Privacy Notice
Energy2 Ltd Last updated: 7 May 2026 Version: Rev A
This privacy notice explains how Energy2 Ltd ("Energy2", "we", "us", "our") collects, uses, and shares personal data when you enquire about our products, become a customer, use a battery energy storage system (BESS) we have installed, or work for or with us as an employee, subcontractor or supplier.
1. Who we are
- Registered name: Energy2 Ltd
- Company number: 13668568
- Registered address: Fourthtime, Grubbins Lane, Speen, Buckinghamshire, HP27 0SH
- ICO registration number: ZC011630
- Privacy contact: [email protected]
Energy2 Ltd is the data controller for the personal data described in this notice.
2. Personal data we collect
We collect the following categories of personal data, depending on your relationship with us.
When you enquire (via our website contact form, email, phone, or at events):
- Name, email address, phone number, postcode.
- Our website contact form does not store your data on the website itself; submissions are sent directly to our Gmail business inbox.
When you become a customer:
- Full name, full installation address, email address, phone number.
- Photographs of your property taken during site survey and installation. We may also use selected installation photographs in our own marketing materials, but only after they have been anonymised to remove identifying features (we will not publish any photograph showing customers' faces, house names or other details that could identify the property or occupants).
- Energy consumption data, copies of energy bills, and your MPAN (Meter Point Administration Number).
- Your Wi-Fi network name (SSID) and password — provided by you so that we can connect your inverter and BESS to your home network during commissioning. Wi-Fi credentials are entered directly into the inverter and used only during commissioning; they are not stored in our CRM and are not retained by Energy2 once the system is online. We recommend that you change your Wi-Fi password after installation.
During and after installation:
- Operational and technical telemetry sent by your installed BESS to our cloud platform at
os.energy2.co.uk. This includes state of charge, voltages, currents, temperatures, energy flows, system events and alarms, timestamps, the system's serial number, and the public IP address from which it connects. Telemetry is linked to your customer record so that we can identify your system for monitoring, safety and warranty purposes. - Account information for third-party monitoring portals (for example Solis Cloud or Victron VRM) which we set up on your behalf using your name, email address, and installation address.
When you pay us:
- Payment card details are entered directly into Stripe and are not stored by us. We receive only the transaction reference and amount.
- If you pay by bank transfer, we receive your bank reference details.
Children's data: Our products and services are not directed at children. We do not knowingly collect personal data from anyone under the age of 18. If you believe we may have inadvertently collected information about a child, please contact us at [email protected] and we will delete it.
3. How we use your personal data, and our lawful basis
| Purpose | Lawful basis under UK GDPR |
|---|---|
| Responding to enquiries and producing quotes | Legitimate interests (responding to your enquiry) and steps taken at your request prior to entering a contract |
| Designing your system and producing schematics, quotations, and contracts | Performance of a contract |
| Submitting applications to your Distribution Network Operator (DNO) for connection permission | Performance of a contract and legal obligation (EREC G98 or EREC G99, as applicable, requires DNO notification) |
| Generating MCS certificates for your installation | Performance of a contract and legal obligation under the MCS scheme |
| Generating an IWA-backed workmanship guarantee | Performance of a contract |
| Arranging deliveries to your installation address | Performance of a contract |
| Allowing subcontracted installers and approved partners to carry out the installation | Performance of a contract |
| Connecting your inverter and BESS to your home network during commissioning | Performance of a contract |
| Monitoring system performance and safety, diagnosing faults, and supporting our warranty obligations | Legitimate interests (system monitoring, safety, fault diagnosis, accountability) and performance of a contract (warranty support) |
| Setting up and maintaining your inverter manufacturer's monitoring portal account | Performance of a contract |
| Taking and reconciling payments | Performance of a contract |
| Bookkeeping, invoicing and statutory tax records | Legal obligation (UK tax and accounting law) |
| Sharing relevant information with our insurers (for example to notify an incident, manage a claim, or obtain advice from our brokers) | Legitimate interests (protecting our business and managing risk) |
| Establishing, exercising, or defending legal claims, and complying with court orders, regulatory requests, or other legal obligations | Legal obligation and legitimate interests (the defence of legal claims) |
| Using anonymised installation photographs in our own marketing materials | Legitimate interests (promoting our products and demonstrating our installation quality). You may object at any time by contacting [email protected]. |
4. Who we share your personal data with
4.1 Service providers (acting as our data processors)
| Provider | Purpose | Where data is processed |
|---|---|---|
| Google (Gmail / Google Workspace) | Business email | USA (with UK GDPR transfer safeguards) |
| Hostinger | Hosting our internal CRM database | United Kingdom |
| Cloudflare | Hosting our website (Cloudflare Pages) and content delivery | USA / global edge (with UK GDPR transfer safeguards) |
| GitHub (Microsoft) | Source code and deployment pipeline for our website | USA (with UK GDPR transfer safeguards) |
| Xero | Accounting and bookkeeping | UK / New Zealand (UK adequacy decision applies) |
| Cypher Business Intelligence | External accountancy services | United Kingdom |
| Stripe | Card payment processing | UK / USA (with UK GDPR transfer safeguards) |
| DocuSign | Electronic signature of contracts and documents | USA (with UK GDPR transfer safeguards) |
| EasyPV | System design, schematic and DNO letter generation (processes name, installation address and MPAN) | United Kingdom |
We have data processing terms in place with each of these providers.
4.2 Independent recipients (separate data controllers)
We share limited personal data with the following organisations. Each is responsible for its own use of your data under its own privacy notice:
- Your Distribution Network Operator (DNO) — to apply for and obtain permission to connect your system. We share your name, installation address, MPAN, and system details.
- MCS (Microgeneration Certification Scheme) — to register your installation and generate certificates. We share your name, installation address, and MPAN.
- IWA (Independent Warranty Association) — to issue your workmanship guarantee. We share your name and installation address.
- Inverter manufacturer monitoring platforms — for example Solis Cloud (operated by Ginlong Technologies, China) and Victron VRM (Victron Energy, Netherlands). We share your name, email and installation address to set up your account.
- Suppliers — we may share your installation address with suppliers solely for the purpose of arranging deliveries.
- Subcontracted installers and approved partners — we share your name, installation address and phone number so that they can carry out the installation.
- Our insurers, insurance brokers and professional advisers — where it is necessary to notify an incident, manage a claim, or obtain professional advice.
- Courts, law enforcement, regulators, and other public authorities — where we are required to disclose information by law, in response to a valid legal request, or where disclosure is necessary to establish, exercise or defend legal claims.
We do not sell your personal data, and we do not share it with third parties for advertising. We may use anonymised installation photographs in our own marketing materials, as described in section 3.
5. If you are an employee, subcontractor or supplier
This section applies if you work for or with Energy2.
5.1 Employees
We collect and process the following personal data about employees:
- Your name, home address, and contact details
- Right to work documentation (for example passport, share code, or visa) as required by the Immigration, Asylum and Nationality Act 2006
- Bank details, for payroll
- Your signed employment contract and related HR records (e.g. payroll, holiday, performance, training)
- Emergency contact name, relationship, and contact number
Lawful basis:
- Performance of your employment contract — to pay you and manage the employment relationship.
- Legal obligation — for right to work checks, payroll, tax, and pension auto-enrolment.
- Legitimate interests — for emergency contact information, so we can contact a nominated person if there is an incident at work.
If you provide us with an emergency contact, please make sure that person knows we hold their details and why.
We may also share your information with our insurers, insurance brokers and professional advisers in connection with incidents or claims, and with courts, law enforcement, regulators or other public authorities where required by law or necessary to establish, exercise or defend legal claims.
