1.1. This privacy policy (“Policy”) relates to the website at https://www.amber.net/, our online productivity tools, and platform and associated amber energy mobile and desktop applications including The Student Energy Project (TSEP) https://www.thestudentenergyproject.com/, as well as any subdomain or any such related website and/or mobile application for such website (together the “Website”).

1.2. You should read this Policy carefully as it contains important information about how we will use your Information (as defined below in clause 5.1). In certain circumstances (see below) you will be required to indicate your consent to the processing of your Information as set out in this Policy when you first submit such Information to or through the Website. For further information about consent see clause 8 below.

2.1. The terms “Amber” or “us” or “we” refer to Amber Energy Solutions Limited, the owner of the Website. We are a company registered in England and Wales under company number 06968134 whose registered office is at 1 Central Square, Cardiff, Wales CF10 1FS. The term “you” refers to the individual accessing and/or submitting Information to the Website.

Depending on the provided services we operate in the following capacity:

3.1 Data Controller:

We act as a Data Controller when we are responsible for determining the purposes and means for processing Personal Data. This may involve direct data collection and interactions with data subjects in relation to the services that we provide. This includes managing and safeguarding sensitive information in compliance with GDPR and pertinent privacy legislation.

3.2 Data Processor:

We act in the capacity of a Data Processor when processing Personal Data on behalf of the Customer for specific processing activities. This involves executing tasks as instructed by the Data Controller and maintaining compliance with contractual and legal obligations.

3.3 Sub-Processor Engagement:

We may engage third-party entities as sub-processors to support the delivery of contracted services. This engagement is subject to appropriate agreements and compliance measures to ensure the protection of Personal Data in accordance with applicable laws and regulations.

4.1. References in this Policy to:

4.1.1. “Privacy and Data Protection Requirements” means: the Data Protection Act 1998 (until repealed) (“DPA”), the Data Protection Directive (95/46/EC) (until repealed) and, from 25 May 2018, the General Data Protection Regulation 2016/679 (“GDPR”) or any equivalent provision which may replace the GDPR following the formal political separation of the United Kingdom from the European Union; the Regulation of Investigatory Powers Act 2000; the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699); the Electronic Communications Data Protection Directive (2002/58/EC); the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003); and all applicable laws and regulations which may be in force from time to time relating to the processing of Personal Data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner or any other supervisory authority, and the equivalent of any of the foregoing in any relevant jurisdiction; and

4.1.2. “Personal Data”, “Data Controller” and “Data Processor” and “processing” shall have the meanings given to them in the DPA or, from 25 May 2018, the GDPR.

4.2. For the purposes of applicable Privacy and Data Protection Requirements, we (Amber Energy Solutions Limited) are a Data Controller and therefore we are responsible for, and control the processing of, your Personal Data in accordance with applicable Privacy and Data Protection Requirements. “Personal Data” has a legal definition but, in brief, it refers to information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Such information must be protected in accordance with applicable Privacy and Data Protection Requirements.

5. Information we may collect about you

5.1. When you use the Website and/or when you otherwise deal with us we may collect the following information about you (“Information”):

5.1.1. Personal information including first and last name;

5.1.2. Contact information including current residential address, primary email address and/or primary phone number;

5.1.3. Billing information with billing details including credit card information, and banking address;

5.1.4. Technical information including, IP address, operating system, browser type and related information regarding the device you used to visit the Website, the length of your visit and your interactions with the Website, and more specifically:

• Services Metadata. For example, the energy data, channels, people, features, content and links you interact with, the types of files shared and what third party services (if any);
• Log data. As with most websites and technology services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services and record it in log files. This log data may include the IP address, the address of the web page visited before using the Website, browser type and settings, the date and time the Website was used, information about browser configuration and plugins, language preferences and cookie data (for more information on cookies please see clause 17 below);
• Device information. We collect information about devices accessing the Website, including type of device, what operating system is used, device settings, application IDs, unique device identifiers and crash data. Whether we collect some or all of this information often depends on the type of device used and its settings;
• Location information. We receive information from you, your Customer and other third-parties that helps us approximate your location. We may, for example, use a business address submitted by your employer, or an IP address received from your browser or device to determine approximate location. we may also collect location information from devices in accordance with the consent process provided by your device;

