Octopus Energy Collective Limited privacy policy

1 Introduction

We recognise that customers, clients and investors value their data and privacy, and so we treat personal data with great care. This policy sets out how and when we collect, use and share the personal information that you, or others, provide to us.

This privacy policy was last updated on 1 October 2023.

2 Who we are

This privacy policy applies to Octopus Energy Collective Limited (14036581) (“OECL”) which forms part of the Octopus Energy group of companies.

OECL is registered at and trades from UK House, 5th Floor, 164-182 Oxford Street, London, W1D1NN. Octopus Energy Group and OECL has appointed a data protection officer, Lynne Higgins, who is responsible for overseeing questions in relation to this privacy notice. If you have any questions or requests, please do contact us at the relevant email addresses provided at the end of this policy.

Your data will be processed on our behalf by Share In Ltd, a company registered in Scotland (number SC408803) with its registered office Suite 2, Ground Floor Orchard Brae House, 30 Queensferry Road, Edinburgh, United Kingdom, EH3 2HS ( ShareIn). ShareIn is registered with the ICO to process personal data and their registration number is ZA029742. ShareIn host OECL’s website and will be the data processor for the purposes of the Data Protection Act 2018 as amended by The Data Protection, Privacy and Electronic Communications (Amendments) Regulations 2019.

Your data will be held by ShareIn on their secure servers located in the Republic of Ireland, but will be processed by staff who work in the UK. Your data may also be transferred to locations outside the EU where the safeguarding criteria set out in Articles 44-50 of the GDPR are satisfied.

Any payment transactions you make through our website will be made through ShareIn, encrypted through SSL technology. ShareIn are a joint controller in respect of any personal data and any of your personal data they hold will be subject to this privacy policy.

3 Why we may collect data about you

There are many reasons why we may collect and process your personal information and data, including:

1. to provide and manage products and services you have requested
2. to verify your identity, ensure you meet eligibility requirements, protect against fraud and manage risk
3. to comply with legal or regulatory requirements
4. to understand our customers and develop, tailor and target our products and services;
5. to notify you about other investment opportunities listed on our website that are similar to those in which you have invested, or otherwise viewed or enquired about; and/or
6. to re-organise or make changes to our business.

4 Basis of collecting and using your data

When we collect your personal data we either have a lawful basis of doing so, or we obtain your consent to do so.

1. Consent. In specific situations, we can collect and process your data with your consent. You may withdraw your consent at any time but please remember that this could mean we may have to stop providing certain services to you.

2. Contractual obligations. We may process your information where it is necessary to either enter into a contract with you for the provision of our products or services or to perform our obligations under that contract or to provide you with advice or guidance in relation to accessing our products or services that are offered by us, or otherwise to comply with contractual obligations.

3. Legal compliance. If the law or any regulator in any competent jurisdiction requires us to, we may need to collect and process your data and also provide this to the relevant regulator.

4. Legitimate interest. We may process your information in the day to day running of our business, to manage our business and financial affairs and to protect our customers, employees and property. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business. In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.

Please remember that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you.

5 How do we collect and use your data?

We may obtain information in several ways which may include:

1. Information which you give to us, including when you contact us or register your interest in any product, service or initiative listed on the OECL website;
2. Information that we receive from third parties, including other companies in the Octopus Energy Group, and third parties who provide services to you or us (including via credit reference agencies, fraud prevention agencies or government agencies);
3. Information that we learn about you through our relationship with you and the way you operate your Octopus Energy accounts and/or services (if any) or OECL accounts and/or services, such as the payments made to and from your accounts;
4. Information that we gather from the technology which you use to access our services (for example an IP address or telephone number);
5. Information that we gather from publicly available sources, such as the press, the electoral register, company registers and online search engines.

We collect and process personal information and data about you at the start of, and for the duration of, your relationship with us – in each case where we have a reason for doing so and only where that reason is permitted under data protection law. The section below sets out how we collect and use your data in specific circumstances.

It’s important that you keep your personal information with us up to date, so please let us know if anything changes.

When you contact us

When you contact us (including by phone, email, through social media or through a website contact form) in relation to the OECL business, we may process your personal information (including your name, address, contact details, the name of the organisation you work for and other personal information you’ve given us) in order to respond to your query and provide the customer services you have asked us to (if any; for example providing assistance with the OECL platform).

