Note: This is a courtesy translation of the German original. The German version is legally binding.

Privacy Notice – TRACE.App

As of: June 2026 | Version 2.2

This Privacy Policy is updated regularly. The current version is always available at Privacy Notice – TRACE.App.

1. Scope of this Privacy Policy

This Privacy Notice applies exclusively to TRACE.App, the cloud-based energy analysis application by TRACE Electricity GmbH, accessible at app.trace-electricity.com.

TRACE Electricity GmbH acts as the Controller within the meaning of Art. 4 No. 7 GDPR for end users (B2C). For B2B corporate accounts where TRACE processes personal data of employees on behalf of a company, TRACE Electricity GmbH acts as Data Processor (Art. 28 GDPR).

The following privacy and contractual documents apply to TRACE.App:

  • Privacy Notice – TRACE.App – this document; governs all data processing within TRACE.App
  • Data Processing Agreement (DPA) – TRACE.App – pursuant to Art. 28 GDPR, for B2B corporate accounts
  • Technical and Organizational Measures (TOM) – TRACE.App – security measures pursuant to Art. 32 GDPR, annex to the DPA

For the website trace-electricity.com, a separate Privacy Policy applies. For the TRACE.Parser application, the Privacy Notice – TRACE.Parser applies.

2. Controller

The Controller for the processing of personal data within TRACE.App is:

TRACE Electricity GmbH
Dorothea-Bernstein-Weg 48
22081 Hamburg
Germany
Email: privacy@trace-electricity.com

A Data Protection Officer (DPO) has not been appointed at TRACE Electricity GmbH, as the legal requirements under Art. 37 GDPR in conjunction with § 38 BDSG are not met. Please direct privacy inquiries to: privacy@trace-electricity.com.

3. What is TRACE.App?

TRACE.App is a cloud-based application for decision-makers in small and medium-sized enterprises (SMEs) who wish to analyse their energy consumption, identify savings potential and reduce their CO₂ emissions. Users can record energy consumption data, receive individual recommendations and request suitable energy solution providers based on the analysis.

TRACE.App is aimed at decision-makers and employees in companies. Use by minors under the age of 18 is not intended.

4. What data do we process?

4.1 Data provided by you

When registering and using TRACE.App, we collect:

  • First name and last name
  • Email address and password (access credentials – passwords are stored exclusively in hashed form and are not visible to us in plain text)
  • Phone number (optional)
  • Communication preferences (e.g. consent to newsletter)
  • Company information (industry, size, location) – to the extent provided by you
  • Energy consumption data and costs entered by you

Note on energy consumption data: TRACE.App processes electricity billing data and load profiles. TRACE Electricity processes this data exclusively for the purposes stated in this Privacy Policy (energy analysis and contract performance). We are of the opinion that highly granular smart meter data may in individual cases allow conclusions to be drawn about living habits. We therefore process this data with particular care, without profiling for marketing purposes and without disclosure to third parties outside the recipients mentioned in this policy.

If you register via a third-party service (e.g. Google), we receive the profile data transmitted by that service (name, email address) as part of the OAuth process. Please note that Google processes data in accordance with its own privacy policy when you use Google Login (policies.google.com/privacy). We have no influence over this processing. You can revoke TRACE's application access to your Google account at any time at myaccount.google.com/permissions. When using Google Sign-In, the privacy policies of Google Ireland Ltd. also apply (policies.google.com/privacy). Data transfer to the USA is based on the EU-U.S. DPF. Should the EU-U.S. adequacy decision (C(2023) 4745) be suspended or revoked, the transfer shall alternatively be based on the EU Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914.

When using Google Sign-In, Google Ireland Limited processes your Google account data as an independent controller in accordance with its own privacy policy (https://policies.google.com/privacy). TRACE only receives the profile data transmitted to us after sign-in (name, email address, Google user ID).

4.2 Automatically collected data

During use of TRACE.App, technical data is automatically collected:

  • IP address (truncated or anonymised for analytics purposes)
  • Device and browser information (type, operating system, version)
  • Usage log (login timestamps, functions accessed)
  • Approximate geographic location (derivable from IP address)
  • Crash reports and technical error logs: AWS CloudWatch (Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg) — error logging and system monitoring. Processing location: EU. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in system security and error diagnosis). (Automatically deleted after a maximum of 90 days.)

5. Processing and Results

Data is processed in an automated manner on the basis of algorithms and technical procedures.

The analyses and results generated by TRACE.App may be incomplete or incorrect. The provider assumes no liability for the accuracy, correctness, completeness or suitability of the results for any particular purpose.

Responsibility for reviewing and using the results lies exclusively with the user.

