Privacy Policy

Last Updated: September 2025

EcoHedge Ltd ("EcoHedge", "we", "us", or "our") is committed to protecting and respecting your privacy and personal data in compliance with the United Kingdom General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and all other mandatory UK data protection laws.

This Privacy Policy explains how we collect, use, and safeguard your personal data when you use:

  • Our website www.ecohedge.com
     
  • Our platform app.ecohedge.ai
     
  • Any related services, communications, and integrations
     

It also explains your privacy rights, how the law protects you, and how we uphold the principles of data protection.

1. Our Data Protection Principles

We comply with the UK GDPR by applying the following principles to all processing of personal data:

  • Lawfulness, fairness and transparency – we process data legally, fairly and openly.
     
  • Purpose limitation – we only process data for specific, explicit, and legitimate purposes.
     
  • Data minimisation – we only collect what we need.
     
  • Accuracy – we keep data accurate and up to date.
     
  • Storage limitation – we do not keep data longer than necessary.
     
  • Integrity and confidentiality – we secure data against loss, misuse or unauthorised access.
     
  • Accountability – we take responsibility for and can demonstrate compliance with these principles.
     

2. Who is Your Data Controller

EcoHedge Ltd is the Data Controller for your personal data.

Registered office:
EcoHedge Ltd
71-75 Shelton Street
Covent Garden
London, England
WC2H 9JQ

Email: hello@ecohedge.co.uk

We are not legally obliged to appoint a Data Protection Officer and have not voluntarily appointed one. You may raise any concerns directly with us or with the Information Commissioner’s Office (ICO) at www.ico.org.uk. However, we would appreciate the opportunity to resolve your concerns before you contact the ICO.

3. Types of Personal Data We Collect

We may collect, use, store, and process the following categories of data:

  • Profile/Identity Data – name, job title, subscription tier
     
  • Contact Data – email, phone number, business/billing address
     
  • Account Data – username, encrypted password, authentication tokens, team relationships
     
  • Financial & Transaction Data – subscription details, invoices, payments (via Stripe), connected accounting data (Xero, QuickBooks)
     
  • Technical Data – IP address, browser/device details, logs, API usage
     
  • Usage Data – platform activity, reports generated, support history
     
  • Business & Emissions Data – company info, supplier info, emissions data
     
  • AI & Integration Data – AI categorisation feedback, API integration logs, connection statuses
     
  • Marketing & Communications Data – newsletter preferences, consent records, event registrations
     

We also generate Aggregated Data (such as industry benchmarks and anonymised emissions profiles). This is not personal data as it does not identify individuals.

We do not knowingly collect Special Category Data (sensitive personal data) or criminal conviction data.

4. Legal Basis for Processing

We rely on the following lawful bases:

  • Consent – e.g., newsletters, beta testing, surveys.
     
  • Contractual necessity – to provide platform access, payments, reporting, integrations.
     
  • Legal obligation – e.g., tax compliance, fraud prevention, responding to court orders.
     
  • Legitimate interests – e.g., service improvements, security, anonymised benchmarking, business analysis, direct marketing.
     

We have carried out Legitimate Interests Assessments (LIAs) to confirm that our interests do not override your rights and freedoms.

5. How We Use Personal Data

We process your data for:

  1. Service Provision – managing accounts, generating reports, enabling collaboration.
     
  2. AI & Automation – transaction categorisation, emissions insights, model training (using anonymised data).
     
  3. Third-Party Integrations – accounting sync (Xero, QuickBooks), payments (Stripe), authentication (Auth0), email delivery (SendGrid).
     
  4. Communications – service notifications, customer support, newsletters (with consent).
     
  5. Analysis & Development – usage monitoring, bug fixing, product improvements.
     
  6. Legal & Security – fraud prevention, compliance, enforcement of terms.
     

Automated decisions: Our AI categorisation supports emissions analysis but does not make decisions that produce legal or similarly significant effects without human review.

6. Disclosure of Personal Data

We may share your data with:

  • Internal parties – EcoHedge staff and your team members.
     
  • Service providers – Auth0, Stripe, SendGrid, Vercel, Supabase, OpenAI, Nango, Xero, QuickBooks.
     
  • Professional advisers – lawyers, auditors, insurers, consultants.
     
  • Regulators & authorities – HMRC, ICO, law enforcement.
     
  • Corporate transactions – mergers, acquisitions, business transfers.
     

We require all third parties to respect security and confidentiality, and to process data only on our instructions.

7. International Transfers

Some providers are located outside the UK/EEA, particularly in the United States.

Where this occurs, we implement safeguards such as:

  • Adequacy decisions (where available).
     
  • UK Addendum to EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).
     
  • Certification mechanisms (where applicable).
     
  • Explicit consent (where appropriate).
     

8. Your Rights

You have the following rights under UK GDPR:

  • Access to your data
     
  • Rectification of inaccurate data
     
  • Erasure (where applicable)
     
  • Restriction of processing
     
  • Data portability
     
  • Objection (to legitimate interest processing or marketing)
     
  • Withdrawal of consent (where consent applies)
     
  • Not to be subject to solely automated decisions
     

To exercise your rights, email hello@ecohedge.co.uk. We may request ID to confirm your identity.

9. Data Security

We apply technical, organisational, and contractual measures, including:

  • TLS encryption in transit, encryption at rest
     
  • Secure password hashing and MFA options
     
  • Firewalls, monitoring, and regular patching
     
  • Staff confidentiality training and role-based access control
     
  • Data Protection Impact Assessments for new processing
     
  • Vendor due diligence and contractual security obligations
     

10. Data Retention

We retain personal data only as long as necessary for its purposes:

  • Active accounts – duration of subscription + 30 days
     
  • Emissions reports – 7 years (regulatory compliance)
     
  • Financial records – 6 years (tax law)
     
  • Support tickets – 2 years
     
  • Usage logs – 12 months
     
  • Marketing preferences – until withdrawn
     
  • Deleted accounts – core data up to 12 months; anonymised data indefinitely
     

We may retain data longer in the event of complaints or potential disputes.

11. Cookies & Tracking

We use cookies and similar technologies to:

  • Keep you logged in
     
  • Save preferences
     
  • Analyse usage
     
  • Improve services
     
  • Deliver relevant marketing
     

12. Children’s Privacy

Our services are not directed at individuals under 18. We do not knowingly collect children’s data.

13. Changes to This Policy

We may update this Privacy Policy periodically. Significant changes will be notified via email and on this page.

14. Contact Us

Email: hello@ecohedge.co.uk
Address: EcoHedge Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Website: www.ecohedge.com

ICO Contact:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
www.ico.org.uk