We believe privacy should be simple and honest. The short version: we collect only what we need to run the service, we delete your bill file immediately after reading it, we never sell your data, and you can ask us to delete everything at any time. The full details are below.
1. Who We Are
EnergyScan is operated by SCM Digitech Limited, a company incorporated in England and Wales (company number 14333758). We are the data controller responsible for your personal data collected through energyscan.co.uk and app.energyscan.co.uk (together, the "Service").
We are registered with the Information Commissioner's Office (ICO). If you have any questions about how we handle your data, contact us at hello@energyscan.co.uk.
2. What Data We Collect
2.1 Data you provide directly
| Data | When collected | Purpose |
|---|---|---|
| Email address | Account registration or waitlist sign-up | Account access, deal alerts, service communications |
| Password (hashed) | Account registration | Account security — we never store your password in plain text |
| Energy bill file (photo or PDF) | When you upload a bill | AI extraction of tariff and usage data only — deleted immediately after processing |
| Extracted bill data | After bill processing | Stored in your profile to power daily monitoring and improve comparison accuracy |
2.2 Extracted bill data we store
Once your bill has been processed, we store the following extracted fields in your account profile:
- Supplier name and tariff name
- Unit rates (pence per kWh) for electricity and/or gas
- Standing charges
- Estimated annual usage (kWh)
- Contract end date and exit fee amount (if present)
- Bill date
The original bill file is permanently deleted immediately after extraction. We do not retain photographs or PDFs of your bills.
2.3 Data collected automatically
| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention, and abuse detection |
| Browser type and device information | Ensuring the Service works correctly across devices |
| Pages visited and actions taken within the app | Service improvement and debugging |
| Session tokens (cookies) | Keeping you logged in securely |
2.4 Payment data
We do not collect or store your payment card details. All payment processing is handled by Stripe, Inc. When you subscribe, you enter your card details directly into Stripe's secure interface. We receive only a confirmation of payment and a Stripe customer reference. Stripe's privacy policy is available at stripe.com/gb/privacy.
3. How We Use Your Data
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Creating and managing your account | Contract performance (Article 6(1)(b)) |
| Processing your bill and providing comparison results | Contract performance (Article 6(1)(b)) |
| Running daily market monitoring and sending deal alerts | Contract performance (Article 6(1)(b)) |
| Sending subscription-related emails (receipts, renewal notices, cancellation confirmations) | Contract performance (Article 6(1)(b)) |
| Sending monthly market update emails to subscribers | Legitimate interests (Article 6(1)(f)) — you may opt out at any time |
| Waitlist communications (launch notification) | Consent (Article 6(1)(a)) — given at sign-up; withdrawable at any time |
| Fraud prevention and security | Legitimate interests (Article 6(1)(f)) |
| Improving the accuracy of our AI extraction | Legitimate interests (Article 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
We do not use your data for advertising, profiling, or any purpose unrelated to providing the Service.
4. Who We Share Your Data With
We do not sell your personal data. We share it only with the following third-party service providers, and only to the extent necessary to operate the Service:
| Provider | Role | Data shared | Location |
|---|---|---|---|
| Supabase | Database and authentication | Account data, extracted bill data | EU (AWS) |
| Stripe | Payment processing | Email address, subscription status | USA (SCCs in place) |
| Resend | Transactional email delivery | Email address, email content | USA (SCCs in place) |
| Mailchimp (Intuit) | Waitlist and marketing emails | Email address | USA (SCCs in place) |
| OpenAI / AI provider | Bill data extraction (AI processing) | Bill file contents (deleted by provider after processing) | USA (SCCs in place) |
| Vercel | Application hosting | Server logs, IP addresses | USA/EU (SCCs in place) |
"SCCs" means Standard Contractual Clauses — the approved legal mechanism under UK GDPR for transferring personal data to countries outside the UK/EEA.
We may also disclose your data if required to do so by law, court order, or regulatory authority, or to protect the rights, property, or safety of SCM Digitech Limited, our users, or others.
5. Cookies
We use a small number of cookies that are strictly necessary to operate the Service:
- Authentication cookie — keeps you logged in during and between sessions. Set by Supabase.
- Session cookie — maintains your session state while using the app. Deleted when you close your browser.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics or similar services.
6. How Long We Keep Your Data
| Data | Retention period |
|---|---|
| Bill files (photo/PDF uploads) | Deleted immediately after AI extraction — not retained |
| Extracted bill data and account profile | Retained while your account is active, then deleted within 30 days of account deletion |
| Email address and account credentials | Retained while your account is active, then deleted within 30 days of account deletion |
| Subscription and payment records | Retained for 7 years to comply with financial record-keeping obligations |
| Waitlist email addresses | Retained until you unsubscribe or request deletion |
| Server logs (IP addresses, access logs) | Up to 90 days, then automatically purged |
7. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate or incomplete data.
- Right to erasure — you can ask us to delete your personal data. We will comply unless we are required to retain it by law (e.g. financial records).
- Right to restriction — you can ask us to restrict how we process your data in certain circumstances.
- Right to data portability — you can request your data in a structured, machine-readable format.
- Right to object — you can object to processing based on legitimate interests, including for marketing purposes.
- Right to withdraw consent — where processing is based on consent (e.g. waitlist emails), you can withdraw it at any time without affecting prior processing.
To exercise any of these rights, email us at hello@energyscan.co.uk. We will respond within one month. We will not charge a fee for reasonable requests.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. Children's Privacy
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at hello@energyscan.co.uk and we will delete it promptly.
9. Security
We take the security of your personal data seriously. Our security measures include:
- All data in transit is encrypted using TLS (HTTPS);
- Passwords are hashed using bcrypt before storage — we cannot read your password;
- Database access is restricted to authenticated application services only;
- Bill files are processed in memory and deleted immediately — they are never written to persistent storage;
- Stripe handles all payment card data — we never receive or store card numbers.
No method of transmission or storage is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by updating the effective date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your data, please contact us:
- SCM Digitech Limited — Company No. 14333758
- Email: hello@energyscan.co.uk
- Registered in England and Wales
This Privacy Policy was last updated on 20 February 2026. For our Terms of Service, see energyscan.co.uk/terms.