- what information we collect;
- how we use that information;
- how this information is shared;
- your rights; and
- other useful privacy and security related matters.
We hope you take the time to read this policy as it is important you understand how we collect, store and use your data for the purpose it was collected. Please note if we make changes which we consider to be important, the date on which the change has been made will be recorded at the end of this policy and the change will be effective from that date onwards.
Data Controller or Data Processor?
Where it is stated in the footer of the page that this website is ‘Powered by Bright Utilities’ then the Data Controller is Bright Utilities. Where it is stated that the website you are on is powered by another party other than Bright Utilities then that party is the Data Controller and we are the Data Processor. Please note as a Data Processor we will still collect, store and transfer your personal data but this will be under instruction from the Data Controller.
Data Protection Officer?
While we are not required to have a Data Protection Officer, we have taken the decision to appoint a named party within our organisation as the DPO. If you have any questions relating to GDPR or data protection in general, please send your question(s) or data request to our DPO at email@example.com. Please note all data related issues should be sent to our DPO and not our Customer Service team. Please see ‘Your Rights’ section below in order to understand your data protection rights.
Information we collect
When you use our Services, we collect the following types of information:
Information you provide us:
We collect and store the information to enter into our software platforms. We use this information in order to help progress a supply application to the supplier of your choosing as a result of you using our Services. The information collected may include both sensitive and personal data which could be but is not limited to your name, postal address, e-mail address, phone number, bank details and any other details as may be required by one of our supplier or broker partners in order to help facilitate your energy switch.
We may also collect information from you if you contact or request information or customer support.
Additional Information collected:
We may collect the following additional information:
- your registered consent to receive marketing correspondence or application specific communications;
- your name and contact details if you contact us or participate in a survey, contest or promotion;
- details such as metering data, location data and other personal data (including IP address and browser type) collected by your availing of the Services;
- device information including unique device identifier;
- information and communications on forums on the websites, including chat rooms and message boards, profile comments and chat messaging or other users;
- your bank details including account name holder, account number, sort code and bank location;
- your communications, including email correspondence, telephone or Live Chat conversations – either to request support to complete transfers or to request status updates regarding applications or other general conversations;
- your response to marketing campaigns from us or through our third parties i.e. open/click on such emails;
- your social media profile details (name, profile photo and other information you make available to us) when you connect with or contact us through a social media account;
- information derived based on profiling activity (see below); and
- information from third party databases to comply with our legal and regulatory obligations.
Third Party and Publicly Available Sources
Not all the personal information we hold about you will always come directly from you. We may also collect information from third parties such as our partners, service providers and publicly available websites (i.e. social media platforms), to comply with our legal and regulatory obligations, offer Services we think may be of interest, to help us maintain data accuracy and provide and enhance the Services.
How do we use this information
We process personal information in order to display supply options and to facilitate the progression of a supply switch to a supplier of your choosing. Your information is more specifically used as follows:
- Personalisation: We use personal information to deliver and suggest tailored content to personalise your experience with our Services. This is processing which is necessary for the purpose of our legitimate interests in delivering or presenting relevant content to our customers.
- Marketing and events: Subject to any preferences you have expressed (where applicable), we use personal information to deliver marketing and event communications to you across various platforms, such as email, telephone, text messaging, direct mail, online, push notification or otherwise. We will do this, unless specifically instructed otherwise by you, for a reasonable period of time after your switch contracted period has come to an end. The reason for this is that we would like to inform you about products, services, promotions and special offers which we think may be of interest to you.
If we send you a marketing email or SMS, it will include instructions on how to opt out of receiving these marketing communications in the future. Please allow up to 48 hours for any changes you make to your marketing preferences to be fully processed. Please remember that even if you opt out of receiving marketing emails, we may still send you important Service information related to your supply application.
We will, from time to time, send you marketing material which may be of particular interest to you based upon your behaviours, activity, trends and interests. These marketing messages will provide you with information about the products, services, active promotions or offers available to you by any company within the Group and information about products and services provided by our selected partners and third parties. Except where we use your personal data for marketing purposes on the basis of your prior written consent and subject to any opt out preferences you notify to us in respect of electronic direct marketing communications, we process personal data for marketing purposes as necessary for the purpose of our legitimate interests in promoting our products and services.
Please note we may also publish the personal details of winners of promotions or prizes received, on our websites in accordance with our legitimate interests.
- Risk Management: In order to provide the Services to you and for our legitimate purposes, we process personal data to evaluate and manage risks to our business.
- Show and measure ads and Services: We use a combination of information collected such as advertising cookies, your email address and your onsite activity to show you targeted and relevant advertisement on a selection of whitelisted websites across the world wide web and social media websites. This information can also be used to measure and analyse the effectiveness and reach of these ads, to help us improve and refine our marketing strategy in accordance with our legitimate interests.
- Surveys and polls: If you choose to participate in a survey or poll, any personal information you provide may be used for marketing or market research purposes in accordance with our legitimate interests.
- Diagnostics, research and development: We use personal information for internal research and development purposes, to help diagnose system problems, to administer our websites, to improve and test the features and functions of our Services, to develop new content, products and services, and to carry out testing and analysis. This processing is necessary for the purpose of our legitimate interests.
- Legal and regulatory obligations: We may be required to use and retain personal information for legal and compliance reasons, such as the prevention, detection, or investigation of a crime or fraud. We may also use personal information to meet our internal and external audit requirements, information security purposes, and as we otherwise believe to be necessary or appropriate: (a) under applicable law, which may include laws outside your country of residence; and (b) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence.
- Profiling: In accordance with our legitimate interests detailed below or to comply with our legal obligations, we carry out profiling and analysis based upon your location data, product selection and application activity and behaviours for the following purposes:
- Customer segmentation to offer you tailored products and services, and more relevant marketing. For example, if you are a small energy consumer or large energy consumer, we will aim to primarily send you marketing material related to products or services suiting your business size;
- Risk and trading analysis; and
- Licensing and legal obligations i.e. prevention of fraud.
- Other purposes: We may be required to use and retain personal information for loss prevention and to protect our rights, privacy, safety, or property, or those of other persons in accordance with our legitimate interests.
How is your information shared
Your personal information may be transferred or disclosed to any company within the Group, to suppliers or to third parties in order to fulfil the Purpose as defined. Any transfer of your personal data will be in compliance with the General Data Protection Regulation (GDPR).
Our third-party service providers & partners:
The Group will pass your information to an approved energy supplier. We may also, from time to time, retain trusted third parties to process your information to provide us with services globally, including for customer support, information technology, payments, sales, marketing, data analysis, research and surveys. As part of our agreements with our partners, we may be required to share your information for the purposes of calculating fees and benefits owed.
Third parties for legal reasons:
We will share personal information when we believe it is required, such as:
- To comply with legal obligations and respond to requests from government agencies, including law enforcement and other public authorities, which may include such authorities outside your country of residence;
- In the event of a merger, sale, restructure, acquisition, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings); and
- To protect our rights, users, systems, and Services.
Your personal information may be disclosed to any regulatory or industry associations (with whom the Group has agreements (Memoranda of Understanding or “MOUs”) for the sharing of such data) in connection with policing the integrity or enforcing the rules of the energy regulator and/or the detection of crime and where the Group considers that there are reasonable grounds to suspect that you may be involved in a breach of such rules or the law, have knowledge of a breach of such rules or the law or otherwise pose a threat to the integrity of our business based upon our assessment of your activities on our websites or it may be based on information provided to us by a regulatory body or respect third party. Please note the regulator or other authority may then use your personal information to investigate and act on any such breaches in accordance with their procedures.
Your Rights
Under the General Data Protection Regulation, you, as a data subject, have a number of rights which are detailed below. Some of these only apply in specific circumstances and are qualified in several respects by exemptions in data protection legislation. We will advise you in our response to your request if we are relying on any such exemptions.
- Access to personal data: You have a right to request a copy of the personal information that we hold about you.
You will be required to provide adequate information to identify yourself and such other relevant information that will reasonably assist us in fulfilling your request. Your access will be provided with immediate effect subject to the required information being provided.
- Correction of personal data: You can request us to rectify and correct any personal data that we are processing about you which is incorrect.
- Right to withdraw consent: Where we have relied upon your consent to process your personal data, you have the right to withdraw that consent.
- To opt out of marketing, you can use the unsubscribe link found in the marketing communication you receive from us. Alternatively, you can send an email to our customer services team on the email stated above confirming that you would like your information removed from all marketing.
- Right of erasure: You can request us to erase your personal data where there is no compelling reason to continue processing. This right only applies in certain circumstances; it is not a guaranteed or absolute right. Please note in all cases we retain the right to hold a footprint of your application details in order to meet our legal obligations or to meet third party audit requirements.
- Right to data portability: This right allows you to obtain your personal data that you have provided to us with your consent or which was necessary for us to provide you with our products and services in a format which enables you to transfer that personal data to another organisation. You may have the right to have your personal data transferred by us directly to the other organisation, if this is technically feasible.
- Right to restrict processing of personal data: You have the right in certain circumstances to request that we suspend our processing of your personal data. Where we suspend our processing of your personal data, we will still be permitted to store your personal data, but any other processing of this information will require your consent, subject to certain exemptions.
- Right to object to processing of personal data: You have the right to object to our use of your personal data which is processed on the basis of our legitimate interests. However, we may continue to process your personal data, despite your objection, where there are compelling legitimate grounds to do so or we need to process your personal data in connection with any legal claims.
- Rights relating to automated decision making and profiling: You have the right not to be subject to a decision which is based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you. This right means you can request that we involve one of our employees or representatives in the decision-making process. We are satisfied that we do not make automated decisions of this nature.
How to contact us
For any requests related to your personal information or any of your rights referenced above, please feel free to contact our Data Protection Officer
By email: firstname.lastname@example.org
By Phone: 0844 502 5052
Filing a complaint
Please note if you are not satisfied with how we manage your personal data, you have a right to make a complaint to your local Data Protection Authority. In the UK the authority is the Information Commissioner’s Office and contact details can be obtained at https://ico.org.uk/
Other useful privacy & data security related matters
Where we are the Data Controller, we will undertake to retain your ‘Personal Data’ as follows:
Where data is considered ‘Sensitive Data’ which includes information that could be used to cause you personal loss, including but not limited to such data as your date of birth and bank details; we will delete this type of information from our servers within 1 month of that data being transferred to the supplier in fulfilment of the Purpose as previously stated.
In respect to all other ‘Personal Data’ as defined within GDPR, we will retain personal information for as long as we reasonably require it for legal or business purposes. For the unregulated jurisdictions in which we operate, and subject to us not having a legal or regulatory requirement or a risk management reason for retaining your information for a longer period, your information will not be kept for longer than 1 year beyond your new supply contract end date. If you do not switch supply using one of our Services, then we will delete your information 1 year following the date of your last use of our website(s). Please note that we may be required in certain circumstances to retain your information indefinitely (for example as a result of a court order). We will take all necessary steps to ensure that the privacy of information is maintained for the period of retention.
We recognise that online security and data protection is an area of vital importance for all our customers, so it is important to us that you have confidence in the security of your personal details before you use our Services. We are committed to employing security measures to protect your information from access by unauthorised persons and to prevent accidental or unlawful processing, disclosure, destruction, loss, alteration and damage. Our technological security solutions are very advanced and are governed by a mature framework. Our approach is focused on preventing risks. In order to help us in this regard, we employ pseudonymization and encryption whenever possible to reduce the impact of any potential incidents. As the security of some communications via the internet is not completely secure, we cannot guarantee the security of any information that you disclose using your internet connection. You accept the inherent security implications of using the internet and the Group will accept no liability for any direct, consequential, incidental, indirect, or punitive losses or damages arising out of such an occurrence.