Privacy Policy
Last updated: 11/04/2026
- Introduction
This Privacy Policy explains how LOSTNRETURNED LIMITED (Company no. 16604363) (‘we’, ‘our’ or ‘us’) collects, uses, stores and protects personal data when you use our LostnReturned service, accessible via lostnreturned.com (Platform).
The Platform allows people who own items (“owners”) to create an account and generate a personalised QR code and recovery page for use on their items, and allows people who have found items (“finders”) to report found items by scanning QR codes or submitting finder forms. We facilitate the connection between owners and finders by forwarding finder reports directly to owners via email; owners do not create or edit finder reports or lost item records about finders in the Platform.
Our services are intended for users aged 18 and over, or those with legal capacity to enter into contracts in their jurisdiction. We do not knowingly collect or solicit personal data from children under the age of 18. If we become aware that we have inadvertently collected personal data from a child under 18 without appropriate parental or guardian consent, we will take steps to delete such data promptly. If you believe we may have collected personal data from a child, please contact us immediately at support@lostnreturned.com.
We take data protection very seriously. Please read this privacy policy carefully as it contains important information on how we process personal data.
We act as an independent data controller for the personal data we process to operate and secure the Platform, including for individual owners who create an account and generate a personalised QR code and Recovery Page for use on their items, finders who interact with Recovery Pages, and business account holders who use our service.
In the contact-form flow, we collect finder details submitted via the Recovery Page and forward that finder report to the relevant owner/business account holder; the owner/business then processes the forwarded finder report as an independent controller. In the Direct Contact flow, we publish the owner’s chosen contact details on the Recovery Page and the finder contacts the owner directly outside the Platform; in that case, LostnReturned does not receive the finder’s contact details or message through the Direct Contact channel (unless the finder separately chooses to submit a finder form or otherwise contacts us). Business customers are responsible as independent controllers for any use they make of finder or owner data they receive and for any communications they send to finders (including under PECR/e-privacy rules where applicable).
It also explains your rights in relation to your personal data and how to contact us or the relevant regulator in the event you have a complaint. Our collection, storage, use and sharing of your personal data is regulated by law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we offer services to individuals in the European Economic Area (EEA) or otherwise fall within scope of the EU General Data Protection Regulation (EU GDPR), the EU GDPR may also apply to particular processing activities.
We are committed to making our Platform and this privacy policy accessible and usable for as many people as possible. If you encounter accessibility barriers, or if you require this privacy policy in an alternative format, please contact us at support@lostnreturned.com and we will do our best to accommodate your needs.
- What this policy applies to
This privacy policy relates to your use of the Platform and the services you access through it, including creating an account and generating a personalised QR code and Recovery Page for use on your items as an owner, reporting found items as a finder, and managing business accounts.
It applies to users in the United Kingdom, the European Economic Area (EEA) and, where relevant, other locations, except where we are legally restricted from providing services or transferring data (for example, to countries or individuals subject to applicable sanctions or export control laws). Our operations include processing in both the UK and the Netherlands, with orders processed in either jurisdiction depending on operational capacity.
The Platform may link to or rely on other apps, websites, APIs or services owned and operated by us or by certain trusted third parties to enable us to provide you with services through the Platform. These other apps, websites, APIs or services may also gather information about you in accordance with their own separate privacy policies. For privacy information relating to these other apps, websites or services, please consult their privacy policies as appropriate. For more information see the section ‘Who we share your personal data with’ below and our separate Cookies Policy (available at https://lostnreturned.com/cookies), which explains how we and our partners use cookies and similar technologies.
- Personal data we collect about you
We act as an independent data controller for the personal data described below that we collect and process to operate and secure the Platform.
For business-to-business accounts, we do not currently provide staff-level user profiles or role-based access for individual employees of business customers under the current Platform functionality. The business account email address may itself identify or relate to an individual contact at the business (for example, a generic inbox or a named contact), and we treat such information as personal data where it identifies a living individual.