5.1.5. Information obtained through our correspondence and monitoring in accordance with clause 5.2 below; and

5.1.6. Details of any enquiries made by you through the Website, together with details relating to subsequent correspondence (if applicable). We collect certain personal information from and about you when you get in contact with us through various channels. This includes using our website, interacting with us via phone calls, emails, web chat, SMS, and social media messaging platforms such as WhatsApp. We collect and record data from these interactions to respond to your enquiries, provide support, and enhance the service we deliver. By monitoring and recording these communications, we ensure that we can offer the best possible service and maintain accurate records of your interactions with us.

5.2. We may monitor your use of the Website through ‘cookies’ and similar tracking technologies. We may also monitor traffic, location and other data and information about users of the Website. Such data and information, to the extent that you are individually identifiable from it, shall constitute Information as defined above. However, some of this data will be aggregated or statistical, which means that we will not be able to identify you individually. See clause 17 below for further information on our use of cookies.

5.3. Occasionally we may receive information about you from other sources, for example any social media apps you connect with through the Website, or from any third-party websites and applications that integrate or communicate with the Website in relation to you. If so, we will add this information to the Information we already hold about you in order to help us carry out the activities listed below.

5.4. If you make use of our Website through a social media provider, such as LinkedIn, we may access information about you via that social media provider in accordance with their policies. When using social media and you have chosen to include it in your social media account, we may access information such as your name, profile picture, gender, birthday, email address, town or district and any other information you have chosen to make available. We may also access information from social media providers about your use of an application that we run on their website.

5.5. We process your personal information to deliver, maintain, and enhance our services, which includes the use of advanced technologies such as artificial intelligence (AI) and machine learning (ML) that are necessary for optimising service delivery, improving customer experience, and enhancing support capabilities, including but not limited to:

• Analysis of Interactions: Enhancing our understanding of user interactions to provide better support and service.
• Transcription of Communications: Converting communications, including web chat, into text for record-keeping and improved responses.
• Chatbot and Voice Bot Interactions: Employing AI-driven chat and voice bots for handling both voice and text-based customer interactions to provide prompt assistance.
• Personalisation: Tailoring our services and communications to better meet your needs and preferences.
• Automation and Service Optimisation: Utilising AI and ML tools to streamline workflows, analyse data, and improve the efficiency, accuracy and effectiveness of our services.

Please be assured that our use of these technologies is fully compliant with the General Data Protection Regulation (GDPR). We adhere to rigorous technical security measures and uphold strict security and privacy standards to ensure the protection of your data.

6. How long we keep your Information

6.1. We shall retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, in accordance with the legal bases set out in section 7.1, and to comply with legal, regulatory, or contractual obligations. Specifically:

6.1.1. Where the legal basis for processing is the performance of a contract, personal data will be retained for the duration of the contractual relationship and for a reasonable period thereafter, in order to comply with legal, regulatory, or contractual obligations.

6.1.2. Where the legal basis for processing is express consent, such as for marketing purposes, personal data will be retained until consent is withdrawn, unless another lawful basis for retention applies.

6.2. If required, we may retain personal data for longer periods to comply with legal, regulatory, or contractual obligations.

6.3. Please be aware that if you send us personal data via social media messaging platforms, this data will be stored along with your other account records in line with our standard data retention policy. We may use the information provided through these channels to update your account details as necessary.

7. Legal Basis for Processing Your Information

7.1. Under the UK GDPR and the Data Protection Act 2018, we will only process your personal information where we have a valid legal basis to do so. The legal bases for processing your information include:

• Performance of a contract: Processing is necessary to enter into or fulfil a contract with you, including operating, maintaining, providing, and improving our website and services. This also includes handling enquiries, complaints, and account administration such as invoicing and billing.
• Compliance with legal obligations: We may process your personal data to comply with regulatory or legal requirements, such as responding to law enforcement requests, preventing fraud, or meeting financial reporting obligations.
• Legitimate interests: Processing is necessary for our legitimate business interests, provided your rights and freedoms do not override these interests. This includes improving our services, ensuring website functionality, analysing trends, investigating security incidents, and sending certain marketing communications. You have the right to object to processing based on legitimate interests (see clause 15.6).
• Consent: Where we rely on your consent, such as for marketing communications to personal email addresses, you may withdraw your consent at any time (see “Marketing and opting out” in clause 9).

