Privacy Policy
Last Updated: September 2025
EcoHedge Ltd is committed to protecting and respecting your privacy and personal data in compliance with the UK GDPR and the Data Protection Act 2018.
This Privacy Policy explains how we collect, use, and safeguard your personal data when you use our website ecohedge.com, our platform app.ecohedge.ai, and any related services, communications, and integrations. It also explains your privacy rights, how the law protects you, and how we uphold the principles of data protection.
1. Our Data Protection Principles
We comply with the UK GDPR by applying the following principles to all processing of personal data:
- Lawfulness, fairness and transparency – we process data legally, fairly and openly.
- Purpose limitation – we only process data for specific, explicit, and legitimate purposes.
- Data minimisation – we only collect what we need.
- Accuracy – we keep data accurate and up to date.
- Storage limitation – we do not keep data longer than necessary.
- Integrity and confidentiality – we secure data against loss, misuse or unauthorised access.
- Accountability – we take responsibility for and can demonstrate compliance with these principles.
2. Who is Your Data Controller
EcoHedge Ltd
71-75 Shelton Street
Covent Garden
London, England
WC2H 9JQ
Email: hello@ecohedge.co.uk
You may raise any concerns directly with us or with the Information Commissioner's Office (ICO) at www.ico.org.uk. However, we would appreciate the opportunity to resolve your concerns before you contact the ICO.
3. Types of Personal Data We Collect
We may collect, use, store, and process the following categories of data:
- Profile/Identity Data – name, job title, subscription tier
- Contact Data – email, phone number, business/billing address
- Account Data – username, encrypted password, authentication tokens, team relationships
- Financial & Transaction Data – subscription details, invoices, payments (via Stripe), connected accounting data (Xero, QuickBooks)
- Technical Data – IP address, browser/device details, logs, API usage
- Usage Data – platform activity, reports generated, support history
- Business & Emissions Data – company info, supplier info, emissions data
- AI & Integration Data – AI categorisation feedback, API integration logs, connection statuses
- Marketing & Communications Data – newsletter preferences, consent records, event registrations
We also generate Aggregated Data (such as industry benchmarks and anonymised emissions profiles). This is not personal data as it does not identify individuals. We do not knowingly collect Special Category Data (sensitive personal data) or criminal conviction data.
4. Legal Basis for Processing
We rely on the following lawful bases:
- Consent – e.g., newsletters, beta testing, surveys.
- Contractual necessity – to provide platform access, payments, reporting, integrations.
- Legal obligation – e.g., tax compliance, fraud prevention, responding to court orders.
- Legitimate interests – e.g., service improvements, security, anonymised benchmarking, business analysis, direct marketing.
We have carried out Legitimate Interests Assessments (LIAs) to confirm that our interests do not override your rights and freedoms.
5. How We Use Personal Data
We process your data for:
- Service Provision – managing accounts, generating reports, enabling collaboration.
- AI & Automation – transaction categorisation, emissions insights, model training (using anonymised data).
- Third-Party Integrations – accounting sync (Xero, QuickBooks), payments (Stripe), authentication (Auth0), email delivery (SendGrid).
- Communications – service notifications, customer support, newsletters (with consent).
- Analysis & Development – usage monitoring, bug fixing, product improvements.
- Legal & Security – fraud prevention, compliance, enforcement of terms.
Automated decisions: Our AI categorisation supports emissions analysis but does not make decisions that produce legal or similarly significant effects without human review.
6. Disclosure of Personal Data
We may share your data with:
- Internal parties – EcoHedge staff and your team members.
- Service providers – Auth0, Stripe, SendGrid, Vercel, Supabase, OpenAI, Nango, Xero, QuickBooks.
- Professional advisers – lawyers, auditors, insurers, consultants.
- Regulators & authorities – HMRC, ICO, law enforcement.
- Corporate transactions – mergers, acquisitions, business transfers.
We require all third parties to respect security and confidentiality, and to process data only on our instructions.
7. International Transfers
Some providers are located outside the UK/EEA, particularly in the United States. Where this occurs, we implement safeguards such as:
- Adequacy decisions (where available)
- UK Addendum to EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA)
- Certification mechanisms (where applicable)
- Explicit consent (where appropriate)
8. Your Rights
You have the following rights under UK GDPR:
To exercise your rights, email hello@ecohedge.co.uk. We may request ID to confirm your identity.
9. Data Security
We apply technical, organisational, and contractual measures, including:
- TLS encryption in transit, encryption at rest
- Secure password hashing and MFA options
- Firewalls, monitoring, and regular patching
- Staff confidentiality training and role-based access control
- Data Protection Impact Assessments for new processing
- Vendor due diligence and contractual security obligations
10. Data Retention
We retain personal data only as long as necessary for its purposes:
| Active accounts | Duration of subscription + 30 days |
| Emissions reports | 7 years (regulatory compliance) |
| Financial records | 6 years (tax law) |
| Support tickets | 2 years |
| Usage logs | 12 months |
| Marketing preferences | Until withdrawn |
| Deleted accounts | Core data up to 12 months; anonymised data indefinitely |
We may retain data longer in the event of complaints or potential disputes.
11. Cookies & Tracking
We use cookies and similar technologies to keep you logged in, save preferences, analyse usage, improve services, and deliver relevant marketing.
12. Children's Privacy
Our services are not directed at individuals under 18. We do not knowingly collect children's data.
13. Changes to This Policy
We may update this Privacy Policy periodically. Significant changes will be notified via email and on this page.
14. Contact Us
EcoHedge Ltd
71-75 Shelton Street
Covent Garden
London, WC2H 9JQ
Email: hello@ecohedge.co.uk
Website: ecohedge.com
ICO Contact
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk