Privacy Policy

2.1 Information You Provide Directly

• Full name, email address, telephone number, and postal address when you request a quote, book a survey, or contact us
• Property details including address, roof type, roof orientation, property age, number of bedrooms, and EPC rating when using our solar calculators or estimator tools
• Energy usage data including current energy provider, annual energy consumption, and tariff information
• Financial information for grant eligibility assessments, finance applications, and payment processing
• Communications and correspondence with our team via email, phone, WhatsApp, or our website chat (Nova)
• Newsletter subscription preferences and marketing consent choices
• Feedback, reviews, and testimonials you choose to share

2.2 Information Collected Automatically

• IP address, browser type and version, and operating system
• Device identifiers including device type, screen resolution, and unique device IDs
• Pages visited, time spent on each page, click patterns, scroll depth, and navigation paths
• Referral source (how you arrived at our website), including search engine queries, advertising clicks, and referring websites
• Geographic location data derived from your IP address (city and region level)
• Cookie data, local storage identifiers, and tracking pixel information
• Interaction data from our advertising platforms including ad impressions, clicks, and conversion events

2.3 Information from Third-Party Sources

• Advertising platform data from Meta (Facebook/Instagram) and Google, including audience segment information and ad interaction data
• Analytics data from Google Analytics, Google Tag Manager, and associated tools
• Email engagement data from Klaviyo, including open rates, click-through rates, and email interaction patterns
• CRM data from GoHighLevel related to lead management and customer communications
• Publicly available property and energy data used to enhance our solar estimation tools

3.1 Service Delivery (Legal Basis: Contract)

• Providing quotes for solar panels, battery storage, heat pumps, and insulation
• Arranging and conducting home surveys and site assessments
• Processing and managing installation orders
• Submitting grant and funding applications on your behalf (e.g., ECO4, Home Energy Scotland)
• Managing Distribution Network Operator (DNO) grid connection applications
• Administering warranty claims and providing after-sales support
• Processing payments and financial arrangements

3.2 Marketing and Advertising (Legal Basis: Consent)

• Sending email newsletters with energy tips, grant updates, and promotional offers via Klaviyo
• Delivering targeted advertisements on Facebook, Instagram, and the Meta Audience Network
• Delivering targeted advertisements on Google Search, Google Display Network, and YouTube
• Creating Custom Audiences and Lookalike Audiences on Meta platforms based on customer and website visitor data
• Remarketing and retargeting campaigns to website visitors who did not complete a quote request
• Measuring advertising effectiveness through conversion tracking on Google and Meta platforms

3.3 Website Improvement and Analytics (Legal Basis: Legitimate Interest)

• Analysing website traffic, user behaviour, and engagement patterns using Google Analytics (GA4)
• Conducting A/B testing to improve website design, content, and user experience
• Monitoring website performance, error rates, and technical issues
• Personalising website content based on user location and browsing behaviour
• Improving our online calculators and estimation tools based on usage data

3.4 Legal and Regulatory Compliance (Legal Basis: Legal Obligation)

• Maintaining MCS certification records as required by the Microgeneration Certification Scheme
• Retaining financial records for tax and accounting purposes (HMRC requirements)
• Complying with building regulations and energy performance certificate requirements
• Responding to lawful requests from regulatory authorities and law enforcement

4.1 Meta (Facebook and Instagram) Advertising

We use the Meta Pixel (formerly Facebook Pixel) on our website to:

• Track conversions from Facebook and Instagram advertisements (e.g., quote requests, calculator usage, phone calls)
• Optimise ad delivery to reach people most likely to be interested in solar panels, battery storage, and energy efficiency services
• Build Custom Audiences of website visitors for remarketing purposes
• Create Lookalike Audiences to find new potential customers similar to our existing customers
• Measure the return on investment of our Meta advertising spend

4.2 Google Advertising

We use Google Ads conversion tracking and Google Tag Manager to:

