Boiler Upgrade Scheme — up to £7,500 off a new heat pump. Check your eligibility → Learn more
← Home

Privacy Policy

Last updated: April 2026 · UK GDPR + PECR compliant

UKHeatPumpQuotes("we," "us," "our") operates an installer-matching service that connects UK homeowners with independent, MCS-certified air source heat pump installers. This Privacy Policy describes what we collect, our lawful basis, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

Data controller

For the purposes of UK GDPR, UKHeatPumpQuotes is the data controller for the contact details and property information you submit through our site. When we share your data with an MCS- certified installer, that installer becomes an independent data controller for their use of the data and has their own privacy notice that applies.

What we collect

When you submit a request through our website, we collect: your name, phone number, email address, postcode, town, property type, number of bedrooms, current heating fuel, ownership status, and installation timeline. We also automatically log limited technical data — IP address, browser user-agent, the page you submitted from — for fraud prevention and audit purposes. The IP and user-agent captured at consent time are kept as proof-of-consent under PECR audit standards.

Lawful basis (Art. 6 UK GDPR)

Our lawful basis for processing your contact details is your consent (Art. 6(1)(a)) given at the moment of form submission. Under PECR Reg. 21 and 22, this consent is also our basis for live calls, SMS and email marketing communications from us and the installer(s) we share your details with.

How we use your information

We share your contact details with up to three MCS-certified installers serving your postcode, so they can contact you with quotes and arrange a heat-loss survey. We may also use your information to: improve our service, prevent fraud, comply with legal obligations, and respond to your requests. We do not sell your data to data brokers, and we do not use it for purposes unrelated to heat pump matching without re-asking for consent.

Sharing with installers

We share with up to three MCS-certified installers who serve your area. The named-or-categorised consent at submission time covers this — the consent text says specifically "up to three MCS-certified air source heat pump installers serving my area." Once an installer receives your details, they become an independent data controller. If you no longer wish to hear from a specific installer, ask them directly to stop, or use the form below to revoke across our portfolio.

Your rights (UK GDPR)

  • Access (Art. 15): request a copy of the personal data we hold about you.
  • Rectification (Art. 16): ask us to correct inaccurate information.
  • Erasure / right to be forgotten (Art. 17): ask us to delete your data, subject to legal retention exceptions.
  • Restriction (Art. 18): ask us to limit how we use your data.
  • Portability (Art. 20): get your data in a machine-readable format.
  • Object (Art. 21): object to processing for direct marketing.
  • Withdraw consent (Art. 7(3)): withdraw consent at any time — the form below revokes across our portfolio (ukheatpumpquotes.co.uk, busgrant.uk, ashpcost.co.uk, heatpumpvsboiler.uk).

To exercise any of these, email [email protected]. We respond within one calendar month as required by Art. 12. If you're not satisfied with our response, you can complain to the Information Commissioner's Office: ico.org.uk or 0303 123 1113.

Withdraw consent / opt-out

Use the form below to withdraw consent. Your phone number and/or email will be added to our portfolio-wide Do Not Contact list, and any historical lead matching either field will be flagged as revoked so it's not re-shared with any new installer.

Submit your phone number, your email address, or both. Both are added to our portfolio-wide Do Not Contact list, and any previously stored lead matching either field is flagged as revoked.

We honour opt-out requests within 24 hours across every site we operate. For SMS, you may also reply STOP. For questions, email [email protected].

For SMS, you may also reply STOP to any message we send. To opt out of phone calls only (without erasing your data), contact us at [email protected].

Retention

We retain lead records for 24 months from the date of consent, consistent with the ICO's Direct Marketing Code of Practice. After 24 months, the data is automatically reviewed: if you have re-engaged in that time, we keep it for another 24-month cycle; otherwise it is deleted. Consent proof records (the version of text shown, the timestamp, IP and user-agent) are retained for the same period to support our PECR audit position.

Cookies

We use only strictly necessary cookies (no third-party analytics, no advertising trackers). Strictly necessary cookies under PECR Reg. 6(4) do not require consent — they include the cookies that store your form progress so a refresh doesn't lose your answers, and any session token used for the opt-out flow.

International transfers

Your data is stored on servers in the EU and UK. We do not transfer your data outside the UK/EEA except where the recipient (an installer) is based in the UK and is itself a UK data controller bound by UK GDPR.

Security

We use commercially reasonable administrative, technical, and physical safeguards. No method of transmission over the internet is 100% secure, so we cannot guarantee absolute security.

Children

Our service is for adults aged 18 or over who own or rent residential property. We do not knowingly collect data from anyone under 16.

Changes

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes are highlighted on our homepage or by email notice for 30 days.

Contact

Questions or DSARs? [email protected]. Opt-out requests outside the form: [email protected].