Privacy Policy
Last updated: February 2026
1. Introduction and Data Controller
Tipio Energy Ltd ("we", "our", "us") is committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Policy explains how we collect, use, store, and protect your personal information when you visit our website at tipioenergy.com, make enquiries, or engage our consulting services.
1.1 Data Controller Details
Tipio Energy Ltd is the data controller responsible for your personal data.
Registered in England and Wales Company number: 17011004
Registered office:
Tipio Energy Ltd
96 Nower Road
Dorking
RH4 3BX
1.2 Data Protection Contact
We have appointed a Data Protection Officer responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy or our privacy practices, please contact:
Data Protection Officer: Todd Hill
Email: hello@tipioenergy.com
Telephone: 07881 335 076
Post: Tipio Energy Ltd, 96 Nower Road, Dorking RH4 3BX
2. Information We Collect
We collect and process personal data through various means depending on how you interact with us.
2.1 Information You Provide Directly
- Contact and identity information: Name, email address, telephone number, job title, and company name when you submit enquiry forms, request information, or engage our services.
- Business information: Details about your organisation, energy consumption, site locations, and project requirements when you engage our consulting services.
- Communication records: Records of correspondence, meeting notes, and other communications between you and Tipio Energy.
- Financial information: Billing details and payment information necessary for invoicing and payment processing.
2.2 Information Collected Automatically
- Technical data: IP address, browser type and version, operating system, device information, and time zone setting.
- Usage data: Information about how you use our website, including pages visited, time spent on pages, navigation paths, and referring websites.
For detailed information about cookies and tracking technologies, please see our Cookie Policy.
2.3 Information from Third Parties
We may receive personal data about you from third parties, including:
- Referrals from existing clients or business partners
- Publicly available business information from company websites, LinkedIn, or industry directories
- Event organisers where we meet you at industry conferences or networking events
3. How We Use Your Information and Lawful Basis
UK GDPR requires us to have a lawful basis for processing your personal data. The table below sets out the purposes for which we use your data and the legal basis we rely on in each case.
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Responding to enquiries and providing quotes | Contact details, business information | Legitimate interests (responding to business enquiries) |
| Delivering consulting services under contract | Contact details, business information, project data, communications | Performance of contract |
| Invoicing and payment processing | Contact details, financial information | Performance of contract |
| Sending service updates and project communications | Contact details | Performance of contract / Legitimate interests |
| Sending marketing communications about our services | Contact details, business information | Consent (where required) / Legitimate interests (B2B soft opt-in) |
| Improving our website and services | Usage data, technical data | Legitimate interests |
| Website analytics and performance monitoring | Technical data, usage data | Legitimate interests / Consent (for non-essential cookies) |
| Maintaining business records and accounts | Contact details, financial information, communications | Legal obligation |
| Complying with legal and regulatory requirements | As required by the specific obligation | Legal obligation |
| Establishing, exercising, or defending legal claims | All relevant personal data | Legitimate interests |
3.1 Legitimate Interests
Where we rely on legitimate interests as the lawful basis for processing, we have assessed that the processing is necessary for our legitimate business interests and that these interests are not overridden by your rights and freedoms. Our legitimate interests include: operating and growing our business, understanding how clients and prospective clients use our website, improving our services, and maintaining relationships with clients and contacts.
You have the right to object to processing based on legitimate interests. See Section 9 for details on how to exercise this right.
4. Marketing Communications
We may send you marketing communications about our services, insights articles, industry updates, and events that we believe may be of interest to you.
4.1 When We Send Marketing
For business contacts, we rely on the "soft opt-in" under the Privacy and Electronic Communications Regulations (PECR). This means we may send you marketing if you have previously enquired about or used our services, and we gave you the opportunity to opt out at that time and in every subsequent communication.
Where we do not have an existing business relationship, we will only send marketing communications with your express consent.
4.2 Opting Out
You can opt out of marketing communications at any time by:
- Clicking the unsubscribe link in any marketing email
- Emailing us at hello@tipioenergy.com
- Contacting our Data Protection Officer using the details in Section 1
Opting out of marketing will not affect service-related communications necessary for the performance of any contract with you.
5. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to distinguish you from other users, improve your browsing experience, and analyse website usage.
For detailed information about the cookies we use, the purposes for which we use them, and how to manage your cookie preferences, please see our Cookie Policy.
6. Who We Share Your Data With
We do not sell your personal data to third parties. We may share your personal data with the following categories of recipients where necessary for the purposes described in this Privacy Policy.
6.1 Service Providers
We use third-party service providers to support our business operations, including:
- Cloud storage and productivity services (Google Workspace)
- Website hosting and analytics providers
- Email and communication platforms
- Accounting and invoicing software
- Electronic signature services (SignRequest)
- AI-assisted tools for document drafting and analysis (including OpenAI, Anthropic, Perplexity AI, and Replit)
These service providers are contractually bound to use your data only for the purposes of providing services to us and to implement appropriate security measures.
6.2 Professional Advisers
We may share data with our professional advisers, including lawyers, accountants, and insurers, where necessary for the provision of legal, accounting, or insurance services.
6.3 Legal and Regulatory Disclosures
We may disclose your personal data where required by law, regulation, or court order, or to protect our legal rights or the rights, property, or safety of others.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred to the acquiring entity as part of the transaction. We will notify you of any such transfer and any choices you may have regarding your data.
7. International Data Transfers
Some of the third-party service providers we use are based outside the United Kingdom, including in the United States. This means that your personal data may be transferred to, stored in, and processed in countries outside the UK.
The services we use that involve international transfers include:
- Google (USA) – Google Workspace which includes cloud storage, calendar, email, and productivity tools
- OpenAI (USA) – AI-assisted document analysis and drafting
- Anthropic (USA) – AI-assisted document analysis and drafting
- Perplexity AI (USA) – research and information retrieval
- Replit (USA) – software development tools
7.1 Safeguards for International Transfers
Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place to protect your data, including:
- Transfers to countries that have received an adequacy decision from the UK government, meaning they provide an adequate level of data protection
- Use of the UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses with the UK Addendum, as applicable
- Contractual commitments from service providers regarding data protection standards
You may request further information about the safeguards we have in place by contacting our Data Protection Officer.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the data, and applicable legal requirements.
| Data Category | Retention Period | Reason |
|---|---|---|
| Enquiries that do not proceed to engagement | 2 years | Business development and follow-up |
| Client project files and deliverables | 7 years from project completion | Contractual reference, professional indemnity, limitation periods |
| Contracts and engagement letters | 7 years from contract end | Legal and contractual requirements, limitation periods |
| Financial and accounting records | 7 years | HMRC requirements, Companies Act |
| Invoices and payment records | 7 years | Tax and VAT compliance |
| Marketing consent records | Duration of consent plus 2 years | Evidence of consent for regulatory compliance |
| Website analytics data | 26 months (aggregated) | Website performance analysis |
| Correspondence and communications | 7 years from last contact | Business records, dispute resolution |
In some circumstances, we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such data without further notice to you.
9. Your Rights Under UK GDPR
Under UK data protection law, you have certain rights regarding your personal data. These rights are subject to certain conditions and limitations as set out in the legislation.
9.1 Summary of Your Rights
- Right of access: You have the right to request a copy of the personal data we hold about you.
- Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data.
- Right to erasure: You have the right to request that we delete your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
- Right to restrict processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller where technically feasible.
- Right to object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Where we rely on consent as the lawful basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
9.2 How to Exercise Your Rights
To exercise any of your rights, please contact our Data Protection Officer using the details in Section 1. Please provide sufficient information to allow us to verify your identity and locate your data.
We will respond to your request within one month of receipt. If your request is complex or we receive a large number of requests, we may extend this period by up to two further months, in which case we will notify you of the extension and the reasons for it.
We will not charge a fee for responding to most requests. However, we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive.
10. Right to Complain to the ICO
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection.
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact our Data Protection Officer in the first instance.
Information Commissioner's Office
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
11. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
While we use AI-assisted tools to support document drafting, analysis, and research, all significant decisions regarding our services and client relationships are made by our team with human oversight.
12. Children's Data
Our website and services are intended for businesses and business professionals. We do not knowingly collect personal data from individuals under 18 years of age.
If you believe we have inadvertently collected data from a child, please contact our Data Protection Officer immediately and we will take steps to delete such data.
13. Third-Party Links
Our website may contain links to third-party websites, including industry resources, government information, and service providers. These websites have their own privacy policies, and we do not accept any responsibility or liability for their policies or practices.
We encourage you to read the privacy policy of every website you visit.
14. Data Security
We have implemented appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Our security measures include:
- Encryption of data in transit and at rest
- Access controls limiting data access to authorised personnel
- Secure password policies and multi-factor authentication
- Regular review of security practices and service provider security
- Staff awareness of data protection obligations
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO and, where required, notify you without undue delay.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. The date at the top of this page indicates when this Privacy Policy was last updated.
We will notify you of material changes by posting the updated Privacy Policy on our website with a prominent notice, and where appropriate, by email. We encourage you to review this Privacy Policy periodically.
Your continued use of our website or services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
16. Contact Us
If you have any questions about this Privacy Policy or our data protection practices, please contact our Data Protection Officer:
Todd Hill
Data Protection Officer
Email: hello@tipioenergy.com
Telephone: 07881 335 076
Post: Tipio Energy Ltd, 96 Nower Road, Dorking RH4 3BX