GDPR Compliance at Kilowatts.uk

Last updated: December 14, 2025

Kilowatts.uk is built with data minimisation, privacy by design, and explicit consent control. This page explains how guest mode, consent logging, cookies, and analytics/advertising controls work on our platform.

GuestID and guest mode

When you first arrive, we generate a pseudonymous GuestID (a session-based random hash). This identifier contains no personal data and is used solely to maintain continuity during anonymous browsing.

$sessionHash = substr(hash('sha256', $sessionId . '-' . $timestamp), 0, 32);
setcookie("GuestID", "fingerprint=" . $sessionHash, ...);

While you are not logged in, you are represented internally by a guest object with default values (for example id=0, loggedIn=false). No personal data is required at this stage.

Consent-driven user flows

Solar comparison flow

Anonymous start: postcode and address data (via Google Places if enabled) linked only to your GuestID.
Consent logging: ticking a consent checkbox records acceptance with timestamp and policy version against the GuestID.
Identified stage: when you provide your phone number or email address, an account and project are created, earlier consent is linked, and modelling tools (such as Dr Kilowattson) are activated.

Non-solar guest projects

Guests may submit other project types using consent-based forms. When submitted, an account is created automatically and you are logged in immediately (“short-circuit login”). Your consent is recorded with timestamp and policy version.

Cookies and tracking technologies

Essential cookies (always active)

These cookies are required for the site to function and do not require consent:

PHPSESSID — session management.
GuestID — pseudonymous identifier for guest mode.
jwt — security token for authenticated API requests.
user_tz — timezone for correct date and time display.
GDPRConsents — records acceptance of policies and preferences.

Analytics and advertising cookies (optional)

Kilowatts.uk uses Google Tag Manager (GTM) to manage analytics and advertising technologies. These cookies are:

Disabled by default
Only activated after explicit user consent
Fully controllable via our cookie preference switch

When enabled, analytics cookies help us understand how the platform is used so we can improve performance and usability. Advertising cookies, if enabled, may be used to measure campaign effectiveness.

Google tags are configured to respect consent signals and will not fire until consent has been granted. You can change or withdraw consent at any time via the cookie settings.

For full details, see our Cookie Policy.

GDPR consent and audit logs

We maintain a dedicated GDPR log table to evidence compliance. Logged fields may include:

User ID (if identified; otherwise linked to GuestID).
Consent purpose and status (accepted, rejected, withdrawn).
Method and source (form, modal, cookie banner).
IP address and user agent (where available, for security and audit).
Policy type and version accepted.
Timestamp of the consent event.

These records are used solely to demonstrate compliance and are never sold, shared for marketing, or used for profiling.

Legal bases for processing

Contract: to deliver comparisons, quotes, and services you request.
Legitimate interests: site security, abuse prevention, essential cookies, and platform integrity.
Consent: analytics, advertising, optional communications, and enabling Google Maps/Places.

Your rights

Under UK GDPR, you have the right to access, correct, delete, restrict, port, or object to processing of your personal data. You may withdraw consent at any time without affecting the lawfulness of prior processing.