Privacy Policy 

Privacy Policy – Last Updated 18 May 2026 

NUS Alive Limited (Company Number 08873775) 

The privacy and security of your personal information is extremely important to us. This privacy policy explains how and why we use your personal data, to make sure you stay informed and can be confident about giving us your information. Your personal data is in safe hands with us. 

1. Definitions 

To help you understand this policy, we use the following terms: 

• Alive Profile: Your personal account within the Alive App. 
• Alive App: The mobile application used to display your ID or card and to provide additional features. 
• Holder: The individual to whom the ISIC, IYTC, ITIC, or NUS ID card is issued. 
• ISIC Card: The International Student Identity Card, endorsed by UNESCO. 
• IYTC Card: The International Youth Travel Card, available to individuals under 35 who are not full-time students. 
• ITIC Card: The International Teacher Identity Card, available to full-time teachers or teaching assistants. 
• Card: refers to all any or all of the; ISIC/ ITIC/ IYTC/ AliveID/ NUS ID 
• Data Controller: The organisation that determines how and why your personal data is processed. 
• Data Processor: A third party that processes your personal data on behalf of the data controller. 
• Personal Data: Any information that relates to an identified or identifiable individual. 
• NUS ID: A digital student identity card powered by AliveID and displayed in the Alive App. NUS ID serves as a student identifier provided by NUS, the relevant Student Union, the relevant University, and/or third-party providers. NUS ID is issued in digital form only. 
• NUS: The National Union of Students (United Kingdom). 
• Student Union: The relevant students’ union affiliated with the Holder’s university or educational institution, which may determine eligibility for and distribute the NUS ID. 
• Membership Enrolment Platform (MEP): The system or platform through which student membership data is collected and transmitted to the relevant technical partner for the purpose of NUS ID issuance and activation. 
• Transactional Data: Data relating to the use of the NUS ID card, including but not limited to records of benefit redemptions, discount usage, campus access events, and other interactions processed via the NUS ID. 
• Distribution Partner: A Student Union, University, or other authorised entity responsible for distributing and managing NUS ID cards to eligible students. 

2. Privacy Principles 

We take your privacy seriously. The following principles underpin our approach to respecting your privacy: 

• We value the trust that you place in us by giving us your personal information. We will always use your personal information in a way that is fair and worthy of that trust. 
• We will provide clear guidance on how we use your personal information. We shall always be transparent with you about what information we collect, what we do with it, with whom we share it and who you should contact if you have any concerns. 
• We will take all reasonable steps to protect your information from misuse and keep it secure. 
• We will comply with all applicable data protection laws and regulations, and we will co-operate with data protection authorities. In the absence of data protection legislation, we will act in accordance with generally accepted principles governing data protection. 
• We will always protect your personal data and, as part of this, we regularly review our privacy notice so that you can see how we use your data and what your options are. If there are any further changes to the ‘UK General Data Protection Regulation’ (UK GDPR) or related laws, we may need to amend this statement in the future. 

A few quick notes: 

• This privacy policy explains what data we collect as well as how and why we use your personal data. 
• The policy applies to you if you’re a card holder, student, if you are an organisation we have a working relationship with (e.g. supplier), if you visit our websites or email, call or write to us. 
• We will never sell your personal data. We will only share it with organisations we work with who meet our high privacy standards. 

3. Index 

• Who ‘we’ are 
• Personal Data We Hold About You 
• Online Identity Verification and Processing of Minors’ Data 
• How we use your personal data 
• Sharing of Transactional Data with Student Unions 
• How we secure your data 
• Where your personal data may be processed 
• Events 
• Disclosing and sharing information 
• Data Retention 
• Your data protection rights 
• When we use Legitimate Interest 
• Contact for Alive App Data Requests 
• What to do if you are not happy? 
• Changes to this Privacy Policy 

4. Who ‘We’ are 

In this policy, whenever you see the words ‘we’ it refers to NUS Alive Limited (Company Number 08873775). 

Our registered office address is Merseyway Innovation Centre, 21-23 Merseyway, Stockport, SK1 1PN. 

We operate the following sites: https://www.isic.org.uk 

If you have any questions relating to this privacy policy or how we use your personal data, please send them to dpo@isic.org.uk or post them to the Data Protection Officer, NUS Alive Limited, Merseyway Innovation Centre, 21-23 Merseyway, Stockport, SK1 1PN. 

5. Personal Data We Hold About You 

5.1 We collect personal data from you when you voluntarily submit information directly to us or our application. This can include information you provide when you register to use the application, login to the application, complete a form, correspond with us, use discounts via our application or subscribe to our email lists. 

