Legal

Privacy Policy

Effective date: 18 February 2026 · Operated by A N Heating Services Limited trading as Boilers Scotland

Your privacy matters to us. This policy explains what personal data we collect, why we collect it, how long we keep it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read it carefully.

1. Who We Are (Data Controller)

The data controller responsible for your personal information is A N Heating Services Limited, operating this service under the trading name Boilers Scotland at www.boilersscotland.co.uk.

For all data protection enquiries, you can contact us at: info@boilersscotland.co.uk or call 01236 590941.

2. Personal Data We Collect

We collect personal data that you provide directly to us through our online quote and booking system. The categories of data we collect are:

| Category | Data Collected | Why We Collect It |
|---|---|---|
| Identity | Full name | To identify you and address communications |
| Contact | Email address, telephone number | To send quotes, booking confirmations, and installation updates |
| Property Address | Full installation address and postcode | To provide location-specific quotes and dispatch engineers |
| Property Details | Property type, boiler location, system type, fuel type | To generate an accurate fixed-price quote |
| Photographs | Images of your boiler, flue, gas meter, and pipework | To allow our engineers to review and confirm the installation scope |
| Payment | Billing name, partial card details (last 4 digits), payment confirmation | To process deposit and balance payments |
| Technical | IP address, browser type, pages visited, session cookies | To operate the website securely and maintain your session |

We do not collect special category data (such as health data, ethnicity, or biometric data). We do not knowingly collect data from individuals under 18 years of age.

3. Legal Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:

  1. Contract performance

     Processing your name, contact details, address, property information, and photographs is necessary to provide you with a quote, confirm a booking, and carry out your boiler installation.

  2. Legitimate interests

     We process technical data (such as IP addresses and session information) to operate our website securely, prevent fraud, and improve our service. Our legitimate interest does not override your rights.

  3. Legal obligation

     We may be required to retain certain records (e.g. Gas Safe installation certificates, VAT records) to comply with legal obligations under UK law.

  4. Consent

     Where we send you optional marketing communications, we will do so only with your explicit consent. You may withdraw consent at any time by contacting us.

4. Third-Party Data Processors

We use trusted third-party services to operate our platform. Each is a data processor acting on our instructions and is subject to appropriate data processing agreements.

Stripe · Payment Processing

Deposit and balance payments are processed by Stripe Payments Europe, Ltd (registered in Ireland). When you make a payment, your card details are submitted directly and securely to Stripe; your full card number is never transmitted to or stored on our servers.

Stripe is PCI-DSS Level 1 compliant. Data may be processed within the EEA or in the United States under Stripe's standard contractual clauses with the ICO. For details, see stripe.com/gb/privacy.

Data shared: Billing name, transaction amount, and payment confirmation reference.

Cloudflare R2 · Photo Storage

Photographs that you upload as part of the quote confirmation process (images of your boiler, flue, gas meter, and pipework) are stored using Cloudflare, Inc. via their R2 object storage service. R2 provides secure, private cloud-based image storage within the European Union.

Your photos are stored only for the purpose of engineer review and are retained for a period of 12 months following installation (or for the duration of any active warranty period, if longer). Photos submitted for quotes that do not result in a booking are deleted within 90 days. Your photos are stored in Cloudflare's Western European data centres. For details, see cloudflare.com/privacypolicy.

Data shared: Uploaded image files and associated metadata (upload timestamp, file type).

Resend · Transactional Email

We use Resend to send transactional emails, including quote confirmations, booking receipts, installation reminders, and post-installation follow-ups. Resend acts as a data processor and processes your email address and the content of messages sent to you.

Data shared: Your name and email address.

Twilio · SMS Notifications

Where you have provided a mobile telephone number and opted to receive SMS updates (such as installation day reminders or engineer arrival notifications), these messages are sent via Twilio Inc. Twilio processes your mobile number and message content to deliver SMS messages on our behalf.

Twilio is headquartered in the United States. Data transfers are covered by appropriate safeguards. For details, see twilio.com/en-us/legal/privacy.

Data shared: Your mobile telephone number and the text content of notifications.

5. How Long We Keep Your Data

| Type of Data | Retention Period |
|---|---|
| Quote requests that do not result in a booking | 90 days from quote generation |
| Customer contact and booking details | 7 years from the date of installation (for legal and warranty purposes) |
| Installation photographs | 12 months post-installation, or the warranty period if longer |
| Payment records and invoices | 7 years (as required by HMRC) |
| Gas Safe installation certificates | Indefinitely (as required by regulation) |
| Session and authentication cookies | See our Cookie Policy |

6. Your Rights Under UK GDPR

You have the following rights in relation to your personal data. To exercise any of these rights, please contact us at info@boilersscotland.co.uk. We will respond within one calendar month.

Right of access

Request a copy of the personal data we hold about you (a Subject Access Request).

Right to rectification

Ask us to correct inaccurate or incomplete data.

Right to erasure

Ask us to delete your data where there is no compelling reason for us to keep it.

Right to restrict processing

Ask us to limit how we use your data in certain circumstances.

Right to data portability

Receive your data in a structured, machine-readable format.

Right to object

Object to processing based on legitimate interests or for direct marketing.

Right to withdraw consent

Withdraw consent for any processing based on consent, at any time.

Right to complain

Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These measures include:

  • TLS encryption for all data transmitted between your browser and our servers
  • Secure, access-controlled database environments
  • Encrypted storage of authentication credentials
  • Access restricted to authorised personnel only, on a need-to-know basis
  • Regular review of third-party processor security standards

No method of electronic transmission or storage is 100% secure. If you have concerns about the security of your data, please contact us immediately.

8. International Data Transfers

Some of our third-party processors (Stripe, Cloudflare, Twilio) may transfer or process your data outside the UK or EEA, including in the United States. Where this occurs, we ensure that appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or standard contractual clauses approved by the Information Commissioner's Office.

9. Cookies

We use cookies and similar technologies to operate our website and maintain your session. For full details of the cookies we use and how to manage them, please read our Cookie Policy.

10. Contact and Regulatory Authority

For any privacy-related questions, to submit a Subject Access Request, or to exercise any of your rights, please contact us:

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. You can contact the ICO at ico.org.uk/make-a-complaint or by telephone on 0303 123 1113.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or legal obligations. The effective date at the top of this page will always reflect the most recent update. Where changes are material, we will notify you by email. Continued use of our service following any update constitutes acceptance of the revised policy.