Privacy Policy

Last updated: 04 December 2025
Applies to: netzerogurus.co.uk and any page that links to this notice

1) Who we are (Data Controller)

ECO4 Gurus Ltd trading as Net Zero Gurus (“Net Zero Gurus”, “we”, “us”, “our”) is the data controller for personal data collected via our website, marketing, sales, and customer support channels.

• Registered company: ECO4 Gurus Ltd (T/A Net Zero Gurus)
• Postal address: Cavendish House, 3 Brighton Road, Liverpool L22 5NG, United Kingdom
• General contact: hello@netzerogurus.co.uk
• Data Protection Officer (DPO): Andrew Foote — andrew.foote@netzerogurus.co.uk

In some client projects, we may act as a data processor for councils, housing associations, or other organisations. In those cases, we process personal data on their instructions and you should consult their privacy notices.

2) Scope

This notice explains how we collect, use, disclose, and protect personal data when you:

• Visit https://netzerogurus.co.uk (“Website”)
• Contact us, download content, subscribe to updates, or otherwise engage with our marketing and events
• Purchase or receive our services (e.g., retrofit coordination, assessment, quality assurance and compliance support)

3) Personal data we collect

Data you provide to us

• Identity & contact: name, job title, organisation, email, telephone, postal address
• Communication content: enquiries, feedback, meeting notes
• Account & preferences: marketing preferences, subscription choices
• Transaction data: purchase history, invoices, payment references (we do not store full card details)
• Project data: property details necessary to scope services; scheme eligibility information you choose to share

Special category data (only if necessary)

We do not routinely collect special category data via the Website. In limited cases (e.g., to assess eligibility or tailor retrofit solutions), you may choose to share health‑related information that indicates vulnerability or specific needs. We will only process such data where you give explicit consent or where it is necessary to protect vital interests (e.g., risk of significant harm) and you are incapable of giving consent.

We do not intentionally collect criminal convictions/offence data.

Data we collect automatically

• Technical & usage data: IP address, device identifiers, browser type/version, pages viewed, time/date stamps, referrers, approximate location, and similar diagnostic data
• Cookies & similar technologies: see Section 11 (Cookies) and our Cookie Policy

4) Where we get your data

• Directly from you (web forms, email, phone, meetings, events)
• Your organisation (if you are a business contact)
• Our processors providing services like website hosting, analytics, communications, and CRM (limited to what’s necessary)
• Public sources (e.g., company websites or directories) where lawful

5) Purposes and lawful bases

We only process personal data where we have a lawful basis under UK GDPR:

Purpose	Examples	Lawful basis
Respond to enquiries & provide services	Quotes, scoping, delivery, customer support	Contract (Art. 6(1)(b)) or Legitimate interests (Art. 6(1)(f)) to respond to requests
Account administration & billing	Invoicing, payment records, dispute handling	Contract; Legal obligation (tax/accounting)
Service improvement & security	Troubleshooting, analytics, service metrics, fraud/security	Legitimate interests (to operate and secure our services)
Marketing & communications	Newsletters, event invites, service updates	Consent (PECR) for email/SMS to individuals; Soft opt‑in for similar products/services to existing customers; Legitimate interests for B2B emails where permitted. Opt‑out available anytime
Compliance & governance	Audits, regulatory requests, legal claims	Legal obligation; Legitimate interests (establish, exercise, defend legal claims)
Special category data (if applicable)	Health information relevant to retrofit suitability or vulnerability	Explicit consent (Art. 9(2)(a)); Vital interests (Art. 9(2)(c)) in emergencies

PECR marketing rules (UK): We only send electronic marketing to individuals where we have prior consent or the soft opt‑in applies (you bought/negotiated to buy a similar service and had a clear opt‑out at collection and in every message). B2B marketing is permitted where legitimate interests apply and an opt‑out is provided. You can unsubscribe at any time.

6) Cookies and similar technologies

We use cookies, pixels, and similar technologies to operate the Website, remember preferences, and measure performance. Where required, we obtain your consent through our cookie banner. You can change or withdraw consent at any time via the banner’s Preferences link.

• See our Cookie Policy (linked from the banner and footer) for the full list of cookies, their purposes, and retention.

7) Who we share data with

We only share personal data where necessary and subject to contracts imposing confidentiality and security obligations:

• Hosting & IT providers (website hosting, backup, security monitoring, email)
• Communications & productivity platforms (e.g., email, video conferencing)
• Analytics & performance tools
• Payment & invoicing service providers and banks
• Professional advisers & insurers (legal, accounting, insurance)
• Delivery & logistics partners (if we send physical items)
• Client organisations (e.g., councils, housing associations, scheme administrators) where project work requires it
• Regulators and authorities where legally required
• Business transfers: in the context of a merger, acquisition, or asset sale, subject to appropriate safeguards

We do not sell personal data.

8) International transfers

Your data may be processed outside the UK (e.g., where a provider uses non‑UK data centres). Where this happens, we implement appropriate safeguards such as:

• UK International Data Transfer Agreement (IDTA); or
• EU Standard Contractual Clauses with the UK Addendum; and
• Transfer risk assessments and technical/organisational controls.

You can contact us for copies of the relevant safeguards (redactions may apply for confidentiality).

9) How long we keep data (retention)

We keep personal data only as long as needed for the purposes set out above, and to meet legal, accounting, and audit obligations. Typical periods:

• Enquiry data (no contract): up to 24 months from last interaction
• Marketing data: until you withdraw consent / opt‑out, or 24 months of inactivity (whichever is sooner)
• Contract, billing, and tax records: 6 years from financial year end (HMRC requirements)
• Website logs & security data: typically 12 months
• Project and scheme compliance files (e.g., retrofit/ECO/WHLG/SHDF): for the duration of the project/scheme and for at least 6 years afterwards, or longer if required by the relevant scheme rules or funding conditions

When retention expires, we delete or irreversibly anonymise data. Where deletion is not immediately possible (e.g., backups), we isolate and protect the data until deletion.

10) Your rights

Subject to conditions and exemptions in UK GDPR/DPA 2018, you have the right to:

• Be informed about our processing
• Access your personal data
• Rectify inaccurate or incomplete data
• Erase your data (where applicable)
• Restrict processing (temporarily limit use)
• Data portability (receive data you provided in a structured, commonly used format and/or request transfer to another controller)
• Object to processing based on legitimate interests or direct marketing
• Not be subject to decisions based solely on automated processing, including profiling, that have legal or similarly significant effects (we do not carry out such decision‑making)

To exercise your rights, email admin@eco4gurus.co.uk or hello@netzerogurus.co.uk. We may need to verify your identity. We respond within one month (extendable by two months for complex requests; we will let you know if this applies).

If you believe we have not handled your data correctly, you can complain to the UK Information Commissioner’s Office (ICO) at https://ico.org.uk/make-a-complaint/. We would appreciate the chance to resolve your concerns first.

11) Children

Our services are not directed to children under 18. We do not knowingly collect data from minors. If you believe a minor has provided personal data, contact us and we will delete it.

12) Security

We apply appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit (TLS), least‑privilege permissions, secure configuration, logging/monitoring, and staff training. No system is 100% secure; if we become aware of a personal data breach that presents a risk to your rights and freedoms, we will act in line with our incident response plan and notify the ICO and affected individuals where required.

13) Our role as processor (on behalf of clients)

When we act as a processor (e.g., for a council or housing provider), we process personal data only on the written instructions of the controller and in accordance with a binding data processing agreement that includes confidentiality, security, sub‑processor controls, assistance with data subject rights, and deletion/return at the end of the engagement.

14) Third‑party links

Our Website may contain links to third‑party sites/services. Those parties control their own privacy practices. We encourage you to review their privacy notices.

15) Do Not Track

We do not currently respond to Do‑Not‑Track (DNT) signals. If a standard is adopted that we must follow, we will update this notice.

16) Changes to this notice

We may update this notice from time to time. The “Last updated” date shows the latest revision. Substantive changes will be highlighted on the Website and/or communicated directly where appropriate.

17) Contact us

Postal: ECO4 Gurus Ltd T/A Net Zero Gurus, Cavendish House, 3 Brighton Road, Liverpool L22 5NG, UK

General & privacy queries: hello@netzerogurus.co.uk

Data Protection Officer: Andrew Foote — andrew.foote@netzerogurus.co.uk