UK GDPR PRIVACY NOTICE

Privacy Policy

This notice explains what personal data 1app.energy collects, why we use it, who helps us process it, and how you can exercise your privacy rights.

1. Who We Are

1app.energy is a trading name of 1App Energy Ltd. For UK GDPR purposes, 1App Energy Ltd is the controller for account, customer, connected-device and service-usage data processed through the 1app.energy website and application.

1App Energy Ltd

Registered office: 71-75, Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Company registration number: 17062482

Privacy contact: privacy@1app.energy

2. The Data We Collect

We collect the data needed to run the service, connect supported devices, provide support, protect accounts, and improve reliability. In accordance with UK GDPR data minimisation principles, we only collect personal data that is adequate, relevant, and limited to what is necessary for these purposes.

  • Account data: email address, authentication identifiers, account status, selected home or installation, role and support-access settings.
  • Home and device setup data: installation name, timezone, device selections, inverter or charger details, tariff settings, topology settings, and customer-entered setup notes.
  • Device credentials: API keys, OAuth tokens or similar connection details for supported providers. Credentials are encrypted with AES-256 before storage and are used to read data, perform actions you have enabled, or automatically refresh expired access tokens.
  • Energy and control data: solar, battery, EV, grid, tariff, alert, optimiser, control-command and support diagnostic data generated by connected devices and by 1app.energy.
  • Billing data: subscription status, payment metadata and billing records. We use Stripe for payment processing and do not store full card numbers.
  • Usage and security data: IP address, device and browser information, pages visited, login and session events, operational logs, consent choices, rate-limit events and security/audit records.

3. Cookies, Storage and Analytics

We use essential cookies and browser storage for authentication, security, consent preferences, dashboard operation and service reliability. These are needed for the service to work.

Optional analytics tools only run after you give analytics consent. These tools may include Google Analytics, PostHog and Microsoft Clarity. They help us understand product usage, fix friction in signup and onboarding, and improve the service. We do not currently load personalised advertising pixels.

The app also records limited first-party operational activity, such as whether a signed-in installation opened the app on a given day. This supports customer support, reliability monitoring and engagement reporting. It is not third-party advertising tracking.

4. Why We Use Data

We use personal data under the following UK GDPR lawful bases:

  • Contract: to create your account, connect supported devices, show dashboard data, provide history and reports, run enabled controls, process billing, and provide support.
  • Legitimate interests: to secure accounts, prevent abuse, debug service issues, monitor reliability, improve algorithms, keep audit logs, and understand product performance where those interests are not overridden by your rights.
  • Consent: for optional analytics, optional support access, optional communications, and any optional feature where the product asks for permission.
  • Legal obligation: to keep required accounting, tax, company, security and compliance records.

5. Processors and Third Parties

We do not sell your personal data. We use third parties only where needed to provide, secure, analyse or bill for the service.

  • Hosting and database: Supabase for database and authentication, Railway for backend API, worker and Redis services, and Vercel for the public frontend and CDN.
  • Payments: Stripe for checkout, subscription and customer-portal processing when paid access is enabled.
  • Analytics: Google Analytics, PostHog and Microsoft Clarity, only after analytics consent and subject to the production-host restrictions in the app.
  • Connected providers: provider platforms you choose to connect, such as SolisCloud, LuxPowerTek, myenergi, Ohme, Hypervolt, Octopus Energy, Daikin or other supported providers.
  • Operational tooling: error monitoring, email, support or security tools where configured for service delivery and incident response.

6. Automated Controls

Customer-enabled optimisation

Where supported and enabled by you, 1app.energy may use automated rules to schedule battery, EV or tariff-aware actions. These controls do not constitute solely automated decisions producing legal or similarly significant effects under UK GDPR Article 22. They do not make legal, credit, employment or similar decisions about you. You can disable supported controls, adjust settings, revoke provider access, or ask support to review a control outcome at any time.

7. Security

We use TLS for data in transit, role-based access, operational audit logs, secret redaction, rate limiting and production deployment controls to protect your data. No internet service can be made risk-free, so we keep security controls under review as the product changes.

For detailed information on how we protect your information, including our industry-standard AES-256 credential encryption, infrastructure security, and incident response procedures, please review our comprehensive Data Security Policy.

8. Retention

We keep personal data for as long as needed for the purpose it was collected, including service delivery, support, security, billing, legal obligations and dispute handling.

  • Active accounts: account, setup, telemetry, history and control data are retained while needed to provide dashboard history, reports, support and optimisation.
  • Deleted devices or accounts: active credentials are removed or disabled when a device or account deletion is processed. Some logs, backups and records may remain for a limited period where required for security, legal or operational reasons.
  • Billing and tax records: limited billing records may be retained for up to 6 years where required for UK tax and accounting purposes.

9. Hosting and International Transfers

Not a UK-only hosting claim

1app.energy is UK designed, but the service uses cloud providers. The public frontend may be served through global edge/CDN infrastructure. The backend and database are hosted with cloud providers in European regions based on the latest production evidence available to us.

Some providers, analytics tools, payment processors, support tools or connected-device platforms may process data outside the UK or EEA. Where this happens, we rely on appropriate safeguards such as adequacy regulations, standard contractual clauses, data-processing terms or equivalent transfer mechanisms required by data-protection law.

10. Your Rights

Subject to legal limits, you may have the right to request access, correction, erasure, restriction, portability, objection to processing, and withdrawal of consent where processing is based on consent.

To exercise a privacy right, email privacy@1app.energy. We may need to verify your identity before acting on a request.

11. Account and Device Deletion

Revoking access

You can revoke provider access by removing a connected device, deleting your account where available, or regenerating API keys in the relevant manufacturer or supplier app.

Deletion requests are processed against active service systems. We may retain limited records where needed for fraud prevention, security, tax, accounting, legal claims, backup integrity or mandatory compliance.

12. Children's Data

1app.energy is not intended for children or for users under 18. We do not knowingly collect personal data from children.

13. Links to Other Websites

The service may link to third-party websites or provider portals. Those sites are controlled by their own operators and have their own privacy notices. Review those notices before submitting data to them.

14. Policy Updates

We may update this Privacy Policy from time to time. Material changes will be communicated through the service, by email, or by another appropriate method.

15. Contact and Regulator

For privacy concerns, contact privacy@1app.energy.

You also have the right to lodge a complaint with the UK Information Commissioner's Office: ico.org.uk/make-a-complaint