1. Purpose of this policy
1.1. This privacy policy explains how Village HeatShare (“we”, “us”, “our”) collects, uses, stores and shares personal information when you interact with us, including via our website, online tools and communications.
1.2. We take your privacy seriously. We aim to handle personal information responsibly, keep it secure, and use it only for clear and legitimate purposes.
1.3. For the purposes of UK data protection law, we are the data controller of your personal information (unless we explicitly state otherwise).
1.4. This policy is intended to meet our transparency obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Our contact details
Organisation name: Village HeatShare - CBN Ltd
Address: Holyoake House, Hanover Street, Manchester M60 0AS
Email: info@villageheatshare.com
Data Protection Officer (DPO): Tom Barker
2. The personal information we collect
2.1. We may collect and process the following categories of information:
A. Information you provide to us
Name, email address, phone number, postal address (if provided)
Your role/organisation (if relevant)
Information you submit in forms (e.g. expressions of interest, surveys, feedback)
Content of messages you send us (email, contact forms, support requests)
B. Account information (if you create an account)
Username/email, login and authentication details
Preferences (e.g. notification settings)
Records of actions within the service (where relevant for audit/security)
C. Location and project-related information
General location such as postcode/area, and any information you submit about a building or site (for example, interest in a heat network, property characteristics you choose to share)
D. Website and technical information
IP address, browser/device type, pages visited, approximate location, referral source
Cookie and analytics identifiers (see Section 10)
2.2. We do not intend to collect “special category” data (e.g. health data) unless you choose to provide it and we have a clear lawful basis to use it. Please avoid sharing special category data unless we explicitly ask for it.
2.3. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will delete it where appropriate.
3. How we use your information
3.1. We use personal information to:
Provide and operate Village HeatShare services and features
Respond to enquiries and provide support
Send updates you request (e.g. newsletters, project updates, events)
Run consultation, engagement, research or surveys connected with Village HeatShare objectives
Improve our website and services (including analytics and performance monitoring)
Keep our systems secure, prevent misuse, and maintain audit logs
Meet legal, regulatory, funding and reporting obligations (where applicable)
3.2. Where possible, we use aggregated or anonymised information (which does not identify individuals) for reporting and evaluation.
4. Our lawful basis for processing
4.1. UK GDPR requires us to have a lawful basis to use your personal information. Depending on the context, we rely on one or more of the following:
A. Contract (UK GDPR Article 6(1)(b))
Where processing is necessary to provide a service you request or to perform a contract with you (for example, if you create an account or subscribe to a service feature).
B. Consent (UK GDPR Article 6(1)(a))
Where you have given clear permission (for example, optional cookies or marketing emails where required). You can withdraw consent at any time (see Section 12).
C. Legitimate interests (UK GDPR Article 6(1)(f))
Where we have a legitimate reason to process data and it does not override your rights—for example operating and improving the service, communicating with stakeholders about Village HeatShare activities, and preventing fraud or misuse. Where we rely on legitimate interests, we consider the impact on your rights and expectations.
D. Legal obligation (UK GDPR Article 6(1)(c))
Where we must comply with a legal requirement.
E. Public task (UK GDPR Article 6(1)(e)) – include only if relevant
Where processing is necessary to perform a task in the public interest (for example, if you are a public authority or delivering an official public function). If this does not apply to Village HeatShare, delete this section.
4.2. If our lawful basis changes materially, we will update this policy and/or provide an appropriate notice.
5. Communications and marketing
5.1. If you subscribe to updates, we may email you information we think is relevant to Village HeatShare (e.g. project updates, events, consultations).
5.2. You can opt out at any time by using the unsubscribe link in emails (where provided) or by emailing [insert privacy contact email].
5.3. We do not sell personal information to third parties.
6. Sharing your information
6.1. We may share personal information with trusted third parties where necessary to operate Village HeatShare, for example:
Website hosting and cloud storage providers
Email distribution and CRM tools
Analytics and performance tools
Form and survey tools
IT support and security providers
6.2. We require service providers to protect personal information and only use it to provide services to us.
6.3. We may also share information if required by law or a valid legal request, to protect our rights and safety, and/or with funders or partners in aggregated or anonymised form wherever possible.