• Track conversions from Google Search, Display, and YouTube advertisements
• Implement remarketing lists to show relevant ads to previous website visitors across the Google Display Network
• Measure and optimise our Google Ads campaigns for cost-effectiveness
• Use Google Ads Customer Match to reach existing customers with relevant updates and offers
• Track cross-device conversions to understand the full customer journey

4.3 How to Opt Out of Advertising Tracking

• Meta: Visit facebook.com/adpreferences to manage your ad settings, or use the "Off-Facebook Activity" tool to control how Meta receives data from our website
• Google: Visit adssettings.google.com to manage your ad personalisation preferences, or install the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout
• Industry opt-out: Visit youronlinechoices.eu (EU/UK) or optout.aboutads.info (US) for broader advertising opt-out options
• Browser settings: Most modern browsers allow you to send a "Do Not Track" signal. While not all services honour this signal, we respect it where technically feasible
• Cookie settings: Use our cookie consent mechanism on the website to decline marketing cookies, or manage cookies through your browser settings

5.1 Essential Cookies

These cookies are strictly necessary for the website to function. They cannot be disabled without severely impacting site functionality. They include session management cookies, security tokens (CSRF protection), and cookie consent preference storage. These cookies do not require your consent under PECR.

5.2 Analytics Cookies

We use Google Analytics (GA4) cookies (_ga, _ga_*, _gid) to understand how visitors interact with our website. These cookies help us identify popular pages, track user journeys, and improve website performance. We have enabled IP anonymisation within Google Analytics. Data is retained for 26 months. These cookies are only set with your consent.

5.3 Advertising and Marketing Cookies

These cookies support our advertising and remarketing activities:

• Meta Pixel cookies (_fbp, _fbc): Identify browsers for Facebook advertising attribution and track ad click-throughs. Duration: _fbp (3 months), _fbc (2 years)
• Google Ads cookies (_gcl_au, _gcl_aw): Track Google Ads conversions and enable remarketing. Duration: 90 days
• Google Tag Manager: Manages the deployment of analytics and advertising tags. GTM itself does not set cookies, but tags deployed through it may do so
• Klaviyo cookies (__kla_id): Identify visitors for email marketing attribution and track website activity for subscribers. Duration: 2 years

5.4 Managing Your Cookie Preferences

When you first visit our website, you are presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You can change your preferences at any time by clearing your cookies and revisiting the site. You can also manage cookies directly through your browser settings. Blocking certain cookies may affect your experience on our website.

For our full Cookie Policy with detailed cookie tables, please visit our dedicated Cookie Policy page.

6.1 Service Partners

• Installation partners and subcontractors directly involved in delivering your solar panel, battery storage, heat pump, or insulation project
• Equipment manufacturers and suppliers for warranty registration and support
• Finance providers where you have applied for a finance arrangement
• Distribution Network Operators (DNOs) for grid connection applications

6.2 Government and Regulatory Bodies

• Grant and funding bodies such as Home Energy Scotland and ECO4 scheme administrators
• MCS (Microgeneration Certification Scheme) and TrustMark for certification and compliance purposes
• HMRC for tax and financial reporting obligations
• Local planning authorities where planning permission is required
• The Information Commissioner's Office (ICO) if required

6.3 Technology and Advertising Partners

• Google LLC (Google Analytics, Google Ads, Google Tag Manager) -- for website analytics, advertising, and conversion tracking
• Meta Platforms, Inc. (Facebook, Instagram) -- for advertising, conversion tracking, and audience creation
• Klaviyo, Inc. -- for email marketing, automation, and subscriber management
• GoHighLevel -- for customer relationship management and lead management
• Supabase (database hosting) -- for secure data storage and application functionality

6.4 Professional Advisors

We may share data with our professional advisors including accountants, lawyers, and insurance providers where necessary to obtain advice or manage claims.

7.1 Transfers to the United States

Google LLC, Meta Platforms Inc., and Klaviyo Inc. are based in the United States. Data transfers to these providers are protected by:

• Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
• The EU-US Data Privacy Framework (where the provider is a certified participant)
• Additional technical and organisational security measures implemented by each provider
• Our assessment that the level of protection provided is essentially equivalent to that guaranteed within the UK

7.2 Transfers to the EU/EEA

The UK government has determined that the EU/EEA provides an adequate level of data protection. No additional safeguards are required for transfers to EU/EEA countries.

Retention Schedule

• Quote enquiries (not converted to a sale): 24 months from last contact
• Customer installation records: Duration of the warranty period (up to 25 years) plus 2 years
• MCS and certification records: 25 years (regulatory requirement)
• Financial and accounting records: 7 years (HMRC legal obligation)
• Marketing consent records and email subscriber data: Until consent is withdrawn or the subscriber opts out
• Website analytics data (Google Analytics): 26 months
• Advertising platform data (Meta, Google): Retained by the platform in accordance with their own retention policies; our custom audience data is refreshed or deleted as needed
• Chat and communication logs (Nova, WhatsApp): 12 months from the conversation date
• Calculator and estimator usage data: 12 months (anonymised thereafter for statistical purposes)

9.1 UK GDPR Rights (Applicable to All Users)

• Right of access: Request a copy of the personal data we hold about you (Subject Access Request)
• Right to rectification: Request correction of inaccurate or incomplete personal data
• Right to erasure ("right to be forgotten"): Request deletion of your personal data where there is no compelling reason for continued processing
• Right to restrict processing: Request that we limit the processing of your personal data in certain circumstances (e.g., while we verify accuracy)
• Right to data portability: Request a copy of your data in a structured, commonly used, machine-readable format (e.g., CSV) and have it transferred to another controller
• Right to object: Object to the processing of your personal data for direct marketing purposes (absolute right) or processing based on legitimate interests
• Right to withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal
• Rights related to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently use fully automated decision-making.

9.2 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your data
• Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions
• Right to opt out of "sale" or "sharing": We do not sell your personal information. However, our use of advertising cookies and pixels may constitute "sharing" under CCPA. You can opt out by declining marketing cookies via our cookie consent mechanism
• Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights
• Right to correct: You have the right to request correction of inaccurate personal information
• Right to limit use of sensitive personal information: If we collect sensitive personal information, you have the right to limit its use to what is necessary to provide the services

9.3 How to Exercise Your Rights

To exercise any of your privacy rights, please contact us at info@scottishenergyefficiency.co.uk or write to us at Prospect Business Centre, Dundee DD2 1TY. We may need to verify your identity before processing your request. We will respond within one calendar month for UK GDPR requests and within 45 days for CCPA requests.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, or call the ICO helpline on 0303 123 1113.

Technical Measures

• SSL/TLS encryption for all data transmitted between your browser and our website (HTTPS)
• Encrypted database storage with Supabase, including Row Level Security (RLS) policies to prevent unauthorised data access
• Regular security audits and vulnerability assessments of our website and infrastructure
• Secure API communications with all third-party services using authenticated and encrypted connections
• Access controls limiting employee and contractor access to personal data on a need-to-know basis
• Multi-factor authentication for administrative access to our systems

Organisational Measures

• Staff training on data protection principles and security best practices
• Data processing agreements in place with all third-party processors
• Incident response procedures for identifying, reporting, and managing data breaches
• Regular review and updating of security policies and procedures
• Data minimisation: we only collect data that is necessary for the stated purposes

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach. If the breach poses a high risk, we will also notify affected individuals directly without undue delay.

Notification Process

• Update the "Last updated" date at the top of this page
• Post a prominent notice on our website for a reasonable period
• Where the change materially affects how we process your data, notify you by email (if we have your email address and you have consented to communications)
• Where legally required, obtain fresh consent before processing your data under the updated terms