ENSEK's Public Privacy Notice



This document is our privacy notice for the purposes of Articles 13 and 14 of the UK GDPR, with respect to personal data concerning website users, Ignition users, and our marketing database.


This privacy notice is addressed to the types of individuals listed below (the data subjects). PLEASE ENSURE THAT YOU READ THIS NOTICE.


(1) Individuals who are contacts for our clients, contractors or other third parties we may deal with.

(2) Contractors include development companies, professional services companies, and software and system suppliers.

(3) We hold this data as controller.

Energy Supply Customers

(1) Individuals who are supply customers of our clients, whose data is processed in our SaaS systems.

(2) Your energy supplier is the controller, and we are their data processor.

(3) We hold this data as processor.


(1) Individuals who make a sales or other enquiry with us, including by submitting a contact or request form through our website.

(2) Individuals who we include on our marketing database.

(3) We hold this data as controller.


(1) Individuals who are given a log-in or account to any system of ours, such as individuals given access to our product help system, SaaS systems or support ticket system.

(2) Individuals who are given a sharing link to access any resources on any system of ours, including SharePoint files, Trello boards, or a user interface testing service.

(3) This is mainly staff of our clients who are using our systems on behalf of our clients.

(4) This does not include our staff or contractors, as they are covered by separate privacy notices, but the same type of data is held for them as well.

(5) We hold this data as processor (for our clients) and controller (with respect to feedback, usage and logging data).


(1) Individuals who visit and browse our website.

(2) Individuals who visit our offices or attend meetings we arrange.

(3) Individuals who join any video or audio conference call that we may set up.

(4) We hold this data as controller.

Not Listed?

(1) We have separate privacy notices for staff, job applicants, and contractors.

(2) These are available on request.

Any Questions?

If you have any questions, please contact our HR team in the first instance, and then our data protection officer if your question has not been resolved.


This privacy notice explains what personal data we hold about you, how we collect it, how we use it, who we share it with, and what your rights are. We are required to notify you of this information, under data protection legislation. Set out below are some general points to note before reading further.

What is the applicable law?

(1) This document is a privacy notice published to comply with Article 13 and Article 14 of the UK GDPR.

(2) You can find out more information through the useful links section of this document.

What is our commitment as controller?

(1) The controller of your data is the person ultimately responsible for the processing of your data.

(2) As the controller of your data, we are committed to complying with our legal obligations as controller of your personal data, and to transparency about what we use your data for.

(3) Our legal obligations are set out in: the UK GDPR and Data Protection Act 2018 (supplements the UK GDPR).

(4) As controller, we comply with the data protection principles when gathering and using personal information. We seek to ensure that our information collection and processing is always proportionate.

(5) We will inform you of any material changes to information we collect or to the purposes for which we collect and process it.

What is our commitment as processor?

(1) The processor of your data is the person who is processing data on behalf of the controller (such as a sub-contractor).

(2) If we are the processor of your data, we are committed to complying with our legal obligations as processor of your personal data, and to transparency about what we use your data for.

(3) Our legal obligations are set out in: the UK GDPR and Data Protection Act 2018 (supplements the UK GDPR).

(4) As a processor, our main obligations are to keep your data secure, and only to process it in accordance with the instructions of the controller.

Energy Supply Customers

(1) If you are a customer of an energy supplier, and any personal data relating to you (and your energy supply) is processed by us in our cloud service for your supplier, then please read the following.

(2) We are only the data processor. Your supplier is the controller of the personal data we hold. You should ask your supplier for their privacy notice. Your rights in this document should be exercised against your supplier, who will contact us if we need to be involved.

(3) The majority of this document does not apply to you, but please note that we do owe our security obligations to you and the controller, and you still have the right to complain about us to the Information Commissioner directly.

(4) For information, we process a large range of data relating to your energy supply contract for the supplier. This includes your supply contract details, your contact, meter and address details, meter readings, prices, bills, payments, debt, and complaints. We only process these according to the instructions of your supplier.

Must you provide data?

(1) There is no obligation to provide the data referred to in this privacy notice.

(2) However, if you are a customer of an energy supplier, then they will need data relating to your supply in order to make the supply of energy to you.


When we refer to a contract in this privacy notice, we mean any contract for supply of services between you and us, and any non-disclosure agreement or heads of terms between you and us.

Processor and Controller

This privacy notice sets out whether we, or any person we transfer your data to, are: (a) controller (ultimately responsible); (b) processor (handle data for someone else).


The controller (or where applicable, processor) of your data is ENSEK LTD, and our contact details are set out below.

Our Company Name


Our Company Number

UK Companies House: 07167027

Our Country of Registration

England and Wales

Our Registered Office

(1) Hounds Gate, 30-34 Hounds Gate, Nottingham, England, NG1 7AB.

(2) This is also our postal address and head office.

Our Website


Data Protection Email


Our Data Protection Officer

Our Data Protection Officer can be contacted through the email address provided above.


This section lists what data we hold about you in connection with your dealings with ENSEK Ltd.


(1) You may be captured on CCTV if you visit our premises.

(2) There is CCTV located in the main building reception and the car park. It is owned and operated by the landlords of the building.

(3) There is CCTV located in our communications room, where our servers and other equipment are located. This is owned and operated by ourselves.


Any emails and messages, and notes of any calls, between you and us.

Company Name

The name of any company or other organisation you are representing or work for.


(1) Web Download in Email - image download email.

(2) Direct messages from LinkedIn or other social media, phone calls.

Email Address

This will be the email address that is supplied to us, so it could be a work or private email address depending on what is supplied.


Any queries and other enquiries that you raise with us, and responses that we give to you.


Any feedback you provide.

Job Title

Your job title or role at the company or other organisation you represent or work for.


(1) Log-in and account details where you are given access by us to any system (e.g. SaaS system) or resource (e.g. user guides).

(2) Data concerning your logging in to and use of our systems, to track and monitor correct usage, and to support our clients in dealing with wrongful usage.


Your first name, middle names, and last names.

Phone Number

Your telephone number supplied to us, and/or any public telephone number published by any company or organisation you represent.

Product Testing Information

(1) If you are asked to participate in any user interface, user feedback or other product testing and feedback activities, then we may capture and store information concerning that testing and the results of any testing and feedback, which is used solely to improve our products and services.

(2) This may comprise: (a) how you interacted with user interface designs; (b) audio, written or visual feedback you provide on user interface designs.


Product Usage Information

(1) We capture information about visits to the web based user interfaces for our SaaS products. This will be visits by client staff who have accounts in our SaaS products, or by our own staff.

(2) This comprises: (a) page views; (b) browser name; (c) browser version; (d) server name; (e) first visit; (f) last visit; (g) sample group; (h) client you work for; (i) language; (j) your user roles; (k) number of days active; (l) average usage per day; (m) total usage time; (n) usage trend; (o) quantity of events; (p) page usage time; (q) feature clicks.



Your relationship with us, such as whether you are a client, potential sales opportunity, supplier, visitor or other.

Support Comments

Any support ticket descriptions, comments, and feedback you provide.

Task Audit Information

(1) If you are given user rights to access any of our systems, then we may record and store information about your use of those systems, including APIs called and tasks undertaken in the systems.


Video Call Recordings

Your image and voice may be captured if you allow your video feed or audio to feature in any video call or conference we arrange and record. For instance, a business update or training conference to which you are invited.

Website Usage Information

(1) We capture and record information about visits to our website, and our cookies notice gives further information on this.

(2) This may include when you visited, the IP address you visited from, browser information, your location in the globe, the pages you visited, the parts of the pages you viewed, and server session information concerning any processes you are undertaking through our website.

(3) This information may be captured by means of JavaScript, and by cookies or other local browser storage technologies, which are detailed further in our cookies notice.

(4) This is not recorded against you personally, and is stored and used in an anonymous form, except that if you are added to our marketing database HubSpot, the information may be linked to you at that point.


This section sets out how we obtain your data, including from you and other sources.

From Forms You Complete

We obtain it from forms you complete, including any general enquiries, sales, media contacts, demo request forms on our website, any newsletter sign-up, any surveys or interviews you participate in, and any testing web pages you participate in.

From Your Documents

From files and documents you provide to us, and emails and messages you send, and from your public LinkedIn account.

From Conversation With You

We obtain it from conversation with you, which may include phone calls and video calls, emails, and instant messaging.

From Your Web Browser and Email Client

(1) From data automatically supplied by your web browser when you visit our website.

(2) From data we collect through your browser by means of cookies, JavaScript and other technologies on our website.

(3) From tracking images downloaded in our marketing emails, that capture when the email was opened and whether you clicked on links in it.

From Our SaaS Systems

Where we are collecting analytics concerning usage of our SaaS systems by staff of our client or our own staff, we will again collect data from your web browser (including on any work or personal equipment you use to access our systems) and we may also collect data from events in our SaaS system that are associated with your user account.

From Our Back Office Systems

Where you are provided with a link to any back office system, file sharing service or other resource of ENSEK, that system may monitor and log your access, viewing, downloading or other use of that resource.


To be able to process your data we need to have a lawful basis for doing so under the law.


To enter into or perform a contract with you or your employer or company.

Criminal Records

(1) We do not process any data concerning your criminal convictions.

(2) However, we may do so if you are a job applicant or employee or contractor - and you should see our separate privacy notices for those roles.

Legal Obligation

We need to do so to comply with a legal obligation or exercise a legal right. This could be a statute.

Our Legitimate Interests

(1) We do so for our "legitimate interests".

(2) This is a flexible ground which we must prove.

(3) It requires a judgement on our part, but is typically doing something you would normally expect, or there is a compelling justification.

(4) You have a right to object if you don't agree with our judgement (see later in this notice), and we must stop if it is clear you have overriding reasons for asking us to stop.

(5) Most of our processing would fall within legitimate interests or contract performance, such as: (a) operating a proper and secure procurement process; (b) verification of identity; (c) assessment of suitability; (d) security checks; (e) making informed decisions; (f) negotiating contracts; (g) managing the supply of services to us and monitoring that it is in accordance with the contract; (h) monitoring use of our networks, systems, and offices; (i) performing our contractual commitments with our clients; (j) securing work and services outputs; (k) financing and insuring our business; (l) and improving our products and services.

Sensitive Data

(1) We do not process any data concerning your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, or sex life or sexual orientation.

(2) However, we may process health data if you are a job applicant or employee or contractor - and you should see our separate privacy notices for those roles.

Your Consent

(1) If the above do not apply, we would need to get your consent to the specific use.

(2) This could be an explicit documented consent, or it could be implicit because you have requested some action to be taken involving your data.

Your Interests

We need to do so to protect your vital interests.

This could include care for your health and safety.


This part sets out the key purposes we use your data for.

Enquiry Follow-Up

PURPOSE | For the purposes of following up on an enquiry or request you made, including any follow-up sales processes.

EXAMPLES | (1) Telephoning or emailing you following an enquiry by you. (2) Arranging meetings and video conferences with you. (3) Providing a demonstration to you. (4) Pursuing a sales process with you. (5) Preparing and signing an NDA or heads of terms for a sale discussion or proposed contracts. (6) Providing information you have requested.

LAWFUL BASIS | Legitimate Interest- We are responding to an enquiry you made, as you would expect, and you have implicitly requested our response by submitting your form.


PURPOSE | For the purposes of marketing our products to you or the business or organisation you represent or work for.

EXAMPLES | (1) Email marketing messages. (2) LinkedIn campaigns.

LAWFUL BASIS | (1) Consent- We will have asked for your consent, including in any website forms. (2) You have the right to ask for this to stop.


PURPOSE | Where you have signed up, we will use your data to send you our regular newsletter until you ask us to stop.

LAWFUL BASIS | (1) Consent- You requested by submitting your email. (2) You have the right to ask for this to stop.

Product Improvement

PURPOSE | (1) Our main products are SaaS products, which are accessed by our clients using a web user interface. (2) The quality of that user interface determines how well and efficiently our clients and their staff are able to use our products. (3) We therefore, as with a website, seek to capture information about how our SaaS products and their interfaces are used by our staff, which we then use to consider and improve the design of our products and the user guidance we provide.

LAWFUL BASIS | (1) Legitimate interest - To be able to improve our products. (2) Contract - To be able to deliver SaaS products that meet the standards expected by our clients in their contracts with us.

Relationship Management

PURPOSE | To manage our business or other relationship with you or the company or organisation you work for.

EXAMPLES | Client account management, contract management, support, and delivery purposes, to deal with matters arising in relation to a service contract with us, and to deliver on the service contract with us.

LAWFUL BASIS | (1) Contract- To perform and manage a contract between you and us, or between the company or organisation you work for and us. (2) Legitimate Interest- We would not be able to manage our contracts properly without being able to contact our client or other party to the contract.

Physical Security

PURPOSE | We use CCTV to monitor access to our offices for security monitoring purposes.

EXAMPLES | To check if any unauthorised persons are accessing our premises.

LAWFUL BASIS | Legitimate Interest- The protection of the security of our property and assets.

System Management

PURPOSE | To be able to manage access to and use of the systems you are given access to.

EXAMPLES | (1) To be able to give you the access intended. (2) To authenticate and authorise your access, and revoke your access. (3) To communicate with you about your access. (4) To maintain access logs and audit trails for the purposes of recording what you do in our systems.

LAWFUL BASIS | (1) Contract- To perform a contract with a client whom you work for. (2) Legitimate Interest- To protect the rights and interests of our clients in relation to their data you may have access to. (3) To protect our rights and interests in relation to our data and information in the system. (4) To maintain the security of our systems and be able to detect and evidence wrong-doing.

System Security

PURPOSE | We use various monitoring tools and services to monitor and log access to our systems for security management purposes.

EXAMPLES | To check if any unauthorised persons are accessing our systems, and to verify that our systems are being used correctly.

LAWFUL BASIS | Legitimate Interest- The protection of the security of our property, assets and systems.

Training and Information Sharing

PURPOSE | (1) We may use your video and voice call recordings for the purposes of keeping evidence of the call, and incidentally in connection with the sharing of that video or call in our business. (2) We would not record a video or voice call without making you aware at the time.

EXAMPLES | (1) Recording a meeting for the purposes of capturing the details of that meeting so that its information can be communicated to others not able to be present, can be actioned correctly, and evidence is maintained. (2) Recording of a training, event, or other type of meeting for the purposes of training or providing business information and updates internally.

LAWFUL BASIS | (1) Legitimate Interest- To be able to share training and business updates in our business to those not able to attend. (2) To be able to keep a proper record for the effective performance of our business.

Visit Management

PURPOSE | To manage your visits with us.

EXAMPLES | Arranging and administering face-to-face meetings and visits, and virtual meetings through videos.

LAWFUL BASIS | Legitimate Interest- To be able to manage the day to day operation of our business effectively, and know who we are dealing with.

Website Improvement

PURPOSE | We use website usage information to be able to assess the use of our website and improve it so that it is visited and used more, and has better rankings in search engines.

EXAMPLES | Capturing how many unique visitors there are and how often they are visiting and which parts of the site are used most.

LAWFUL BASIS | Legitimate Interest- To be able to promote and grow our business through an effective and relevant website.


This section details who we may share your information with. We will normally share in confidence unless the law requires otherwise.


PURPOSE | (1) We may share your personal data with any third party that is auditing our business and controls, including our security measures and operational controls, for the purposes of evidence, but only to the extent reasonably required for such evidence. (2) It will be shared securely, and under a non-disclosure agreement, and is normally shared to the auditor's secure evidence repository.

RECEIVED AS | They use it as our sub-processor, to provide audit services to us.

Our Clients

PURPOSE | We may share any feedback information, support ticket information, and information concerning your use of our systems with your employer / the company you work for, for the purposes of assessing our software and performance, and audit, logging and investigation purposes.

RECEIVED AS | They will receive it as a controller, and not our processor.

Systems Providers

PURPOSE | We store your data with our systems providers noted in the next part below, but they are not expected to access or use it other than to provide the system functionality to us (e.g. reports) - the data just resides on the systems as part of their cloud service, and is encrypted at rest.

RECEIVED AS | They will receive it as our sub-processor.


Your data is kept in the systems referred to below. We no longer keep any paper records and all of your data is created, stored, and retained electronically.


We host our website and manage our customer relationship database, contacts, enquiries and forms in HubSpot.


Microsoft 365 and SharePoint

(1) ENSEK uses Microsoft 365, Exchange, and SharePoint for its general email, messaging, document creation, document storage and document sharing.

(2) Your personal data may appear there in an ad-hoc form where there is follow-up activity following an enquiry.



(1) SaaS product usage information for our SaaS product users is stored in the Pendo solution (see useful links) in a pseudo-anonymised form.

(2) We hash the user's email address and only store the hash in Pendo, along with the analytics information associated with that user.

(3) It is not possible for Pendo to link the data back to a person; only ENSEK Ltd can do that, by using the original email address stored in ENSEK Ltd.'s SaaS systems.



In April 2024 we commenced using this product for testing and obtaining user feedback on our user interface and user interface design ideas, and this product will store the results of that testing.



This section covers our retention policy.

General Principle

We will only use your data for as long as it is required for the purposes for which it is processed.

Archiving Period - CCTV

CCTV recordings are held for 30 days, unless a recording is needed for evidence in relation to an incident that has happened, in which case we will hold the data for as long as required for that incident, but no more than 7 years.

Archiving Period - Clients and Contractors

If you are (or you are staff of) a client or contractor of ENSEK, then your personal data will be retained for the duration of our relationship and contract with the client or contractor, and for 7 years thereafter.

Archiving Period - Other

In any other case, your data will be retained for 36 months.


This section covers our security measures.

General Principle

(1) We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.

(2) In particular we have the following measures to keep your data secure.

ISO 27001

We are certified to and aim to keep certified to ISO 27001, which requires us to have a security management system, and to maintain a wide range of security controls. See ISO 27001

ISO 27701

We are also certified to and aim to keep certified to ISO 27701, which is an extension to ISO 27001 for privacy information management. See ISO 27701

Other Standards

We have our security controls audited independently by an auditor under the SOC (service organisation controls) audit standards, as well as under the smart energy code, the retail energy code, and other standards.

Data Breach

(1) We have procedures in place to deal with any suspected data security breach affecting your data.

(2) We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Other Measures and Controls

(1) The above standards and audits require and examine all our security and privacy measures and controls, which we have in place to protect against unauthorised use, access to, change to, or disclosure of your data, against viruses and other malicious software, and against unauthorised access to our equipment, offices, networks, cloud systems, and databases.

(2) These measures and controls cover areas such as office access controls, equipment log-in, cloud system log-in and associated roles and permissions, network and access monitoring, staff training, management, staff background checks, usage monitoring, anti-virus and other protective software and devices, and data segregation and encryption.

System Providers

Individual system providers listed in this document have their own separate security and controls with respect to your data in their systems, and we consider these prior to using those systems.

Cloud First

We operate on a "cloud first" basis, which means that your data is stored in secure and reputable cloud systems, rather than at any offices of ours.

Access Controls

We limit access to your personal information to those who have a genuine business need to know it.

Proportionate and Confidential

Those processing your information will do so only in an authorised and proportionate manner and are subject to a duty of confidentiality.


This section covers your rights in relation to our processing of your data.


(1) You have the following rights in relation to our processing of your personal data, but please note that these rights may be subject to conditions and exceptions set out in the law.

(2) If you would like to exercise these rights, please contact the head of human resources or our data protection officer.

(3) If you are not sure, just email us using our contact details in this document.

Our Service Providers

If you ask for the following, we are obliged to pass this request down to the providers of the systems we use and anyone else we use to process your data, as needed. See Article 19 of the UK GDPR.

Right to be informed

(1) You have the right to be informed if your data is being used.

(2) This document is how we are informing you.

(3) See Article 13 and Article 14 of the UK GDPR.

Right to withdraw consent

If any processing is based on your consent, you have the right to withdraw it at any time. Just email using our contact details in this document.

Right to stop direct marketing

You have the right to stop direct marketing at any time.

Right to a copy

(1) You have a right to an update of the information in this document.

(2) You also have a right to a copy of the personal data we hold about you.

(3) See Article 15 - Paragraph 3 of the UK GDPR.

(4) You have the right to ask for your data in a computer-readable form, so that you can use it elsewhere.

(5) See Article 20 of the UK GDPR.

Right to a correction

(1) You have the right to request correction of your data (a right to rectification).

(2) See Article 16 of the UK GDPR.

Right to erasure

(1) You have the right to request erasure of your data (also known as the right to be forgotten).

(2) However, there are a range of exceptions to this, which mean that we do not have to erase your data if there are good reasons for retaining a copy of it.

(3) See Article 17 of the UK GDPR.

Right to restriction

(1) You have the right to request that we stop using your data for some purposes.

(2) There are conditions that apply.

(3) This means that we might still hold your data, but we would be stopped from using it for certain purposes.

(4) See Article 18 of the UK GDPR.

Right to object to legitimate interests

(1) If the legal basis for our using your personal data is a "legitimate interest", or we are using your data to market to you, then you can object to the processing.

(2) See Article 21 of the UK GDPR.

(3) We must stop the processing, unless we can show that our interests should take precedence over yours.

Automated Decision Making

(1) If we are making important decisions about you using a computer, without any human involvement, then you can ask us to stop, subject to conditions.

(2) See Article 22 of the UK GDPR.

Right to complain

(1) We hope that our head of human resources and data protection officer can resolve any query or concern you have about our use of your personal data or your rights.

(2) In any case, you have the right to complain to the Information Commissioner at any time.

(3) Their details are: (a) Address - Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; (b) Helpline number - 0303 123 1113; (c) ICO website - https://ico.org.uk/make-a-complaint/


Data Protection Act 2018

Contains additional rules to support the UK GDPR.



The processor of your data.


ICO | Complaints Page

Page for making a complaint to the ICO.


ICO | Your Rights

ICO page on your rights.


Information Commissioner's Office (ICO)

The UK regulator of privacy laws.


ISO 27001

International security controls standard.


ISO 27701

International personal data management controls standard.


Microsoft 365

Our back office business tools for email, messaging, calling, and file creation, storage and editing.



A software analytics solution that collects data from our SaaS product web pages and


SOC (Service Organisation Controls)

Auditing standard for auditing of security and operational controls.



The UK's copy of the GDPR following BREXIT.


UK GDPR | Article 13

The provision of the GDPR requiring this notice.


UK GDPR | Article 14

The provision of the GDPR requiring this notice.


UK GDPR | Data Protection Principles

The fundamental rules we have to follow when processing your data.


UK GDPR | Lawful Basis

We must satisfy one of the grounds in this article to be able to process your data.



A third party system used to test user interface designs with users and to obtain user surveys and feedback, used by us to improve and develop our user interface designs.