Privacy Policy for EPC Choice Ltd
Introduction
EPC Choice Ltd (“EPC Choice”, “we” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all personal data obtained via our telephone services, website (including online forms and portals), marketing campaigns, and any other interactions with EPC Choice. We are the “data controller” for the personal data we process, which means we determine the purposes and manner in which your personal data is handled.
Contact Details: If you have any questions about this Privacy Policy or wish to exercise your rights (outlined below), you can contact us via email at [email protected] or by post at: Data Protection Officer, EPC Choice Ltd, 43 East Street, Bromley, Kent BR1 1QQ, United Kingdom. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe your data has been misused.
Personal Data We Collect and How We Use It
We collect personal data from you in a variety of ways, including through telephone calls, online forms and portals, and marketing activities. We only collect the data that is necessary for our specified purposes, and we ensure all processing has a lawful basis under the UK GDPR. Below is an overview of what information we collect, how we use it, and on what legal grounds:
- Personal Data via Phone Calls: When you call us or we call you, we may collect your name, contact details (phone number, email), property address or details (for arranging Energy Performance Certificates and compliance services), and any other information you choose to provide during the conversation. We use this information to respond to your inquiries, provide quotes, schedule services (such as EPC assessments), and otherwise perform our contract or take steps at your request prior to entering a contract. The lawful basis for processing these call details is usually performance of a contract (if you are arranging our services) or legitimate interests (if you are requesting information or a quote) – for example, it is in both your and our interests to use your contact and property details to organize the service you requested. Please note that for quality assurance and training purposes, calls are recorded (see the “Call Recording” section below for more details on why and how we record calls, the lawful basis we rely on, and retention periods).
- Personal Data via Online Forms and Portal: If you fill in forms on our website (such as a contact form or quote request form) or use our customer portal, we will collect the information you provide. This typically includes your name, email address, phone number, postal address, and details about your property or compliance needs. We use this information to provide the services you requested (for example, to generate an EPC quote, arrange an assessment, or register you for our portal), to communicate with you about your requests, and to maintain our business relationship. The lawful basis for this processing is usually contractual necessity (to take steps at your request or to fulfill a contract by providing our services) or legitimate interests (for example, to respond to general inquiries or improve our services). Our portal may also collect login credentials and usage data to ensure account security and functionality – this is processed under our legitimate interest in protecting our systems and users. Any optional information you provide (such as additional property details or preferences) will be used only for the specific purposes for which you provided it.
- Personal Data via Marketing Campaigns: We may obtain your personal data when you interact with our marketing campaigns or promotions – for example, if you enter your details in a landing page to receive a discount, give us your business card at an event, or respond to an online advertisement. The information collected might include your name, contact information, job title (if relevant), and indicated interest in our services. We will use this data to follow up with you about our EPC and landlord compliance services, send you relevant information or offers, and gauge the effectiveness of our marketing. The lawful basis depends on the context: in many cases we will rely on your consent (e.g. you ticking a box to request marketing communications), and in other cases we may rely on legitimate interests for business-to-business marketing or where the law permits a “soft opt-in” (see “Marketing Communications” below). In every marketing communication, we will give you a clear opportunity to opt out or unsubscribe. If we collected your details from a third-party lead source, we will ensure that the third party had a lawful right to pass your information to us (for example, you gave consent to be contacted by partners) and we will inform you of our privacy policy at the first appropriate opportunity, in line with your right to be informed.
- Personal Data from Other Sources: Occasionally we may receive personal data about you from other sources – for instance, if a letting agent, estate agent or other partner refers you to us for an EPC, or if we need to obtain Land Registry information for your property. In such cases, we will treat that data in accordance with this Privacy Policy and only use it for the purposes for which it was provided or a related compatible purpose. We will also inform you that we have obtained your data from a third party as required by law (typically at the first time we contact you, or within one month at the latest).
- Automatically Collected Data (Website Usage): When you visit our website, we automatically collect some technical information like your IP address, browser type, and browsing actions through cookies and similar technologies. We use this to administer and improve our website, to analyze traffic and usage patterns, and to tailor our communications or advertisements. Please see “Cookies and Website Tracking” below for more detail on these practices.
We will not collect any more information than is necessary for the purposes described above. We do not collect any special categories of personal data (such as racial or ethnic origin, political opinions, health data, etc.) in the ordinary course of our business. We also do not intentionally collect information from children, as our services are aimed at adult property owners, landlords, and businesses.
Call Recording
Scope: EPC Choice records all inbound and outbound telephone calls across our departments. This includes calls to our customer service line, sales inquiries, and any other calls with our staff. We record calls to ensure we deliver a high-quality service and for the purposes outlined below.
Purposes of Call Recording: Call recordings are used exclusively for legitimate business purposes, including:
- Training and Quality Assurance: We listen to selected recordings to train our staff, to monitor the quality of customer service, and to identify areas for improvement. This helps us maintain high standards and consistency in our communications.
- Record-Keeping and Accuracy: Recordings create an accurate record of what was discussed or agreed during a call (for example, the details of an appointment booking or specific instructions you provide). This protects both you and us – it helps resolve any disputes or misunderstandings by referring to the exact conversation.
- Compliance and Security: In certain cases, recordings may be used to detect or prevent fraud, to ensure compliance with our legal obligations, or to defend our legal interests. For example, if you make a complaint or if there is a legal claim, the call recording may serve as evidence of what was communicated.
We do not use call recordings for any automated decision-making or for marketing purposes. Recordings are never shared or sold to any third-party for their own purposes. They are accessed only by authorized personnel on a need-to-know basis (such as our training team, quality supervisors, or legal/compliance staff if relevant).
Lawful Basis: The lawful basis for recording calls is our legitimate interests in running an effective business and delivering a good service. We have conducted a Legitimate Interests Assessment to ensure that recording calls is necessary and proportionate for the above purposes and that it does not override your privacy rights. We also take into account that call recording is a standard practice for quality assurance in our industry, and we mitigate privacy impact by providing clear notice and strict access controls. In some circumstances, call recording may also be necessary for performing a contract (for example, if you place an order by phone, the recording helps fulfil and document the contract) or to comply with legal obligations (if regulations required us to retain certain call records, although this is unlikely for our specific services).
Notice to Callers: We are committed to transparency about call recordings. At the start of each call, you will hear a disclosure such as: “Please note, all calls are recorded for training and quality purposes.” This upfront notice ensures that you are informed that the call will be recorded. If you continue with the call after hearing this notice, we will assume you are aware of and do not object to the recording. If you prefer not to be recorded, you may choose to end the call and contact us by alternative means (such as email), or let us know your concerns – where feasible, we will try to accommodate requests (for example, we may be able to arrange a call on a line that is not recorded or pause the recording, especially if sensitive information like payment card details needs to be given).
Retention Period for Recordings: Call recordings are retained for a limited period. We retain recorded calls for 12 months from the date of the call, after which they are securely deleted. This retention period is designed to be long enough to cover our operational needs (for instance, to review a call for training within a year or to resolve any disputes or follow-up issues that arise shortly after the call) but not longer than necessary in line with data protection principles. In general, 6–12 months is considered a reasonable retention period for call recordings kept for training and quality purposes. After 12 months, call audio files are permanently erased or anonymized, unless we are legally required to keep a specific recording for a longer period (for example, in the context of an ongoing legal dispute or investigation).
Security of Recordings: All call recording files are stored on secure systems. We implement appropriate technical and organizational security measures to protect call recordings from unauthorized access or disclosure. This includes encryption and access controls to ensure only trained, authorized staff can listen to recordings. Our call recording system is maintained in the UK (or if using a trusted cloud provider, on servers that ensure UK GDPR-equivalent protection). We do not transfer call recordings overseas unless adequate safeguards are in place (see “International Data Transfers” below).
Your Rights Regarding Call Recordings: Because call recordings may contain your personal data (your voice and the information you share), they are treated as personal data under the UK GDPR. This means you have the same rights over call recordings as with other personal data. You may request access to a copy of a call recording involving you, or ask us to erase it or restrict its processing if you have valid grounds (for example, if you believe it wasn’t lawfully recorded). We will review such requests on a case-by-case basis, as sometimes we may need to retain a recording (e.g. to establish or defend legal claims). To request a copy or deletion of a call recording, please contact us as described in the “Your Rights” section. We may need to ask for details (such as the date and time of the call and the phone number used) to locate the correct recording, and for proof of identity, before we can release or erase call data.
Cookies and Website Tracking
Like most websites, our site uses cookies and similar tracking technologies to provide a smooth experience and to help us understand how people use our services. Some of these cookies are necessary for the website to function, while others are optional and help us with analytics and advertising. Here we explain what cookies we use and how:
- What Are Cookies: Cookies are small text files placed on your device when you visit our site. They allow the website to recognize your device and store certain information about your preferences or past actions. For example, a cookie might remember that you’re logged into our portal, or record which pages you visited and when.
- Types of Cookies We Use:
  - Strictly Necessary Cookies: These cookies are essential for the operation of our website and portal. They enable core functionality such as security, network management, and accessibility (for instance, keeping you logged in as you navigate between pages). These cookies do not require consent as they are needed to deliver the service you requested (per the Privacy and Electronic Communications Regulations 2003 (PECR)). You cannot disable essential cookies via our banner, but you can set your browser to block them (however, parts of the site may not work as a result).
  - Analytics Cookies: We use analytics tools (for example, Google Analytics) to collect information about how visitors use our website. This includes which pages are viewed, how long users stay, how they navigate the site, and errors encountered. The data collected may include your IP address, browser type, and device information, but we configure these tools to anonymize or mask IP addresses where possible. We use this information in aggregate form to improve our website’s usability and content. These analytics cookies will only be set with your consent. When you first visit our site, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. If you opt in, the lawful basis for processing the analytics data is your consent (UK GDPR Article 6(1)(a)). If you decline, we will not set analytics cookies, and your visit will not be tracked by these tools. You can also withdraw your consent later by using our Cookie Settings link on the website or by clearing cookies in your browser.
  - Advertising & Remarketing Cookies: We participate in online advertising networks such as Google Ads to show you relevant advertisements for our services on other websites. To do this, we (or third-party advertising partners) may set tracking cookies or pixels on your device when you visit our site. These cookies do not store directly identifying personal information (like your name), but they tag your browser with the fact that it visited our site. This allows us to “remarket” to you – for example, if you visited our EPC services page, you might later see an ad for EPC Choice on another site in the Google display network. Third-party vendors (like Google) use these cookies to serve our ads on other websites based on your prior visits to our site. The use of advertising cookies is subject to your consent via our cookie banner. If you consent, the lawful basis is consent; if you do not, we do not set these cookies. You can also opt-out of Google’s use of cookies for ads at any time by adjusting your Google Ad Settings, and you can control cookies from other ad networks via YourOnlineChoices.com (for UK users).
  - Functional Cookies: In addition to the above, we might use certain cookies to enhance website functionality, such as remembering your preferences (e.g., your preferred language or region). These may be treated as non-essential (requiring consent) unless strictly needed.
- Cookie Consent and Control: When you first visit our site, you will see a cookie notice explaining that we use cookies and giving you the option to accept or reject non-essential cookies. We will not set analytics or marketing cookies on your browser without your affirmative consent (e.g. clicking “Accept” on the banner). You can change your cookie preferences at any time by using the cookie management tool on our website (often accessible via a “Cookies” link or icon). Additionally, most web browsers allow you to control cookies through their settings, including blocking third-party cookies or all cookies, and deleting cookies. Refer to your browser’s help documentation for instructions on how to do this (for example, the ICO provides guidance and links for controlling cookies on major browsers). Please note that if you disable cookies entirely, some features of our site (particularly the portal login and session features) may not function properly.
- Web Analytics: If we use Google Analytics or similar analytics services, be aware that these providers might process data on servers outside the UK (Google Analytics data may be processed in the United States or other locations). However, we have configured our analytics to comply with data protection requirements: for instance, Google Analytics can be set to anonymize IP addresses in the EU/UK, and we have accepted Google’s Data Processing Addendum which incorporates the UK standard contractual clauses for data transfer (see “International Data Transfers” below). The analytics data we see is aggregated and does not directly identify individual users. It simply helps us understand overall user behavior and website performance.
- Third-Party Content and Links: Our website may include links to third-party websites or embedded content (like maps or videos). Clicking those links or viewing that content may allow those third parties to set their own cookies or collect data about you. We do not control third-party cookies and recommend you read the privacy/cookie policies of those sites for information. For example, if we embed a YouTube video or a Google Map, Google may set cookies for its own purposes.
For more detailed information, please refer to our separate Cookie Policy (if available on our website). By using our site with cookies enabled in your browser, you are agreeing to our use of cookies as described here. We strive to adhere to all applicable cookie laws and guidance (including PECR and ICO guidance), meaning we seek clear, affirmative consent for non-essential cookies and provide all required information about their use.
Email and SMS/WhatsApp Marketing Communications
This section explains how we use personal data for direct marketing via email and SMS/WhatsApp (text messages), and the steps we take to ensure compliance with privacy laws. We engage in direct marketing to inform our customers and prospects about our latest services, updates, offers, and insights relevant to EPCs and landlord compliance. However, we respect your choice and privacy, and you will not receive unwanted marketing from us.
Lawful Basis for Marketing: Under UK data protection and e-privacy laws, we will only send you marketing emails or texts if we have an appropriate legal basis to do so. This will be either:
- Your Consent: In most cases, we will ask for your consent to send you promotional emails or SMS/WhatsApp messages. For example, when you fill out an online form or deal with us, we might ask you to tick a box agreeing to receive our newsletter or special offers. If you give consent, we will rely on Article 6(1)(a) UK GDPR as our lawful basis to send you marketing messages. You have the right to withdraw your consent at any time, and we will make it easy to do so (see “Opt-Out” below).
- “Soft Opt-In” (Legitimate Interests): There is a limited exception (often called the soft opt-in) that allows us to send marketing emails/SMS/WhatsApp to existing customers even if they haven’t explicitly consented, provided certain conditions are met. We may rely on this if: (a) you purchased a service from us or entered negotiations to do so (e.g. requested a quote or booking); (b) we are marketing similar services to you (for example, reminding you of renewal services or offering a related compliance service); and (c) we gave you a clear opportunity to opt out of marketing at the point we collected your details and in every message thereafter. In this scenario, our lawful basis is legitimate interests (UK GDPR Article 6(1)(f)), as we have a legitimate interest in promoting our services to those who have shown interest or are existing customers, and we consider that this is not overridden by your rights due to the safeguards in place (opt-out options and relevant content). Note: This soft opt-in applies only to individual customers (including sole traders) – we treat corporate recipients slightly differently (see below).
Regardless of the basis, we will never send you unsolicited marketing if you have told us you do not want it. We also do not share or sell your contact details to other companies for their own marketing.
Opt-Out Mechanisms: Every marketing email we send will include an “unsubscribe” link in the footer. You can click that link to instantly stop receiving further emails from us. For SMS/WhatsApp messages, you may be given instructions such as replying “STOP” to opt out. You can also contact us at any time (by email or phone) and request to be removed from marketing lists. We will process any opt-out request as soon as possible, and certainly within a few days. There is no charge for opting out, and opting out will not affect any services you have with us (you will still receive operational or service-related communications but not marketing content).
Scope of Marketing: The types of marketing communications you might receive include: a periodic newsletter with energy efficiency tips or regulation updates; promotions or discounts on our services; announcements of new services or service areas; or requests for feedback or reviews. We aim to send a reasonable volume of messages and not spam you. Typically, emails might be sent a few times a month at most, and SMS/WhatsApp only for urgent or special offers if you consented to those.
Third-Party Marketing: We will not send you third-party marketing unless you specifically consent to it. Similarly, we will not provide your details to other companies for them to market to you, without your consent. If our practices change in the future, we would seek your explicit permission.
Business-to-Business Communications: If you represent a corporate entity (e.g., you are an employee of a landlord company or estate agency), we may send marketing emails to your work email on the basis of legitimate interests even without prior consent, as B2B emails are not subject to the same strict consent rules under PECR. However, you will still have the right to opt out, and we will honor any “do not contact” requests from businesses or employees. We maintain suppression lists to ensure we don’t accidentally contact those who have unsubscribed.
Compliance with PECR: Our approach to e-mail and SMS/WhatsApp marketing is designed to comply with the UK Privacy and Electronic Communications Regulations. These regulations require consent for unsolicited electronic marketing to individuals, with the soft opt-in exception for customers. We keep records of how and when consent was obtained, and we include our identity and contact details in every message (as required by law). We also check telephone numbers against the Telephone Preference Service (TPS) before making any marketing calls, and will not make marketing calls to numbers that have opted out of marketing calls. (Marketing calls are relatively rare for us and generally only made to business contacts or individuals who have expressly requested a call-back).
Profiling and Segmentation: We may sometimes segment our contact list to send more relevant marketing (for example, distinguishing between residential landlord clients and commercial property clients to send tailored content). We might use data like your past service history or location to do this. However, we do not make any automated decisions that have legal or similarly significant effects on you without human involvement. You have the right to object to any profiling for direct marketing – if you do, we will cease any analysis of your data for marketing purposes and simply keep you on a general do-not-contact list.
In summary, we aim to keep our marketing respectful and transparent. You will only hear from us if it’s lawful to do so, and you can change your mind at any time. Your decision regarding marketing communications will not affect the service we provide to you as a client.
Sharing of Personal Data
We treat your personal data with care and confidentiality. We do not sell your personal information to third parties for their own marketing or commercial purposes. However, in the course of running our business and providing our services, we may need to share your data with certain trusted parties. We only share the data that is necessary, and we ensure that any third party recipient has a duty to protect your information and use it only for the specified purpose. The key instances in which we share personal data are:
- Service Providers: We use a number of third-party service providers to operate our business. These include IT hosting companies (for our website and database), cloud storage providers, customer relationship management (CRM) software, email service platforms, SMS/WhatsApp delivery services, and call recording/telephony platforms. We also might use payment processors if you pay us via credit card or direct debit. These providers act under our instructions and are data processors for us. We have contracts in place with each of them that require them to protect your data to UK GDPR standards and not use it for any other purpose. For example, if we use an email marketing platform to send our newsletters, that platform will store your email address and the content of emails but only to send our communications as instructed by us.
- EPC Assessors and Compliance Partners: In order to carry out our services, we may share details with qualified energy assessors, surveyors, or other subcontractors who perform the EPC assessments or compliance checks on our behalf. For instance, if you book an EPC assessment, we might assign a local accredited energy assessor to visit your property. We will provide them with the information needed to perform the service – typically your name, property address, contact details, and service request details. These assessors are either our employees or bound by confidentiality agreements and data protection obligations as our contractors. They are only allowed to use your data to carry out the service and must handle it securely.
- Business Partners and Referrals: If your interaction with us came via a referral partner (for example, an estate agent or landlord association that directed you to us), we might share basic information back to that partner for tracking commissions or performance (e.g., confirmation that an EPC was carried out for a referred client). We will not share more than necessary, and where possible we will inform you if such sharing is expected. We will never share your data with another organization for them to market to you, unless you have given consent.
- Legal Requirements and Protection: We may disclose personal data to third parties if required by law or if we believe in good faith that such action is necessary to: (i) comply with a legal obligation or lawful request (for example, a court order, regulatory request, or law enforcement inquiry); (ii) enforce our contractual terms or other agreements; (iii) detect, prevent, or address fraud or security issues; or (iv) protect the rights, property, or safety of EPC Choice, our customers, or others. For example, we might provide information to government bodies like Trading Standards or the Information Commissioner’s Office if they lawfully require it.
- Corporate Transactions: If in the future we undergo a business transaction such as a merger, acquisition by another company, or sale of some or all assets, personal data may be transferred to the successor or acquiring entity as part of the transaction. In such cases, we will ensure the confidentiality of the personal data is maintained and that you are notified before your data becomes subject to a different privacy policy.
In all cases of sharing, we adhere to the principle of data minimisation – only sharing what is necessary for the purpose. We also assess the third parties for their data protection standards. Our contracts with processors contain appropriate data protection clauses (including, where applicable, Standard Contractual Clauses for international data transfers – see next section). Where third parties are independent controllers (e.g., an authority or partner), we ensure they have an appropriate legal basis and necessity for any data we provide.
If you would like more information about the third parties with whom we may share data (or a current list of subprocessors), you can contact us. We’re happy to provide transparency regarding which vendors handle your personal information on our behalf.
International Data Transfers
EPC Choice primarily stores and processes personal data within the United Kingdom. However, some of our service providers or partners may be located outside of the UK, which means your personal data could be transferred or accessed in other countries. In particular, we sometimes use cloud-based services or software providers based in the United States or other countries. For example, if we use an email newsletter service, customer database, or analytics platform provided by a US company, data (such as your email address or website usage data) might be transferred to or accessed from the US.
Risks of International Transfers: Countries outside the UK (and EEA) may not have the same data protection laws as the UK. This means personal data might not be automatically protected to the same standard if it is sent to, say, the US or Asia. The UK GDPR imposes rules to ensure that when we transfer personal data abroad, the protection travels with it.
Our Safeguards: Whenever we transfer your personal data outside the UK, we will ensure that one of the following conditions is met to legitimize the transfer:
- Adequacy Decision: We will send data only to countries that the UK government has formally decided have an “adequate” level of data protection. (As of now, the UK has adequacy regulations for countries such as members of the EEA, Canada (commercial organizations), Japan, New Zealand, etc. The US is not currently generally deemed adequate by the UK, except for specific frameworks.) If an adequacy regulation covers the destination country, your data will be transferred under that safeguard.
- Standard Contractual Clauses: In the absence of an adequacy decision, we use legally-approved standard data protection clauses (Standard Contractual Clauses, or SCCs) recognized under Article 46(2) of the UK GDPR to contractually require the recipient to give your data equivalent protection. For example, our contracts with US-based cloud providers include UK SCCs (and/or the new UK International Data Transfer Addendum) which oblige the provider to protect your information, honor your rights, and, if applicable, resist or notify us of any access requests from foreign authorities so we can challenge unwarranted disclosures.
- Other Safeguards: In some cases we might rely on other permitted mechanisms, such as binding corporate rules (if we were transferring within a corporate group, though currently we operate primarily in the UK only) or adherence to an approved code of conduct or certification. If the recipient participates in a recognized international framework (for instance, if a US recipient is certified under a UK-accepted Privacy Shield successor framework), we may rely on that once it’s approved by UK authorities.
- Derogations: We will only rely on the specific exceptions in Article 49 UK GDPR for transferring data (such as your explicit consent, or where the transfer is necessary for our contract with you or for the establishment or defense of legal claims) in exceptional cases. Our policy is to always ensure equivalent protection via an adequacy or contractual measure whenever possible.
Examples: Practically, what this means is that if we use Microsoft or Google cloud services (which might involve servers globally), or if our customer support software is hosted in the US, we will have in place an agreement incorporating SCCs. Similarly, if we work with an overseas consultant or partner who needs access to data, we will ensure a proper data transfer agreement is in effect.
Your Rights and Remedies for International Transfers: Regardless of where your data is processed, we will uphold your rights (see “Your Rights” below). If personal data is transferred outside the UK, you are entitled to be informed of the transfer and the safeguards in place – which is one reason we’re providing this detail. If you’d like more information about international data transfers (for example, to obtain a copy of the relevant SCCs or learn which countries we may transfer data to), you can contact us. Please note that while we can confirm the safeguards, some contract details may need to be redacted for confidentiality.
We continuously monitor developments in data transfer law. If there are changes (for example, new rules or court decisions affecting transfers), we will adapt our practices. Our goal is to ensure that your personal data enjoys a high level of protection no matter where it is handled.
Data Retention
We will only keep your personal data for as long as it is necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In compliance with the UK GDPR’s principle of “storage limitation,” we have defined retention periods for different categories of data. Below is a summary of our retention practices:
-
Service and Contract Data: If you become a customer of EPC Choice (for example, you commission an EPC or compliance service), we will retain your contact details, service records, contracts, and related correspondence for up to 6 years after the end of our contract or last interaction with you. This period is based on the statute of limitations under UK law for contractual claims – six years is the typical period in which either party could raise a legal claim relating to the contract. Keeping records for this duration is considered an industry standard to protect both our interests and yours in case any disputes arise. It also helps us serve you better if you come back to us within that time frame (for example, having records of your property’s past EPC). After 6 years of inactivity (no services or engagements), we will securely delete or anonymize your personal data associated with that contract, unless a longer period is required for legal reasons (such as ongoing litigation).
-
Prospective Customer Data (Quotes and Inquiries): If you contacted us for a quote or information but did not proceed to a service, we will typically retain your personal data for approximately 12 to 24 months from the date of our last interaction. We keep it for a short period in case you decide to proceed or have follow-up questions, and also to ensure we don’t immediately re-contact you with the same offer. However, if you asked to not be contacted, we will move your details to a suppression list to ensure we respect that (and only keep minimal info needed to honor your no-contact request). Quote records older than 1-2 years that never became customers are periodically purged as they are unlikely to remain relevant.
-
Call Recordings: As noted in the “Call Recording” section, recorded calls are kept for 12 months and then deleted. Any recording that we determine is needed longer (for example, due to a complaint investigation) will be isolated and stored only as long as necessary for that specific issue, then erased.
-
Marketing Data: If you have consented to receive marketing, we will retain the personal data necessary for that (e.g. your name, email, phone) until you unsubscribe or otherwise tell us you no longer wish to receive our marketing. If you unsubscribe or opt-out, we will promptly remove you from our active mailing lists, and we may keep your contact details in a suppression list indefinitely to ensure we do not accidentally send you further marketing. If we obtained your data for a marketing campaign and you never engaged or responded, we may delete your data after a certain period (for example, 2 years) to avoid retaining data about non-responsive prospects indefinitely.
-
Website Data (Cookies): Data collected via cookies and similar technologies is retained according to the type of cookie. For instance, Google Analytics data may be retained for 14 months or a duration we configure in the analytics tool. Advertising cookies persist for varying times (some up to 90 days, others longer) as set by the third parties, but they can be cleared by you at any time via your browser. We respect the expiration of cookies and do not forcibly prolong them. For more details, see our Cookies section or Cookie Policy.
-
Legal and Financial Records: We retain invoices, payment records, and accounting records for at least 6 years as required under UK tax law (HM Revenue & Customs requires businesses to keep financial records for 6 years). If any personal data is contained in those records (e.g. your name on an invoice), it will be retained as part of our legal obligation in accounting. Similarly, if we have records of consents or preferences (proof of consent for GDPR, for example), we may retain those as long as needed to demonstrate compliance (which could be up to 6 years if tied to a contract, or until you withdraw consent plus a short period).
-
Job Applications: (Note: if applicable) If you apply for a job with us and provide personal data, we typically retain unsuccessful application data for up to 6–12 months and successful candidates’ data as part of their employment record in line with employment laws. (This may not be relevant for a customer-facing privacy policy, but we note it for completeness if we were collecting such data through the site.)
After the applicable retention period has elapsed, we will securely destroy or anonymize personal data. “Anonymizing” means we remove personal identifiers so that the data can no longer be associated with you, and it may then be used for statistical analysis or business planning without further notice. For example, we might keep anonymized trends about how many EPCs were done in each region per year, but not keep your name attached to that record.
Extension of Retention: In certain circumstances, we may keep data for longer than the periods above, for instance:
-
If there is a legal dispute or investigation, we will retain data until it is resolved and no further action is anticipated, even if this extends beyond normal retention.
-
If a regulation mandates a different retention period for specific data, we follow that law.
We periodically review the data we hold and securely dispose of anything no longer needed.
Our goal is to not retain personal data indefinitely or “just in case”. If you have questions about our retention schedule for a particular type of record, please contact us.
Data Security
We take the security of your personal data seriously. EPC Choice implements appropriate technical and organizational measures to prevent unauthorized access, loss, alteration, or disclosure of personal information. These measures include, but are not limited to: access controls to limit which employees or contractors can see your data; secure password policies and two-factor authentication on our systems; encryption of data where applicable (both in transit and at rest, for sensitive information); firewall and antivirus protections for our IT infrastructure; and regular training of staff on data protection best practices. We also pseudonymize or anonymize data if we need to use it for internal testing or analytics in a way that doesn’t require your identity.
Although we strive to protect your information, no method of electronic storage or transmission is 100% secure. However, we follow industry standards to ensure a level of security appropriate to the risk. In the unfortunate event of a data breach that poses a high risk to your rights and freedoms, we will notify you and the ICO as required by law.
Your Rights
Under the UK GDPR and the Data Protection Act 2018, you have a number of important rights in relation to your personal data. We respect these rights and have processes in place to enable you to exercise them. These rights include:
-
Right to Be Informed: You have the right to be given clear, transparent information about how we collect and use your personal data. This Privacy Policy is part of fulfilling that right. We also provide just-in-time notices where appropriate (for example, a notice on a form explaining why we ask for certain details).
-
Right of Access: You can request a copy of the personal data we hold about you, as well as supplementary information (such as the purposes of processing or the categories of data). This is commonly known as making a “Data Subject Access Request.” We will provide you with a copy of the information in a commonly used format, normally within one month of your request. If you have an account on our portal, you may also have the ability to directly view certain personal data we hold (like your contact information and service history).
-
Right to Rectification: If any personal data we have about you is inaccurate or incomplete, you have the right to have it corrected or completed. Upon your request, we will rectify any errors in your personal data. If we have shared the incorrect data with others, we will, where possible, inform them of the correction as well.
-
Right to Erasure: This is also known as the “right to be forgotten.” In certain circumstances, you can ask us to delete or remove personal data we hold about you. This right is not absolute – it applies, for example, if the data is no longer needed for the original purpose, if you withdraw consent (and no other legal basis applies), or if you object to processing and we have no overriding legitimate grounds to continue, among other scenarios. We will assess requests on a case-by-case basis. Please note, for instance, we may not be able to delete data that we are required to keep by law or which is necessary for legal claims. But we will always inform you of the outcome and reasoning.