We do not currently act as a data processor on behalf of business customers. If we introduce staff-level features or other functionality that would involve processing personal data on behalf of business customers in future, we will update this privacy policy and, where required, enter into appropriate data processing agreements.
Waitlist and early access sign-up data
We may also collect personal data when you sign up to join our waitlist, request early access, or ask to hear about the launch of LostnReturned. This includes your first name, last name, email address and country. We use this information to manage the waitlist, send launch-related updates, and, where permitted by law, send marketing communications in line with your preferences.
| Categories of personal data processed | In more detail |
|---|---|
| Identity and account data you input into the Platform (including Direct Contact settings) | For owners/business account holders, we collect your email address, first and last name, mobile telephone number, postal address, billing address and other contact details you provide to create and manage an account. If you enable the Direct Contact feature, we will publish the contact details you choose to display (for example, a phone number for calls or SMS, a WhatsApp number, and/or an email address) on your Recovery Page, which is publicly accessible to anyone who scans the QR code or visits the Recovery Page URL. You may also choose to add an optional contact preference note (for example, “WhatsApp preferred” or “calls after 18:00”). Only the contact details and preference text you fill in will be shown. For finders, in the contact-form flow we collect your name (or pseudonym), email address, mobile telephone number, and any message content you choose to include when reporting a found item. In the Direct Contact flow, we do not require you to provide your contact details to LostnReturned to contact the owner (you contact the owner using the published details), although we may still collect limited technical/usage data (for example, QR scan logs) as described below. Your account login credentials, including email address (used as username) and password. For business accounts, we also collect business name and account-level contact information. Payments for our services are processed through Stripe. Payment information is transferred through secure encrypted connections and stored on our payment partner’s servers, subject to their privacy policy. We do not store your full payment card details. We retain payment references, subscription details, order history, and billing information as a data controller to manage your account, fulfil orders, and comply with our legal obligations including tax and accounting requirements (for example, through our accounting provider Xero). |
| Data collected when you use specific functions in the Platform | Data you provide when using the Platform, including your own items, contact preferences, QR code generation history, subscription details, order history for QR code products (including shipping addresses and product selections), gift card purchase details and, where you provide them, gift recipient details (such as name and delivery address) so that we can send physical products or digital products to them on your behalf, and any support requests you submit. We use recipient details only to fulfil the relevant order, manage any related queries, and comply with our legal obligations; recipients may contact us directly to exercise their data protection rights. Each Recovery Page is also assigned a randomly generated Support ID (for example, LNR-XXXX-XXXX), which may be visible on the Recovery Page and/or within the page URL. This Support ID is generated randomly and is not derived from or linked to your name, email address, or any other personal identifier. It is used solely for customer support, troubleshooting, and internal account management purposes, and is not used for profiling or marketing. Where we introduce the ability for owners to upload photos of their items (for example, to help finders identify a lost item), we will collect and process any such photos as owner-provided account data on the same lawful basis as other account data, and will update this policy accordingly. For finders: Name, email address, mobile telephone number, message content describing the found item, and optionally the time and location where the item was found. Important notice to finders: How you contact an owner depends on the Recovery Page settings. (1) Contact-form flow: if the Recovery Page contains a finder form, when you submit a finder report, your contact details and message are forwarded to the owner/business account holder. Once forwarded, the owner/business becomes an independent controller of the copy they receive and we do not control how they use your details or communicate with you. (2) Direct Contact flow: if the owner has enabled Direct Contact, the Recovery Page will display the owner’s chosen contact details (for example, a phone number for calls or SMS, a WhatsApp number, and/or an email address) and you can contact them directly; in that case, LostnReturned does not receive your message or your contact details through the Direct Contact channel. Please use any displayed contact details only to help return the item and not for any other purpose. Safety warning (including for children and vulnerable users): please do not share unnecessary personal information, and take care if arranging to meet someone in person. If you