Privacy Policy

Information about the way we collect and store data and how we keep it secure

This Privacy Policy explains how we handle, manage, and control your Data and gives you information about your rights.

We have tried to make this Privacy Policy easy to read and understand.  This includes using clear and transparent language.  Sometimes, we still need to define a word or phrase more precisely.  Where we have used bold to emphasise a word or used a word in quotation marks, that means it is a defined term, these terms are explained at the end of this Privacy Policy.

By using our Service you agree to this Privacy Policy, which should be read in conjunction with our Terms and Conditions. If you think that there is a mistake, if you need anything explaining, please contact us at help@youtility.co.uk.

This Privacy Policy complies with our requirements under the GDPR.

The expressions “we” “our” or “us” means Youtility Limited (“Youtility”), and references to “you” or “your” means you as the customer/end user of our Service.

Youtility Limited is a company registered in England and Wales under company registration number 09802196. Our registered office is 6 Corunna Court, Corunna Road, Warwick, England, CV34 5HQ. Our ICO number is ZA255938.

This document may be amended from time to time. Please check our website for the latest version of this Privacy Policy and our Terms and Conditions.

This Privacy Policy was last updated on the 21st of February 2024.

Key takeaways

  • We hold and process your Data securely and we are open and transparent about how your Data is used.
  • When you use our Service via a Commercial Partner, we use your Data to generate a list of energy, telecoms or other deals and if you choose to submit a switch application, we will pass your Data onto the New Provider you have chosen.
  • Our Commercial Partners may share offers with you from time to time where considered suitable. Any marketing by the Commercial Partners is covered by their marketing preferences and their privacy policy and is not covered within our Privacy Policy.
  • We will never share your Data with any third parties unless we have explained the sharing in this Privacy Policy or if we obtain your consent.
  • We will share your Data with some third parties who we use for the delivery of our We always use written agreements to require them to comply with our instructions and the GDPR.
  • We are required to share your Data with the New Provider as necessary to submit your switch application.
  • We are the Data Controller for the Service we provide to you. We are responsible for our use of your Data, as explained in this Privacy Policy.
  • If a Commercial Partner has shared your Data with us, the Commercial Partner is the Data Controller for the Data they hold about you. The Commercial Partner’s use of your Data will be set out in their own privacy policy, and we are not responsible for their use of your Data.
  • If we are the Data Controller you can ask us to have your Data deleted, amended, ask for a copy of your Data, or ask for your Data to be transferred to another Data Controller at any time.
  • We respect your Data and comply with data protection laws and good practice both in the UK and in other jurisdictions we may operate in, e.g. the EU.
  • When we pass your Data to a New Provider, the New Provider becomes the Data Controller for any Data they hold and process. They may use the Data we share with them to enter into an agreement with you and to provide their services to you.  The New Provider’s use of your Data will be set out in their own privacy policy, and we are not responsible for their use of your Data.
  • If you agree to commence a switch you will inform us of your marketing preferences with the New Provider. We will pass these preferences over to the New Provider. The New Provider’s use of your marketing preference Data will be set out in their own privacy policy, and we are not responsible for their use of your marketing preference Data.
  • We are fully accountable to the UK data protection authority, the Information Commissioner’s Office known as the “ICO”.
  • If you have any concerns about your Data, we have a complaints procedure. If you are unsatisfied with our responses, you have the right to escalate your case to the ICO for an independent decision.

Scope of Privacy Policy

This Privacy Policy applies to all personal data we process through our Service. This Privacy Policy explains how Youtility processes, stores, and protects your Data, and what your rights are as a Data Subject.

Data protection roles and responsibilities

We are a Data Controller for your Data in relation to our Service.  As a Data Controller we have various responsibilities under the GDPR, including providing you with this information about your Data.