We rely on your consent to handle your personal information in this way. If you do not provide us with the data we request from you for customer services purposes, we may not be able to fully answer your queries. We may log and record the interactions you have with us, such as phone calls, email opens and click throughs to help us better service your requests.

When you register interest in or sign up to the Octopus Energy Collective or OECL, or invest through the OECL platform

When you register your interest in or register for OECL or the Octopus Energy Collective, we will use your personal information to complete your registration and evaluate whether you qualify for the Octopus Energy Collective based on applicable regulation and whether additional products and services may be relevant to you based on your interaction with us and our websites. The details we (or our relevant service providers) collect from you may include your name, address, date of birth, email address, phone number, nationality, Octopus Energy account number (if any) and credit history, investor categorisation, information about your financial circumstances, anti-crime and fraud information (to verify that you are neither suspected nor a victim of fraud or other offences and that your details do not appear on politically exposed persons and sanctions lists), education (including experience of and understanding of investing), goods and services provided by Octopus Energy Group Companies to you to date, visual images (such as copies of passports or drivers licence to verify identity) and payment or bank account details.

If provided to us or Octopus Energy by you, we may also collect vulnerability data, such as your age, any disabilities or health conditions or any financial circumstances of you or a member of your household. It’s important that you keep your personal information up to date, so please let us know if anything changes.

When you register for the Octopus Energy Collective or invest through the OECL platform, we may share your personal information with other Octopus Energy Group Companies and/or third parties involved in the process, such as white label partners, payment providers and credit reference agencies, who we use to assess fraud, credit and/or security risks and also investee companies in connection with your investment. We need to process your personal information in this way to comply with applicable legislation.

Marketing communications

We use your email address to send you direct marketing emails from OECL about the investments listed on our website, and other products and services from OECL. OECL do this only where you have signed up for an account on OECL and have not chosen to opt out of emails on new investments and products from OECL. We do this based on our legitimate interest to make sure customers who have opened an account are aware of new investments launching and other related product news. We only rely on our legitimate interests, where these are not outweighed by your interests or fundamental rights and freedoms. We have done a balancing test and determined that you would expect to receive this information as it is in your interests to receive the latest information about our products and services and about any special offers and promotions. We will only send you emails about our own products and services and never share your information with any third parties for their direct marketing purposes. You can opt out of receiving direct marketing at any time through clicking the unsubscribe link in our emails, or by contacting us.

To make our website better and more secure

We will use your personal information to provide you with a more effective user experience, such as by displaying services we think you will be interested in. Using your information in this way means that your experience of our website will be more tailored to you, and the content you see on our website may differ from someone else.

We may also share your aggregated, anonymous data with third party analytics and search engine providers that assist us in the improvement and optimisation of our website.

We will also use your personal information for the purposes of administering our website and making them more secure, including troubleshooting, data analysis, testing, research, statistical and survey purposes. We process your data for this reason because we have a legitimate interest to provide you with the best experience we can, and to ensure that our website is kept secure.

You can task us to stop using your personal information in this way by using the “do not track” functionality in your internet browser. If you enable “do not track” functionality, our website may be less tailored to your needs and preferences.

Technical information and analytics

When you visit our website, we will automatically collect the following information:

• technical information, including the IP address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, screen resolution, operating system and platform; and
• information about your visit, including the full Uniform Resource Locators, clickstream to, through and from our website (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page.

We may also collect information on your location on our websites, such as your location data when accessing the website in line with the location settings on your phone or internet browser. This can be disabled or amended via the relevant IOS/Android platforms or in your internet browser settings.

We work closely with various third parties, including advertising networks, analytics providers, hosting providers and search information providers from whom we may also receive general aggregated anonymous information about you.

Product and Service Development

We sometimes process your data where we have a legitimate interest for doing so, for example:

• to better understand our customer demographic and the content of customer communications and requests to create more relevant campaigns, products and services.
• to make predictions about future behaviour based on current behaviour, to help develop and tailor our products and services.
• to build a profile personally for you, so we can do things like personalise and improve our products and services.
• for data analysis, testing, research, statistical and survey purposes.

Where we do process your personal data, we rely on legitimate interests to process your data in this way, we always carry out a “balancing” test in line with the ICO’s guidance to ensure that our processing is necessary and is not outweighed by your rights to privacy.

6 How we use your information

We will only use or disclose your personal data for the purposes it was collected for and as disclosed in this policy.

7 Sharing your information

To the extent permitted by applicable law, we may share your information in the Octopus Energy Group, including locations outside of the UK and European Economic Area (“EEA”), for legal and regulatory purposes, to manage risk, to ensure correct information about and to better manage your account and provide customer service. The Octopus Energy Group includes all subsidiaries of Octopus Energy Group Limited, including OECL (“Octopus Energy Group Companies”).

Where we share your information with any third parties, we always do so in line with this privacy policy and in compliance with data protection laws and regulatory requirements. Those third parties may process your information as either a data controller or as our data processor (this will depend on the purposes of our sharing your personal data with such third party) but we ensure that these third parties only use your data in line with our instructions.

In addition to the above, some of the organisations we may share your information with include:

• Anyone who is named and authorised on your Octopus Energy or Octopus Energy Collective account
• Our affiliates and partners, including our white-label partners, to the extent necessary to enable us to deliver our services to you.
• Payment providers, to help us process your payments to us.
• Credit reference agencies, fraud prevention agencies, anti-money laundering and terrorist financing tools, both when you first sign up and routinely whilst you have an account with us to help us assess (i) creditworthiness and product suitability, (ii) check your identity, (iii) manage your account, (iv) assess any fraud, credit or security risks, and (v) prevent criminal activity.

We may also share your information for the following reasons.

If our business is sold

We will transfer your personal information to a third party as follows:

• if we sell or buy any business or assets, we will provide your personal information to the seller or buyer (but only to the extent we need to, and always in accordance with data protection legislation); and
• if Octopus Energy or OECL, or the majority of its assets, are acquired by somebody else, in which case the personal information held by Octopus Energy or OECL will be transferred to the buyer.

We process your personal information in this way because we have a legitimate interest to ensure our business can be continued by the buyer.

Where we have a legal or regulatory obligation

In some circumstances we may need to share your personal information:

• if we are under a duty to disclose or share it to comply with a legal obligation (for example, to investigate something like theft or fraud); or
• to protect the rights, property or safety of our website, or any Octopus Energy Group websites or our customers. This includes (but is not limited to) exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

In difficult circumstances

We speak to customers regularly, and some of those people will be in difficult circumstances. Occasionally people will share information which indicates that they, or a member of their household, are in imminent danger or at serious risk, and in line with guidance from the Information Commissioner, in such circumstances we may refer the situation to relevant authorities or sources of assistance. In such cases we will consider first and foremost the interests of the person at risk.

For statistical and research purposes

We may share some broader statistics and customer profiling information with third parties and within the Octopus Energy Group, but the information or data will be anonymised, so you will not be identifiable from it.

8 Where is my data stored?

The data and information that we collect and process may be transferred to, processed in and stored at, a destination outside of the UK.

Whenever we transfer, process or store your personal information outside of the UK, we will always ensure it is protected by making sure we have safeguards in place. This might mean only transferring your personal information to a country that has been deemed by the European Commission to provide an adequate level of protection, or by using specific contractual protections. You can contact us at the relevant email addresses provided at the end of this policy for details of how we protect specific transfers of your data.

All information that you provide us with is stored on our secure servers, or those of our third parties’ data storage providers.

9 Security

We will take all steps reasonably necessary to ensure that your information and/or data is treated securely and in accordance with this privacy policy.

When we have received your information and/or data, we will use strict procedures and security features to prevent unauthorised access. Unfortunately, the transmission of information via the internet is not completely secure and although we will do our best to protect your information and/or personal data, we cannot guarantee its security completely. Accordingly, in the case of a security breach we do not accept any liability for the direct or indirect loss, theft or misuse of any information and/or data that you have provided to us.

10 How long do we retain your data for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting or administrative requirements.

To determine the appropriate retention period for the personal information we hold, we consider the amount, nature and sensitivity of the personal information, the risk of harm from unauthorised use or disclosure of your personal information, the reasons why we handle your personal information (including the nature of the activity, product or service), the applicable legal requirements and whether we can achieve those purposes through other means. Retention periods may be changed from time to time based on business or legal and regulatory requirements.

In addition, in some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical analysis, such as looking at email open rates, or to improve our website and app and develop new products. In these cases, we may use this information indefinitely without further notice to you.

11 What are my rights under data protection laws?

You have various rights under the data protection laws, which you can exercise by contacting us. The easiest way to do this is by email to the relevant email addresses set out at the end of this policy.

11.1 Right to object

You have the right to object to us handling your personal information where we are handling your personal information based on our legitimate interests. If you ask us to stop handling your personal information in this way, we will stop unless we can show you that we have compelling grounds as to why we should continue to use your personal information.

You can also ask us to stop handling your personal information for marketing purposes at any time.

11.2 Right of access

You have the right to access your personal information which we are handling, and you are entitled to receive confirmation and details about whether your personal information is being processed by us.

11.3 Right to rectification

You have the right to require us to rectify any inaccurate personal information we hold about you. You also have the right to ask us to complete personal information which you think is incomplete.

11.4 Right to restriction

You can restrict our processing of your personal information where:

• you think we hold inaccurate personal information about you;
• our handling of your personal information breaks the law, but you do not want us to delete it;
• we no longer need to process your personal information, but you want us to keep it for legal reasons; or
• where we are handling your personal information because we have a legitimate interest (as described in 3 “Why we may collect data about you” and 4 “How do we collect and use your data?” section above) and are in the process of objecting to this use of your personal information.

Where you exercise your right to restrict us from using your personal information, we will then only process your personal information when you agree, except for storage purposes and to handle any legal claims.

11.5 Right to data portability

This right only applies to your personal information we are handling because you consented to us using it or because there is a contract in place between us. You have the right to receive your personal information in a structured, standard machine-readable format, and the right to ask us to send your information to another organisation or to give it to you.

11.6 Right to erasure

You have the right to require us to erase your personal information in the following circumstances:

• where we no longer need to use your personal information for the reasons we told you we collected it for;
• where we needed your consent to use your personal information, you have withdrawn your consent and there is no other lawful way we can continue to use your personal information;
• where you object to our use of your personal information and we have no compelling reason to carry on handling it;
• if our handling of your personal information has broken the law; and
• where we must erase your personal information to comply with a law we are subject to.

11.7 Right to complain

You have the right to lodge a complaint with the Information Commissioner's Office, the supervisory authority for data protection issues in the United Kingdom. If you wish to raise a complaint on how we have handled your information without lodging a complaint with the Information Commissioner’s Office, you can contact our Data Protection Officer as set out below.

12 What about websites we link to?

The website and other Octopus Energy group websites may include links to third-party websites, advertisers, affiliates, plug-ins and applications. If you click on a link to any of these websites or enable those connections, you will leave our websites and this may allow third parties to collect or share data about you.

We have no control over these third-party websites and are not responsible or liable for (i) their privacy statements, notices or policies or (ii) any contents or materials on third-party websites. We encourage you to check the privacy policy of every third-party website before you submit any personal data to these websites.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

13 Updates, additional notices and contact

Changes to our privacy policy

We keep our privacy policy under regular review. Any changes we make to our privacy policy in the future will be posted on the OECL website and, where appropriate, notified to you by email or post. Please check back frequently to see any updates or changes to our privacy policy. Please note that by continuing to use the website, you are agreeing to any updated versions of the OECL privacy policy.

Additional notices or policies

It is important that you read this policy together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This policy supplements any other privacy notices or policies and is not intended to override them.

Information Commissioner

We would always rather you speak to us first if you have any questions about our handling of your personal data, so we can resolve any problems as quickly as possible. However, if you are not happy with the way we have handled your data, or would like more information about your rights, you can contact the Information Commissioner’s Office, the UK’s independent authority on data privacy at www.ico.org.uk.

Contact us

OECL will usually be the data controller in respect of your personal data and can answer any questions you may have about our privacy practices or the use of your personal data. Details of OECL business contacts are listed below, or you can also email our data protection officer at dpo@octoenergy.com.