7.2. We will only process your personal data for the purposes described above and will ensure that any processing is carried out in compliance with applicable data protection laws. Where necessary, we will conduct assessments to balance our legitimate interests with your rights and freedoms.

8.1. As noted above, you will be required to give consent to certain processing activities before we can process your Information as set out in this Policy. Where applicable, we will seek this consent from you when you first submit Information to or through the Website.

8.2. If you have previously given consent you may freely withdraw such consent at any time. You can do this through your account on the Website or by notifying us in writing (see clause 21 below).

8.3. If you withdraw your consent, and if we do not have another legal basis for processing your information (see clause 6 above), then we will stop processing your Information. If we do have another legal basis for processing your information then we may continue to do so subject to your legal rights (for which see clause 15 below).

8.4. Please note that if we need to process your Information in order to operate the Website and/or provide our services, and you object or do not consent to us processing your Information, the Website and/or those services may not be available to you.

9.1. Where you are dealing with us on behalf of a limited company or LLP, for business purposes, then we may contact you by email to your corporate email address about similar or related products that we offer. If you prefer not to receive any direct marketing communications from us, or you no longer wish to receive them, you can opt out at any time (see below).

9.2. Where you have previously ordered products or services from us we may contact you by telephone and email and post about similar or related products, services, promotions and special offers that may be of interest to you. We will inform you (during the sale process) if we intend to use your data for such purposes and give you the opportunity to opt-out of receiving such information from us. In addition, and if you have given permission, we may also contact you by telephone and email about our other products, services, promotions and special offers that may be of interest to you. We will inform you (before collecting your data) and seek your permission if we intend to use your data for such additional marketing purposes. If you prefer not to receive any direct marketing communications from us, or you no longer wish to receive them, you can opt out at any time (see below).

9.3. If you have given permission, we may contact you by [mail, telephone and email] to provide information about products, services, promotions, special offers and other information we think may be of interest to you. We will inform you (before collecting your data) if we intend to use your data for such purposes. If you would rather not receive such marketing information from us, or you no longer wish to receive it, you can opt out at any time (see below).

9.4. If you have given permission, we may share your personal data with carefully selected third party organisations and business partners and they may contact you directly (unless you have asked them not to do so) by mail, telephone and email about products, services, promotions and special offers that may be of interest to you. We will inform you (before collecting your data) and seek your permission if we intend to disclose your data to third parties for such purposes. If you prefer not to receive direct marketing communications from our business partners, or you no longer wish to receive them, you can opt out at any time (see below).

9.5. You have the right at any time to ask us, or any third party, to stop processing your information for direct marketing purposes. If you wish to exercise this right, you should contact us by sending an email to privacy@amber.net, or contact the relevant third party using their given contact details, giving us or them enough information to identify you and deal with your request. Alternatively, you can follow the unsubscribe instructions in emails you receive from us or them.

We carry out automated marketing qualification using some of the information that we collect about you (clause 5). We won’t ever carry out such qualification if it is intrusive, and you always have the right to object.

11.1. We may disclose your Information (including Personal Data):

11.1.1. To other companies within our group of companies (which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006);

11.1.2. To our business partners, service providers, or third-party contractors to enable them to undertake services for us and/or on our behalf. This includes providers of engineering services, industry data collection and aggregation, call-centre operations, IT and system administration services, and those utilising advanced technologies such as AI and machine learning. We ensure these entities have appropriate measures in place to protect your Information;

11.1.3. To any prospective buyer or seller (and their representatives) in the event that we sell or buy any business or assets;

11.1.4. To protect and defend the rights, property or safety of amber energy or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.

