Privacy policy

What we collect, why, and what you can ask us to do with it.

This page sets out what we collect when you use heatpass.co.uk, why, who else sees it, and how to ask us to change or delete it.

Who

Who runs HeatPass.

HeatPass is run by an individual sole trader. Until a UK company is incorporated, that named person is the data controller for any personal data you give us through this site.

Email hello@heatpass.co.uk for the controller's full name and registered address. We hand those over on request rather than publishing them on the page, to keep them off scrapers.

UK GDPR and PECR govern the data of UK visitors.

Data

What we actually collect.

The site doesn't collect anything until you ask it to. Four categories sit below. The list is exhaustive.

Your email, if you join the newsletter.

The footer form sends your address to our server, which forwards it to Brevo, the email-sending provider. No other field is collected.

Wizard session data, if you start the qualification check.

When you submit a postcode on the check page, we send it to a server we run. The server forwards your postcode to the gov.uk energy performance register and returns the addresses on file. When you pick yours, we read a small subset of the energy certificate (property type, age, floor area, insulation, current heating fuel, energy rating) and store it against an unguessable session token. The token is the URL of your check; we never tie it to your identity.

Cookie-consent state, if you interact with the banner.

Accepting, rejecting, or customising the banner does three things. A heatpass_consent cookie is written to your browser. A consent record is written to our log so we can prove what you chose. And if you accepted analytics, Google Analytics 4 and Microsoft Clarity load and start setting their own cookies. The consent record holds a salted SHA-256 hash of your IP, your user agent, your country at the ISO-2 level, and the choices you made. We never store your IP in plaintext.

Analytics events, if you accepted analytics.

GA4 and Clarity record what most analytics tools record: page views, session length, button clicks tagged for tracking, scroll behaviour, and a handful of our own named events such as qualifier_started and newsletter_subscribe_attempt. Clarity replays inputs with name and email fields masked.

Wizard answers and the verdict, if you complete the qualification check.

When you go through /check, we save the answers you give about your home, the energy certificate data we looked up for it, and the verdict we computed. It is keyed by an unguessable token in your URL — no email or phone number is stored against the record unless you take the next step. It is kept for 90 days, then deleted, unless you save your HeatPass or proceed to a match.

Email, phone, and installer match, if you ask to be connected.

On a Full Pass verdict, the connect step asks for your email address, phone number, and an explicit "yes, contact me" tick. Those three details go to a separate lead record on our hosted storage, to one MCS-certified installer who covers your postcode, and to our Brevo contact list with a flag that bumps retention to two years. Nobody else gets them. Not three installers, not a panel, not a directory. Email hello@heatpass.co.uk any time and we delete the record.

Why

The lawful bases.

Two lawful bases under UK GDPR cover everything above.

Consent.

Newsletter and analytics processing both depend on you actively saying yes, by submitting the form or by clicking the banner. Withdrawal is one click, from the unsubscribe link in every email or the footer "Cookie settings" button. Withdrawing doesn't unwind processing that already happened, but it stops the next round.

Legitimate interests.

The cookie-consent audit log itself is a legitimate interest. PECR requires us to be able to prove what you chose; without an audit row, "the user said yes" is impossible to evidence. Hashing your IP makes the row unique enough to honour a deletion request without anyone (us included) being able to read the original.

Share

Who else sees it.

Six recipients see your data, depending on what you've done.

  • Brevo (Sendinblue SAS). Stores your newsletter subscription and sends the emails. Based in France.
  • Your matched installer. If you ask to be connected on a Full Pass verdict, we send your email, phone, postcode, and a verdict summary to one MCS-certified installer who covers your area. They use it to contact you about a heat-pump quote. One installer only, never a panel. Based in United Kingdom.
  • MHCLG (UK Government — gov.uk energy performance register). Receives postcode and certificate-number queries when you use the qualification check, and returns the energy certificate data on file. We don't tell them who you are; only the postcode you typed. Based in United Kingdom.
  • Google. Receives GA4 events if you accepted analytics. EU servers are used by default; some processing happens in the US. Based in EU and United States.
  • Microsoft. Receives Clarity session replays and heatmaps if you accepted analytics. Based in United States.
  • Sentry (Functional Software, Inc.). Receives a record of any uncaught error in our server code so we can fix it. Personal data such as postcode, email, phone, and request bodies is stripped before the record leaves our server. Based in EU (Frankfurt and Dublin).
  • Cloudflare. Hosts the site, runs the consent and qualification endpoints, and stores the consent log, qualification sessions, and lead introductions on our behalf. Based in EU (Frankfurt) for storage; global edge for site delivery.

That's the full list. We don't sell your details, don't share with marketers, and don't pass anything to insulation companies, energy suppliers, comparison sites, or installers. Installer matching is still being built; when it goes live, this page is updated and you're asked to accept again. The plain-English summary of who-sees-what lives on trust and privacy.

Keep

How long we keep things.

Each category has its own retention.

  • Newsletter contact. Kept until you unsubscribe (one-click link in every email) or ask us to delete it.
  • Consent record. Kept for around three years from creation, in line with the UK ICO's "as long as needed for evidence" guidance, then deleted.
  • Qualification session. Kept for 90 days from creation, then deleted. Up to two years if you ask us to save your HeatPass or to be matched with an installer. You can ask us to delete it sooner at any time.
  • Lead record (connect step). Created only when you submit the connect form on a Full Pass verdict. We keep it while you and the installer are still in contact, so we can route follow-ups, and delete it on request. Separate from the qualification session.
  • Server error reports. Kept for 30 days, then deleted. Personal data is stripped before the report leaves our server.
  • Analytics cookies. GA4's _ga and _ga_4L6DTRP281 last 2 years; Clarity's range from a session up to 1 year per cookie. Full table on the cookies page.

When a retention window ends we delete or pseudonymise the record. If you'd like a faster deletion, ask. The full per-cookie table is on cookies.

Abroad

Data leaving the UK.

Some recipients above are outside the UK, so storing data with them is a cross-border transfer. UK GDPR requires a lawful safeguard for each.

  • EEA recipients. Brevo's France servers and our hosted storage in Frankfurt. The UK has an adequacy regulation for the EEA, so no extra safeguard is needed.
  • US recipients. Google and Microsoft. We rely on the UK Extension to the EU–US Data Privacy Framework, plus standard contractual clauses where the framework doesn't apply.

If any of these arrangements changes, this page is updated and the policy version is bumped.

Rights

Your rights.

Under UK GDPR you can ask for a copy of the data we hold about you, ask us to correct anything that's wrong, ask us to delete it where the lawful basis allows, ask us to stop using it for a particular purpose, withdraw consent that you previously gave, and complain to the UK Information Commissioner's Office at ico.org.uk.

Email hello@heatpass.co.uk to exercise any of these. We aim to respond within seven working days; the legal maximum is one calendar month, extendable by two months for genuinely complex requests, with notice.

Updates

When this page changes.

This is policy version 1.2, last reviewed May 2026.

Version 1.2 is a wording-only pass: the same data, the same recipients, the same retention rules. We trimmed implementation-level detail (storage technology names, table names) that did not help anyone exercise a right or understand what we hold, and reframed retention windows as the dates that bind us rather than the engineering state. No new collection, no new recipient, no re-prompt.

Version 1.1 expanded the policy to cover the qualification check. Postcodes and a small subset of energy-certificate data are now stored in a 90-day session record. Two recipients (gov.uk's energy performance register and Sentry) were added to who else sees it, and the matching retention rules to how long we keep things.

When we add a new tracker, change a recipient, or expand the scope of what we collect, the policy version is bumped, the page is updated, and you're re-prompted to accept cookies. Smaller edits — typos, layout, or clarifications like the 1.2 pass above — get a version bump but no re-prompt.

The version of the policy you accepted is recorded against your consent record, so you can always look up exactly what you said yes to.

Ready when you are

That's the policy. Now the postcode.

Two minutes, your postcode, your home's verdict.