Privacy Notice

Updated May 2020

Your privacy is important to us. This privacy notice explains what personal data we collect from you and why, as well as how we use it and keep it secure. If you have any questions about this privacy notice, or if you wish to exercise your rights you can contact our Data Protection Officer (DPO) by email at, by writing to Data Protection Officer, Wave, Priory House, Abbey Road, Pity Me, Durham, DH1 5RR or by calling 03450 704 158.

Who are we?

We are Wave, a joint venture between Anglian Water Business (National) Limited (Company Number 3017251) and NWG Business Limited (Company Number 04047470). We provide our customers with water, wastewater (sewerage), efficiency and energy services. Our registered office is Northumbria House, Abbey Road, Pity Me, Durham, DH1 5FJ.

What this Privacy Notice covers

At Wave, we take your privacy very seriously and are committed to putting our customers first by being transparent on how we collect, use and protect personal information.

Wave is both a Data Controller and Data Processor. We will process personal data about our non-household customers (“NHH customers”) who are registered to eligible water and wastewater supply points in the non-household retail water market (as defined in the Water Act 2014, Water Services etc (Scotland) Act 2005 and market codes), and who receive energy services within the energy market. We will also process personal data about prospective water and energy customers. 

We want you to be confident that your personal information is safe and secure. Except as provided for in this Privacy Notice, we will not share your personal information with third parties for any other purpose, unless we are permitted to do so by law.

This privacy policy explains:

  • what personal information we collect about you;
  • the source of your personal information;
  • what we use your personal data for;
  • the legal grounds for processing your personal information;
  • how and when you can withdraw your consent;
  • when personal information may be transferred outside the UK or EEA;
  • marketing-related information;
  • how we share information with third parties;
  • what you should do if your personal information changes;
  • whether you need to provide your personal information to us;
  • if any monitoring is involved in processing your personal information;
  • about other automated decision making;
  • how long your personal information is retained by us;
  • your rights under data protection laws;
  • your right to object;
  • your marketing preferences and what they mean; and
  • how to contact us.

We may make changes to this notice from time to time, for example to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will notify our customers of changes by prominently posting a notice on our websites (, and We encourage you to regularly check back and review this notice, so that you will always know what information we collect, how we use it and who we share it with.

What are the legal grounds for processing personal information (including when we share it with others)?

We rely on the following legal bases to use your personal data.

  • Where it is necessary to perform a contract or take steps to enter into a contract needed to provide you with our products or services, such as:
    • assessing an application for a product or service you hold with us, including considering whether to offer you the product, the price or the payment methods available;
    • managing products and services you hold with us, or an application for one;
    • updating your records, tracing your whereabouts to contact you about your account and do this for recovering debt (where appropriate); and
    • all stages and activities relevant to managing the product or service including enquiry, application, administration and management of accounts.
  • Where it is in our legitimate interests to do so.
  • To comply with our legal obligations.
  • Within your consent or explicit consent. For example, for some of our processing of special categories of personal data; such as your health if you are a vulnerable customer, data will be shared with the Market Operators (CMA and MOSL).


From time-to-time, we may tell you about products and services that we think may be of interest to you, for example services that help improve efficiency in your business or could lower your utility costs. These might come from ourselves or carefully selected third parties. Each time you are contacted with such information, you are given the opportunity not to receive any more. You may ask us at any time to stop sending you these communications.

Please let us know via our website by completing a general enquiry form on our website, by calling 03450 704 158 or by writing to us at the address set out in the Contact Us section at the end of this privacy notice. If you receive a marketing email from us, you will always have the option to remove your consent by using the unsubscribe option. Please note though, you may still receive non-personalised information about us or our services through your letterbox.

What are marketing preferences and what do they mean?

We may use your supply or business address, phone numbers and email addresses to contact you according to your marketing preferences. You can stop our marketing communications at any time by using the Contact Us information at the end of this document.

How do we share your information with third parties?

We will not share your information with anyone outside of Wave, except:

  • where we have your permission;
  • where required for the provision of products or services;
  • where we are required by law and by law enforcement agencies, judicial bodies, government entities or tax authorities;
  • with regulatory bodies including the Market Operators for Scotland and England (CMA and MOSL), using dedicated users with password-controlled access via private/public key certificates to ensure its security;
  • with Wholesalers providing the supply of water and/or sewerage services in accordance with the Wholesale Retail Codes. We may pass on your contact details so that your wholesaler can contact you, for example, in the event of an emergency or to replace your meter; 
  • with third parties providing services to us, such as IT software and maintenance providers, bill print houses and subcontractors acting on our behalf;
  • with debt collection agencies;
  • with credit reference agencies via secure file transfer protocols; and
  • where permitted by law, it is necessary for our legitimate interest or those of a third party and it is not inconsistent with the purposes listed above.
  • with Retailers providing the supply of water and/or sewerage services in accordance with the Wholesale Retail Codes;

What if your personal information changes?

You should advise us of any changes to personal information so that we can update our records. This means we can continue to administer services to you. You can do this using your chosen contact method in the Contact Us page of our website. We will then update your records.

Do you have to provide your personal information to us?

