Last updated: March 6, 2026
1. Introduction
This Privacy Policy describes how IOT Solutions AS ("we", "us", "our", "the Company") collects, uses, stores, and protects personal data when you use the allmy.energy web application and progressive web app (the "Service").
We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (GDPR), the Norwegian Personal Data Act (Personopplysningsloven), and other applicable data protection legislation.
Data Controller: IOT Solutions AS
2. What Personal Data We Collect
2.1. Data You Provide Directly
When you create an account or use the Service, we collect:
| Data | Purpose | Required |
|---|---|---|
| Email address | Account identification, authentication, notifications | Yes |
| First name | Personalizing the Service, display name | Yes |
| Last name | Personalizing the Service, display name | Yes |
| Mobile/phone number | Contact, account recovery | No |
| Password | Authentication (stored as a cryptographic hash, never in plain text) | Yes (email login) |
When you register or log in via Google OAuth or SSO/SAML, we receive your name and email address from the identity provider. We do not receive or store your Google or SSO password.
2.2. Two-Factor Authentication Data
If you enable two-factor authentication, we store:
- TOTP: A shared secret used to generate time-based codes (associated with your authenticator app).
- WebAuthn/Passkeys: Public key credentials registered by your device (private keys never leave your device).
2.3. Data Generated Through Your Use of the Service
| Data | Description |
|---|---|
| User preferences | Favorite meters, favorite tags, language preference (Norwegian/English) |
| Access sharing records | Edit/view access links you create and share for tags |
| Tag metadata | Names, attributes, documents, videos, and reports you create within the Service |
| Solar reports | Solar panel calculation parameters and results you generate |
2.4. Energy Data (Retrieved on Your Behalf)
When you grant us access via Elhub (the Norwegian metering data hub), we retrieve and process:
- Meter metadata: Meter number, meter ID, building name, smart meter type, location (zip code, city, latitude, longitude)
- Consumption data: Hourly, daily, and monthly energy readings (electricity, district heating/cooling, gas, water)
- Cost data: Grid costs, energy costs, spot prices, consumption tax, Enova tax, connection fees, reactive costs, power costs
- Weather data: Temperature readings correlated with your consumption data
This data is sourced from Elhub, grid operators, and Nord Pool (spot prices) and is processed solely to provide the Service to you.
2.5. Data Collected Automatically
When you use the Service, the following data may be collected automatically:
| Data | Collected by | Purpose |
|---|---|---|
| Authentication tokens | GoTrue (self-hosted) | Session management via cookies |
| Error reports | Sentry | Diagnosing and resolving technical issues |
| Session replays | Sentry | Understanding error context (sampled) |
| Page views, web vitals | Vercel Analytics | Performance monitoring |
| Session recordings, heatmaps, interaction data | Microsoft Clarity | Improving user experience |
| IP address, browser type, device info | Various (as part of standard HTTP requests) | Security, analytics |
3. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Article 6):
| Legal Basis | Applies To |
|---|---|
| Performance of a contract (Art. 6(1)(b)) | Processing necessary to provide the Service (account management, energy data retrieval, reporting) |
| Consent (Art. 6(1)(a)) | Optional analytics (Microsoft Clarity, session recordings); two-factor authentication enrollment; Elhub data access (consent given through Elhub) |
| Legitimate interest (Art. 6(1)(f)) | Error monitoring (Sentry), performance analytics (Vercel Analytics), security measures, fraud prevention |
| Legal obligation (Art. 6(1)(c)) | Where required by law (e.g., accounting records, legal requests) |
4. Cookies and Similar Technologies
4.1. Essential Cookies
The Service uses essential cookies for authentication and session management. These cannot be disabled while using the Service.
| Cookie | Purpose | Duration |
|---|---|---|
| Authentication cookies (sb-*, auth, supabase, .auth.token patterns) | Store encrypted session tokens (JWT access token and refresh token). Split across multiple chunked cookies for large payloads. | Up to 400 days (browser); cleared on logout |
4.2. Analytics and Tracking
| Service | Type | Data Collected | Data Destination |
|---|---|---|---|
| Microsoft Clarity | Analytics script | Session recordings, heatmaps, clicks, scrolling, interaction patterns | Microsoft (clarity.ms) — global |
| Vercel Analytics | Performance analytics | Page views, web vitals, navigation performance | Vercel servers |
| Sentry | Error monitoring | Error reports, stack traces, DOM session replays (10% of sessions; 100% on error) | Sentry EU (ingest.de.sentry.io) |
Sentry client requests are tunneled through the /monitoring route on our server.
4.3. Fonts
The Manrope font is loaded from Google Fonts at build time and served locally by the application. No runtime requests to Google are made for font loading.
5. How We Use Your Data
We use your personal data for the following purposes:
- Providing the Service: Creating and managing your account, retrieving and displaying your energy data, generating reports, charts, and analytics.
- Authentication and security: Verifying your identity, managing sessions, enforcing two-factor authentication, preventing unauthorized access.