In some cases, we may provide software services to other organisations, which may involve us processing your Data on behalf of those organisations.  In that situation, we are not providing services to you directly; we are only acting as a supplier to the relevant organisation.  The organisation is the Data Controller, and we are the Data Processor, acting on the instructions of the Data Controller.  The organisation’s own privacy policy will provide you with the relevant information about the collection, use and retention of your Data.

If you have any questions or concerns about the processing of your Data by the organisation, or by us on behalf of the organisation, you should direct your query to the organisation.

Our Service may be provided to you through a website or mobile application operated by one of our Commercial Partners or the Commercial Partner may link to our own web-based Service.

If a Commercial Partner shares your Data with us, the Commercial Partner is an independent Data Controller for the Data which they hold and process about you.  The Commercial Partner’s use of your Data will be set out in their own privacy policy, and we are not responsible for their use of your Data.  However, we are responsible for your Data (as an independent Data Controller) once it is received by us.

If you choose to switch to a New Provider via the Service, we will share the appropriate and necessary Data with the New Provider you have chosen.  The New Provider will become an independent Data Controller for the Data which they hold and process about you. The New Provider’s use of your Data will be set out in their own privacy policy, and we are not responsible for their use of your Data.

How we receive or collect your Data

We provide you with a Service, which allows you to find alternative service providers by comparing pricing and which helps you to complete the switching process to a New Provider.

Our Commercial Partners can embed our Service into their mobile application, embed in their website or link to our website.

To assist your user journey, our Commercial Partner may share your Data with us so that it can be automatically pre-filled into our Service.  If our Commercial Partner shares your Data with us, they do this under their own privacy policy.  The Commercial Partner is responsible for making sure they are entitled to share your Data with us and that they have explained the sharing to you.  We are responsible for any of your Data which we receive from the Commercial Partner and this Privacy Policy covers that Data.

Alternatively, you may input your Data directly into our web products either branded as Youtility, co-branded with our Commercial Partner or branded as our Commercial Partner. You may be asked to fill in additional information.

Before you enter any Data on our Service you will be made aware of this Privacy Policy.

If you use the Service to initiate a switch to a New Provider, that New Provider will update us on the status of your switch.

Data we process about you

To provide the Service we process personal data, which can be defined as information about living, identifiable individuals, covering both facts and opinions about the individual, but need not be sensitive information. It can be as little as name and address but must be processed in accordance with the Data Subject’s (i.e. your) rights. The processing can either be automated (i.e., part of a computer record) or a manual record.

Personal data can include “Sensitive Data” which includes racial or ethnic origin, political opinions, religious or philosophical beliefs; trade-union membership; genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person’s sex life or sexual orientation.

We will process your Data when you use the Service.

As part of the switching journey, we may collect or receive Data on whether you are considered vulnerable. This Data is Sensitive Data and will be treated with respect and will be stored in an encrypted database and deleted or anonymised as soon as is practically possible.

We will process the following Data about you:

  • name (“Identity Data”);
  • address and email address (“Contact Data”);
  • your current energy provider, tariff, and energy usage (“Energy Data”);
  • if you are considered to be vulnerable and eligible for additional support from your New Supplier (“Vulnerability Data”);
  • when you use our Service, we may process your location, device type, browser and browser version, OS version, App version (“Technical Data”);
  • information about how you interact with and use our Service (“Usage Data”); and
  • your preferences in receiving marketing from us and our third parties and your communication preferences (“Marketing and Communications Data”).

We may also collect, use and share anonymised and/or aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals’ anonymous Data to calculate the percentage of users completing a switch, or we may process anonymous technical/usage information to analyse general trends in how users are interacting with the Service.

How we use your Data

The law requires us to have a legal basis for collecting and using your Data. We rely on one or more of the following legal bases:

Performance of a contract with you: Where we need to perform the contract, we are about to enter into or have entered into with you.

Legitimate interests: We may use your Data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and enable us to give you the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your Data for our legitimate interests. We do not use your Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Legal obligation: We may use your Data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.

