Privacy & Cookie Policy

1. Introduction

Heat Scheme Limited is committed to protecting the privacy and security of personal data collected from our clients. This policy outlines how we collect, use, and safeguard personal data in compliance with the UK Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

2. Scope

This policy covers:

  • Data collection and processing

  • Purpose of data collection

  • Data access and security

  • Data storage

  • Security audits

  • Data subject rights

  • Data retention and disposal

  • Incident response

  • Contact information

  • Policy updates

3. Data Collection and Processing

We adhere to the principle of data minimisation and collect only the personal data necessary to provide our services. Personal data is collected directly from users through our web application during the sign-up process. The types of personal data we collect include:

  • Name

  • Email address

  • Home address

  • Phone number

Personal data is processed internally by Heat Scheme Limited. We use trusted third-party service providers (acting as data processors) to support service delivery, but we do not sell personal data to third parties.

4. Purpose of Data Collection

The personal data we collect is used for the following purposes:
​

  • Providing consultation and guidance services.

  • Operating employer benefit schemes and verifying eligibility where applicable.

  • Delivering marketing and promotional communications about services, features, updates, savings opportunities, and offers, including carefully selected partner offers where consent has been given.

Marketing consent can be withdrawn at any time. We do not sell personal data to third parties.

5. Lawful Basis for Processing

Personal data is processed in accordance with the following lawful bases under GDPR:
​

  • Performance of a contract

  • Legitimate interests

  • Legal obligations

When we send direct marketing communications (including by email and, where applicable, SMS or WhatsApp), the lawful basis for processing is consent, which can be withdrawn at any time.

6. Data Access and Security

6.1 Access Controls

Strict role-based access controls ensure only authorised personnel can access personal data.

  • Direct database access is limited to the Director and CTO.

  • Database access is restricted by IP whitelist.

  • Multi-Factor Authentication (MFA) is required for database access.

6.2 Security Measures

Our web application and database adhere to industry-standard security practices.

  • Data in transit is encrypted using TLS.

  • Data at rest is encrypted using Azure encryption services (AES-256).

6.3 Password Management

Passwords must be at least 12 characters long and include uppercase, lowercase, numbers, and special characters. Passwords are stored using strong hashing algorithms (bcrypt).

7. Data Storage

We use trusted services such as Microsoft Azure for hosting data, ensuring compliance with applicable data protection regulations.

7A. AI-Powered Services

We use third-party artificial intelligence (AI) service providers to support certain features of our services, including AI-powered chat and image analysis tools. Limited personal and property-related information may be shared with these providers (for example, Energy Performance Certificate data, home ownership status, property characteristics, and information or images you submit) to improve response quality.

These AI providers act as data processors and may process personal data only on our instructions under appropriate contractual safeguards. Personal data is not used by AI providers to train their own models or for independent purposes, and no automated decision-making producing legal or similarly significant effects is carried out.

8. Security Audits

Regular security audits are performed on our application to identify and address potential vulnerabilities.

9. Data Subject Rights

Heat Scheme Limited respects and upholds data subject rights under GDPR, including:

  • Right to access

  • Right to rectification

  • Right to erasure

  • Right to restrict processing

  • Right to data portability

  • Right to object (including to direct marketing)

  • Right to lodge a complaint with the Information Commissioner’s Office (ICO)

10. Data Retention and Disposal

Personal data is retained only for as long as necessary to provide our services. Data is securely disposed of within 30 days of account closure or a valid deletion request unless retention is required by law.

11. Incident Response

If a personal data breach poses a risk to individuals’ rights and freedoms, we will notify affected individuals and the ICO within 72 hours, in accordance with legal requirements.

12. Contact Information

For queries related to data protection or to exercise your rights, contact our Data Protection Officer:

13. Policy Updates

This policy is reviewed annually and updated as necessary to reflect changes in our practices, technology, or legal requirements.

Last updated: January 2026