Privacy Policy (EU)

We Respect Your Privacy

This privacy statement was last updated on July 14, 2025 and applies to citizens and legal permanent residents of the European Economic Area and Switzerland.

In this privacy statement, we explain what we do with the data we obtain about you via https://hexergy.app/. We recommend you carefully read this statement. In our processing we comply with the requirements of privacy legislation. That means, among other things, that:

  • we clearly state the purposes for which we process personal data. We do this by means of this privacy statement;
  • we aim to limit our collection of personal data to only the personal data required for legitimate purposes;
  • we first request your explicit consent to process your personal data in cases requiring your consent;
  • we take appropriate security measures to protect your personal data and also require this from parties that process personal data on our behalf;
  • we respect your right to access your personal data or have it corrected or deleted, at your request.

If you have any questions, or want to know exactly what data we keep of you, please contact us.

1. Purpose, data and retention period

We may collect or receive personal information for a number of purposes connected with our business operations which may include the following:

1.1 Contact - Through phone, mail, email and/or webforms

For this purpose we use the following data:

  • A first and last name
  • Account name or alias
  • A home or other physical address, including street name and name of a city or town
  • An email address
  • A telephone number
  • Geolocation data
  • Photos
  • Social media accounts
  • Professional or employment-related information

 

The basis on which we may process these data is:

 

Upon the provision of consent.

 

Retention period

 

We retain this data until the service is terminated.

1.2 Registering an account

For this purpose we use the following data:

  • A first and last name
  • Account name or alias
  • A home or other physical address, including street name and name of a city or town
  • An email address
  • A telephone number
  • Social media accounts

 

The basis on which we may process these data is:

 

Upon the provision of consent.

 

Retention period

 

We retain this data until the service is terminated.

1.3 Newsletters

For this purpose we use the following data:

  • A first and last name
  • Account name or alias
  • A home or other physical address, including street name and name of a city or town
  • An email address
  • A telephone number

 

The basis on which we may process these data is:

 

Upon the provision of consent.

 

Retention period

 

We retain this data until the service is terminated.

1.4 To support services or products that a customer wants to buy or has purchased

For this purpose we use the following data:

  • A first and last name
  • Account name or alias
  • A home or other physical address, including street name and name of a city or town
  • An email address
  • A telephone number
  • Geolocation data
  • Photos
  • Social media accounts

 

The basis on which we may process these data is:

Upon the provision of consent.

 

Retention period

 

We retain this data until the service is terminated.

1.5 Compiling and analyzing statistics for website improvement.

For this purpose we use the following data:

  • A first and last name
  • Account name or alias
  • A home or other physical address, including street name and name of a city or town
  • An email address
  • A telephone number
  • Geolocation data
  • Photos
  • Social media accounts

 

The basis on which we may process these data is:

Upon the provision of consent.

 

Retention period

 

We retain this data until the service is terminated.

1.6 To be able to offer personalized products and services

For this purpose we use the following data:

  • A first and last name
  • Account name or alias
  • A home or other physical address, including street name and name of a city or town
  • An email address
  • A telephone number
  • Geolocation data
  • Photos
  • Social media accounts

 

The basis on which we may process these data is:

 

Upon the provision of consent.

 

Retention period

 

We retain this data until the service is terminated.

1.7 To share data with a third party

For this purpose we use the following data:

  • A first and last name
  • Account name or alias
  • A home or other physical address, including street name and name of a city or town
  • An email address
  • A telephone number

 

The basis on which we may process these data is:

Upon the provision of consent.

 

Retention period

 

We retain this data until the service is terminated.

1.8 For energy analysis

We use the following data for this purpose:

  • Consumption and production data collected through IoT devices
  • Device ID, timestamp, aggregated and point-in-time values

The basis on which we may process these data is:

Upon the provision of consent.

 

Retention period

 

We retain this data until the service is terminated.

1.9 For automated documentation

We use the following data for this purpose:

  • Contracts, quotes, authorizations, cadastral identifiers, invoices, and other documents uploaded to the platform

 

The basis on which we may process these data is:

Upon the provision of consent.

 

Retention period

 

We retain this data until the service is terminated.

2. Purpose of Data Processing

Data is processed for the following purposes:

  • Service provision: user registration, energy community management, display of production/consumption data
  • Management of authorizations: permission to process energy data through explicit consent
  • Functional communications: sending OTPs, notifications, emails related to the community or document status
  • Regulatory compliance: fulfillment of legal or regulatory obligations
  • Service analysis and improvement: aggregated and pseudonymized data analysis for statistical and development purposes

3. Cookies

Our web platform uses cookies.

