Already have an account? Log in now

Reward Gateway (USA) Inc (“we”, “us” or “our”) is committed to upholding your privacy and respect your rights under the Privacy Act 1974 and other applicable laws.

This Privacy Notice ("Notice") describes how any personally identifiable information (“PII”, “personal information”) we collect from you or from third parties, including NLMK USA (the “administrator”) who we have entered into a License Agreement with, about you on this website (the “portal”, “NLMK Rewards and Recognition”) will be processed by us.

In the event of a conflict between the terms of this Notice and the terms of the License Agreement, the License Agreement shall prevail.

The Type of Information We Collect From you and How We Use It

We will collect various types of personal information from you when you use NLMK Rewards and Recognition, depending on the services which you use. Further details of how we use your personal data are set out below.

Before you register

Before you register on NLMK Rewards and Recognition, to allow us to carry out our eligibility checks we will ask the administrator to provide two pieces of information about you (such as your ZIP code, payroll ID, start date or date of birth).

The administrator will provide your Last 6 of SSN and Date of Birth to us to allow us to establish that you are eligible to register on NLMK Rewards and Recognition**.

When you register

In addition to the personal data provided to us by the administrator, when you register on NLMK Rewards and Recognition we will also collect and store personal information about you, such as your name, company identifier, email address, password, ZIP code, a contact telephone number, gender and date of birth. At the administrator’s choice, we may also collect additional information about you such as your office location.

You will also need to provide the information necessary to allow us to carry out our eligibility check (which will vary dependent on the information provided by the administrator, see above).

This information will be used in order to complete your registration and to allow you to use NLMK Rewards and Recognition. You will not be able to register without at least providing your name, email address, password and ZIP code or date of birth, as these are used to secure your account and to allow us to confirm your identity if you contact the support team. Your date of birth is also used to confirm your identity if you contact the support team.

When you login

Each time you log in to NLMK Rewards and Recognition, we automatically conduct checks against your Internet Protocol (IP) address to ensure your security. This includes looking up your IP address against a “proxy denylist” to check that someone is not using your credentials and trying to hide their location. This proxy denylist is operated by MaxMind, Inc. If your IP address appears on it, we will not allow you to login.

We also look up the IP address in a static database we download from MaxMind Inc. to check which country the IP is affiliated with. This helps us to further protect your account against people who may have access to your credentials. If we do spot a change, we will alert you and ask you to confirm your login in order to verify your identity before continuing.

This information along with time and event data (such as successful or failed logins) are also recorded in our database for audit purposes.

Depending on the services you use on NLMK Rewards and Recognition, we may collect and process additional PII about you, as set out below.

When you send an eCard or when you make a nomination

If you ask us to send an eCard, you will need to provide us with the name of the person you are sending the eCard to (“the recipient”). If the recipient has already registered on NLMK Rewards and Recognition, we will send the eCard on your behalf to their registered email address.

If they have not already registered, you will also need to provide an email address which we will send the eCard on your behalf to. The recipient will be asked to confirm that they have read and understood this notice and agree to our Terms & Conditions before being able to view your message.

You must have the consent of the recipient to give us their name and, if applicable, email address and any personal information you disclose in your message to them. This information will also be disclosed to the administrator for the purposes of performance management.

When you contact us

If you contact us for support purposes, we will require some information to handle your query. The following data are saved in Zendesk to enable processing: your name, email address, telephone number, and any other personal information you provide to us for the purpose of dealing with your query.

When you visit NLMK Rewards and Recognition

When you visit NLMK Rewards and Recognition we will automatically collect information about your visit, such as the pages you viewed, offers or services you viewed or searched for, length of visits to certain pages, the times and dates of these actions, details of page response times and any download errors that occurred.

We will also collect data from the device and application that you use to access our services, including your IP address (from which we may infer your geographic location), login information and browser type.

If you arrive at our website from an external source (such as a link on another website or in an email) we record information about that source.