- Energy insights: Calculating consumption patterns, cost breakdowns, duration curves, temperature correlations, solar panel profitability estimates, and cost simulations.
- Data export: Generating PDF, Excel, and CSV reports from your energy data on demand.
- Collaboration: Enabling tag/portfolio sharing with other users via access links you create.
- Error resolution: Monitoring and resolving technical errors and performance issues.
- Product improvement: Understanding usage patterns to improve the Service's user experience and functionality.
- Communication: Sending password recovery codes and other account-related notifications via email.
6. Data Sharing and Third-Party Services
6.1. Third-Party Service Providers
We use the following third-party services as data processors:
| Service | Provider | Purpose | Data Region |
|---|---|---|---|
| Sentry | Functional Software, Inc. | Error monitoring, session replay | EU (Germany) |
| Microsoft Clarity | Microsoft Corporation | UX analytics, session recordings | Global |
| Vercel | Vercel, Inc. | Application hosting, web analytics | Global |
| Google OAuth | Google LLC | OAuth authentication (when you choose Google login) | Global |
| Elhub | Elhub AS | Energy meter data retrieval (Norwegian metering hub) | Norway |
6.2. When We Share Data
We share personal data only when:
- You grant explicit consent (e.g., granting Elhub access, sharing tag access links with others).
- Required by law (e.g., legal requests from authorities).
- Necessary for service operation (e.g., with our hosting and error monitoring providers as described above).
We do not sell your personal data to third parties. We do not share your energy consumption data with advertisers or third parties for commercial purposes unrelated to the Service.
6.3. International Data Transfers
Some of our third-party providers (Vercel, Microsoft, Google) may process data outside the EU/EEA. Where such transfers occur, they are protected by:
- EU Standard Contractual Clauses (SCCs)
- The EU-US Data Privacy Framework (where applicable)
- Other appropriate safeguards under GDPR Chapter V
Sentry processes data within the EU (Germany), and Elhub processes data within Norway.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, name, phone) | Retained while your account is active; deleted upon account termination |
| Authentication session cookies | Up to 400 days; cleared on logout or session invalidation |
| Energy consumption data | Retained while your account is active and Elhub consent is valid |
| Tags, reports, solar calculations | Retained while your account is active |
| Error logs (Sentry) | Per Sentry's retention policies (typically 90 days) |
| Analytics data (Clarity, Vercel) | Per each provider's retention policies |
| Exported reports (PDF, Excel, CSV) | Generated on demand and delivered to your browser; not stored on our servers |
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit: All communication uses HTTPS/TLS encryption.
- Authentication security: PKCE (Proof Key for Code Exchange) flow for authentication; JWT tokens validated server-side on every protected request.
- Password security: Passwords are stored as cryptographic hashes (managed by GoTrue); minimum 6-character requirement enforced.
- Multi-factor authentication: Optional TOTP and WebAuthn/passkeys for enhanced account security.
- Access control: Row-level security enforced at the database level; JWT claims used to restrict data access per user.
- Session management: Tokens validated for expiration (with 60-second buffer); invalid or expired sessions are automatically terminated and cookies cleared.
- Production-only monitoring: Sentry error monitoring and session replays are only active in the production environment.
9. Your Rights Under GDPR
As a data subject, you have the following rights:
9.1. Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you. The Service displays your profile data in the Settings page and your energy data through the dashboard.
9.2. Right to Rectification (Article 16)
You can update your first name, last name, and phone number at any time through the Settings page. For changes to your email address, please contact us.
9.3. Right to Erasure / "Right to Be Forgotten" (Article 17)
You have the right to request deletion of your personal data. Upon deletion, we will remove your account data and associated energy data, except where retention is required by law.
9.4. Right to Restriction of Processing (Article 18)
You can request that we restrict the processing of your personal data in certain circumstances.
9.5. Right to Data Portability (Article 20)
You can export your energy data using the built-in export features (CSV, Excel, PDF). For other data portability requests, please contact us.
9.6. Right to Object (Article 21)
You may object to processing based on legitimate interest at any time.
9.7. Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you may withdraw it at any time. This includes:
- Elhub data access: Revoke consent through Elhub's portal at any time.
- Two-factor authentication: Remove enrolled factors through the Settings page.
Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
9.8. Right to Lodge a Complaint
You have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet):
- Website: datatilsynet.no
- Email: postkasse@datatilsynet.no
10. Elhub Data Access
10.1. To use the smart meter import feature, you must grant IOT Solutions AS access to your meter data through Elhub's consent management system.
10.2. This consent is managed entirely by Elhub and can be revoked at any time through Elhub's portal. Upon revocation, we will no longer retrieve new data for the affected meters.
10.3. We use Elhub data exclusively for providing energy monitoring, analysis, and reporting features within the Service.
11. Children's Privacy
The Service is not directed at children under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be effective upon posting the revised policy within the Service. We will notify you of significant changes via the Service or email. Your continued use of the Service after changes constitutes acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically.
By creating an account and using allmy.energy, you acknowledge that you have read and understood this Privacy Policy.