Privacy Policy

1. Who we are

The data controller for personal data processed via Techs.Solar is:

For all data protection matters, contact us through our contact form. We do not publish a dedicated email address for data protection requests to limit harvesting, but the contact form is monitored daily and supervisory authorities (including the Hellenic Data Protection Authority) are welcome to use it for official correspondence.

2. Data Protection Officer

We have not appointed a Data Protection Officer because we do not meet the mandatory appointment criteria under GDPR Article 37 (our core activities do not consist of large-scale systematic monitoring of individuals or large-scale processing of special categories of data).

For any data protection matter, use our contact form. The platform founder personally reviews data protection enquiries.

3. Where your data lives — hosting and sub-processors

Personal data is stored on servers hosted in Germany by Hetzner Online GmbH under a GDPR-compliant Data Processing Agreement. Hetzner does not access the data; they provide the underlying infrastructure.

We use the following third-party sub-processors to deliver the service. Each is engaged under a Data Processing Agreement (or equivalent contractual safeguards) and processes data only for the specific purposes described below.

Email delivery is handled by our own SMTP server hosted on Hetzner (Germany). We do not use third-party email service providers (no Postmark, Mailgun, SES, or Resend).

FingerprintJS (used for anti-scraping per §7.6) runs as an open-source library bundled with our application. It does not contact FingerprintJS servers or any external CDN — telemetry features are explicitly disabled in our configuration.

We do not sell personal data to third parties under any circumstances.

4. Your rights under GDPR

If you are in the EU/EEA, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate or incomplete data
• Erasure — request deletion of your data (subject to legal retention obligations described in the relevant sections below)
• Restriction — ask us to limit processing while a request is reviewed
• Portability — receive your data in a structured, commonly used, machine-readable format
• Objection — object to processing based on our legitimate interests
• Withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing
• Complaint to a supervisory authority — you may lodge a complaint with the data protection authority in your country of residence. For Greek residents, this is the Hellenic Data Protection Authority (HDPA — Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), www.dpa.gr. Residents of other EU countries should contact their national supervisory authority.

To exercise any of these rights, use our contact form. We respond within 30 days of receiving your request (extendable by a further 60 days for complex requests, with notice to you).

5. Homeowner data

5.1 What we collect

When you request a quote from an installer or otherwise interact with the public homeowner-facing service, we collect:

• Contact details you provide — name, email address, phone number (when you choose to share it)
• Property details you enter — postcode, property type, system size estimate, and any other information you include in a quote-request form
• Search activity — the postcode(s) you search and the timestamp of each search (used for service operation and aggregate platform statistics; not individually profiled)
• Technical data — IP address (truncated for analytics; full IP retained only briefly for fraud detection and rate limiting), browser type, language preference
• CAPTCHA score — when you interact with a phone-reveal control on an installer profile, hCaptcha returns a bot-likelihood score; we store this for fraud detection

We do not require homeowners to create an account. We do not collect special categories of data (such as health, political views, religion) about homeowners.

5.2 How we use it and legal basis

5.3 Who we share homeowner data with

• The installer you select when you submit a quote request — the installer becomes an independent data controller for your data from that point and is responsible for their own compliance with GDPR. They are contractually required to use your data only for responding to your enquiry.
• Stripe, hCaptcha, Microsoft Clarity, Google, and other sub-processors listed in §3 — only to the extent necessary for the technical functioning of the service
• No marketing partners, no data brokers, no advertising networks — we do not share homeowner data for marketing or advertising purposes

5.4 How long we keep it

• Quote request data — 2 years from submission, then deleted
• Search activity — aggregate counts retained indefinitely; per-search detail retained 90 days for fraud detection, then anonymised or deleted
• Solar Potential calculator inputs — addresses are not stored on our servers (sent to Google Solar API only for the duration of the calculation)
• Homeowner waitlist signups — retained until you ask us to delete them or until you receive the notification you signed up for (whichever is later)
• CAPTCHA scores and IP-based fraud signals — 90 days

6. Installer data

6.1 Account and profile

When you create an installer account, we collect:

• Business identification — business name (legal and trading), VAT number, registered address, business legal form, contact phone and email
• Profile content — bio, business photos, certifications, service types, languages spoken, areas served
• Verification data — at signup we automatically query the relevant national business registry to confirm your VAT number, business name, legal form, and registered address. For Greek installers this is the General Commercial Registry (ΓΕΜΗ). The verification query is a one-time automated lookup against a public government registry; no personal data is shared with the registry — we only receive their confirmation of public records.
• Activity logs — security-relevant events on your account (login times, password changes, payment-method changes, admin actions taken on your behalf)

Legal basis: Article 6(1)(b) — performance of the installer subscription contract. Activity logs are processed under Article 6(1)(f) — legitimate interest in account security.

