Privacy Policy | ZESTEC Services Limited

1. Introduction

ZESTEC SERVICES LIMITED ("we," "us," or "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (www.zestecservices.com), use our services, or otherwise interact with us.

We provide renewable energy and electrical design consultancy services, including solar PV, battery energy storage systems (BESS), EV charging infrastructure, and general AC electrical design across domestic, commercial, and industrial sectors.

Data Controller:
ZESTEC SERVICES LIMITED, registered in England and Wales, Registered Office: 20 Wenlock Road, London, England, N1 7GU. Company Registration Number: 16566434.
Data Protection Contact: dataprotection@zestecservices.com

2. Information We Collect

We collect the following categories of personal data:

2.1 Personal Data You Provide Directly

Contact details: name, email address, phone number, postal address
Company information: company name, job title, company registration details
Project information: details submitted via design request forms, consultation enquiries, or quotation requests
Financial information: bank details, payment information, invoicing details
Communications: correspondence via email, phone, contact forms, and social media
Contract information: signed agreements, purchase orders, and related documentation

2.2 Project Data

Technical documents: single-line diagrams (SLDs), PV designs, cable calculations, site surveys, and photographs uploaded for technical reviews
BESS and EV charging specifications and infrastructure details
MPAN details and DNO correspondence

2.3 Usage Data (Collected Automatically)

IP address, browser type, device information, and operating system
Pages visited, time spent on pages, and navigation paths
Referring website and search terms used
Cookies and similar tracking technologies (see Section 8)

2.4 Data from Third Parties

Information from business partners, subcontractors, or referral sources
Publicly available information from Companies House, LinkedIn, or professional directories
Credit reference information (where relevant to commercial arrangements)

3. How We Use Your Information

3.1 Service Delivery

To provide renewable energy design consultancy services (solar PV, BESS, EV charging, electrical design)
To perform technical reviews, calculations, and compliance assessments
To respond to enquiries and deliver quotations
To manage project delivery, milestones, and communications

3.2 Contract Management

To process payments, issue invoices, and manage accounts
To administer retainer packages and project-based engagements
To manage subcontractor relationships and installation framework agreements

3.3 Business Operations

To analyse website usage and optimise user experience
To improve our services based on feedback and usage patterns
To send marketing communications (with your consent)
To maintain our quality management system and professional standards

3.4 Legal and Regulatory Compliance

To comply with legal obligations (HMRC, Companies House, professional body requirements)
To establish, exercise, or defend legal claims
To maintain professional indemnity insurance records
To comply with health and safety legislation

4. Lawful Bases for Processing

We process personal data on the following lawful bases under UK GDPR:

Contract Performance (Art. 6(1)(b)): Service delivery, project management, invoicing, communications — necessary to perform our contract with you or to take pre-contractual steps at your request.
Legitimate Interests (Art. 6(1)(f)): Business development, service improvement, marketing to existing clients — our legitimate interests in operating and improving our business, balanced against your rights.
Legal Obligation (Art. 6(1)(c)): Tax records, health and safety compliance, regulatory reporting — required by UK law including HMRC requirements and H&S legislation.
Consent (Art. 6(1)(a)): Marketing communications to new contacts, cookies (non-essential) — you may withdraw consent at any time without affecting prior processing.

5. Data Sharing

We do not sell your personal data. We may share data with the following categories of recipients:

Subcontractors and installation partners: under framework agreements with equivalent confidentiality and data protection obligations, solely for the purpose of delivering your project
Cloud service providers: for secure storage and backup of project files and communications (e.g., Microsoft 365, cloud hosting providers)
Professional advisors: solicitors, accountants, insurers, and auditors under professional duty of confidentiality
IT service providers: for website hosting, email, and business system maintenance
Analytics providers: anonymised website usage data for site improvement (e.g., Google Analytics)
Credit reference agencies: where relevant to commercial credit assessments
Regulatory and government bodies: HMRC, HSE, ICO, DNOs, and other authorities where required by law or regulation
Debt collection agencies: in cases of non-payment (you will be notified before referral)

All third-party recipients are required to process data in accordance with our instructions and applicable data protection law. We conduct due diligence on third-party data processors and require written data processing agreements.

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of Access (Article 15): Request a copy of the personal data we hold about you
Right to Rectification (Article 16): Request correction of inaccurate or incomplete data
Right to Erasure (Article 17): Request deletion of your data where there is no compelling reason for continued processing
Right to Restriction (Article 18): Request that we restrict processing in certain circumstances
Right to Data Portability (Article 20): Receive your data in a structured, commonly used format
Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
Rights related to Automated Decision-Making (Article 22): We do not currently use automated decision-making that produces legal or similarly significant effects

Exercising Your Rights:
Contact: dataprotection@zestecservices.com or write to Data Protection, ZESTEC SERVICES LIMITED, 20 Wenlock Road, London, England, N1 7GU.

We will respond within 1 month of receiving your request (extendable by 2 months for complex or numerous requests, with notice). We may ask for identification verification before processing requests.

If you are dissatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data in transit (TLS/SSL) and at rest
Access controls with role-based permissions and multi-factor authentication
Regular backups and disaster recovery procedures
Secure file sharing and cloud storage with reputable UK/EEA-based providers
Staff training on data protection and information security
Secure disposal and destruction of data when no longer required
Incident response procedures for data breaches
Regular security reviews and vulnerability assessments

No method of electronic transmission or storage is completely secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and the ICO within 72 hours where required by law.

8. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your browsing experience and analyse site traffic.

8.1 Essential Cookies

Required for core website functionality (e.g., session management, security). These cannot be disabled.

8.2 Analytics Cookies

Used to understand how visitors use our website, including pages visited, time on site, and navigation patterns. We use Google Analytics with IP anonymisation enabled. These are placed only with your consent.

8.3 Marketing Cookies

Used to deliver relevant advertisements and track campaign effectiveness across platforms including LinkedIn, Facebook, and Google. These are placed only with your consent.

You can manage cookie preferences via the cookie consent banner on our website or through your browser settings. Disabling cookies may affect website functionality.

9. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

Active contract data: Duration of contract plus warranty period (12 months) — contract performance and warranty obligations
Financial records: 6 years from end of financial year — HMRC statutory requirement
Project files and designs: 6 years from project completion — limitation period for legal claims
Professional indemnity records: 6 years from last service delivery — insurance and legal defence
Marketing data: Until consent withdrawn or data no longer needed — consent-based processing
Website analytics: 26 months — Google Analytics default
Job applicant data: 6 months after recruitment decision — legitimate interests
Complaints and disputes: 6 years from resolution — limitation period

After the retention period, data is securely deleted or anonymised so that it can no longer be associated with you.

10. International Data Transfers

We primarily process and store your data within the UK. Where data needs to be transferred outside the UK (for example, to cloud service providers with international infrastructure), we ensure appropriate safeguards are in place:

Transfers to countries with UK adequacy decisions
International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs)
Binding Corporate Rules where applicable

We will not transfer your data outside the UK without ensuring an equivalent level of protection. You may contact us for details of the safeguards in place for any specific transfer.

11. Children's Privacy

Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate parental consent, we will take steps to delete it promptly.

12. Third-Party Links

Our website may contain links to third-party websites, including social media platforms (LinkedIn, Facebook, Instagram), professional bodies (IET, Engineering Council), and regulatory organisations. We are not responsible for the privacy practices or content of these external sites. We encourage you to read their privacy policies before providing any personal data.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or business practices. Changes will be posted on our website with the updated date. For significant changes, we will notify existing clients by email.

We recommend reviewing this policy periodically. The date at the top of this document indicates when it was last updated.

14. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices:

ZESTEC SERVICES LIMITED
Data Protection Contact: info@zestec-services.com
General Enquiries: info@zestec-services.com
Website: www.zestecservices.com
Registered Office: 20 Wenlock Road, London, England, N1 7GU
Phone: 07394 558784

If you wish to make a complaint about how we handle your personal data, please contact us first so we can try to resolve the issue. You also have the right to complain to the ICO:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk | Phone: 0303 123 1113