11.1.5. If we are under a duty to disclose or share Personal Data in order to comply with any legal obligation, including (but not limited to) any request or order from law enforcement agencies and/or HMRC in connection with any investigation to help prevent unlawful activity; and

11.1.6. To other third parties if you have specifically consented to us doing so.

11.1.7. To social media platforms and messaging services, such as WhatsApp, when you interact with us through these channels. The processing of your information will be subject to the privacy policies of the respective platforms.

11.2. We may disclose aggregated, anonymous information (i.e. information from which you cannot be personally identified), or insights based on such anonymous information, to selected third parties, including (without limitation) analytics and search engine providers to assist us in the improvement and optimisation of the Website. In such circumstances we do not disclose any information which can identify you personally.

11.3. If our whole business is sold or integrated with another business your Information may be disclosed to our advisers and any prospective purchasers and their advisers and will be passed on to the new owners of the business.

11.4. Use of Third-Party Processors. Where third parties process data on our behalf, they are not permitted to use it for their own purposes, they are only permitted to use your personal information as instructed by us and in compliance with applicable laws.

12.1. We implement strict security procedures to protect your personal information, including verifying your identity during communications and employing robust protocols. We adhere to the highest standards of security and technical organisational measures in accordance with GDPR, including the use of data encryption, secure communication practices, and compliance with stringent security standards for any use of artificial intelligence (AI) or machine learning (ML) technologies. 

12.2. While we will use all reasonable efforts to safeguard your Information, you acknowledge that the use of the internet is not entirely secure and, therefore, we cannot guarantee the security or integrity of any Information that is transferred from you or to you via the internet. 

12.3. When you communicate with us via social media platforms or messaging services, such as WhatsApp, please be aware that these platforms operate under their own privacy policies and security measures. By choosing to interact with us through these platforms, you consent to the processing of your personal data by the respective platform in accordance with its privacy policy, and you do so at your own discretion. We will handle any personal data shared through these channels in line with our data retention policies. Please note that while we take measures to protect your personal information, we do not have control over how these platforms manage and process data shared through their services. 

We may monitor and record communications with you, including but not limited to telephone conversations, emails, web chat, SMS, and social media messaging platforms such as WhatsApp. This is done for the purposes of provision of services, quality assurance, training, fraud prevention, and compliance purposes. We collect and record data from these interactions to respond to your enquiries, provide support, and enhance the service we deliver. By monitoring and recording these communications, we ensure that we can offer the best possible service and maintain accurate records of your interactions with us. Any information that we receive through such monitoring and communication will be added to the information we already hold about you and may also be used for the purposes listed in clause 6 above. 

14.1. From time to time, it may be necessary to transfer your information to third-party entities located outside of the United Kingdom (UK) and the European Economic Area (EEA) (“International Transfers”) for the provision of contracted products and services. In accordance with GDPR and applicable data protection laws, such International Transfers are permitted providing additional safeguards are in place to maintain the privacy and security of your personal information. Amber remains committed to the protection of your data and will rely on Standard Contractual Clauses (SCC) supported by Transfer Risk Assessments (TRA) when making International Transfers to ensure the secure and lawful processing of personal information in line with applicable data protection laws.

Definitions

Standard Contractual Clauses (SCCs): SCCs are contractual clauses adopted by data protection authorities, which set out the appropriate safeguards for the transfer of personal data to third countries that do not ensure an adequate level of data protection

Transfer Risk Assessments (TRAs): Transfer Risk Assessments are conducted to assess and mitigate the risks associated with the international transfer of personal data. TRAs help ensure that adequate safeguards are in place to protect the privacy and security of personal information during such transfers.

Consent for International Transfers: It is important to note that, in certain circumstances, no additional consent is required for International Transfers when relying on SCCs and TRAs. However, such transfers will only be made when there is a legitimate reason, such as when it is necessary for the provision of contracted products and services.

If you give us information on behalf of a third party, you confirm that the third party has appointed you to act on their behalf and has agreed that you can: give consent on their behalf to the processing of their Information; receive on their behalf any data protection notices; and give consent to the transfer of their Information abroad (if applicable).

