Privacy policy

About the privacy policy document

Privacy policies outline a business’ practice on the collection, storage and use of personal data. The standard document is intended for use on a website which collects:

  • Basic, non-sensitive personal data (such as name, contact and credit card details) for the purpose of supplying goods or services to users of the site, or for contacting users with direct marketing information.
  • Information about users’ online behaviour, like IP addresses and web log data. It is designed for use in conjunction with the Standard document, Terms of website use (UK), the Standard document, Website terms and conditions of supply and the Standard document, Acceptable use policy.

It is designed for use in conjunction with the Standard document, Terms of website use (UK), the Standard document, Website terms and conditions of supply and the Standard document, Acceptable use policy.

The document does not cater for a situation in which sensitive personal data is collected (such as data relating to racial or ethnic origin, political opinions and religious beliefs), for which “explicit consent” is required (section 2 and Schedule 3, DPA).

For more information, see Practice note, Overview of UK data protection regime: Sensitive personal data: additional rules.

If such data are collected on the site, it would be advisable to dispense with a separate privacy policy and incorporate its contents into a click-wrap consent form where the user has to click on an icon to indicate his or her wishes with respect to the processing. Similarly, the standard document will not be suitable for dealing with employee information or for sites which are targeted at children (see Practice note, Overview of UK data protection regime: Minors ).

  • Established in the UK (section 5(1)(a)).
  • Not established in the UK but where the data controller makes use of equipment situated within the UK, except where this equipment is used only for the purposes of mere transit through the UK (section 5(1)(b)).
For questions to be considered when trying to determine which national data protection law(s) adopted pursuant to the Data Protection Directive (1995/46/EC) may be applicable to the processing of personal data, see Checklist, which national data protection law(s) apply to the processing of personal data. Website operators may have establishments which hold data in a number of countries. If so, they will need to ensure that they comply with the data protection laws in each of those jurisdictions. The standard document ensures compliance with the DPA. This policy may meet the legal requirements in other EU member states. However, since the Data Protection Directive has not been implemented in precisely the same way in each EU member state – in some states, the obligations on the data controller are more onerous than those imposed under the DPA – consideration must be given to the laws of each state in which the site is or is likely to be accessed.

How to use this standard document

Privacy policies are ultimately designed to allow website operators to comply with their fair processing obligation and to obtain the users’ consent to that processing. Users cannot be said to have granted “freely given, specific and informed” consent to processing unless they have been given the opportunity to read the terms on which their data is to be collected, stored, used and shared before they submit the relevant personal data.

The Information Commissioner’s Office advocates a layered notice as the most effective at making individuals aware of how website operators will use their information. This usually consists of two linked notices, one short and one longer.

To comply with best practice, data controllers are therefore encouraged to:

  • Include a short notice where there is not enough space to provide more detailed information, for example in an advert. The notice should be clear and easy to read and understand, and placed wherever personal information is collected. It should contain basic information, for example, the identity of the data controller and the way in which the personal data will be used. It should contain a link to the longer notice that is the privacy policy.
  • Make their privacy policy accessible to users by means of a prominent hyperlink from the short notice and, where possible, on each page of the site. The privacy policy should include all legal provisions, although it may also contain links to further material that explains more specialist issues (for example, the circumstances in which information will be disclosed to the police). However, data controllers should ensure that the privacy policy remains accessible to users. Fragmentation into too many individual documents should therefore be avoided.

It is also important to ensure that the general website terms and conditions do not contradict the terms of the privacy policy.

Finally, data controllers should be aware that the privacy policy will be an enforceable contract, and therefore should not promise anything which the data controller cannot fulfil.

Welcome Energy Limited (“We”) are committed to protecting and respecting your privacy.

This policy (together with any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting you are accepting and consenting to the practices described in this policy.

