1092/20, Holešovice, 170 00 Prague 7, registered in the Commercial Register maintained by the Municipal Court in Prague, section C, entry no. 334013, as a data processor for certain services. As GTS ALIVE Group s.r.o. is located outside the UK, we have a written agreement in place that ensures your personal data is protected in line with UK data protection law. This agreement includes obligations to maintain confidentiality and implement appropriate security measures. We only transfer your data to GTS ALIVE Group s.r.o. using approved safeguards such as the UK International Data Transfer Agreement (IDTA) or other mechanisms recognised by UK data protection law.

10. Events

We may collect and process your data in connection with events, for example to register your attendance or provide event information. The legal basis for this is our legitimate interest or your consent.

11. Disclosing and sharing information

We do not sell your personal data. We may share it with trusted partners, such as IT service providers or mailing houses, to achieve the purposes set out in this policy.

12. Data Retention

We will only use and store your information for as long as it is required for the purposes it was collected, or as required by law.

13. Your data protection rights

You have the following rights:

• Right of access: You can request a copy of your data.
• Right to rectification: You can ask us to correct inaccurate or incomplete data.
• Right to restrict processing: You can ask us to limit how we use your data.
• Right to object: You can object to certain processing.
• Right to erasure: You can ask us to delete your data.

To exercise these rights, please email dpo@isic.org.uk. We aim to respond within 30 days.

14. When we use Legitimate Interest

We process your data under legitimate interest when it is necessary for our business, provided your rights and interests do not override ours. You can object to this processing.

We may also process special categories of data (such as health or ethnicity) with your explicit consent or to comply with legal obligations.

15. Contact for Alive App Data Requests

For requests related to the Alive App, please contact:

GTS ALIVE Group s.r.o.
Na Maninách 1092/20, 170 00 Prague 7, Czech Republic
Tel: +420 226 222 336
Fax: +420 226 222 300
Email: legal@gtsalive.com

This contact is for matters relating specifically to the Alive App, which is operated by GTS ALIVE Group s.r.o. as data controller.

16. What to do if you are not happy?

If you have concerns about how we use your data, please contact us at dpo@isic.org.uk. You can also complain to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: https://www.ico.org.uk

17. Changes to this Privacy Policy

We keep our privacy policy under regular review and will update it as needed.

Summary of Changes Implemented

1. Definitions Section Added
   A dedicated section listing clear definitions for key terms such as Alive Profile, Alive App, Holder, ISIC/IYTC/ITIC Card, Data Controller, Data Processor, and Personal Data.
2. Online Identity Verification and Processing of Minors’ Data
   A new section detailing how online identity verification works for Holders, including the process for digital ID creation, data retention, and the legal basis for processing. This section also covers the special requirements for Holders under the age of 15, including guardian consent and data retention periods.
3. Verifying Photographs Online
   A new section explaining the process for verifying photographs uploaded for ID purposes, including the use of Google Cloud Vision for automated checks. Details are provided on data categories, retention, legal basis, and international data transfers.
4. GTS ALIVE Group s.r.o. as Data Processor
   Clear information on GTS ALIVE Group s.r.o. as a data processor, including its role, location, and the legal agreements in place to protect your personal data during international transfers.
5. Contact for Alive App Data Requests
   A new section providing specific contact details for Alive App-related data requests, ensuring users know who to contact for issues relating to the Alive App.
6. Updated International Transfers Section
   Enhanced information on international data transfers, including safeguards such as UK International Data Transfer Agreements (IDTA), standard contractual clauses, and adequacy decisions.