Solar Group

    Contents

    1. Who we are
    2. What this policy covers
    3. Information we collect
    4. How we use your information
    5. Who we share it with
    6. International transfers
    7. Cookies & browser storage
    8. How long we keep it
    9. Your rights
    10. How we protect it
    11. Complaints
    12. Changes to this policy

    Privacy Policy

    How Solar Group Utilities Ltd collects, uses, and protects the personal information of people who use our Client Portal.
    Last updated: 20 April 2026 · Version: 1.0

    Section 1 Who we are

    This policy applies to personal information that Solar Group Utilities Ltd (“we”, “us”, or “our”) collects through the Client Portal at access.solar-group.co.uk and its supporting services.

    Data controller: Solar Group Utilities Ltd

    Registered address: 2 Beverley Way, Malvern, WR14 1LA, United Kingdom

    ICO registration number: ZC127857

    Privacy contact: info@solar-group.co.uk

    We act as the data controller for personal information handled through the Client Portal. That means we decide what personal data we hold, how we use it, and how long we keep it.

    We are not required to appoint a Data Protection Officer. All privacy questions, rights requests, and complaints should be sent to the contact address above.

    Section 2 What this policy covers

    This policy explains how personal information is handled when you use the Client Portal as a client user, a supply partner, or a member of our staff.

    It covers:

    • Information you give us when you sign in, update your profile, upload a photo, or contact us through the portal.
    • Information we generate about your use of the portal (logins, activity, error logs).
    • Information we process on your behalf as part of delivering our maintenance, reporting, and financial services.

    It does not cover:

    • Personal data we hold offline or in systems unrelated to the Client Portal — those are covered by separate privacy notices.
    • Third-party websites you reach by clicking a link from the portal. Their own privacy policies apply.

    Section 3 Information we collect

    We only collect what we need to run the portal and deliver the services your organisation has contracted us to provide.

    Information you provide directly

    • Account details — name, work email address, organisation, and role.
    • Profile information — display name and an optional profile photo.
    • Authentication data — password (stored as a salted hash), magic-link tokens (single-use).
    • Ticket content — anything you type into a ticket: descriptions, chat messages, comments, quote acceptances, purchase-order references.
    • Files you upload — photographs, PDFs, reports, purchase orders, and other attachments.
    • Commercial information — purchase-order numbers, invoice references, bank details you submit as part of a financial workflow.

    Information we generate automatically

    • Usage and audit data — which pages you visit, actions you perform, and the timestamps of each.
    • Device information — browser type, operating system, and general device characteristics. We do not collect precise location.
    • Push notification tokens — if you choose to enable notifications, a device-specific token is stored so we can deliver alerts.
    • Error logs — diagnostic information captured when something goes wrong, to help us fix bugs.

    Information we receive from other people

    • From your employer — if your organisation invites you to the portal, they provide your name and email address.
    • From our engineering partners — names and contact details needed to attend site or complete work.

    We do not knowingly collect special-category personal data (such as health, biometric, or political opinions) through the portal. We do not use automated decision-making or profiling that produces legal or similarly significant effects.

    Section 4 How we use your information

    Under UK GDPR, we must have a lawful basis for every way we use your personal information. The table below sets out what we do with it and why.

    | What we do | Lawful basis | Why |
    | --- | --- | --- |
    | Create your account and let you sign in | Performance of a contract | To provide access to the portal under our agreement with your organisation. |
    | Manage maintenance tickets, quotes, and reports | Performance of a contract | Core operational service delivery. |
    | Issue and reconcile invoices and purchase orders | Performance of a contract · Legal obligation | To run the commercial side of the service and meet our accounting / tax duties. |
    | Send operational emails (invites, status updates, invoices) | Performance of a contract · Legitimate interests | To keep you informed about work on your sites. |
    | Send push notifications | Consent | You choose to turn these on in your profile. You can turn them off at any time. |
    | Secure the platform and prevent misuse | Legitimate interests | To keep the portal and your data safe. Our interests are balanced against your privacy. |
    | Improve the portal (diagnostics, error logs) | Legitimate interests | To fix bugs and make the service work well for everyone who uses it. |
    | Comply with legal and regulatory duties | Legal obligation | Including tax, accounting, health & safety, and responding to lawful requests. |

    We do not use your personal information for marketing. We do not sell or rent personal data to anyone.

    Section 5 Who we share your information with

    We share personal information only when we need to in order to run the service, meet a legal duty, or protect our legitimate interests.

    Within your own organisation

    Other authorised users from your organisation may see tickets, chats, and files that relate to your sites. Role-based access controls limit what each user can see.

    Our supply partners

    When a third-party contractor is engaged to deliver work at one of your sites, we share the minimum personal information needed for them to complete the job (typically site contact details and job descriptions). Supply partners are not given access to your portal account.

    Our sub-processors

    We use carefully selected service providers to host and run the portal. Each is bound by a written data-processing agreement that requires them to protect your information and use it only to deliver the service to us.

    | Provider | What they do | Hosting region |
    | --- | --- | --- |
    | Supabase | Database, authentication, file storage backbone | European Union (AWS) |
    | Cloudflare | Application hosting (Workers), edge network, file storage (R2) | Global edge with data at rest in EU / UK |
    | Microsoft 365 (Graph API) | Outbound email, calendar events for engineers | European Union |
    | Xero | Accounting — purchase orders, invoices, bills | European Union |
    | SafetyCulture | Field inspection data capture and reporting | European Union / Australia |
    | Monday.com | Internal work-tracking and ticket synchronisation | European Union |
    | Make.com | Workflow automation between the portal and other services | European Union |

    Other disclosures

    • Professional advisers — lawyers, accountants, and auditors who support our business, bound by confidentiality.
    • Regulators and law enforcement — where we are legally required to disclose information.
    • In a corporate transaction — if our business is sold or restructured, personal data may transfer to the new owner, subject to this policy.

