Last Updated: 08 May 2026
1. Introduction and Our Role
This Privacy Policy describes how Bundled Bills, referred to as “we”, “us”, or “our”, collects, uses, and protects your personal information.
Bundled Bills is a trading name of Bundled Bills Ltd, registered in England and Wales. We act as a Data Controller for the personal data we collect to provide our utility management and bill-bundling services.
This policy is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Data (Use and Access) Act 2025.
2. The Data We Collect
We process several categories of personal data depending on your interaction with our platform:
| Category | Data Elements |
|---|---|
| Identity Data | Full name. |
| Contact Data | Residential address, billing address, email, and mobile phone number. |
| Financial Data | Bank account details, including sort code and account number, and payment card tokens. Raw card data is processed by PCI-DSS compliant partners, such as Stripe. |
| Usage Data | Meter readings for gas, electricity, and water, plus broadband consumption metrics. |
| Credit Data | Credit scores and payment performance history obtained from Credit Reference Agencies (CRAs). |
| Technical Data | IP address, browser type, device identifiers, and cookie data. |
| Special Category Data | Health or medical data, such as Priority Services Register information, processed only with your explicit consent. |
3. Lawful Bases for Processing
We rely on the following legal grounds under Article 6 of the UK GDPR:
- Performance of a Contract: To set up your utility accounts, manage billing, and facilitate switching.
- Legitimate Interests: For fraud prevention, intra-group administrative sharing, improving staff training via call recordings, and operational AI summarization.
- Recognised Legitimate Interests (RLI): Under the Data (Use and Access) Act 2025, for responding to emergencies, safeguarding vulnerable individuals, or national security.
- Legal Obligation: For tax records with HMRC and validating Council Tax exemptions with local authorities.
- Consent: For direct marketing and processing special category medical information.
4. Disclosure to Third Parties
To provide our services, we share data with the following categories of recipients:
- Principal Utility Providers: Including energy, water, and broadband suppliers, such as British Gas and Virgin Media. These entities are independent controllers of the data they receive.
- Credit Reference Agencies (CRAs): We share data with Experian, Equifax, or TransUnion to assess creditworthiness and report payment performance under the Principles of Reciprocity.
- Local Authorities: To confirm your student status for Council Tax exemption purposes.
- Payment Processors: Third-party providers such as Stripe or LettsPay manage secure transactions.
- Debt Recovery Agencies: In the event of persistent non-payment, we may transfer your data to professional recovery services.
6. Artificial Intelligence (AI) and Machine Learning
We use AI tools to improve efficiency, such as summarizing support enquiries and monitoring call quality for training purposes.
- No Automated Decision-Making (ADM): We do not use AI to make final decisions regarding your credit limit, billing disputes, or service termination without human review.
- Data Security: Your data is processed in a “closed loop” and is never used to train external or public AI models.
7. Data Retention and Security
7.1 Retention Policy
In line with the “Storage Limitation” principle, we retain primary customer records and financial data for six years following the termination of your contract to comply with the Statute of Limitations and HMRC requirements.
7.2 Technical Safeguards
We implement industry-standard security, including SSL/TLS encryption for data in transit and robust firewalls for data at rest. Access to sensitive data is restricted to authorized personnel only.
8. Your Legal Rights
Under the UK GDPR and the Data (Use and Access) Act 2025, you have the following rights:
- Right of Access (SAR): You may request a copy of the data we hold. We limit searches to what is “reasonable and proportionate” as permitted by the 2025 Act.
- Right to Rectification: You can update inaccurate data through our contact details listed on the website.
- Right to Erasure: You may request deletion of data, subject to our legal retention obligations.
- Right to Portability: You can request your data in a machine-readable format to move to another provider.
- Right to Object: You can opt out of direct marketing at any time.
8.1 Complaints Procedure
Effective June 2026, you have a statutory right to complain directly to our internal Data Protection Officer (DPO) before escalating to the Information Commissioner’s Office (ICO). We will acknowledge your complaint within 30 days.
9. Contact Us
For any privacy-related enquiries, please contact our Data Protection Officer:
- Email: privacy@bundledbill.com
- ICO Supervisory Authority: You have the right to lodge a complaint with the ICO at ico.org.uk.