6.2 Payment and subscription data

• Stripe Customer ID and Stripe Subscription ID are stored on our servers
• Payment method details (card number, expiry, CVC) are processed and stored by Stripe — not by us. We never see or store full payment card numbers.
• Invoices and payment history generated by Stripe are linked to your account and accessible via your dashboard and the Stripe Customer Portal

Legal basis: Article 6(1)(b) — performance of contract.

6.3 Territory subscriptions

When you purchase territory rights (Verified Local, Claim, Exclusive, or Founding Member tier — see Territory Terms for full mechanics), we process:

• The municipality (Local Administrative Unit, LAU) for which you hold the subscription
• The tier you have purchased and the associated monthly or annual subscription amount
• Your Founding Member grant record (if applicable) — which records your permanent "LAU for life" entitlement and persists across subscription lifecycle events (active / dormant / revoked)
• Search-result placement events — your above-fold appearances are counted per month and shown on your dashboard

Legal basis: Article 6(1)(b) — performance of contract.

Retention: territory subscription records are retained for 7 years from the end of the subscription period to meet financial record-keeping obligations under applicable tax law (for Greek-incorporated Shibui Ltd, Law 4174/2013).

6.4 GPO (Group Purchase Order) participation

If you participate in a Group Purchase Order organised on the Techs.Solar platform, we process additional data specifically related to the GPO order:

• Signatory details — full legal name and role/title of the person signing the Member Agreement on behalf of your business
• Electronic signature audit trail — the multi-factor signature events (per eIDAS Article 26 Advanced Electronic Signature), including email and SMS verification timestamps, IP address at signing, and a tamper-evident PDF record of the signed agreement
• Commitment quantities — the quantities of equipment you commit to via the GPO
• Payment tranches — payments made under the GPO order
• Default cascade and dispute records — if applicable, records of any default events and the resolution path taken

Legal basis: Article 6(1)(b) — performance of the Member Agreement you accepted.

Retention: GPO participation records, including the signed Member Agreement and all signature audit trail data, are retained for 7 years from the close of the GPO order.

6.5 Google Drive integration (optional)

You may optionally connect your Google account to enable a one-way data mirror from Techs.Solar to a folder in your own Google Drive. The OAuth scope we request is the minimum required:

• drive.file — we create and manage only the specific files we create in your Drive. We cannot access, read, or modify any other files in your Drive.
• spreadsheets and documents — cell-level write access to the Sheets and Docs we created, for writing your leads, quotes, and proposals

Data flows one-way from Techs.Solar to your Drive. We never read back files you have edited. You can disconnect the integration at any time from your account settings.

Joint controllership (GDPR Article 26): when you enable Drive integration, you become a joint data controller for the personal data we mirror to your Drive — including the contact details of any homeowner leads forwarded to you. You are independently responsible for GDPR compliance for that copy of the data.

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

6.6 How long we keep installer data

7. Cookies, tracking, and analytics

7.1 Cookie consent banner

When you first visit Techs.Solar, you are shown a cookie consent banner. The banner offers granular consent (you can accept or decline analytics cookies independently of strictly-necessary cookies). Your consent choice is stored locally in your browser and respected on subsequent visits. You can change your choice at any time via the cookie preferences link in the site footer.

7.2 Strictly necessary cookies (no consent required)

7.3 Functional cookies (no consent required)

7.4 Analytics cookies (consent required — Microsoft Clarity)

If you consent to analytics, Microsoft Clarity loads. Clarity provides heatmaps showing which areas of pages are clicked or hovered, scroll depth measurement, and session recordings — anonymised video replays of visitor sessions used to understand UX issues.

Clarity is operated by Microsoft Corporation in the United States under the EU-US Data Privacy Framework. Their cookie list is at learn.microsoft.com/en-us/clarity/setup-and-installation/cookie-list.

You can:

• Decline analytics in our cookie banner (Clarity will not load)
• Withdraw consent later via the cookie preferences link in the footer
• Set your browser's "Do Not Track" header (Clarity respects DNT in some configurations)
• Use a browser privacy extension to block analytics

Legal basis: Article 6(1)(a) — your explicit consent.

7.5 Bot detection — hCaptcha

When you interact with the phone-number reveal control on an installer profile, hCaptcha loads to verify you are not a bot. hCaptcha is operated by Intuition Machines, Inc. in the United States under the EU-US Data Privacy Framework. It receives technical signals (IP address, browser fingerprint, mouse patterns) to compute a bot-likelihood score which we use to decide whether to reveal the contact details.

hCaptcha is loaded lazily — it does not run unless you interact with the reveal control.

Legal basis: Article 6(1)(f) — legitimate interest in preventing harvesting of installer contact details and protecting installers from spam.

