1.Introduction

We respect your privacy and are committed to protecting your personal data and your right to privacy. This Privacy Notice sets out how we process your personal data.

Pozitive Planet Ltd is a company registered in England & Wales (registration number 13153065) with a registered office at The Octagon, 27 Middleborough, Colchester, CO1 1TG. Pozitive Planet Ltd is made up of different legal entities, details of which can be found here, using the brand name of “Pozitive Planet”. This Privacy Notice is issued on behalf of Pozitive Planet Ltd and applies to each legal entity using the brand name of “Pozitive Planet”. When we mention “Pozitive Planet”, “we”, “us” or “our” in this Privacy Notice, we mean each relevant legal entity processing your personal data. We will let you know which entity will be the controller for your data when you purchase a service from or through us. Pozitive Planet Ltd is the controller and responsible for this website and the group as a whole and has registered with the Information Commissioner’s Office under number ZB228792. The various other Pozitive Planet entities have registered too and for details of the other registrations click here.

We have appointed a Data Protection Manager who is responsible for overseeing questions in relation to this Privacy Notice and our controlling and processing of data. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact us using the details set out below, click here.

Pozitive Planet provides business services to customers. The personal data we process is used to manage our commercial relationship with you, comply with legal obligations and pursue our legitimate business interests. This website and our products and services are not intended for children, and we do not knowingly collect data relating to children.

Any changes we may make to this Privacy Notice will be updated on our website and, where appropriate, notified to you in writing.

2. What data we hold?

We will only ask for information that we need. We collect personal data to be able to provide our products and services to you. Where necessary, we will also collect personal data from others associated with you, for example if they are a beneficiary of the service e.g. your employees. By giving us information about someone else for the purpose of arranging the service, you confirm that you have their permission to do so and that you have shared this Privacy Notice with them.

We collect, use, store and transfer different kinds of personal data about you, depending on the service(s) we provide to you. We have grouped the data together as follows:

• Identity Data includes first name, last name, title, gender, date of birth, identification numbers including copies of your passport, visa, driving licence, home address, personal telephone number, personal e-mail address, meter point details, device details.
• Contact Data includes billing address, business e-mail address and business telephone numbers.
• Financial Data includes bank account, payment card details.
• Transaction Data includes details about payments to and from you, other details of services you have purchased from us and who you make contact with and who contacts you.
• Technical Data includes Internet Protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website. We collect this personal data by using cookies, server logs and other similar technologies. Please see our cookie policy click here. for further details.
• Profile Data includes your username and password, your interests, preferences, feedback and survey responses.
• Usage Data includes information about how you use our website, products and services.
• Marketing and Communications Data includes your preferences in receiving marketing from us.
• Other Personal Data includes personal data you otherwise voluntarily provide, for example when corresponding in writing (including via email or other electronic means), in meetings or during phone conversations or entered into any of our websites.

The majority of the personal data provided by you is mandatory in order for us to administer the client relationship and perform our obligations under our contract(s) with you and/or comply with statutory requirements relating to the services we provide to you. Failure to provide mandatory personal data may affect our ability to perform the service and potentially affect your ongoing client relationship with us.

We take the security of personal data very seriously. We have administrative, physical and technical safeguards in place to protect personal data against unlawful or unauthorised processing, or accidental loss or damage. We will ensure, where personal data are processed that:

a) The processing is recorded, and the record sets out, where possible, a suitable time period for the safe and permanent erasure of the different categories of data in accordance with our Data Retention Policy.

b) Where we no longer require Personal Data for the purpose for which it was collected, we will delete it or render it permanently anonymous as soon as possible.

c) Where records are destroyed we will ensure that they are safely and permanently disposed of. The list set out above is not exhaustive, and there may be other personal data which we may collect, store and use in the context of the client relationship.

3. Where do we get it from?

The majority of the personal data which we process is collected directly from you. Your information is made up of all the financial and personal information we collect and hold about you/your business and the proprietors, officers and beneficial owners of that business and your transactions. It includes:

• information you give us when you contact us directly by phone or email, or when you use our website, including our customer portal
• information that we receive from third parties – including third parties who provide services to you and us, credit reference, fraud prevention or government agencies and financial institutions (where permitted by law);
• information that we learn about you through our relationships with you and the way you operate your account/or services;
• information that we gather from the technology which you use to access our services (for example an IP address or telephone number) and how you use it; and
• information that we gather from publicly available sources, such as the press, the electoral register, company registers and online search engines.

3.1. Credit reference and fraud prevention considerations

Before we provide services to you, we undertake checks for the purposes of preventing fraud and money laundering and to verify your identity. These checks require us to process personal data about you.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address.

In order to process your application, we will supply your personal data to Credit Reference Agencies (CRA) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

We also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at http://www.experian.co.uk/crain/index.html.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws and meet the regulatory requirements that apply to us. Such processing is also a contractual requirement of the goods and services we offer.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

3.2. Automated Decisions

As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision-making, so if you want to know more please contact us on the details below click here.

3.3. Consequences of Processing

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services you have requested or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details below click here.

