PRIVACY NOTICE
SUNPOWER ONE

Last updated: [January 2023]

1. What does this notice cover?

This notice describes how SunPower GmbH ("SunPower”, "we", "us" or "our") uses and discloses your personal data in SunPower One application. It also describes your data protection rights, including a right to object to some of the processing which SunPower GmbH carries out. More information about your rights, and how to exercise them, is set out in the "Your choices and rights" section.

This notice applies to SunPower One users. The data processing described in this notice may be limited as required by applicable law.

 

2. What categories of personal data we collect?

• Device information and identifiers: connection information, including IP address, WiFi information, advertising ID, device ID, location, operating system, mobile network carrier, device type, software and hardware attributes, and app version number and identifiers

• Registration information: your name, e-mail address, password, language, PV panel and batteries details including serial number, installation date, warranty duration, your installer contact details

• Contact information: e-mail, phone, language, country, city, street, postal code, personal data in message

• Household information: property information including property type, size, age, homeowner/enter, postal code, type of residents, number of residents, details of house appliances

• Product and energy information: Energy tariff data, fetch information consumption, serial number on product, fetch battery information, installation date, telemetric data, money performance details

• Analytics and behavioural data include app usage (e.g. date, time and request), content viewed, content favourites, consumer profiles, inference data.

• Preferences includes your preferences for receiving marketing communications from us (including your marketing consent status) and cookies and tracking technologies consent choices.

We collect most of this information from you directly. For example, data is collected through sign-in forms and when using the SunPower One application.

 

3. Why we collect, use and store this personal data?

We have to have a legal basis to process your data. We explain these legal bases below. We also explain the purposes for which we process your data, the processing operations that we carry out, and the categories of data that we use for each purpose.

Legal Basis

Contractual performance (Art. 6 (1) b GDPR) – we have obligations which are related to making our services available to you via the SunPower One. To fulfil these obligations, we have to use your data.

Consent (Art. 6 (1) a GDPR) – in certain limited cases, we ask for your consent to use your data. Whenever we ask with your consent, we will explain the situations where we use your data and for what purposes.

Legitimate interest (Art. 6 (1) f GDPR) – we can process your data when this is necessary for us to achieve a business purpose, or where this is necessary for someone else to achieve their purpose. We explain below what interests we, or others, are trying to achieve when we process your data. Where we process personal data on the basis of a legitimate interest, then – as required by data protection law – we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals and to determine whether individuals’ interests outweigh our interests in the processing taking place. You can obtain more information about this balancing test by using the contact details at the end of the notice.

Legal obligation (Art. 6 (1) c GDPR) – as an organisation we have obligations to comply with legal, regulatory and other requirements under EU or Member State laws. In certain cases, we will have to use your data to meet these obligations.

Purposes

Purpose	Legal basis	Personal data	Recipients	Sources
Registration and basic use of application	Art. 6 (1) b GDPR	Registration information, device information and identifiers	Hosting providers	Directly from user
Monitoring of energy usage	Art. 6 (1) b GDPR	Registration information, Household information, Product and energy information	Hosting providers	Directly from user
Communication with the user	Art. 6 (1) b GDPR	Contact information	Hosting providers	Directly from user
Recommendations for energy usage reduction	Art. 6 (1) b GDPR	Registration information, Household information, Product and energy information	Hosting providers	Directly from user
Analyse application usage	Art. 6 (1) f GDPR   Legitimate interest: Improvement of our services and products	Registration information, Household information, Product and energy information, Analytics, and behavioural data	Hosting providers	Directly from user, Analytical tool providers
Offering new products and services	Art. 6 (1) a GDPR	Registration information, Household information, Product and energy information, Analytics and behavioural data	Hosting providers, Analytics tool providers, Insurance companies, Energy suppliers, Financing institutes, Mobility service provider, Community service	Directly from user, Analytical tool providers
Newsletter	Art. 6 (1) f GDPR   Legitimate interest: Providing you with information on our product and services	Contact information	Hosting providers	Directly from user
Behavioral advertising	Art. 6 (1) a GDPR or Art. 6 (1) f GDPR if consent is not required   Legitimate interest: Marketing of our or our partners products and services	Device information and identifiers, Preferences, Registration information, Household information, Product and energy information, Analytics and behavioural data	Hosting providers, Advertising partners	Directly from user, Analytical tool providers

 

Additional information about behavioural advertising

We and our partners collect personal data via cookies and similar technologies. For more information please see: Privacy and Security in Firebase (google.com).

Generally, cookies and similar technologies will only be used (i) with your consent or (ii) without your consent only where those cookies and similar technologies are strictly necessary to provide our services to you. You can object to the use of these cookies and revoke your relevant consents by using your settings on your mobile device.

Additional information about marketing

Marketing messages from us:

We would like to send you marketing communications, which includes our newsletters, promotional e-mails, and information about products, services and promotions offered by us, our partners, and other organisations with which we work. You would receive marketing communications from us if you created an account and we obtained your prior opt-in consent to send you marketing.

Unsubscribe from marketing messages:

To unsubscribe from marketing messages, you may use one of the following methods:

• Where you have an account with us directly, you can change your choices at any time in your Profile

• You can also opt out of marketing by clicking on the unsubscribe link in our marketing e-mails

 

4. Where we transfer your personal data?

We may transfer personal data that we collect from you to third parties located in countries that are outside of the UK and the European Economic Area ("EEA") (including to the United States) or to members of our group of companies in connection with the above purposes. Please be aware that countries which are outside the UK and the EEA may not offer the same level of data protection as the UK and the EEA, although our collection, storage and use of your personal data will continue to be governed by this Privacy Notice.

In the event such an organisation is in a country which is not subject to an adequacy decision by the EU Commission or considered adequate as determined by applicable data protection laws, we take steps to ensure your personal data is adequately protected:

• Singapore (in relation hosting provider services) – Standard Contractual Clauses

• USA (in relation to Google Analytics services) – Standard Contractual Clauses, please see for more information Privacy and Security in Firebase (google.com).

A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.

 

5. How long do we maintain your data?

We maintain the information we collect for as long as necessary to provide the services, for so as long as reasonably required to satisfy the purpose for which you submitted the information or for our business purposes, or as required by law. Where processing is based on consent, this will not last longer than until you withdraw your consent.

After such period we will take steps to delete your personal data (including any account that you set up to use the application). After such period we will take steps to delete your personal data (including any account that you set up to use the Services).

 

6. Your choices and rights

You have certain rights regarding your personal data. These rights are described in more detail below.

If you have given us your consent, you can withdraw it at any time (Art. 7 (3) GDPR). The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal. You can withdraw consent regarding personal data collection for marketing and advertising purposes in your profile information.

You also have the right to object to the processing of your personal data by us:

• in certain circumstances, if we process your data based on Article 6 (1) (e) or (f) GDPR (including profiling) (Art. 21 (1) GDPR),

• we process your data for direct marketing purposes (Art. 21 (2) GDPR).

Generally, you also have the right to request us to:

• access and obtain a copy of your personal data that we store (Art. 15 GDPR),

• provide some of your personal data to you or another data controller in a commonly used, machine-readable format (Art. 20 GDPR),

• update or correct your personal data if it is inaccurate (Art. 16 GDPR),

• delete your personal data (including your account) from our systems under certain circumstances (Art. 17 GDPR),

• restrict the processing of your personal data under certain circumstances (Art. 18 GDPR).

Additionally, if you are based in France, you also have the right to:

• set guidelines regarding the use of your personal data after your death (Art. 85 French Data Protection Act),

• register on the Bloctel list of objections to cold calling, this is a free service (Art. 223-1 French Consumer Code).

We will consider all the above requests and provide our response within a reasonable period (and in any event within any time required by applicable law). Please note however that under certain circumstances the above rights may be restricted. If an exception applies, we will tell you this when responding to your request. We may request you provide us with information necessary to confirm your identity before responding to any request you make.

You also have the right to lodge a complaint with your local data protection authority (Art. 77 GDPR) in the EEA if you believe we have not complied with applicable data protection laws. The relevant local authority differs depending on your country of residence. For the EEA you may refer to the website of the European Data Protection Board to find out more about how to contact your local data protection authority. You may under certain circumstances also seek a remedy through local courts, if you believe your rights have been breached.

 

7. Updates to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

 

8. Contact us

The data controller for your personal data will be SunPower GmbH.

If you have questions about this privacy notice or wish to contact us for any reason in relation to our personal data processing, please contact us at e-mail address: dpo@maxeon.com or by phone 0 800 000 798 0.