Privacy & your data
Short version: we hold the minimum needed to do the job, on purpose. We never keep a
password in readable form, and you can delete everything, any time, from your account.
- What we store. Your email (to sign you in), an optional postcode (for local deals), a sign-in
password only if you choose to set one (kept as a scrambled one-way hash, never the password itself),
and — only if you connect a meter — your meter’s resource id and an encrypted
read-only data token. That’s it. No bank details, no personal profile, nothing sold.
- What we never store. Never a readable password — not ours (only a one-way hash, if you
set one) and never your Bright account’s (we use it once to connect, then discard it). By default you
sign in with a short-lived email link that expires in 15 minutes.
- How we secure it. The meter token is encrypted at rest. Sessions use a signed, secure,
HTTP-only cookie. We never log secrets or tokens.
- Read-only. Meter access is read-only — we can see your usage, never change your account.
- Your control. Delete your account any time — it hard-deletes
your record and meter connection immediately, with no retained copy.
- Logged out, nothing is stored. The free per-postcode check creates no account and stores nothing.
This privacy note is written to be plain and straightforward rather than exhaustive.