Privacy Policy

Last updated: 13 May 2026

1. Introduction

This notice describes how EcoBrace Ltd ("EcoBrace", "we", "us") processes personal data when you use our marketing site at ecobrace.co.uk or the authenticated product at app.ecobrace.co.uk. EcoBrace Ltd is a company registered in England and Wales [company number: TBC]; we are the data controller for the processing described here.

This notice forms the data-protection schedule to our Terms of Service. For privacy queries, including subject access requests, contact hello@ecobrace.co.uk.

2. What personal data we collect

We collect the following categories of personal data:

  • Account data — the name, email address and company you provide when you create an account, plus login timestamps and authentication events.
  • Usage data — records of searches, campaigns, top-ups and other actions you take in the platform, retained against your account so we can bill you, support you and improve the Service.
  • Technical identifiers — standard server-side data your browser sends with each request: IP address, user agent, preferred language and timestamps. We use these for security, debugging and rate limiting.
  • Payment data — handled by Stripe on our behalf. We see metadata about a transaction (amount, currency, status) but we do not see or store your card number. Stripe's own privacy notice covers its handling of payment data.
  • Customer-supplied data — campaign recipient lists you upload for direct-mail campaigns. We process this on your instructions as your processor; see section 6.

The platform also serves UK property data — EPC certificates, council tax band data, postcode and address data — sourced from public registers. This data describes properties rather than identifiable individuals visiting our site, so we do not treat it as personal data about you when you browse the marketing site.

3. Lawful bases (UK GDPR Article 6)

We rely on the following lawful bases for the processing described above:

  • Contract (Article 6(1)(b)) — processing necessary to run your account and deliver the Service you have signed up for, including billing.
  • Legitimate interests (Article 6(1)(f)) — securing the platform against fraud and abuse, debugging faults, understanding aggregate product usage to improve the Service. We have weighed these interests against your rights and we will reconsider on request.
  • Consent (Article 6(1)(a)) — marketing emails, and any optional cookies we may introduce in future. You may withdraw consent at any time without affecting prior lawful processing.
  • Legal obligation (Article 6(1)(c)) — retaining records to meet tax, accounting and fraud-prevention obligations.

4. How we use your data

We use the data described in section 2 to: operate your account; deliver Search, Direct Mail and any other features you use; calculate and charge Fees; provide customer support and respond to enquiries; protect the platform against fraud and abuse; meet legal and accounting obligations; and send transactional service communications (for example, password resets, billing receipts and incident notifications).

We send marketing communications only with your consent, and every marketing email contains a one-click unsubscribe link.

5. Who we share data with (sub-processors)

We do not sell your personal data. We share it only with the sub-processors we need to deliver the Service:

  • Microsoft Azure — cloud hosting and database, primary processing in the UK region.
  • Stripe — payment processing. Stripe operates in the UK / EU and the US under applicable adequacy decisions and contractual safeguards.
  • Azure Communication Services — transactional email delivery, UK / EU region.
  • Print fulfilment partner — [print partner: TBC]. For Direct Mail campaigns we share recipient lists with our print partner under a written data-processing agreement; lists are deleted once the campaign has been dispatched.
  • Cloudflare — bot-protection challenge service (Turnstile) and edge network. Cloudflare processes IP addresses and challenge metadata to verify that submissions to our contact form originate from human users.

We will publish an up-to-date list of sub-processors and notify Customers of any material change. We may also disclose personal data where required by law or in response to a valid request from a competent regulator.

6. International transfers

Primary processing takes place in the United Kingdom and the European Economic Area. Where a sub-processor (for example, Stripe's US arm) processes data outside the UK / EEA, we rely on UK adequacy decisions and / or the UK International Data Transfer Agreement (IDTA) or the Addendum to the EU Standard Contractual Clauses, as appropriate. Copies of the relevant transfer mechanisms are available on request.

7. Retention

We keep personal data only as long as we need it. Indicative retention periods (we will review and tighten these as the product matures):

  • Account data — for the life of your account, plus six (6) years after closure to meet UK tax and accounting obligations.
  • Campaign records (the fact a campaign ran, target counts, audit trail) — twenty-four (24) months after the campaign completes.
  • Campaign recipient lists — deleted from the print fulfilment partner once the campaign has been dispatched; retained inside the platform only as long as the campaign is in progress unless you keep the list on your account.
  • Server access logs — ninety (90) days.
  • Support correspondence — twenty-four (24) months after the case closes.
  • Marketing consent records — kept while consent is current, plus three (3) years after withdrawal as evidence of lawful processing.

8. Cookies

The marketing site at ecobrace.co.uk currently uses no cookies: no analytics, no advertising, no cross-site trackers, no consent banner is needed. If we introduce cookies later, this notice will be updated and consent will be collected where required.

The authenticated product at app.ecobrace.co.uk uses cookies for authentication and session management — these are strictly necessary for the Service to function and are documented in the product's own privacy notice.

When you submit the contact form on this site, Cloudflare's Turnstile bot-protection service may set short-lived cookies on the challenge subdomain (challenges.cloudflare.com) as part of verifying that you are a human user. These cookies are not set on the ecobrace.co.uk domain.

9. Your rights under UK GDPR

You have the following rights in respect of personal data we hold about you:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct data that is inaccurate or incomplete.
  • Erasure — ask us to delete your personal data, subject to any legal obligation we have to retain it.
  • Restriction — ask us to limit how we process your data in certain circumstances.
  • Portability — ask us to provide your data in a structured, commonly used and machine-readable format.
  • Objection — object to processing we carry out on the basis of legitimate interests, including direct marketing.
  • Withdraw consent — withdraw any consent you have given us at any time; this does not affect prior lawful processing.
  • Automated decision-making — ask us not to subject you to a decision based solely on automated processing that has legal or similarly significant effects on you (see section 12).

To exercise any of these rights, email hello@ecobrace.co.uk. We will respond within one calendar month. We may ask you to verify your identity before disclosing personal data.

10. Security

We take reasonable technical and organisational measures to protect personal data, including: TLS in transit across all public endpoints; encryption at rest for Azure SQL and Azure Blob storage; role-based access control over admin tooling; secrets stored in Azure Key Vault rather than in code; no shared administrator credentials; and structured access logs retained for incident review.

No internet-connected system is perfectly secure. If we discover a personal-data breach that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals where required.

11. Children

The Service is intended for business use and is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

12. Automated decision-making

We do not make decisions about you that are based solely on automated processing and that produce legal effects or similarly significant effects on you. The Service performs automated filtering of property data on your instructions; the downstream marketing decisions remain yours.

13. ICO registration & complaints

EcoBrace Ltd is registered with the Information Commissioner's Office as a data controller [ICO registration number: TBC].

If you are unhappy with the way we have handled your personal data, please contact us first at hello@ecobrace.co.uk so we can try to put it right. You also have the right to complain directly to the ICO at ico.org.uk or by phone on 0303 123 1113.

14. Changes to this notice

We may update this notice from time to time. For material changes — for example, introducing analytics cookies or a new category of sub-processor — we will notify you in advance via email or in-product banner. Non-material changes (drafting clarifications, contact-detail updates) may be made without advance notice.

15. Contact

Privacy queries — including subject access requests — go to hello@ecobrace.co.uk or via the contact form .