Privacy Policy
Last updated: 2026-04-16 · effective immediately
OwlWatt (the "Service") is built around a simple promise: we collect
only what we need to monitor your solar system, we never sell your data,
and we never train AI models on it.
This policy explains how we collect, use, share, and protect personal
information about you, and your rights under the European General Data
Protection Regulation (GDPR), the UK GDPR, the California Consumer
Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and
comparable U.S. state laws.
1. Who we are
OwlWatt is operated by its founder as a sole proprietorship in
Massachusetts, USA. For purposes of GDPR, we are the data "controller"
for personal information we collect from you. For purposes of CCPA, we
are a "business" and, where we act on our customers' behalf, a "service
provider." OwlWatt does not currently have an EU or UK representative
under GDPR Article 27; customers in the EU/UK with questions can contact
us directly at the address in Section 15.
2. What we collect and from where
Categories of information
- Account information: email, optional display name, timezone,
a salted one-way password hash (your plaintext password is never
stored), and your two-factor authentication secret (encrypted at
rest).
- Solar telemetry: production, consumption, and grid-flow watts
polled from your local Enphase Envoy or SolarEdge gateway every 5
seconds, plus per-microinverter snapshots every 5 minutes.
- System metadata: installer name, hardware specifications,
grid provider, SREC enrollment, contract PDFs, and utility bills
that you upload.
- Vendor credentials you provide (e.g., Enphase Enlighten email
+ password used to mint the JWT your collector needs to read your
local Envoy): stored encrypted at rest using AES-256-GCM with a
per-customer key wrapped under a master key held only in our cloud
secret store; decrypted only inside the short-lived JWT mint
operation against the vendor's authentication service; never logged,
never shared, and purged immediately when you disconnect the vendor
connection in Settings → Solar System.
- Device telemetry: health metrics from your OwlWatt collector
device (CPU temperature, disk usage, software version, LAN IP,
hostname) so we can keep it healthy.
- Support information: messages, attachments, and metadata
from support tickets and feature requests you submit.
- Usage information: web-server logs with IP address,
user-agent, timestamps, and pages accessed, kept for up to 90 days
for security and debugging.
Sources
- Directly from you — account signup, settings, support
tickets, contract and bill uploads, preference choices.
- From your OwlWatt collector — device identity, telemetry,
LAN IP, health.
- From your solar gateway — production, consumption, and
per-inverter metrics read locally by the collector.
- From web requests — IP address, browser metadata, approximate
country (provided by our CDN).
3. How we use it and why we are allowed to
We process personal information only for the purposes below, and only
where we have a lawful basis to do so under GDPR Article 6. Under CCPA,
these are the business purposes for which personal information is
collected.
- Deliver the Service — show your dashboard, history, and
audit-style reports; detect underperforming panels, billing
anomalies, and offline devices. Lawful basis: performance of a
contract.
- Generate AI insights using Anthropic's Claude commercial
API. Anthropic's commercial API terms prohibit using your data to
train their models. We send anonymized summaries only — never raw
bills or contracts — unless you explicitly request a contract
analysis. Lawful basis: performance of a contract; consent for
contract analysis.
- Keep your collector device healthy — diagnostics, over-the-air
software updates, offline detection. Lawful basis: performance of
a contract; legitimate interest in a reliable service.
- Communicate with you — account notifications, service
alerts, and support replies. Lawful basis: performance of a
contract for transactional mail; consent for any marketing.
- Secure the Service and prevent abuse — rate limiting,
intrusion detection, fraud prevention. Lawful basis: legitimate
interest in a secure service; compliance with legal obligations.
- Comply with law — respond to lawful requests from courts,
regulators, and law enforcement. Lawful basis: legal obligation.
4. What we do not do with it
- We don't sell your personal information to anyone.
- We don't share your personal information with your installer,
utility, or any third party for their own marketing or advertising
without your explicit consent.
- We don't train AI models on your data, and neither does Anthropic —
their commercial API terms prohibit it.
- We don't use your data for cross-context behavioral advertising.
- We don't collect special categories of data (health, biometrics,
religion, etc.).
5. Do Not Sell or Share My Personal Information
We do not sell or share your personal information, for any
purpose, to anyone. There is nothing for you to opt out of here,
because the default is already off. We do not participate in any
cross-context behavioral advertising programs. If that ever changes,
we will update this section at least 30 days before any such activity
begins and provide a working opt-out mechanism. We honor Global
Privacy Control (GPC) signals from your browser as an expression of
opt-out preference.
6. Who we share it with (Subprocessors)
We engage the following third-party service providers to operate the
Service. We will post updates to this list at least 30 days before
adding a new subprocessor so customers have time to object.
| Provider |
Location |
Service |
Data categories |
Reference |
| Fly.io |
USA (Newark, NJ) |
Application hosting |
All customer data in transit through the app tier; no long-term storage |
Privacy / DPA |
| Neon |
USA (AWS us-east-1, N. Virginia) |
Postgres database |
Account, telemetry, devices, contracts, support tickets, consent log |
Privacy / DPA |
| Cloudflare |
Global edge (HQ USA) |
DNS, CDN, DDoS protection, WAF |
HTTP request metadata (IP, user-agent, timestamps); TLS-terminated page contents |
Privacy / DPA |
| Resend |
USA |
Transactional email delivery |
Email address, message body, delivery metadata |
Privacy / DPA |
| Anthropic |
USA (commercial API) |
AI-generated dashboard insights, and contract analysis when you opt in |
Anonymized telemetry summaries; contract text only when you opt in. Anthropic's commercial terms prohibit training on your data. |
Privacy / Terms |
7. International data transfers
All current subprocessors process personal data in the United States.
If you access the Service from the EU, UK, Switzerland, or another
jurisdiction that restricts cross-border transfers, your data will be
transferred to and processed in the United States.
Transfers from the EU/UK/Switzerland to the United States are covered
by Standard Contractual Clauses (SCCs) incorporated into each
subprocessor's DPA linked above, and — where applicable and active — by
the EU–U.S. Data Privacy Framework (DPF), UK Extension, and
Swiss–U.S. Data Privacy Framework.
8. How long we keep it
- Raw 5-second telemetry: retained for 13 months so we can
provide accurate year-over-year comparisons, billing anomaly
detection, and audit-ready reports for installer claims.
- Aggregated daily/monthly telemetry: retained indefinitely
while your account is active, for historical trends.
- Account information: retained for as long as your account
is active. On request, your account is soft-deleted immediately and
hard-deleted after a 30-day grace period.
- Contracts, bills, and support tickets: retained for as long
as your account is active, plus 2 years for dispute-resolution
purposes, then deleted.
- Web-server logs and IP addresses: retained for up to 90 days
for security, debugging, and abuse prevention.
- Encrypted database backups: may persist up to 90 days after
account deletion before rolling off.
To erase all your data entirely, use Account Deletion in Settings
→ Privacy.
9. Cookies and similar technologies
OwlWatt uses only strictly necessary cookies. Specifically:
- Session cookie (
owlwatt_session): a signed JWT
that keeps you logged in. HttpOnly, Secure, SameSite=Lax. Expires
with your session.
We do not use analytics cookies, advertising cookies, tracking
pixels, or third-party marketing tags. Because these cookies are
strictly necessary for the Service to function (you couldn't stay
logged in without them), they are exempt from consent requirements
under the EU ePrivacy Directive and equivalent laws. We will add a
consent banner if we ever introduce non-essential cookies.
10. How we protect it
- All connections to OwlWatt are TLS-encrypted (HTTPS).
- Passwords are salted and hashed with a one-way key-derivation
function; your plaintext password is never stored or logged.
- Two-factor-authentication secrets are encrypted at rest.
- Vendor credentials you provide (e.g., Enphase Enlighten email +
password) are envelope-encrypted at rest under a per-customer
AES-256-GCM key whose wrapping key lives only in our cloud secret
store; the plaintext exists only inside short-lived JWT mint
operations against the vendor's authentication service.
