Privacy Policy

Shires Energy Ltd ("Shires Energy", "we", "us", "our") is a company registered in England and Wales, company number 15781479, with its registered office at 9 Goldington Road, Bedford MK40 3JY, United Kingdom.

We are the data controller for the personal data described in this policy. For any privacy-related question, including subject access requests, contact us at privacy@shiresenergy.com.

This policy covers personal data collected through our website (shiresenergy.com), our customer portal, our staff systems, telephone and email correspondence, on-site visits, and any sales or installation engagement with us.

• Identity & contact data, name, company, role, email, phone, postal/site address.
• Project data, site location and characteristics, energy use, planning/grid information, photos and 3D scans of your property, project notes.
• Account data, login credentials and authentication tokens for the customer portal (we do not store passwords ourselves; authentication is handled by our backend provider).
• Communications data, the content of emails, callback requests, booking forms, and free-text notes you submit.
• Technical data. IP address, browser/device type, pages visited, referrer, and a pseudonymous visitor ID used to measure site usage.
• Marketing data, your preferences for receiving communications from us.

We do not knowingly collect special category data (e.g. health, ethnicity, political opinion) and ask that you do not submit such data through our forms.

Under UK GDPR Article 6, we rely on the following lawful bases:

Where we rely on legitimate interests, we have carried out a balancing test to ensure our interests do not override your rights and freedoms. You can ask for a summary of any such assessment.

We only collect personal data we genuinely need for the purpose stated, and we keep free-text fields optional wherever possible. Where AI-assisted intake is used to structure information you provide, we limit what is sent to the model to the minimum needed to extract structured fields, and we do not send special category data. You can always provide information by phone or email instead of through any chat interface.

We share personal data only with carefully selected processors and partners:

• Backend & database hosting, for storing your account, project records and files.
• Email delivery, for transactional and (where consented) marketing emails.
• AI model providers, when you use AI-assisted features (e.g. intake chat), the prompt content is processed by the model provider on the paid commercial tier under contractual terms that prohibit using your data to train their models.
• Calendar & meeting tools, to schedule site visits and calls.
• Installation sub-contractors, when work on your site requires it, under written confidentiality.
• Professional advisers, accountants, lawyers, insurers, where necessary.
• Authorities, where we are legally required to disclose (e.g. HMRC, courts, regulators).

We do not sell your personal data, ever.

Some of our processors are based outside the UK. Where this happens, we rely on the UK Government's adequacy regulations or, where none applies, the UK International Data Transfer Agreement / EU Standard Contractual Clauses with the UK Addendum, plus additional safeguards as appropriate.

• Enquiries and unsuccessful leads, up to 24 months from last contact.
• Active customer projects, for the duration of the project plus the warranty period.
• Financial records, at least 6 years from end of the relevant accounting period (UK statutory minimum).
• Marketing consent records, until you withdraw consent, plus a short retention to evidence the withdrawal.
• Site analytics events, up to 26 months in pseudonymous form.

Under UK GDPR you have the right to:

• Access the personal data we hold about you (subject access request)
• Rectification of inaccurate data
• Erasure ("right to be forgotten") in certain circumstances
• Restriction of processing
• Data portability (for data you provided, processed by automated means)
• Object to processing based on legitimate interests or for direct marketing
• Withdraw consent at any time, where processing is based on consent
• Not be subject to a decision based solely on automated processing that has a legal or similarly significant effect on you (we do not currently make such decisions)

To exercise any of these rights, email privacy@shiresenergy.com. We will respond within one calendar month.

You also have the right to complain to the UK supervisory authority, the Information Commissioner's Office (ICO), though we would appreciate the chance to address your concern first.

We use a small number of strictly-necessary cookies for security and session management, and a pseudonymous visitor identifier to measure site usage. Optional analytics or marketing cookies are only set with your consent. See our Cookie Policy for details and to change your preferences.

We use Row-Level Security on our database, encrypted connections (TLS), least-privilege access for staff, and audit logging on sensitive operations. We review our security posture regularly. No system is perfectly secure; if we ever detect a personal data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and you without undue delay.

Our services are aimed at landowners and businesses. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us and we will delete it.

We may update this policy from time to time. The "last updated" date at the top reflects the most recent change. For material changes affecting how we use your data, we will give reasonable advance notice by email or website notice.