-
Right to Restrict Processing: You have the right to request that we “pause” or suppress the processing of your personal data in certain circumstances. This might apply if you contest the accuracy of the data (until we verify it), or if you have objected to processing (until we determine if our grounds override yours), or if processing is unlawful but you don’t want full erasure, or if we no longer need the data but you need us to keep it for a legal claim. When processing is restricted, we can still store the data but not use it for other purposes without your consent (except for vital reasons like legal claims or public interest). If restriction is lifted, we will inform you.
-
Right to Data Portability: For any personal data you provided to us and which we process by automated means under consent or contract, you have the right to request that we provide it to you in a structured, commonly used, machine-readable format (for example, a CSV file), or transfer it to another controller where technically feasible. This right primarily applies to data you actively gave us (like account details) rather than data we generated. If you request it, and it’s applicable, we will supply the data in a suitable format or transmit it directly if possible.
-
Right to Object: You have the right to object to certain types of processing of your personal data. Most notably, you can object to processing based on legitimate interests or to direct marketing. Direct Marketing: If you object to marketing, we will stop processing your data for that purpose immediately – as noted above, you can always unsubscribe from emails or let us know to stop texts/calls and we will honor that. Legitimate Interests: If you object to processing that we undertake on the basis of our legitimate interests (or those of a third party), we will consider your objection. We will be required to stop processing unless we have compelling legitimate grounds that override your rights or if the processing is needed for legal claims. For example, you might object to us using your data for statistical purposes – if it’s purely internal and anonymized, we’d likely continue, but if it identified you and you have a valid objection, we’d stop or anonymize it.
-
Rights in Relation to Automated Decision-Making and Profiling: You have rights to not be subject to decisions based solely on automated processing (including profiling) that have legal or similarly significant effects on you, unless certain exceptions apply. As noted, EPC Choice does not carry out such automated decision-making. We do not, for instance, automatically approve or reject services based on a computer algorithm without human involvement. In any event, if we ever did, you would have the right to obtain human intervention, to express your point of view, and to contest the decision.
In addition to the above, if we are processing your personal data based on consent, you have the right to withdraw that consent at any time. For example, you can withdraw consent to marketing emails by unsubscribing, or consent to cookies by changing your cookie settings. Withdrawal of consent will not affect the lawfulness of processing that occurred before the withdrawal.
Exercising Your Rights: You can exercise any of your rights by contacting us using the contact details provided in the Introduction. For efficiency, you may email our Data Protection Officer at [email protected] with your request. Please provide enough information for us to identify you (we may need to verify your identity to make sure we don’t give your data to someone else – for example, by asking you to confirm some details we have on file). Also describe the nature of your request clearly – e.g., “I am requesting a copy of my personal data that you hold” or “Please correct my phone number” etc. If you are not sure how to word it, just contact us and we will guide you.
We will respond to requests as soon as possible, generally within one month as required by law. If your request is particularly complex or if you have made a number of requests, we may extend this by up to two further months, but we will inform you of this extension within the first month and explain why it’s necessary. In most cases, we will not charge a fee for handling your request. However, if a request is manifestly unfounded or excessive (for example, repetitive), we are permitted by law to either charge a reasonable fee or refuse the request. If we refuse a request, we will explain our reasons, and you have the right to complain to the ICO.
Right to Complain: If you believe we have not complied with your data protection rights, you can complain to the ICO (Information Commissioner’s Office), which is the UK’s supervisory authority for data protection issues. You can find more information on the ICO website or call their helpline at 0303 123 1113.
We kindly ask that you first give us the opportunity to address your concerns by contacting us, as we take privacy seriously and will do our best to resolve any issues.
Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make significant changes, we will notify you by appropriate means – for example, by posting a prominent notice on our website or by contacting you via email (if the changes materially affect your rights or if we are required to do so). The “last updated” date at the end of this policy indicates when the latest changes were made. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
If we ever wish to use your personal data for a new purpose not covered by this Privacy Policy, we will provide you with a new notice explaining that use and its lawful basis, and, if required, seek your prior consent.
Contact Us
Email: [email protected]
Postal Address: Data Protection Officer, EPC Choice Ltd, 43 East Street, Bromley, Kent BR1 1QQ, UK
Telephone: 0208 522 0001 (All calls are recorded)