Privacy Policy
Data Controller: Etheco Ltd | UK Company No: 12815916
ICO Registration No: ZC096325
Data Protection Officer: dpo@etheco.com
Registered Address: 175b Reculver Road, Herne Bay, Kent, England, CT6 6PY, United Kingdom
1. Who We Are and How to Contact Us
Etheco is an ethical consumer information and switching platform operated by Etheco Ltd, a company registered in England and Wales (company number 12815916) with its registered office at 175b Reculver Road, Herne Bay, Kent, England, CT6 6PY, United Kingdom.
We are the data controller for personal data collected through our website at etheco.com and related services. As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring we comply with UK data protection law.
1.1 Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our approach to data protection and is your primary point of contact for all data protection matters.
You can contact our DPO directly:
- Email: dpo@etheco.com
- Post: Data Protection Officer, Etheco Ltd, 175b Reculver Road, Herne Bay, Kent, England, CT6 6PY, United Kingdom
We are registered with the Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority. Our ICO registration number is ZC096325. You can verify our registration at ico.org.uk/esdwebpages/search.
2. What This Policy Covers
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you:
- visit and browse the Etheco website;
- create an account with us;
- sign up to receive marketing communications or newsletters;
- use our comparison, switching, or referral services;
- contact us directly by email, phone, or post;
- interact with us on social media.
This policy is written in plain English in line with ICO transparency guidance. Where we use legal terms, we explain what they mean. We review this policy at least annually and whenever our processing activities materially change.
3. Our Data Protection Principles
We process personal data in accordance with the seven data protection principles set out in the UK GDPR. In practice this means we:
- only collect data for specified, explicit, and legitimate purposes (purpose limitation);
- only collect data that is adequate, relevant, and limited to what is necessary (data minimisation);
- keep data accurate and, where necessary, up to date (accuracy);
- only retain data for as long as necessary (storage limitation);
- protect data using appropriate technical and organisational security measures (integrity and confidentiality);
- process data lawfully, fairly, and transparently (lawfulness, fairness, and transparency);
- take responsibility for demonstrating compliance (accountability).
We apply the principle of privacy by design — meaning data protection is built into our systems and processes from the outset, not added as an afterthought. Where a new processing activity is likely to pose a high risk to individuals’ rights and freedoms, we carry out a Data Protection Impact Assessment (DPIA) before commencing processing. Our DPO is consulted as part of that process.
We maintain a Record of Processing Activities (ROPA) as required by Article 30 UK GDPR. The ROPA is available for inspection by the ICO upon request.
4. The Personal Data We Collect
4.1 Data You Provide Directly
- Identity data: your name;
- Contact data: email address, postal address;
- Account data: username, encrypted password, account preferences and settings;
- Marketing preferences: your opt-in choices, the timestamp and mechanism of consent, and any subsequent changes;
- Communications data: the content and metadata of any messages or enquiries you send us;
- Switching data: information you share when using our switching services, such as current provider, postcode, or usage information. We do not directly collect bank account numbers, sort codes, payment card details, or government-issued identity numbers.
4.2 Data We Collect Automatically
- Technical data: IP address, browser type and version, device type and operating system, screen resolution;
- Usage data: pages visited, time on page, links clicked, referring URL, search terms used on our site;
- Cookie and tracking data: see Section 12 (Cookies) for full details.
4.3 Data From Third Parties
- Analytics providers (e.g. Google Analytics): aggregated and pseudonymised usage statistics;
- Affiliate and switching networks: confirmation that a click-through, sign-up, or switch was completed;
- Social media platforms: if you interact with our social pages or use social login, we may receive basic profile information from that platform. Where a platform acts as a joint controller, their privacy policy also applies to that processing.
4.4 Special Category Data
We do not intentionally collect special category data (which includes data about health, biometrics, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation, or criminal convictions). Please do not submit such information to us.
If special category data is inadvertently received — for example, in a free-text message — we will delete it unless we have a clear lawful basis to retain it. Our DPO can advise on such situations.
5. How and Why We Use Your Data
We only process your personal data where we have a valid legal basis under UK GDPR. The table below sets out each processing purpose, the data involved, and the basis we rely on.
| Purpose | Data Used | Legal Basis | Can You Object? |
|---|---|---|---|
| Creating and managing your account; providing ratings, content and information. | Identity, contact, account data. | Contract (Art. 6(1)(b)): necessary to perform our agreement with you. | No — essential to the service. |
| Sending marketing emails and communications where you have opted in. | Identity, contact, marketing preference data. | Consent (Art. 6(1)(a)) + PECR s.22: explicit opt-in required. | Yes — withdraw consent at any time. |
| Sending service/transactional communications (account alerts, policy updates, security notices). | Identity, contact, account data. | Contract / Legitimate interests (Art. 6(1)(b)/(f)): necessary to maintain the service. | No — non-marketing service messages. |
| Website analytics and service improvement. | Technical, usage, cookie data. | Legitimate interests (Art. 6(1)(f)). LIA documented, available on request from DPO. | Yes — right to object applies. |
| Fraud prevention and platform security. | Technical, account, usage data. | Legitimate interests (Art. 6(1)(f)): necessary to protect users and the platform. | Limited — serious security exceptions apply. |
| Complying with legal obligations (e.g. responding to lawful authority requests). | As required by the relevant obligation. | Legal obligation (Art. 6(1)(c)). | No — legally required. |
| Tracking affiliate referrals and commission attribution. | Technical data (click ID, pseudonymous identifier). | Legitimate interests (Art. 6(1)(f)). LIA documented, available on request from DPO. | Yes — right to object applies. |
5.1 Legitimate Interests Assessments
Where we rely on legitimate interests as our legal basis, we carry out and document a Legitimate Interests Assessment (LIA) to ensure our interests are not overridden by your fundamental rights and freedoms. Our LIAs are maintained by the DPO and are available upon written request at dpo@etheco.com.
5.2 Marketing — PECR Compliance
In addition to UK GDPR, sending electronic marketing communications (including email and SMS) is regulated by the Privacy and Electronic Communications Regulations 2003 (PECR). We will only send marketing emails where:
- you have given us prior, freely given, specific, informed, and unambiguous consent (opt-in);
OR
- you are an existing customer who has purchased or enquired about a similar product or service, you were given the opportunity to opt out at the time of collection, and you have not subsequently opted out (the ‘soft opt-in’ exception under PECR Regulation 22(3)).
We record the date, time, mechanism, and source of your consent and do not infer consent from inaction or pre-ticked boxes. We do not use third-party purchased marketing lists. You can withdraw consent at any time via the unsubscribe link in any marketing email or by contacting dpo@etheco.com.
6. Sharing Your Data
We do not sell, rent, or trade your personal data. We share your data only in the following circumstances.
6.1 Data Processors
We engage third-party service providers who process personal data on our behalf as data processors. All processors are subject to written Article 28 UK GDPR-compliant data processing agreements, which restrict how they may use your data, require appropriate security measures, and prohibit sub-processing without our prior written consent. Our current processor categories include:
- cloud hosting and infrastructure providers;
- email service providers (for marketing and transactional emails);
- analytics and performance monitoring platforms;
- customer support and communication tools;
- affiliate and switching network platforms.
6.2 Affiliate and Switching Partners
When you click through to a third-party provider from our platform, a pseudonymous click identifier is shared with the affiliate network to enable commission tracking. This does not include your name, email address, or Etheco account details. If you proceed with a switch, the third-party provider becomes an independent data controller in relation to the data you provide them, and their own privacy policy governs that processing.
6.3 Joint Controllers
Where we use social media platforms’ features (such as embedded content or social login), those platforms may process your data as joint controllers with us. In such cases, we will make the joint controller arrangement clear at the point of interaction.
6.4 Legal Disclosure
We may disclose personal data where required to do so by applicable law, court order, or to cooperate with regulatory or law enforcement authorities acting within their legal powers. We will only disclose the minimum data necessary and will, where legally permissible, notify affected individuals.
6.5 Business Transfers
If Etheco undergoes a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction. We will notify you of any such transfer before it takes effect and before your data becomes subject to a materially different privacy policy.
7. International Data Transfers
We aim to process and store personal data within the UK. Where we use processors or sub-processors located outside the UK or the EEA, we ensure appropriate safeguards are in place before any transfer takes place. These safeguards may include:
- an adequacy decision by the UK Government confirming the destination country provides an essentially equivalent level of protection;
- a UK International Data Transfer Agreement (IDTA) or an International Data Transfer Addendum to the EU Standard Contractual Clauses; or
- binding corporate rules or other approved transfer mechanisms.