We are unable to provide you with our products or services if you do not provide certain information to us, for example your name, business name, addresses information etc.

Do we do any monitoring involving processing of your personal information?

In this section, monitoring means any listening to, recording of, viewing of, intercepting of, or taking and keeping records of calls, email, text messages, social media messages, face-to-face i.e. CCTV and other communications.

We may monitor where permitted by law and we will do this where the law requires it, or to comply with regulatory rules, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures and for quality control and staff training purposes. This information may be shared for the purposes described above.

What are your rights under data protection laws?

The following is a list of the rights that all individuals have under the data protection laws. They don’t apply in all circumstances. If you wish to use any of them, we will explain at that time if they are engaged or not.

  • The right to be informed about the processing of your personal information.
  • The right to rectification if your personal information is inaccurate and to have incomplete personal information rectified.
  • The right to object to processing of your personal information.
  • The right to restrict processing of your personal information.
  • The right to erasure and have your personal information erased (“the right to be forgotten”).
  • The right to data portability which allows you to move, copy or transfer your personal information.
  • The right of access to your personal information.
  • Rights related to automated decision-making and profiling which has a legal effect or otherwise significantly affects you.

You have the right to request access to your personal information that we hold about you. Please use the Contact Us information at the end of this document.

If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible.

You also have the right to complain to the Information Commissioner’s Office which enforces data protection laws – visit for more information.

Your right to object

You have the right to object to certain purposes for processing data for direct marketing purposes and to data processed for certain reasons based on your legitimate interests.

You can do this by using the Contact Us information at the end of this document to exercise your rights.

Contact us

If you have any questions about this privacy notice, or if you wish to exercise your rights or contact the Data Protection Officer (DPO) you can get in touch by telephone, by email or in writing using the following contact details:

Data Protection Officer
Priory House
Abbey Road
Pity Me

Telephone: 03450 704158


What information do we collect?

Personal information we will process about you may vary based on what service we provide to you. Typically, we need details such as:

  • Personal information including title, full name, job title, address, postcode and how you want to pay your bill, so that we know who you are, where your premises are and what services you need from us.
  • Contact information such as a phone number or email address, so that we can keep in touch with you about our services and your account with us.
  • Bank details so that we can manage your payments for our services.
  • Records of your contact with us – for example by telephone and via our website.

    Occasionally, we may also hold information indicating that due to health needs, a Non-Household (NHH) customer is a priority for re-connection if there is an interruption to the water supply.

    What is the source of your personal information?

    We collect personal information from the following sources:

    What do we use your personal data for?

    We will only use and share your information where it is necessary for us to lawfully carry out business activities. We use your personal data to:

    • If you contact us by telephone, your call may be digitally recorded to deliver appropriate services. This includes maintaining high quality standards, crime detection and/or prevention and to ensure that our employees comply with legal obligations and our policies and practices. When a call is recorded we will collect; a recording of the conversation; and; your phone number. Telephone call recording will be turned off when a customer’s credit or debit card details are given, in line with Payment Card Industry Data Security Standards (PCI DSS) and data protection legislation, including the GDPR.

    • Google Tag Manager;
      This website uses Google Tag manager. Google Tag Manager is a solution operated by Google LLC. 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) that allows marketed website tags to be managed using an interface. The Tag Manager tool itself (which implements the tags) is a cookie- less domain and does not register personal data. The tool causes other tags to be activated which may, for their part, register data under certain circumstances. Google Tag Manager does not access this information. If recording has been deactivated on domain or cookie level, this setting will remain in place for all tracking tags implemented with Google Tag Manager. Google Tag Manager’s policy is available to view; Google Tag Manager Use Policy.

    • Google Analytics;
      We use a tool called “Google Analytics” to collect information about use of this site. Google Analytics collects information such as how often users visit this site, what pages they visit, when they do so, and what other sites they used prior to coming to this site. We use the information we get from Google Analytics only to improve this site. Google Analytics collects only the IP address assigned to you on the date you visit this site, rather than your name or other identifying information. Google’s ability to use and share information collected by Google Analytics about your visits to this site is restricted by the Google Analytics Terms of Use and the Google Privacy Policy.

    • Hotjar;
      We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices (in particular device's IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy by clicking on this link; Hotjar Privacy Policy

      You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link; Hotjar Opt-Out

    • If you contact us by telephone, your call may be recorded for training and service-related purposes. This includes maintaining high quality standards, crime detection and/or prevention and to ensure that our employees comply with legal obligations and our policies and practices. We also monitor email communications and may restrict delivery under certain circumstances.