6. Legal Bases

  • Contract initiation and performance (Art. 6(1)(b) GDPR): Processing of registration and account data as well as energy consumption data entered for the purpose of providing the app functions.
  • Legitimate interests (Art. 6(1)(f) GDPR): Processing of technical usage data to ensure operation, detect and defend against attacks (intrusion detection), diagnose errors and develop the app further. TRACE has carefully assessed that this processing does not constitute an unreasonable burden on the data subjects: the data collected is of a technical nature, is not used for profiling or advertising purposes and is deleted after 90 days. The interest in smooth and secure operation outweighs the interest of users in non-processing. The legitimate interest consists in app security, fraud prevention and usage analysis to improve the app.
  • Consent (Art. 6(1)(a) GDPR): Marketing communications by email (newsletters, product updates), if you have consented to this. You can revoke your consent at any time – either via the unsubscribe link in any marketing email or by email to privacy@trace-electricity.com. Revocation does not affect the lawfulness of processing carried out prior to revocation.
  • Statutory retention obligations (Art. 6(1)(c) GDPR): Retention of contractual and, where applicable, billing data pursuant to § 147 AO, § 257 HGB (6 and 10 years respectively).
  • Consent for analytics cookies (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG): Use of Google Analytics 4 after prior consent via the cookie banner on the TRACE website. Technically necessary cookies are set pursuant to § 25(2) No. 2 TDDDG without consent.

7. Obligation to Provide Data

The provision of your registration data (name, email address) is contractually required for the use of TRACE.App. Without this information, it is not possible to create a user account and thus use the app. The provision of further data (phone number, company information) is voluntary.

For the actual analysis function, the input of energy consumption data (consumption values, costs, location details) is required; without this information, no recommendations and savings analyses can be generated.

8. Disclosure of Data

We only disclose your personal data in the following cases:

  • At your request: If you actively initiate a request to an energy solution provider via the app, we disclose name, contact data and the energy consumption data released for the request. The legal basis is Art. 6(1)(a) GDPR (your active request). The respective energy solution provider is independently responsible for its subsequent processing. Since energy solution providers are independent controllers, their own privacy policy applies to their further processing. Possible recipient categories include: energy suppliers, energy consultants, providers of renewable energy solutions (e.g. photovoltaic, heat pumps, battery storage) and energy efficiency consulting companies. The providers contacted in each individual case will be communicated to you as part of the request confirmation. Upon request, we will inform you which providers received your data in connection with a request initiated by you; please contact us at privacy@trace-electricity.com.
  • To data processors: To service providers who support us in the operation and further development of the app (see Section 9).
  • Due to statutory obligations: Where we are legally or officially obligated to disclose.

We do not sell your data.

9. Third-Party Providers and Sub-Processors

TRACE uses the following service providers as sub-processors. Data Processing Agreements (DPAs) as required by Art. 28 GDPR have been concluded with all service providers.

For corporate accounts (B2B) where TRACE processes personal data of employees on behalf of the company, the Data Processing Agreement (DPA) – TRACE.App pursuant to Art. 28 GDPR is available.

  • Service provider: Amazon Web Services EMEA SARL
    Purpose: Primary infrastructure (backend, database, API hosting, server-side processing, data storage of user data, energy consumption data and analysis results)
    Server location: EU / Germany (eu-central-1, Frankfurt)
    Legal basis (third-country transfer): No third-country transfer (processing location EU); additionally: EU-U.S. Data Privacy Framework (AWS certified) and EU Standard Contractual Clauses 2021/914 pursuant to Art. 46(2)(c) GDPR
  • Service provider: Okta EMEA Limited (Auth0)
    Purpose: User authentication and session management (Auth0 service). Data processed: email address, encrypted password hash (bcrypt), login timestamps, IP address, device information (user agent), session token, refresh token. Legal basis: Art. 6(1)(b) GDPR (contract performance).
    Server location: EU / Ireland (eu.auth0.com, AWS eu-west-1)
    Legal basis (third-country transfer): No third-country transfer (EU tenant; data processing exclusively in eu-west-1, Ireland)
  • Service provider: Cloudflare Germany GmbH
    Purpose: CDN, DDoS protection, DNS
    Server location: EU
    Legal basis (third-country transfer): No third-country transfer (EU entity); additionally: EU-U.S. Data Privacy Framework (Cloudflare certified) and Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. Should the EU-U.S. adequacy decision (C(2023) 4745) be suspended or revoked, the transfer shall alternatively be based on the EU Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914.
  • Service provider: Google Ireland Limited (Google Analytics 4)
    Purpose: Analytics cookies (Google Analytics) – only with consent
    Server location: EU
    Legal basis (third-country transfer): No third-country transfer (processing location EU; additionally: EU-U.S. Data Privacy Framework and Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR). Should the EU-U.S. adequacy decision (C(2023) 4745) be suspended or revoked, the transfer shall alternatively be based on the EU Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914.
  • Service provider: Amazon Web Services EMEA SARL (AWS SES — Simple Email Service)
    Purpose: Transactional system and notification emails (registration, system notifications)
    Server location: EU
    Legal basis (third-country transfer): No third-country transfer (server location EU); additionally: EU-U.S. Data Privacy Framework (AWS certified) and Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. Should the EU-U.S. adequacy decision (C(2023) 4745) be suspended or revoked, the transfer shall alternatively be based on the EU Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914.
  • Service provider: Amazon Web Services EMEA SARL (AWS SNS — Simple Notification Service), 38 Avenue John F. Kennedy, L-1855 Luxembourg
    Purpose: Push notifications to app users; processing location: EU region eu-central-1 (Frankfurt) where available
    Legal basis (third-country transfer): No third-country transfer for EU region processing; additionally: EU-U.S. Data Privacy Framework (AWS certified) and Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR (Decision 2021/914)

