Last updated on 4 January 2026
Meet George Limited (“Meet George”, “we”, “us”, “our”) provides a UK business energy comparison and switching platform. We are registered in England and Wales (company number 15747538) with our registered office at 18 Albert Road, Bournemouth, Dorset, BH1 1BZ.
This Privacy Policy explains how we collect and use personal data when you:
Scope: Meet George is a business-to-business service for UK businesses (including sole traders, limited companies, LLPs and trusts). We do not offer a service to domestic consumers.
Age restriction: Our service is for business users aged 18 or over. We do not knowingly collect personal data from children.
Data protection lead (privacy contact): privacy@meetgeorge.co.uk
We collect personal data from you, from documents you upload, and from partners involved in the switching process (such as energy suppliers and platform/brokerage partners).
Important: We collect bank details only to pass them to the relevant supplier(s) for Direct Debit set-up. We do not store bank details long-term and we delete them once they have been submitted to the supplier, subject to short-lived technical processing needs (e.g. retry/validation windows).
We use these logs for security, fraud prevention, monitoring, troubleshooting, compliance evidence and service integrity. We do not intentionally log full document contents (e.g. bill images) or bank details.
If implemented, we may obtain:
This will be clearly signposted in-product before any check is performed.
Special category data: We do not intentionally collect special category data (such as health data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, or data concerning sex life or sexual orientation). If you choose to upload documents containing this type of information, we process it only to the extent necessary to provide the service and secure the platform.
Under UK GDPR we must have a lawful basis for each purpose.
Purpose: create and manage accounts, authentication, dashboards, support, service administration.
Lawful basis: performance of a contract; legitimate interests (operating and securing the service).
Operational processing: Our platform uses secure storage for uploaded documents, background processing to run certain workflows (for example, document extraction and sending notifications), and caching/rate-limiting controls to protect the service and improve performance.
Purpose: extract tariff/usage details from uploaded documents to reduce manual entry and improve accuracy.
Lawful basis: performance of a contract; legitimate interests (efficient, accurate service delivery).
Purpose: measure and improve the quality, safety and reliability of AI-assisted features (for example, identifying common failure modes, improving extraction accuracy, monitoring abuse patterns, and improving user experience). This may involve processing AI interaction data such as the types of questions asked, feature usage metrics, error signals, and, where necessary for troubleshooting or security, limited short-term log data. We are designed to prefer aggregated and de-identified analytics over storing raw question text.
Lawful basis: legitimate interests (improving and securing the service).
Where we publish insights (for example, aggregated trends about what business users ask our AI), we do so in a way designed to avoid identifying any individual or business. We do not publish customer-identifiable AI queries or confidential customer-specific information.
Purpose: obtain supplier quotes, submit switch requests, manage LoA/contract signing, manage the switching journey.
Lawful basis: performance of a contract.
Purpose: obtain quotes, run eligibility steps where required, set up contracts, and set up Direct Debits.
Lawful basis: performance of a contract; legitimate interests (operating a broker-led switching service).
Purpose: receive ongoing consumption/usage data from suppliers to calculate supplier commissions and support account operations (e.g. contract status and renewal visibility).
Lawful basis: legitimate interests (operating our business model and supporting customers operationally).
We maintain Legitimate Interests Assessments (LIAs) where we rely on legitimate interests and can provide a copy on request.
Purpose: website analytics, measurement, and experience improvements.
Lawful basis: consent (for non-essential cookies); legitimate interests / strictly necessary (for essential cookies and security).
Purpose: send important service communications (e.g. account/security notices, switch status updates, launch notifications you requested).
Lawful basis: performance of a contract; legitimate interests.
Purpose: product updates and marketing communications.
Lawful basis: consent (you can unsubscribe at any time).
Purpose: reduce failed applications by filtering out tariffs you are unlikely to qualify for, where supplier eligibility rules require it.
Lawful basis: legitimate interests (and, where strictly necessary to progress a switch, performance of a contract). We will provide clear notice at the point of collection.
We use AI to (a) extract information from bills/contracts, (b) answer questions about contract terms, and (c) provide tariff recommendations.
When AI-assisted features are used, we may send limited relevant information from your uploaded documents and business profile to third-party AI providers via our AI infrastructure. We are designed to minimise personal data sent to AI providers and avoid sending unnecessary personal data. We are designed to configure and contract with AI providers to restrict training on customer content, using business-oriented settings where appropriate.
We do not make solely automated decisions that have legal or similarly significant effects on you. You remain in control and must review and confirm any switch.
More detail on our AI-assisted features, safeguards, and third-party AI provider controls is set out in our AI Transparency & Ethics Policy.
We share personal data only where needed for the purposes above.
Energy suppliers typically act as independent controllers for quote issuance, credit/eligibility decisions, contract set-up, billing and supply. We share business/contact data, meter identifiers, usage information, and (where required) signed documents and bank details for Direct Debit set-up.
Where your switch runs via a platform/brokerage route (e.g. POWWR/Broker360 and related supplier portal integrations), data may be shared to operate the switching workflow, commission processing, and associated operational steps. Depending on the activity, a partner may act as an independent controller or our processor. We put appropriate data protection terms in place and document the role split.
For example, POWWR typically acts as our processor for portal connectivity and switching workflow operations, but may act as an independent controller for certain commission administration and brokerage platform activities.