    Section 6 International data transfers

    Most of your personal information stays inside the UK or European Economic Area (EEA). Where data does move outside those regions, we put recognised legal safeguards in place.

    Some of our sub-processors are headquartered outside the UK / EEA (for example, Cloudflare and SafetyCulture). Where a transfer takes place, we rely on one or more of the following safeguards:

    • UK adequacy regulations — where the UK government has determined that a country offers adequate protection.
    • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, where no adequacy decision exists.
    • Supplementary technical measures — such as encryption in transit and at rest, to reduce any residual risk.

    You can ask us for a copy of the safeguards that apply to a particular transfer by emailing info@solar-group.co.uk.

    Section 7 Cookies & browser storage

    The portal uses a small number of technical cookies and browser-storage entries. None of them are advertising cookies, and we don't use any third-party analytics trackers.

    | Item | Type | Purpose |
    | --- | --- | --- |
    | Supabase session token | Local storage (strictly necessary) | Keeps you signed in between visits so you don't have to log in every time. |
    | Realtime socket ID | Session (strictly necessary) | Lets us push live updates (new messages, ticket status changes) to your browser. |
    | Push subscription | Service worker (consent-based) | Stored only if you turn on push notifications. Removed when you turn them off. |
    | Preferences | Local storage (strictly necessary) | Small UI preferences — which accordions are open, last-viewed tab, etc. |

    The strictly-necessary items are required for the portal to work at all. They are not used for tracking or profiling. You can clear cookies and local storage from your browser at any time, but doing so will sign you out and reset your preferences.

    Section 8 How long we keep your information

    We don't keep personal information for longer than we need to. Retention periods depend on the type of record and any legal duty that applies.

    | Record type | Typical retention period |
    | --- | --- |
    | Active user account | For as long as your organisation wants you to have access. Closed accounts are anonymised or deleted within 12 months of closure. |
    | Tickets, chats, uploaded files | For the duration of our contract with your organisation plus up to 6 years, to meet contractual and legal limitation periods. |
    | Financial records (invoices, POs, bills) | At least 6 years from the end of the relevant financial year, to meet UK tax and accounting law. |
    | Authentication & security logs | Up to 24 months. |
    | Error and diagnostic logs | Up to 90 days, unless needed longer to investigate a specific incident. |
    | Push notification subscriptions | Until you disable notifications or sign out. |

    When a retention period ends, we either delete the personal data or anonymise it so it can no longer be linked to you.

    Section 9 Your rights under UK GDPR

    UK data protection law gives you a set of rights over your personal information. You can exercise any of them free of charge by emailing info@solar-group.co.uk.

    • Right of access. Ask for a copy of the personal information we hold about you.
    • Right to rectification. Ask us to correct anything that is inaccurate or incomplete.
    • Right to erasure (“right to be forgotten”). Ask us to delete your personal information where there is no good reason for us to keep it.
    • Right to restrict processing. Ask us to pause certain uses of your personal information while a question is resolved.
    • Right to data portability. Ask for a copy of the information you gave us in a structured, machine-readable format.
    • Right to object. Object to any processing we carry out on the basis of legitimate interests.
    • Right to withdraw consent. Where we rely on your consent (for example, push notifications), you can withdraw it at any time. Withdrawing consent does not affect the lawfulness of anything we did before you withdrew it.
    • Rights around automated decisions. We don't make automated decisions with legal effect, but if you believe otherwise you have the right to object.

    We will respond within one month of receiving a valid request, as required by law. If your request is particularly complex we may extend that by up to two further months and will tell you if we do. We may ask you to verify your identity before we release information.

    Section 10 How we protect your information

    We take appropriate technical and organisational measures to keep your personal information safe.

    • Encryption in transit — all connections to the portal use HTTPS (TLS 1.2 or higher).
    • Encryption at rest — database and file storage are encrypted on disk by our hosting providers.
    • Invite-only access — you can only reach the portal if someone at your organisation (or our team) has invited you.
    • Role-based access controls — database row-level security ensures users only see records for sites and clients they are entitled to.
    • Staff training and access controls — only staff with a genuine need can see personal data, and access is regularly reviewed.
    • Regular backups — data is backed up and the backups are encrypted and access-controlled.

    If we ever become aware of a personal data breach that is likely to affect your rights, we will notify the Information Commissioner's Office within 72 hours as required by law, and we will contact affected users without undue delay.

    Section 11 Complaints

    We would always prefer to resolve any concern directly with you. If you're not satisfied, you can escalate to the UK data-protection regulator.

    Please get in touch with us first:

    • Email: info@solar-group.co.uk
    • Post: Solar Group Utilities Ltd, 2 Beverley Way, Malvern, WR14 1LA, United Kingdom

    If you remain unhappy, you have the right to complain to the Information Commissioner's Office (ICO):

    • Website: ico.org.uk/make-a-complaint
    • Helpline: 0303 123 1113
    • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

    Section 12 Changes to this policy

    We review this policy regularly and update it when we need to — for example, when we add a new feature or change a sub-processor.

    The current version number and “last updated” date are shown at the top of this page. When we make a material change, we will:

    • Update the date and version number at the top of this policy.
    • Notify you through the portal or by email where the change is significant.

    We recommend you check this page from time to time so you're aware of how we handle your information.

    © Solar Group Utilities Ltd. All rights reserved.