Privacy Policy (UK)

Last updated: 31/10/2025

1) Who we are (Controller)

A. Dawes ST T/A Prime EPC Midlands ("we", "us") is the data controller for personal data we process.

Contact: adam@epcmids.co.uk, 07354953773.

2) What this policy covers

How we collect, use, store and share your personal data under UK GDPR and the Data Protection Act 2018. If you have questions, contact us (details above). You can also complain to the Information Commissioner’s Office (ICO).

EPC & other services we handle (where relevant)

We provide property assessment services which may include:

• Domestic EPCs — existing dwelling EPCs (RdSAP)

• Floor Plans — 2D floor plans for illustrative purposes only

• Thermal Imaging — qualitative screening in accordance with BS EN ISO 6781-1:2023

3) The data we collect

• Identity & contact: name, email, phone, postal address, company/business name (if applicable).

• Booking/job details (via ServiceM8): requested services, dates/times, job notes you provide, quotes, invoices, work status, photos/documents you upload.

• EPC/energy assessment evidence: property address and access details; survey notes; photographs (internal/external/plant) used as evidence; floor‑plans and measurements; heating/cooling/hot‑water/lighting details; insulation and construction details; meter/electricity/gas/oil or other energy

• Thermal Imaging: property address and access details; observation notes; thermal imagery photographs (internal/external/plant) used for report making;

• Floor Plans: property address and access details; floor‑plans and measurements;

• Website & account (via Squarespace): forms you submit, account/profile details (if applicable), support messages.

• Payment: payment status/amount and limited identifiers (e.g., last 4 digits or transaction IDs). We do not store full card numbers; these are processed by ServiceM8.

• Communications: emails, messages, feedback;

• Marketing preferences: opt‑ins/outs and unsubscribe history.

• Device/usage (Google Analytics + Squarespace + ServiceM8): IP‑derived general location, device/browser type, pages viewed, buttons clicked, session duration, referring URLs, and similar event data collected via cookies or similar technologies (see Cookies below).

• Special category data (only if relevant to a service) — collected only with your explicit consent. We avoid capturing identifiable individuals in photographs wherever practicable.

4) How we get your data

• Directly from you: when you book, request a quote, provide access, or supply building/plant information.

• On site: during surveys and inspections we collect evidence (notes, measurements, photos) required to create EPCs to meet scheme quality assurance and also to perform floor plan and thermal imaging services.

• Automatically: through our Squarespace website and Google Analytics when you consent to analytics cookies.

• From our job/booking system: ServiceM8 when you request, schedule, or amend work.

• From payment providers: limited payment metadata from ServiceM8 so we can reconcile transactions.

If you do not provide evidence reasonably required for an assessment, we may be unable to produce or lodge the certificate/report.

5) Why we use your data & lawful bases

• To take and manage bookings, quotes, and jobs; provide services; and customer support.

• Operate our website and online forms (Squarespace, ServiceM8) — Legitimate interests/Contract.

• Job management, scheduling, quoting, invoicing, on‑site notes and photos (ServiceM8) — Contract/Legitimate interests.

• Create and lodge Energy Performance Certificates (EPCs) to the Energy Performance of Buildings (EPB) Register via our accreditation scheme (ECMK Ltd) and comply with scheme quality assurance — Legal obligation/Public task under the EPB Regulations and related guidance.

• Payment processing, fraud prevention, record‑keeping — Legal obligation/Legitimate interests.

• Appointment reminders and service messages — Legitimate interests (you can object at any time).

• Analytics (Google Analytics) — Consent under PECR for non‑essential cookies. We only run analytics after you consent via our cookie banner; you can withdraw consent any time.

• Marketing by email/SMS — Consent (or legitimate interests/soft opt‑in where permitted). You can withdraw consent or object at any time.

• Health/special category data (e.g., allergy information) — Explicit consent; you can withdraw at any time.

6) Sharing your data

We share data with trusted processors and organisations who help deliver our services or who receive data by law, under contracts and safeguards that protect your data:

• Squarespace, Inc. (and affiliates) — website hosting/CMS, form handling, site performance.

• Google Ireland Limited / Google LLC — Google Analytics for understanding site usage and improving our services.

• ServiceM8 Pty Ltd — job management, scheduling, quotes, invoices, job communications.

• ECMK Ltd (our accreditation scheme) — lodgement of EPCs/DECs/ACIRs to the national EPB Register and scheme quality assurance/audits.

• Department for Levelling Up, Housing and Communities (DLUHC) — operator of the Energy Performance of Buildings Register where EPCs/DECs/ACIRs are lodged and some details are publicly available.

• Independent auditors appointed by ECMK/DLUHC — evidence review for quality assurance and compliance.

• Professional advisers and insurers — for legal advice and to establish/defend legal claims.

• Payment processor — ServiceM8 for secure payments.

• Email/SMS provider — SerivceM8 for transactional and (with consent) marketing messages. We may also share data where required by law or to establish/defend legal claims. We do not sell your data.

7) International transfers

Some of our providers are based outside the UK, or process data internationally (for example, the United States and Australia for services such as Google, Squarespace, and ServiceM8). Where personal data is transferred outside the UK, we rely on appropriate safeguards, such as:

• UK adequacy regulations (including participation in recognised frameworks where applicable), and/or

• UK International Data Transfer Agreements (IDTAs) or the UK Addendum to EU Standard Contractual Clauses with additional measures where needed. ECMK Ltd and DLUHC (EPB Register) are UK‑based.

8) Retention

We keep personal data only as long as necessary, e.g.:

• Customer/booking & job records (ServiceM8): [6 years] after your last interaction (tax/audit).

• Website enquiry forms (Squarespace): [24 months] after last contact or when exported into our job system, whichever is sooner.

• Analytics (Google Analytics): event/user‑level data retained for [14 months] (or your configured GA retention), then deleted or aggregated.

• EPC/DEC/ACIR records: certificates/reports lodged to the national register are retained for up to 20 years in line with government policy/guidance.

• Marketing data: until you unsubscribe or after 24 months of inactivity.

• Special category data: minimum necessary, typically 12 months unless required longer. We then delete or anonymise it.

9) Your rights

You have rights to access, rectify, erase, restrict, object, and data portability, and to withdraw consent where processing is based on consent. To exercise them, contact adam@epcmids.co.uk. You can also request that your EPC/DEC/ACIR is opted‑out of public display on the national register (note: it must still be lodged where required by law). If unresolved, you can complain to the ICO at ico.org.uk.

For register queries you can also contact the EPB Register helpdesk. For scheme‑related quality assurance matters you can contact ECMK Ltd.

10) Cookies

Our website runs on Squarespace. We use:

• Strictly necessary cookies (Squarespace, ServiceM8) to make the site work (security, load balancing, basic functions) — these run without consent.

• Analytics cookies (Google Analytics) to understand site usage and improve services — these run only if you consent via our cookie banner.

You can manage your choices anytime via Cookie settings on our site. You can also use Google’s opt‑out tools (e.g., the Google Analytics opt‑out add‑on) in addition to withdrawing consent.

11) Security

We use appropriate technical and organisational measures (encryption, access controls, staff training) to keep your data secure. No method is 100% secure; please keep your account details safe.

12) Children

Our services are not directed to children under 18. We do not knowingly collect data from children without appropriate consent.

13) Changes to this policy

We may update this policy from time to time. We will post the new version here and change the “Last updated” date. For material changes, we will notify you by email or on‑site notice when appropriate.