Consent: We rely on consent only where we have obtained your active agreement to use your Data for a specified purpose, for example if you subscribe to an email newsletter.

We have set out below a description of all the ways we plan to use the various categories of your Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

  • To provide the Service to you, we may process your Identity Data, Contact Data, Energy Data and Vulnerability Data (where you have provided this). Our lawful bases for processing this Data are: performance of a contract with you and that the processing is necessary for our legitimate interests (to track completed switches in order to receive a commission from a New Provider).
  • To manage our relationship with you (including notifying you of any changes to our Privacy Policy or dealing with your requests, complaints and queries) where we hold your data, we may process your Identity Data, Contact Data and if applicable Marketing and Communications Data. Our lawful bases for processing this Data are: performance of a contract with you, or such processing is necessary to comply with a legal obligation, or such processing is necessary for our legitimate interests (to keep our records updated and manage our relationship with you).
  • To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data), we may process your Identity Data, Contact Data and Technical Data. Our lawful bases for processing this Data are: such processing is necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) or that it is necessary to comply with a legal obligation.
  • To deliver relevant Service content to you and measure or understand the effectiveness of our Service and our communications and marketing we may process your Identity Data, Contact Data, Energy Data, Usage Data, Marketing, Communications Data and Technical Data. Our lawful basis for processing this Data is that it is necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy, to define types of customers for our products and services, to keep our Service updated and relevant, to develop our business and to inform our marketing strategy).
  • To send you relevant marketing communications and make personalised suggestions and recommendations to you about our services that may be of interest to you based we may process your Identity Data, Contact Data, Technical Data, Usage Data, Energy Data and Marketing and Communications Data. Our lawful bases for processing this Data are that it is necessary for our legitimate interests (to carry out direct marketing, develop our products/services and grow our business) or consent, having obtained your prior consent to receiving direct marketing communications.

We may share your Data with Commercial Partners and New Providers

When you use our Service via a Commercial Partner, we may share certain information with the Commercial Partner about your use of the Service, including whether you applied for and completed a switch to a New Provider.

When you use the Service to initiate a switch to a New Provider, we will share certain information with the New Provider to facilitate the switch.

We may share your Data with our suppliers

When you use our Service, the information you provide may be shared with selected third-party suppliers to perform certain data processing tasks on our behalf, e.g. our IT suppliers. We engage these providers on terms that ensure the confidentiality and security of your Data, and which ensure that is not shared without our approval and that it is only used to perform the tasks for us and that they comply with our instructions and the GDPR.

Third Party Links

Our Service may contain links to other websites or applications which are not controlled by us including by our Commercial Partners. We are not responsible for the privacy practices or content of such other websites, services, or applications. As such, visiting these other websites or applications is at your own risk.

Cookies

We use cookies on our Service and website to facilitate proper functioning and analyse how you and others interact with our website and Service.

We only use non-essential cookies, for example for statistics or analytics, if you consent. You can adjust your cookie preferences at any time by clearing the cookie cache in your web browser, which will present you with the cookie consent management platform when you visit the Youtility website again.

Marketing

If our Commercial Partners or a New Provider uses your Data for marketing purposes, they will be responsible for their use of your Data and for compliance with marketing regulations.

We do not retain your Data and will not contact you unless related to the Service with which you have shared your Data with us or our Commercial Partner.  

When you provide your Data on the Service, we will not use it to send direct marketing communications from us or any third parties unless you expressly ask us to.

You will still receive service-related communications that are essential to provide the Service to you (e.g. notifying you if you have not completed all information for the requested Service) or for administrative or customer service purposes.

Security, Data Protection Responsibilities & Training

We have put in place appropriate security measures to prevent your Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Data on our instructions, and they are subject to a duty of confidentiality.

All members of staff, whether permanent or temporary, any suppliers including data processors, all have a duty to abide by the Youtility internal Data Protection Policy. This policy is checked every 6-months and if appropriate updated from time to time to ensure it remains relevant and up to date.

