Privacy Policy
Last updated: April 2026
1. Who we are
EPC Booker is operated by Carn Energy Ltd. When we refer to "we", "us", or "our" in this policy, we mean Carn Energy Ltd.
We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For questions about this policy or your data, contact us at hello@epcbooker.co.uk.
2. Data we collect
End Customers (people making bookings):
- Name, email address, and phone number
- Property address and postcode
- Property details (type, bedrooms)
- Payment confirmation data (we do not store card numbers — Stripe handles this)
- Booking history
Organisation users (dashboard admins and assessors):
- Name and email address
- Login credentials (passwords are stored as irreversible hashes)
- Activity within the dashboard (bookings managed, jobs completed)
3. How we use your data
We use personal data to:
- Process and confirm bookings
- Send booking confirmation and appointment reminder emails
- Enable assessors to view their assigned jobs
- Enable org admins to manage their bookings and assessors
- Process payments via Stripe
- Comply with legal obligations
We do not sell your data to third parties. We do not use your data for advertising.
4. Legal basis for processing
We process personal data on the following legal bases:
- Contract: processing necessary to fulfil a booking you have made.
- Legitimate interests: operating and improving the platform, preventing fraud.
- Legal obligation: where required to comply with applicable law.
5. Third parties
We share data with the following third parties only to the extent necessary to operate the platform:
- Stripe — payment processing. Stripe is PCI DSS compliant and handles card data entirely.
- Fly.io — API hosting. Your data is stored on servers within the EU/UK.
- Vercel — frontend hosting.
- Resend — transactional email delivery (booking confirmations).
We do not share your data with any other third parties without your explicit consent.
6. Data retention
We retain booking records for 7 years to comply with financial record-keeping requirements. Login account data is retained for as long as the account is active. You may request deletion of your personal data by contacting us — we will delete what we are not legally required to retain.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention requirements)
- Object to processing based on legitimate interests
- Request restriction of processing
- Request data portability
To exercise any of these rights, email hello@epcbooker.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
EPC Booker does not use tracking or advertising cookies. We use only the technical cookies necessary to keep you logged in to the dashboard and assessor portal. These are session-based and expire when you close your browser or sign out.
9. Changes to this policy
We may update this Privacy Policy from time to time. The date at the top of this page reflects when it was last updated. We will notify Organisation account holders of material changes by email.