are under 18 or a vulnerable person, we recommend involving a trusted adult and using safe, public locations (or appropriate third-party collection points) and never sharing sensitive information (such as your home address) unless strictly necessary. If you feel unsafe or suspect fraud, stop communicating and contact local law enforcement where appropriate. For business accounts: Business name, account email address, subscription and billing details, QR code order history, and usage data relating to the business account. Business accounts operate at account level with one email address per business; we do not currently collect or store personal data of individual staff members employed by business customers under the current Platform functionality. We also collect QR code scan logs, timestamps of platform interactions, and usage analytics to improve our service and ensure Platform security. Where Direct Contact is enabled, we also log account-level events such as when Direct Contact is enabled or disabled and what category of contact detail is selected for display (for example, email and/or phone), to help us operate the feature, investigate abuse, and evidence the settings applied at a point in time. We keep personal data only for as long as necessary for the purposes for which it was collected, including providing the Platform, maintaining security, preventing fraud and abuse, handling support requests, and meeting our legal and regulatory obligations. Retention periods vary depending on the type of data and why we hold it (for example, account data, finder submissions, technical/security logs, and order or billing records may be kept for different periods). For example, finder submissions and related case data are typically retained for up to twelve months after the finder submission is made (or after the matter is resolved), after which it is deleted or anonymised unless we are required or permitted by law to retain it for longer. We delete or anonymise personal data when it is no longer needed, unless we are required or permitted by law to retain it for longer (for example, for tax/accounting record-keeping or to establish, exercise or defend legal claims). |
| Data collected when you permit the collection of location data | If enabled by you, location data may be collected when using map or location-based functions, for example when a finder optionally provides the location where an item was found. This feature is entirely optional and controlled by your device settings. Finders are not required to provide location information when submitting a report. We do not track your ongoing location or collect location data in the background. |
| Other data the Platform collects automatically when you use it | Your activities on, and use of, the Platform which reveal your preferences, interests or manner of use of the Platform and the times of use. Other information such as device type, browser type, operating system, IP address, time zone settings, and other technical information about how you access and use the Platform. |
| Data collected when you make an enquiry with us | Your name, email address, organisation (if applicable), and any other information you choose to include in your enquiry (for example, details of a lost or found item, or questions about our services). |
| Marketing and communications data | Your preferences in receiving marketing emails from us and, where applicable, from our third-party providers, and your communication preferences (for example, whether you wish to receive updates about LostnReturned, new features, or other services). |
If you do not provide personal data we ask for where it is required, it may prevent us from providing service to you through the Platform.
We may use anonymised, aggregated data for server improvements, industry analysis, and benchmarking purposes. This data cannot identify individuals or organisations and helps us enhance our Platform’s functionality and user experience. Such analysis may include usage patterns, feature utilisation, and general service trends to optimise our offerings. Once data has been anonymised so that it can no longer be linked to an identifiable individual, it is no longer treated as personal data.
We collect and use this personal data for the purposes described in the section ‘How and why we use your personal data’ below.
- Sensitive Data
Sensitive personal data (also known as special category data) means information related to personal data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where used for identification purposes); data concerning health; data concerning a person’s sex life; and data concerning a person’s sexual orientation.
We do not knowingly or intentionally collect sensitive personal data or information about criminal convictions from individuals using LostnReturned or our other services unless this is specifically required by law or you have given your explicit consent and we have identified a lawful basis for doing so. Where such data is required, we implement additional security measures and safeguards in accordance with applicable data protection laws.
If, however, you do submit sensitive data to us, such as by including it in free-text fields or messages, or by making this sensitive data available to other users of the Platform, we will treat that information as having been provided voluntarily by you. Please avoid including sensitive personal data (or information about children or vulnerable individuals) in free-text fields unless it is strictly necessary.