All staff are required to be trained on our internal Data Protection Policies as part of any onboarding and an annual training programme.

Any Data including any Sensitive Data shall be stored encrypted.

Transfer of Data Outside the UK

In respect of your Data we do not currently transfer Data outside of the UK and do not intend to.

If in future we use a supplier(s) that transfers your Data outside the UK, we will ensure that the transfer complies with our obligations under the GDPR.  Some countries have been deemed to provide an adequate level of protection for personal data by the UK government.  If we are transferring your Data to such a country, we will always check that the proposed transfer comes within the scope of that adequacy.  In other cases, we will ensure there is an appropriate safeguard in place for the transfer, such as an International Data Transfer Agreement in the form approved by the ICO.

Data Retention

To determine the appropriate retention period for your Data, we consider the amount, nature and sensitivity of the Data, the potential risk of harm from unauthorised use or disclosure of your Data, the purposes for which we process your Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In general, we retain Data for as long as is necessary for the purpose(s) for which we originally collected it.  Any Data you enter in the Youtility platform shall be retained for seven (7) days unless you request otherwise.  After that period, your Data will be anonymised, and any remaining Data shall be deleted.  

We may also retain information if we are required to do so by law.

In some circumstances, you have the right to delete your Data – please contact us at help@youtility.co.uk.

If you need to contact us and we have deleted your Data, then we may ask you for Data to help identify you. As soon as we resolve the issue we will delete your Data again within 7 days.

Where we have anonymised your Data (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

Your Data Protection Rights

Under the GDPR, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your Data.  If you wish to exercise any of the rights set out below, please contact us, help@youtility.co.uk.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

Right to Access – Subject Access Request (SAR)

If at any point you wish to either confirm whether your Data is being processed and/or access the Data we hold on you, you can request to see this information, free of charge.

To fulfil the SAR, the identity of the requester will be required to be verified before providing your Data. The time limits for our response will start from the point of the requester’s identity being confirmed.

Right to Be Informed

This Privacy Policy provides the information you need about how we collect and use your Data which we have outlined within this document.

Right to Erasure

In certain circumstances, you have the right to have Data that we hold about you erased. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Right to Object and Restrict

You can ask for the processing of your Data to be restricted, for example for marketing purposes. Where your Data is processed based on consent, you may also withdraw your consent to that processing at any time. You can also object to the processing of your Data entirely, but this may affect the Service we are able to offer.

Right to Portability

You can request a copy of your Data to be sent to another Data Controller or to yourself in a machine-readable format.

Contacting Us

Your Data is also stored when you communicate with us via email, social media, or other means by which you decide to contact us. This is usually limited to your name, email address and/or social media account depending on how you contact us and any correspondence on resolving your enquiry. We process this Data based on our contract with you and/or our legitimate interests in providing an efficient service to you.

Questions and Concerns

If you have any questions or concerns about how we handle your Data then please contact us at help@youtility.co.uk.

If you feel your issue has not been dealt with fully then you can escalate you can email complaint@youtility.co.uk.

If you are still not satisfied with the outcome, then you can escalate your issue for independent review to the ICO.

Defined terms

Commercial Partner means an independent company which has arranged for us to provide our Service to you.  This could be via the Commercial Partner’s own website, or they might refer you to our own website.

Data means your personal data, i.e. any information which relates to you as an identifiable person.  It does not include any information which has been made anonymous so that you are not identifiable.

Data Controller means the person who decides the purpose(s) for collecting and/or processing your Data, and also the main ways that your Data will be processed.

Data Subject means a living individual, in this case, you.

GDPR means the General Data Protection Regulation 2018, as incorporated into UK law.

New Provider means a provider you have chosen to switch to via the Service.

Privacy Policy means this privacy policy.

Service means the Youtility service which you can use to compare prices and switch suppliers for various services and any other services or businesses operated by Youtility.

Terms and Conditions means our terms and conditions which govern your use of our Service.