Privacy Policy
Last updated: 31 May 2026 — EcoFit UK
1. Who we are
EcoFit UK operates this website. We are the data controller for personal data collected through this service. To contact us about your data, email [email protected].
2. What data we collect
We collect the following categories of personal data:
- Customers: name, email address, phone number, and postcode submitted when requesting quotes. We also store your answers to the quote wizard (e.g. installation type, timing).
- Installers: business name, owner name, contact email, phone, postcode, service area, bio, specialties, years trading, and logo. Payment information is processed by our payment provider (Stripe) and we store only a Stripe customer reference.
- Attribution data: if you arrive via a referral link or marketing campaign, we may store the referring domain and UTM campaign parameters (source, medium, campaign) linked to your account, to understand how people find us.
- All visitors: standard server access logs (IP address, browser type, pages visited) retained for up to 90 days. Where needed for location-based matching, your IP address may be used to infer an approximate location (see section 5).
3. How we use your data
We use your data to:
- Match customers with suitable installers in their area.
- Share customer contact details with installers who choose to reveal them using credits — contact details are only disclosed after an explicit installer action.
- Send transactional emails (quote notifications, receipts, account notices).
- Prevent fraud and ensure platform security.
- Understand how customers find us (attribution data), so we can improve our marketing.
- Resolve location for matching purposes using your postcode or, as a fallback, an approximate geolocation inferred from your IP address.
We do not sell personal data to third parties or use it for unsolicited marketing without your consent.
4. Legal basis (UK GDPR)
We process data under the following lawful bases:
- Contract performance — providing the quote matching service you requested.
- Legitimate interests — fraud prevention, platform security, and internal analytics (attribution data).
- Consent — attribution cookies (you can withdraw consent at any time by clearing your cookies or contacting us).
5. Third-party processors
We share data with the following processors under data processing agreements:
- Stripe — payment processing (subscription billing and credit purchases). Stripe processes data in the US and EU under Standard Contractual Clauses.
- Microsoft Azure Blob Storage — installer logo image hosting. Data is stored in the EU.
- ipapi.co — IP geolocation, used to pre-fill your approximate area before you enter a postcode. Only your IP address is sent; no other personal data.
- postcodes.io — UK postcode geocoding (latitude and longitude lookup). Only your postcode is sent.
Where processors are based outside the UK, transfers are made under UK-approved Standard Contractual Clauses or equivalent safeguards.
6. Data retention
We retain personal data only for as long as necessary:
- Unrevealed customer leads — deleted after 90 days if no installer has revealed the contact details.
- Revealed customer leads — deleted after 12 months from the date of first reveal.
- Payment records — retained for 7 years for financial and tax compliance.
- Server access logs — deleted after 90 days.
- Installer profiles — retained until deletion is requested or the account is closed.
- Reviews — retained as part of the public record of a verified transaction; customer name is shown as first name and last initial only. If your account is deleted and a review remains, your name is replaced with “Verified Customer” and your email is removed.
7. Cookies
We use the following cookies:
- cookie_consent — records your cookie preference. Max age: 1 year. Not used for tracking.
- eco_utm_source, eco_utm_medium, eco_utm_campaign — store the marketing campaign that referred you, so we can understand which channels work. Max age: 30 days. Only set if you have consented. HttpOnly.
- eco_ref — stores the domain that referred you (e.g. a partner site). Max age: 30 days. Only set with consent. HttpOnly.
- eco_installer_id — keeps installers logged in to their dashboard. Max age: 30 days. HttpOnly.
- NextAuth session cookies — keep admin users logged in. Session-scoped. HttpOnly.
No third-party tracking or advertising cookies are set. You can withdraw consent for attribution cookies at any time by clearing your browser cookies or visiting this page and using the cookie banner.
8. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Request deletion of your personal data (right to erasure).
- Receive a copy of your data in a machine-readable format (data portability).
- Object to or restrict certain processing.
- Withdraw consent where processing is based on consent.
To exercise any right, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
9. Contact
Data protection questions: [email protected]