    • We comply with the data minimisation principles of data protection laws, and we will not collect any personal data that we do not need to be able to provide services to you.
      • Information you give to us or that is generated about you when you use our products or services, for example information that allows us to contact you or bill you for our services.
      • Other sources such as Fraud Prevention Agencies, HM Revenue and Customs (HMRC), Credit Risk agencies and other organisations to assist in prevention and detection of crime, police and law enforcement agencies or as part of our debt collection process.
      • From other trading parties in the NHH water market; this may be from other Retailers, Wholesalers or Market Operators i.e. Market Operator Services Limited (MOSL) in England or The Central Market Agency (CMA) in Scotland.
      • provide you with the services you want from us;
      • administer your account including dealing with any enquiries and complaints;
      • in relation to any unpaid bills i.e. with debt collection agencies;
      • and changes to our systems such as change to our bank details or notifications related to our retail licences);
      • prevent fraud;
      • keep our records accurate and updated;
      • undertake customer profiling;
      • create statistical information and carry out market analysis (on a non-personal basis);
      • comply with any legal obligation we may have;
      • contact you about services we believe that you may be interested in;
      • contact you about service-related issues including interruptions to supply, water quality issues, planned maintenance that could/will affect supplies and major roadworks that would require closure of key roads or commuter routes;
      • follow guidance and best practice under the change rules of bodies such as CMA and MOSL and to comply with relevant legal and regulatory obligations that we are subject to e.g. to comply with The Water Services Regulation Authority (Ofwat), Department for Environment, Food and Rural Affairs (Defra) or The Information Commissioner's Office (ICO) requirements;
      • monitor and keep records of our communications with you and our staff;
      • administer our good governance requirements, such as internal reporting and compliance obligations;
      • undertake market research and analysis and developing statistics; and
      • carry out checks at Credit Reference and Fraud Prevention Agencies pre-application, at application and periodically after that;
        • Fraud Prevention information - The information which we and others provide to the fraud prevention agencies about you, those who are jointly liable for our services with you and your business, may be supplied by fraud prevention agencies to other organisations and used by them and us to:
          • prevent crime, fraud and money laundering by, for example, checking details provided on applications for credit and credit-related or other facilities;
          • manage credit and credit-related accounts or facilities;
          • check details on applications for jobs or when checked as part of employment;
          • trace whereabouts of individuals and recover debts that are owed; and
          • conduct other checks to prevent or detect fraud.
        • Credit risk analysis – We will provide your personal data to Credit Reference Agencies and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recovery debts and prevent criminal activity. We will also continue to exchange information about you with Credit Reference Agencies on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. Credit Reference Agencies will share your information with other organisations. The identities of the Credit Reference Agencies, and the ways in which they use and share personal information, are explained in more detail at
      • Personal Information from third parties such as credit risk analysis agencies, English and Scottish market operators (CMA and MOSL) or the electoral roll.

    We only collect information about you that we need to ensure you get the best service from us. We respect your privacy and we minimise the information we collect.

    How and when you can withdraw your consent

    Where we are relying upon your consent to process personal information, you can withdraw this at any time by using the Contact Us information at the end of this document.

    You may withdraw your consent to processing of special categories of personal at any time too. However, in this instance, you need to be aware that if you choose to do so then the Market Operators (CMA and MOSL) may be unable to continue to provide certain services to you and us. If you choose to withdraw your consent, we will tell you more about the possible consequences. The withdrawal of your consent in this circumstance shall not affect the lawfulness of the processing based on consent before the withdrawal.

    Is personal information transferred outside the UK or the European Economic Area?

    We are based in the UK, but sometimes your personal information may be transferred outside the EEA to our contracted suppliers who work on our behalf. This may include sensitive information for the purposes of providing the service requested by you. If it is necessary to transfer your personal information outside of the EEA, we will only do so where:

    • the European Commission has decided that the country or organisation we are sharing your information with will protect your information adequately;
    • the transfer has been authorised by the relevant data protection authority; and/or
    • we have ensured that suitable safeguards are in place, for example we have entered into a contract with the organisation with which we are sharing your information.

    What about other automated decision making?

    We sometimes make decisions about you using only technology, where none of our employees or any other individuals are involved. For instance, we may do this to:

    • decide whether to offer you a product or service, or the price we will offer, or what terms and conditions to offer you or to assess what payment methods we can offer you; and
    • enter in to or perform a relevant contract which is authorised by laws that apply to us or is based on your explicit consent.

    If you wish to get in touch about automated decisions made by us, including to challenge the outcome of a decision, please contact us using the details set out at the end of this notice. We will periodically monitor our automated decision-making systems to ensure that they are working correctly.

    How do we protect your personal information?

    Wave takes the protection of our customer’s information very seriously. All customer personal data is held in our customer relationship manager (CRM) system which has controlled access and is subject to strong cyber security measures. All access to our system is strictly controlled. We also operate strict physical security at all our sites and employees all receive cyber security and data protection awareness training.

    How long is your personal information retained by us?

    Unless we explain otherwise to you, we will hold your personal information based on the following criteria:

    • for as long as we have reasonable business needs as detailed in this notice, such as managing our relationship with you and managing our operations and always in accordance with our Record Control Procedure; and
    • for retention periods in line with legal, audit, tax, accounting and regulatory requirements or guidance.

Your rights

The Data Protection Act 2018 and General Data Protection Regulation gives you certain rights towards your personal information. We take all reasonable efforts to ensure we allow you to exercise those rights. Further information on your rights can be found at

 Access to your personal information

If you want to see more of the information that we have about you, you can make a data subject access request by writing to.

Wave, Priory House, Abbey Road, Pity Me, Durham, DH1 5RR

Telephone: 03450 704158