- Database backups and off-site copies are encrypted.
- Access to production systems is limited to the founder and
protected by strong authentication and audit logging.
- We maintain internal records of processing activities (RoPA) and
review our subprocessor list on a rolling basis.
No system is perfectly secure. If we ever experience a personal-data
breach that is likely to result in a risk to your rights and freedoms,
we will notify affected customers without undue delay and, where
required, notify the relevant supervisory authority within 72 hours.
11. Your rights
You have the following rights over your personal information. To
exercise any of them, email [email protected]
or use the self-service options in Settings → Privacy where
indicated. We will respond within 30 days (GDPR) or 45 days (CCPA);
free of charge in the vast majority of cases.
Rights available to everyone
- Access: download all of your data as a ZIP (Settings →
Privacy → Export my data).
- Correction: edit your profile, system information, and
preferences in Settings; email us for anything you can't self-serve.
- Deletion: request account deletion from Settings →
Privacy; 30-day grace period, then hard-deleted.
Additional rights under GDPR / UK GDPR
- Restriction: ask us to restrict processing while a dispute
is pending.
- Objection: object to processing based on legitimate interest
or direct marketing.
- Portability: receive your data in a structured,
machine-readable format (the ZIP export satisfies this).
- Withdraw consent: where processing is based on consent
(e.g., marketing emails, contract analysis), withdraw at any time
without affecting the lawfulness of processing done before withdrawal.
- Not be subject to solely automated decision-making that
produces legal or similarly significant effects. We don't do this
today; if we ever introduce such processing, we will notify you and
provide an opt-out.
Additional rights under CCPA / CPRA
- Right to know what categories and specific pieces of
personal information we have collected, used, disclosed, or shared
about you in the past 12 months — see Sections 2, 3, and 6.
- Right to delete — see the Deletion right above.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or
share, so there's nothing to opt out of. See Section 5.
- Right to limit use of sensitive personal information — we do
not collect sensitive PI as defined by CPRA.
- Right to non-discrimination — we will not charge you more,
provide degraded service, or penalize you in any way for exercising
any of these rights.
- Authorized agents: you may designate an authorized agent
to make requests on your behalf; we will verify the agent's authority
and your identity before acting.
We may need to verify your identity before fulfilling certain
requests; we will match information you provide against your account
record and may ask for additional verification for sensitive requests.
12. Complaints and supervisory authorities
If you believe we have mishandled your personal information, we
would like the chance to fix it — please contact us first at
[email protected]. You also
have the right to lodge a complaint with a supervisory authority:
- EU residents — your local Data Protection Authority.
A directory is available at edpb.europa.eu.
- UK residents — the Information Commissioner's Office at
ico.org.uk.
- California residents — the California Privacy Protection
Agency at cppa.ca.gov,
and the California Attorney General.
- Other U.S. states with comprehensive privacy laws
(Virginia, Colorado, Connecticut, Utah, and others) — your state
Attorney General.
13. Children's privacy
The Service is intended for homeowners and is not directed to
children under 16. We do not knowingly collect personal information
from anyone under 16. If you believe a child under 16 has provided us
personal information, please contact
[email protected] and we will
delete it.
14. Changes to this policy
We will update this policy from time to time as the Service evolves
or as the law requires. When we make material changes — adding a new
subprocessor, changing retention periods, adding new categories of
data, or expanding our use of your data — we will notify you at least
30 days in advance by email and by posting a prominent notice on the
Service. We also update the "Last updated" date at the top of this
page on any change.
Questions, requests, or concerns about this policy or how we handle
your personal information?
- Email: [email protected]
- Mail: OwlWatt, c/o Olivier Beauchemin, Massachusetts, USA
(full mailing address provided on request)
If you are an EU or UK data subject and would like to exercise
rights that require us to engage additional formalities (for example, a
subject access request through an authorized agent), please state that
in your email and we will respond accordingly.