Privacy statement

This privacy statement explains how we handle information about you and your household.

One of our company’s founding beliefs is that technology can empower people – as long as it’s used with good intentions.

All companies say they take privacy seriously. And yet, not all of them really do – particularly those that make money by selling their users’ data, or selling access to their users based on who they are. Coincidentally, those companies’ privacy policies are often rather difficult to understand, unless you’re a solicitor. (And if you are, what you read might make you livid.)

We are not like them. We don’t make our money through advertising or selling data. We earn money from your subscriptions, which means our interests are closely aligned with yours. And we believe we best act in your interests by being completely transparent about how we store and process your personal information.

That’s why we’ve written this privacy statement in plain English. It explains what we do, and why we do it, without glossing over the important details, or counting on you glazing over. We hope you’ll find it simple, informative and fair, but if you have any questions at all, ask us at data@nous.co.

We use technologies to help us understand how visitors use our website.

Some enable our servers to recognise your web browser, and to know how and when you visit our website, or use our app or service. For instance, we set a number of “cookies” – small pieces of data, usually text files, placed on your computer, tablet, phone or similar device – which we can read when you use our service, even if some time has passed since the cookie was set.

We also supplement information we collect from you with information received from third parties. This includes third parties that place their own cookies on your device(s) while you have browsed other websites or used other services (see Third party cookies).

If we weren’t able to set cookies, we wouldn’t understand how our services were being used, and we’d be unable to deliver them properly. That’s why, in legal and business terms, we view these cookies as “essential”.

Why do we do this? In short, we set cookies to deliver our service. For example, they help to make pages load quickly, and to allow you to live chat with us. Cookies also help ensure safety and security. Some enable us to make sure your information is secure, and that only you can access it when you use our service.

In order to fulfil our contractual obligations to you and all our customers, in legal terms we have a legitimate interest in ensuring an operational and safe website for all visitors.

We may also use this information to improve our business and service for customers and visitors (see General development).

Third party cookies. Some cookies are set by third parties on our behalf including: Segment (https://segment.com/legal/privacy/), Google (Analytics) (https://policies.google.com/privacy), Sentry (https://sentry.io/privacy/), Hotjar (https://www.hotjar.com/privacy/).

If you’ve given us your email address when you join – we use it to manage your account (for example, in order to contact you about household utility providers), and to send you information about our business (including marketing content). Any marketing emails will have an unsubscribe option.

In legal terms, it’s our legitimate interest to promote our service to you, and we need your email address to fulfil our contractual obligations to you if you are one of our customers.

To send emails, we work with a third party called Customer.io (https://customer.io/legal/privacy-policy/). Customer.io may include a small image (also known as a tracking pixel) in each email, which lets us know when you’ve opened that email.

If you use our website, app or service, we collect and process information about you and your household in order to serve you. This includes the following kinds of information:

• Information you gave us yourself. Such as, your name and household address, the email address or addresses used by your household utility providers to contact you, as well as any other relevant information (for example, your existing utility providers).
• Information about you supplied to us by third parties directly controlled by you. For example, we may look at emails sent to you by utility providers with the assistance of an email service, like Microsoft Outlook. Or, we may analyse the payments you make to a utility provider by looking at the relevant entries in your bank account through an OpenBanking interface (which may be provided by a third party vendor, the use and processing of which is regulated by the FCA). In order to obtain this kind of information, we’ll get your express consent before we retrieve, process and store that data. You may withdraw that consent at any time (see Your rights). Nous’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
• Information about you or your household activities, supplied by third parties, that are not directly controlled by you. Your active consent is not required in order for us to retrieve and process this kind of information. Examples include data from providers such as DVLA and Electralink.
• Payment processing information. If you become a paying member of our service then we will need to process and store payment information for you. This is processed on our behalf by our payment processor Stripe. Some of the information is made known to us (such as the total amount to be paid, and whether or not a payment was successful), but other information is not (for instance, credit card numbers and other security information). So, even though we are responsible for some of the processing our payment processor carries out, information you give the processor is not shared back with us. For more about their handling of your personal information, please refer to Stripe’s privacy policy (https://stripe.com/en-gb/privacy)

The reason we need this information before you become a customer is to deliver a free personalised service to you. If you decide to become a customer of our premium service, we need to manage the service you and your household receive, to process payments, and for audit and quality assurance purposes.

In legal terms, it’s our legitimate interest to attract new customers and show how our service can help them. We also need these kinds of information to fulfil contractual obligations to you.

Sharing data with third parties. We share parts of this information with third parties, where it’s necessary for us to provide our services:

• With household utility providers, if they require the information to provide quotations or enter into a contract with our customers.
• With electronic mail hosts, if they host an email address used by your utility providers to contact you. We share that email address and other relevant information, for example if you have consented to us accessing your email.
• With payment providers (such as Stripe) in order to process payments from customers.
• With Tink AB (our open banking provider), enabling us to access your bank account. They process your data as a controller (meaning, they may use it for their own purposes – for example, so that they can comply with legal obligations placed on them). Read their privacy policy (https://link.tink.com/privacy-policy/en) to learn more about this.
• With Facebook, in order to make sure that our adverts reach the most appropriate people, we use Facebook's customer list custom audiences feature, which enables us to create an audience using data such as email addresses. When using this feature, we obscure the data before we pass it to Facebook, so that no personal information is passed to them. Please refer to Facebook privacy policy (https://www.facebook.com/privacy)

Your mobile device, web browser or whatever other method you use to connect to our website, app or service, automatically sends information to our systems. This includes IP address, browser version and app version (as appropriate), which is automatically collected and stored in “log” files.

