Privacy Policy

Last updated: 2 May 2026

This Privacy Policy explains how Enerwise Commercial (operated by SOLR AI Limited) collects, uses, shares and protects personal data when you use commercial.enerwise.co.uk. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

SOLR AI Limited ("Enerwise", "we", "us") is the data controller for personal data processed via Enerwise Commercial.

  • Data Controller: SOLR AI Limited
  • Email: info@solr.ai
  • ICO registration: available on request

2. What we collect

We collect:

  • Account data (name, work email, organisation, role)
  • Property data (address, EPC, building footprint, energy consumption)
  • Smart meter data, only with explicit user consent (N3rgy)
  • Technical data (IP, user agent, request logs) for security and abuse prevention
  • Auth events (login, MFA setup, password resets) for fraud detection

3. Lawful bases for processing

  • Contract — to deliver assessments and partner services you sign up for
  • Legitimate interests — security monitoring, fraud prevention, service improvement
  • Consent — marketing emails, smart meter consumption data, optional cookies
  • Legal obligation — record-keeping (e.g. MCS, Companies House)

4. How we share your data

We use a limited set of vetted subprocessors to operate the service. The full list is maintained at /subprocessors. Each is bound by a Data Processing Agreement compliant with UK GDPR Article 28.

We never sell personal data. We do not share data with marketers. Property and lead records are only shared with HDM partner organisations that you have explicitly engaged with.

5. International transfers

Primary storage is in the UK / EEA (Supabase eu-west-1, GCP europe-west2). Some subprocessors (e.g. Vercel, Cloudflare, Sentry EU) operate global networks; transfers outside the UK rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs).

6. Retention

  • Account data — for the life of the account, plus 12 months after deletion
  • Assessment outputs — 7 years (commercial record-keeping)
  • MCS / installation documents — 10 years (regulatory)
  • Server logs — 30 days
  • Sentry error events — 90 days
  • Marketing consent records — 6 years after withdrawal

7. Your rights

Under UK GDPR you may:

  • Access a copy of your data
  • Correct inaccurate data
  • Request erasure (right to be forgotten) via /dashboard/settings/account/delete
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time
  • Lodge a complaint with the ICO (ico.org.uk)

To exercise any right, email info@solr.ai.

8. Security

We use Cloudflare Enterprise (WAF, DDoS, bot management), TLS 1.2+, HSTS, Turnstile, GCP Secret Manager, Supabase Row-Level Security, TOTP MFA, Sentry with PII scrubbing, encrypted backups, and least-privilege access. Incidents are reported to the ICO within 72 hours where required.

9. Cookies

See our Cookie Policy for details. We use only strictly-necessary cookies by default; analytics and marketing cookies are off until you opt in.

10. Changes

We will post any material changes to this policy here and notify account holders at least 14 days before changes take effect.

11. Contact

SOLR AI Limited — info@solr.ai