Who we are

Correla understands the importance of protecting personal information and is committed to complying with the UK GDPR, UK Data Protection Act (DPA 2018) and any other applicable data protection legislation applicable to the processing of personal data.

This notice applies to personal data processed in relation to the towsty.co.uk website (“our site”). Our site is operated by Correla Limited. We are registered in England and Wales under company number 13062055 and have our registered office at Lansdowne Gate, 65 New Road, Solihull, England, B91 3DL. Correla Limited is the controller and responsible for your personal data (collectively referred to as "Correla", "we", "us" or "our" in this privacy notice).

This website is not intended for children, and we do not knowingly collect data relating to children.

The personal information we collect and use:

‍In order to provide our services to you, we collect, use and are responsible for processing personal data to deliver those services. We collect that either directly from you or from third parties. Regardless of the source of data, Correla are committed to protecting your personal data and to ensuring that your personal information is used properly, lawfully and transparently. For more information on lawful basis, find guidance here

Purpose/Use	Type of Data	Legal Basis
To improve the products and services we offer our customers To generate and provide you with an automated heat pump installation cost estimate and projected energy savings based on the information you provide.	(a) Postcode, relevant property details (e.g. property type, number of bedrooms, current heating system, age of property) (a) Identity and contact details (e.g. name, email, postcode); (b) Property and occupancy details (e.g. property type, number of bedrooms, number of residents, number of radiators, listed building status, floor area, current heating system, age of property).	Legitimate Interests (to improve our services) Performance of a contract (to deliver the service you requested).
To connect you with independent heat pump installers or finance providers (if you consent) so they can contact you to arrange a quote or discuss finance options.	(a) Identity and contact details (e.g. name, email, telephone, address/postcode); (b) Relevant property and energy details needed to inform installers or finance providers (e.g. property type, size, current heating system).	Consent (opt-in; you may withdraw your consent at any time).
To send you marketing communications about our services (e.g. newsletters or updates) if you have consented.	(a) Contact details (e.g. email address); (b) Marketing preferences (record of your consent).	Consent (you will receive marketing only where you have provided your consent; you can withdraw it at any time).
To administer and improve our website and services (including troubleshooting issues, monitoring for fraud or security threats, data analysis and refining our cost estimation model and user experience).	(a) Technical and usage data about how you use our website (b) IP address	Legitimate interests (to operate, secure, and improve our services) unless the law requires your consent to deploy cookies or tracking technology.
To comply with legal or regulatory obligations, and to establish or defend legal claims (including enforcing our terms).	(a) Identity and contact details; (b) Other information relevant to the specific obligation or claim (e.g. details of your request, communications, or use of our service).	Legal obligation (where processing is required by law); Legitimate interests (e.g. to enforce terms or defend claims).

Sharing your data

Circumstance and provision of service sometimes require the sharing of your data with law enforcement, other data processors such as suppliers of technology, or other data controllers to provide you with a service you’ve requested. We only do this under strict protocols and where we have the correct and sufficient mechanisms and controls in place. We may share your data with:

Cookie control provider – we use an industry leading supplier to provide you a compliant cookie control which enables you to provide your consent to cookies.
Yesil Limited – to obtain property specific insight that informs your estimate.
Where you provide your consent to do so, we’ll share your contact details and relevant property information with independent heat pump installers or finance providers so they can contact you to arrange a quote or discuss finance options.

Marketing

You will receive marketing communications by email or phone (depending on your preference) if you have consented to receiving information about decarbonising your home from us.

Opting out of Marketing

You can ask to stop sending you marketing communications at any time by following the unsubscribe links within any marketing communication sent to you or by contacting us at box.correla.privacy@correla.com

If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes.

How long do we keep your information?

‍We will keep your personal information only as long as is necessary to conclude the purpose for which it was collected, or to meet legislative requirements. Personal information will be securely destroyed or put beyond use when it is no longer required, in accordance with our data retention and information management policy.

International Data Transfers

Providers of certain technologies or services may operate from different countries. We operate a UK/Adequate country first policy when undertaking or considering the transfer of your personal data outside of the UK. Where we transfer data outside the UK we rely on the following:

UK GDPR Adequacy decisions: Under the regulation, a number of countries have been deemed adequate in their data protection laws and mechanisms, meaning they have an equivalent level of protection as the UK. For example, the EU has adequate protection.

International Data Transfer Agreements (IDTAs). Where data is to be shared beyond an adequate country, Correla ensures that an IDTA is in place with that supplier, meaning an adequate contractual measure is in place to protect your data.

‍Your Rights

‍The UK GDPR facilitates a number of rights for you to access, rectify and delete your data. Your rights are:

Right to be Informed: You have the right to ask us how and why we are processing your personal data. If we have provided this to you in the form of this privacy notice, we will inform you. Where processing has not been identified in this notice, we will provide you with details of what data we are processing, why we are processing it, where we are processing it, and how it is being processed.
Right to Access: You have a right to access and have a copy of your information provided to you.
Right to Rectification: You have the right to have your data updated where inaccuracies have occurred and for that data to be completed, where it remains incomplete.
Right to erasure (Also known as the Right to be Forgotten): You have a right for your data to be deleted, but only if you meet a particular element of the following criteria:
1. We don’t need the data anymore to provide the service or product,
2. You have withdrawn your consent for us to process that data,
3. If you have objected to the use of your data and we can no longer justify the reason for processing your data,
4. You have objected to direct marketing we undertake,
5. There is a legal obligation which requires us to erase the data,
6. It is found that we have processed the data unlawfully,
7. You wish us to erase the data based on it being processed.
Right to restrict processing: You have the right to restrict us from processing your data if:
1. You don’t believe the data we are processing about you is accurate,
2. The data we are processing has been obtained without a lawful basis, and you wish to restrict the processing rather than delete it
3. You wish us to retain the data when it is no longer needed by us to provide the service, in support of a legal claim
4. Where you have objected to the processing of your data and we are in the process of considering the legitimate interest we have in processing it
Right to data portability: Where you have provided data to us and Correla is the Data Controller, you have the right to be provided with your data in a format that enables you to transfer that data to another provider.
Right to object to processing: You have the right to object to our processing of your personal data where:
1. We are directly marketing to you – this is an absolute right.
2. Where we are processing under legitimate interest. This is not an absolute right, and we may continue to process your data if our legitimate interest is compelling for the continuation of processing
3. We are processing the data under the lawful basis of ‘Public Task’.
Rights relating to automated decision making and profiling: Where we undertake automated decision making as part of our services or products (in which your personal data is or can be processed) you can request:
1. Information on those automated decisions and profiling outputs,
2. Human intervention where you are challenging a decision presented by the automated process,
3. Information on the regularity of the checks we carry out to ensure the systems generating those decisions are working as intended.

Exercise Your Rights

To exercise any of the rights above, please email the Correla privacy team stating:

The right(s) you wish to exercise
Any specifics relating to the data that may help us identify and implement your request.

The email for the Correla Privacy team is: box.correla.privacy@correla.com

We reserve the right to request identification from you to verify your request and to ensure accuracy and security of any data provided under the exercising of your rights.

‍You can also exercise any of the rights above by writing to us. Please mark your letter: F.A.O. Correla Data Protection Officer.

Our address is: Correla Ltd, Lansdowne Gate, 65 New Road, Solihull, B91 3DL

Personal Data Security

We are committed to making sure we keep your personal data confidential and implement and manage data security measures that are applicable to the processing we do. We adhere to, and are accredited against, the following standards:

ISO27001: 2022
NIST

The standards above are supplemented by a robust set of controls and policies that mean our Correla team are trained in data protection responsibilities and how to secure your personal data.

We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Did we do ok?

‍We hope that we can resolve any query or concern you raise about our use of your information.

‍If we do not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office (ICO). To contact the ICO, visit their website https://ico.org.uk/concerns/

You can contact them directly on the ICO helpline: 0303 123 1113.

‍

Changes to this privacy notice

You may request a copy of this privacy notice from us using the contact details set out above. We may modify or update this privacy notice from time to time.

Third-party links

This website may include links to third-party websites, plug-ins and applications.

Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Version Control

Version	Effective Date	Change
01.	04/02/2026	Initial Privacy Notice

Privacy Notice