Information about the data controller

  • The full name of the data controller must be provided (paragraph 2(3)(a), Part 2, Schedule 1, DPA). This can conveniently be set out at the beginning of the policy.
  • The DPA does not require data controllers to appoint a nominated representative for the purposes of the DPA. However, where such a representative is appointed, details must be given to the data subject.

For the purpose of the Data Protection Act 1998 (the Act), the data controller is Welcome Energy of
Monarch House
7-9 Stafford Road

In order to comply with his fair information obligation and to ensure that the users’ consent to the data controller’s processing activities is “informed”, information should be provided about the types of data which the site will process. Because different data protection requirements may apply to different types of data, and because different types of data are likely to be processed for different purposes, the privacy policy should ideally list the following types of data separately:

  • Basic biographical data provided by the user (for example, the user’s name, address, e-mail address, telephone number, and information provided via the site’s interactive and social media functions).
  • Information about the user’s visit to the site that is automatically collected by the site (for example, technical information about the user’s browser type and settings and his IP address, pages visited or products viewed, the length of time on each page, page interaction information).
  • Information received from other sources including other websites or online services controlled by the data controller and third parties (for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies).

IP addresses

A question arises as to whether an Internet Protocol (IP) address can constitute personal data. An IP address is a 4 to 12-digit number (such as that identifies a specific computer connected to the internet, and which can usually be converted into a more memorable ‘real’ text address known as a domain name (such as Various internet server computers located around the internet have a database conversion table that automatically converts a domain name into the numeric address of the relevant host site and vice versa. There are also “who is” services offered by sites which, upon the user providing a domain name or IP address, offer information about the owner of that name or address. The Information Commissioner’s view is that an IP address may fall within the definition of personal data under the DPA where it can be linked to an individual user perhaps through other information held or from information that is publicly available on the internet. This issue is not specifically addressed in the DPA.

In many cases, website operators will be permitted to process IP address under the legitimate interest condition set out in paragraph 6(1) of Schedule 2 to the DPA. However, the website operator’s interest must be balanced against the legitimate interest of the user in his privacy. Website operators should therefore exercise caution and process IP addresses only when necessary.

For more information about the nature of IP addresses under data protection laws, see for example, “Data Protection: Protecting personal data in online services”.

And “Practice note, Data protection and the internet: General application of Data Protection Act 1998: Meaning of personal data and processing: IP addresses”.

Information we may collect from you

We may collect and process the following data about you:

The information you give us. You may give us information about you by filling in forms on our site (our site) or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use our site, subscribe to our service, and when you report a problem with our site. The information you give us may include your name, address, e-mail address and phone number, financial and credit card information, personal description and photograph.

Information we collect about you. With regard to each of your visits to our site we may automatically collect the following information:

  • Your client account details and relevant organizational information in the Client Area.
  • Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
  • Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
  • Information we receive from other sources. We may receive information about you if you use any of the other websites we operate or the other services we provide. In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected on this site.


Cookies are small data files which most website operators place on the browser or hard drive of their user’s computer. Cookies may gather information about the user’s use of the website or enable the website to recognise the user as an existing customer when he returns to the website at a later date. More recently, cookies have also been used to collect information about the user, which allows the website operator or a third party to create a profile of the user, his preferences and his interests for the purpose of serving the user with targeted, interest-based advertising. Following the adoption of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208) (2011 Regulations), which amend the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (2003 Regulations), the use of cookies is only allowed if the user concerned:
  • Has been provided with clear and comprehensive information about the purposes for which the cookie is stored and accessed.
  • Has given his or her consent.
(Regulation 6(1) and (2), revised 2003 Regulations.) Guidance issued by the Information Commissioner sets out in more detail how these obligations are to be met. In particular, the guidance states that information about the use of cookies should ideally be included in a prominent place on the website rather than merely in the privacy policy. This privacy policy forms part of a layered approach to the provision of information. Detailed information about the use of cookies should therefore be included in a cookie policy to which this privacy policy should link. A link to the cookie policy should also be included in a prominent place on the website itself. Alternatively, the link included on the website may link to a short-form notice (this may also appear by way of a mouse-over highlight) which will, in turn, link to the cookie policy. For a sample cookie policy and short-form cookies notice, see Standard clauses, Information about cookies: short-form notice and Cookie policy. For more information about the legal requirements governing the use of cookies and the practical steps providers can take to comply with their obligations, see Practice notes, Cookies: UK issues and Complying with the new cookie regime: practical steps.