We will use the above information in order to:

  • to administer NLMK Rewards and Recognition and for internal operations, including troubleshooting, data analysis (including analysing the use of the various services available on NLMK Rewards and Recognition and measuring their popularity and effectiveness), testing, research, statistical and survey purposes, and to comply with our legal obligations;
  • to improve NLMK Rewards and Recognition to ensure that content is presented in the most effective manner for you and for your computer / device;
  • as part of our efforts to keep NLMK Rewards and Recognition safe and secure to comply with our legal obligations;

Other information and uses

We will also collect the PII you provide when you use NLMK Rewards and Recognition:

  • To notify you about changes (permanent or temporary) to our service.
  • To ensure that content from our website is presented in the most effective manner for you and your computer.
  • To administer our website and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes, and as part of our efforts to keep our website safe and secure.

Interaction with Children Online

We do not knowingly collect personal information on children. The content of our website and the products and services available are not intended for, or directed to, children. If you are under 13 years of age, then please do not use or access our website at any time or in any manner.

Information we receive from other sources

We will combine information we receive from other sources (as set out in this Notice) with information you give to us. We will use this information and the combined information for the purposes set out in this Notice (depending upon the services you access).

Change of Purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and permitted under applicable laws. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Disclosures of your Information

We use service providers to help us to provide the website, such as data storage providers, marketing email providers, analysis providers and benefit providers:

  • Amazon Web Services EMEA SARL, a cloud hosting provider;
  • Emailcenter UK, a transactional and bulk email gateway;
  • Google Inc., a web analytics tool;
  • FullStory Inc., an analytics service provider;
  • Heap, Inc., an analytics service provider;
  • New Relic Inc., a performance measurement tool;
  • Twilio Inc., a SMS / text-messaging gateway;
  • Formstack, LLC, a configurable data-capture provider;
  • Zendesk Inc., a customer support platform;
  • Atlassian Pty Ltd., a ticketing system for our internal teams;
  • Mailgun Technologies Inc., a transactional and bulk email gateway;
  • WalkMe, Inc., Contextual help, support and assistance for administrators.

Use of Braze for Marketing and Customer Engagement

We use Braze, a customer engagement platform, to help us deliver personalized communications and improve the relevance of our marketing efforts. Braze allows us to analyse and understand how you interact with our communications and services, helping us create a more tailored experience.

Data Collected and Processed

In connection with our use of Braze, we may collect and process the following types of personal information:

  • Contact information (e.g. email address, name, unique identifier, company name)
  • Interaction data (e.g. open rates, clicks, or engagement with messages we send you)
  • Usage data (e.g. information about how you use our website or app, if applicable)

Purpose of Processing

We use Braze to

  • Deliver personalised email, SMS, and in-app messages based on your preferences and activity.
  • Track engagement and interaction to improve our messaging and enhance your experience.
  • Conduct analytics to better understand the effectiveness of our communication and make improvements.

Data Sharing and Privacy Protections

Braze processes this data on our behalf and is obligated to comply with applicable data protection laws. We have a data processing agreement with Braze to ensure that your personal information is handled securely, and we regularly review their data protection practices.

Opting Out of Marketing Communications

You can opt out of receiving marketing communications at any time by following the unsubscribe link in any email we send or by contacting us directly. If you opt out, Braze will no longer process your data for marketing purposes on our behalf.

We also share your personal information with:

The Administrator

Because the administrator pays us to operate NLMK Rewards and Recognition for you, they’ll want to know how the website is performing. Except as set out elsewhere in this Notice, we will only share information with the administrator on an aggregated and anonymous basis about how often you’ve used the website and what services you used.

Our Internal Teams

We also use information about you on an aggregated and anonymized basis for internal management purposes. This type of information includes, for example, the number of activities you complete. However, you can’t be identified from this information.

Members of our Group

We share personal information with members of our group for the purposes of providing the benefits to you and managing our business: RG Engagement Group Ltd, Reward Gateway Pty Ltd, Reward Gateway (USA) Inc, Reward Gateway (UK) Ltd Branch, International Benefits Holdings Ltd., Asperity Employee Benefits Group Ltd

Other Parties

We will also disclose your personal information to third parties:

  • in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the prospective seller or buyer of such business or assets;
  • if we or substantially all of our assets are acquired by a third party, in which case PII held by us about our customers will be one of the transferred assets; and/or
  • if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions and other agreements; or to protect the rights, property, or safety of us, our users, customers and providers. This will include sharing your personal information as part of a legal or official investigation if we have evidence or reason to suspect that purchases on your account could be fraudulent.