- Location service/data
For security purposes, we automatically determine your approximate location (limited to country/region level) using your IP address. This information is used solely for security checks, fraud prevention, and to help us apply the correct legal and regulatory framework (for example, determining whether UK GDPR or EU GDPR applies to your data). This processing is based on our legitimate interests in securing the Platform and complying with applicable laws. It does not affect core Platform functionality, and we do not use this location data for any other purpose.
The Platform’s map features function independently of your location data. The location information we collect is used solely for security purposes.
Our map services are provided through Google Maps integration. When using these services/data, data may be collected by Google in accordance with their Privacy Policy.
We exert no control over Google’s Privacy Policy and we therefore recommend that you consult their privacy policy. For further information on how Google protects personal data, please visit their site: https://policies.google.com/privacy?hl=en-US. For more information see the section ‘Who we share your personal data with’ below.
- How your personal data is collected
We use different methods to collect data from and about you including through:
- Your interaction with us: We collect personal data when you use the Platform, including when you:
  - Register as an owner
  - Generate QR codes for your items
  - Report a found item as a finder by scanning a QR code or submitting a finder form
  - Create or manage a business account
  - Place orders for QR code products or gift cards
  - Request technical support or customer service
  - Subscribe to marketing communications
  - Contact us directly via email, phone, or social media
  - Participate in feedback surveys
  - Interact with Platform features, either directly or indirectly through your usage activity
- How and why we use your personal data
Under data protection law, we can only use your personal data if we have a proper legal basis. The lawful bases we rely on are:
- where you have given consent
- to comply with our legal and regulatory obligations
- for the performance of a contract with you or to take steps at your request before entering into a contract, or
- for our legitimate interests or those of a third party
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see ‘How to contact us’ below). Where we rely on your consent as a lawful basis for processing, you may withdraw that consent at any time by contacting us at support@lostnreturned.com or, for marketing communications, by using the unsubscribe link included in any marketing email we send you. Withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal.
The table below explains what we use your personal data for and why.
| What we use your personal data for | Our reasons |
|---|---|
| Create and manage your account with us | To perform our contract with you or to take steps at your request before entering into a contract (for example, to create and manage your LostnReturned owner account or business account, process your orders for QR code products, and provide customer support). Where we process account data for security monitoring, fraud prevention, or Platform improvement purposes, we rely on our legitimate interests in operating and securing the Platform and protecting users from abuse. |
| Providing LostnReturned service functionality, including Recovery Pages, Direct Contact (where enabled), and forwarding finder reports to owners (where a finder form is used) | We process data to provide Platform functionality under the following lawful bases: For owners and business account holders: To perform our contract with you under our Terms and Conditions of Use, including providing QR code generation and fulfilment, hosting Recovery Pages, publishing owner contact details on Recovery Pages where you enable Direct Contact, receiving and forwarding finder reports where a finder form is used, subscription management, and customer support. We also rely on our legitimate interests for related security, abuse prevention, and operational logging (including Direct Contact enable/disable logs). For finders: (a) Contact-form flow: under our legitimate interests in facilitating the return of lost items to rightful owners, we collect finder submission data and forward it to the relevant owner/business. We have balanced this legitimate interest against your rights by providing transparency in this policy and on the finder submission page; making finder data only for limited security/dispute purposes; making finder submissions entirely voluntary; and relying on the reasonable expectation that reporting a found item will result in sharing your details with the owner. For optional location data, we rely on your device-level consent submissions voluntary; applying data minimisation; applying security/anti-abuse measures; and retaining finder submissions only for limited periods consistent with our retention practices. (b) Direct Contact flow: where Direct Contact is enabled and you contact the owner directly using published details, we do not process your contact details or message content for that direct communication; we process only the technical/usage data needed to operate and secure the Recovery Page (for example, QR scans, timestamps, IP address, and device/browser information) based on our legitimate interests in operating, securing, and improving the Platform. Important limitation of liability and safety: Where finder details are forwarded to an owner/business (contact-form flow), once we forward your finder report we have no control over how the owner/business uses your contact details or communicates with you. Where Direct Contact is enabled, the owner’s contact details are published publicly on the Recovery Page and you contact the owner directly. In either case, owners/businesses act as independent controllers for their communications and handling of personal data they receive. We are not responsible for any misuse of personal data, disputes, scams, fraud, or harm arising from owner-finder interactions outside of our reasonable control. We strongly recommend that both owners and finders exercise caution when sharing additional personal information or meeting in person, and report any concerns to us and, where appropriate, to law enforcement. |
