Privacy Policy

Privacy Policy

This post is also available in: Fr (Fr), Es (Es), De (De), It (It),

EcoAct is committed to ensuring that your privacy is protected. Looking after your personal data is important to us. We want you to be confident that your data is safe and secure with us, and you understand how we use it.

We are committed to doing the right thing when it comes to how we collect, use and protect your personal data, that’s why we’ve developed this privacy notice which:

  • Sets out the types of personal data that we collect
  • Explains how we use your data
  • Explains how we ensure your privacy is maintained
  • Explains the rights and choices you have when it comes to your personal data

This notice also applies to information we collect about people who use our services and our website.

EcoAct are both a data controller and a data processor under the new General Data Protection Regulation.

Contact details

By post: Data Protection Officer, EcoAct, Second Floor, MidCity Place, 71 High Holborn, London WC1V 6EA

By email:


Please see our separate Cookie Policy.

What information we collect

Personal data is any information relating to an identified or identifiable living person. EcoAct processes personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.

When you register with us or enquire about our services, you will provide us with personal data. Given the diversity of the services we provide to our clients, we process many categories of personal data, including as appropriate for the services we are providing:

  • Company name and address
  • Contact details including name, address, email, phone number
  • Financial Details for invoice and payment
  • Information you may consider relevant and necessary for us to deliver our services
  • In the case of job applications we will collect personal data included in any submitted CV

When we collect personal data we are known as the ‘controller’ and when our clients supply data we are the ‘processor’. When acting as a ‘processor’ we will manage on your behalf the personal information you require from your clients.

Processing of data

Our policy is to collect only the personal data necessary for agreed purposes and we ask our clients to only share personal data where it is needed for those purposes.

EcoAct wants to provide the best service experience; we therefore gather this data to understand your needs and personalise our service, thus providing you with a better service experience. The information may be used for:

  • Providing a tailored and personalised service to clients and customers with products and services most likely to interest you
  • In execution of the job application process
  • Internal audit purposes
  • Improving our services
  • Processing payments
  • Periodically send promotional or market research communications which we think you may find interesting using the contact details which you have provided

EcoAct may contact you by email, phone, SMS or mail. The lawful basis on which we process data for this purpose will be different depending on the reason for the contact.

In all the below scenario’s ‘consent’ means that consent which is willingly and knowingly given having understood the terms of this privacy notice.

If you are enquiring about our services we will use either ‘consent’ or ‘contract’ in order to fulfil your request for information

As an active customer which means currently engaged on one or more projects we will use ‘consent’ and ‘contract’

As an inactive customer which means no longer engaged on a project we will use ‘consent’ or ‘legitimate interest’

Data retention

EcoAct will as a minimum keep your information for as long as we are providing you a service or are likely to provide a service due to an enquiry we have received.

We review the need to hold personal data on an annual basis. Any personal data, physical or electronic, that no longer needs to be maintained for the purposes of meeting our legal or regulatory obligations will be reviewed and when appropriate securely destroyed.

Where data is processed solely for marketing purposes, any information we use for this purpose will be kept until you notify us that you no longer wish to receive this information, or until the data is deleted following annual review, whichever is earliest.

As part of ensuring we are providing the right services to you we may use your data to pursue our legitimate interests in a way which would reasonably be expected as part of running our business and supplying services, this will be done in a way that does not materially impact your rights, freedom or interests. For example, we may use information on the services and products supplied historically to you to support or make available appropriate new offerings.

We may also use your address details to post out direct marketing materials telling you about products and services that we think may be of interest to you.

You may choose to opt out of any marketing communications at any time by any of the following methods:

  • Unsubscribing from the campaign
  • Emailing us at

Should you prefer to use royal mail:

  • Marketing, EcoAct, Second Floor, MidCity Place, 71 High Holborn, London WC1V 6EA

Note that unsubscribing does not imply the deletion of your data. To exercise your right to be forgotten and have your data deleted see the ‘How to exercise your Rights’ section at the end of this notice.

Sensitive personal data

We will not normally ask you for sensitive personal data as defined under law as ‘special category information’ and specifically in Article 9 of the GDPR.

In the event you are required to attend our site it may benefit you to notify us of any health condition or disability you have so that we are aware of these conditions and how they affect you. This will allow us to take any reasonable steps to accommodate specific needs or requirements you have when hosting you. This type of information is known under the law as ‘special category information’ (or ‘sensitive personal data’) and we require your explicit consent to process this information. This data will only be kept as long as it is required for this purpose, or until such time as you notify us you no longer consent to its processing.