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy.

Purpose limitation

The processing of personal data is subject to a strict purpose limitation principle. The data must be must be collected for specified, explicit and legitimate purposes, and not be further processed in a way incompatible with those purposes (paragraph 2, Part 1, Schedule 1 and paragraph 2(3)(c), Part 2, Schedule 1, DPA). The data controller must provide the data subject with information about the purposes for which the data will be processed (for example, order fulfilment, billing and delivery). The purpose must be clearly and specifically identified. In particular, it must be detailed enough to allow the data subject to determine what kind of processing is and is not included within the specified purpose. Consequently, data controllers should ensure that the purposes they notify to data subjects (for example, as part of a privacy policy) are not too vague or general. In practice, this may mean that they should specify clearly which types of data are processed for which purposes. Failure to do so could result in an overall failure to comply with the purpose limitation principle.

Further processing of personal data for purposes not specified at the time of collection is only permitted if it is not incompatible with the purpose or purposes for which the data was originally collected. The data controller must therefore take care to determine at the outset, the potential purposes for which he may use the data. However, personal data that is not required for a particular purpose must be erased or put beyond use. The data controller should therefore resist the temptation to fill the privacy policy with purposes for which he may use the data in the future “just in case”.

For more information about the purpose limitation principle, visit

If there is a change in the purposes for which visitors’ data is collected, the policy will require amendment, which in turn will need to be notified to data subjects (see Changes to our privacy policy). Website owners should therefore give careful consideration to the uses to which they want to put the data they collect, so as to avoid or minimise the risk of having to seek further consents.

The statement in the privacy policy concerning aggregate information on the usage of the site is not legally required, but it may help to promote customer confidence.

Uses made of the information

We use information held about you in the following ways:

The information you give to us. We will use this information to:

  • Carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
  • Provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
  • To provide you, with information about goods or services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you. to notify you about changes to our service;
  • Ensure that content from our site is presented in the most effective manner for you and for your computer.

Information we collect about you. We will use this information to:

  • Administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • Improve our site to ensure that content is presented in the most effective manner for you and for your computer;
  • Allow you to participate in interactive features of our service, when you choose to do so;

As part of our efforts to keep our site safe and secure.

Sharing personal data

Information should be provided as to whether the data will be accessed by, disclosed or sold to, third parties, and for what purposes (such as for credit card clearance, credit reference, order fulfilment, delivery, data analysis or customer support) (paragraph 2(3)(d), Part 2, Schedule 1, DPA). Some website owners sell customer lists, for example to advertisers (see Practice note, Overview of UK data protection regime: Third party data). It is particularly critical for the data controller to have the right to transfer data on a sale of the business.

Disclosure of your information

We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

Export of personal data to third countries and security

Under the eighth data protection principle, the transfer of any personal data to countries outside the EEA is only permitted where the receiving country provides an adequate level of protection (paragraph 1, Schedule 4, DPA). The DPA provides several exemptions and derogations from this principle, including where the European Commission has made a finding of adequacy in respect of the relevant country or if the data subject consents to the transfer. If the data controller intends to store or transfer the data to one or more non-EEA countries that are not covered by a Commission finding of adequacy, he should include wording in the privacy policy that implies the user’s consent to that transfer. Ideally, the website owner should also specify the countries to which personal data may be transferred (although in practice this may be impossible, since those destinations are likely to be subject to change).