4. Legal Basis of Processing

  • Contract execution (Art. 6.1.b GDPR)

  • Explicit consent (Art. 6.1.a GDPR), e.g. for authorizations

  • Legal obligations (Art. 6.1.c GDPR)

  • Legitimate interest of the data controller (Art. 6.1.f GDPR), e.g. for IT security or service improvement

5. Disclosure practices

We disclose personal information if we are required by law or by a court order, in response to a law enforcement agency, to the extent permitted under other provisions of law, to provide information, or for an investigation on a matter related to public safety.

If our website or organisation is taken over, sold, or involved in a merger or acquisition, your details may be disclosed to our advisers and any prospective purchasers and will be passed on to the new owners.

We have concluded a Data Processing Agreement with Google.

6. Processing Methods and Security

Data is processed electronically using secure systems that follow privacy by design and by default principles. Measures comply with:

  • GDPR EU Regulation 2016/679
  • NIS2 Directive and digital service security measures
  • ISO/IEC 27001:2022 standards for information security

Measures include:

  • Data encryption at rest and in transit
  • Database segmentation (dev/staging/prod)
  • Role-based access control (RBAC)
  • Logging, auditing, and traceability
  • Backup and disaster recovery systems

7. Data Access and Authorized Parties

Personal data is accessible only to:

    • The data owner (user)
    • Community administrators (based on roles)
    • Authorized HexErgy staff (e.g., IT technicians, project managers)
    • Data processors (e.g., cloud providers, OTP/email services)

All parties are bound by confidentiality agreements.

8. Security

We are committed to the security of personal data. We take appropriate security measures to limit abuse of and unauthorized access to personal data. This ensures that only the necessary persons have access to your data, that access to the data is protected, and that our security measures are regularly reviewed.

9. Data Retention

Data is retained for as long as necessary to fulfill the stated purposes, unless longer retention is required by law (e.g., for tax reasons).

Stored in:

    • Encrypted relational databases (e.g., PostgreSQL on AWS RDS)
    • Encrypted document storage (e.g., Amazon S3 with temporary controlled access)

10. Third-party websites

This privacy statement does not apply to third-party websites connected by links on our website. We cannot guarantee that these third parties handle your personal data in a reliable or secure manner. We recommend you read the privacy statements of these websites prior to making use of these websites.

11. Amendments to this privacy statement

We reserve the right to make amendments to this privacy statement. It is recommended that you consult this privacy statement regularly in order to be aware of any changes. In addition, we will actively inform you wherever possible.

 

12. Data Transfers Outside the EU

Data may be processed by providers outside the EEA (e.g., AWS, email services). In such cases, we ensure:

    • Valid Standard Contractual Clauses (SCC)

    • Compliance with EU-U.S. Data Privacy Framework or equivalent

13. Analytics, Statistics, and Anonymization

Data may be used for statistical and system analysis, only in aggregated or pseudonymized form to prevent user identification.

14. Changes to the Privacy Policy

HexErgy reserves the right to change this policy at any time. Users will be informed of significant changes via email or platform notice.

15. DPO and Reports

HexErgy has nominated Avv. Ludovica Terenzi (VAT no. 15186081004) as Data Protection Officer (DPO). Contact email: info+privacy@hexergy.it

16. Data Subject Rights

If you have any questions or want to know which personal data we have about you, please contact us. You can contact us by using the information below. You have the following rights:

  • You have the right to know why your personal data is needed, what will happen to it, and how long it will be retained for.
  • Right of access: You have the right to access your personal data that is known to us.
  • Right to rectification: you have the right to supplement, correct, have deleted or blocked your personal data whenever you wish.
  • If you give us your consent to process your data, you have the right to revoke that consent and to have your personal data deleted.
  • Right to transfer your data: you have the right to request all your personal data from the controller and transfer it in its entirety to another controller.
  • Right to object: you may object to the processing of your data. We comply with this, unless there are justified grounds for processing.

Please make sure to always clearly state who you are, so that we can be certain that we do not modify or delete any data of the wrong person.

17. Filing a Complaint

If you are not satisfied with the way in which we handle (a complaint about) the processing of your personal data, you have the right to submit a complaint to the Data Protection Authority (www.garanteprivacy.it).

18. Contact Details

Data Controller:
HexErgy S.R.L.
Via Francia 6A, Guglionesi, Campobasso, Molise, 86034, Italy
VAT: IT01895870705
Email: info+privacy@hexergy.it
Website: https://hexergy.it/it

 

19. Data Requests

For the most frequently submitted requests, we also offer you the possibility to use our data request form