Privacy Notice
This Privacy Policy explains how BIT Technology s.r.o. ("we," "us," or "our") collects, uses, processes, and protects your personal data through the EnergyVision website (energyvision.bemooore.com) and mobile applications (iOS and Android). We are committed to transparency and compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Overview
Company: BIT Technology s.r.o., Slovakia
Website: energyvision.bemooore.com
Apps: EnergyVision (iOS and Android)
Contact Email: hello@energyvision.app
2. What Personal Data We Collect
2.1 Account Data
- Email address - Used for account registration, password recovery, and marketing communications (with opt-in)
- Password - Securely hashed and stored for authentication
- Single Sign-On (SSO) - Google Sign-In or Apple Sign-In (we receive your email and display name from the provider)
- Profile information - Optional: first name, last name, profile photo
2.2 Meter Data (Property Data, NOT Personal Data Under GDPR)
- Meter readings - Values, timestamps, and meter identifiers
- Meter photos - Raw photographs of analog meters (encrypted storage in Supabase)
- GPS location - Auto-tagged from meter photos to identify property location (not for user tracking)
- Meter metadata - Meter type, meter ID, unit of measurement (kWh, m³, GJ, etc.)
- Invoice photos - Bill/invoice images uploaded for Smart Invoice Scan feature (optional)
Note: Under GDPR, meter readings at a specific property are considered property data, not personal data. However, we treat them with the same security and privacy protections as personal data.
2.3 Usage Analytics & Engagement Data
- Firebase Analytics: App usage events (app opens, meter readings, screen views, feature engagement)
- PostHog: Session recordings, heatmaps, error tracking (web only)
- Microsoft Clarity: Session recordings, heatmaps, page analytics (web only)
- Google Tag Manager: Event tracking, conversion tracking, goal completions
- Crash reports: Firebase Crashlytics captures app crashes and errors (device model, OS version)
2.4 Communication & Marketing Data
- Push notification tokens: Firebase Cloud Messaging (FCM) tokens to send meter reading reminders and energy-saving tips
- Email for marketing: Sent via Brevo/Sendinblue (only with your opt-in consent)
- Quiz responses: Energy assessment quiz answers to provide personalized recommendations
2.5 Device & Technical Data
- Device identifiers: App installation ID (for crash reporting and analytics)
- Device info: OS version, app version, device model (for error tracking)
- IP address: Captured in server logs (temporary retention for security)
- Cookies & tracking: Essential cookies (session), analytics cookies (Google Analytics, Clarity)
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- Contract (Article 6.1.b): Processing necessary to provide the EnergyVision service (account registration, meter reading storage, forecasting)
- Consent (Article 6.1.a): Marketing emails, push notifications, non-essential analytics (PostHog, Clarity)
- Legitimate interests (Article 6.1.f): Security improvements, fraud prevention, app performance optimization, essential analytics (Firebase, GTM)
- Legal obligation (Article 6.1.c): Data retention for 5 years to comply with EU energy audit regulations
4. How We Use Your Data
4.1 Core Service Delivery
- Account authentication and security
- Storing meter readings and historical data
- AI-powered OCR for meter reading recognition
- Forecasting energy consumption using machine learning
- Displaying personalized energy-saving tips and recommendations
- Generating monthly/annual reports and bill forecasts
4.2 Analytics & Improvement
- Understanding user behavior and feature usage
- Identifying and fixing bugs and performance issues
- Improving user experience and app design
- Measuring engagement, retention, and conversion metrics
4.3 Communication
- Monthly meter reading reminders (push notifications)
- Energy-saving tips and personalized recommendations
- Product updates, new features, important notices
- Marketing emails (only with your explicit opt-in)
- Account support and troubleshooting
4.4 Safety & Security
- Detecting and preventing fraud or unauthorized access
- Complying with legal requests from authorities
- Protecting against cyberattacks and data breaches
5. Data Sharing & Third Parties
5.1 Third-Party Service Providers (Data Processors)
We share your data with the following processors under Data Processing Agreements (DPA):
- Supabase (Backend & Storage): Authentication, database, and encrypted photo storage (GDPR-compliant, EU data centers)
- Firebase (Google): Analytics, crash reporting, push notifications, performance monitoring
- OpenRouter / Anthropic (Claude AI): Cloud AI for meter OCR fallback (when on-device ML confidence is low)
- Brevo/Sendinblue: Marketing email delivery (GDPR-compliant, EU-based)
- PostHog: Session analytics and error tracking (self-hosted or EU data center)
- Microsoft Clarity: Web analytics and heatmaps
- Google (Tag Manager, Analytics): Event tracking and conversion measurement
5.2 Data Sharing with Third Parties
We do NOT sell your data to third parties. Your meter readings and personal information are never shared with energy companies, government agencies, or other external parties without your explicit written consent.
5.3 B2B / Enterprise Sharing (Optional)
If you are a business customer (property manager, facility operator, energy auditor), you may choose to:
- Export meter data for reporting to your clients or management systems
- Share aggregated energy data with third-party dashboards (Grafana, etc.)
- Integrate with your internal systems via API
These sharing activities require your explicit authorization and are logged in your account.
6. Data Retention
6.1 Meter Readings & Property Data
We retain meter readings and associated photos for 5 years from the date of upload. This retention period is required by EU energy audit and billing regulations to support energy inspections and dispute resolution.
6.2 Account & Authentication Data
- Active accounts: Retained for the duration of your account subscription
- Deleted accounts: Data permanently deleted within 30 days of account deletion request
- Password hashes: Never shared or exposed; deleted upon account termination
6.3 Analytics & Cookies
- Firebase Analytics: 2 years (Google's default retention)
- Server logs (IP addresses): 30 days maximum
- PostHog / Clarity: As per their data retention policies (typically 90 days to 1 year)
- Google Ads cookies: 90 days
6.4 Marketing & Email Data
- Email subscriptions: Retained until you unsubscribe
- Email engagement: Stored by Brevo per their retention policy
7. Your Rights & Control (GDPR Articles 15-22)
Under GDPR and applicable data protection laws, you have the following rights:
7.1 Right to Access
You can request a copy of all personal data we hold about you. Submit a request to hello@energyvision.app with the subject "Data Access Request." We will respond within 30 days.
7.2 Right to Rectification
You can update or correct your account information directly in the app settings. For data you cannot edit yourself, contact us at hello@energyvision.app.
7.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your account and associated personal data. Note:
- Meter readings will be deleted within 30 days of your request
- Account data (email, password) will be permanently removed
- Data required by law (e.g., for audit trails) may be retained in anonymized form
- Server backups may retain data for up to 60 additional days
7.4 Right to Restrict Processing
You can request that we restrict how we use your data (e.g., stop marketing emails, stop analytics). This will limit the service functionality but is fully supported.
7.5 Right to Data Portability
You can request your data in a machine-readable format (JSON or CSV) for import into another service. Submit a request to hello@energyvision.app with the subject "Data Portability Request."
7.6 Right to Object
You can object to specific processing activities:
- Marketing emails: Click "Unsubscribe" in any email or disable in Settings
- Push notifications: Disable in app Settings
- Analytics: Opt out in Settings (PostHog, Clarity)
- Tracking cookies: Use browser settings or our cookie consent tool
7.7 Right to Withdraw Consent
If we process data based on your consent, you can withdraw it at any time by contacting hello@energyvision.app or changing your Settings.
7.8 Right to Lodge a Complaint
If you believe we have violated your data protection rights, you can lodge a complaint with your national data protection authority (DPA). For Slovakia, this is the Office for Personal Data Protection.
8. Cookies & Tracking
8.1 Essential Cookies
Automatically set. Required for login, security, and basic functionality.
- Session cookies: Expire after 24 hours of inactivity
- CSRF tokens: Prevent unauthorized requests
- Language preference: Remembers your selected language
8.2 Analytics Cookies
Require your consent (unless deemed necessary for service improvement):
- Google Analytics (via GTM): Tracks page views, user behavior, conversion funnels (optional)
- Microsoft Clarity: Records session behavior, heatmaps, rage clicks (optional)
- Firebase Analytics: App usage metrics, event tracking (essential for app performance)
8.3 Advertising / Tracking Cookies
EnergyVision does not currently use third-party advertising tracking pixels. Google Ads remarketing is disabled by default.
8.4 Cookie Management
You can manage cookies in your browser settings. We provide a cookie preference tool at signup and in Settings. Disabling analytics cookies will not affect core functionality.
9. Children's Privacy
EnergyVision is not intended for users under 13 years old (or the applicable age of digital consent in your country). We do not knowingly collect personal data from children. If we discover a child has created an account, we will delete the account and associated data within 30 days.
Parents or guardians who believe their child has registered can contact us at hello@energyvision.app for account removal.
10. Security
10.1 Data Protection Measures
- Encryption in transit: TLS 1.3 for all connections
- Encryption at rest: AES-256 for photos and sensitive data in Supabase
- Password security: bcrypt hashing with salt (never stored in plaintext)
- Access controls: Role-based access (RBAC) for team accounts and B2B features
- Audit logs: All data modifications logged with timestamps and user IDs
- Regular backups: Daily encrypted backups to secure cloud storage
10.2 Security Incident Response
In the event of a data breach, we will:
- Notify affected users within 24 hours
- Notify relevant data protection authorities within 72 hours (as required by GDPR)
- Provide guidance on steps users can take to protect themselves
- Investigate root causes and implement preventive measures
10.3 Limitations
While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute protection against all attacks or breaches. Users are responsible for keeping their password confidential.
