Privacy Policy
1. Who We Are
Lumeron is operated by Nextgen Controls Limited, a company registered in England and Wales. We are the data controller for the personal data described in this policy.
For any privacy-related questions or requests, contact us at: [email protected]
2. What Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Email address, name, Firebase authentication ID | Create and manage your account, authenticate you |
| Inverter credentials | API tokens for your inverter cloud service (SunSynk, GivEnergy, SolaX, Solis, Sungrow, Fox ESS) | Read your inverter data and apply optimised charging schedules on your behalf |
| Energy data | Battery state of charge, solar generation, grid import/export, power flows, energy history | Calculate optimal charging, display dashboard, track savings |
| Supplier data | Octopus Energy API key, account number, tariff codes, consumption history | Fetch electricity prices and consumption for optimisation |
| Location | UK postcode sector (e.g. SW1A 1) | Solar irradiance forecasting and regional tariff pricing |
| Subscription | Payment provider, transaction IDs, subscription status | Manage your Auto-pilot subscription |
| Device | Inverter serial numbers, model, battery capacity, solar panel capacity | Tailor optimisation to your specific hardware |
We do not collect: your inverter cloud password (discarded after initial authentication), your full home address, payment card details (handled by Stripe), or any data from other devices on your network.
3. Lawful Basis for Processing
Under UK GDPR, we process your data on the following bases:
- Contract: Processing your account data, inverter data, and energy data is necessary to provide the Lumeron service you signed up for.
- Legitimate interest: Service improvement, security monitoring, and fraud prevention.
- Consent: Where we send optional communications (you can withdraw consent at any time).
4. How We Use Your Data
- Authenticate you and manage your account.
- Read your inverter status and energy data to calculate optimal battery charging schedules.
- Apply charging schedules to your inverter automatically (Auto-pilot subscribers).
- Fetch electricity prices from your energy supplier to find the cheapest charging windows.
- Generate solar forecasts using your location and weather data.
- Calculate and display your energy savings and CO2 impact.
- Process and verify subscription payments.
- Provide customer support and troubleshoot issues.
5. Third-Party Services
We share data with the following third-party services, solely to operate Lumeron:
| Service | Data shared | Purpose | Location |
|---|---|---|---|
| Google Firebase | Email, auth tokens | User authentication | EU/US (Google Cloud) |
| Inverter cloud APIs (SunSynk, GivEnergy, SolaX, etc.) | API tokens, device commands | Read inverter data, apply charging schedules | Varies by provider |
| Octopus Energy API | API key, account number | Fetch electricity prices and consumption | UK |
| Open-Meteo | Approximate location (postcode sector) | Weather data for solar forecasting | EU |
| Render (hosting) | All service data | Application hosting and database | EU (Frankfurt) |
| Stripe | Customer ID, invoice records | Usage-based billing | US / EU |
We do not sell, rent, or trade your personal data to any third party.
6. International Data Transfers
Some of our third-party services process data outside the UK. Where this occurs, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other appropriate safeguards as required by UK GDPR.
7. Data Security
- Inverter API tokens and supplier API keys are encrypted at rest using AES-256 (Fernet).
- Your inverter cloud password is never stored — it is used once during setup and then discarded.
- All data in transit is protected by TLS/HTTPS.
- Database access is restricted and credentials are managed through secure environment variables.
- The admin panel is protected by authentication and is not publicly accessible.
8. Data Retention
- Active accounts: Data is retained while your account is active.
- Deleted accounts: When you delete your account, your personal data is marked for deletion and your access is revoked immediately. Your data is permanently deleted after 30 days. During this retention period you can contact us at [email protected] to recover your account. We also retain a hashed (non-reversible) version of your email address to prevent trial abuse.
- Anonymised data: Anonymised energy usage data (which cannot be linked back to you) may be retained after account deletion for service improvement purposes.
- Energy history: Retained while your account is active for savings calculations and optimisation improvement.
9. Your Rights (UK GDPR)
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data (you can also delete your account directly in the app).
- Portability: Request your data in a machine-readable format.
- Restriction: Request that we limit processing of your data.
- Objection: Object to processing based on legitimate interest.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection.
10. Children
Lumeron is not intended for children under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Nextgen Controls Limited
Email: [email protected]