Privacy Policy

Effective Date: 8 July 2026  |  Replaces version dated 10 July 2023

IndigoZest Limited (“we”, “our”, or “us”) values and respects the privacy of our clients, website visitors, and contacts (“you” or “your”). This Privacy Policy explains how we collect, use, retain, disclose, and protect your personal information when you interact with our website, products, and services (together, the “Services”).

We are committed to handling your personal information in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).

 

1. Who We Are

The data controller responsible for your personal information is:

IndigoZest Limited

Company Registration No. 7242603

Unit 7, Kings Park, Primrose Hill, Kings Langley, WD4 8ST

Telephone: 0333 305 5305

Email: hello@indigozest.co.uk

Data Protection Officer

Our Data Protection Officer (DPO) is Nicolai Landschultz, Managing Director. You can contact our DPO at:

Email: dpo@indigozest.co.uk

 

2. Information We Collect

2.1 Information You Provide to Us

When you contact us, request a quotation, purchase our products or services, or create an account, we may collect:

  • Name, email address, telephone number, and postal address
  • Billing and payment information
  • Property details relevant to your project (e.g. room layout, system requirements)
  • Account login credentials
  • Communications and correspondence with us
  • Any other information you choose to share with us

2.2 Smart Home and Installation Data

As part of delivering our home automation, home cinema, and lighting services, we and our technology partners (such as Control4, OvrC, and Lutron) may process data generated by installed systems in your property. This may include:

  • Device usage patterns (e.g. lighting scenes activated, media preferences, thermostat settings)
  • Occupancy and presence data (e.g. motion sensor triggers, system activation times)
  • Remote access and support logs (e.g. timestamps and actions taken during remote servicing)
  • System diagnostics and error logs

Where this data relates to your home environment, we treat it with the highest level of care. It is used solely to deliver and support your system, and is not sold or shared with third parties for marketing purposes.

2.3 Automatically Collected Information

When you visit our website, we may automatically collect:

  • Device and browser information (e.g. IP address, operating system, browser type)
  • Usage information (e.g. pages visited, links clicked, referring website, date and time of access)
  • Information collected via cookies and similar technologies (see Section 8)

 

3. How We Use Your Information and Our Lawful Bases

Under UK GDPR, we must have a lawful basis for processing your personal information. The table below sets out how we use your data and the basis on which we do so.

Performance of a contract (Article 6(1)(b)):

  • Processing and fulfilling your orders and service agreements
  • Communicating with you about your account, project, or support request
  • Providing aftercare and Concierge Support services

Compliance with a legal obligation (Article 6(1)(c)):

  • Retaining financial and tax records as required by HMRC
  • Responding to lawful requests from regulatory authorities or courts

Legitimate interests (Article 6(1)(f)):

  • Improving our website, products, and services
  • Detecting and preventing fraud, security incidents, and abuse
  • Sending service-related updates and communications to existing clients
  • Conducting internal research and analysis

When we rely on legitimate interests, we have assessed that our interests are not overridden by your rights. You may object to this processing at any time (see Section 7).

Consent (Article 6(1)(a)):

  • Sending you promotional offers, newsletters, and marketing communications (where you have opted in)
  • Placing non-essential cookies on your device (see Section 8)

Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

 

4. Sharing Your Information

We do not sell your personal information. We may share it with third parties only in the following circumstances:

Service Providers:

We engage trusted third-party suppliers and sub-contractors to help us deliver our services (for example payment processors, installation partners, and technology platforms such as Control4 and OvrC). These parties are bound by contractual obligations to protect your personal information and may only use it for the specific purposes we specify.

Legal Compliance:

We may disclose your information where required to do so by law, regulation, or legal process, including in response to a valid court order or request from a competent authority.

Business Transfers:

In the event of a merger, acquisition, or sale of all or part of our business, your personal information may be transferred to the acquiring entity. We will notify you before your information becomes subject to a different privacy policy.

With Your Consent:

We may share your information with third parties where you have given us your explicit consent to do so.

 

5. International Transfers of Personal Data

Some of our third-party service providers are based outside the United Kingdom. Where we transfer your personal information to countries that have not been granted adequacy status by the UK Government, we ensure appropriate safeguards are in place to protect your information in accordance with UK GDPR.

