Maxxed

Privacy Policy

Last updated: 23 June 2026

This Privacy Policy explains how Maxxed ("we", "us", "our") collects, uses, and protects your personal data when you use our service. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data we collect

  • Account data: name, email address, password (encrypted), and profile preferences.
  • Bank transaction data: when you connect a bank account, we receive transaction details (merchant name, amount, date) through our open-banking partner TrueLayer.
  • Payment data: when you subscribe, payment is processed by Stripe. We do not store your card details — Stripe holds these on our behalf.
  • Reviews & ratings: star ratings, written reviews, and complaints you submit about businesses.
  • Usage data: log data, device information, IP address, and analytics about how you use the service.
  • Cookies: see our Cookie Policy.

2. How we use your data

  • To operate and maintain the Maxxed service, including awarding points for verified spend.
  • To detect bank transactions that trigger rating prompts.
  • To process subscription payments and manage your membership.
  • To publish reviews, ratings, and complaints you submit.
  • To send service notifications (e.g. rating reminders) where you have opted in.
  • To prevent fraud, abuse, and to comply with legal obligations.
  • To improve the service through aggregated analytics.

3. Bank account data (TrueLayer)

We use TrueLayer, an FCA-authorised open-banking provider, to securely connect to your bank. TrueLayer uses read-only access — we cannot move money or initiate payments. We receive only the transaction information needed to award points and prompt reviews. You can disconnect your bank at any time from your wallet. See TrueLayer's privacy notice at truelayer.com/legal.

4. Payment data (Stripe)

Subscription and payment processing is handled by Stripe. When you enter card details, they are sent directly to Stripe and never stored on Maxxed's servers. Stripe is PCI-DSS Level 1 certified. See Stripe's privacy policy at stripe.com/privacy.

5. Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your personal data (the "right to be forgotten").
  • Restrict or object to certain processing.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

6. Right to deletion

You can request deletion of your account and personal data at any time by emailing info@maxxed.co.uk. We will permanently delete your data within 30 days, except where we are required to retain it by law (e.g. financial records). Public reviews may be retained in anonymised form.

7. Data retention

We keep your personal data only as long as needed for the purposes described above, or as required by law. Bank transaction history is retained while your account is active and deleted on account closure.

8. Contact us

For any privacy questions or to exercise your rights, contact our Data Protection team: