Privacy Policy

Last updated: 03 March 2026  ·  Version 1.0

1. Who We Are

This Privacy Policy explains how [YOUR COMPANY NAME] ('we', 'us', or 'our') collects, uses, stores, and protects your personal data when you use our energy comparison website at https://heatpumptariffs.uk (the 'Site').

We are the data controller responsible for your personal data. You can contact us about any privacy matter using the details in Section 12.

ICO Registration: We are in the process of registering with the Information Commissioner's Office (ICO). Our registration number will be added here upon completion.

2. What Personal Data We Collect

2.1 Account Information

When you register on our Site, we collect: your full name, your email address, your password (stored in hashed form — never in plain text), and your Distribution Network Operator (DNO) region, selected by you to identify applicable energy tariffs in your area.

2.2 Energy Meter Reading Data

To provide our energy comparison service, we collect and store half-hourly (30-minute interval) smart meter readings that you upload manually, and half-hourly smart meter readings fetched automatically via your Bright app account (if you choose to connect it). We only hold meter reading data from 1 January 2025 onwards.

2.3 Bright App Integration

If you choose to connect your Bright app account, you will be asked to enter your Bright username and password. These credentials are transmitted securely over HTTPS and are stored temporarily solely for the purpose of authenticating with the Bright service. They are deleted as soon as an access token has been obtained. We do not use your Bright credentials for any other purpose.

Important: Because we temporarily store your Bright credentials, we apply strong encryption to protect them at rest. We strongly recommend using a unique password for your Bright account that you do not use elsewhere.

2.4 Communications Data

We may process your email address to send: password reset emails; notifications if your Bright app connection fails (only if you have opted in); and energy comparison results to your email address (only when you request this).

2.5 Referral and Supplier Data

When you click a referral link to a supplier's website, that link contains an identifier associated with our Site. Please review the relevant supplier's own privacy policy for details of how they process your data once you visit their site.

2.6 Technical and Usage Data

We may automatically collect certain technical data when you visit our Site, including your IP address, browser type and version, and pages visited.

⚠ Action required: Confirm which cookies/analytics your site uses and complete Section 8.

3. Our Lawful Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following lawful bases:

  • Contract — processing necessary to provide you with the energy comparison service you have registered for.
  • Consent — for optional notifications and cookie analytics, where you have given explicit consent.
  • Legitimate interests — for security monitoring and fraud prevention, where our interests do not override your rights.
  • Legal obligation — where we are required to process data by law.

4. How Long We Keep Your Data

  • Account data (name, email, DNO region): Retained for as long as your account is active.
  • Meter reading data: We hold data from 1 January 2025 onwards only.
  • Bright credentials: Stored temporarily during authentication only; deleted immediately once an access token has been obtained.
  • Bright access token: Deleted immediately upon revocation or account deletion.
  • Inactive accounts: If you do not log in for 180 consecutive days, your account and all associated personal data will be automatically and permanently deleted. We will send warning emails in advance of deletion.

5. Who We Share Your Data With

We do not sell your personal data. We may share your data only in the following circumstances:

  • Bright (Hildebrand Technology Ltd): Your Bright credentials are shared with Bright solely to authenticate your account. Bright is an independent data controller and their own privacy policy governs their processing.
  • Energy supplier partners: When you follow a referral link from our Site, the supplier receives a referral identifier linked to our account. No personal data from your profile is transmitted as part of this referral link.
  • Legal obligations: We may disclose your data where required by law, court order, or regulatory authority.

⚠ Action required: Name your email service provider and analytics provider here.

6. Your Rights Under UK GDPR

As a UK resident, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure — request deletion of your data. You may also delete your account directly through your account settings at any time.
  • Right to restrict processing — ask us to limit how we use your data in certain circumstances.
  • Right to data portability — request your data in a structured, machine-readable format.
  • Right to object — object to processing based on our legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.

To exercise any of these rights, contact us at [privacy@yourwebsite.co.uk]. We will respond within one calendar month. You also have the right to lodge a complaint with the ICO.

7. How We Protect Your Data

  • Passwords are stored using strong cryptographic hashing and are never held in plain text.
  • Bright credentials are encrypted at rest during the brief period they are held.
  • All data in transit is protected by TLS encryption (HTTPS).
  • Access to personal data is restricted to authorised personnel only.
  • Accounts and data are automatically purged after 180 days of inactivity.

8. Cookies

⚠ Action required: Complete this section once you have decided on your cookie/analytics setup. Document essential session cookies and any analytics cookies. If using Google Analytics, a cookie consent banner compliant with UK PECR is required.

We use essential cookies strictly necessary for the Site to function (for example, keeping you logged in). We will only set non-essential cookies with your explicit consent.

9. Minimum Age

⚠ Action required: Energy supply contracts are legally binding and can only be entered into by adults (18+). We strongly recommend confirming a minimum age of 18 before going live.

Our services relate to energy supply contracts. We do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

10. Third-Party Links

Our Site contains referral links to energy supplier websites. Once you leave our Site via such a link, this Privacy Policy no longer applies. We encourage you to read the privacy policies of any third-party sites before providing personal data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the 'Last updated' date at the top of this document.

12. Contact Us

Email: [privacy@yourwebsite.co.uk]
Post: [Your Company Name, Address, Town, Postcode]
ICO: ico.org.uk  ·  0303 123 1113

Terms & Conditions Create an Account