Privacy Policy
OwlWatt (the "Service") is built around a simple promise: we collect only what we need to monitor your solar system, we never sell your data, and we never train AI models on it.
This policy explains how we collect, use, share, and protect personal information about you, and your rights under the European General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and comparable U.S. state laws.
- 1. Who we are
- 2. What we collect and from where
- 3. How we use it and why we are allowed to
- 4. What we do not do with it
- 5. Do Not Sell or Share My Personal Information
- 6. Who we share it with (Subprocessors)
- 7. International data transfers
- 8. How long we keep it
- 9. Cookies and similar technologies
- 10. How we protect it
- 11. Your rights
- 12. Complaints and supervisory authorities
- 13. Children's privacy
- 14. Changes to this policy
- 15. Contact
1. Who we are
OwlWatt is operated by its founder as a sole proprietorship in Massachusetts, USA. For purposes of GDPR, we are the data "controller" for personal information we collect from you. For purposes of CCPA, we are a "business" and, where we act on our customers' behalf, a "service provider." OwlWatt does not currently have an EU or UK representative under GDPR Article 27; customers in the EU/UK with questions can contact us directly at the address in Section 15.
2. What we collect and from where
Categories of information
- Account information: email, optional display name, timezone, a salted one-way password hash (your plaintext password is never stored), and your two-factor authentication secret (encrypted at rest).
- Solar telemetry: production, consumption, and grid-flow watts polled from your local Enphase Envoy gateway every 5 seconds, plus per-microinverter snapshots every 5 minutes.
- System metadata: installer name, hardware specifications, grid provider, SREC enrollment, contract PDFs, and utility bills that you upload.
- Vendor credentials you provide (e.g., Enphase Enlighten email + password used to mint the JWT your collector needs to read your local Envoy): stored encrypted at rest using AES-256-GCM with a per-customer key wrapped under a master key held only in our cloud secret store; decrypted only inside the short-lived JWT mint operation against the vendor's authentication service; never logged, never shared, and purged immediately when you disconnect the vendor connection in Settings → Solar System.
- Device telemetry: health metrics from your OwlWatt collector device (CPU temperature, disk usage, software version, LAN IP, hostname) so we can keep it healthy.
- Support information: messages, attachments, and metadata from support tickets and feature requests you submit.
- Usage information: web-server logs with IP address, user-agent, timestamps, and pages accessed, kept for up to 90 days for security and debugging.
Sources
- Directly from you — account signup, settings, support tickets, contract and bill uploads, preference choices.
- From your OwlWatt collector — device identity, telemetry, LAN IP, health.
- From your solar gateway — production, consumption, and per-inverter metrics read locally by the collector.
- From web requests — IP address, browser metadata, approximate country (provided by our CDN).
3. How we use it and why we are allowed to
We process personal information only for the purposes below, and only where we have a lawful basis to do so under GDPR Article 6. Under CCPA, these are the business purposes for which personal information is collected.
- Deliver the Service — show your dashboard, history, and audit-style reports; detect underperforming panels, billing anomalies, and offline devices. Lawful basis: performance of a contract.
- Generate AI insights using Anthropic's Claude commercial API. Anthropic's commercial API terms prohibit using your data to train their models. We send anonymized summaries only — never raw bills or contracts — unless you explicitly request a contract analysis. Lawful basis: performance of a contract; consent for contract analysis.
- Keep your collector device healthy — diagnostics, over-the-air software updates, offline detection. Lawful basis: performance of a contract; legitimate interest in a reliable service.
- Communicate with you — account notifications, service alerts, and support replies. Lawful basis: performance of a contract for transactional mail; consent for any marketing.
- Secure the Service and prevent abuse — rate limiting, intrusion detection, fraud prevention. Lawful basis: legitimate interest in a secure service; compliance with legal obligations.
- Comply with law — respond to lawful requests from courts, regulators, and law enforcement. Lawful basis: legal obligation.
4. What we do not do with it
- We don't sell your personal information to anyone.
- We don't share your personal information with your installer, utility, or any third party for their own marketing or advertising without your explicit consent.
- We don't train AI models on your data, and neither does Anthropic — their commercial API terms prohibit it.
- We don't use your data for cross-context behavioral advertising.
- We don't collect special categories of data (health, biometrics, religion, etc.).
5. Do Not Sell or Share My Personal Information
6. Who we share it with (Subprocessors)
We engage the following third-party service providers to operate the Service. We will post updates to this list at least 30 days before adding a new subprocessor so customers have time to object.
| Provider | Location | Service | Data categories | Reference |
|---|---|---|---|---|
| Fly.io | USA (Newark, NJ) | Application hosting | All customer data in transit through the app tier; no long-term storage | Privacy / DPA |
| Neon | USA (AWS us-east-1, N. Virginia) | Postgres database | Account, telemetry, devices, contracts, support tickets, consent log | Privacy / DPA |
| Cloudflare | Global edge (HQ USA) | DNS, CDN, DDoS protection, WAF | HTTP request metadata (IP, user-agent, timestamps); TLS-terminated page contents | Privacy / DPA |
| Resend | USA | Transactional email delivery | Email address, message body, delivery metadata | Privacy / DPA |
| Anthropic | USA (commercial API) | AI-generated dashboard insights, and contract analysis when you opt in | Anonymized telemetry summaries; contract text only when you opt in. Anthropic's commercial terms prohibit training on your data. | Privacy / Terms |
7. International data transfers
All current subprocessors process personal data in the United States. If you access the Service from the EU, UK, Switzerland, or another jurisdiction that restricts cross-border transfers, your data will be transferred to and processed in the United States.
Transfers from the EU/UK/Switzerland to the United States are covered by Standard Contractual Clauses (SCCs) incorporated into each subprocessor's DPA linked above, and — where applicable and active — by the EU–U.S. Data Privacy Framework (DPF), UK Extension, and Swiss–U.S. Data Privacy Framework.
8. How long we keep it
- Raw 5-second telemetry: retained for 13 months so we can provide accurate year-over-year comparisons, billing anomaly detection, and audit-ready reports for installer claims.
- Aggregated daily/monthly telemetry: retained indefinitely while your account is active, for historical trends.
- Account information: retained for as long as your account is active. On request, your account is soft-deleted immediately and hard-deleted after a 30-day grace period.
- Contracts, bills, and support tickets: retained for as long as your account is active, plus 2 years for dispute-resolution purposes, then deleted.
- Web-server logs and IP addresses: retained for up to 90 days for security, debugging, and abuse prevention.
- Encrypted database backups: may persist up to 90 days after account deletion before rolling off.
To erase all your data entirely, use Account Deletion in Settings → Privacy.
9. Cookies and similar technologies
OwlWatt uses only strictly necessary cookies. Specifically:
- Session cookie (owlwatt_session): a signed JWT that keeps you logged in. HttpOnly, Secure, SameSite=Lax. Expires with your session.
We do not use analytics cookies, advertising cookies, tracking pixels, or third-party marketing tags. Because these cookies are strictly necessary for the Service to function (you couldn't stay logged in without them), they are exempt from consent requirements under the EU ePrivacy Directive and equivalent laws. We will add a consent banner if we ever introduce non-essential cookies.
10. How we protect it
- All connections to OwlWatt are TLS-encrypted (HTTPS).
- Passwords are salted and hashed with a one-way key-derivation function; your plaintext password is never stored or logged.
- Two-factor-authentication secrets are encrypted at rest.
- Vendor credentials you provide (e.g., Enphase Enlighten email + password) and vendor OAuth tokens (Enphase v4 access & refresh tokens) are envelope-encrypted at rest under a per-customer AES-256-GCM key whose wrapping key lives only in our cloud secret store; the plaintext exists only inside short-lived JWT mint or OAuth-refresh operations against the vendor's authentication service. The encrypted envelope is the sole source of truth — we do not retain plaintext copies.
