We believe privacy should be simple and honest. The short version: we collect only what we need to run the service, we delete your bill file immediately after reading it (unless it's needed as smart meter consent evidence), we never sell your data, and you can ask us to delete everything at any time. The full details are below.
1. Who We Are
EnergyScan is operated by SCM Digitech Limited, a company incorporated in England and Wales (company number 14333758). We are the data controller responsible for your personal data collected through energyscan.co.uk and app.energyscan.co.uk (together, the "Service").
We are registered with the Information Commissioner's Office (ICO). If you have any questions about how we handle your data, contact us at steve@energyscan.co.uk.
2. What Data We Collect
2.1 Data you provide directly
| Data | When collected | Purpose |
|---|---|---|
| Email address | Account registration or waitlist sign-up | Account access, deal alerts, service communications |
| Password (hashed) | Account registration | Account security — we never store your password in plain text |
| Energy bill file (photo or PDF) | When you upload a bill | AI extraction of tariff and usage data only — deleted immediately after processing |
| Extracted bill data | After bill processing | Stored in your profile to power daily monitoring and improve comparison accuracy |
2.2 Extracted bill data we store
Once your bill has been processed, we store the following extracted fields in your account profile:
- Supplier name and tariff name
- Unit rates (pence per kWh) for electricity and/or gas
- Standing charges
- Estimated annual usage (kWh)
- Contract end date and exit fee amount (if present)
- Bill date
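The original bill file is permanently deleted immediately after extraction. We do not retain photographs or PDFs of your bills, except where a bill is used as identity evidence in the smart meter consent flow, in which case that specific bill image is retained as described in Section 6.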
2.3 Data collected automatically
| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention, and abuse detection |
| Browser type and device information | Ensuring the Service works correctly across devices |
| Pages visited and actions taken within the app | Service improvement and debugging |
| Session tokens (cookies) | Keeping you logged in securely |
2.4 Payment data
We do not collect or store your payment card details. All payment processing is handled by Stripe, Inc. When you subscribe, you enter your card details directly into Stripe's secure interface. We receive only a confirmation of payment and a Stripe customer reference. Stripe's privacy policy is available at stripe.com/gb/privacy.
2.5 Smart meter data (with your explicit consent)
If you choose to connect your smart meter, we access the following data from your meter via the Data Communications Company (DCC) network, using n3rgy Data Ltd as our authorised data processor. This data is only collected after you provide separate, explicit consent through our dedicated smart meter consent flow — it is not collected as part of your general use of the Service.
| Data | Purpose |
|---|---|
| Half-hourly electricity consumption readings (kWh) | Daily cost tracking, bill forecasting, tariff simulation, usage alerts |
| Half-hourly gas consumption readings (kWh), where a gas smart meter is installed | Daily cost tracking, bill forecasting, heating efficiency analysis |
| Meter details (device type, status, installation address, MPAN/MPRN) | Verifying your meter identity and ensuring data is matched to the correct property |
| Up to 12 months of historical consumption data (where available from the DCC) | Year-on-year comparison, seasonal pattern analysis, tariff modelling |
You can disconnect your smart meter at any time via your account settings. See Section 2.6 below for details on how smart meter consent works.
2.6 Smart meter consent — how it works
Smart meter data access is governed by the Smart Energy Code (SEC) and requires your explicit, informed consent — separate from your agreement to EnergyScan's general terms of service. Here is how it works:
- Separate consent flow — when you click "Connect Smart Meter", you are shown a dedicated explanation of what data we will access, why, for how long, and who processes it. You must actively check a consent box and confirm. This is entirely separate from your account registration and subscription.
- Identity verification — your uploaded energy bill serves as a recognisable official document that verifies your identity and your connection to the metered address. We cross-reference the address on your bill with the meter installation address held by the DCC.
- Consent duration — your consent is valid for 12 months. We will contact you approximately 30 days before it expires to invite you to renew. If you do not renew, data collection stops automatically.
- Withdrawal — you can withdraw consent at any time by clicking "Disconnect Smart Meter" in your account settings (takes effect within seconds), by emailing us (processed within 24 hours), or by cancelling your subscription or deleting your account. On withdrawal, we immediately notify n3rgy Data Ltd to stop collecting your data.
- Consent evidence — the SEC requires us to retain evidence of your consent (the bill used for verification, the meter inventory check, and a record of your consent action) for 4 years after consent is withdrawn or expires. This is a legal obligation that applies even if you delete your account — see Section 6 for details.
3. How We Use Your Data
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Creating and managing your account | Contract performance (Article 6(1)(b)) |
| Processing your bill and providing comparison results | Contract performance (Article 6(1)(b)) |
| Running daily market monitoring and sending deal alerts | Contract performance (Article 6(1)(b)) |
| Sending subscription-related emails (receipts, renewal notices, cancellation confirmations) | Contract performance (Article 6(1)(b)) |
| Sending monthly market update emails to subscribers | Legitimate interests (Article 6(1)(f)) — you may opt out at any time |
| Waitlist communications (launch notification) | Consent (Article 6(1)(a)) — given at sign-up; withdrawable at any time |
| Fraud prevention and security | Legitimate interests (Article 6(1)(f)) |
| Improving the accuracy of our AI extraction | Legitimate interests (Article 6(1)(f)) |
| Accessing and processing your smart meter data (daily cost tracking, bill forecasting, tariff simulation, usage benchmarking, switching recommendations) | Explicit consent (Article 6(1)(a)) — given through our dedicated smart meter consent flow; withdrawable at any time via account settings |
| Retaining smart meter consent evidence (bill image, meter verification, consent records) | Legal obligation (Article 6(1)(c)) — required by the Smart Energy Code for 4 years after consent withdrawal |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
We do not use your data for advertising, profiling, or any purpose unrelated to providing the Service.
4. Who We Share Your Data With
We do not sell your personal data. We share it only with the following third-party service providers, and only to the extent necessary to operate the Service:
| Provider | Role | Data shared | Location |
|---|---|---|---|
| Supabase | Database and authentication | Account data, extracted bill data | EU (AWS) |
| Stripe | Payment processing | Email address, subscription status | USA (SCCs in place) |
| Resend | Transactional email delivery | Email address, email content | USA (SCCs in place) |
| Mailchimp (Intuit) | Waitlist and marketing emails | Email address | USA (SCCs in place) |
| Anthropic | Bill data extraction (AI processing) | Bill file contents (deleted by provider after processing; not used for model training) | USA (SCCs in place) |
| n3rgy Data Ltd | Smart meter data retrieval from the DCC network | Meter reference numbers (MPAN/MPRN), half-hourly consumption readings. n3rgy acts as a data processor and does not use your data for any other purpose. | UK |
| The Energy Shop Ltd | Tariff comparison data and energy supplier switching | When you view tariff comparisons: postcode, meter reference numbers (MPAN/MPRN), annual energy consumption. When you submit a switch application: name, date of birth, email, phone number, supply address, bank details (sort code and account number for direct debit setup), and current tariff information. The Energy Shop processes switch applications on behalf of energy suppliers. | UK |
| Vercel | Application hosting | Server logs, IP addresses | USA/EU (SCCs in place) |
"SCCs" means Standard Contractual Clauses — the approved legal mechanism under UK GDPR for transferring personal data to countries outside the UK/EEA.
We may also disclose your data if required to do so by law, court order, or regulatory authority, or to protect the rights, property, or safety of SCM Digitech Limited, our users, or others.
5. Cookies
We use a small number of cookies that are strictly necessary to operate the Service:
- Authentication cookie — keeps you logged in during and between sessions. Set by Supabase.
- Session cookie — maintains your session state while using the app. Deleted when you close your browser.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics or similar services.
6. How Long We Keep Your Data
| Data | Retention period |
|---|---|
| Bill files (photo/PDF uploads) | Deleted immediately after AI extraction — not retained. Exception: if your bill is used as identity evidence during the smart meter consent flow, that specific bill image is retained for 4 years after consent withdrawal (Smart Energy Code requirement). |
| Smart meter consumption data (half-hourly readings) | Retained while your account is active and smart meter consent is in place. Deleted on account deletion. |
| Smart meter consent evidence (bill image, meter verification, consent records) | Retained for 4 years after consent is withdrawn or expires, as required by the Smart Energy Code. If you delete your account before the 4-year period expires, this evidence is anonymised (personal details removed; only meter reference and consent timestamps retained). |
| Extracted bill data and account profile | Retained while your account is active, then deleted within 30 days of account deletion |
| Email address and account credentials | Retained while your account is active, then deleted within 30 days of account deletion |
| Subscription and payment records | Retained for 7 years to comply with financial record-keeping obligations |
| Switch application data (name, address, bank details submitted to The Energy Shop) | Application reference and tariff details retained while your account is active for status tracking and commission reconciliation. Bank details are transmitted to The Energy Shop at the time of switching and are not stored by EnergyScan after submission. |
| Waitlist email addresses | Retained until you unsubscribe or request deletion |
| Server logs (IP addresses, access logs) | Up to 90 days, then automatically purged |
7. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate or incomplete data.
- Right to erasure — you can ask us to delete your personal data. We will comply unless we are required to retain it by law (e.g. financial records, or smart meter consent evidence required by the Smart Energy Code for 4 years after withdrawal).
- Right to restriction — you can ask us to restrict how we process your data in certain circumstances.
- Right to data portability — you can request your data in a structured, machine-readable format.
- Right to object — you can object to processing based on legitimate interests, including for marketing purposes.
- Right to withdraw consent — where processing is based on consent (e.g. waitlist emails, smart meter data access), you can withdraw it at any time without affecting prior processing. For smart meter data, click "Disconnect Smart Meter" in your account settings.
To exercise any of these rights, email us at steve@energyscan.co.uk. We will respond within one month. We will not charge a fee for reasonable requests.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. Children's Privacy
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at steve@energyscan.co.uk and we will delete it promptly.
9. Security
We take the security of your personal data seriously. Our security measures include:
- All data in transit is encrypted using TLS (HTTPS);
- Passwords are hashed using bcrypt before storage — we cannot read your password;
- Database access is restricted to authenticated application services only;
- Bill files are processed in memory and deleted immediately — they are never written to persistent storage (except where retained as smart meter consent evidence, in which case they are stored encrypted at rest in a restricted-access storage bucket);
- Smart meter consent evidence is stored with database-level access controls that prevent modification after creation;
- Stripe handles all payment card data — we never receive or store card numbers.
No method of transmission or storage is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by updating the effective date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your data, please contact us:
- SCM Digitech Limited — Company No. 14333758
- Email: steve@energyscan.co.uk
- Registered in England and Wales
This Privacy Policy was last updated on 6 March 2026. Previous versions are available on request.