Customer Privacy Notice (UK) – Skilled Mapping Ltd

Controller: Skilled Mapping Ltd (“Skilled Mapping”, “we”, “us”)

Registered address: Maxi House, Halesfield 20, Telford, England, TF7 4QU

ICO Registration: ZB543078

Alternative trading name: “Cut Heat Loss” (this may appear on vehicle signage)

Privacy contact / Data Protection Officer: Alex Wrigglesworth — contact@skilledmapping.com

Postal requests: Data Protection, Skilled Mapping Ltd, Maxi House, Halesfield 20, Telford, England, TF7 4QU

Accessibility: You may ask a carer, family member or authorised representative to act for you (we may request proof of authority).

Quick summary

• We capture thermal images of building exteriors from public roads.

• People are not identifiable — human shapes are automatically masked; number plates are not readable in thermal imagery.

• We use this to help councils and energy networks prioritise retrofit and support fuel‑poverty programmes.

• We link certain open public datasets (under Open Government Licence or equivalent) to give context such as address references and administrative areas.

• You can opt your property out at skilledmapping.com (Opt‑out) or by emailing contact@skilledmapping.com.

• We never use data for insurance pricing, targeted advertising, credit or tenant screening.

• Contact: contact@skilledmapping.com.

Scope

This notice covers our website (enquiry/quote forms) and our street‑level thermal surveying and reporting services (vehicle/handheld/tripod capture from public roads). We may use commercial drones for commercial sites only. We do not operate a mobile app.

What we collect and why

Services (surveys, metrics, reports):

• Thermal façades of buildings captured from public roads (no interiors; windows appear opaque).

• Telemetry such as GNSS/RTK traces, timestamps and device settings.

• Derived metrics (~60 exterior features) and an energy/fabric score comparable to EPC indicators.

• Identifiers for processing/aggregation: UPRN/USRN, Ward and Local Authority District (LAD).

• Client/project records: commissioning details, addresses, schedules and correspondence.

Why: assess heat loss and building fabric, prioritise retrofit/fuel‑poverty support, evaluate outcomes, and produce aggregated research in the public interest.

Website:

• Enquiry/quote forms: name, email, phone, company, message, postcode/address.

• Security/server logs: limited technical data (e.g., IP address) to keep the site secure.

• Cookies/analytics: we do not run analytics or set non‑essential cookies.

External datasets we link

To place thermal measurements in context, we link our data to public reference datasets that are either open or appropriately licensed. Where possible we rely on **open government licences** (e.g., the Open Government Licence) or equivalent terms. Typical categories include:

• Property and street references (e.g., UPRN/USRN), administrative boundaries (Ward/LAD), and other basic geographies needed for aggregation and mapping.

• Public statistics used at area level (e.g., deprivation indices, rural/urban classifications) for research and planning purposes.

We apply data‑minimisation: linkage is designed to support aggregation and quality checks; we do not add person‑level datasets and we prohibit re‑identification attempts under our contracts.

How we capture and protect data

• Thermal‑only capture on residential streets; façades‑only; public roads only (OS Open Roads/USRN routing).

• No live driver view (driver sees maps/start–stop only); data is written to encrypted removable media and uploaded later (typically ≤ two weeks).

• Incidental capture (people/number plates) is minimised by routing/angles and masked/blurred/cropped before use.

• Separation of stores: thermal imagery and geolocation are stored separately and only joined via a secret in Google Secret Manager; access is role‑based and audited.

• Drivers carry GDPR information cards explaining the activity and rights.

• Operating conditions: capture proceeds only when suitable (e.g., ΔT ≥ 8–10 °C, low wind, no precipitation, usually after sunset).

• QA: ≥2% human QA on masking/cropping; target blur‑failure rate <0.5%; sample‑based EPC cross‑checks.

Lawful bases and your rights

We primarily rely on Legitimate Interests (UK GDPR Article 6(1)(f)) to provide surveys/reports, perform QA and service improvement, conduct research/statistics, and share tiered outputs with public‑interest recipients. We may rely on Contract (Article 6(1)(b)) for specific commissioned deliverables. For website security/enquiries we rely on LI/Contract/Legal obligation as appropriate. For B2B updates we rely on LI and comply with PECR opt‑out rules.

Your rights include access, rectification, erasure, restriction, objection, and (where applicable) portability. Where we rely on Legitimate Interests, you have a strong right to object. We respond within one month. Email contact@skilledmapping.com or write to the postal address above. We may ask for reasonable proof of authority for deletion requests made by representatives.

We do not process special category data, do not use facial recognition or biometric identification, and do not knowingly collect children’s data; any presence in public places is incidental and masked.

Where we get personal information

• You (website forms and correspondence).

• Our own sensors (thermal façades from public roads; bystanders are masked).

• Public reference datasets used for linkage and aggregation (e.g., UPRN/USRN, Ward/LAD, basic geographies, and area statistics) under **open government licences** or equivalent terms.

• In some projects, property datasets supplied by councils/regulated partners (e.g., address lists or programme cohorts).

Tiered access and data minimisation

• Tier 1 (Aggregated Ward/LAD): rates and counts only; k‑anonymity ≥10 per cell; no per‑address data.

• Tier 2 (Per‑address metrics): fabric features/score for the property; no raw imagery and no linkage keys. Eligible recipients: regulated/public‑interest entities under a data‑sharing agreement.

• Tier 3 (Cohort research): time‑bounded research cohorts with additional safeguards; outputs are de‑identified/aggregated.

Roles: Skilled Mapping is Controller for capture/analytics and tiered sharing. Tier‑2 recipients act as independent Controllers for permitted purposes set in the data‑sharing agreement. If we deliver on a client’s specific written instructions, we may act as Processor; the role is defined in the contract.

Research data sharing (limited)

Some regulated entities or research organisations working on clear public‑benefit projects may receive time‑bounded access to raw thermal data under enhanced safeguards (contractual bans on re‑identification/secondary use, secure environments, no onward transfers, no external linking, audit rights, deletion/attestation). Visible/RGB residential imagery is not shared.

How long we keep information

• Raw thermal/telemetry: default ≤ 12 months; up to 36 months for documented public‑interest research (biennial review).

• Derived datasets and client reports: typically up to 7 years (programme evaluation, warranties, accounting) or as required by contract/law.

• Website enquiries: up to 12 months (unless we subsequently contract with you).

• Security/server logs: up to 12 months (logs retained in europe‑west2).

• Property opt‑out suppression list: as long as needed to honour the opt‑out.

• Back‑ups: rolling cycles (typically ≤90 days).

Who we share information with

Service providers (processors):

• Google Cloud Platform (GCP) — storage/compute in europe‑west2 (London); encryption at rest/in transit; IAM/KMS.

• Google Workspace/Drive — business email and file storage/collaboration.

Data licence recipients (independent controllers):

• Local authorities and public bodies; energy companies/network operators; institutional research and not‑for‑profit partners.

Banned categories: consumer insurers, tenant‑screening, ad‑tech, credit scoring, employment screening, bailiff/recovery, real‑estate lead generation.

All recipients are subject to contractual bans on re‑identification and high‑risk secondary uses, and to audit/attestation requirements. You may object to this sharing.

International transfers

Primary storage and processing are in GCP europe‑west2 (London, UK). Limited access from France operates under the UK International Data Transfer Agreement (IDTA) with a documented Transfer Impact Assessment (TIA). If Standard Contractual Clauses (SCCs) are used with EEA partners or subprocessors in future, we will implement equivalent safeguards.

Property‑level opt‑out and removal

• Do not collect: submit your address/UPRN at skilledmapping.com (Opt‑out), or email contact@skilledmapping.com with subject “Property opt‑out”. We will add your property to our suppression list to exclude it from future capture/processing.

• Delete existing raw: you may request deletion of façade tiles and associated raw sensor data relating to your property. We will honour valid requests unless retention is required by law or we can demonstrate overriding legitimate grounds (we will explain if these apply).

SLA: we aim to implement do‑not‑collect within 3 working days and delete/suppress within 10 working days for already‑captured data. We propagate valid opt‑outs to active data recipients.

Automated decision‑making

We do not make decisions with legal or similarly significant effects about individuals. Our models produce building‑fabric indicators to support public‑interest planning and retrofit; they are not used to make decisions about specific people.

Security and incidents

We apply appropriate technical and organisational measures, including encryption in transit and at rest, SSO/MFA, least‑privilege RBAC, audit logging and access reviews, secure development and vulnerability management, and staff confidentiality and training.

Incidents: 0–24 h contain/rotate keys/preserve logs/initial triage; 24–72 h impact assessment, ICO notification test, stakeholder communications, corrective actions; post‑72 h root‑cause analysis and control updates.

How to complain

Please contact us first at contact@skilledmapping.com or by post to the address above. If you remain unhappy, you can complain to the Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF • Helpline 0303 123 1113 • ico.org.uk/make-a-complaint

Transparency

We publish annual route plans, a completed‑areas map, a DPIA summary, and the property opt‑out page at skilledmapping.com.

Last updated: 7 October 2025