7.6 Anti-scraping fingerprint (search results only)

When you search for installers, we use a server-side fingerprinting mechanism to detect and limit automated scraping of our installer directory. This serves an important platform-integrity purpose: without anti-scraping, competitor platforms could systematically harvest our installer roster and contact details, and the economic model that makes installer subscriptions worthwhile would collapse.

How it works:

• An open-source fingerprinting library (FingerprintJS v5) generates a pseudonymous browser fingerprint from technical signals (screen size, browser version, installed fonts, etc.)
• The fingerprint ID is transmitted via a background beacon to our own /telemetry/search endpoint — never to a third party, never appearing in URLs
• The raw fingerprint is immediately hashed with a secret salt using SHA-256, and only the hash is retained
• The fingerprint hash is not linked to your name, email, or any other identifying personal data
• We have explicitly disabled the FingerprintJS library's optional monitoring telemetry — the library does not contact FingerprintJS servers
• Hash data is retained for 30 days for active security analysis, after which it is anonymised or deleted

Legal basis: Article 6(1)(f) — legitimate interest in platform security and prevention of unauthorised data harvesting. This processing falls within the "strictly necessary" exemption of the ePrivacy Directive and Greek Law 3471/2006 Article 4.

8. International data transfers

Where your personal data is transferred outside the European Economic Area, we rely on the following safeguards under GDPR Articles 44–49:

• EU-US Data Privacy Framework — for transfers to U.S.-based sub-processors that are self-certified under the framework (Microsoft Clarity, hCaptcha, Google, Userback, Stripe's U.S. legal entities where applicable)
• Standard Contractual Clauses — for any sub-processor not covered by an adequacy decision; SCCs are signed bilaterally between Techs.Solar and the sub-processor
• EU-only processing — for some sub-processors (notably Stripe Payments Europe and Hetzner) all processing occurs within the EU and no international transfer takes place

You may request a copy of the safeguard documentation for any specific transfer via our contact form.

9. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33
• Notify affected data subjects directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms, in accordance with GDPR Article 34
• Maintain an internal log of all personal data breaches and the remediation actions taken

10. Children's data

The Techs.Solar service is not directed at children under 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us via the contact form and we will delete the data without undue delay.

11. Automated decision-making and search ranking

Search results on Techs.Solar are ordered by an automated algorithm. The ranking takes into account:

• The subscription tier held by each installer (Exclusive, Founding Member, Claim, Verified Local, or organic)
• The profile completeness, reviews, and recency of each installer
• The relevance of each installer to the municipality you searched
• Other quality signals related to platform integrity

This ranking does not produce legal or similarly significant effects on individuals within the meaning of GDPR Article 22. Homeowners always receive a list of results to choose from; the ranking determines order, not exclusion.

You have the right to information about the logic involved in this automated processing under GDPR Article 13(2)(f). For a full description, see our Installer FAQ or contact us via the contact form.

12. How we contact you

12.1 Transactional communications

We send transactional emails and (where applicable) SMS messages that are strictly necessary for the service you have requested. These cannot be opted out of while you have an active account or pending interaction. Examples:

• For homeowners: confirmation that your quote request has been forwarded to an installer
• For installers: lead notifications, billing receipts, subscription renewal reminders, security alerts, signature verification codes

Legal basis: Article 6(1)(b) — performance of contract.

12.2 Subscription renewal reminders (installers)

For annual subscriptions, we send renewal reminders by email 30 days and 7 days before the next billing date. The reminder includes the renewal amount, date of charge, and a direct link to cancel via the Stripe Customer Portal.

12.3 Marketing communications

We send marketing communications only with your explicit opt-in, recorded at the time of signup or via a specific marketing-consent action (such as joining a country waitlist). Every marketing email includes a one-click unsubscribe link. Withdrawing consent does not affect transactional communications.

Legal basis: Article 6(1)(a) — your explicit consent.

13. Profile photos and reviews

Installer profile photos uploaded by you may contain personal data of you, your employees, or third parties. You are responsible for obtaining consent from people pictured before uploading. We process these photos to display your installer profile to homeowners.

Customer reviews submitted by homeowners are published on the relevant installer's profile with the reviewer's first name and review text. We moderate reviews for compliance with our community guidelines but do not edit substantive content.

14. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered installers by email and to all visitors via a banner on the site for at least 30 days from the effective date. Continued use of the service after a material change constitutes acceptance of the updated Policy.

A full changelog of material amendments is available on request via the contact form.

15. Contact us

For any question about this Privacy Policy, any data protection matter, or to exercise your GDPR rights, please use our contact form (link also in the site footer).

Postal address (for formal correspondence only):

Supervisory authority for Greek residents: