Privacy Policy
Last updated: June 2025
GBICT Energy · Almere, Netherlands · info@gbict.nl
1. Who we are
GBICT Energy B.V. (“GBICT Energy”, “we”, “us”) is a Dutch company registered in Almere, Netherlands. We operate the GBICT Energy platform — a SaaS service for home battery optimization and virtual power plant (VPP) participation.
This Privacy Policy explains how we collect, use, store, and protect personal data when you use our website, platform, or API. We act as the data controller under the General Data Protection Regulation (GDPR).
Contact: info@gbict.nl · GBICT Energy B.V., W. Dreesweg 14, 1314CL Almere, Netherlands
2. Data we collect
We collect the following categories of personal data:
- Account data: name, email address, and encrypted password when you register an account. If you use OAuth (Google), we receive your name and email from that provider.
- Device data: battery brand and model, current state of charge, capacity, charge/discharge cycles, inverter configuration, and energy usage history from connected devices (e.g. Sessy, Victron, SolarEdge).
- Energy contract data: dynamic tariff data retrieved via the Tibber API, including your energy prices and consumption data as permitted by your Tibber authorization.
- Usage analytics: pages visited, features used, button clicks, and session duration. This data is collected in aggregated, pseudonymous form and is used solely to improve the product.
- Technical data: IP address, browser type and version, operating system, screen resolution, referring URL, and time zone. This is automatically logged when you use the service.
- Support communications: emails, tickets, or chat messages you send to our support team.
3. Why we process your data (legal bases)
We process your personal data on the following legal bases under GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)): to deliver the optimization service, authenticate your account, process payments, and provide customer support.
- Legitimate interests (Art. 6(1)(f)): to improve our product through anonymized analytics, detect fraud, and ensure platform security.
- Consent (Art. 6(1)(a)): for non-essential cookies and marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): to comply with Dutch and EU law, including tax and financial reporting requirements.
4. Third-party processors
We share data only with trusted processors who are contractually bound to protect it under a Data Processing Agreement (DPA):
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database storage and user authentication | EU (Frankfurt, Germany) |
| Vercel | Web hosting and edge functions | EU (Almere, Netherlands) |
| Tibber API | Real-time energy price and consumption data | EU (Norway/Germany) |
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
5. Cookies
We use the following cookies:
| Cookie | Purpose | Duration | Required |
|---|---|---|---|
| sb-session | Authentication session (Supabase) | Session | Yes |
| GBICT_LOCALE | Stores your language preference | 1 year | No |
| _gbict_anon | Anonymized usage analytics | 1 year | No |
You can manage cookie preferences in your browser settings or via the cookie banner shown on your first visit. Disabling non-essential cookies does not affect platform functionality.
6. Data retention
We retain your personal data only as long as necessary:
- Active account: all data is retained for the duration of your subscription.
- After account deletion: account data and device data are permanently deleted within 30 days of account closure, unless we are required to retain them by law.
- Support communications: retained for 2 years to ensure continuity of service and dispute resolution.
- Financial records: retained for 7 years as required by Dutch tax law (Belastingwetgeving).
- Analytics data: aggregated and anonymized; not subject to deletion requests as it cannot be linked to an individual.
7. Your rights under GDPR
Under GDPR Articles 15–21, you have the following rights regarding your personal data:
- Right of access (Art. 15): you may request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): you may ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17): you may request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
- Right to data portability (Art. 20): you may request your data in a machine-readable format (JSON or CSV) to transfer to another service.
- Right to object (Art. 21): you may object to processing based on legitimate interests, including for direct marketing.
- Right to restrict processing (Art. 18): you may request that we limit how we use your data in certain circumstances.
To exercise any of these rights, email info@gbict.nl. We will respond within 30 days as required by GDPR.
8. Data protection authority
We are subject to the jurisdiction of the Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority, which is a member of the European Data Protection Board (EDPB).
If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the AP at autoriteitpersoonsgegevens.nl.
9. Security
We implement industry-standard security measures to protect your data, including TLS encryption in transit, AES-256 encryption at rest (via Supabase), row-level security policies, and regular security audits. Access to personal data is restricted to authorized employees and contractors on a need-to-know basis.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you by email and display a notice in the dashboard at least 14 days before any material changes take effect. Continued use of the service after that date constitutes acceptance of the updated policy.
Questions about this policy? Email us at info@gbict.nl. We are always happy to explain how and why we process your data.