11. International Data Transfers
EnergyVision operates primarily within the EU. However, some data may be transferred to the United States (via Google Firebase, OpenRouter, Anthropic) and other countries for:
- Cloud storage and backup (Supabase EU data centers preferred)
- Analytics and crash reporting (Google Firebase)
- AI processing for OCR and forecasting (OpenRouter / Anthropic)
For transfers outside the EU/EEA, we rely on:
- Standard Contractual Clauses (SCC): For transfers to US processors
- Adequacy Decisions: Where applicable (e.g., UK transfers)
- Binding Corporate Rules: For intra-company transfers
By using EnergyVision, you consent to these transfers. If you have concerns about international transfers, please contact us at hello@energyvision.app.
12. AI & Machine Learning
12.1 AI Vision (OCR)
We use AI to recognize meter values from photos. The process:
- On-device AI: First, we attempt recognition using on-device ML models (Apple Vision framework, Google ML Kit) with 100% data privacy
- Cloud AI fallback: If on-device confidence is below 85%, the photo is sent to Claude Sonnet (via OpenRouter) for verification. Only the photo is sent; no identifying information.
- Photo retention: Photos are stored locally on your device and in encrypted Supabase storage
12.2 AI Forecasting (Consumption Prediction)
We use historical meter readings and seasonal patterns to forecast future consumption. This analysis:
- Is performed locally in the app (no data sent to AI services)
- Uses only your own data (no aggregation with other users)
- Can be disabled in Settings if you prefer manual forecasting
12.3 Training & Model Improvement
We do NOT use your meter photos or personal data to train machine learning models without your explicit consent. Any future model training will require opt-in agreement.
13. GDPR-Specific Clauses
13.1 Data Processing Agreement (DPA)
If you are a business customer (B2B), we provide a Data Processing Agreement upon request. Contact hello@energyvision.app to request a DPA.
13.2 Lawful Basis & Necessity
All processing activities are based on lawful grounds (Article 6 GDPR) and are necessary for the legitimate purpose claimed.
13.3 Automated Decision-Making & Profiling
EnergyVision does NOT use automated decision-making to make final decisions about you (e.g., automated credit decisions, automated blocking). We provide recommendations (energy-saving tips), but final decisions are always human-driven.
13.4 Data Protection Impact Assessment (DPIA)
We have completed a DPIA for meter photo storage and AI processing. If you would like to review this assessment, contact hello@energyvision.app.
14. Other Regulations
14.1 CCPA / CPRA (California)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal data is collected
- Right to delete personal data
- Right to opt out of data sales (we do not sell data)
- Right to non-discrimination for exercising your rights
To exercise CCPA rights, contact hello@energyvision.app with "CCPA Request" in the subject line.
14.2 LGPD (Brazil)
If you are a Brazilian resident, we comply with the Lei Geral de Proteção de Dados (LGPD). You have rights similar to those under GDPR (access, deletion, portability).
14.3 PIPEDA (Canada)
If you are a Canadian resident, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
15. Contact & Requests
To exercise your privacy rights or ask questions about this policy:
Data Protection Officer / Privacy Contact:
Email: hello@energyvision.app
Company: BIT Technology s.r.o.
Country: Slovakia
Response time: Within 30 days for all requests
15.1 How to Submit Requests
Email hello@energyvision.app with:
- Your account email address
- Type of request (Access, Deletion, Portability, Rectification, Restriction, Objection)
- Relevant details (specific data if applicable)
- A copy of government ID (for identity verification)
15.2 Response Process
- We will acknowledge receipt within 5 business days
- We will fulfill the request within 30 days (extendable to 60-90 days for complex requests)
- We may request additional information to verify your identity
- We will notify you if we cannot fulfill the request and provide reasons
16. Policy Changes
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Updating this page with a new "Last updated" date
- Sending an email notification to your registered email address
- Posting a prominent notice in the app or on the website
Your continued use of EnergyVision after changes constitutes your acceptance of the updated Privacy Policy. If you disagree with changes, you may request account deletion.
17. Disclaimer
This Privacy Policy is a template for informational purposes. While we have endeavored to ensure compliance with GDPR, CCPA, LGPD, and other applicable regulations, this policy should be reviewed by a qualified legal professional to ensure it fully complies with your specific jurisdiction and business model. Laws and regulations are subject to change, and we recommend periodic review with legal counsel to maintain compliance. This policy does not constitute legal advice, and BIT Technology s.r.o. accepts no liability for inaccuracies or unintended omissions.
18. Quick Reference: Data Categories
| Data Type | Retention | Shared With | Purpose |
| --- | --- | --- | --- |
| Email & Password | Until deletion | Supabase only | Authentication |
| Meter Readings | 5 years | Supabase, OpenRouter (OCR) | Service, forecasting |
| Meter Photos | 5 years | Supabase, Claude (fallback) | OCR, audit trail |
| GPS Location | 5 years | Supabase only | Meter location tagging |
| Analytics Events | 2 years (Firebase) | Google, PostHog, Clarity | Usage analysis |
| Push Tokens | Until deletion | Firebase Cloud Messaging | Notifications |
| Email (Marketing) | Until unsubscribe | Brevo/Sendinblue | Marketing communication |