Privacy Policy
This policy explains what personal data Elewatt collects, why we collect it, and your rights under the GDPR.
Last updated: 8 May 2026
Data controller
Elewatt is operated by Lindau OÜ, an Estonian VAT-registered company owned by the maintainer (Reedik Lindau). Lindau OÜ is the data controller for personal data processed through the service. For privacy questions, write to reedik@elewatt.eu.
What data we collect
Account data: email address, hashed password, preferred language, country, currency, and VAT preference. Contract data (optional): electricity contract details you enter to get accurate cost calculations — supplier, fixed/spot type, fees, contract dates. Integration credentials: OAuth tokens or API credentials for the third-party services you choose to connect (Shelly Cloud, Daikin Onecta, Sonoff, Nibe Uplink, Home Assistant). These are stored encrypted and used only to control your own devices. Device and schedule data: the schedules Elewatt computes for your devices and the on/off events that result. Feedback and sponsor enquiries: anything you voluntarily submit through the feedback or sponsor inquiry forms (name, email, message). Server logs: standard request logs (IP address, user agent, timestamps) kept for security and debugging.
Why we use your data
We use your data only to provide and improve the service: to authenticate you, compute electricity cost estimates, schedule your connected devices around cheap-price windows, send transactional emails (password reset, email verification, feedback updates), and keep the service secure and debuggable. We do not sell or share your personal data for advertising.
Lawful basis (GDPR Article 6)
Most processing happens under the contract you enter into when you create an account (Art. 6(1)(b)) — without it we cannot provide the service. We rely on legitimate interests (Art. 6(1)(f)) for fraud prevention, security monitoring, and basic server logs. Where we ask for explicit consent (e.g., optional analytics or marketing communications), we rely on Art. 6(1)(a); you can withdraw consent at any time without affecting prior processing.
Cookies and analytics
We use only necessary cookies for core functionality: authentication session, language preference (NEXT_LOCALE), and your cookie-consent choice. For usage analytics we use Vercel Analytics, which is cookieless and privacy-friendly — it stores no personal identifiers and collects only anonymised, aggregated data such as pages visited and country. We do not use marketing or advertising cookies. You can manage your preferences any time via the "Cookie settings" link in the footer.
Sub-processors and third parties
We rely on a small set of vetted providers that act as data processors on our behalf: • Vercel Inc. — application hosting and edge network. • Neon — managed PostgreSQL database (EU region). • Resend — transactional email delivery. • Vercel Analytics — cookieless usage analytics. When you connect a third-party integration, Elewatt communicates with the provider you chose (e.g., Shelly Cloud, Daikin Onecta, Sonoff, Nibe Uplink, Home Assistant) using the credentials you supplied. Those providers are independent controllers of the data they hold, and their own privacy policies apply. We also fetch electricity spot prices from public APIs (ENTSO-E, Elering). No personal data is sent to those APIs.
How long we keep your data
We keep your personal data while your account is active. When you delete your account, we delete the associated data without undue delay; encrypted backups are rotated out within 30 days. Server logs are kept for up to 90 days. Sponsor invoices and related correspondence are kept for 7 years to comply with Estonian accounting law.
Your rights
Under the GDPR you have the right to access your data, rectify inaccurate data, delete your data, restrict or object to processing, and receive your data in a portable format. To exercise any of these rights, write to reedik@elewatt.eu — most actions (including full account deletion) can also be performed from your account settings. If you believe we are mishandling your data, you can lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) or with the supervisory authority in your EU country of residence.
International data transfers
Your data is processed primarily within the European Economic Area. Where a sub-processor (such as Vercel Inc.) operates outside the EEA, we rely on the European Commission's Standard Contractual Clauses and the provider's supplementary safeguards to ensure your data receives an equivalent level of protection.
Children
Elewatt is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, please contact us so we can remove the data.
Changes to this policy
We may update this policy as the service evolves. The "Last updated" date at the top reflects the most recent change. For material changes that affect your rights, we will notify you by email or through an in-app notice before the change takes effect.
Contact
For any privacy-related question or request, write to reedik@elewatt.eu. We aim to respond within 30 days, in line with GDPR Article 12(3).