We use vendors for hosting, databases/authentication, transactional email delivery, analytics/monitoring, and e-signature. We maintain appropriate data processing agreements with our processors.
This includes e-signature providers used for Letters of Authority and contract signing (for example Documenso and DocuSign), and AI infrastructure providers used to route requests to AI models where enabled.
Current vendor list: Our Trust Centre contains the current vendor/sub-processor list including regions and the applicable international transfer mechanism: meetgeorge.co.uk/trust-centre
Some service providers are located in (or may access data from) countries outside the UK (including the United States and Australia). Where UK personal data is transferred internationally, we use appropriate safeguards such as:
We record the vendor, region and transfer mechanism in our Trust Centre and internal transfer register. (See: meetgeorge.co.uk/trust-centre)
The UK is introducing frameworks to enable trusted, customer-directed data sharing (often described as “Smart Data”). Where we participate in any applicable scheme, we will comply with the relevant rules and provide appropriate, scheme-specific notices and controls.
Where a smart data scheme introduces specific consent or authorisation requirements (for example standardised digital permissions or consent dashboards), we will implement scheme-compliant user controls and update our notices accordingly.
We keep personal data only for as long as necessary for the purposes described above, including legal, regulatory and dispute-resolution needs.
| Data type | Typical retention | Rationale |
|---|---|---|
| Account profile data (name, email, preferences) | While account active + 90 days | Account administration, security, support |
| Support tickets and correspondence | 24 months | Operational support continuity |
| Uploaded bills | While application active + 12 months | Evidence, user convenience, dispute handling |
| Uploaded existing contracts (if provided) | While application active + 12 months | Context for switching journey and queries |
| LoA (signed) | Contract life + 6 years | Authority evidence, disputes/claims |
| Energy contract documents (signed) | Contract life + 6 years | Contract evidence, disputes/claims |
| Switching workflow records (quote selections, timestamps, audit trail) | Contract life + 6 years | Audit, dispute resolution |
| Operational application logs (platform/server logs) | 30–90 days | Security monitoring, troubleshooting, service integrity |
| Audit trail and webhook event logs (workflow and compliance traceability) | Contract life + 6 years | Evidence of switching events/signing/authority, dispute handling, compliance traceability |
| Background job execution logs (asynchronous workflows) | 30–90 days | Troubleshooting and operational reliability of background processing |
| Monitoring/observability telemetry (metrics/traces, where enabled) | 30–180 days (configuration dependent) | Reliability monitoring, performance and security detection |
| Bank details (for Direct Debit) | Deleted after supplier submission | Direct Debit set-up only |
| Supplier-provided ongoing usage data | While contract live + 24 months | Commission calculation, operations, renewal visibility |
| Incomplete applications (abandoned journeys) | 90 days | Allow users to resume; fraud/security checks |
| Cookie consent records | 6 years | Evidence of consent |
| Web analytics event data | Per analytics configuration (typically 14-26 months) | Site measurement |
| Inactive accounts (no login/activity) | Review at 24 months inactivity | Data minimisation |
You can request deletion sooner where applicable (see “Your rights”). Where we must retain data for legal claims or compliance, we will restrict access and retention to what is necessary.
You have rights under UK GDPR, including:
Timeframes: We respond to rights requests without undue delay and within one month. This can be extended by up to two further months for complex or multiple requests, and we will tell you within the first month if we need an extension.
Please note that rights may be qualified where requests relate to security logs, fraud prevention, or legal claims, or where fulfilling a request would adversely affect the rights of others. Where this applies, we will explain our reasoning.
To exercise your rights, contact: privacy@meetgeorge.co.uk
We maintain operational, security and audit logs to help protect the platform, prevent fraud and misuse, maintain availability, troubleshoot issues, and evidence key events in the switching journey.
These logs may include identifiers such as account IDs, tenant IDs, timestamps, IP address, request identifiers, and records of actions/events (for example: switching workflow events, signing events, supplier/webhook events and background job execution events).
We minimise the personal data contained in logs and apply access controls and retention limits. We do not intentionally store bank account details in logs and we do not intentionally store full uploaded document contents (such as bill images) in logs.
Further details of our vendors used for hosting, processing, monitoring and logging (including regions and applicable transfer mechanism) are published in our Trust Centre: meetgeorge.co.uk/trust-centre
We use technical and organisational measures designed to protect personal data, including encryption in transit, access controls, least-privilege access, and audit logging. Our Trust Centre summarises key security controls and governance commitments: meetgeorge.co.uk/trust-centre
If a personal data breach occurs, we will assess it promptly and, where required by law, notify the ICO and affected individuals.
Our website or platform may include links to third-party sites (e.g. suppliers/partners). Their privacy practices are governed by their own policies. We are not responsible for third-party sites.
We may update this Privacy Policy from time to time. If changes are material, we will post a notice on our website or in-product and, where appropriate, notify account holders by email.
For service-related complaints (including complaints about our switching service or AI-assisted outputs), please see our Complaints Procedure published on our website. Privacy complaints can be raised via privacy@meetgeorge.co.uk as set out below. If we cannot resolve an eligible complaint within 8 weeks, or we issue a deadlock letter, you may be able to escalate to the Energy Ombudsman under the Ombudsman’s scheme rules.
If you have concerns, contact us first at privacy@meetgeorge.co.uk. You also have the right to complain to the UK Information Commissioner’s Office (ICO):
