Privacy Policy

1. Who We Are

Solar IOT ("we", "our", "us") is a software-as-a-service platform that enables homeowners and solar-energy enthusiasts to automate smart-home devices based on real-time solar generation data.

The service is operated by the Solar IOT team. Our primary contact email is support@solariot.app.

By using the Solar IOT website at solariot.app (or any Heroku-hosted subdomain we operate) and the associated API, you agree to this Privacy Policy. If you do not agree, please do not use the service.

2. Data We Collect

We collect the following categories of personal and operational data:

• First name, last name, and email address (required for registration)
• Mobile/phone number (optional, used for SMS notifications)
• Encrypted password (hashed with bcrypt — we never store plain-text passwords)

• SunSynk: Your SunSynk username, encrypted password, and plant/inverter ID — stored to poll your solar data
• SmartThings: OAuth access/refresh tokens — stored after you authorise Solar IOT via SmartThings' official OAuth flow
• Tuya: Tuya Client ID, Client Secret, and Device ID — provided by you to control Tuya smart devices
• IFTTT: IFTTT Webhook key — provided by you to trigger IFTTT actions
• Sinric Pro: Sinric Pro App Key and Device ID — provided by you to control Sinric Pro devices
• Home Assistant: Home Assistant URL and Long-Lived Access Token — provided by you to control Home Assistant entities

• Automation rules you create (thresholds, device actions, schedules)
• Job execution logs (timestamps, triggered actions, watt readings)

• IP address and browser/device type (collected by our hosting provider, Heroku)
• Pages visited, time-on-page, and error logs
• Authentication tokens (JWT) stored in your browser's localStorage

• Subscription plan and status
• Payment is processed entirely by Stripe — we never store card numbers or bank details on our servers

3. How We Use Your Data

We use the data we collect only to provide and improve the Solar IOT service:

• To operate automations: We use your third-party credentials to poll your solar inverter, read device states, and trigger device actions on your behalf.
• To authenticate you: Your email and password hash are used to verify your identity when you sign in.
• To send notifications: If you enable notifications, we may use your phone number or email to send alerts about automation activity or service issues.
• To manage your subscription: We use Stripe to process payments and manage your trial/subscription status.
• To improve the service: Aggregated, anonymised usage data helps us understand how the platform is used and where to improve it.
• To comply with legal obligations: We may retain certain records to satisfy legal, tax, or regulatory requirements.

We do not use your data for advertising, profiling, or sale to third parties.

4. Third-Party Services & Integrations

Solar IOT integrates with several third-party platforms. When you connect an integration, data flows between Solar IOT and that platform according to their own privacy policies. We recommend reviewing their policies:

• SunSynk — sunsynk.org — provides live solar generation data
• SmartThings (Samsung) — Samsung Privacy — device control via OAuth
• Tuya — tuya.com/privacy — device control
• IFTTT — ifttt.com/privacy — webhook triggers
• Sinric Pro — sinric.pro — device control
• Home Assistant — self-hosted by you; connection details stay on our server
• Stripe — stripe.com/privacy — payment processing
• Heroku (Salesforce) — Salesforce Privacy — cloud hosting

We access your third-party accounts only to the extent necessary to perform the automations you have configured. We do not read, store, or transmit any data from those accounts beyond what is required for that purpose.

5. Data Storage & Security

Your data is stored in a Neon PostgreSQL database with encrypted connections (TLS). The database is hosted in a secure, access-controlled cloud environment.

Security measures we apply include:

• All passwords hashed with bcrypt (industry-standard salted hashing)
• Third-party API credentials stored encrypted in the database
• All data-in-transit protected with HTTPS/TLS
• Authentication via short-lived JWT tokens
• CAPTCHA challenge on registration to prevent automated abuse

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we apply reasonable industry-standard measures. If you become aware of any security issue, please contact us immediately at support@solariot.app.

6. Cookies & Local Storage

Solar IOT does not use tracking cookies or advertising cookies.

We use browser localStorage to store your authentication token (JWT) so you stay logged in between sessions. This token is only readable by the Solar IOT domain.

Our hosting provider (Heroku) may set technical cookies required for session and load-balancing purposes. These are operational and not used for tracking.

7. Data Retention

• Account data is retained for as long as your account is active, plus a maximum of 30 days after deletion.
• Job execution logs are retained for up to 90 days to support troubleshooting.
• Billing records may be retained for up to 7 years where required by law.
• Anonymous usage analytics may be retained indefinitely but cannot be linked back to you.

You can request deletion of your account and all associated personal data at any time by contacting us (see Section 13).

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your account and personal data ("right to be forgotten").
• Portability: Request your data in a machine-readable format.
• Objection: Object to the processing of your data in certain circumstances.
• Restriction: Request that we restrict processing of your data in certain circumstances.

To exercise any of these rights, email us at support@solariot.app with the subject line "Privacy Request". We will respond within 30 days.

If you are located in the European Economic Area (EEA), you also have the right to lodge a complaint with your local data protection authority.

9. Children's Privacy

Solar IOT is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will promptly delete that information.

10. International Data Transfers

Solar IOT is operated globally. Your data may be stored and processed in countries outside your own (including the United States, where Heroku and Neon are based). By using Solar IOT, you consent to the transfer of your data to these locations.

Where required, we rely on standard contractual clauses or equivalent mechanisms to ensure your data receives adequate protection when transferred across borders.

11. Billing & Payment Data

Subscription payments are processed by Stripe, Inc. We never receive your full card number, CVV, or bank account details. Stripe returns a customer ID and subscription status, which we store to determine your account tier.

Stripe is PCI-DSS Level 1 certified. For details on how Stripe handles payment data, see stripe.com/privacy.

Your subscription status (free trial, pro, cancelled) is stored in our database and used to determine feature access.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Send a notification to your registered email address if the changes are significant

Continued use of the service after changes are posted constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your data, please contact us:

• Email: support@solariot.app
• Website: solariot.app

We aim to respond to all privacy-related enquiries within 30 days.