1. Introduction
Heat Scheme Limited is committed to protecting the privacy and security of personal data collected from our clients. This policy outlines our practices concerning the collection, use, and protection of personal data in compliance with the UK Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
2. Scope
This policy covers:
- Data collection and processing
- Purpose of data collection
- Data access and security
- Data storage
- Security audits
- Data subject rights
- Data retention and disposal
- Incident response
- Contact information
- Policy updates
3. Data Collection and Processing
We adhere to the principle of data minimization. We collect and process only the minimum amount of personal data necessary to provide our services. We collect personal data directly from our users through our web application during the sign-up process. The types of personal data we collect include:
- Name
- Email Address
- Home address
- Phone number
All personal data is processed internally by Heat Scheme Limited. We do not pass this data to, or process it through, any third parties.
4. Purpose of Data Collection
The personal data we collect is used solely for the purpose of providing specific consultation services to our clients. We do not use this data for any other purposes without explicit consent.
5. Data Access and Security
5.1 Access Controls
We implement strict role-based access controls to ensure that only authorized personnel can access personal data.
- Direct database access is limited to the Director and CTO, ensuring minimal exposure.
- Access to the database is restricted by IP whitelist, allowing access only from authorized IP addresses.
- Multi-Factor Authentication (MFA) is required for database access.
5.2 Security Measures
Our web application and database adhere to industry-standard security practices to protect the data from unauthorized access, alteration, disclosure, or destruction.
- All data in transit is encrypted using TLS (Transport Layer Security) protocols.
- All data at rest is encrypted using Azure’s encryption services (AES-256 with a unique built-in server certificate).
5.3 Password Management
Passwords for the application must be at least 12 characters long and include a combination of uppercase letters, lowercase letters, numbers, and special characters.
- Passwords are stored using strong hashing algorithms (bcrypt).
6. Data Storage
We use trusted services like Microsoft Azure for hosting our data, ensuring compliance with relevant data protection regulations.
7. Security Audits
Regular security audits are conducted on our application to identify and address any potential vulnerabilities.
8. Data Subject Rights
Heat Scheme Limited respects and upholds the rights of data subjects as outlined in the GDPR. These rights include:
- Right to Access: You can request access to your personal data by contacting us via email.
- Right to Rectification: If you believe any of your personal data is inaccurate or incomplete, you can request corrections by contacting us.
- Right to Erasure: You can request the deletion of your personal data at any time by contacting us. Please note that this may affect our ability to provide our consultation services to you.
- Right to Restrict Processing: You can request that we limit the processing of your personal data under certain circumstances.
- Right to Data Portability: You can request a copy of your personal data in a machine-readable format.
- Right to Object: You can object to our processing of your personal data for direct marketing purposes or based on legitimate interests.
- Right to Lodge a Complaint: In addition to the rights mentioned above, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes on data protection regulations. In the UK, the supervisory authority is the Information Commissioner's Office (ICO).
To exercise any of these rights, please contact us using the email provided in the Contact Information section.
9. Data Retention and Disposal
We retain personal data for as long as necessary to provide our consultation services. This typically means we will retain your data for as long as you maintain an active account on our site. Once you close your account or request data deletion, we will securely dispose of your personal data within 30 days, unless we are required to retain it for legal or regulatory reasons.
10. Incident Response
Heat Scheme Limited has a data breach policy in place. In the event of a data breach that poses a risk to the rights and freedoms of individuals, we will notify the affected individuals and the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Our policy sets out our methodology for identifying, reporting, and containing breaches, as well as for evaluating the risks and notifying the relevant parties.
11. Contact Information
For any queries related to data protection or to exercise your data subject rights, please contact our Data Protection Officer:
- Name: Patrick Dougherty
- Position: Director
- Email: info@heatscheme.co.uk
- Phone: 020 7126 8476
12. Policy Updates
This Data Protection Policy is reviewed annually and updated as necessary to reflect changes in our practices, technology, legal requirements, and other factors. We will notify users of any material changes to this policy via email or through a prominent notice on our website.
Last updated: 22/07/2024