| To enforce legal rights or defend or undertake legal proceedings | Depending on the circumstances: to comply with our legal and regulatory obligations; in other cases, for our legitimate interests or those of a third party, i.e. to protect our business, interests and rights or those of others |
| Sending relevant marketing communications and for making personalised suggestions and recommendations to you about the products that may be of interest to you based on your profile data | For our legitimate interests, to carry out direct marketing to business contacts, develop our services and grow our business, and, where required by law, having obtained your consent to receive direct marketing communications. You can withdraw your consent or object to marketing at any time (see ‘Marketing’ below). |
| Carry out market research through your voluntary participation in surveys | Necessary for our legitimate interests to study how customers use our Platform and to help us improve and develop our Platform and services offered through the Platform. |
| Communications with you not related to marketing, including about changes to our terms or policies or updates concerning the requests placed by you through the Platform or changes to the Platform or service or other important notices | Depending on the circumstances: to comply with our legal and regulatory obligations; to keep you updated on the requests placed by you; in other cases, for our legitimate interests or those of a third party, i.e., to provide the best service to you |
| Protect the security of systems and data | To comply with our legal and regulatory obligations, we may also use your personal data to ensure the security of systems and data to a standard that goes beyond our legal obligations, including implementing encryption, role-based access controls, and regular security audits. |
| Operational reasons, such as improving efficiency, training, and quality control or to provide support to you | For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service to you |
| Statistical analysis to help us manage our business, e.g., in relation to our performance, customer base, functionalities and offerings or other efficiency measures | For our legitimate interests or those of a third party, i.e. to be as efficient as we can so we can deliver the best service to you and improve and develop our Service and the Platform. |
| Updating and enhancing user records | To perform our contract with you (for example, maintaining accurate account and Recovery Page settings), to comply with our legal obligations, and where appropriate for our legitimate interests in keeping our records accurate and up to date, preventing fraud, and maintaining Platform security. |
| To comply with our legal and regulatory obligations | Depending on the circumstances: to perform our contract with you or to take steps at your request before entering into a contract (in this case, the contract means the Terms and Conditions of Use which apply to the Platform); to comply with our legal and regulatory obligations; where neither of the above apply, for our legitimate interests or those of a third party, e.g., making sure that we can keep in touch with our customers about their accounts and new services or functionalities related to the Platform |
| To share your personal data with members of our group and third parties in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency. In such cases information will be anonymised where possible and only shared where necessary | Depending on the circumstances: to comply with our legal and regulatory obligations; in other cases, for our legitimate interests or those of a third party, i.e., to protect, realise or grow the value in our business and Platform |
See ‘Who we share your personal data with’ for further information on the steps we will take to protect your personal data where we need to share it with others.
- Marketing
We send essential service-related communications to LostnReturned users through email (currently via Postmark for transactional emails) and, where appropriate, through other communication channels that we may make available from time to time (for example, SMS). These include security updates, subscription notifications, QR code delivery confirmations, and important information about your use of LostnReturned (for example, messages about a lost or found item). These communications are necessary for the operation of the Platform and are distinct from marketing messages.
Where you sign up to receive updates, join our waitlist, or otherwise choose to hear from us, we may send you marketing communications about our services, launch updates, new features, and related products. Where required by law, we will only send such communications with your consent.