6.4. User-generated/public information If the site allows you to post content publicly (e.g. comments, forum posts, shared project pages, suggested community projects), anything you publish may be visible to others. Please consider what you share. We may moderate content, but we cannot control copying or onward sharing by third parties once content is public.
7. International transfers
7.1. Some of our service providers may process data outside the UK. Where this happens, we ensure appropriate safeguards are in place, such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA) / UK Addendum to EU Standard Contractual Clauses, or other lawful safeguards recognised under UK GDPR.
7.2. You can contact us to ask what safeguards apply to a specific provider.
8. How long we keep your information
8.1. We keep personal information only as long as necessary for the purposes described in this policy, including providing services and support, maintaining records and audit trails, complying with legal/accounting/funding obligations, and establishing or defending legal claims.
8.2. Typical retention periods
Mailing list subscription records: until you unsubscribe + 12 months
Enquiry/support correspondence 12 months
Account data: for as long as the account is active, then 12 months after closure
Analytics logs: 12 months
Funding/reporting records: up to 5 years (if applicable)
9. Security and storage
9.1. We use appropriate technical and organisational measures to protect personal information, such as access controls, least-privilege permissions, and encryption in transit (HTTPS/TLS).
9.2. No method of transmission or storage is completely secure. If a security incident occurs that affects your rights and freedoms, we will notify the relevant regulator and/or you where required by law.
10. Cookies and analytics
10.1. Cookies are small text files stored on your device. We may use cookies and similar technologies to enable essential site functionality, understand how visitors use our site and improve it, and remember preferences.
10.2. Cookies and similar technologies are regulated in the UK under the Privacy and Electronic Communications Regulations (PECR). We will only place non-essential cookies (for example, analytics or marketing cookies) on your device if you give us informed, affirmative consent. Essential cookies that are strictly necessary for the website to work do not require your consent.
10.3. We will ask for your consent for non-essential cookies where required. You can also control cookies through your browser settings. When you first visit our website, you will be asked to set your cookie preferences. You can change your choices at any time by using Cookie Preferences on our website [in the website footer?]. Where we use a cookie banner, we aim to provide a clear choice to accept or reject non-essential cookies, as well as to manage preferences by category.
10.4. If applicable, we use analytics tools (e.g. Google Analytics, [others?]). These tools may collect technical and usage data such as pages visited and time spent. We aim to configure analytics in a privacy-conscious way (for example, IP anonymisation where available).
10.5. Cookie list. A current list of the cookies we use (including their provider, purpose, category and expiry) is available here: [insert link cookie table page].
11. Your rights
11.1. You have rights under UK GDPR, including:
Right of access – request a copy of your personal information
Right to rectification – ask us to correct inaccurate data
Right to erasure – ask us to delete your data in certain circumstances
Right to restrict processing – ask us to pause use of your data in certain circumstances
Right to data portability – receive certain data in a portable format
Right to object – object to processing based on legitimate interests or direct marketing
Rights related to automated decision-making – safeguards if decisions are made solely by automated means (confirm whether this applies)
11.2. To exercise your rights, contact [insert privacy contact email]. We may need to verify your identity before responding.
12. Withdrawing consent
12.1. Where we rely on consent (e.g. marketing emails or optional cookies), you can withdraw consent at any time by changing cookie preferences (if your site supports this), unsubscribing from emails, or contacting [insert privacy contact email].
12.2. Withdrawing consent does not affect the lawfulness of processing carried out before consent was withdrawn.
13. Complaints
13.1. If you have concerns, please contact us first at [insert privacy contact email] and we will try to resolve the issue.
13.2. You also have the right to complain to the UK regulator, the Information Commissioner’s Office (ICO).
14. Changes to this policy
14.1. We may update this policy from time to time. The latest version will be published on our website with the “Last updated” date shown at the top.