Privacy Policy

1.1 Information Provided Directly

When you register for an account, execute a contract, submit a support inquiry, or otherwise interact with the Service, we may collect the following categories of personal information:

• Identity and contact data: full name, email address, telephone number, mailing address, and job title;
• Organizational data: company or employer name, industry classification, and organizational role;
• Account credentials: usernames, passwords, and multi-factor authentication information;
• Communication data: records of correspondence, support tickets, feedback submissions, and survey responses;
• Transaction data: billing information, payment records, and purchase history (where applicable and processed through authorized third-party payment processors).

1.2 Operational, Building, and Energy System Data

In the course of delivering the Service, the Company may collect, ingest, process, and analyze operational data from systems authorized by the Customer. This data, referred to herein as “Customer Data,” may include without limitation:

• Utility consumption data: electricity, natural gas, water, steam, chilled water, and other commodity interval and billing data;
• Advanced metering infrastructure (AMI) and sub-metering data;
• Building management system (BMS/BAS) data, including HVAC, lighting, and control system telemetry;
• Equipment and end-use performance data, including runtime, setpoints, efficiency metrics, and fault codes;
• Environmental and indoor air quality sensor data, including temperature, humidity, CO2, and occupancy;
• Renewable energy and distributed energy resource (DER) generation and storage data;
• GHG emissions factors, scope data, and carbon accounting inputs;
• Demand response event data and curtailment records;
• Energy audit findings, retrofit measure documentation, and baseline characterization data;
• System configuration metadata, asset inventories, and facility profile information.

Customer Data remains the property of the Customer as further described in Section 7 of this Policy. The Company processes Customer Data solely for the purpose of delivering the Service and fulfilling its contractual obligations.

1.3 Automatically Collected Technical Information

When you access the Service via our website or platform, we may automatically collect the following categories of technical information through server logs, analytics tools, and similar mechanisms:

• Network identifiers: IP address and approximate geographic location derived therefrom;
• Device and browser information: device type, operating system, browser type and version, and screen resolution;
• Usage and interaction data: pages visited, features accessed, session duration, click-path data, and referral URLs;
• Access logs: timestamps of login events, API calls, and data queries;
• Platform performance metrics: error logs, latency data, and diagnostic information.

This technical information is used to operate, secure, and improve the Service and does not, standing alone, identify you as an individual.

1.4 Cookies and Similar Tracking Technologies

The Service may employ cookies, web beacons, pixel tags, local storage, and similar tracking technologies for the following purposes:

• Session management: maintaining authenticated login sessions and preserving user preferences;
• Analytics: measuring Service usage patterns, feature adoption, and performance in aggregate;
• Security: detecting fraudulent activity and unauthorized access attempts;
• Functionality: enabling platform features that require persistence of user state.

Users may control, limit, or disable cookies through browser settings or applicable device controls. Disabling certain cookies may impair Service functionality. Where required by applicable law, we will obtain your consent prior to placing non-essential cookies.

1.5 Information from Third-Party Sources

In limited circumstances, the Company may receive information about you or your organization from authorized third-party sources, including utility data aggregators, Green Button Connect platforms, energy data exchanges, and Customer-authorized integration partners. Such information is used solely in connection with the delivery of the Service and is subject to this Policy.

2.1 Service Delivery and Operations

• Providing, operating, and maintaining the Service, including M&V analytics, energy auditing support, load forecasting, decarbonization modeling, FDD, DSM/DR program analytics, and GHG emissions reporting;
• Processing and analyzing Customer Data to generate performance insights, savings quantification, baseline models, and compliance reports;
• Configuring and managing Customer accounts, integrations, and data pipelines;
• Performing engineering and advisory services as contracted.

2.2 Security, Integrity, and Compliance

• Detecting, investigating, and preventing unauthorized access, fraud, abuse, and security incidents;
• Maintaining audit logs and access records for security and compliance purposes;
• Complying with applicable legal obligations, judicial orders, and regulatory requirements.

2.3 Communications and Support

• Responding to inquiries, providing technical support, and facilitating customer success activities;
• Delivering service notifications, platform updates, maintenance advisories, and contractual communications;
• Sending marketing and product communications where permitted by applicable law and subject to opt-out rights.

2.4 Product Development and Improvement

• Analyzing usage patterns and Service performance to improve functionality, usability, and reliability;
• Developing, testing, and deploying new features, analytical models, and methodologies;
• Generating aggregated and de-identified benchmarking data and industry research, provided that such data cannot reasonably be used to identify any individual Customer or facility.

2.5 Legal and Business Purposes

• Enforcing our Terms of Service, contractual agreements, and legal rights;
• Protecting the safety, rights, and property of the Company, its customers, and third parties;
• Facilitating corporate transactions such as mergers, acquisitions, or asset sales, subject to appropriate confidentiality obligations.

4.1 General

The Company does not sell, rent, or trade personal information to third parties for their independent commercial purposes.

4.2 Service Providers

The Company may share information with vetted third-party service providers engaged to assist in the operation and delivery of the Service, including without limitation:

• Cloud infrastructure and data hosting providers;
• Data integration, ETL, and pipeline service providers;
• Utility data aggregators and Green Button Connect facilitators;
• Analytics, monitoring, and observability platforms;
• Customer relationship management (CRM) and support tools;
• Identity, authentication, and security service providers;
• Payment processors (for billing and subscription management).

All service providers are contractually obligated to: (a) process data only for authorized purposes; (b) implement appropriate technical and organizational security measures; and (c) not further disclose data without the Company's prior written authorization.

4.3 Legal Disclosures

The Company may disclose information to governmental authorities, regulators, or third parties when required by applicable law, subpoena, court order, or regulatory demand, or when the Company reasonably believes disclosure is necessary to: (a) comply with a legal obligation; (b) protect the safety or legal rights of the Company, its customers, or the public; or (c) prevent fraud, abuse, or illegal activity. Where permitted, the Company will provide reasonable prior notice to affected Customers.

