Introduction

We are committed to protecting and respecting your privacy. This policy explains how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (GDPR). This policy applies across both domains that are relevant t o the service Thermly provides: thermly.co.uk and platform.thermly.co.uk.

Data We Collect

We may collect and process the following data about you:

• Identification Information that you provide us:
  name, email address, postal address, postcode, phone number, details relating to your property, images of your property, energy usage data, property ownership status, etc.

• Payment Data:
  bank and / or credit card details – please note however that we currently use a third party provider of payment processing systems (Stripe) and we do not store payment details on any Thermly system

• Technical Data:
  IP address, browser type, and version, time zone setting, browser plug - in types and versions, operating system and platform, and other technology on the devices you use to access this website

• Usage Data:
  information about how you use our website, products, and services

• Marketing and Communications Data:
  your preferences in receiving marketing from us and your communication preferences.

How We Use Your Data

We use your data to:

• Facilitate the delivery of our digital services, including software, applications, and online tools.

• Provide and manage your access to our website.

• Personalise and tailor your experience on our website.

• Respond to communications from you, and initiate communications with you as appropriate, including by email, telephone call, online ‘chat’, and by post.

• Analyse your use of our site to improve our services.

Legal Basis for Processing

We process your personal data based on the following legal grounds, depending on the nature of the services we provide to you:

• Consent:
  you have given clear consent for us to process your personal data for a specific purpose – details of which can be found in the Terms and Conditions of Use when proceeding with our online assessment of your property, for example.

• Contract:
  the processing is necessary for a contract or agreement we have with you (for example the Terms and Conditions referred to above).

• Legal Obligation:
  the processing is necessary for us to comply with the law.

• Legitimate Interests:
  the processing is necessary for our legitimate interests or the legitimate interests of a third party.

Cookies

We use two main types of cookies.

• Essential cookies:
  these are created and implemented by Thermly to enable the platform to function properly, including in relation to the authentication of users. You must agree to allowing these cookies if you want to use Thermly.

• Google Analytics (GA)
  GA collects cookies and IP addresses which are classed as personal data. At Thermly we use Google Analytics to collect data. We need this data to understand how you use our website so we can improve its design and functionality. We also need the data to get the most out of our marketing campaigns. With your consent, Google Analytics will process and collect your personal data to give us valuable information. Google Analytics will transfer your data to the United States and store it for a fixed period. To learn more about Google's data transfer policies here and to find out more about Google’s own privacy policy in general here.

• TWIPLA:
  Thermly also uses a service provided by TWIPLA. TWIPLA is a website analysis service that collects data traffic on our website and general information from website visitors. TWIPLA collects statistics to improve the experience of our website visitors.TWIPLA never uses cookies for this purpose. As a website operator that uses TWIPLA to measure reach, we may process information about the device you are using and its characteristics, information about technical features of the website visit, the number of page visits and statistically relevant behaviour of our visitors on the website, depending on the data protection level we have activated. Depending on the location from which you access our website, it is possible that TWIPLA will not collect any information about the device you are using due to our technical settings.

Please note that in agreeing to this Data Privacy Policy and in providing such cookie consent (for which we use CookieYes), that consent/agreement applies to the following domains: thermly.co.uk and platform.thermly.co.uk.

Data Sharing and Third Party Service Providers

• Amazon Web Services (AWS):
  We use Amazon Web Services (AWS) to host and manage our infrastructure. AWS may process personal data on our behalf in accordance with their Data Processing Addendum. AWS data centers are located in various regions, and we configure our services to store data in compliance with applicable data protection laws, including the UK GDPR and EU GDPR.

• Stripe:
  We use Stripe to process payments securely. When you make a purchase, your payment details are transmitted directly to Stripe and are not stored on our servers. Stripe acts as a data controller for the payment information it processes and complies wit h P CI - DSS standards. For more information, please refer to Stripe’s Privacy Policy.

