    Your Privacy Matters

    Privacy Policy

    Last Updated: September 2025

    EcoHedge Ltd is committed to protecting and respecting your privacy and personal data in compliance with the UK GDPR and the Data Protection Act 2018.

    This Privacy Policy explains how we collect, use, and safeguard your personal data when you use our website ecohedge.com, our platform app.ecohedge.ai, and any related services, communications, and integrations. It also explains your privacy rights, how the law protects you, and how we uphold the principles of data protection.

    1. Our Data Protection Principles

    We comply with the UK GDPR by applying the following principles to all processing of personal data:

    • Lawfulness, fairness and transparency – we process data legally, fairly and openly.
    • Purpose limitation – we only process data for specific, explicit, and legitimate purposes.
    • Data minimisation – we only collect what we need.
    • Accuracy – we keep data accurate and up to date.
    • Storage limitation – we do not keep data longer than necessary.
    • Integrity and confidentiality – we secure data against loss, misuse or unauthorised access.
    • Accountability – we take responsibility for and can demonstrate compliance with these principles.

    2. Who is Your Data Controller

    EcoHedge Ltd

    71-75 Shelton Street
    Covent Garden
    London, England
    WC2H 9JQ

    Email: hello@ecohedge.co.uk

    You may raise any concerns directly with us or with the Information Commissioner's Office (ICO) at www.ico.org.uk. However, we would appreciate the opportunity to resolve your concerns before you contact the ICO.

    3. Types of Personal Data We Collect

    We may collect, use, store, and process the following categories of data:

    Profile/Identity Data

    name, job title, subscription tier

    Contact Data

    email, phone number, business/billing address

    Account Data

    username, encrypted password, authentication tokens, team relationships

    Financial & Transaction Data

    subscription details, invoices, payments (via Stripe), connected accounting data (Xero, QuickBooks)

    Technical Data

    IP address, browser/device details, logs, API usage

    Usage Data

    platform activity, reports generated, support history

    Business & Emissions Data

    company info, supplier info, emissions data

    AI & Integration Data

    AI categorisation feedback, API integration logs, connection statuses

    Marketing & Communications Data

    newsletter preferences, consent records, event registrations

    We also generate Aggregated Data (such as industry benchmarks and anonymised emissions profiles). This is not personal data as it does not identify individuals. We do not knowingly collect Special Category Data (sensitive personal data) or criminal conviction data.

    4. Legal Basis for Processing

    We rely on the following lawful bases:

    • Consent – e.g., newsletters, beta testing, surveys.
    • Contractual necessity – to provide platform access, payments, reporting, integrations.
    • Legal obligation – e.g., tax compliance, fraud prevention, responding to court orders.
    • Legitimate interests – e.g., service improvements, security, anonymised benchmarking, business analysis, direct marketing.

    We have carried out Legitimate Interests Assessments (LIAs) to confirm that our interests do not override your rights and freedoms.

    5. How We Use Personal Data

    We process your data for:

    1. Service Provision – managing accounts, generating reports, enabling collaboration.
    2. AI & Automation – transaction categorisation, emissions insights, model training (using anonymised data).
    3. Third-Party Integrations – accounting sync (Xero, QuickBooks), payments (Stripe), authentication (Auth0), email delivery (SendGrid).
    4. Communications – service notifications, customer support, newsletters (with consent).
    5. Analysis & Development – usage monitoring, bug fixing, product improvements.
    6. Legal & Security – fraud prevention, compliance, enforcement of terms.

    Automated decisions: Our AI categorisation supports emissions analysis but does not make decisions that produce legal or similarly significant effects without human review.

    6. Disclosure of Personal Data

    We may share your data with:

    • Internal parties – EcoHedge staff and your team members.
    • Service providers – Auth0, Stripe, SendGrid, Vercel, Supabase, OpenAI, Nango, Xero, QuickBooks.
    • Professional advisers – lawyers, auditors, insurers, consultants.
    • Regulators & authorities – HMRC, ICO, law enforcement.
    • Corporate transactions – mergers, acquisitions, business transfers.

    We require all third parties to respect security and confidentiality, and to process data only on our instructions.

    7. International Transfers

    Some providers are located outside the UK/EEA, particularly in the United States. Where this occurs, we implement safeguards such as:

    • Adequacy decisions (where available)
    • UK Addendum to EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA)
    • Certification mechanisms (where applicable)
    • Explicit consent (where appropriate)

    8. Your Rights

    You have the following rights under UK GDPR:

    Access to your data
    Rectification of inaccurate data
    Erasure (where applicable)
    Restriction of processing
    Data portability
    Objection (to legitimate interest processing or marketing)
    Withdrawal of consent (where consent applies)
    Not to be subject to solely automated decisions

    To exercise your rights, email hello@ecohedge.co.uk. We may request ID to confirm your identity.

    9. Data Security

    We apply technical, organisational, and contractual measures, including:

    • TLS encryption in transit, encryption at rest
    • Secure password hashing and MFA options
    • Firewalls, monitoring, and regular patching
    • Staff confidentiality training and role-based access control
    • Data Protection Impact Assessments for new processing
    • Vendor due diligence and contractual security obligations

    10. Data Retention

    We retain personal data only as long as necessary for its purposes:

    • Active accounts – Duration of subscription + 30 days
    • Emissions reports – 7 years (regulatory compliance)
    • Financial records – 6 years (tax law)
    • Support tickets – 2 years
    • Usage logs – 12 months
    • Marketing preferences – Until withdrawn
    • Deleted accounts – Core data up to 12 months; anonymised data indefinitely

    We may retain data longer in the event of complaints or potential disputes.

    11. Cookies & Tracking

    We use cookies and similar technologies to keep you logged in, save preferences, analyse usage, improve services, and deliver relevant marketing.

    12. Children's Privacy

    Our services are not directed at individuals under 18. We do not knowingly collect children's data.

    13. Changes to This Policy

    We may update this Privacy Policy periodically. Significant changes will be notified via email and on this page.

    14. Contact Us

    EcoHedge Ltd

    71-75 Shelton Street
    Covent Garden
    London, WC2H 9JQ

    Email: hello@ecohedge.co.uk

    Website: ecohedge.com

    ICO Contact

    Information Commissioner's Office
    Wycliffe House, Water Lane
    Wilmslow, Cheshire, SK9 5AF

    Helpline: 0303 123 1113

    Website: www.ico.org.uk