A “transfer” of data may include the act of posting information to a website which can be accessed from overseas. This issue is particularly relevant (and problematic) for website owners who publish personal data on their sites, as it may be difficult to specify the relevant countries in which the data could be accessed. Examples of such sites are those which enable users to contact one another, such as auction sites, and those which provide instant messaging facilities. Owners of these sites should seek to impose rules of conduct on users in order to protect privacy. Such rules may be included in the privacy policy. For more information on the conditions that must be met to make personal data exports lawful, see for example Practice note, Cross-border transfers of personal data.

In order to promote confidence in users of the website, the privacy policy also includes an assurance that the data will be kept secure. The DPA imposes stringent security obligations on the data controllers in any case (see paragraph 7, Part I, Schedule 1, DPA). The assurance is qualified by a statement clarifying that the transmission of information via the internet is never completely secure. The privacy policy excludes the website owner’s liability for personal data lost in transmission to the website.

Where we store your personal data

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA, who work for one of our suppliers for us. By submitting your personal data, you agree to this transfer, storing or processing. Welcome Energy Limited will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Your rights

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at

Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Subject access requests

Pursuant to section 7 of the DPA, an individual can make a written request:

  • To be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller; and
  • Where that is the case, to be given by the data controller a description of the personal data, the purposes for which they are processed and the recipients to whom they may be disclosed (“subject access request”).
In most cases, the individual is also entitled to receive a copy of the data which is found to be held by the data controller, and to be told the source of the data. The information must normally be provided within 40 days. The data controller may charge a fee of up to £10.00 for each subject access request. The privacy policy is drafted to remind users that they have a right to make a subject access request. There is no legal requirement to include such a provision but it may help to promote confidence in the website. Again, some website owners may choose not to draw website users’ attention to their right to make a subject access request. For more information on subject access requests, see Practice note, Overview of UK data protection regime: Rights of individuals: Right of access.

Access to information

The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee of £10 to meet our costs in providing you with details of the information we hold about you.

Changes to the policy

In order to ensure its continued enforceability, the privacy policy includes a notice that changes made to it will be notified to users. The website owner may be unable to enforce retrospective changes to, for example, the purposes for which the personal data already collected from users of the website are used, unless such additional purposes have been notified to the relevant user and, where appropriate, the relevant consents have been obtained.

In his guidance, the Information Commissioner has stated that any changes to the privacy policy will only affect how data controllers can use any information collected after the date of the change. Visitors who provided information before the change will have done so in the light of the previous privacy statement, so data controllers must honour the assurances contained in that statement. Website controllers wishing to change the use they make of personal information they already hold should ideally get the individuals’ opt-in consent by notifying them of the proposed new use and obtaining their positive agreement. This is particularly important where that further use can be considered incompatible with the purpose for which the data was initially collected (see Checklist, Purpose limitation in data protection: When is further processing permitted?). Individuals who do not respond to an e-mail explaining the changes to the privacy policy are not deemed to have given their consent. The Information Commissioner accepts that in some cases, it will be enough to advise the individuals of the new use and give them an opportunity to object. This will be the case if the new use is not for a new purpose, or if the nature and purpose of the new use are close to the terms of the original privacy statement.

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.

Contact information

The policy must contain contact details to enable users to withdraw their consents, where the law permits them to object to certain types of processing. In particular, the Information Commissioner has stated that the geographical address of the website operator should be given.

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to

Website acceptable use policy

This acceptable use policy sets out the terms between you and us under which you may access our website (our site). This acceptable use policy applies to all users of, and visitors to, our site.