Where required, we also conduct a Transfer Impact Assessment (TIA) to evaluate whether the legal and factual conditions in the destination country allow the transfer mechanism to be effective in practice. Our DPO maintains a record of all international transfer arrangements.
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data. These rights can be exercised at any time, free of charge, by contacting our DPO at dpo@etheco.com.
8.1 Right of Access (Subject Access Request)
You have the right to request a copy of the personal data we hold about you and information about how we process it. We will respond within one calendar month of receiving a valid request. Where requests are complex or numerous, we may extend this by up to a further two months, but we will notify you of the extension within the first month and explain the reason.
8.2 Right to Rectification
You can ask us to correct personal data that is inaccurate or to complete data that is incomplete.
8.3 Right to Erasure
You can ask us to delete your personal data where, for example, the data is no longer necessary for the purposes it was collected, you withdraw consent, or you successfully object to processing. This right is not absolute and does not apply where we have a legal obligation or legitimate interest that overrides it.
8.4 Right to Restrict Processing
You can ask us to pause or limit processing of your personal data in certain circumstances, for example while we investigate a rectification request or pending the outcome of an objection.
8.5 Right to Data Portability
Where processing is based on consent or contract and is carried out by automated means, you can ask us to provide your personal data in a structured, commonly used, machine-readable format (e.g. CSV or JSON). Where technically feasible, you can ask us to transmit it directly to another controller.
8.6 Right to Object
You have the right to object at any time to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an absolute right to object to processing for direct marketing purposes at any time, with no exceptions.
8.7 Right to Withdraw Consent
Where processing is based on consent (including for marketing), you can withdraw it at any time.
Withdrawal does not affect the lawfulness of processing that took place before withdrawal.
8.8 Rights Relating to Automated Decision-Making
We do not use solely automated decision-making that produces legal or similarly significant effects on individuals. Our company ratings are applied editorially and reflect human judgement. If we introduce any automated decision-making of this kind in future, we will update this policy and take all steps required by UK GDPR Article 22.
8.9 How to Exercise Your Rights
Contact our DPO: dpo@etheco.com. We will acknowledge your request within 5 business days and respond in full within one calendar month. We may need to verify your identity before processing your request.
8.10 Right to Complain
You have the right to lodge a complaint with the ICO at any time — you do not need to raise it with us first, though we welcome the opportunity to address concerns directly.
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our data retention schedule is maintained by the DPO and is reviewed annually. Key retention periods are set out below.
- Account and identity data: retained for the duration of your account and for 6 years following account closure, to enable us to respond to queries, handle disputes, and comply with our legal and contractual obligations (Limitation Act 1980).
- Marketing consent records: retained for the period of the marketing relationship plus 3 years, to demonstrate PECR compliance and to handle any challenge to our consent records.
- Communications (emails, enquiries): 3 years from the date of last contact, for the purpose of handling follow-up queries and legal claims.
- Analytics data: pseudonymised and aggregated where possible; identifiable session data retained for no more than 14 months (in line with Google Analytics best practice and ICO guidance).
- Security and access logs: 12 months from collection, for the purpose of incident investigation and platform security. Logs relating to a confirmed security incident may be retained for up to 6 years.
- Affiliate and switching data: 6 years from transaction completion, in line with standard commercial limitation periods.
When retention periods expire, data is securely deleted or irreversibly anonymised. Our DPO oversees the implementation of our data retention schedule.
10. Data Security
10.1 Technical and Organisational Measures
We implement appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Our current measures include, but are not limited to:
- encryption of data in transit using TLS 1.2 or higher (HTTPS enforced across all pages);
- encryption of personal data at rest where technically appropriate and proportionate;
- role-based access control and the principle of least privilege for all internal system access;
- multi-factor authentication required for all staff accessing systems containing personal data;
- regular vulnerability assessments and periodic penetration testing by qualified third parties;
- a patch management process to address known security vulnerabilities within agreed timeframes;
- documented incident response procedures, including a Data Breach Response Plan;
- data protection and security awareness training for all staff at induction and annually thereafter;
- secure deletion procedures for data that has reached the end of its retention period;
- supplier security assessments as part of our procurement and processor management process.