• SendGrid by Twilio:
  We use SendGrid, a service provided by Twilio, to send transactional and marketing emails. SendGrid processes your email address and message content to deliver communications on our behalf. Twilio adheres to Binding Corporate Rules and complies with GDPR and other applicable data protection laws.

• Zoho:
  We use Zoho services for customer relationship management (CRM), support, and internal operations. Zoho may process personal data such as your name, email address, and interaction history. Zoho complies with GDPR and other global privacy regulations.

• Google Analytics 4:
  We use Google Analytics 4 to understand how users interact with our website. Google Analytics collects anonymized data such as pages visited, time spent on site, and device information. IP anonymization is enabled to protect your privacy. Google may process this data in accordance with its Privacy Policy.

• Citrus Compliance:
  We may share your data with our Principal Firm Citrus Compliance for regulated complaints handling and compliance monitoring.

• TWIPLA (formerly Visitor Analytics):
  We use Twipla to gather insights into website usage and visitor behavior. Twipla does not use cookies or collect personally identifiable information unless explicitly configured to do so. All data is anonymized and processed in compliance with GDPR.

• DocuSign:
  We use DocuSign to facilitate the secure signing of documents. When you sign a document electronically, your name, email address, and signature are processed by DocuSign. DocuSign complies with eIDAS, ESIGN, and UETA regulations and adheres to GDPR standards.

• CookieYes:
  We use CookieYes to manage user consent for cookies and trackers on our website and platform. CookieYes scans our site and provides a consent banner to ensure compliance with GDPR, ePrivacy, and CCPA. Your consent preferences are stored securely and can be updated at any time.

• Social sign in:
  We offer social sign-in options through Google, Apple, and Meta to provide a convenient and secure way for users to access our services. When you choose to sign in using one of these providers, we receive limited personal information such as your name, email address, and profile picture, as permitted by your account settings with the respective platform. This data is used solely to authenticate your identity, personalise your experience, and manage your account. We do not access your login credentials or share your data with these providers beyond what is necessary for authentication. Your use of social sign-in is subject to the privacy policies of Google, Apple, and Meta, and we encourage you to review those policies to understand how your data is handled by each provider.

Data Security

We are committed to ensuring the security of your personal data. We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We store your data on secure, password-protected servers hosted by Amazon Web Services (AWS), located in the UK, in accordance with GDPR regulations. All data transmitted to and from our services is encrypted using Transport Layer Security (TLS) to ensure its security during transmission.Access to your personal data is limited to authorised personnel who are committed to maintaining its confidentiality and security. These include, for example:

• Data Protection Policies:
  we have established data protection policies that outline our commitment to data security and provide guidelines for handling personal data. All employees receive regular training on data protection and security best practices.

• Incident Response Plan:
  we have an incident response plan in place to address any data breaches or security incidents promptly and effectively.

• Data Minimisation:
  we ensure that personal data collected is limited to what is necessary for the purposes for which it is processed.

• Regular Reviews:
  we regularly review and update our data protection practices to ensure ongoing compliance with GDPR and other applicable laws.

• Data Cleansing:
  we ensure that any physical copies of personal data are securely disposed of when no longer needed.

By implementing these measures, we aim to provide a high level of security for your personal data and protect it from potential threats. However, please note that no method of transmission over the internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.

Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes - described above – for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Your Rights

Under the GDPR, you have the right to:

• Access your personal data

• Rectify inaccurate or incomplete data

• Erase your personal data

• Restrict the processing of your data

• Object to the processing of your data

• Data portability

Please use the details provided below if you wish to enact any of these rights including with regard to deletion/erasure of any or all of your data. Once you have notified us in writing we will remove the data from our systems within 5 working days.

Contact Us

If you have any questions about this privacy policy or our data protection practices, please contact us via email at enquiries@thermly.co.uk, or at our postal address:

Thermly Limited
40 King Street
Manchester
M2 6BA

Complaints

If you have any concerns about our use of your personal information, you can make a complaint to us at the address above. You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s helpline number is 0303 123 1113, or at their postal address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Changes to This Policy

We may update this policy from time to time. We will notify you of any changes by posting the new policy on our website.