Transfers of your Information

Your information, including PII, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this notice, and applicable law, and no transfer of your personal information will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

We remain fully accountable for these transfers.

Your Choices

California Privacy Rights

Under California law you are entitled to certain rights and disclosures. Please read our California Privacy Policy for more information.

Residents of the European Economic Area (EEA) and The United Kingdom (UK)

If you are located in the EEA and UK, applicable EU/UK and Member State data protection laws provide certain rights to you. These include the rights to:

  • Request details about the personal data that we process, and obtain a copy of the data that we hold about you;
  • Correct or update your personal data;
  • Port personal data that has been provided by you, in machine readable format, to another supplier
  • Erase the data that we hold about you in some cases;
  • Restrict processing in some cases;
  • Object to processing based on grounds relating to the individual’s particular situation, where the processing is based on legitimate interest;

These rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation and the laws and regulations to which we are subject.

We will only collect personal information from you where we need the personal information to enter into a contract or perform a contract with you (e.g. to provide you with a service), where the processing is in our legitimate interests when your interests and fundamental rights do not override those interests, where we have your consent, or where we have a legal obligation to collect and process personal information.

Where the provision of data is necessary to enter into a contract with us or for us to perform a contract with you and you choose not to provide the information we will not be able to provide our services to you.

You have the right to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party), which is not overridden by your data protection interests or fundamental rights and freedoms. In particular we process your personal data to pursue the following legitimate interests:

  • To prevent fraud on our platform;
  • To provide reporting and analytics;
  • To provide troubleshooting, technical support, or to answer questions;
  • To trial new features or additional services; and
  • To help improve our services, applications, and websites.

Where we rely on your consent to process your personal data, you may decline to give your consent, or withdraw your consent for that specific processing at any time.

In some cases, we may also have a legal obligation to collect personal information from you.

If you have questions about the legal basis on which we collect and use your personal information or if you wish to assert your rights, please contact us using the contact details provided under the “Contact Us” section below.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We or the administrator may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Please know that you also have the right to submit a complaint concerning our processing of your personal data to the appropriate supervisory authority.

Resolving your privacy concerns and complaints

If you have a question or complaint about how your personal information is being handled by us, our affiliates or contracted service providers, please contact us using the contact details provided below.

Please note that as the administrator may store other information from your use of this service, you should also contact them directly if you would like to exercise your rights in relation to the data held by them.

Updating your information

It is important that the personal information we hold about you is accurate and current. Please keep your records on NLMK Rewards and Recognition up-to-date. If you wish to update or amend your personally identifiable information or data you may do so by making the change within your account once logged in or by contacting our Helpdesk. We will respond to your request within 5 working days.

Storage of your information

Unless we need to keep your data for legal purposes, we will only retain your personal information for 60 days after the administrator lets us know you no longer have a relationship with them or they decide to use a different service.

The legal purposes for which we may need to retain your data for include:

  • retaining payment records for one year to comply with PCI DSS regulations;
  • retaining backups for up-to 180 days after deprovisioning; and
  • retaining your order history for two years from the date of your order in case of a dispute.

We may also retain anonymized data about you for longer periods for integrity and financial reporting purposes.

Recordings of calls are retained for 40 days and chat transcripts are retained for 90 days.

We take the security and confidentiality of your personal information very seriously. We will use strict procedures and security features to aim at preventing unauthorized access, such as implementing ISO 27001 standards, access controls, penetration testing, the use of encryption and hashing and robust physical security controls.

EU-U.S. Data Privacy Framework

Reward Gateway US Inc complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.

Reward Gateway US Inc has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data privacy framework website.

Reward Gateway US Inc is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC),

Reward Gateway US Inc is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to your organization and following the procedures and subject to conditions set forth in Annex I of Principles

Reward Gateway US Inc is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Reward Gateway US Inc is liable in cases of onward transfers to third parties.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Reward Gateway US Inc commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

Changes to this notice

Any changes we make to our Notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Notice.

Contacting Us

If you have any queries, comments or requests regarding this Notice, or you would like to exercise any of your rights set out above, or contact our Data Protection Team, you can contact us in the following ways:

  • by email at dpo.uk@edenred.com or:
  • by post at Reward Gateway (USA) Inc., 141 Tremont Street, Boston, MA 02111.