Origami Energy Limited (Origami, we, us, our) is a company registered in England and Wales, with company number 8619644 and whose registered office address is at 205 Cambridge Science Park, Milton Road, Cambridge CB4 0GZ.
Origami provides a web-based software application (the Services) to business customers for use by their staff, suppliers and other affiliated parties.
Origami respects your privacy and is committed to protecting your personal data. This privacy notice describes how we collect and process information about visitors to our website (the Website) and users of the Services. The Website is not intended for children and we do not knowingly collect data relating to children.
This privacy notice does not apply to individuals whose information may be collected by our customers during their use of the Services.
Origami is aware of its obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) and is committed to processing your data securely and transparently. This privacy notice sets out, in line with GDPR and DPA 2018, the types of data that we hold on you, how we use that information, how long we keep it for and other relevant information about your data.
We keep our privacy notice under regular review. This version was last updated in August 2022.
How to contact us
If you have any questions about this privacy notice or want to exercise your rights, please contact us by either:
Sending our Data Protection Manager an email to firstname.lastname@example.org
Writing to us at Origami, 205 Cambridge Science Park, Milton Road, Cambridge CB4 0GZ
Data protection principles
In relation to your personal data, we will:
Process it fairly, lawfully and in a clear, transparent way
Collect your data only for reasons that we find proper in relation to your use of the Website and Services
Only use it in the way that we have told you about
Ensure it is correct and up to date
Keep your data for only as long as we need it
Process it in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate) lost or destroyed
Types of data we collect
Information you voluntarily provide to us directly
We collect and maintain personal information that you voluntarily submit to us via the Website and during your use of the Services. For example, when you sign up to use the Services, contact us on the Website and/or sign up to our newsletter or use any web chat functionality that we may introduce.
This may include some or all of the following registration information (some of which will be optional):
Any other personal information you choose to share with us when you contact us
Information we collect through your use of the Services and Website
This may include the following information:
IP address of device(s)
Operating system and device type
Your device’s IMEI number
The MAC address of the device’s wireless network interface
Your time zone setting
Your browser default language setting
Access times and dates
Referring website addresses
Navigation around the site
Links followed, including in emails
Time spent on pages or viewing content
Types of content viewed and shared
Information we receive from third-party brand partners
In some situations we may receive your email address from your employer or other third-party company that validly holds your details and is permitted to share them with us. This will be used solely to invite you to sign up to use the Services. We will not store or use your email address for any other purposes.
Why we process your data
We use the personal information we collect from or about you for the following purposes:
Provision of the Services
We use your registration information to register you and create your user account, log you in, verify who you are and otherwise to provide you with our access to the Services.
What is our legal basis? It is necessary for the performance and fulfilment of the Services.
Data Analytics and Insight
We analyse usage information including that which we observe about users from their interactions with our Services. This information is used to create insights about usage and behaviours across our Services. By using this information, we are able to measure the effectiveness of our Services and how users use Services and improve the functionality of our Services.
Where your personal information is not in an anonymous form, it is in our legitimate interest to use your personal information in such a way to ensure that we provide the very best services to you and our other users.
Sending you newsletters or other marketing communications (from Origami) for which you have subscribed.
Where you have given your consent we use your personal information to send you marketing materials about Origami’s products and services which we think you might be of interest to you.
What is our legal basis for this? We rely on your consent to be able to do this – given at the time that you request the marketing communications.
Sharing information with third-party processors
We may share your personal information with third-party processors in order to provide the Services to you. This includes companies that for example who host our servers or manage or databases for us, or provide other technology solutions. They have no independent rights to use your data and are strictly controlled by us under contract.
What is our legal basis for doing this? It is in our legitimate interests to share your personal information in such a way to ensure that we provide the very best service we can to you.
We may also use your personal information to:
Help improve the Services
Contact you to answer any queries you may have sent to us (for example, contacting our technical support team) or to seek feedback from you.
What is our legal basis for doing this? It is in our legitimate interest to use your personal information in such a way to ensure that we provide the very best service we can to you.
Business administration, record keeping and legal compliance
We use your personal information for the following business administration and legal compliance purposes:
To comply with our legal obligations
To enforce our legal rights
To protect rights of third parties
In connection with a business transition such as a merger, acquisition by another company, or sale of all or a portion of our assets.
Use in this way may involve us sharing your personal information with professional advisers such as lawyers and accountants and/or governmental or regulatory authorities.
What is our legal basis? It is in our legitimate interest to ensure that we keep our records up-to-date and use them in connection with a business transition, enforce our legal rights, or to protect the rights of third parties. Otherwise, it is our legal obligation to use your personal information to comply with any legal obligations imposed upon us or other laws regulations that we are subject to.
How we obtain your consent
Where use of your personal information by us requires your consent, you may provide such consent:
At the time we collect your personal information by following the options we provide
By submitting information with a clear understanding of what it will be used for
By informing us using the contact details set out in this privacy notice
Third-party links and services
The Website and Services may contain links to third-party brands, websites and services. Please remember that when you use a link to go from the Website and/or Services to another website or you request a service from a third party, this privacy notice no longer applies.
Your browsing and interaction on any other website, or your dealings with any other third party and/or service provider, is subject to that website’s or third party’s own rules and policies.
We do not monitor, control or endorse the privacy practices of any third parties. We encourage you to become familiar with the privacy practices of every website you visit or third-party service provider that you deal with and to contact them if you have any questions about their respective privacy policies and practices.
Transfers outside the EEA
Although our offices and servers are based within the United Kingdom, in certain circumstances we may transfer your personal data outside the EEA to processors or subcontractors working for us, including in the USA, in connection with our business or for legal reasons. We will ensure that the transfer is lawful and that there are appropriate security arrangements.
If the European Commission has decided that a country does not provide an adequate level of protection in relation to data that is transferred there, we will enter into an agreement ensuring appropriate and suitable safeguards with our group member, processors or other transferee, or that there is another approved transfer mechanism in place. This may be via binding corporate rules or on standard terms adopted by the Information Commissioner and approved by the European Commission.
Protecting your data
We are aware of the requirements to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such risks such as encrypting payroll data.
Where we share your data with third parties, we provide written instructions to them to ensure that your data is held securely and in line with GDPR and DPA 2018 requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
How long we keep data for
The period for which we keep your personal data will depend on the reason we collected the data.
Where we hold your personal data:
In connection with a contract, we will store that data for the duration of the contract, the relevant limitation period for that contract plus one more year
To comply with our legal obligations, we will store that data for as long as it is necessary for us to hold that data
For purposes to which you have consented, in accordance with your consent
For our business legitimate interests, we will store that data for so long as we have a lawful basis to do so. We will review data held periodically and will only continue to store it where we determine that we continue to have a lawful basis to do so.
Your rights in relation to your data
The law on data protection gives you certain rights in relation to the data we hold on you. These are:
The right to be informed: This means that we must tell you how we use your data, and this is the purpose of this privacy notice.
The right of access: You have the right to access the data that we hold on you. To do so, you should make a subject access request.
The right for any inaccuracies to be corrected: If any data that we hold about you is incomplete or inaccurate, you are able to request us to correct it.
The right to have information deleted: If you would like us to stop processing your data, you have the right to ask us to delete it from our system where you believe there is no reason for us to continue processing it.
The right to restrict the processing of the data: For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct.
The right to portability: You may transfer the data that we hold on you for your own purposes.
The right to object to the inclusion of any information: You have the right to object to the way we use your data where we are using it for our legitimate interests.
The right to regulate any automated decision-making in way that adversely affects your legal rights.
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted, by having a legitimate reason for doing so.
If you wish to exercise any of the rights explained above, please contact us at email@example.com.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Making a complaint
The supervisory authority in the UK for data protection matters is the Information Commissioner’s Office (ICO). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO at any time. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. Details regarding how to contact us are above.