Privacy Notice (UK GDPR)

1. Who We Are

Xtra Phones UK Ltd (company number 08204476), trading as CompareTheNetworks.com (“we”, “us”, “our”), is the data controller for the purposes of UK data protection law. Our registered office is Suite 2, Haughmond View, Shrewsbury Business Park, Shrewsbury, SY2 6LG.

This notice explains how we collect, use, store and share personal data when you use our website, speak to us by phone, email or chat, or take our services.

2. How to Contact Us

Privacy enquiries & data rights: privacy@comparethenetworks.com

General: info@comparethenetworks.com

Postal: Data Protection, Xtra Phones UK Ltd, Suite 2, Haughmond View, Shrewsbury Business Park, Shrewsbury, SY2 6LG

3. Scope

This notice applies to:

• Our website comparethenetworks.com and any sub‑domains
• Our telephone calls (inbound/outbound), emails, chat and forms
• Our sales, support and account management services

4. The Data We Collect

We may collect and process the following categories of personal data (as relevant):

• Identity and contact details
• Account, order and billing data
• Communications (emails, messages, support tickets, notes)
• Website/device data (IP address, pages visited, browser type, referral URLs)
• Call data (recordings, date/time, numbers, duration) and notes
• Device and service identifiers (e.g. IMEI/ICCID/SIM numbers, porting/PAC/STAC details)
• Usage data relevant to billing (e.g. allowances, out‑of‑bundle, bolt‑ons)
• Marketing preferences and consent records

We do not intentionally collect special category data. Please do not provide it unless we specifically request it.

5. How We Collect Your Data

• Directly from you
• From your employer or colleagues where we provide B2B services
• From partners/suppliers (e.g. networks/wholesalers) to provision or support services
• Automatically via our website (usage/cookies) and phone systems (call metadata/recordings)
• From publicly available sources and reputable data suppliers where lawful

6. Purposes and Lawful Bases

We use personal data to:

• Provide quotes, set up and deliver services — contract, Art. 6(1)(b)
• Customer service, troubleshooting and quality assurance — legitimate interests, Art. 6(1)(f)
• Call recording for training and dispute resolution — legitimate interests; where an order/complaint is discussed we may also rely on contract or legal obligation
• Billing, payments, refunds and account management — contract; legal obligation
• Marketing our services to business contacts — legitimate interests; to individuals with consent, Art. 6(1)(a)
• Security/fraud prevention — legitimate interests; legal obligation where applicable

You can object to processing based on legitimate interests at any time (see “Your rights”).

7. Telephone Calls & Recordings

We record certain inbound/outbound calls for training, quality assurance and to resolve disputes.

Retention: audio is kept for up to 6 months, then deleted unless we need to retain it longer due to an active dispute, fraud investigation or legal requirement. We can provide an unrecorded alternative (e.g. email or scheduled unrecorded callback) if you prefer not to be recorded.

8. Cookies, Website & Live Chat

We use cookies and similar technologies to operate our site and understand usage. Live chat/website tools may capture your IP address, device and browser information to secure sessions and deliver the service. You can control cookies via your browser; essential cookies may be required. See our Cookie Notice for details.

8a. Session Recording & Analytics (PostHog)

We use PostHog (PostHog Inc., hosted in the EU) to record anonymised session replays of how visitors interact with our website. This helps us identify usability issues and improve your experience.

What is captured:

• Mouse movements, clicks, scrolls, and page navigation
• Pages visited and time spent on each page
• Device type, browser, and screen size
• Page performance metrics

What is NOT captured:

• Passwords (always masked)
• Payment card details
• Any data entered on third‐party sites

Session recordings are stored on PostHog's EU servers (eu.posthog.com) and retained for 90 days. Recordings are only reviewed by authorised staff for the purpose of website improvement. Bot and crawler traffic is automatically excluded. You can opt out of session recording by disabling JavaScript or using a browser extension that blocks analytics scripts.

Legal basis: Legitimate interest (Art. 6(1)(f) UK GDPR) — improving website usability and user experience.

9. Sharing Your Data

We share data with:

• Networks/wholesalers and service partners to provision/support services
• IT, hosting, analytics, communications and payment providers acting under contract as processors
• Professional advisers, auditors and insurers
• Law enforcement/regulators/courts where required by law

Some processing occurs outside the UK (e.g. EEA, US, South Africa). Where we transfer data internationally, we use appropriate safeguards such as the UK Addendum/IDTA, UK‑approved SCCs, or an adequacy decision.

10. Credit Checks & Fraud Prevention (Creditsafe)

For certain orders (for example where a credit limit, device financing or a personal guarantee is involved) we and/or our partners carry out credit and identity checks with credit reference and fraud‑prevention agencies.

• Primary CRA we use: Creditsafe Business Solutions Limited (FCA FRN 742313), Ty Meridian, Cardiff Gate Business Park, Malthouse Ave, Pontprennau, Cardiff CF23 8BA. Privacy: creditsafe.com/gb/en/legal/privacy-policy.html
• What they do: supply us with information to help verify identity, assess creditworthiness and prevent fraud. They may draw on public sources (e.g. Companies House, electoral roll, court records) and credit data they hold.
• Search “footprints”: CRAs record that a search has been made. Depending on the product and CRA, this may be a soft (quotation) search or, if we tell you in advance, a hard search that may be visible to other lenders.
• Ongoing sharing: we may share account performance data (e.g. payment status, defaults) with CRAs and fraud‑prevention agencies to manage risk and protect against fraud.
• Partners’ CRAs: our networks/wholesalers may run their own checks and use other CRAs (e.g. Equifax, Experian or TransUnion) – please see their privacy notices for details and the industry CRAIN notice used by the main consumer CRAs.

11. Automated Decision‑Making & Profiling

We do not make decisions based solely on automated processing that have legal or similarly significant effects on you. Some partners (e.g. networks) may use automated credit scoring; where that happens, we ensure a route to human review on request.

12. If You Don’t Provide Personal Data

Where we need personal data by law or to enter into/perform a contract and you do not provide it when requested, we may be unable to provide or continue the service (for example, carry out credit checks, port a number or set up billing). We will notify you if this applies.

13. How Long We Keep Your Data

We only keep personal data for as long as necessary. Typical periods:

• Call recordings (audio) — up to 6 months
• Orders, contracts, invoices and related account records — up to 6 years
• Complaint/ADR files — up to 6 years after closure
• Lead/enquiry data (no contract) — 12 months from last interaction
• Marketing consent/preferences — 24 months from last interaction or until withdrawn
• Website logs/analytics — typically 12–24 months

Backups may persist briefly after deletion. We may retain data longer where required by law or in connection with a dispute.

14. Keeping Your Data Secure

We use proportionate technical and organisational measures, including access controls, encryption in transit where applicable, secure hosting and staff training. We act promptly on suspected data incidents and notify regulators/individuals where required.

15. Your Rights

Under UK GDPR you can:

• Access your personal data
• Rectify inaccurate data
• Erase data (in certain cases)
• Restrict processing
• Object (including to marketing and legitimate interests)
• Data portability
• Withdraw consent where relied upon

To exercise your rights, email privacy@comparethenetworks.com.

You have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk or 0303 123 1113; address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

16. Children

Our services are aimed at businesses and adult consumers. We do not knowingly collect data from children.

17. Changes to This Notice

We may update this notice from time to time. The latest version will be available at comparethenetworks.com/privacy-policy.