3.4. Data Transfers

Whenever fraud prevention agencies transfer your personal data outside UK and the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the UK and the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

4. What we use your data for?

We require your personal data to provide you with services in accordance with the contract between us (which may deem to occur under law). That means we only request as much information from you as we need to carry out the activity you have requested or to enable us to carry out commercial transactions and to administer your account.

We process your personal data to comply with legal obligations in connection with the services we provide, any applicable industry codes and licences and to prevent and reduce fraud and other financial crime.

Your personal data may be used to pursue our legitimate business interests, provided that your legal rights do not override those interests. For example, to improve our service or let you know about other services we offer.

Your data will be anonymised when we use it to test, develop and improve our services.

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We believe you will be interested in receiving information about the other businesses which are part of Pozitive Planet businesses and the synergies and efficiencies that this could bring to your business.

Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving that marketing.

5. Who we pass your personal data to

Your personal data may be shared with third parties to fulfil part of the contract between us and them to enable us to provide the services to you and to comply with legal obligations:

• Other companies in the Pozitive Planet group acting as joint controllers or processors and who are based in the UK and in India, listed here, and provide you with specified services, or provide us with IT and system administration services and undertake leadership reporting.
• CRAs, law enforcement agencies, fraud prevention agencies, judicial bodies or tax authorities;
• Government entities, authorities, regulatory and industry bodies. For example:

• • purpose of monitoring the performance of a task carried out in the public interest we to share your personal data with Department of Business, Energy and Industrial Strategy (BEIS) to enable BEIS to monitor the delivery of the Energy Bills Support Scheme and evaluate the success of the scheme. The way in which BEIS will us your personal data is described in their Privacy Notice at https://www.gov.uk/government/publications/electricity-meter-data-collected-through-the-energy-bills-support-scheme-privacy-notice/use-of-electricity-meter-data-collected-through-the-energy-bills-support-scheme-privacy-notice.
  • to comply with legal obligations, we supply information about customers who benefit from the Feed-in Tariff or Smart Export Guarantee to Ofgem, we provide meter point data of customers who we supply energy to, to the Retail Energy Code Company, and we provide meter point data of customers who have received a government discount on their energy bill, to BEIS.

• External agencies like the police, fire service, or local councils in the event of an emergency, such as under the Civil Contingencies Act 2004.
• Organisations which provide us with administration and processing services in order to manage your account and maintain our relationships with you and for ongoing customer service.
• Financial institutions and organisations providing payment services which manage payments and direct debit instructions on our behalf in order to collect payments from you.
• Accountants, lawyers, notaries and other professional advisers when considering, structuring, documenting, concluding, terminating, varying, amending or renewing a particular transaction already in place with you.
• Companies that provide you with benefits or services associated with your good or service.
• Organisations that manage our meter estate and data in order to ensure that your metering is in a working order and you are billed accurately for your services.
• Distribution and transportation companies in order to comply with legal obligations in our licence and industry codes.
• Revenue protection and debt collection services in order to enable debt recovery.
• Organisations that help you with complaints management in order to respond to a complaint you made about us.
• Industry code bodies in order to comply with a legal obligation, we supply information about customers who are subject to theft investigations and respond to requests for information about our customer base.
• Research agencies in order to gain your feedback following a smart meter installation and other surveys.
• Brokers to pursue our legitimate business interests in order to keep you informed of products and services that are available from us or may be of interest where permitted by law.
• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

6. How data is stored?

Your personal data is stored in a secure, password-protected and encrypted bespoke database. It is accessible by our designated data processors only for the purposes stated above.

7. Outside the UK and/or EU

We share your personal data within Pozitive Planet. This may involve transferring your data outside the UK. Also, our external third parties may be based outside the UK so their processing of your personal data will involve a transfer of data outside the UK. Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
• We may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

Please contact us on the details below click here if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

8. How long your data is retained for?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

9. Your rights
Data protection laws provide you, as an individual, rights to:

• Right of access – you can request access to your personal information (a data subject access request), so you can check what data we hold about you and are using it in accordance with the law.
• Right to rectification – you can ask us to correct personal information that we hold about you.
• Right to erasure – you can ask us to delete your personal data where there is no good reason for us to hold this data. You can also ask us to delete or remove your personal information where you have exercised your right to object to processing.
• Right to restriction of processing – you can ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Right to data portability – you can ask for a copy of the data we hold about you, in an accessible format and the right to transfer it, or to require us to transfer it directly, to another controller.
• Right to object to processing – you can object to the processing of your personal information and there is something about your particular situation which makes you want to object to processing on this ground.

No fee is required to claim any of these rights. However, we may charge a reasonable fee or refuse to comply if your request for access is considered to be unfounded or excessive.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You have the right to make a complaint at any time to the Information Commissioner’s Office. Their contact details are:
Telephone: 0303 123 1113
Email: casework@ico.org.uk
Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: www.ico.org.uk

However, please contact us in the first instance if you have any issue that you wish to discuss.

10. Contacting us

If you have any questions about your rights to your personal data or wish to exercise your rights in relation to your personal data please email our Data Protection Manager at datacontoller@pozitiveplanet.com.