Privacy Policy

Last updated: January 17, 2026

1. Introduction

Welcome to Electrac. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our electricity price tracking service.

2. Information We Collect

2.1 Information You Provide

  • Phone Number: Required for SMS-based authentication and alert notifications
  • Email Address: Collected during Pro subscription checkout for payment receipts, invoices, and subscription management (not used for marketing)
  • SMS Consent: Your explicit consent to receive SMS messages, including the timestamp when you granted consent
  • Alert Preferences: Your configured price alert thresholds and notification settings

2.2 Automatically Collected Information

  • Device Information: Browser type, operating system, and device type
  • IP Address: For security and session management
  • Usage Data: How you interact with our service
  • Session Data: Authentication tokens and session duration

2.3 Categories of Personal Information (CCPA)

For California residents, we collect the following categories of personal information as defined by the California Consumer Privacy Act (CCPA):

  • Identifiers: Phone number, email address (Pro users only), IP address, session tokens, unique device identifiers
  • Commercial Information: Pro subscription status, payment history, billing information, alert preferences, service usage records
  • Internet or Network Activity: Browsing history within our service, interaction data, device information, browser type, page views, user events (tracked via Google Analytics with anonymized IP addresses)
  • Geolocation Data: General location inferred from IP address (city/region level, not precise GPS location)
  • Inferences: Usage patterns and preferences derived from your activity to personalize the service

We do not sell your personal information to third parties. We have not sold personal information in the preceding 12 months and do not have actual knowledge of selling personal information of minors under 16 years of age.

3. How We Use Your Information

3.1 Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide authentication and service delivery (phone number for login, session management, price data delivery)
  • Consent: Processing based on your explicit consent for SMS price alerts and optional communications (you may withdraw consent at any time)
  • Legitimate Interest: Processing necessary for our legitimate interests in security, fraud prevention, service improvement, and business analytics (balanced against your privacy rights)
  • Legal Obligation: Processing necessary to comply with applicable laws, regulations, legal processes, or enforceable government requests

3.2 Purposes of Processing

We use the collected information for the following purposes:

  • Authentication: To verify your identity and secure your account
  • Service Delivery: To provide electricity price tracking and alerts
  • Payment Processing: To process subscription payments, send receipts and invoices, and manage billing
  • SMS Notifications: To send verification codes and price alerts
  • Service Improvement: To analyze usage patterns and improve our service
  • Security: To detect and prevent fraud, abuse, and security incidents
  • Legal Compliance: To comply with applicable laws and regulations

4. SMS Communications and Consent Management

4.1 Explicit Consent

By checking the SMS consent box during sign-up, you explicitly consent to receive SMS messages from Electrac at the phone number you provide. We record the timestamp of your consent for compliance and record-keeping purposes.

4.2 Types of SMS Messages

  • Authentication verification codes - Required for login (sent on-demand)
  • Price alert notifications - Optional alerts you configure (frequency varies based on price volatility)
  • Important service updates and security alerts - Rare, critical communications only

4.3 No Marketing Policy

Your phone number will NEVER be used for marketing purposes. We will only send:

  • Authentication codes when you log in
  • Price alerts that you explicitly configure and enable
  • Critical service or security notifications

We will never sell, rent, or share your phone number with third parties for marketing purposes.

4.4 Message Frequency

Authentication: Only when you initiate login (on-demand, typically 1-2 per session)

Price Alerts: Varies based on electricity market conditions and your configured thresholds. You have full control over alert frequency by adjusting your spike/drop percentage thresholds and enabling/disabling alerts.

4.5 Consent Tracking

We store the timestamp when you grant SMS consent. This allows us to:

  • Comply with SMS regulations and legal requirements
  • Re-request consent if our terms change materially
  • Maintain accurate records of user preferences
  • Ensure we only send messages to users who have explicitly opted in

4.6 Withdrawing Consent

You may withdraw consent for non-essential SMS messages at any time by:

  • Disabling alert preferences in your account settings
  • Contacting our support team to request opt-out

Important: Authentication messages are essential to the service and cannot be disabled without deleting your account. Message and data rates may apply per your carrier's plan.

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

5.1 Service Providers

We use third-party service providers to operate our service. We share only the minimum data necessary with each provider:

  • Twilio, Inc.: SMS message delivery for authentication codes and price alerts
    Data shared: Phone number, message content
    Privacy Policy: twilio.com/legal/privacy
  • Stripe, Inc.: Payment processing for Pro subscriptions
    Data shared: Payment information, billing details, email (if provided)
    Privacy Policy: stripe.com/privacy
  • DigitalOcean, LLC: Infrastructure hosting and data storage
    Data shared: All service data (stored on our servers hosted by DigitalOcean)
    Privacy Policy: digitalocean.com/legal/privacy-policy
  • Google LLC: Analytics and usage tracking via Google Analytics 4
    Data shared: Anonymized IP addresses, page views, user interactions, device information, browser type, and a unique internal identifier to link events across sessions
    Privacy Policy: policies.google.com/privacy
    You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on

These service providers are contractually obligated to:

  • Use your data only to provide services to us
  • Implement appropriate security measures to protect your data
  • Comply with applicable data protection laws (including GDPR and CCPA)
  • Not use your data for their own marketing purposes or share it with other third parties

We conduct due diligence on all service providers and require them to meet our security and privacy standards. However, we are not responsible for their privacy practices beyond our contractual requirements.

5.2 Legal Requirements

We may disclose your information if required by law or in response to valid legal requests.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity, subject to this privacy policy.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encrypted data transmission (HTTPS/TLS)
  • Secure session tokens with 30-day expiration
  • Time-limited verification codes (10-minute expiration)
  • Rate limiting to prevent abuse
  • Regular security audits and updates

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Data Retention

We retain your personal information for as long as necessary to provide our services:

  • Account Data: Retained while your account is active
  • Verification Codes: Deleted after expiration (10 minutes) or verification
  • Session Data: Retained for 30 days or until logout
  • Usage Logs: Retained for security and operational purposes (typically 90 days)

You may request deletion of your account and associated data at any time by contacting support.

8. Your Rights

8.1 General Privacy Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of your personal data we hold
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and personal data
  • Opt-Out: Disable SMS price alerts (authentication messages are required for service)
  • Data Portability: Receive your data in a machine-readable format (JSON or CSV)
  • Object to Processing: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent for SMS alerts or other consent-based processing

8.2 California Consumer Privacy Act (CCPA) Rights

If you are a California resident, you have additional rights under CCPA:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collected, the sources, purposes, and third parties we shared it with
  • Right to Delete: Request deletion of your personal information (subject to legal exceptions)
  • Right to Opt-Out of Sale: We do not sell your personal information, so this right does not apply
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights by denying service, charging different prices, or providing different quality of service

To submit a verifiable consumer request under CCPA, email [email protected] with your phone number. We will verify your identity using the phone number associated with your account and respond within 45 days.

8.3 GDPR Rights (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights:

  • Right to Restriction: Request restriction of processing under certain circumstances
  • Right to Lodge a Complaint: File a complaint with your local data protection authority if you believe we have violated your privacy rights
  • Right to Data Portability: Receive personal data in a structured, commonly used, machine-readable format

To find your data protection authority, visit: edpb.europa.eu/about-edpb/about-edpb/members_en

8.4 How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected] with your request. We will respond within:

  • 30 days for GDPR requests
  • 45 days for CCPA requests (may be extended by 45 additional days with notice)
  • Reasonable timeframe for other jurisdictions

We may require verification of your identity before processing your request to protect your privacy and security.

9. Cookies and Tracking

Electrac uses minimal tracking technologies:

  • Local Storage: To store your session token and user preferences
  • Session Management: To maintain your authenticated state

We do not use third-party advertising cookies or tracking pixels.

10. Children's Privacy

Electrac is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us immediately.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. By using our service, you consent to such transfers.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by:

  • Posting the new policy on this page
  • Updating the "Last updated" date
  • Sending you a notification (for significant changes)

Your continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this privacy policy or wish to exercise your rights, please contact us at: [email protected]

14. Data Breach Notification

In the unlikely event of a data breach that compromises your personal information, we are committed to transparency and will take the following actions:

14.1 Investigation and Assessment

  • Immediately investigate the breach upon discovery
  • Assess the scope, nature, and risk to your personal data
  • Take immediate steps to contain and remediate the breach
  • Document the incident, including affected data and number of users impacted

14.2 User Notification

We will notify affected users without unreasonable delay:

  • GDPR (EEA, UK, Switzerland users): Within 72 hours of becoming aware of the breach, we will notify the applicable supervisory authority. We will notify affected users without undue delay if the breach poses a high risk to your rights and freedoms.
  • California users: Within the most expedient time possible and without unreasonable delay, consistent with California Civil Code § 1798.82.
  • Other US state laws: In accordance with applicable state breach notification laws, typically within 30-90 days depending on state requirements.

14.3 Notification Content

Breach notifications will include:

  • Description of the incident and when it occurred
  • Types of personal information affected
  • Steps we are taking to address the breach and prevent future incidents
  • Recommendations for steps you can take to protect yourself
  • Contact information for questions and assistance

14.4 Regulatory Reporting

We will report data breaches to applicable regulatory authorities as required:

  • GDPR supervisory authorities (within 72 hours)
  • State Attorneys General (if 500+ residents of a state are affected, typically within 15 days for California)
  • Consumer credit reporting agencies (if 1,000+ individuals affected in some states)
  • Other regulatory bodies as required by applicable law

14.5 Prevention and Security Measures

While we maintain incident response procedures and security measures to detect, respond to, and recover from security incidents, no security measures are 100% effective. We cannot guarantee absolute security of your data, but we are committed to implementing industry-standard protections and continuously improving our security posture.

This privacy policy is designed to comply with applicable data protection laws including GDPR, CCPA, and state breach notification laws. For jurisdiction-specific information or concerns, please contact our privacy team at [email protected].