5.1 Countries with UK Adequacy Status

The UK Government has recognised certain countries as providing an adequate level of data protection, meaning personal data may flow to those countries without additional safeguards. These include the European Economic Area (EEA), Switzerland, and several others. Where our processors are located in these countries, no further transfer mechanism is required.

5.2 Transfers to the United States

Several of our key technology providers are based in the United States, including Google (Analytics, Tag Manager, and Workspace), Creston and Snap One / Control4. The United Kingdom and the United States maintain a data transfer arrangement known as the UK Extension to the EU-US Data Privacy Framework (the “UK-US Data Bridge”), which came into force on 17 October 2023.

Where a US-based processor is certified under the UK-US Data Bridge, we may transfer personal data to them in reliance on that arrangement. For any US processors not covered by the Data Bridge, we use the UK International Data Transfer Agreement (IDTA) or equivalent contractual safeguards.

5.3 Transfers to Other Countries

Where we use processors in other countries (for example, Zoho, which is headquartered in India), we rely on the UK International Data Transfer Agreement (IDTA) or an Addendum to the EU Standard Contractual Clauses to provide appropriate safeguards for your personal data.

You may request a copy of the safeguards we have put in place for any international transfer by contacting our DPO using the details in Section 1.

 

6. Data Retention

We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, and in accordance with our legal obligations. Specifically:

  • Client project and contractual records: retained for 7 years from the date of the last transaction, in line with HMRC requirements
  • Marketing contact information: retained until you withdraw consent or opt out
  • Website usage and analytics data: retained for up to 26 months
  • Support and service logs: retained for the duration of your support agreement

When personal information is no longer required, it is securely deleted or anonymised.

 

7. Your Rights

Under UK GDPR, you have the following rights in relation to your personal information:

  • Right of access — you may request a copy of the personal information we hold about you (a Subject Access Request or SAR). We will respond within one calendar month. There is no charge for a SAR.
  • Right to rectification — you may ask us to correct inaccurate or incomplete personal information.
  • Right to erasure — you may ask us to delete your personal information where there is no legitimate reason for us to continue processing it, subject to applicable legal obligations.
  • Right to restrict processing — you may ask us to pause the processing of your personal information in certain circumstances.
  • Right to data portability — where processing is based on your consent or on a contract, you may ask us to provide your personal information in a structured, commonly used, machine-readable format.
  • Right to object — you may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Rights related to automated decision-making — you have the right not to be subject to decisions made solely by automated processing that produce significant legal or similar effects on you.

To exercise any of these rights, please contact our DPO using the details in Section 1. We will respond within one calendar month. In complex cases, we may extend this by a further two months and will inform you if we do so.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:

Information Commissioner’s Office

Website: ico.org.uk

Helpline: 0303 123 1113

Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

8. Cookies and Similar Technologies

Our website uses cookies and similar technologies to improve your browsing experience, analyse website usage, and support our marketing activities.

Essential cookies

These are necessary for the website to function and cannot be switched off. They are set in response to actions you take, such as setting your privacy preferences or filling in forms.

Analytics cookies

We use analytics tools (including Google Tag Manager and associated services) to understand how visitors interact with our website. This data is used in aggregate and helps us improve our content and user experience.

Marketing cookies

We may use cookies to deliver relevant advertising and to track the effectiveness of our marketing campaigns. These are placed only with your consent.

When you first visit our website, you will be asked to accept or decline non-essential cookies. You can change your preferences at any time via the cookie settings link in our website footer. You can also manage cookies through your browser settings, though this may affect the functionality of the site.

 

9. Data Security

We employ appropriate technical and organisational measures to protect your personal information from unauthorised access, loss, disclosure, alteration, or destruction. These include access controls, encrypted communications, and regular security reviews.

No method of transmission over the internet or electronic storage is completely secure. Whilst we take all reasonable precautions, we cannot guarantee absolute security.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform you directly without undue delay.

 

10. Children’s Privacy

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately and we will take steps to delete it.

 

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or services. When we make material changes, we will update the effective date at the top of this policy and, where appropriate, notify you by email or through a notice on our website.

Your continued use of our Services after any changes take effect constitutes your acceptance of the updated policy.

 

12. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data protection practices, please contact our Data Protection Officer:

Nicolai Landschultz — Data Protection Officer

IndigoZest Limited

Unit 7, Kings Park, Primrose Hill, Kings Langley, WD4 8ST

Telephone: 0333 305 5305

Email: nicolai@indigozest.co.uk