Version 2.1 — Effective 18 May 2026

Privacy & Cookie Policy

At a glance

Who we are: Equilibriq Ltd, a UK SaaS provider of Connection Due Diligence services supporting NESO grid connection compliance.
What data we use: Business contact details, account and login data, content you upload to the Platform, support and correspondence data, billing data, website usage and cookie data.
Why: To provide and improve the Platform, perform our contract, comply with legal duties, run our business and (with consent where required) communicate with you.
Our role: We are a controller for Website, marketing, billing and account data. We are a processor for personal data within content our Clients upload to the Platform (“Client Data”); the Client is the controller of that data.
Your rights: Access, rectification, erasure, restriction, portability, objection, to withdraw consent, and to complain to the ICO (Reg. No. ZC150215).
Contact: privacy@equilibriq.com

2. Our roles: controller and processor

2.1 Where we act as controller: We are the controller for personal data that we collect for our own purposes, including: personal data about visitors to the Website (analytics, cookies, enquiries, marketing); personal data about prospective and current Clients' representatives (sales, onboarding, CRM, support, billing and account administration); personal data about Authorised Users we provision for access to the Platform (names, business email addresses, role, login credentials, authentication and audit data); personal data we are required to retain to comply with legal, regulatory and accounting obligations.

2.2 Where we act as processor: When our Clients use the Platform, they upload, generate or instruct the processing of information relating to grid connection applications, due diligence subjects, site portfolios, third parties and counterparties (“Client Data”). To the extent Client Data contains personal data, the Client is the controller and Equilibriq is the processor. In that case, our processing is governed by the data processing terms in our Master Services Agreement / Data Processing Addendum, not this Policy.

3. Personal data we collect and why

The table below summarises the categories of personal data we process as controller.

Category | Examples of data | Purpose | Lawful basis (UK GDPR Art. 6)
Enquiry & contact data | Name, Business email/phone, Employer, Content of message | Respond to enquiries; provide information about the Services; pre-contract steps. | Art. 6(1)(b) pre-contract; Art. 6(1)(f) legitimate interests.
Account & Authorised User data | Name, Business email, Role/job title, Login credentials, MFA secrets/tokens, Audit & access logs | Provision and operate accounts; authenticate and authorise users; maintain security; produce audit trails. | Art. 6(1)(b) performance of contract; Art. 6(1)(f) legitimate interests; Art. 6(1)(c) where required by law.
Support, training & correspondence | Name, Contact details, Tickets, Meeting notes, Recordings (with notice) | Handle support requests; deliver training; investigate incidents; improve the Services. | Art. 6(1)(b) performance of contract; Art. 6(1)(f) legitimate interests.
Billing & financial data | Billing contact, Purchase orders, Invoice data, VAT details | Invoicing, payment processing, credit control, tax and accounting records. | Art. 6(1)(b) performance of contract; Art. 6(1)(c) compliance with tax/accounting law.
Marketing & CRM data | Name, employer, business email, Sector/role, Engagement metrics, Event attendance | Send B2B marketing, newsletters, event invitations; measure campaign effectiveness; suppression lists. | Art. 6(1)(f) legitimate interests (B2B marketing); Art. 6(1)(a) consent where required.
Website & cookie data | IP address, Device & browser, Pages viewed, Referrer, Cookie identifiers | Operate, secure, measure and improve the Website; analytics; recognise repeat visitors. | Art. 6(1)(a) consent for non-essential cookies; Art. 6(1)(f) legitimate interests for strictly necessary cookies.
Recruitment data (if you apply) | CV/resume, Cover letter, References (with permission), Right-to-work info | Assess applications and manage recruitment. | Art. 6(1)(b) pre-contract; Art. 6(1)(c) where required by law; Art. 6(1)(f) legitimate interests.
Compliance & legal records | KYC/due diligence on counterparties (where required), Contract records, Dispute records, Insurance claims | Comply with legal duties; establish, exercise or defend legal claims. | Art. 6(1)(c) legal obligation; Art. 6(1)(f) legitimate interests.

We do not generally process special category data (UK GDPR Art. 9) or criminal offence data (Art. 10) in operating the Platform.

We do not require you to provide personal data, but if you do not provide information we ask for (for example, your business email to log in), we may be unable to provide the Services.

4. How we obtain personal data

  • directly from you when you contact us, sign up for the Services, attend our events, subscribe to communications or interact with our Website;
  • from your employer or organisation when they nominate you as an Authorised User of the Platform;
  • automatically through cookies and similar technologies on our Website (see section 12);
  • from publicly available sources (such as Companies House, the UK National Energy System Operator (NESO), distribution network operators, planning portals and corporate websites) where this is necessary to evaluate prospective business relationships or to validate connection due diligence inputs;
  • from third party data providers (for example, marketing data services, KYC/AML services) on a lawful basis;
  • from public energy industry registers and authorities relevant to grid connection compliance.

5. Automated processing and AI features

The Platform uses analytical models, scoring rules, machine-learning and other automated processing to produce assessments, recommendations and reports relating to grid connection due diligence. These outputs are intended to support, not replace, the professional judgement of our Clients and their personnel.

We do not use the Platform to make decisions that produce legal or similarly significant effects on individuals based solely on automated processing within the meaning of Article 22 of the UK GDPR. Outputs of the Platform are reviewed and actioned by our Clients.

We may use third party large language model (“LLM”) and AI service providers to operate certain features. We contractually require these providers not to use Client Data to train their models, and we apply input filtering and access controls. Specific subprocessors are listed at https://equilibriq.com/subprocessors.