10.2 Limitations
No method of transmitting or storing data electronically can be guaranteed to be completely secure. While we take our security obligations seriously and maintain measures proportionate to the risks involved, we cannot give an absolute assurance that data transmitted to us will never be intercepted. You should take appropriate steps to protect your own account credentials and devices.
10.3 Personal Data Breaches
We operate a documented Data Breach Response Plan. In the event of a personal data breach:
- All actual or suspected breaches are logged in our internal breach register, regardless of severity, as required by Article 33(5) UK GDPR.
- Where a breach is likely to result in a risk to individuals’ rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, as required by Article 33 UK GDPR.
- Where a breach is likely to result in a high risk to individuals’ rights and freedoms, we will notify affected individuals directly, without undue delay, as required by Article 34 UK GDPR.
- Our DPO leads the breach response process and is responsible for making risk assessments and notification decisions.
10.4 Vulnerability Disclosure
If you discover a potential security vulnerability on our platform, we ask that you report it responsibly to our DPO at dpo@etheco.com before any public disclosure. We will acknowledge receipt within 5 business days and work to assess and remediate any confirmed vulnerability promptly. We will not take legal action against security researchers who disclose vulnerabilities to us in good faith and in accordance with this responsible disclosure principle.
11. Children’s Privacy
Our Service is intended for adults only. We do not knowingly collect personal data from anyone under the age of 18. Our sign-up process includes an age confirmation step. If you are a parent or guardian and believe your child has submitted personal data to us, please contact dpo@etheco.com and we will promptly delete the data.
12. Cookies and Similar Technologies
12.1 What Are Cookies?
Cookies are small text files stored on your device by websites you visit. Similar technologies include web beacons, pixels, local storage, and session storage. We refer to these collectively as ‘cookies’ in this section.
12.2 Cookies We Use
- Strictly necessary cookies: Required for core website functionality (e.g. session management, load balancing, CSRF protection). These do not require your consent and cannot be disabled through our preference centre, though you can block them via your browser settings (which may break the website).
- Analytics and performance cookies: Help us understand how visitors interact with our site (e.g. Google Analytics, privacy-enhanced mode). These are only placed with your explicit consent. If you decline, the site continues to function normally.
- Functional cookies: Enable enhanced functionality such as remembering your display preferences. Only placed with your consent.
- Marketing and targeting cookies: We do not currently use marketing or targeting cookies. If we introduce them in future, this policy will be updated and fresh consent will be sought.
12.3 Your Cookie Choices
When you first visit our website, a cookie consent banner will appear. In line with ICO guidance:
- Rejecting non-essential cookies is as easy as accepting them — both options are equally prominent.
- Closing the banner or scrolling past it does not constitute consent.
- No non-essential cookies are set before you make a positive choice to accept them.
- The website works fully without non-essential cookies — refusing cookies will not degrade your core experience.
You can change your cookie preferences at any time using the button below, or by adjusting your browser settings. Note that deleting cookies via your browser does not remove your stored preference — please use our preference centre for this.
13. Links to Third-Party Websites
Our platform contains links to third-party websites and services. This Privacy Policy applies only to our own data processing. We have no control over third-party privacy practices and accept no responsibility for them. We encourage you to read the privacy policy of any third-party site you visit.
14. Changes to This Policy
We review this Privacy Policy at least annually and may update it to reflect changes to our processing activities, our Service, or applicable law. Where changes are material, we will notify you by email (where you have an account) and by posting a prominent notice on our website. The updated policy will take effect on the date indicated in the ‘Last updated’ field above.
If you disagree with the updated policy and the changes relate to processing for which consent was the lawful basis, you can withdraw your consent and, where relevant, delete your account.
Your statutory rights are not affected.
15. Contact Us
For any question, concern, or data rights request relating to this Privacy Policy or our data processing:
Data Protection Officer
Email: dpo@etheco.com
Post: The Data Protection Officer, Etheco Ltd, 175b Reculver Road, Herne Bay, Kent, England, CT6 6PY, United Kingdom
General enquiries: hello@etheco.com | etheco.com
ICO Registration: ZC096325 | ico.org.uk