If you create a LostnReturned account, we may also send you communications related to your account, transactions, or use of the Platform. These are not marketing communications and are necessary for the performance of our contract with you.
You can opt out of marketing communications at any time using the methods described below. You will continue to receive essential service-related messages.
Our Platform analytics help us improve service delivery by tracking user engagement, QR scan patterns, finder form submissions, and platform feature utilisation, while maintaining user privacy through secure data handling practices. We rely on our legitimate interests for this analytics processing, having conducted a legitimate interests assessment (LIA) balancing our business needs against users’ rights and freedoms. Where consent is required under applicable law (such as for cookies or similar technologies, or certain analytics features provided by third parties in connection with email engagement), we will obtain such consent before processing.
LostnReturned acts as an independent data controller for all communications we send. Marketing communications will be directed to business account holders and individual users only where we have a lawful basis to do so. For business-to-business marketing, we rely on our legitimate interests (subject to your right to object). For individual consumers, we will obtain consent before sending marketing communications, in accordance with the Privacy and Electronic Communications Regulations (PECR). We currently use providers to help us manage and send marketing emails and to understand engagement with those emails. We may also promote our services through third-party advertising platforms, including Meta (Facebook and Instagram) and TikTok. Where we run targeted advertising on these platforms, we may share limited data (such as hashed email addresses or device identifiers) with those platforms as permitted under applicable data protection law; each platform acts as an independent controller for its own use of that data, and their respective privacy policies govern that processing. We do not currently act as a data processor for business customers. If we introduce features in the future that involve processing personal data on behalf of business customers as a data processor (for example, staff-level access controls or internal business messaging), we will implement GDPR-compliant data processing agreements containing the mandatory clauses required by Article 28 UK GDPR before commencing any such processing, and any communications sent on behalf of those customers will be clearly identified as such.
You will have the right to opt out of receiving marketing communications at any time by:
- contacting us at the support email address set out in ‘How to contact us’ below
- using the ‘unsubscribe’ link included in any marketing emails you receive from us
We will not use your personal data for marketing purposes if you have told us not to. For information about how long we keep your personal data (including contact details used for marketing), see ‘How long your personal data will be kept’ below.
For more information on data subject rights and how they should be exercised, see ‘Your rights’ below. LostnReturned acts as an independent data controller for all personal data we process, so you may exercise your rights directly with us. We will respond to data subject rights requests without undue delay and in any event within one month of receipt, with the possibility of extending this by a further two months where necessary, taking into account the complexity and number of requests.
- Who we share your personal data with
We collect and process personal data through our website and mobile application as an independent data controller. This includes:
- Business owner account data: business name, account holder name, email address, phone number, postal/billing address, hashed login credentials, subscription details, order history, payment references (processed through Stripe and not stored by us in full), shipping addresses for QR code delivery, gift card details, and Recovery Page settings (including whether Direct Contact is enabled and what contact details are set to display publicly)
- Finder submission data: name, email address, phone number, message content, optional time/location information about found items
- Technical and usage data: QR scan logs, timestamps, IP addresses, country/region information, device type, browser information, operating system
- Communication data: support enquiries, in-app or email communications and other messages you or we send in relation to the Platform.
- Accounting data: invoice information processed for payment processing and tax compliance
We act as an independent controller for this data in connection with operating and securing the Platform. Where we act as a processor for a business customer in limited cases that are expressly agreed in writing, we will process the relevant personal data on the business customer’s documented instructions for the purposes set out in that agreement.
We share your personal data with trusted third-party service providers, including Mitchell Digital for hosting infrastructure, Postmark for transactional email delivery, Klaviyo for marketing and email analytics, and Xero for accounting. All providers must implement appropriate technical and organisational measures that comply with UK and, where applicable, EU data protection laws. These providers act as our processors and are bound by contracts ensuring data protection, confidentiality, and security requirements that align with our obligations to you.
Where you use LostnReturned or other Platform features in connection with a business customer (for example, your employer or a venue that uses our services), we may share relevant personal data with that business customer so that they can manage their relationship with you and fulfil their own legal obligations. In doing so, we and the business customer will generally act as independent controllers, each responsible for our own compliance with applicable data protection laws.
We or the third parties mentioned above may occasionally also need to share your personal data with:
- external auditors, e.g. in relation to the audit of our accounts and our company—the recipient of the information will be bound by confidentiality obligations
- professional advisors (such as lawyers and other advisors)—the recipient of the information will be bound by confidentiality obligations
- law enforcement agencies, courts or tribunals and regulatory bodies to comply with legal and regulatory obligations
- other parties in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations and will be required to use your personal data only for the purposes for which it was disclosed. We will notify affected data subjects of any such transfer where required by law.
If you would like more information about who we share our data with and why, please contact us (see ‘How to contact us’ below).
We retain your personal data in accordance with our internal Data Retention Policy and Record Retention Schedule, which take into account the storage limitation principle under UK GDPR and, where applicable, EU GDPR.
Following the end of the applicable retention period, we will securely delete or anonymise your personal data in accordance with applicable technical standards and industry best practices, unless retention is required by law. Where we anonymise data, we ensure that it can no longer identify you and cannot be re-identified.
- How long your personal data will be kept
We keep personal data only for as long as necessary for the purposes for which it was collected. Waitlist and early-access sign-up data will be retained so that we can manage the waitlist and send emails about LostnReturned in line with your preferences. You can unsubscribe from these emails at any time. We will delete or anonymise your personal data when it is no longer needed for these purposes, or upon request, unless we are required to retain it for legal, regulatory or record-keeping reasons.
- International Transfers of Data
LostnReturned processes and stores personal data within the United Kingdom with administrative access from the Netherlands. Our hosting infrastructure is provided by Mitchell Digital, with servers located in secure data centres in the UK.
Legal basis for UK-EEA transfers: Transfers of personal data between the UK and EEA benefit from the UK’s adequacy regulations (permitting UK-to-EEA transfers) and the European Commission’s adequacy decision for the UK (permitting EEA-to-UK transfers). Where we transfer data to countries outside the UK/EEA that do not benefit from an adequacy decision, we implement appropriate safeguards under UK GDPR and/or EU GDPR, including Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs, together with any supplementary measures required by law.
Future processor arrangements: Currently, LostnReturned acts as an independent data controller for all personal data we process, including business owner account data and finder submissions. If we introduce features in the future that involve processing personal data on behalf of business customers as a data processor (for example, staff-level access controls or internal business messaging), we will implement appropriate data processing agreements and transfer mechanisms at that time. Any such processor arrangements will be clearly documented and communicated to affected customers.
Third-country transfers: For any transfers of personal data to countries outside the UK/EEA that do not benefit from an adequacy decision, we implement appropriate safeguards under UK GDPR and/or EU GDPR, including Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs, together with any supplementary measures required by law. Our third-party service providers (including Stripe, Klaviyo, Postmark, Xero and Mitchell Digital) may process data in various jurisdictions, and we ensure that appropriate transfer mechanisms are in place for any processing outside the UK/EEA.
In the event we could not or choose not to continue to rely on any particular transfer mechanism at any time, we would not transfer your personal data outside the UK/EEA unless we could do so on the basis of an alternative mechanism or exception provided by applicable data protection law.
- Your rights
Under the UK GDPR and, where applicable, the EU GDPR, you have a number of rights in relation to your personal data. You may exercise your data protection rights directly with us by contacting us using the details in the ‘How to contact us’ section below. We may need to take reasonable steps to verify your identity before responding, in line with our internal procedures for data subject requests. If you are a finder whose details were forwarded to an owner or business account holder, we can only exercise your rights in relation to the copy of your data that we control; you should also contact the relevant owner or business account holder directly to exercise your rights in relation to the separate copy of your data that they hold as an independent controller.
