Privacy policy.
1. Purpose & Scope
This policy explains how we collect, use, share and protect personal data – specifically half‑hourly electricity consumption data from non‑domestic smart meters, plus limited business contact information – in line with:
UK GDPR & Data Protection Act 2018
Smart‑Meter Data Access & Privacy Framework (DAPF) for non‑domestic premises, including the micro‑business opt‑out for HH data
Privacy & Electronic Communications Regulations (PECR) 2003
Any other UK laws that apply to limited companies.
It covers our website, energy‑assessment services, PV‑battery deployment, ongoing optimisation, billing and energy‑trading activities for the full lifecycle of each system.
2. Who we are & how to reach us
| Role | Contact |
|---|---|
| Controller | Heliotec Limited, Registered office: Suite 160 95 Wilton Road, London, United Kingdom, SW1V 1BZ |
| Data‑protection lead | Laura Cahill, Data Protection Lead, lc@heliotec.energy |
| Complaints | You can complain to us first. You may also complain to the ICO: www.ico.org.uk |
3. What data we collect
| Category | Examples | Source | Lawful basis |
|---|---|---|---|
| Smart‑meter half‑hourly consumption data | MPAN, HH kWh values (14‑36 months history for feasibility; 25‑year operational feed) | Supplier‑provided files under Letter of Authority; ongoing Data Communications Co. (DCC) feed | Consent (LoA & PPA/Lease) – non‑revocable while contract in force; Contract for settlement, billing & grid‑service delivery |
| Site & business contact details | Contact name, role, work email, phone; authorised signatory | Provided by client | Contract |
| Billing & financial data | Company name, invoicing address, PO numbers, bank details for direct debit | Provided by client | Legal obligation (accounts), Contract |
| Technical asset data | Inverter/BESS serial IDs, performance telemetry | Our devices + OEM portals | Legitimate interest (asset management) |
| Website & marketing | IP address, session cookies, newsletter sign‑up email | Website visitor | Consent; Legitimate interest (essential cookies) |
We do not intentionally collect special‑category data.
4. How we use the data
Produce feasibility reports and commercial proposals.
Design, deploy and optimise PV‑BESS systems, including automated dispatch via third‑party VPP/VLP platform.
Provide accurate settlement‑grade billing and share statements with clients.
Settle grid‑service revenues with National Grid ESO.
Improve our models by using anonymised, aggregated HH datasets.
Run our business operations (accounting, compliance, insurance).
Send optional newsletters if you opt‑in.
We never sell raw meter data.
5. Data sharing & third‑party management
We only share data with processors that are contractually bound to UK GDPR standards and, where relevant, DAPF obligations. Current categories:
Cloud-hosted email and document storage (EU region)
PV system design and monitoring platforms (UK-hosted)
Inverter and battery telemetry portals (UK data centres)
Virtual Lead Party (VLP) and grid trading platforms (UK-hosted)
Billing and direct debit platforms (UK data centres)
Each processor is assessed under our Third‑Party Data Protection Assessment (DPA) process and re‑reviewed annually or upon any material change.
International data transfers & safeguards
International transfers outside the UK/EU are limited to approved US sub‑processors under UK‑approved Standard Contractual Clauses & supplementary measures.
Where a supplier (e.g. Google Workspace or MailerLite) may route limited business‑contact data (names, work emails, newsletter preferences) to the United States, we apply the following safeguards:
UK Addendum to the EU Standard Contractual Clauses (SCCs) or standalone UK International Data Transfer Agreement (IDTA) executed with each provider.
A documented Transfer Risk Assessment (TRA) evaluating U.S. law and practice for the specific dataset.
End‑to‑end TLS in transit and AES‑256 encryption at rest, enforced by the provider.
Data minimisation: only contact metadata crosses borders—never consumption or asset‑performance data.
Continuous monitoring: if a provider changes hosting footprint or sub‑processor list, we review the TRA within 30 days.
Should we ever need to move operational smart‑meter data outside the UK/EU (e.g. to settle a grid‑service in another market), we will either (a) pseudonymise it so no customer is identifiable, or (b) obtain explicit customer consent beforehand.
6. Data retention & deletion
| Dataset | Active retention | Aggregated/anonymised | Final deletion |
|---|---|---|---|
| Feasibility HH data | 7 years from system commissioning | Kept indefinitely (anonymised) | Raw deleted after 7 years |
| Operational HH feed | Life of contract | 6 years post‑termination | Deleted thereafter |
| Contracts & invoices | 6 years + current FY (Companies Act & HMRC) | n/a | Deleted thereafter |
| Marketing consents | Until opt‑out or 2 years inactivity | n/a | Deleted within 30 days of opt‑out |
7. Cookies & electronic communications
Our site uses essential cookies (session, CSRF) and analytics cookies. Analytics cookies load only if you click “Accept analytics”. Marketing emails follow PECR rules and always include an unsubscribe link.
8. Security measures
ISO‑27001‑aligned controls; annual risk assessment.
Google Workspace Context‑Aware Access (geo/IP restrictions).
End‑to‑end TLS; data at rest with AES‑256.
Role‑based access & MFA for all privileged accounts.
9. Incident response & breach notification
We run a 4‑hour internal breach triage SLA. If a personal‑data breach is likely to result in a risk to individuals' rights and freedoms, we notify the ICO within 72 hours and affected clients without undue delay. Post‑mortems are recorded and corrective actions tracked to closure.
10. Your rights
You may exercise any UK GDPR rights (access, rectification, erasure, restriction, portability, objection). Email: lc@heliotec.energy. Identity checks apply.
11. Changes to this policy
Any major change (e.g. new data category) will be emailed to active clients 30 days before it takes effect. “Last updated” date appears at top.
Key legal reference: DAPF review – BEIS 2018, p. 8‑11 (third‑party access & micro‑business opt‑out); UK GDPR & Data Protection Act 2018.