4.4 Business Transfers

In connection with a merger, acquisition, reorganization, or sale of all or substantially all of the Company's assets, Customer Data and personal information may be transferred to the acquiring entity, subject to obligations of confidentiality and data protection no less protective than those set forth in this Policy.

4.5 Aggregated Data

The Company may share aggregated and fully de-identified data with third parties, including industry organizations, research bodies, and regulators, for benchmarking, research, and public interest purposes, provided such data cannot reasonably be used to identify any individual or Customer.

5.1 Security Measures

The Company implements a risk-based program of technical and organizational security measures designed to protect personal information and Customer Data against unauthorized access, disclosure, alteration, and destruction. Such measures include without limitation:

• Encryption of data in transit using industry-standard TLS protocols;
• Encryption of sensitive data at rest;
• Secure, access-controlled cloud infrastructure with network segmentation;
• Role-based access controls (RBAC) and principle of least privilege;
• Multi-factor authentication for administrative access;
• Continuous system monitoring, intrusion detection, and audit logging;
• Periodic security assessments, vulnerability scanning, and penetration testing;
• Employee security awareness training and access management policies.

5.2 No Absolute Security

While the Company employs commercially reasonable security safeguards, no method of electronic transmission or storage is completely secure. The Company cannot guarantee the absolute security of information and shall not be liable for security breaches that occur despite reasonable safeguards.

5.3 Incident Response

In the event of a confirmed security incident involving personal information, the Company will provide notification to affected Customers and, where required, to applicable regulatory authorities, in accordance with applicable data breach notification laws and any contractual obligations.

6.1 Retention Principles

The Company retains personal information and Customer Data only for as long as reasonably necessary to fulfill the purposes for which it was collected, including to:

• Provide and operate the Service for the duration of the applicable subscription term;
• Comply with applicable legal, regulatory, tax, and accounting obligations;
• Resolve disputes, enforce agreements, and exercise legal rights;
• Support audit, assurance, and verification activities required by applicable M&V protocols, energy program rules, or regulatory frameworks.

6.2 Post-Termination

Upon expiration or termination of a Customer's subscription, the Company will retain Customer Data for the period specified in the applicable contract or DPA. Upon request received within sixty (60) days of termination, the Company will provide Customer Data in a commercially standard format for export. Following the applicable retention period, Customer Data will be securely deleted or anonymized in accordance with the Company's data destruction procedures.

6.3 Anonymized Data

Aggregated and fully de-identified data derived from Customer Data may be retained indefinitely for product improvement, benchmarking, and research purposes, provided that such data cannot reasonably be used to identify any individual or Customer.

7.1 Ownership

As between the parties, Customers retain all right, title, and interest in and to Customer Data, as further provided in the Terms of Service. The Company acquires no ownership interest in Customer Data by virtue of this Policy or the provision of the Service.

7.2 Limited Processing License

The Customer grants the Company a limited, non-exclusive, royalty-free license to access, store, process, and analyze Customer Data solely to the extent necessary to: (a) deliver the Service; (b) fulfill contractual obligations; (c) comply with applicable law; and (d) generate aggregated, de-identified data in accordance with Section 4.5.

7.3 No Unauthorized Use

The Company shall not use Customer Data for any purpose not authorized by these Terms, this Policy, or applicable contractual agreements. In particular, the Company shall not: (a) sell or transfer Customer Data to third parties; (b) use Customer Data to develop competing products or services; or (c) use Customer Data for targeted advertising.

7.4 Data Processing Agreements

For Customers subject to applicable data protection laws (including the EU General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act (“CCPA”)), the Company will enter into a Data Processing Agreement (“DPA”) upon request, which shall govern the Company's role as data processor with respect to personal data contained within Customer Data.

8.1 Cross-Border Transfers

The Company's operations and infrastructure may involve the transfer, storage, and processing of data across national borders, including from the European Economic Area (“EEA”), United Kingdom, and other jurisdictions with data localization or transfer restrictions.

8.2 Transfer Safeguards

Where personal data is transferred to a jurisdiction that has not been recognized as providing an adequate level of data protection, the Company shall implement appropriate transfer safeguards, which may include:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Binding Corporate Rules (BCRs) or equivalent intra-group transfer mechanisms;
• Other legally recognized transfer mechanisms under applicable data protection law.

8.3 Data Residency

Customers with specific data residency requirements should contact the Company to discuss available configurations and any applicable contractual arrangements.

9.1 General Rights

Depending on your jurisdiction of residence and applicable law, you may have the following rights with respect to your personal information:

• Right of access: the right to request confirmation of whether we process your personal data and, if so, to obtain a copy thereof;
• Right to rectification: the right to request correction of inaccurate or incomplete personal data;
• Right to erasure: the right to request deletion of your personal data under certain circumstances;
• Right to restriction: the right to request that we restrict the processing of your personal data under certain circumstances;
• Right to data portability: the right to receive your personal data in a structured, commonly used, machine-readable format;
• Right to object: the right to object to processing based on legitimate interests or for direct marketing purposes;
• Right to withdraw consent: where processing is based on your consent, the right to withdraw such consent at any time without affecting the lawfulness of processing prior to withdrawal.

9.2 California Residents

California residents may have additional rights under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), including the right to know, delete, and opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising privacy rights.

9.3 How to Submit Requests

To exercise any of the rights described in this Section, please submit a written request using the contact information provided in Section 13. We will respond to verifiable requests within the timeframe required by applicable law (generally thirty (30) to forty-five (45) days, with extensions where permitted). We may require verification of identity before processing requests.