TRACE.App data is stored exclusively on servers in Germany.

Amazon Web Services EMEA SARL is used as the primary cloud infrastructure provider (backend, database, data storage) pursuant to Art. 28 GDPR. Processing location: AWS eu-central-1 (Frankfurt, Germany). Auth0 (Okta EMEA Limited) is used for user authentication; processing location: EU tenant (eu.auth0.com, eu-west-1, Ireland). No third-country transfer. As a subsidiary guarantee in the event of a group interaction with the US-based Okta, Inc., Standard Contractual Clauses pursuant to SCC 2021/914 Module 4 (non-EU data processor → EU controller) have been agreed.

Note: Hotjar (behaviour analytics) is used exclusively on the public website trace-electricity.com, not on the app domain app.trace-electricity.com. Details on the use of Hotjar on the website can be found in the general Privacy Policy.

Microsoft Bookings (Appointment Scheduling)

For booking support and consultation appointments, we use Microsoft Bookings from Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. When booking, name, email address and the selected appointment are processed. The legal basis is Art. 6(1)(b) GDPR (initiation of a consulting contract). Microsoft Ireland Operations Limited is bound as a data processor pursuant to Art. 28 GDPR. Third-country transfer: Standard Contractual Clauses (SCC 2021/914). Further information: privacy.microsoft.com/en-us/privacystatement.

10. Retention Periods

Backup copies on AWS S3 (eu-central-1) are automatically deleted after a rolling 35-day cycle. The storage limitation corresponds to Art. 5(1)(e) GDPR.

  • Account data: For the duration of the user relationship. If you delete your account via the app itself, it is initially deactivated. Within 90 days of deactivation, you can reactivate your account by logging in again; after this period, your personal data will be irreversibly deleted, unless statutory retention obligations apply. Explicit erasure requests pursuant to Art. 17 GDPR (by email to privacy@trace-electricity.com) are carried out immediately without observing the 90-day transition period, unless statutory retention obligations apply.
  • Energy consumption data: For the duration of the user relationship, then final deletion after expiry of the 90-day transition period following account deletion (together with the account data).
  • Usage logs (technical data): 90 days, then automatic deletion.
  • Audit and access logs: Retention 12 months, legal basis Art. 6(1)(c) GDPR in conjunction with §§ 147 AO, 257 HGB.
  • Marketing consent: Until revocation; after revocation, no further marketing emails will be sent.
  • Data subject to statutory retention obligations: In accordance with the statutory periods (max. 10 years).

Overview of retention periods:

  • Contact requests: 3 years (§ 195 BGB)
  • Billing data: 10 years (§ 147 AO, § 257 HGB)
  • Analytics logs (anonymised): Event data is stored in Google Analytics 4 for 14 months (configured). Aggregated reports may be retained longer.
  • Account data after cancellation: 90 days (re-entry period), then deletion
  • Data subject to statutory retention obligations: pursuant to applicable law

11. LinkedIn Ireland Unlimited Company — Insight Tag (Joint Controllers pursuant to Art. 26 GDPR)

We use the LinkedIn Insight Tag from LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland on our website.

Purpose: Analysis of the effectiveness of our LinkedIn advertisements (conversion tracking); creation of anonymised statistics on website usage by LinkedIn members.

Joint controllership (Art. 26 GDPR): LinkedIn Ireland Unlimited Company and we are jointly responsible for the data collection triggered by the Insight Tag within the meaning of Art. 26 GDPR. LinkedIn acts as an independent controller — not as our data processor. Basis: LinkedIn's Joint Controller Agreement (legal.linkedin.com/pages-joint-controller-addendum).

Data processed: IP address (anonymised by LinkedIn within 7 days), URL data, referrer information, device data, timestamps.

Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner). Retention period: 90 days (pseudonymised conversion data). Opt-out: LinkedIn account settings → Privacy settings → Advertising settings.

Pursuant to Art. 26(2) sentence 2 GDPR, we designate TRACE Electricity GmbH (privacy@trace-electricity.com) as the primary point of contact for data subjects' rights in connection with LinkedIn-processed data. We will forward your request to LinkedIn if necessary.

12. Cookies and Tracking Technologies

TRACE.App uses technically necessary cookies to maintain your session (session cookies, set pursuant to § 25(2) No. 2 TDDDG without consent, as they are required exclusively for session management) as well as optional analytics cookies (Google Analytics), provided you have consented to their use on the TRACE website (trace-electricity.com). Consent applies across domains: consent given on trace-electricity.com is stored in a first-party cookie (trace-consent-v1, validity: 12 months, domain: .trace-electricity.com). This cookie is readable from both domains simultaneously, as it is set on the shared parent domain. When app.trace-electricity.com is first accessed, the consent manager reads this cookie. If no stored consent is found, the cookie banner also appears on the app domain. A detailed overview of the cookies used can be found in the cookie settings. You can revoke or adjust your consent at any time via the "Cookie settings" link in the website or app footer.

Legal classification under TDDDG:

  • § 25(1) TDDDG (consent required): Google Analytics 4 (GA4).
  • § 25(2) No. 2 TDDDG (technically necessary, no consent required): Session token, authentication cookie.

Note: TRACE.App and the TRACE website use the same Google Analytics 4 account with an identical consent concept. A detailed description of processing by Google Analytics can be found in the Privacy Policy of the TRACE website.

TRACE uses GA4 Consent Mode v2. When consent is refused, only consent-state pings without personal data are transmitted to Google. Data collection for analytics purposes only takes place with consent.

13. Your Rights

As a data subject, you have the following rights against TRACE:

  • Right of access (Art. 15 GDPR): You can request information about what data we have stored about you.
  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You can request the deletion of your data, insofar as no statutory retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR): You can request restriction of processing.
  • Right to notification (Art. 19 GDPR): We will notify every recipient to whom your personal data has been disclosed of any rectification, erasure or restriction of processing, unless this is impossible or involves disproportionate effort. Upon request, we will inform you about these recipients.
  • Data portability (Art. 20 GDPR): You have the right to receive your data in a machine-readable format.
  • Right to object (Art. 21 GDPR): You can object to processing based on legitimate interests at any time.
  • Withdrawal of consent (Art. 7(3) GDPR): You can withdraw consent given (e.g. for marketing emails) at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

Right to object to direct marketing (Art. 21(2) GDPR): You have the right to object at any time to the processing of your personal data for direct marketing purposes; this also applies to profiling insofar as it is related to direct marketing.

To exercise your rights, please contact: privacy@trace-electricity.com.

Pursuant to Art. 12(3) GDPR, your requests will be answered within one month. In cases of particular complexity, this period may be extended by up to two further months; we will notify you of the extension in such cases.

You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority for TRACE is the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), Ludwig-Erhard-Str. 22, 20459 Hamburg, Tel. 040 42854-4040, mailbox@datenschutz.hamburg.de (www.datenschutz.hamburg.de).

14. Right to Object (Art. 21 GDPR)

To the extent that we process your personal data on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR (legitimate interest: app security, fraud prevention, usage analysis to improve the app), you have the right to object to this processing at any time on grounds relating to your particular situation. In such a case, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

To exercise your right to object, an informal email to privacy@trace-electricity.com is sufficient.

In addition, you have a separate right to object to the processing of your personal data for direct marketing purposes (Art. 21(2) GDPR). This right applies without the need to state a particular situation.

15. Data Security

TRACE implements technical and organizational measures (TOM) pursuant to Art. 32 GDPR to protect your data against unauthorised access, loss or destruction. Communication between your browser or app and our servers takes place exclusively via encrypted HTTPS connections (TLS 1.2+). Data at rest is stored encrypted with AES-256. Access rights are granted according to the principle of least privilege. TRACE.App servers are located in Germany. The complete TOM documentation is available at: Technical and Organizational Measures TRACE.App (TOM).

16. Changes to this Privacy Notice

We reserve the right to update this Privacy Notice to reflect changes in data processing or legal requirements. The current version is always available at trace-electricity.com/en/privacy-app/. We will inform you of material changes by email.

17. Service Discontinuation

In the event of service discontinuation by TRACE (§ 6(3) of the Terms of Use – App): 90 days' advance notice with export option; followed by irreversible deletion of all personal data.

18. Automated Decision-Making

TRACE does not make automated individual decisions with legal or similarly significant effect (Art. 22(1) GDPR). Algorithmically generated recommendations and analyses serve as decision support tools; the final decision always lies with the user.

If you also use the TRACE website or TRACE.Parser, the Privacy Policy and the Privacy Notice – TRACE.Parser additionally apply.