For more information regarding these rights, please visit the ICO website.
| Access to a copy of your personal data | The right to be provided with a copy of your personal data. |
| Correction (also known as rectification) | The right to require that inaccurate or incomplete personal data is corrected. |
| Erasure (also known as the right to be forgotten) | The right to have your personal data deleted—in certain situations, subject to legal requirements around data records, our legitimate business interests (for example, in relation to security, fraud prevention and dispute resolution), and other applicable legal obligations. |
| Restriction of use | The right to request that the use of your personal data is restricted in certain circumstances, for example if you contest the accuracy of the data. |
| Data portability | The right, in certain situations where the processing is based on your consent or on a contract with you and is carried out by automated means, to receive the personal data you provided through the Platform in a structured, commonly used and machine-readable format and/or have us transmit that data to a third party where technically feasible. |
| To object to use | The right to object to processing of your personal data. Specifically, you have the right to object: at any time to your personal data being used for direct marketing (including profiling); in certain other situations to the continued processing of your personal data by us where we are relying on our legitimate interests or those of a third party, unless we have compelling legitimate grounds to continue the processing. |
| Not to be subject to decisions without human involvement | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. |
For further information on each of those rights, including the circumstances in which they apply, please contact us. You may find it helpful to refer to the guidance from the UK’s Information Commissioner on your rights under the UK GDPR at https://ico.org.uk/for-the-public/. If you are in the EEA, guidance from your local supervisory authority may also be relevant.
- Keeping your personal data secure
We implement appropriate technical and organisational security measures to protect your personal data, including encryption in transit and, where appropriate, encryption at rest, secure access controls, regular security monitoring, and backup procedures. Our hosting infrastructure is provided by Mitchell Digital with data stored in secure data centres located in the UK. While we implement industry-standard security measures appropriate to our size and risk profile, we cannot guarantee absolute security. Users should also take reasonable precautions to protect their account credentials and report any suspected security issues to support@lostnreturned.com immediately.
If you become aware of any potential security issue, please report it immediately to us. For business owners who receive finder data forwarded by LostnReturned, you are responsible, in your capacity as an independent data controller, for handling any breach of that data in accordance with your own controller obligations (including, where applicable, assessment and notification obligations to the ICO or other competent supervisory authority and affected individuals).
For information about our security measures and how we protect your personal data, please contact us. We are committed to transparency about our security practices while protecting sensitive security information from potential misuse.
- How to complain
For queries about personal data processing and to exercise your data rights, please contact us directly. For technical support issues with the LostnReturned platform (such as QR code scanning problems, account access issues, order fulfilment queries, or subscription management), you can also contact us at the same email address.
While you have the right to lodge a complaint with a supervisory authority, we encourage you to first raise any concerns with us directly at support@lostnreturned.com so we can address them promptly. If you are a finder whose details were forwarded to a business owner and your concern relates to how that business owner has handled your data, you should raise your concern with them directly.
If you are in the UK, you can lodge a complaint with the Information Commissioner’s Office (ICO) if you are unhappy with how we or your organisation have used your personal data. The ICO can be contacted via https://ico.org.uk/make-a-complaint, by telephone on 0303 123 1113, or by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. If you are in the EEA, you also have the right to lodge a complaint with your local data protection supervisory authority.
- Changes to this privacy policy
This privacy policy may be updated periodically to reflect changes in our practices, services, or legal requirements. We will post the updated version on our website and indicate the date of the latest revision, and we may also notify you of material changes via the Platform or by email. Please check back regularly to stay informed about our privacy practices.
- How to contact us
You can contact us by email at support@lostnreturned.com (or any replacement address notified to you) if you have any questions about this privacy policy, about how we use your personal data as a data controller (including for LostnReturned), or if you wish to exercise your data protection rights directly with us where applicable.