
Privacy Policy

Last updated: 18 March 2026

ChargeSuite GmbH (“ChargeSuite”, “we”, “us”, or “our”) operates an AI-powered regulatory compliance and grid revenue optimisation platform for EV charging operators in Germany and the European Union. This Privacy Policy explains how we collect, use, store, and share personal data in connection with our services. ChargeSuite is a business-to-business (“B2B”) platform; our customers are legal entities (EV charging operators). We do not offer services directly to consumers.

1. Data Controller

The data controller for processing activities described in this policy is:

ChargeSuite GmbH
[Registered address — to be confirmed upon incorporation]
Frankfurt am Main, Germany
E-mail: [email protected]

Data Protection Officer (DPO): [DPO name and contact details — to be appointed. For inquiries in the interim, contact [email protected]].

2. Data We Collect

We process the following categories of data when you use ChargeSuite:

Category | Examples
Operator account data | Company name, registered address, VAT number, contact name, business e-mail, country of operation
Authentication data | E-mail address, hashed credentials, multi-factor authentication tokens (processed by Clerk)
Compliance profile data | Charger inventory, certification status (Eichrecht, ISO 15118), payment method support, CPMS provider
Compliance Q&A logs | Questions submitted to the Compliance Brain AI, AI-generated answers, source citations, confidence scores, user feedback ratings
Charging session metadata | Session timestamps, energy delivered (kWh), tariff applied, V2G dispatch events — no individual driver identifiers are processed
Usage analytics | Pages visited, feature usage frequency, error events, API call latency — used to improve platform reliability
Billing data | Subscription tier, invoice history (Stripe processes card details; we do not store raw card numbers)

3. Purposes and Legal Basis

We process personal data only where we have a lawful basis under GDPR Art. 6:

  • Art. 6(1)(b) — Contract performance

    Providing the ChargeSuite platform: user authentication, compliance analysis, gap reports, regulatory alerts, V2G optimisation, subsidy matching, and billing management.

  • Art. 6(1)(c) — Legal obligation

    Compliance with applicable law, including responding to lawful requests from German supervisory authorities.

  • Art. 6(1)(f) — Legitimate interests

    Platform security and fraud prevention, service reliability monitoring, product improvement analytics, and enforcing our Terms of Service. Our legitimate interests do not override your rights as a data subject.

  • Art. 6(1)(a) — Consent

    Where we send optional marketing communications to your business contact. You may withdraw consent at any time.

4. Retention Periods

We retain personal data for as long as necessary to fulfil the purposes set out above, subject to the following schedules:

  • Account and compliance profile data: retained for the duration of the active contract, then deleted or anonymised within 30 days of contract termination.
  • Compliance Q&A logs and gap reports: retained for 3 years after account deletion to support regulatory audit trails, then permanently deleted.
  • Charging session metadata: retained for 3 years to meet German energy-law record-keeping requirements (EnWG).
  • Usage analytics (aggregated): retained indefinitely in anonymised form.
  • Billing records: retained for 10 years in accordance with German commercial law (HGB § 257).

Upon a verified erasure request under GDPR Art. 17, we will delete all personal data within 30 days, except where retention is required by law.

5. Sub-processors

We engage the following sub-processors to deliver our services. All sub-processors are bound by Data Processing Agreements that require equivalent GDPR protections:

Sub-processor | Purpose | Location | Transfer mechanism
Amazon Web Services (AWS) | Cloud infrastructure: compute (ECS Fargate), relational database (RDS PostgreSQL + pgvector), cache (ElastiCache Redis) | eu-central-1 (Frankfurt, Germany) | Within EU — no transfer mechanism required
Clerk, Inc. | User authentication and organisation management | United States | EU Standard Contractual Clauses (SCCs)
Anthropic, PBC | AI inference for the Compliance Brain (Claude API) | United States | EU Standard Contractual Clauses (SCCs)
Stripe, Inc. | Subscription billing and payment processing | United States / Ireland | EU Standard Contractual Clauses (SCCs) / Within EU
Sentry (Functional Software, Inc.) | Application error monitoring | United States | EU Standard Contractual Clauses (SCCs)

We will notify you at least 30 days in advance of any material changes to our sub-processor list.

6. Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) for Business Customers

For business customers who have personal data processed as part of the ChargeSuite services, we provide a data processing agreement (Auftragsverarbeitungsvertrag, AVV) pursuant to Art. 28 GDPR. The AVV governs the subject matter, duration, nature and purpose of the processing, as well as the technical and organisational measures (TOMs).

The AVV is provided on request before the contract is concluded, in particular for municipal utilities (Stadtwerke) and public-law CPOs that require a signed AVV as part of their tendering procedures.

Data processing exclusively in Germany. All customer data, including AI compliance queries, operator profiles and gap analysis results, is processed and stored on servers in Germany (AWS eu-central-1, Frankfurt).

Please send inquiries to: [email protected]

7. Your Data Subject Rights

As a data subject (or as the representative of your organisation), you have the following rights under GDPR:

  • Right of access (Art. 15): Request a copy of personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data where no legal obligation to retain exists. In-app erasure is available via Settings.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON/CSV export available on request).
  • Right to restriction (Art. 18): Request that we limit processing while a dispute is resolved.
  • Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Right to lodge a complaint: You may lodge a complaint with the Hessian Commissioner for Data Protection and Freedom of Information (HBDI) or any EU supervisory authority.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption at rest using AES-256 on all AWS RDS and S3 resources
  • Encryption in transit using TLS 1.2 or higher for all API and browser connections
  • Row-Level Security (RLS) in PostgreSQL enforcing tenant data isolation
  • Audit logging for all data access and administrative actions
  • Access controls with least-privilege principles; production access restricted to authorised personnel
  • Regular vulnerability scanning and dependency audits (npm audit, Dependabot)
  • Breach notification to affected operators and supervisory authorities within 72 hours of becoming aware of a breach

8. AI Processing Disclosure

ChargeSuite uses the Anthropic Claude API to generate regulatory compliance answers. When you submit a query to the Compliance Brain, the following data is transmitted to Anthropic's API:

  • The text of your compliance question
  • Relevant excerpts from the regulatory corpus (no personal data)
  • Your operator profile summary (company type, charger count, certifications — no individual employee names)

Anthropic processes this data under a Data Processing Agreement with ChargeSuite and does not use it to train its models. No automated decisions with legal or similarly significant effects are made solely by the AI; all compliance outputs are advisory and require human review.

9. Cookies and Tracking

ChargeSuite uses only technically necessary cookies required for authentication (Clerk session tokens) and security (CSRF protection). We do not use advertising or tracking cookies. No cookie consent banner is displayed because we rely solely on strictly necessary cookies exempt from consent requirements under ePrivacy Directive Art. 5(3).

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by e-mail to the registered operator contact at least 14 days before taking effect. The “Last updated” date at the top of this page always reflects the most recent revision.