If you are an individual, this section sets out your legal rights in respect of any of your Personal Data that we are holding and/or processing. If you wish to exercise any of your legal rights, you should put your request in writing to us (using our contact details in clause 21 below) giving us enough information to identify you and respond to your request.

16.1. You have the right to request access to information about Personal Data that we may hold and/or process about you, including: whether or not we are holding and/or processing your Personal Data; the extent of the Personal Data we are holding; and the purposes and extent of the processing.

16.2. You have the right to have any inaccurate information we hold about you be corrected and/or updated. If any of the Information that you have provided changes, or if you become aware of any inaccuracies in such Information, please let us know in writing giving us enough information deal with the change or correction.

16.3. You have the right in certain circumstances to request that we delete all Personal Data we hold about you (the ‘right of erasure’). Please note that this right of erasure is not available in all circumstances, for example where we need to retain the Personal Data for legal compliance purposes. If this is the case, we will let you know.

16.4. You have the right in certain circumstances to request that we restrict the processing of your Personal Data, for example where the Personal Data is inaccurate or where you have objected to the processing (see clause 15.6 below).

16.5. You have the right to request a copy of the Personal Data we hold about you and to have it provided in a structured format suitable for you to be able to transfer it to a different data controller (the ‘right to data portability’). Please note that the right to data portability is only available in some circumstances, for example where the processing is carried out by automated means. If you request the right to data portability and it is not available to you, we will let you know.

16.6. You have the right in certain circumstances to object to the processing of your Personal Data. If so, we shall stop processing your Personal Data unless we can demonstrate sufficient and compelling legitimate grounds for continuing the processing which override your own interests. If, as a result of your circumstances, you do not have the right to object to such processing then we will let you know.

16.7. You have the right to object to direct marketing, for which see clause 8.4 above.

If you have any concerns about how we collect or process your Information then you have the right to lodge a complaint with a supervisory authority, which for the UK is the UK Information Commissioner’s Office (“ICO”). Complaints can be submitted to the ICO through the ICO helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available at https://ico.org.uk/concerns/.

18.1. Our website may issue ‘cookies’ (small text files) to your device when you access and use the Website and you will be asked to consent to this at the time (e.g. when you first visit our website). Cookies do not affect your privacy and security since a cookie cannot read data off your system or read cookie files created by other sites.

18.2. Our Website uses cookies and other tracking and monitoring software to: distinguish our users from one another; collect standard Internet log information; and to collect visitor behaviour information. The information is used to track user interactions with the Website and allows us to provide you with a good experience when you access the Website, helps us to improve our Website, and allows us to compile statistical reports on Website visitors and Website activity.

18.3. You can set your system not to accept cookies if you wish (for example by changing your browser settings so cookies are not accepted), however please note that some of our Website features may not function if you remove cookies from your system. For further general information about cookies please visit www.aboutcookies.org or www.allaboutcookies.org.

19. Changes to this Policy

19.1. We keep this Policy under regular review and may change it from time to time. If we change this Policy we will post the changes on this page, and place notices on other pages of the Website as applicable, so that you may be aware of the Information we collect and how we use it at all times. You are responsible for ensuring that you are aware of the most recent version this Policy as it will apply each time you access the Website.

19.2. This Policy was last updated on 24/02/2025

20.1. Our Website may contain links to other websites. This Policy only applies to our Website. If you access links to other websites any Information you provide to them will be subject to the privacy policies of those other websites.

20.2. We have no control over third party websites or systems and accept no legal responsibility for any content, material or information contained in them. Your use of third party sites or systems will be governed by the terms and conditions of that third party. It is your responsibility to ensure you are happy with such third-party terms and conditions.

20.3. The display of any hyperlink and/or reference to any third-party website, system, product or service does not mean that we endorse that third party’s website, products or services and any reliance you place on such hyperlink, reference or advert is done at your own risk.

This Policy aims to provide you with all relevant details about how we process your Information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. If you have any difficulty in reading or understanding this Policy, or if you would like this Policy in another format (for example audio, large print or braille), please get in touch with us.