5.2 Subcontractors and suppliers
We collect and process the following personal data about subcontractors and suppliers:
- Your business or trading name and contact name
- Contact details (email, phone, address)
- Invoices you submit and any supporting paperwork
- Bank or payment details so we can pay you
- Where applicable, your UTR, VAT registration number, and copies of insurance and trade certifications
Lawful basis:
- Performance of a contract — to engage you and pay you for the work you do.
- Legal obligation — to keep accounting and tax records.
- Legitimate interests — to manage our supplier relationships, verify your insurance and certifications, and maintain accurate records of work carried out.
We may also share your information with our insurers, insurance brokers and professional advisers in connection with incidents or claims, and with courts, law enforcement, regulators or other public authorities where required by law or necessary to establish, exercise or defend legal claims.
5.3 Retention (employees, subcontractors and suppliers)
| Data | Retention |
|---|---|
| Right to work records | Duration of employment plus 2 years after employment ends |
| Payroll, tax and pension records | 6 years from the end of the relevant tax year (HMRC requirement) |
| Employment contracts and HR records | Duration of employment plus 6 years after employment ends |
| Subcontractor and supplier invoices and accounting records | 7 years from the end of the relevant accounting period (HMRC requirement) |
| Subcontractor / supplier active records (contact details, insurance certificates etc.) | Duration of the working relationship, plus a reasonable period after it ends |
6. International transfers
Some of our service providers and recipients listed above process personal data outside the United Kingdom. Where this happens, we rely on one of the following lawful transfer mechanisms:
- A UK Government adequacy decision (for example, the EU and the EU-US Data Privacy Framework as recognised by the UK).
- The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum.
- Another lawful transfer mechanism under UK GDPR.
You can request a copy of the relevant safeguards by contacting [email protected].
7. How long we keep your personal data (customers and enquirers)
| Data | Retention period |
|---|---|
| Enquiries that do not result in a contract | 24 months from last contact |
| Customer records, design files, photographs, installation documentation, and telemetry | Up to 15 years from the date of installation, in line with our warranty obligations and legitimate interests in supporting and diagnosing the systems we have installed |
| Wi-Fi credentials | Used only during commissioning. Not stored in our CRM. We recommend you change your Wi-Fi password after installation. |
| Accounting and tax records | 7 years from the end of the relevant accounting period (HMRC requirement) |
| Business email correspondence | Up to 15 years, in line with the customer record retention period |
After these periods, personal data is deleted or anonymised.
8. How we protect your personal data
We use a range of organisational and technical measures, including:
- Two-factor authentication on all Energy2 staff email and CRM accounts.
- Role-based access controls limiting who within Energy2, and which subcontractors and partners, can see customer data.
- Encrypted connections (TLS) for data in transit, including telemetry sent from installed BESS units to
os.energy2.co.uk. - Reputable, contractually-bound service providers for hosting, payments, accounting and email.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, in line with Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay.
9. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure of your data, subject to our legal obligations and any ongoing warranty support.
- Restriction of how we use your data while a query is being resolved.
- Portability of your data, where applicable.
- Object to processing carried out on the basis of legitimate interests.
To exercise any of these rights, please contact [email protected]. We will respond within one calendar month.
Automated decision-making. Energy2 Ltd does not make decisions about you based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. Decisions about quotes, system design, contracts, and customer service are made by people.
10. Cookies and tracking
Our website at energy2.co.uk does not set analytics or marketing cookies and does not use third-party tracking pixels. Cloudflare may set strictly necessary cookies for security, performance and abuse prevention; these are exempt from consent requirements under the Privacy and Electronic Communications Regulations (PECR).
11. Complaints
If you are unhappy with how we have handled your personal data, please contact us first at [email protected] so we have the opportunity to put things right.
You also have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
12. Changes to this notice
We may update this notice from time to time. The "Last updated" date above will reflect any changes. We will notify active customers by email of any material changes.