Privacy Policy
Last updated: [ADD DATE]
This policy explains how [YOUR ORGANISATION NAME] ("we", "us") collects and uses your personal data when you use Energy Academy (the "Service"), and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we are
The data controller for your personal data is [YOUR ORGANISATION NAME], [REGISTERED ADDRESS]. You can contact us about privacy at [PRIVACY CONTACT EMAIL]. [If applicable: our ICO registration number is [ICO NUMBER].]
The data we collect
- Account data – your name and email address when you create an account. Your password is handled by our authentication provider; we never see or store it in plain text.
- Learning data – which lessons you mark complete and your quiz/exercise results, so we can show your progress.
- Profile & interests (optional) – details you choose to add, such as your industry, job role and topics of interest, and your email-communication preferences. These are never required and are used only to send you relevant content if you've opted in.
- Technical data – strictly-necessary local storage to keep you signed in and to remember your cookie choice. See our Cookie Policy.
- Communications – any messages you send us (e.g. support requests).
We do not knowingly collect special-category data, and the Service is not directed at children.
How we use your data, and our lawful bases
- To provide the Service (create and run your account, save your progress) – lawful basis: performance of a contract with you.
- To keep the Service secure and working (authentication, preventing abuse) – lawful basis: our legitimate interests in operating a secure service.
- To remember your preferences (e.g. cookie choice) – lawful basis: legal obligation / your consent as applicable.
- To respond to you when you contact us – lawful basis: legitimate interests.
- To send you marketing communications you've asked for (course updates, newsletter, services and events) and to tailor them using your optional profile details – lawful basis: your consent.
We do not currently use analytics, advertising or other non-essential tracking cookies. If we ever do, we will ask for your consent first and update this policy.
Marketing communications and your choices
We only send you marketing emails if you have opted in, and you can choose which types you receive (course and platform updates, our newsletter and energy tips, consulting and services, and events and webinars). You can change your choices or unsubscribe at any time from the Email preferences section of your profile, or via the unsubscribe link in any marketing email. Withdrawing consent does not affect anything we sent before you withdrew it.
We use the optional details you give us (such as your industry, role and interests) only to make those communications more relevant to you. We do not sell your personal data, and we do not share it with third parties for their own marketing.
Who we share it with
We use trusted service providers who process data on our behalf, under contract:
- Supabase – database and authentication (stores your account and learning data). Hosting region: West EU (Ireland), eu-west-1.
- Vercel – website hosting and delivery.
We do not sell your personal data. We only disclose it to others where required by law.
International data transfers
Some of your personal data is stored and processed in the European Economic Area (EEA) – our database and authentication provider, Supabase, hosts your data in Ireland. The EEA is covered by the UK's data protection adequacy regulations, which the UK Government has determined provide an adequate level of protection for personal data. These transfers are therefore permitted without additional safeguards. If we ever move your data outside the UK or the EEA, we will put appropriate safeguards in place (such as the UK International Data Transfer Agreement) and update this policy.
How long we keep it
We keep your account and learning data for as long as your account is active. When you delete your account (from your profile page) or ask us to delete your data, your account, profile, learning progress, quiz results and consent records are deleted immediately, and any residual copies clear from our provider's encrypted backups within 30 days. We may retain a minimal record for longer only where we must meet a legal obligation (for example, evidence that a marketing consent was withdrawn).
Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased ("right to be forgotten");
- restrict or object to certain processing;
- data portability (receive your data in a usable format);
- withdraw consent at any time, where we rely on consent.
To exercise any of these, email [PRIVACY CONTACT EMAIL]. We will respond within one month. You also have the right to complain to the UK's Information Commissioner's Office (ICO) at ico.org.uk – though we'd appreciate the chance to help first.
How we protect your data
Access to your account is protected by authentication, and data is transmitted over encrypted (HTTPS) connections. No system is perfectly secure, but we take reasonable technical and organisational measures to protect your information.
Changes to this policy
We may update this policy from time to time. We will change the "last updated" date above and, for significant changes, let you know.
Contact
Questions about your privacy? Email [PRIVACY CONTACT EMAIL] or write to us at [REGISTERED ADDRESS].