This Privacy Policy (the “Policy”) applies whenever AORO Solar UK uses your personal data. It describes how we collect, use, disclose, retain and otherwise process personal data relating to our customers, prospective customers, website visitors, enquirers, finance applicants, users of our mobile and web applications, employees, contractors, suppliers, business partners and other individuals with whom we interact in the course of operating our business.
AORO Solar UK is operated by Nimbus Nine Ltd, a company incorporated in England and Wales, trading as AORO Solar UK and AORO Energy. AORO Solar UK is supported by AORO Core Inc, which provides the AORO OS and AORO CRM software infrastructure used to manage customer data securely. AORO Solar UK’s activities in the United Kingdom include the design, supply, installation, commissioning, operation and maintenance of solar photovoltaic systems, battery energy storage systems and electric vehicle charging infrastructure; and the provision, support or facilitation of energy-related services, directly or through authorised partners, where applicable. Given the breadth of those activities, the personal data we process is necessarily varied in type and sensitivity, and we are committed to ensuring that all such processing is carried out lawfully, fairly and transparently, and in full compliance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (the “DPA 2018”), the Privacy and Electronic Communications Regulations 2003 (“PECR”) and all other applicable data protection and privacy legislation in force in the United Kingdom from time to time.
This Policy also applies to our websites located at www.aorosolar.co.uk, www.aorocore.com, www.aorogroup.com and www.aoroenergy.com (together, the “Sites”), to the AORO mobile applications, to the AORO OS and AORO CRM platforms, and to any other online or offline channel through which we collect personal data. It should be read together with our Cookie Policy, our Terms and Conditions of Sale and, where applicable, any supply contract, installation contract, finance introduction documentation or service-level agreement which you have entered into with AORO Solar UK.
In this Policy, references to “AORO Solar UK”, “we”, “us” or “our” mean Nimbus Nine Ltd trading as AORO Solar UK and AORO Energy, and where applicable AORO Core Inc in its role as technology provider or data processor.
This Policy is kept under regular review to ensure that it continues to protect your privacy interests and to reflect changes in our business, in our technology and in the applicable legal landscape. We reserve the right to update this Policy from time to time, with any updates published on the Sites and, where appropriate, notified to you directly. Please review this Policy regularly so you can see the most up-to-date information on our privacy practices. We will not, however, substantially change the way in which we use personal information already provided by you without your prior agreement or without otherwise informing you and affording you the opportunity to object where required by law.
AORO Solar UK is operated by Nimbus Nine Ltd and supported by AORO Core Inc. The roles of these entities are as follows:
Nimbus Nine Ltd is the data controller for all customer personal data relating to energy-related services, solar and battery installations, EV charging services, enquiries, marketing and customer interactions conducted under the AORO Solar UK and AORO Energy brands. Nimbus Nine Ltd is registered as a data controller with the Information Commissioner’s Office (the “ICO”). Where our activities require accreditation, certification, licensing or regulatory registration (including, without limitation, those administered by industry or consumer-protection schemes, or by financial or energy regulators), we undertake such activities only where and to the extent that the relevant authorisation applies, or where we operate through authorised third-party providers.
AORO Core Inc acts as a data processor on behalf of Nimbus Nine Ltd and provides the software infrastructure used to manage and process data, including the AORO OS and AORO CRM platforms. In that capacity, AORO Core Inc processes personal data strictly in accordance with the documented instructions of Nimbus Nine Ltd pursuant to a written processing agreement meeting the requirements of Article 28 of the UK GDPR. In addition, AORO Core Inc may act as an independent controller where it licenses the AORO OS and AORO CRM platforms to its own software customers and processes personal data (for example, account, billing and administrative data relating to those customers and their end users) for its own business purposes; that independent controller processing is governed by the AORO Core Inc customer agreements and the applicable AORO Core Inc privacy notice, and is outside the scope of this Policy save to the extent expressly stated.
For ease of reference, where this Policy refers to a “controller” in respect of a particular processing activity, that expression shall be construed in accordance with the allocation of controllership set out in this Section 2 and in the table at Section 5.
Our registered office and correspondence address is The Leadenhall Building, Leadenhall Street, London, Greater London, England, EC3V 4AB.
We may collect and process your personal data for a number of clearly defined purposes as permitted by the UK GDPR, the DPA 2018 and other applicable legislation. Further detail, including the categories of personal data processed and the legal bases on which we rely, is set out in Section 5 (“How We Use Personal Data and the Legal Basis”) of this Policy.
The Sites and the AORO Solar UK platforms are not intended for children and we do not knowingly collect personal data relating to individuals under the age of 18. Where we become aware that personal data relating to a child has been collected inadvertently, we will take prompt steps to delete that personal data, save where we are obliged or permitted to retain it by law.
You have a number of rights in relation to your personal data, including the right to object to certain processing which we undertake, the right to obtain a copy of the personal data we hold about you and the right to ask for your personal data to be corrected, restricted or erased in certain circumstances. More information about these rights, the circumstances in which they may be exercised and the procedure for doing so is set out in Section 11 (“Your Rights”) of this Policy.
For any queries or to exercise any of your rights in relation to data protection, please email our Data Protection Officer at dpo@aorosolar.co.uk or write to the Data Protection Officer at the address set out in Section 14 (“Contact Details”) of this Policy.
You may unsubscribe from marketing communications at any time and without charge. To opt out of direct marketing, please select the “unsubscribe” link in any marketing email, reply “STOP” to any marketing SMS, adjust your preferences in the AORO customer portal or email privacy@aorosolar.co.uk. Our Sites, applications and marketing emails use cookies and similar technologies in order to improve functionality, recognise returning users and customise your experience; you may reject or block non-essential cookies through the cookie consent banner displayed on first visit or through your browser settings, as explained more fully in our Cookie Policy and in Section 8 of this Policy.
We may collect personal data whenever you correspond or interact with us, whether by post, telephone, electronic mail, live chat, video conferencing, social media, through one of the Sites, through one of our mobile applications, through the AORO customer portal, at one of our premises or at a third-party event at which we are present. We may also collect data when you purchase products or services from us, use our products or services, make or receive a payment, apply for employment, participate in market research or attend a site survey.
In particular, we may collect and process the following categories of personal data, which we have grouped together for ease of reference:
We do not routinely collect sensitive personal data and will only do so where it is strictly necessary for the purposes described in this Policy, or where you have voluntarily provided it to us.
We use a number of different methods to collect personal data about you, including the following:
We are only permitted to use your personal data where we have a proper legal basis to do so. The legal bases on which we most commonly rely are:
We have set out in the table below a summary of how and why we may use your personal data, the categories of personal data processed and the legal basis (or bases) on which we rely. Where we rely on legitimate interests, the table identifies what those legitimate interests are. This table is intended to be illustrative rather than exhaustive; please contact us using the details in Section 14 if you require further information about the specific legal basis on which we rely for a particular processing activity.
| Purpose / Use | Type of Data | Legal Basis |
|---|---|---|
| To respond to enquiries, arrange site surveys or appointments, provide quotations for solar, battery storage, EV charging or energy-related services, and to register you as a new customer of AORO Solar UK. | Identity, Contact, Technical | Consent, where you have submitted an enquiry, requested a quotation or booked an appointment. Performance of a contract with you or taking steps at your request prior to entering into a contract. |
| To introduce you to third-party finance providers or finance brokers where applicable, so that you may apply for finance in connection with solar, battery, EV charging or other home energy products. Where such introductions are made, they are conducted either under appropriate authorisation or through authorised third-party partners. We do not provide financial advice unless we are authorised to do so or act through an authorised partner. | Identity, Contact, Financial, Transaction, Health | Consent, where you have asked us to introduce you to a finance provider. Performance of a contract with you. Compliance with legal and regulatory obligations, where applicable. |
| To process and deliver your order, including design and engineering of your solar or battery system, network operator notifications, commissioning, warranty administration, managing payments and collecting sums properly owed to AORO Solar UK. | Identity, Contact, Financial, Transaction, Profile | Performance of a contract with you. Necessary for our legitimate interests (to administer accounts, recover debts properly owed and fulfil our obligations to relevant network operators and, where applicable, accredited or certified bodies). |
| To use third-party service providers to verify identity, undertake anti-money-laundering and know-your-customer checks where applicable, and confirm the validity of payment card and bank account details. | Identity, Contact, Financial | Performance of a contract with you. Necessary for our legitimate interests (to reduce the risk of fraud, mistaken identity and financial crime). Compliance with legal obligations, where applicable. |
| To enable you to take part in a competition, customer loyalty scheme, referral programme, promotion, customer satisfaction survey or feedback request operated by AORO Solar UK. | Identity, Contact, Profile, Usage | Performance of a contract with you. Necessary for our legitimate interests (to study how customers use our products and services, and to develop our products, services and business). |
| To administer, operate and protect our business, our Sites and the AORO OS and AORO CRM platforms, including troubleshooting, data analysis, testing, maintenance, support, reporting, hosting and incident response. | Identity, Contact, Technical | Necessary for our legitimate interests (for running our business, the provision of IT and cloud services, network and information security, and the prevention of fraud). Compliance with legal obligations. |
| To deliver relevant content, advertisements and promotions to you on our Sites and on third-party platforms, and to measure the effectiveness of our advertising, including re-marketing via recognised advertising networks. | Identity, Contact, Profile, Usage, Technical | Necessary for our legitimate interests (to study how customers use our products and services and develop our business). Consent in respect of non-essential cookies and similar tracking technologies. |
| To use data analytics to improve our Sites, platforms, products, services, customer relationships and experiences, and to measure and improve the effectiveness of our communications and marketing. | Technical, Usage | Necessary for our legitimate interests (to keep our Sites and platforms updated and relevant, to define customer segments and to develop our products and business). |
| To monitor social media platforms, our Sites, the AORO mobile applications and customer responses to email and SMS marketing in order to assess engagement and address concerns. | Identity, Contact, Technical, Usage, Profile | Necessary for our legitimate interests (to study how customers view our products and services, address possible concerns and develop our business). |
| To send you relevant marketing communications and make personalised suggestions and recommendations regarding our solar, battery storage, EV charging, energy-related and associated products and services, including cross-promotion between AORO Solar UK and AORO Energy. | Identity, Contact, Technical, Usage, Profile | Necessary for our legitimate interests (to carry out direct marketing to existing customers and to develop our business). Consent, where you have provided your prior consent to receiving direct electronic marketing communications, as required by the Privacy and Electronic Communications Regulations 2003 (PECR). |
| To record and monitor telephone calls, webchat sessions, video calls and electronic correspondence with our customer service, sales, collections and technical support teams for staff training, quality assurance, complaint handling and the retention of accurate records. | Identity, Contact, Technical, Profile | Necessary for our legitimate interests (to train our staff, improve the quality of our service and retain accurate records in the event of complaints, disputes or regulatory enquiries). Compliance with legal and regulatory obligations, where applicable. |
| To analyse your transactions, product usage data (including generation, consumption, battery state-of-charge and export data) and other information you provide in order to understand you better as a customer and to tailor our services and communications. | Identity, Contact, Financial, Transaction, Profile, Usage, Energy | Necessary for our legitimate interests (to study how customers use our products and services, provide you with relevant offers and information, and to develop our business). |
| To contact you when you provide a review, testimonial or market research feedback, and to provide such feedback (in anonymised or pseudonymised form where practicable) to third-party panel providers for analysis. | Identity, Contact, Profile, Usage | Necessary for our legitimate interests (to study how customers view our products and services, address concerns and develop our business). |
| To identify customers in vulnerable circumstances and to deliver fair outcomes, including adjusting communications, payment arrangements and service delivery where appropriate. | Identity, Contact, Health, Financial | Necessary to safeguard your economic wellbeing. Where health-related information is processed, reasons of substantial public interest (Article 9(2)(g) UK GDPR and Schedule 1, Part 2 of the Data Protection Act 2018). Compliance with legal obligations, where applicable. |
| To enable authorised third parties to provide grid services, flexibility services, demand-side response, virtual power plant participation and system optimisation services to you, where such services are provided or introduced through regulated partners. | Identity; Contact; Financial; Transaction; Profile; Usage; Meter reference numbers (where provided); Meter, inverter and battery serial numbers; Generation, consumption and export data | Performance of a contract with you. Necessary for our legitimate interests (to study how customers use our products and services and to develop our business). Compliance with legal obligations, where applicable. |
| To enable third parties to support data quality and simplified data entry into our Sites, apps and the AORO OS platform (for example, address lookup services, company information lookups and energy tariff lookups). | Identity, Contact, Financial, Usage | Necessary for our legitimate interests (to ensure accurate registration of address, meter and supplier details as part of our onboarding process). |
| To enable trusted third-party providers to support and improve the customer experience, including CRM integrations, service orchestration, field service management and scheduling of installation and maintenance visits. | Identity, Contact, Financial, Transaction, Profile | Necessary for our legitimate interests (to enhance the customer journey, develop our products and services, and operate our business efficiently). |
| To operate the AORO OS and AORO CRM platforms on behalf of Nimbus Nine Ltd, including the provision of cloud hosting, data storage, software support, platform analytics, AI-assisted recommendations and automated workflow orchestration. | Identity, Contact, Technical, Usage, Transaction, Profile | Processing carried out by AORO Core Inc in its capacity as data processor, on the documented instructions of Nimbus Nine Ltd (the controller), pursuant to Article 28 UK GDPR. Controller legal bases are those identified in the other rows of this table. |
We may, subject to obtaining your specific and freely given consent, undertake the following additional processing activities:
Where you have given consent, you are entitled to withdraw that consent at any time by contacting us in accordance with Section 14 of this Policy or by using the opt-out mechanism provided within any relevant communication. The withdrawal of your consent does not affect the lawfulness of processing carried out prior to your withdrawal. Following withdrawal, we may only continue to process your personal data where another lawful basis for processing applies, such as where we are required to retain it in order to comply with a legal or regulatory obligation.
You have an absolute right to object to the processing of your personal data for direct marketing purposes, including profiling for direct marketing purposes, at any time. You may opt out of direct marketing by selecting the “unsubscribe” link in any marketing email, by replying “STOP” to any marketing SMS, by adjusting your preferences within the AORO customer portal or by contacting us using the details in Section 14.
We may share your personal data with selected third parties in order to operate our business, deliver our products and services, comply with our legal obligations and pursue our legitimate commercial interests. We take all reasonable steps to ensure that any third party with whom we share your personal data is bound by appropriate contractual obligations, in particular requirements of confidentiality, security and compliance with applicable data protection legislation.
The categories of recipient with whom we may share your personal data include:
We require all third parties with whom we share your personal data to respect the security of your personal data and to treat it in accordance with applicable data protection legislation. We do not permit our third-party service providers to use your personal data for their own purposes and we only authorise them to process your personal data for specified permitted purposes, in accordance with our written instructions and subject to appropriate technical and organisational security measures.
AORO operates across multiple jurisdictions and, as a consequence, personal data processed under this Policy may from time to time be transferred to, stored in or accessed from jurisdictions outside the United Kingdom. In particular, personal data processed through the AORO OS and AORO CRM platforms may be processed by AORO Core Inc outside the United Kingdom in its capacity as data processor to Nimbus Nine Ltd.
Where we transfer your personal data outside the United Kingdom, we always ensure that an appropriate safeguard is in place to protect your personal data. In particular, we will only transfer your personal data outside the United Kingdom:
In respect of transfers of personal data to AORO Core Inc, the transfer is effected under a recognised UK-valid transfer mechanism (such as the UK Addendum to the EU Standard Contractual Clauses or, where eligible, the UK Extension to the EU-US Data Privacy Framework), supplemented by additional technical safeguards including encryption in transit and at rest, pseudonymisation of data where technically feasible, strict access controls, tenant isolation, comprehensive logging and regular security reviews. Further information about the safeguards we rely upon, including a copy of the relevant transfer mechanism (with commercially sensitive information redacted), is available on request from the Data Protection Officer at the address given in Section 14.
Our Sites, our mobile applications, the AORO OS and AORO CRM platforms and our marketing emails use cookies, pixel tags, software development kits, local storage and other similar technologies (together, “cookies”) in order to distinguish you from other users, remember your preferences, analyse traffic and usage patterns, personalise content and measure the effectiveness of our communications and advertising.
Full information about the specific cookies used on each of our Sites, their purpose, duration and the third parties (if any) that place them, together with information about how to manage and reject cookies, is set out in the Cookie Policy published on each of our Sites. You may also adjust your browser settings to accept or reject cookies, although please be aware that if you reject essential cookies, parts of our Sites and services may not function correctly.
Where cookies collect personal data, they are governed by this Policy. We only place non-essential cookies on your device where you have consented to us doing so via the cookie consent banner presented on your first visit to a Site; your consent preferences may be reviewed and changed at any time via the “Cookie Preferences” link in the footer of each Site.
We may use your Identity, Contact, Technical, Usage and Profile data to form a view on what we think you may want or need, or what may be of interest to you, in respect of the products and services offered by AORO Solar UK and by selected third-party partners. This is how we decide which products, services and offers may be relevant for you.
You will receive marketing communications from us only where you have expressly consented to receive them, or where you are an existing customer and we have a legitimate interest in marketing to you under the “soft opt-in” exemption in regulation 22 of PECR, and you have not objected to receiving such marketing. Where we rely on the soft opt-in, we will only market similar products and services to those you have previously purchased from us.
You may ask us or selected third parties to stop sending you marketing messages at any time, without charge, and we will do so promptly. You may opt out of marketing communications by selecting the “unsubscribe” link contained in any marketing email, by replying “STOP” to any marketing SMS, by adjusting your communication preferences within the AORO customer portal or by contacting our Data Protection Officer using the details in Section 14.
Where you opt out of receiving marketing communications, this opt-out will not apply to personal data provided to us as a result of a product or service purchase, warranty registration, finance enquiry, safety notification or other transactional matter, for which we will continue to communicate with you using the contact details you have provided.
We have implemented appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. These measures have been designed having regard to the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks of varying likelihood and severity for the rights and freedoms of natural persons.
Our security programme includes, without limitation: the encryption of personal data in transit (using industry-standard transport layer security) and at rest (using recognised encryption algorithms); role-based access controls and the principle of least privilege; multi-factor authentication for privileged access; network segmentation and firewalling; intrusion detection and prevention capabilities; vulnerability scanning and periodic security testing; secure software development practices and code review; logging, monitoring and incident detection; formal change management procedures; business continuity and disaster recovery planning; physical security controls at our premises and at our third-party data centres; information security awareness training for staff; and background screening of personnel where appropriate.
We aim to align with recognised information security standards, including ISO/IEC 27001 and Cyber Essentials Plus, as our compliance framework develops. Where we rely on third-party service providers, we assess their information security posture as part of our supplier due diligence and require them to maintain appropriate safeguards consistent with the sensitivity of the personal data they process on our behalf.
Access to your personal data is limited to those of our employees, agents, contractors and other third parties who have a genuine business need to know. All such persons are subject to a contractual duty of confidentiality and are required to process your personal data only on our documented instructions.
We have established procedures to deal with any suspected personal data breach, including a formal incident response plan and a 72-hour notification protocol for breaches notifiable to the ICO. We will notify the ICO of a breach where we are legally required to do so, and will notify you directly where the breach is likely to result in a high risk to your rights and freedoms.
Under the UK GDPR and the DPA 2018, you have a number of rights in relation to the personal data we hold about you. These rights are summarised below:
Some of these rights are qualified rather than absolute and the particular circumstances of your request will need to be considered. For example, we may be entitled or obliged by law to retain your personal data notwithstanding a request for erasure, or we may need to redact or remove data where it includes personal data about another individual whose privacy we are also required to respect, even if that data is connected to your own. On occasion, there may be a compelling legitimate interest which entitles us to continue processing data notwithstanding an objection.
If you wish to exercise any of the rights described above, please contact our Data Protection Officer in accordance with Section 14 of this Policy. In order to respond to your request, we may need to verify your identity and, in some cases, ask you for further information about your request. We will not charge a fee for responding to a legitimate request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee based on the administrative cost of providing the information or refuse to comply with the request.
We aim to respond to all legitimate requests within one month of receipt. Occasionally, it may take us longer than one month if your request is particularly complex or if you have made a number of requests; in such cases, we will notify you of the extension within one month of receiving your request and keep you updated on the progress of our response.
We will only retain your personal data for so long as is reasonably necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, tax, accounting or reporting requirements to which we are subject, and for the resolution of disputes, the enforcement of our contracts and the defence of legal claims.
In determining the appropriate retention period for each category of personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal and contractual requirements.
As an indicative guide, we generally retain personal data in accordance with the following retention principles:
We may retain your personal data for a longer period in the event of a complaint, regulatory enquiry or where we reasonably believe there is a prospect of litigation in respect of our relationship with you. Once the applicable retention period has expired, we will securely delete or anonymise your personal data so that it can no longer be associated with you.
If you are unhappy with the way in which we have handled your personal data or any privacy query or request you have raised with us, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters.
The contact details for the ICO are as follows: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; telephone 0303 123 1113; website https://ico.org.uk.
We would, however, greatly appreciate the opportunity to address your concerns before you approach the ICO. We therefore respectfully ask that you contact our Data Protection Officer in the first instance, using the details set out in Section 14 of this Policy, so that we have an opportunity to resolve the matter directly with you.
For any query or request in relation to this Policy, the processing of your personal data by AORO Solar UK or the exercise of any of your rights under applicable data protection legislation, please contact our Data Protection Officer using the details below:
In respect of processing activities for which AORO Core Inc acts as data processor, queries may also be directed to the address above. Rights requests will be managed in coordination between Nimbus Nine Ltd (as controller) and AORO Core Inc (as processor) in accordance with the processing agreement in place between those entities. Where AORO Core Inc acts as an independent controller in relation to its own software customers, queries concerning that processing should be directed to AORO Core Inc under its own privacy notice.
We keep this Policy under regular review and may update it from time to time to reflect changes in the law, our business or our privacy practices. The date of the most recent update is shown at the top of this Policy. Where a change is material, we will take reasonable steps to bring that change to your attention, for example by posting a prominent notice on the Sites or by sending a notification to the email address we hold for you.
It is important that the personal data we hold about you is accurate and current. Please inform us promptly if your personal data changes during your relationship with us, for example if you move to a new postal address, change your email address or change your telephone number. You may update your contact details at any time within the AORO customer portal or by contacting us using the details in Section 14.
The Sites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share personal data about you. We do not control those third-party websites, plug-ins or applications and are not responsible for their privacy practices or the content of their privacy statements. We encourage you to read the privacy policy of every website, plug-in or application you visit before providing your personal data to it.