6. Who we share personal data with

We share personal data only where it is necessary and lawful to do so, including with:

  • members of the Equilibriq corporate group, where applicable;
  • our personnel, contractors and professional advisers (legal, accounting, audit, insurance) under duties of confidentiality;
  • our subprocessors and other service providers — e.g. cloud hosting, identity & access management, email delivery, analytics, customer support, payments, CRM, productivity tools, AI/LLM providers — each engaged under written contracts that include data protection obligations equivalent to those required under Art. 28 UK GDPR. A current list is at https://equilibriq.com/subprocessors;
  • our Clients (where you are an Authorised User) to operate, secure and bill for the Services;
  • public authorities, regulators, courts and law enforcement where we are required by law to do so, or where it is necessary to establish, exercise or defend legal claims;
  • acquirers, investors and their advisers in connection with any actual or proposed merger, acquisition, reorganisation, sale of assets or financing event, subject to confidentiality protections;
  • any other third party with your consent or on your instructions.

We do not sell personal data.

7. International data transfers

We are based in the United Kingdom and host the production Platform in the UK and/or the European Economic Area (“EEA”). Some of our subprocessors may process personal data outside the UK and EEA, including in the United States.

Safeguards:

  • an adequacy decision adopted by the UK;
  • the UK International Data Transfer Agreement (the “IDTA”) or the UK Addendum to the European Commission's Standard Contractual Clauses; or
  • another transfer mechanism permitted by UK GDPR Articles 46–49.

You can request a copy of the relevant transfer mechanism by emailing privacy@equilibriq.com.

8. How long we keep personal data

We retain personal data for as long as necessary for the purposes for which it was collected, taking into account applicable legal retention requirements.

Category | Retention period
Enquiry/contact data (no resulting contract) | Up to 24 months after last interaction.
Account & Authorised User data | Duration of the contract with the Client + 6 years (limitation period under the Limitation Act 1980).
Client Data on the Platform (we are processor) | For the duration of the Client's subscription; deleted or returned in accordance with the Data Processing Addendum on termination (typically within 30–90 days).
Audit, access and security logs | 12–24 months, longer if needed to investigate an incident.
Billing and financial records | At least 6 years after the end of the relevant tax year (HMRC requirements).
Marketing data | Until you opt out and for a reasonable suppression period thereafter (no more than 24 months without renewed contact).
Recruitment data (unsuccessful) | Up to 12 months after the recruitment decision, then deleted unless you consent to longer retention.
Compliance & legal records | As required by applicable law and the limitation period for relevant claims (typically 6 years; 12 years where the contract is executed as a deed).

After the retention period ends, we securely delete or anonymise personal data.

9. How we protect personal data

  • encryption of data in transit (TLS) and at rest;
  • identity and access management with role-based access controls and multi-factor authentication for Equilibriq personnel;
  • network segmentation, vulnerability management, monitoring and logging;
  • secure software development lifecycle practices, code review and dependency scanning;
  • supplier due diligence and Art. 28-compliant contracts with subprocessors;
  • incident response and business continuity processes, including tested backup and recovery;
  • personnel training, confidentiality undertakings and screening appropriate to role;
  • a documented information security programme aligned with recognised standards (e.g. ISO/IEC 27001 and the NCSC Cyber Essentials scheme).

10. Your rights

  • Right of access — to obtain a copy of personal data we hold about you and information about how we process it.
  • Right to rectification — to have inaccurate or incomplete data corrected or completed.
  • Right to erasure — to ask us to delete personal data in certain circumstances.
  • Right to restrict processing — to ask us to limit our use of personal data in certain circumstances.
  • Right to data portability — to receive personal data you provided to us in a structured, commonly used and machine-readable format.
  • Right to object — to processing carried out on the basis of our legitimate interests, including direct marketing (which we will always honour).
  • Right to withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to solely automated decisions — with legal or similarly significant effects (see section 5).

To exercise any rights: email privacy@equilibriq.com. We will respond within one month.

To complain to the ICO (Registration No. ZC150215): https://ico.org.uk/concerns or 0303 123 1113.

11. Children

The Services are intended for use by businesses and their personnel. We do not knowingly collect personal data from children under 18 through the Services. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Cookies and similar technologies

A cookie is a small text file placed on your device when you visit a website. Under PECR, we only use cookies that are not strictly necessary with your consent. You can give, refuse, manage and withdraw consent at any time via our cookie banner.

Category | Examples | Purpose | Basis / duration
Strictly necessary | Session, load-balancing, CSRF, login | Allow the Website and Platform to function and remain secure. | No consent required (PECR reg. 6(4)). Session-only or short-lived.
Analytics / performance | Google Analytics, Hubspot | Understand how the Website is used and improve it. | Consent. Up to 14 months.
Functional | Preference cookies | Remember your choices (e.g. region, language). | Consent. Up to 12 months.
Marketing / advertising | LinkedIn Insight, Hubspot tracking | Measure campaign performance; deliver relevant content (B2B). | Consent. Up to 13 months.

13. Third party websites

The Website and the Platform may contain links to third party websites, plug-ins and applications. We are not responsible for the content or privacy practices of those third parties and recommend you review their privacy notices.

14. Changes to this Policy

We may update this Policy from time to time. The latest version will always be available on the Website. Where the changes are material, we will provide additional notice (for example, by email to account holders or via in-Platform notification).

15. How to contact us

Equilibriq Ltd

124 City Road, London, EC1V 2NX, United Kingdom

Company number: 16732746

ICO Registration No: ZC150215

Privacy enquiries: privacy@equilibriq.com

General enquiries: contact@equilibriq.com