Your use of our site means that you accept, and agree to abide by, all the policies in this acceptable use policy. is a website operated by Welcome Energy Limited (we or us). We are a limited company registered in England under company number 10389438 and have our registered office at

Monarch House
7-9 Stafford Road

Our VAT number is 277993823

Prohibited uses

You may use our site only for lawful purposes. You may not use our site:

  • In any way that breaches any applicable local, national or international law or regulation.
  • In any way that is unlawful or fraudulent or has any unlawful or fraudulent purpose or effect.
  • For the purpose of harming or attempting to harm minors in any way.
  • To send, knowingly receive, upload, download, use or re-use any material which does not comply with our content standards.
  • To transmit, or procure the sending of, any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam).
  • To knowingly transmit any data, send or upload any material that contains viruses, Trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware.

You also agree:

  • Not to reproduce, duplicate copy or re-sell any part of our site in contravention of the provisions of our terms of website use.
  • Not to access without authority, interfere with, damage or disrupt:
    • Any part of our site;
    • Any equipment or network on which our site is stored;
    • Any software used in the provision of our site; or
    • Any equipment or network or software owned or used by any third party.

Where we provide any interactive service, we will provide clear information to you about the kind of service offered, if it is moderated and what form of moderation is used (including whether it is human or technical).

We will do our best to assess any possible risks for users (and in particular, for children) from third parties when they use any interactive service provided on our site, and we will decide in each case whether it is appropriate to use moderation of the relevant service (including what kind of moderation to use) in the light of those risks. However, we are under no obligation to oversee, monitor or moderate any interactive service we provide on our site, and we expressly exclude our liability for any loss or damage arising from the use of any interactive service by a user in contravention of our content standards, whether the service is moderated or not.

The use of any of our interactive services by a minor is subject to the consent of their parent or guardian. We advise parents who permit their children to use an interactive service that it is important that they communicate with their children about their safety online, as moderation is not foolproof. Minors who are using any interactive service should be made aware of the potential risks to them.

Where we do moderate an interactive service, we will normally provide you with a means of contacting the moderator, should a concern or difficulty arise.

Content standards

These content standards apply to any and all material which you contribute to our site (contributions), and to any interactive services associated with it.

You must comply with the spirit of the following standards as well as the letter. The standards apply to each part of any contribution as well as to its whole.

Contributions must:

  • Be accurate (where they state facts).
  • Be genuinely held (where they state opinions).
  • Comply with applicable law in the UK and in any country from which they are posted.

Contributions must not:

  • Contain any material which is defamatory of any person.
  • Contain any material which is obscene, offensive, hateful or inflammatory.
  • Promote sexually explicit material.
  • Promote violence.
  • Promote discrimination based on race, sex, religion, nationality, disability, sexual orientation or age.
  • Infringe any copyright, database right or trade mark of any other person.
  • Be likely to deceive any person.
  • Be made in breach of any legal duty owed to a third party, such as a contractual duty or a duty of confidence.
  • Promote any illegal activity.
  • Be threatening, abuse or invade another’s privacy, or cause annoyance, inconvenience or needless anxiety.
  • Be likely to harass, upset, embarrass alarm or annoy any other person.
  • Be used to impersonate any person, or to misrepresent your identity or affiliation with any person.
  • Give the impression that they emanate from us, if this is not the case.
  • Advocate, promote or assist any unlawful act such as (by way of example only) copyright infringement or computer misuse.

Suspension and termination

We will determine, in our discretion, whether there has been a breach of this acceptable use policy through your use of our site. When a breach of this policy has occurred, we may take such action as we deem appropriate.

Failure to comply with this acceptable use policy constitutes a material breach of the terms of use upon which you are permitted to use our site, and may result in our taking all or any of the following actions:

  • Immediate, temporary or permanent withdrawal of your right to use our site.
  • Immediate, temporary or permanent removal of any posting or material uploaded by you to our site.
  • Issue of a warning to you.

Legal proceedings against you for reimbursement of all costs on an indemnity basis (including, but not limited to, reasonable administrative and legal costs) resulting from the breach.



Our offices will be closed for the Bank Holiday (Monday 29 August 2022).
If you have a query, please contact us from Tuesday 30 August onwards, and we
will be happy to deal with your query then.
energy efficiency