Privacy Policy

1. Who we are

For the purpose of this Privacy Policy, "you" or "your" means any end user accessing or receiving our digital services, which include our Website and/or Subscription Services (as defined below), and "we", "us", "our" or "Postcode Energy" means Postcode Energy Limited, company number 16883347 with our registered office address at 4-4a, Blackburn Road, Accrington, BB5 1HD, United Kingdom.

2. How we process personal data

This Privacy Policy, together with any other documents referred to in it, aims to give you information on how and the basis any personal data that we collect from you, or that you provide to us will be processed by us. This Privacy Policy also sets out how you can instruct us if you prefer to limit the use of that personal data, and the procedures that we have in place to safeguard your privacy.

Please read this Privacy Policy carefully to understand our views and practices regarding your personal data and how we collect, use and protect it.

By using or accessing our website, https://postcode.energy ("Website"), or any services, features or content that are provided when you create an account with us or pay for access to our subscription offering ("Subscription Services") (together, the "Services"), or communicating with us, you understand and agree that we will collect and process your personal data in accordance with this Privacy Policy. If you do not agree with this Privacy Policy you must not access or use the Services or submit information to us through or in connection with the Services.

The Services are not intended for children and we do not knowingly collect data relating to children. If you are under 18, you must not use the Services.

3. Controller

For the purpose of applicable data protection laws, we will be regarded as an independent data controller of your personal data when we collect your personal data through the Services.

4. Contact us

For questions, complaints or requesting further information from us on data protection and privacy, or any requests concerning your personal data, or where you have identified a risk to our processing of personal data, please write to privacy@postcode.energy.

5. Types of personal data we may collect about you

Personal data means any information about an individual from which that person can be identified. We may collect, use, store and transfer the following types of personal data about you:

• Identity Data: your full name and email.
• Contact Data: email address and home address (if you have provided this).
• Profile Data: your user ID and password and Subscription Service purchases.
• Financial Data: the last four digits of your credit card, card brand, name on card, billing address (if collected by Stripe), expiry date, card country, transaction history and subscription status. We have access to this data through Stripe but do not process payments ourselves.
• Marketing Data: your preferences in regards to receiving marketing information and communication from us, and your communication preferences and subscription tier (if applicable).
• Technical Data: internet protocol (IP) address, login data, browser type and version, device type, time zone setting, browser plug-in type and versions, operating system and other technology on the devices you use to access the Services.
• Usage Data: information on how you interact with and use the Services. This includes pages viewed, features used, interaction timestamps, and referral sources.
• Error Logs: automatically deleted after 90 days. Error logs may include device type, browser information, and the page/feature where an error occurred.

We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific feature of our Website in order to analyse general trends as to how users are interacting with the Services, to help improve our service offering.

6. How we collect your personal data

We use different methods to collect data from and about you including through:

Your interactions with us

You may give us your personal data by filling in online forms or by corresponding with us by email. This includes personal data you provide when you:

• browse our Website;
• create an account;
• pay to access our Subscription Service;
• contact us for enquiries or information;
• view, access and navigate the Services;
• participate in a marketing/sales promotions or online surveys;
• request marketing materials; and/or
• give us feedback or contact us.

Automated technologies or interactions

As you interact with the Services, we may automatically collect Technical Data and Usage Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see our cookie policy for further details. We will ask for your consent to collect any such data for non-essential functions.

Third parties or publicly available sources

We may receive personal data about you from various third parties and publicly available information to which we have access. This includes where we ingest energy-related datasets from government or regulatory sources. We also send location data (postcodes and/or geographic coordinates) to third-party data providers, including OpenWeatherMap, to retrieve environmental information such as air quality data. No personally identifiable information is shared with these providers.

7. How we use your personal data

Legal basis

The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:

a) Performance of a contract with you: where we need to perform the contract we are about to enter into or have entered into with you.

b) Legitimate interests: where it is necessary to conduct our business and pursue our legitimate interests (for example to enable us to give you the best and most secure customer experience) and your interests and fundamental rights do not override those interests. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

c) Legal obligation: where we need to comply with a legal obligation to which we are subject.

d) Consent: we rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter.

Purposes for which we will use your personal data

We have set out below a description of all the ways we plan to use the various categories of your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose / Activity	Type of Data	Lawful Basis
Provide and administer the Services and manage your subscription	Identity Data, Contact Data, Profile Data, and Financial Data	Performance of a contract
Verify identity and manage authentication	Identity Data, Contact Data, Profile Data, Technical Data	Performance of a contract; legitimate interests (security and fraud prevention)
Process payments and prevent fraud	Identity Data, Financial Data	Performance of a contract; legitimate interests (prevent fraud; recover debts owed to us)
Retrieve and present energy consumption, tariff and property-related insights	Identity Data, Contact Data and Profile Data	Performance of a contract
Provide comparisons, recommendations and alerts	Identity Data, Contact Data and Profile Data	Performance of a contract; legitimate interests (improve our Website and Services)
Notify you about changes to our terms or privacy policy, respond to enquiries and provide customer support	Identity Data, Contact Data, Profile Data, Technical Data, Usage Data and Error Logs	Necessary to comply with a legal obligation; performance of a contract; legitimate interests (improve our Website and Services, remedy defects or bugs)
Maintain the security and integrity of our systems	Technical Data, Usage Data, Error Logs	Legitimate interests (improve our Website and Services, remedy defects or bugs)
Improve and develop the Services, including analytics and research	Usage Data, Technical Data	Legitimate interests (improve our Website and Services)
Contact you with information about our products and services	Identity Data and Contact Data	Legitimate interest (offer our Services to you)

Direct marketing

You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving the marketing.

We may also analyse your Identity Data, Contact Data, Profile Data, and Marketing Data and Technical and Usage Data to form a view of services or offers that may be of interest to you so that we can then send you relevant marketing communications.

Third party marketing

We will get your express consent before we share your personal data with any third party for their own direct marketing purposes.

Opting out of marketing

You can ask to stop sending you marketing communications at any time by opting out in the settings in your account or by using the unsubscribe link included in our marketing emails.

If you opt out of receiving marketing communications, you will still receive non-marketing communications that are essential for administrative, legal or customer service purposes.

8. Disclosure of your personal data

Your personal data may, for the purposes set out in this Privacy Policy, be disclosed for processing to:

• our suppliers, business partners and subcontractors, including technical subcontractors who provide us with hosting and analytics services, database and authentication services, payment processing, rate limiting and error monitoring. For example, we use Vercel Analytics to collect anonymous usage data (only with your consent), sentry.io to process Error Logs on our behalf, AWS SES to send transactional and marketing emails, and Upstash Redis to process rate limiting data (including IP addresses, which expire automatically after a short period);
• our legal and other professional advisers;
• our service providers who may access your personal information when providing services to us;
• third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them;
• the Information Commissioner's Office and other regulators and authorities who require reporting of processing activities or disclosure of personal information in certain circumstances;
• the police, HMRC and any other law enforcement agency, regulator, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, to protect the rights, property or safety of Postcode Energy, our customers or others.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

In the event that Postcode Energy undergoes a merger, acquisition, or sale of all or part of its business or assets, we may disclose your personal data to the prospective or actual buyer, successor, or relevant third parties as necessary for the purposes of the transaction and subject to appropriate confidentiality protections.

9. International transfers

Whenever we transfer your personal data internationally to countries whose privacy laws do not offer an adequate, substantially similar or otherwise sufficient level of protection required under the applicable laws of England and Wales, we will ensure that a similar degree of protection is afforded by implementing appropriate safeguards. These may include:

• entering into contractual agreements that impose strict data privacy and security obligations (e.g. the European Commission's Standard Contractual Clauses or the International Data Transfer Addendum to the European Commission's Standard Contractual Clauses). You may request a copy of these safeguards by contacting us at privacy@postcode.energy;
• applying technical and organisational security measures (such as encryption, access controls, and data minimisation protocols);
• conducting data transfer risk assessments or legal evaluations, where required under applicable laws; and/or
• ensuring compliance with US transfer regulations; or
• relying on the explicit consent of the individual, where permitted or required under relevant law.

10. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know, and are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

However, please be aware that communications over the internet, such as emails, are not secure unless they have been encrypted. We cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control.

11. Your rights in relation to your information

You can write to us at any time to obtain a copy of your information and to have any inaccuracies corrected. Please write to: privacy@postcode.energy.

You have the following rights under data protection laws in relation to your personal data:

• Access: you are entitled to be provided with a copy of the personal data we hold about you, and verify we are lawfully processing it.
• Deletion: you have the right to ask us to delete personal information we hold about you though please bear in mind that we may need to keep all or part of your data for specific legal reasons, which will be notified to you, if applicable, at the time of your request.
• Rectification: you are entitled to have any incomplete or inaccurate personal data corrected.
• Withdraw consent: where we collect and/or process your personal data for which you have provided consent, you have the right to withdraw your consent in relation to such processing.
• Restriction: under certain circumstances specified by data protection law, you have the right to request us to restrict the processing of your personal data, or we may restrict the processing of your data (e.g. if you claim your data is inaccurate, you object to the processing of your personal data and we are considering your request, if processing is unlawful and you oppose erasure and request restriction instead, etc.).
• Object: you have the right to object to our processing of your personal data based on: (i) our legitimate interests or the performance of a task in the public interest; (ii) direct marketing (including profiling); (iii) processing for purposes of scientific/historical research and statistics. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
• Portability: you have the right to request us to provide you with your personal data in a structured, commonly used and machine-readable form and to ask us to transmit the data directly to another organisation if this is technically feasible.

Requests must be made in writing to privacy@postcode.energy. Please provide us with your name and address when making any such request, along with brief details of the information of which you would like a copy or which you would like to be corrected (this helps us to locate more readily your data).

We may require proof of your identity before providing you with details of any personal data we may hold about you.

We may only request a reasonable fee from you when your request is manifestly unfounded or excessive or repetitive or we receive a request to provide further copies of the same information.

12. Cookies and other technologies

We use cookies and other similar technologies to distinguish you from other users of the Website. This helps us to provide you with a good experience when you browse our Website and allows us to improve our Website. For detailed information on these cookies, the way we use them and the purposes for which we use them, please see our cookie policy.

13. Changes to this Privacy Policy

We reserve the right to amend or modify this Privacy Policy and if we do so we will post the changes on our Website. It is your responsibility to check the Privacy Policy every time you submit information to us. Historic versions of this Privacy Policy can be obtained by contacting us.

If we make significant changes to this policy, and provided that you have provided us with your Contact Data, we will use reasonable endeavours to notify you by email.

14. Use of your personal information submitted to other apps or websites

The Services may include links to, or integrations with, third-party websites or services. We do not control and are not responsible for the content, availability, products or services of any third party. Your use of third-party services is governed by the relevant third party's terms and privacy policies. We are not responsible for the privacy policies and practices of other websites, even if you accessed the third party website using links from our Website, or any other part of the Services.

We recommend that you check the policy of each website or app you visit and contact the owner or operator of such website or app if you have concerns or questions.

15. Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances we anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes. In such case we may use this information indefinitely without further notice to you.

16. Complaints

You have the right to make a complaint at any time to the relevant regulator for data protection issues in your jurisdiction (which, in the United Kingdom is the Information Commissioner's Office, ico.org.uk). However, we would appreciate the chance to deal with your concerns before you approach them. Please contact us in the first instance by writing to privacy@postcode.energy.