Energy Modeller — UK PV + Battery Quoting

1. Who we are

Energy Modeller Ltd (“we”, “us”) acts in two capacities:

As data controller— for personal data about our installer users (account, billing, usage), and for the aggregated, de-identified data we derive to improve our own modelling and AI (see section 3a). That aggregated data does not identify any individual.
As data processor— for personal data about installers’ end customers (homeowners / business customers), which the installer collects and controls. We process it on the installer’s documented instructions to run the Service for them.

Registered office: TBC, England & Wales. ICO registration number: TBC. Contact: privacy@energymodeller.com.

2. What we collect

From installers (as controller): email, company name, website, phone, brand colours, MCS certificate number, billing details (handled by Stripe; we store only payment IDs and subscription state), service-account audit logs.

From installers’ end customers (as processor on behalf of the installer):name, address, postcode, email, phone, energy bill data, questionnaire responses, chatbot conversations, signature metadata (IP, timestamp, T&Cs hash), smart-meter consumption data (when authorised via n3rgy or similar).

3. Why we process it

Service delivery— lawful basis: contract. Running the platform you signed up for.
Billing— lawful basis: contract + legal obligation.
Service improvement & analytics— lawful basis: legitimate interest, balanced against your privacy.
Customer support— lawful basis: legitimate interest.
Marketing emails(only to installers, not end customers) — lawful basis: legitimate interest (B2B) with opt-out in every email.

3a. Improving our own modelling & AI (aggregated, de-identified)

First, a distinction that matters:

Running the Service (scoring + recommendations). When we generate a lead score, recommendation or quote for an installer, we process that installer’s own identifiable customer records (postcode, usage, quote activity, etc.) to return the result to that installer. We do this as the installer’s processor— it is part of delivering the Service they signed up for, on their data, for their eyes only.
Improving / training our own models. Separately, we improve our simulation, recommendation and scoring models using aggregated, de-identified data pooled across the whole platform— e.g. “homes of this type in this region tend to…” patterns. This learning set is processed so it does not identify any individual (no names, addresses, contact details, or any value that could single a person out). Crucially, because it is de-identified and aggregated, it never exposes one installer’s customers, quotes or commercial figures to another installer— only generic, platform-wide patterns feed the model, never another account’s identifiable data. The live score you see on your own lead is always computed from your own account’s data (the processor activity above), not from anyone else’s. We do this as controller on the lawful basis of our legitimate interest in improving the accuracy of the Service, which a de-identified dataset does not override for any individual.

What we do NOT do: we do not send installer or end-customer personal data to any third-party AI vendor for that vendor to train on. Our AI sub-processors (e.g. Anthropic, OpenAI) are used on no-training / zero-retention API terms — they process a request to return a result and do not retain it to train their models. Because our own training set is aggregated + de-identified, an individual erasure request (section 6) removes that person’s identifiable records; it does not need to “un-train” a model, because no individual is present in the training data.

4. Who we share data with

We use the following subprocessors to deliver the Service. All are bound by data processing agreements with at-least-equivalent protections:

Vercel— hosting + edge network (US/EU)
Redis Cloud / Upstash— database storage (EU region)
Stripe— subscription billing + payment processing
Resend— transactional email delivery (EU)
Anthropic— Claude AI for chat, extraction, recommendations (no-training / zero-retention API terms; DPA in place)
OpenAI— voice transcription + realtime voice (no-training / zero-retention API terms; DPA in place)
ElevenLabs— text-to-speech for the Em voice assistant (DPA in place)
PostHog(EU region) — product analytics + optional session replay (consent-gated; off by default; see section 8)
Reonic / OpenSolar / Easy PV— design-tool integrations (only when installer explicitly authorises)
QuickBooks / Xero— accounting integrations (only when installer explicitly connects)
n3rgy— UK smart-meter data access (only with explicit end-customer consent)
PVGIS— European Commission solar irradiance dataset (postcode-level lookup, no personal data sent)

5. Retention

Account data: lifetime of the account, then 6 years post-closure for tax / accounting compliance.
Quote / share-link data: 30 days from creation, then auto-deleted (unless extended for legal / contractual reason).
Signed-contract artifacts (signature metadata, T&Cs hash, quote figures hash): 7 years from signing, per UK tax + contract retention norms.
Service-plan customer records: lifetime of the service plan + 6 years post-cancellation.
Audit logs & server logs: 90 days rolling.

6. Your rights

Under UK GDPR you have the right to:

Access your data
Rectify inaccurate data
Erase your data (subject to retention legal requirements)
Restrict or object to processing
Data portability (export)
Complain to the Information Commissioner’s Office (ico.org.uk)

To exercise any of these, email privacy@energymodeller.com. We respond within one month (UK GDPR Art. 12(3)), and will tell you promptly if a request needs identity verification or an extension for complexity.

Installers can self-serve a machine-readable export of their account data at any time from their account settings. End customers (homeowners): because the installer is the controller of your data, send access or erasure requests to your installer; we action them on the installer’s instruction as their processor, or directly if you contact us and we route it to them.

7. International transfers

Some subprocessors (Vercel, Anthropic, OpenAI, ElevenLabs, Stripe) process data in the US. We rely on Standard Contractual Clauses + the UK Addendum and, where applicable, the EU-US Data Privacy Framework.

8. Cookies

We use a single httpOnly session cookie (__Host-em_session) for authentication, which is strictly necessary and needs no consent. We also use PostHog (EU region) for product analytics and session replay to understand how the product is used and improve it. PostHog is off by default and only starts after you accept non-essential cookies via the banner; it is disabled for our own staff sessions, does not auto-capture every click, and masks form inputs. Session replay is switched off entirely on customer- facing pages (proposal, intake, formal-quote). You can decline at any time and we respect Do-Not-Track.

9. Changes

Material changes to this Notice will be emailed at least 30 days before they take effect.