Sharing your personal data

EcoAct works with several agencies and carefully selected service providers that carry out certain functions on our behalf to support the services we provided to you. These include, for example, companies that help us with technology services and also payment processing. We only share personal data that enables the agencies and our service providers to provide their services and it will always be shared in a secure and appropriate manner.

We may share personal data with other organisations in the following circumstances:

  • If the law or a public authority says we must share the personal data
  • If we need to share personal data in order to establish, exercise or defend our legal rights (this includes providing personal data to others for the purposes of preventing fraud and reducing credit risk)
  • To an organisation we sell or transfer (or enter into negotiations to sell or transfer) any of our businesses or any of our rights or obligations under any agreement we may have with you to. If the transfer or sale goes ahead, the organisation receiving your personal data can use your personal data in the same way as us; or to any other successors in title to our business

Protection of personal data

This section sets out some of the measures we have in place to secure personal data:

  • Access to personal data is provided only to those employees who require access to perform their job function
  • Access to our computer systems is protected by robust security measures which include firewall, email and file encryption at rest and in transit, anti-virus and anti-ransomware, 24×7 security monitoring to detect unusual network activity
  • Our staff are trained and tested on data protection and cyber security awareness
  • We use the services of a specialist computer security services provider to ensure our systems remain secure using the latest technologies applicable for companies of our size and in our industry sector
  • We have robust procedures and policies in place that are adhered to by our staff
  • All physical instances of personal data are treated with the same strict security as electronic data.
  • Physical data is kept secure at all times when not being processed.
  • Policy and procedures exist for the safeguarding of any personal data in physical form that, by necessity, leaves the office environment including electronic data being carried in physical form such as DVD or USB

Your rights and choices relating to your personal data

Under data protection legislation, you have several rights regarding the use of
your personal data, as follows:

The right of confirmation and access

As a data subject you have the right to obtain confirmation from the data controller as to whether or not personal data concerning you is being processed. You also have the right to obtain from us free information about your personal data stored at any time, and a copy of this information. Furthermore, you have the right to obtain information as to whether personal data is transferred to a third country or to an international organisation. Where this is the case, you also have the right to be informed of the appropriate safeguards relating to the transfer.

Right to rectification and to be forgotten

You have the right to ask us to rectify inaccurate data or to complete any incomplete personal data that we hold. You have the right to ask us to erase your personal data without delay where one of the statutory grounds applies, so long as the processing is not necessary. If you request us to erase your personal data, then this means that our business relationship will end as we cannot provide our service without processing your data.

If you exercise your ‘Right to be Forgotten’, then all personal data stored will be deleted. This means that you may be contacted again in the event that you re-connected with us via web, phone or email and/or your details are given to us by a third party.

Right to object

You have the right to restrict the processing of your personal data under certain circumstances, including if you have contested its accuracy and while this is being verified by us, or if you have objected to its processing and while we are considering whether we have legitimate grounds to continue to do so. You have the right to object, on grounds relating to your particular situation, at any time, to the processing of personal data concerning you.

Right of data portability

You also have the right for certain data you have given us to be provided to you in a structured and commonly used electronic format (for example, a .csv file), so that you can move, copy or transfer this data easily to another data controller. You may also request that we transmit this data directly to another organisation where it is practical for us to do so.

Automated individual decision-making, including profiling

You have the right not to be subjected to a decision based solely on automated processing, including profiling. EcoAct do not process any personal data in this way.

How to exercise your Rights

If you wish to contact us in respect of any of the Rights described above, please use the contact details below.


Data Protection Officer, EcoAct, Second Floor, MidCity Place, 71 High Holborn, London WC1V 6EA


We will normally respond to your request free of charge and within 30 days’

How to complain about the use of your data

If you wish to raise a complaint about how we have handled your personal data, including in relation to any of the rights outlined above, you can contact us on the details at the start of this notice and we will investigate the matter for you. If you are not satisfied with our response, or believe we are processing your data unfairly or unlawfully, you can complain to the supervisory authority:

Information Commissioner’s Office (ICO)

Wycliffe House

Water Lane


SK9 5AF.

You can find further information about the ICO and their complaints
procedure here:

GDPR compliant data collection statement.

EcoAct uses the information you provide to contact you about similar products and services. You may unsubscribe from these communications at any time.