Solar Tracking Efficiency

Privacy Policy

Last updated: 2026-05-18

This policy explains how we collect, use, store, and protect your personal data when you use this application. It is written to comply with the EU General Data Protection Regulation (GDPR) and the Brazilian Lei Geral de Proteção de Dados (LGPD).

1. Data controller

The data controller responsible for your personal data is Solar Tracking Efficiency. For any privacy-related question, contact us at [email protected].

2. What data we collect

We only collect the information you provide directly:

  • Account data: name and email address you provide at registration.
  • Solar system data: the name you give to your installation, its location (typically city/state, at the precision you choose to enter), system size (kWp), and equipment specifications (panel count, panel wattage, inverter capacity, battery capacity, installation date).
  • Monthly readings: energy generated, consumed, and exported per month, plus any monthly projections you configure.
  • Optional profile picture: an avatar image, if you choose to upload one.
  • Technical data: minimal session and CSRF cookies required for authentication; standard server access logs (IP address, request timestamps) kept short-term for security and abuse prevention.

We do not collect special-category data (health, biometrics, political opinions, etc.). For visitor measurement we use a privacy-respecting, self-hosted analytics service (Umami) — see Section 10 for details. We do not use third-party advertising trackers.

3. Why we use your data (purposes and legal basis)

  • Provide the service (display your dashboards, store your readings, authenticate you) — legal basis: performance of a contract (GDPR Art. 6(1)(b); LGPD Art. 7, V).
  • Keep the service secure (rate limiting, abuse detection, audit logs) — legal basis: legitimate interest (GDPR Art. 6(1)(f); LGPD Art. 7, IX).
  • Comply with legal obligations when applicable — legal basis: legal obligation (GDPR Art. 6(1)(c); LGPD Art. 7, II).
  • Public sharing of your dashboard — only when you explicitly generate a public link. The shared payload is sanitized and excludes your name, email, location, and any other personal identifier. Legal basis: your consent (GDPR Art. 6(1)(a); LGPD Art. 7, I), which you can withdraw at any time by revoking the link.

4. Public sharing — what others can see

When you create a public share link for one of your solar systems, only technical and production data is exposed: system size (kWp), panel count and wattage, inverter and battery capacity, monthly projections, and your monthly readings. Your name, email, location, system name, installation date, and any other personal identifier are never included in the public payload. You can revoke or rotate the link at any time from the system's edit page; once revoked, the URL stops working immediately.

5. How long we keep your data

  • Account and solar system data: kept for as long as your account is active.
  • After account deletion: your account, solar systems, readings, and avatar are deleted from the live database. Encrypted backups, if any, are rotated out within 30 days.
  • Server access logs: typically retained for up to 30 days for security purposes.

6. Security

We protect your data with industry-standard controls:

  • All traffic between your browser and our servers is encrypted in transit using HTTPS/TLS.
  • Passwords are stored as one-way hashes (bcrypt) — they are never stored in plain text and cannot be recovered, only reset.
  • Database storage volumes and backups use encryption at rest where supported by our hosting provider.
  • Access to production data is restricted to authorized personnel and authenticated systems only.
  • Cross-site request forgery (CSRF) protection is enforced on all state-changing requests.

7. Your rights

Under the GDPR (Art. 15–22) and LGPD (Art. 18), you have the right to:

  • Access the personal data we hold about you and obtain a copy.
  • Rectify inaccurate or incomplete data — most data can be edited directly in your profile and system pages.
  • Erase your data ("right to be forgotten") by deleting your account.
  • Restrict or object to certain processing activities.
  • Port your data to another service in a structured, commonly used format.
  • Withdraw consent at any time (e.g. by revoking a public share link); withdrawal does not affect prior lawful processing.
  • Lodge a complaint with a supervisory authority — in the EU, your national Data Protection Authority; in Brazil, the ANPD.

To exercise any of these rights, contact us at [email protected]. We aim to respond within 30 days (GDPR) or 15 days (LGPD).

8. Sharing with third parties

We do not sell your personal data. We do not share your personal data with third parties except for trusted infrastructure providers (hosting, database, email delivery) acting as data processors under written agreements that require them to protect your data and use it only on our instructions.

9. International transfers

Where data is transferred outside your country of residence (for example, to a hosting region in another jurisdiction), we rely on safeguards permitted by GDPR and LGPD, such as Standard Contractual Clauses (SCCs) or equivalent legal mechanisms.

10. Cookies and analytics

We use only the minimal cookies required for the application to function:

  • Session cookie — keeps you signed in.
  • CSRF token cookie — protects against cross-site request forgery.

We do not use advertising or third-party tracking cookies. Because these cookies are strictly necessary for the service, no consent banner is shown for them (consistent with GDPR ePrivacy guidance and LGPD Art. 7, IX).

For visitor measurement we run a self-hosted instance of Umami on a domain we operate. Umami is a privacy-respecting analytics tool that:

  • Does not set any cookies in your browser.
  • Does not store your IP address — it is one-way hashed and discarded.
  • Does not use cross-site fingerprinting or any persistent identifier.
  • Collects only aggregate, anonymous data: page URL, referrer, screen size, browser type, country (derived from the hashed IP and discarded after lookup).
  • Stores all data on infrastructure we operate — no third party receives it.

Legal basis: legitimate interest (GDPR Art. 6(1)(f); LGPD Art. 7, IX) — measuring aggregate site usage to improve the service. Because no personal data and no cookies are involved, no consent banner is required (consistent with EDPB and ANPD guidance on anonymous analytics). You can opt out at any time by enabling Do Not Track in your browser, which Umami honors.

11. Children

This service is not directed at children under 16 (or the equivalent age of digital consent in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.

12. Changes to this policy

We may update this policy to reflect changes in our service or legal requirements. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated to active users by email or in-app notice.

13. Contact

Questions or concerns? Contact our privacy team at [email protected].