Privacybeleid

Version 1.0 - Februari, 2025

Privacy Statement – Repower EMS Portal

Version 1.0 – February 2025

Repower EMS B.V., Helmkruidstraat 1, 6841 BZ Arnhem, The Netherlands

Chamber of Commerce (KvK) No. 95966080

Introduction

This Privacy Statement describes how Repower EMS B.V. (“Repower EMS”, “we”, “our”, “us”) processes personal data when you access and use our customer portal at https://portal.repowerems.com (the “Portal”).

We are committed to protecting personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Dutch Implementation Act (UAVG), and other applicable laws. This Statement is intended to provide transparency to users, customers, and their representatives about how we handle personal data.

Data Controller

Repower EMS B.V. acts as the Data Controller for all processing activities described in this Privacy Statement.

Contact details:

  • Helmkruidstraat 1, 6841 BZ Arnhem, The Netherlands
  • privacy@repowerems.com

Categories of Personal Data We Process

When you use the Portal, we may process the following categories of personal data:

  1. Account and identity data – full name, business email address, organization, user role, login identifier.
  2. Authentication data – credentials provided via Single Sign-On (SSO) through Google or Microsoft. We receive basic identity attributes (name, email address, unique ID). We do not store your external SSO password.
  3. Technical and usage data – IP address, browser type, device information, login time, session activity, security logs.
  4. EMS service data – configuration data, system identifiers, energy usage and performance data linked to your Energy Management System.
  5. Support and communication data – correspondence, support tickets, and other information you voluntarily provide when contacting us.

Purposes of Processing

We process personal data only for specific, explicit, and legitimate purposes:

  • To provide and secure access to the Portal (authentication, authorization).
  • To manage accounts, roles, and organizational settings.
  • To deliver, configure, and improve our EMS services.
  • To provide customer and technical support.
  • To maintain system security, detect and prevent fraud or misuse.
  • To comply with legal obligations (e.g., tax, regulatory compliance, audit logs).
  • To improve service quality through aggregated, anonymised analytics.

We do not use personal data for automated decision-making that produces legal or similarly significant effects.

Legal Bases for Processing

Our processing of personal data is based on one or more of the following GDPR legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR) – where processing is necessary to provide SaaS and Portal access under our service agreements.
  • Legal obligation (Art. 6(1)(c) GDPR) – for compliance with EU and Dutch legal requirements.
  • Legitimate interests (Art. 6(1)(f) GDPR) – including service improvement, fraud prevention, IT security, and business administration.
  • Consent (Art. 6(1)(a) GDPR) – for optional activities (e.g., analytics cookies or marketing communications). Consent can be withdrawn at any time.

Sharing of Personal Data

We only share personal data where necessary and subject to appropriate safeguards:

  • Identity providers – Google and Microsoft for SSO authentication.
  • IT and hosting providers – for secure cloud and infrastructure services.
  • Authorized contractors and service partners – assisting with system maintenance or support.
  • Legal or regulatory authorities – where disclosure is required by law.

We do not sell personal data to third parties.

International Data Transfers

If personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards in line with Chapter V GDPR, including:

  • EU Commission adequacy decisions; or
  • Standard Contractual Clauses (SCCs) with supplementary measures as necessary.

Data Retention

We retain personal data no longer than necessary for the purposes for which it was collected:

  • Account data – retained for the lifetime of the account; deleted or anonymised within 6 months after termination.
  • Log data – retained for up to 12 months for security, troubleshooting, and audit purposes.
  • EMS technical data – retained in accordance with contractual agreements with your organization.
  • Support data – retained up to 24 months to resolve issues and for auditability.

Legal or regulatory requirements may require longer retention periods in certain cases.

Data Security

We apply appropriate technical and organizational measures to protect personal data, including:

  • End-to-end encryption of communications (TLS/mTLS).
  • Role-based access controls and multi-factor authentication.
  • Hosting within secure EU-based data centers.
  • Regular vulnerability testing, monitoring, and backups.

Despite these measures, no system is completely secure. We maintain incident response procedures to promptly address any data breach.

Your Rights under the GDPR

You have the following rights in relation to your personal data:

  • Right of access – obtain a copy of your personal data.
  • Right to rectification – correct inaccurate or incomplete data.
  • Right to erasure – request deletion (“right to be forgotten”), subject to legal limitations.
  • Right to restriction – limit how we process your data.
  • Right to data portability – receive your data in a machine-readable format.
  • Right to object – object to processing based on legitimate interests.
  • Right to withdraw consent – at any time, where processing is based on consent.

Requests may be submitted to privacy@repowerems.com. We will respond within one month in accordance with GDPR requirements.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Cookies and Similar Technologies

The Portal uses cookies that are strictly necessary for operation and secure login. Where non-essential cookies (e.g., analytics or personalization) are used, you will be asked for consent through a cookie banner or settings panel. You may withdraw your consent at any time.

Changes to This Privacy Statement

We may amend this Privacy Statement from time to time. Updates will be published at https://www.repowerems.com/privacybeleid. Where changes materially affect your rights, we will provide additional notice (e.g., by email or portal notification).

Contact

For questions, requests, or complaints regarding this Privacy Statement or our data processing practices, please contact:

Repower EMS B.V.

Helmkruidstraat 1, 6841 BZ Arnhem, The Netherlands

privacy@repowerems.com