- Database backups and off-site copies are encrypted.
- Access to production systems is limited to the founder and protected by strong authentication and audit logging.
- We maintain internal records of processing activities (RoPA) and review our subprocessor list on a rolling basis.
- OwlWatt maintains an internal Written Information Security Program (WISP) describing the administrative, technical, and physical safeguards we apply to your personal information, reviewed at least annually. The WISP itself is not published, but its existence is confirmed here for transparency.
No system is perfectly secure. If we ever experience a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected customers without undue delay and, where required, notify the relevant supervisory authority within 72 hours.
11. Your rights
You have the following rights over your personal information. To exercise any of them, email [email protected] or use the self-service options in Settings → Privacy where indicated. We will respond within 30 days (GDPR) or 45 days (CCPA), free of charge in the vast majority of cases.
Rights available to everyone
- Access: download all of your data as a ZIP (Settings → Privacy → Export my data).
- Correction: edit your profile, system information, and preferences in Settings; email us for anything you can't self-serve.
- Deletion: request account deletion from Settings → Privacy; 30-day grace period, then hard-deleted.
Additional rights under GDPR / UK GDPR
- Restriction: ask us to restrict processing while a dispute is pending.
- Objection: object to processing based on legitimate interest or direct marketing.
- Portability: receive your data in a structured, machine-readable format (the ZIP export satisfies this).
- Withdraw consent: where processing is based on consent (e.g., marketing emails, contract analysis), withdraw at any time without affecting the lawfulness of processing done before withdrawal.
- Not be subject to solely automated decision-making that produces legal or similarly significant effects. We don't do this today; if we ever introduce such processing, we will notify you and provide an opt-out.
Additional rights under CCPA / CPRA
- Right to know what categories and specific pieces of personal information we have collected, used, disclosed, or shared about you in the past 12 months — see Sections 2, 3, and 6.
- Right to delete — see the Deletion right above.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share, so there's nothing to opt out of. See Section 5.
- Right to limit use of sensitive personal information — we do not collect sensitive PI as defined by CPRA.
- Right to non-discrimination — we will not charge you more, provide degraded service, or penalize you in any way for exercising any of these rights.
- Authorized agents: you may designate an authorized agent to make requests on your behalf; we will verify the agent's authority and your identity before acting.
We may need to verify your identity before fulfilling certain requests; we will match information you provide against your account record and may ask for additional verification for sensitive requests.
12. Complaints and supervisory authorities
If you believe we have mishandled your personal information, we would like the chance to fix it — please contact us first at [email protected]. You also have the right to lodge a complaint with a supervisory authority:
- EU residents — your local Data Protection Authority. A directory is available at edpb.europa.eu.
- UK residents — the Information Commissioner's Office at ico.org.uk.
- California residents — the California Privacy Protection Agency at cppa.ca.gov, and the California Attorney General.
- Other U.S. states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, and others) — your state Attorney General.
13. Children's privacy
The Service is intended for homeowners and is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided us personal information, please contact [email protected] and we will delete it.
14. Changes to this policy
We will update this policy from time to time as the Service evolves or as the law requires. When we make material changes — adding a new subprocessor, changing retention periods, adding new categories of data, or expanding our use of your data — we will notify you at least 30 days in advance by email and by posting a prominent notice on the Service. We also update the "Last updated" date at the top of this page on any change.
15. Contact
Questions, requests, or concerns about this policy or how we handle your personal information?
- Email: [email protected]
- Mail: OwlWatt, c/o Olivier Beauchemin, Massachusetts, USA (full mailing address provided on request)
If you are an EU or UK data subject and would like to exercise rights that require us to engage additional formalities (for example, a subject access request through an authorized agent), please state that in your email and we will respond accordingly.