Privacy Policy
Last updated: May 23, 2026
1. Data controller
Enertecma S.L. (“Enertecma”, “we”, “us”), operating the EnergyData Iberia service, is the data controller responsible for processing your personal data.
- Legal name: Enertecma S.L.
- Tax ID (CIF): B-80786072
- Registered office: Calle Abetos 7, Urb. Los Berrocales, Alpedrete, Madrid 28430
- Contact: dpo@energydataiberia.com
2. Data we collect
We collect the minimum data necessary to provide the service. The data we touch differs depending on whether you use the website or the Excel add-in.
2.1 Through the website (energydataiberia.com)
- Email address — Account creation and authentication. Stored in Supabase Auth.
- Payment information — Subscription billing (processed by Stripe; we do not store card details). Stripe is the controller of payment data.
- API usage counters — Rate limiting and plan enforcement (request counts keyed by API key, not by personal identifiers).
- Cookies and analytics data — Site improvement (only with your consent). See §5.
2.2 Through the Excel add-in
The add-in is a thin client. It sends your API key (license credential) and the timestamps and parameters of your =ED.* formula calls to our API to fetch the requested market data.
It does NOT:
- Collect, transmit, or store any of your spreadsheets, models, formulas, or simulation results — those stay on your machine.
- Run telemetry, usage tracking, behavioural analytics, or feature pings.
- Read or upload any file on your computer outside of the API request payload.
The only outbound network call from the add-in is the data fetch to energydataiberia.com/api/*. This is a deliberate competitive differentiator versus other Excel add-ins that monitor usage.
3. Third-party processors
We rely on the following processors to deliver the service:
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Authentication and database | EU / US (project-dependent) | DPF + SCCs |
| Postgres + TimescaleDB (Hetzner) | Database hosting | Helsinki, Finland (EU) | EU-EU, no foreign transfer |
| Stripe | Payment processing | Ireland (Stripe Payments Europe Ltd) + US | DPF + SCCs |
| Vercel | Website hosting (edge CDN) | Global edge / US HQ | DPF + SCCs |
| Cloudflare R2 | Encrypted database backups | US / global | DPF + SCCs |
| Upstash | Rate-limiting Redis | EU / US (configurable) | DPF + SCCs |
| Google Analytics | Anonymous site analytics (consent required) | EU / US | DPF + SCCs |
4. International transfers
Some of our processors operate outside the European Economic Area. Transfers are safeguarded by:
- The EU-US Data Privacy Framework (DPF) — verifiable for each US-based processor at www.dataprivacyframework.gov.
- Standard Contractual Clauses (SCCs) approved by the European Commission, where DPF does not apply or as a secondary safeguard, included in each processor’s Data Processing Agreement (DPA). Copies of the DPAs can be requested at dpo@energydataiberia.com.
For processors located within the EU (Hetzner — Finland), no international transfer takes place and only the standard processor agreement under GDPR Art 28 applies.
5. Cookies
We use the minimum cookies necessary for the site to function plus, with your consent, anonymous analytics cookies. No marketing cookies, no third-party trackers beyond Google Analytics.
| Cookie | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| ed_consent | EnergyData (first-party) | Stores your cookie banner preferences | Essential | 1 year |
| sb-*-auth-token | Supabase (first-party) | User session (login) | Essential | Session (~1h refreshable) |
| sb-*-auth-token-code-verifier | Supabase (first-party) | PKCE flow for OAuth/email login | Essential | Transient |
| _ga | Google Analytics | Distinguishes unique visitors | Analytics (consent) | 2 years |
| _ga_B8FR536VEQ | Google Analytics | Maintains session state | Analytics (consent) | 2 years |
Changing your preferences: delete the ed_consent cookie from your browser and reload to re-trigger the banner. You can also block all cookies in your browser settings, though this may break login.
6. Data retention
We retain data only as long as needed for the purpose:
| Data category | Retention period | Basis |
|---|---|---|
| Account data (email, license) | While account is active. Inactive accounts (no login for 12 consecutive months) are deleted after a 30-day notice email. | Contract performance |
| Billing records (invoices, payment metadata) | 6 years | Spanish fiscal obligation (Art 30 C.Comercio) |
| API usage counters | 90 days rolling | Operational (rate limiting) |
| Google Analytics events | 14 months (GA default) | Consent |
| Contact form / support emails | 12 months | Legitimate interest |
| Database backups (Cloudflare R2) | 35 days rolling (point-in-time recovery window) | Operational (disaster recovery) |
7. Security
We apply industry-standard measures to protect your personal data:
- Transport encryption: all traffic to the website, API, and Excel add-in uses TLS 1.2+ (Let’s Encrypt certificates, auto-renewed).
- Authentication: passwords are hashed by Supabase Auth using industry-standard algorithms (bcrypt-like). We never see, store, or log your password in plaintext.
- Database access controls: Postgres Row-Level Security (RLS) is enabled on user-scoped tables; only authenticated users can read their own rows.
- Service-role keys: administrative database access keys are stored outside the application code (environment variables on the production server) and rotated on any security incident.
- Backups: encrypted in transit and at rest on Cloudflare R2. Backup access is restricted to the database owner role.
If we ever experience a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours and you without undue delay, in accordance with GDPR Art 33 and 34.
8. Your rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data (“right to be forgotten”)
- Port your data to another provider in a machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent for analytics cookies at any time
To exercise any of these rights, email us at dpo@energydataiberia.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Spanish Data Protection Agency:
- Agencia Española de Protección de Datos (AEPD)
- Address: C/ Jorge Juan 6, 28001 Madrid, Spain
- Telephone: 901 100 099 / 91 266 35 17
- Website: www.aepd.es
9. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or a notice on the website. The “Last updated” date at the top reflects the most recent revision.
10. Contact
For any privacy-related questions, contact us at dpo@energydataiberia.com.