Where you are issued an NUS ID card, we collect and process personal data in connection with the issuance, activation, and use of the NUS ID. This data is received from the relevant Student Union via the MEP and may include your name, date of birth, photograph, student status, Student Union membership status, university or educational institution name, and contact details. 

When you use your NUS ID to access benefits, redeem discounts, or interact with campus services, we may collect Transactional Data relating to such usage. This may include the date, time, and nature of the transaction, the benefit or service accessed, and the identity of the providing organisation. Transactional Data is processed for the purposes of administering the NUS ID benefit network, verifying entitlement, and providing aggregated reporting to the relevant Student Union and/or University. 

5.1.1. Verifying your Card: 

When you register to use our application, it may be necessary to verify the validity of your Card. We will also on a regular basis verify the validity of your Card, either at our own initiative or by your request. If your Card goes through a validation process, we will process your name, Card number, date of verification and IP Address. The verification, including the personal data necessary for it, will be stored for 5 years from the date of verification. 

5.1.2. Application Profile: 

When you have completed your registration to our application, a profile will be created for you in our application. For managing your profile and enabling use of our application, we will process the personal data belonging to your Card and/or data you have provided us. The personal data collected and processed are your name, date of birth, Card Number, contact details, photo, country of residence, issuer organisation of your Card, Card type, Card validity, Card status, your preferences and information about how you use and connect to the application, favourite discounts and password. 

NUS ID may remain technically available for a period of up to four (4) years from the date of issuance, subject to the Holder continuing to meet the applicable eligibility requirements. 

5.1.3. Displaying your Card 

For physically displaying and using your Card in the application, an image of your Card will be generated and temporarily stored, including any information found on your Card. 

5.1.4. Direct Marketing: 

So that we can ensure that you get the best from your Card proposition, we will send out newsletters and other electronic direct marketing under legitimate interests. We will process your name, e-mail address and phone number. You can unsubscribe from this processing at any time from the footer of any email from us. 

NUS ID is issued in digital form and distributed to students via the relevant Student Union and its membership platform using the API service of the relevant technical partner. You access and activate the NUS ID by completing the required activation process, which includes requesting activation from the student profile in the relevant membership platform, downloading the Alive App, completing onboarding steps, and uploading a photograph (if not already provided through the API data transfer). 

5.2 We also collect personal data indirectly from you, such as information about the pages you look at on the application and the device you connect to the application with. 

5.3 We will now describe a few of the aforementioned categories of personal data we collect in more detail: 

• (a) Contact details: Include data such as your name, your email address and your telephone number associated with your account. 
• (b) Account information: Include data such as your contact details (as above) and any other information you share when creating an account with our application. 
• (c) Your preferences: Choices you make such as notification and messaging preferences or choices about how the application is set up. 
• (d) Information about how you use and connect to the application: 

(i) We collect information about how you use the application such as the pages and links you access, the discounts you have selected, the time you access the application and duration you are on it, the website you come to the application from or go to after leaving the application and selections and choices you make when using the application. 

(ii) We also collect information about the computer or other electronic devices you use to connect to the application such as details about the type of device (which can include unique device identifying numbers), its operating system, browser and applications connected to the application through the device, your Internet service provider or mobile network, your IP address and your device’s telephone number (if it has one). 

• (e) Information about your location: Subject to your consent, we may collect your location or an approximation thereof to show nearby discounts/benefits or location on the map. We do not connect location data to concrete users. 
• (f) Information provided by other organisations: Other organisations may provide information that we associate with you where they are lawfully permitted to share it, such as contact details, demographic data, or Internet navigation information. 

6. Online Identity Verification and Processing of Minors’ Data 

6.1 Online Verification and Check of the ID/Card Holder’s Identification 

If you give your voluntary and express consent, we will verify and check your identification when you purchase your ID online (or for the creation of a digital ID) by comparing your details against a scan of your identity document. The scan must be made solely by the Holder to whom the identity document belongs, and will be used only for the purpose of verifying your identity. This process includes checking your photograph and the details on your ID against those on your identity document. 

Following verification, GTS ALIVE Group s.r.o. will securely destroy the copy (scan) of your identity document. The retention period for the identity confirmation scan is no longer than 14 days from the verification of your identity, after which the copy is securely destroyed. 

The legal basis for this processing is your consent, which you may withdraw at any time. 

You are not required to give your consent to this process. If you do not agree, your identity may be verified by means of a scan of a notarial deed or a notary’s statement confirming that the Holder shown in the photograph and their personal data correspond to the details on the relevant identity document. In this case, the legal basis for retaining the certificate is legitimate interest. The certificate will be retained for a maximum period of 5 business days after the identity check has been performed. You have the right to object to this processing. 

Without a verified identity, it is not possible to use the services of a digital ID. 

6.2 IDs and Other Activities of Holders Under the Age of 16 – Confirmation by a Legal Guardian 

If a Holder under the age of 16 applies for an ID/Card (including a digital ID/Card) or plans to use any of GTS ALIVE Group s.r.o.’s information society services, the processing of personal data is lawful only if the relevant consent has been expressed or approved by a person with parental responsibility over the child. GTS ALIVE Group s.r.o. therefore requires the consent of the legal guardian of such Holder. The personal data of the legal guardian are retained for the purpose of verifying their identity and recording the consent. 

Legal basis for processing: Performance of a contract, performance of a legal obligation, and legitimate interest. 

Legitimate interests: Selected important data or documents (e.g., records of the consents given) are retained for potential inspection by a supervisory authority, to defend against claims, or to exercise our rights. 

Retention period: Until the Holder reaches the age of 16 years, and for 3 years thereafter. 

Categories of personal data concerned: Identification and contact data, approval-related logs and/or documents, and related documentation (if any). 

Voluntary disclosure of data: The provision of personal data is voluntary; however, without providing personal data, it is not possible to conclude and perform a contract for these services or to issue an ID pass. 

6.3 Verifying Photographs Online 

When a Holder provides a photograph for display on their ID, we will check the photograph to ensure it meets specific requirements. This includes verifying that the photograph shows the Holder, that the person in the photograph is not wearing sunglasses or headgear, that the quality of the photograph is sufficient to identify and verify the person when using the ID, and that the head is not hidden. For this purpose, we process the Holder’s personal data. 

We also use the services of a supplier to check photographs, specifically Google Ireland Limited (incorporated under the laws of Ireland, identification number: 368047, registered office: Gordon House, Barrow Street, Dublin 4, Ireland). We have entered into a data processing agreement with Google. The service used is called Google Cloud Vision. This service verifies, among other things, that there is a person in the photograph, that the person is not wearing sunglasses or headwear, and that the photograph quality is sufficient for its intended use. The verification process does not involve identity checks or the processing of biometric personal data or other special categories of data. 

Retention period: Data used for internal verification and checks are deleted immediately after validation and in any case within 24 hours. The retention period of a photograph is the same as the period for which the photograph is used on your ID, which corresponds to the retention period of the personal data on the ID according to this Policy. 

Legal basis: Performance of a contract and legitimate interest. You have the right to object to processing based on legitimate interest. 

7. How we use your personal data 

Depending on the purpose for which we use your personal data, we rely on one or more of the following lawful bases under UK data protection law: performance of a contract, compliance with a legal obligation, our legitimate interests, and, where relevant, your consent 

We will use your personal data for the purposes outlined at the time you provided it to us. Examples include: 

• Administering your discount membership and our relationship with you as a cardholder, as well as providing you with information about discount offers and other related purposes. 
• Responding to your requests and fulfilling our contractual obligations with you. 
• Under legitimate interest, we will share information with the National Union of Students (United Kingdom), Company number 08015198 and/or NUS Students’ Union Charitable Service. As a student, we want to ensure you have access to the latest information about campaigns and competitions for students. You can opt out at any time by emailing dpo@isic.org.uk 
• We may also need to provide your personal data if we are asked by the police, or any other regulatory or government authority in relation to safeguarding. 
• Administering your NUS ID and our relationship with you as an NUS ID holder, including verifying your eligibility, issuing and activating your NUS ID, and providing you with access to the NUS ID benefit network. 
• Sharing Transactional Data with the relevant Student Union and/or University via the MEP for the purposes of understanding benefit usage, improving services, and delivering communications relevant to you as a Student Union member. Such data may be shared in aggregated or individual form as agreed between NUS Alive and the relevant Student Union. 
• Receiving personal data from the MEP operated by or on behalf of the relevant Student Union, for the purpose of issuing and activating NUS ID cards. 

We may analyse information we hold about you, including Transactional Data, to understand how our services are used, to improve those services, and to support reporting to relevant students’ unions and universities. This may include profiling, but we do not make decisions about you that are based solely on automated processing where those decisions have legal effects or similarly significant effects on you. 

8. How we secure your data 

We want to keep our customers and suppliers safe, so the security of your data and of our information systems is incredibly important to us. When you entrust your personal information to us, we take care of it as if it were our own. We spend a lot of time, money and resources on ensuring that the personal details you entrust to us are protected from loss, misuse and abuse. 

External threats to our data security are changing all the time, so we have a robust process for assessing, managing and protecting all of our new and existing systems to ensure they are up to date and secure. 

Our staff complete mandatory information security and data protection training when they start with us and every year afterwards, to reinforce their responsibilities and requirements and ensure they understand and comply with their obligations under the Data Protection Act 2018 and UK GDPR. We carefully control who has access to your information and ensure that it is only used in the way you would expect. 

When you trust us with your data we will keep your information secure to maintain your confidentiality. 

9. Where your personal data may be processed 

Whenever we transfer personal data out of the EEA or the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: 

• We will only transfer personal data to countries that have been deemed to provide an adequate level of protection for personal data by the ICO. 
• Where we use certain service providers, we may use specific contracts approved by the ICO which give personal data the same protection it has in the UK. 
• Where we transfer personal data to providers outside the UK, including providers based in the US, we will only do so where there is an adequacy regulation in place or where we have put in place appropriate safeguards, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or other transfer mechanisms recognised under UK data protection law.]We also take regular encrypted backups. 

We use GTS ALIVE Group s.r.o. (ID No. 09296727), with its registered office at Na Maninách 1092/20, Holešovice, 170 00 Prague 7, Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague, section C, entry no. 334013, as a data processor for certain services. As GTS ALIVE Group s.r.o. is located outside the UK, we have a written agreement in place that ensures your personal data is protected in line with UK data protection law. This agreement includes obligations to maintain confidentiality and implement appropriate security measures. We only transfer your data to GTS ALIVE Group s.r.o. using approved safeguards such as the UK International Data Transfer Agreement (IDTA) or other mechanisms recognised by UK data protection law. 

In connection with the NUS ID program, your personal data may also be processed by MEP providers acting as data processors on behalf of the relevant Student Union. MEP providers process personal data for the purposes of membership management, eligibility verification, NUS ID distribution, and the delivery of Transactional Data reporting. NUS Alive Limited must be recognised as data controller, and, GTS ALIVE Group s.r.o., and the MEP relevant for data considered under an NUS ID, must be recognised as data processors within the privacy policies of each participating Student Union. 

10. Events 

We may collect and process your data in connection with events, for example to register your attendance or provide event information. The legal basis for this is our legitimate interest or your consent. 

11. Disclosing and sharing information 

We do not sell your personal data. We may share it with trusted partners, such as IT service providers or mailing houses, to achieve the purposes set out in this policy. 

In relation to NUS ID, we may share your personal data and/or Transactional Data with the following categories of recipients: 

• The relevant Student Union, for the purposes of membership management, benefit administration, and communications with you as a Student Union member. 
• MEP providers, acting as data processors on behalf of the relevant Student Union, for the purposes of managing student membership records, processing NUS ID-related data, and generating reports on benefit usage. 
• GTS ALIVE Group s.r.o., acting as data processors, for the purposes of NUS ID issuance, activation, verification, and benefit network administration. 
• Third-party benefit providers, where necessary, to verify your NUS ID status and entitlement when you access a benefit or service. 

Transactional Data relating to your use of the NUS ID card may be shared with the relevant Student Union and/or University via the MEP platform. This data may include records of benefit redemptions, discount usage, and campus interactions processed via the NUS ID. Such sharing is carried out under our legitimate interest in supporting the administration of the NUS ID benefit network and the Student Union’s legitimate interest in understanding how its members use available services. 

12. Data Retention 

We will only use and store your information for as long as it is required for the purposes it was collected, or as required by law. 

In relation to NUS ID, we apply the following data retention and anonymisation periods, based on our legitimate interest in maintaining accurate records, defending against potential claims, complying with regulatory requirements, and supporting audit and accountability obligations: 

12.1 Data retention after NUS ID issuance: 

Personal data associated with an active NUS ID will be retained for the duration of the card’s validity period and for 6 months thereafter. Where an NUS ID is cancelled, revoked, or deactivated, personal data will be anonymised within 6 months of the date of cancellation. 

12.2. Data retention in cases of non-activation of NUS ID: 

Where personal data is received from the MEP but the NUS ID is not activated by the Holder, such data will be anonymised within 6 months of receipt. 

12. 4. Transactional Data retention: 

Transactional Data will be retained for 2 years from the date of the relevant transaction. 

Upon expiry of the applicable retention period, personal data will be anonymised or securely deleted in accordance with our data retention procedures. Anonymised data, which can no longer be used to identify an individual, may be retained for statistical and analytical purposes. 

13. Your data protection rights 

You have the following rights: 

• Right of access: You can request a copy of your data. 
• Right to rectification: You can ask us to correct inaccurate or incomplete data. 
• Right to restrict processing: You can ask us to limit how we use your data. 
• Right to object: You can object to certain processing. 
• Right to erasure: You can ask us to delete your data. 

To exercise these rights, please email dpo@isic.org.uk. We aim to respond within 30 days. 

13.1 Data deletion in relation to your Card (including NUS ID) 

If you hold a Card (including an ISIC, IYTC, ITIC, AliveID or NUS ID) and wish to request the deletion of your personal data, you may do so by contacting us at dpo@isic.org.uk. Upon receiving a valid deletion request, we will take the following steps: 

• We will delete or anonymise your personal data held in connection with your Card, subject to any legal obligations requiring us to retain certain data (for example, for accounting, fraud prevention or regulatory purposes). 
• Where your Card has been issued via a Student Union, University or other Distribution Partner (including through a Membership Enrolment Platform), we will notify the relevant organisation of your deletion request so that corresponding records held by them in their capacity as data controller or processor may also be addressed. 
• Where your Card data is processed by GTS ALIVE Group s.r.o. or other technical partners acting as our data processors, we will instruct them to delete or anonymise personal data held on their systems in connection with your Card, subject to any legal obligations requiring retention. 
• Transactional Data that has already been shared with a Student Union, University or other partner prior to your deletion request may be retained by that partner in anonymised or aggregated form, where such data can no longer be used to identify you. 

We will aim to complete the deletion or anonymisation of your personal data within 30 days of receiving your verified request, unless we are required by law to retain some of that data for longer. 

Please note that deletion of the personal data we hold in relation to your Card may result in the deactivation of that Card and the loss of access to any benefits, services or functionalities linked to it. In particular, if your NUS ID is linked to Student Union membership verification, deletion may also affect your ability to demonstrate membership status. 

14. When we use Legitimate Interest 

We process your data under legitimate interest when it is necessary for our business, provided your rights and interests do not override ours. You can object to this processing. 

When we rely on legitimate interests, we consider the impact of the processing on your rights and freedoms and put safeguards in place to protect your personal data. You have the right to object to processing carried out on this basis, and you can contact us if you would like more information about how we have assessed our legitimate interests. 

We do not normally use sensitive personal data (for example, information about your health) for the services covered by this policy. If we ever need to use this kind of data in a specific situation, such as to help with accessibility needs or because the law requires it, we will only do so where the law allows us to and with extra protections in place. 

15. Contact for Alive App Data Requests 

For requests related to the Alive App, please contact: 

GTS ALIVE Group s.r.o. 

Na Maninách 1092/20, 170 00 Prague 7, Czech Republic 

Tel: +420 226 222 336 

Fax: +420 226 222 300 

Email: legal@gtsalive.com 

This contact is for matters relating specifically to the Alive App, which is operated by GTS ALIVE Group s.r.o. as data controller. 

16. What to do if you are not happy? 

If you have concerns about how we use your data, please contact us at dpo@isic.org.uk. You can also complain to the Information Commissioner’s Office (ICO): 

Information Commissioner’s Office 

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 

Helpline: 0303 123 1113 

Website: https://www.ico.org.uk 

17. Changes to this Privacy Policy 

We keep our privacy policy under regular review and will update it as needed. 

Summary of changes in this version 

We have updated this privacy policy to reflect how NUS Alive Limited supports the NUS ID and related services. The main changes are: 

• We have updated our name throughout to NUS Alive Limited, keeping the same company number and contact details. 
• We now explain how NUS ID and AliveID work, including how they are issued, activated and used in the Alive App. 
• We have added information about how we receive data from students’ unions and their membership platforms (MEPs) to issue and manage NUS ID. 
• We have introduced a clear definition of Transactional Data (for example, discount use or campus access events) and explained how this is used to administer the NUS ID benefit network. 
• We now give more detail on when and how Transactional Data may be shared with your students’ union and/or university to help them understand and improve the services they offer to members. 
• We have added specific data retention periods for NUS ID and Transactional Data, including what happens if you never activate your NUS ID. 
• We have updated our approach to children’s data, raising the age at which a legal guardian’s consent is required for an ID from 15 to 16. 
• We have included a new explanation of how you can request deletion of your NUS ID data, what we will do when we receive such a request, and how this affects your access to NUS ID benefits. 
• We have clarified the roles of NUS Alive Limited as data controller and our technical partners (including GTS ALIVE and MEP providers) as data processors, and how we ensure appropriate safeguards for international transfers.