The reason we store log files is they help us maintain and optimise our website, as well as allowing us to detect faults and fraudulent or other criminal activity.

In legal terms, we do this because it’s our legitimate interest to maintain a functional website, prevent its misuse and improve it for visitors.

All log information is automatically deleted 3 months after it is collected, unless we need it in order to investigate a fault, criminal activity or some other problem (in which case we keep it no longer than necessary to investigate and take appropriate action).

Some of the same information – your IP address, for example – is also collected by our analytics tools (see Cookies and tracking).

We use all the information we collect (other than server logs), including information from cookies and information about households, to help us develop our business.

The reason for storing this information is that it helps us improve our existing services. We use it to identify new services, options and business opportunities that we might offer, and to support their development. We also use it to identify suitable audiences for our marketing efforts. When household data has been anonymised (see Reporting and insights) we may use it to publish information which may be of general public interest.

In legal terms, it’s our legitimate interest to develop and promote our business in this way.

You create an account when you give us your name, email address, address or phone number, or authenticate using a SSO (Single Sign On) provider on nous.co (or any tool provided by nous.co).

If you’ve created an account with us, we keep all information about the account for a maximum of three years after it’s closed (so that, for instance, we can resolve any dispute we might have with you, or a third party, relating to the account). This includes any information you’ve shared with us on the account, or that we have received from third parties (for example, from household utility providers).

We carry out routine system backups, which are deleted in rotation over time. All information we process will be part of any backup. Our backup data will only be used as a result of emergencies (such as a critical system failure) and is not routinely accessible to us.

We work with companies that supply us with technology and data processing services, and we may share the information we have about you with them. Whenever we do this, we make sure we have a contractually binding agreement that prohibits our supplier from processing the data – unless we specifically tell them otherwise – and ensures they take proper care of your data.

The current list of suppliers includes: Amazon Web Services, Segment, Google (Analytics), Amplitude, Webflow, Vercel, Sentry, Hotjar, and Customer.io. This list may grow in future as we add more tools that help us operate our website, app and service.

We use cloud services who may be based in (or at least have servers in) countries other than the United Kingdom. So we may need to transfer some of your information to other countries. When we transfer information about you to countries within the European Economic Area, we protect your data in the same way we would do within the United Kingdom. All countries in this area have systems of data protection law that provide equivalent protection to the law of the United Kingdom.

Some of our cloud services have servers based in the USA, so we may also transfer some information about you to the USA, where the systems of data protection law do not provide equivalent protection. In that case, we require a signed, binding agreement with the third party, protecting the data at least as well as if it were still in the United Kingdom, and allowing you to take legal action against them if they do not. In legal terms, this means that our contracts with these third parties include the standard clauses which UK law requires.

Depending on the data and the nature of the service, we will also include additional safeguards we think appropriate. For example, by ensuring that information is encrypted in transit, or is encrypted while stored in the USA.

The household information we collect has value beyond providing our service. Viewed collectively, we can use pooled household data to spot patterns, track how households are adjusting their behaviour in response to cost of living pressures, and identify opportunities which could benefit all – even households which do not use our services directly.

In order to do this, we anonymise all personal and household information we collect (for example, by aggregating it with others’ data or stripping out personally identifiable markers), so that it is no longer possible to identify its relation to you. Once anonymised, data is no longer “personal data”. We use aggregated data to carry out statistical analysis and we may publish reporting and insights which are of general public interest (for example, in an index of financial impacts on households as a result of pricing changes in a particular industry category).

In legal terms, it’s our legitimate interest to anonymise personal data by aggregation in order to offer useful services to the public and to help promote our business.

If you or someone in your household has asked us to seek a social tariff on behalf of your household (see the social tariffs campaign section of our terms), we will ask for the name, date of birth, and phone number of the person named on the broadband account. We will also ask for the National Insurance number of the person in receiving qualifying benefits. We will only share these details with your broadband provider in order to secure a social tariff on behalf of your household.

We do this because, in legal terms, it’s our legitimate interest to promote the social tariff campaign and indirectly our services through our support of it. Even though we do not rely on “consent” as a legal basis for what we do, if we are processing your personal data in this way, we will stop doing so if you ask us to. You can ask us to stop at any time by emailing support@nous.co

We use https://paperform.co/ to collect this information and we will store it until the end of 2022 unless we contact you in the event of an ongoing social tariff campaign.

Under the UK General Data Protection Regulation you have a number of important rights free of charge. In summary, those include rights to:

• Access your personal information
• Require us to correct any mistakes in your information which we hold
• Require the erasure of personal information concerning you in certain situations
• Receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
• Object at any time to processing of personal information concerning you for direct marketing
• Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
• Object in certain other situations to our continued processing of your personal information
• Otherwise restrict our processing of your personal information in certain circumstances.

For further information on each of those rights, including circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation

If you would like to exercise any of those rights, please:

• Email, call or write to us.
• Let us have enough information to identify you. For example if you are a customer, the email address associated with your account. If you simply access our website, then let us know when you accessed the website and from what location.

The General Data Protection Regulation also gives you the right to lodge a complaint with the Information Commissioner who may be contacted at https://ico.org.uk/make-a-complaint/your-personal-information-concerns/ or telephone: 0303 123 1113

The initial version of this privacy statement committed to the company reviewing our storage of personal data other than account data and server log data before the end of 2022. This review was successfully carried out in December 2022.

We are Eighteen and a Half Limited (company number 13236360), trading under the name “Nous”. Our registered address is 18½ Sekforde St., London EC1R 0HL, but it is probably more convenient to contact us at data@nous.co or (if you are a customer) using the app.