Privacy Policy

May 5 2025

Te Uira ō Te Ringa Ltd t/a Aotea Energy

23 Westhaven Drive, 1010, Auckland CBD

Introduction

Aotea Energy ("we" or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our mobile application, IoT battery hardware, website, and related services (collectively, the "Services"). We comply with New Zealand’s Privacy Act 2020 and all applicable data protection laws, and we align with global best practices to safeguard your data. This means we are transparent about our data practices, use your information appropriately, keep it secure, and enable you to access and control your data. By using our Services, you agree to the collection and use of your information as described in this Policy.

If you do not agree with this Policy, please do not use the Services. We may update this Policy from time to time (see Changes to This Policy below). We encourage you to review this Policy periodically. If you have any questions, you can contact us at support@aoteaenergy.com.

Information We Collect

We collect several types of information to provide and improve our Services. This includes:

• — Account Information: When you create an account, we collect your name, email address, and a password. Your password is stored in an encrypted form – we never store it in plain text. We may also collect your contact address or phone number if you provide it for customer support or communications. We do not allow accounts for individuals under 18 (see Children’s Privacy below).
• — Device and Installation Data: If you use our Aotea Energy battery IoT hardware, we collect information about the device and its installation. This may include the installation address or location of the battery system, device identifiers, and configuration data. We also collect telemetry data from the battery, such as historical usage patterns, energy production/consumption, temperature, voltage, current, and other performance metrics. This data helps us monitor system health and provide you with insights via the app.
• — Transaction and Financial Data: For customers participating in energy transactions (for example, retail customers trading energy or receiving payments), we may collect data related to those transactions. This can include your address (for billing or eligibility) and bank account number or payment details that you provide. We use your bank account number only to detect and facilitate authorized transactions (such as credits for surplus energy or payments) and for no other purpose. No payment card details are collected through our app. If we need to process any payment, we will use secure third-party payment processors in compliance with applicable standards.
• — Usage and Analytics Data: When you use our mobile app or website, we automatically collect certain technical information to help us understand how the Services are used. This includes device information (such as device type, operating system, unique device IDs), log information (IP address, timestamps, and errors), and usage information (features used, pages viewed, buttons clicked). We use cookies or similar technologies in our website and app to remember your preferences and to gather usage analytics. For example, we use Google Analytics to collect aggregate information about app/website usage. Google Analytics may set cookies or collect device identifiers to help us analyze user interactions. We have configured our analytics to respect privacy – for instance, Google Analytics 4 does not log or store IP addresses of EU users, and we do not send personally identifying information in analytics events. You can opt out of analytics as described in Your Rights and Choices below.
• — Error and Crash Data: To maintain a high-quality service, we use an error tracking service (Sentry) to automatically report app crashes or errors. When the app experiences a crash or malfunction, a report is sent to us via Sentry. This report may include technical information about the state of the app leading to the error (e.g., software version, device state) and a portion of the app’s activity log. We do not intentionally send personal data in these reports, and we have enabled Sentry’s data scrubbing features to remove or mask personal or sensitive information. In some cases, Sentry’s error reports may include a snapshot of the app interface (often called a “screen replay”) to help us reproduce the issue. We configure this feature to censor/anonymize any personal data on the screen, so your sensitive information (like names, emails, or bank details) is blurred or not recorded. Error and crash data is used only for debugging and improving our app’s stability.

We collect personal information either directly from you (for example, when you sign up or input data in the app) or automatically through your use of the Services (for example, through the IoT device or app interactions). If we ever collect information from third parties, we will do so only with your authorization or as allowed by law.

How We Use Your Information

We use the collected information for the following purposes:

• — Providing and Improving the Service: We use your personal and device data to operate the Services and provide you with features. For example, we use your account info to log you in and personalize your app dashboard, and we use battery telemetry data to show you performance metrics and alerts. We also analyze usage and telemetry data to improve the performance and reliability of our battery systems and the user experience of the app.
• — Analytics and Product Development: Usage and analytics data help us understand user behavior and preferences in order to improve our Services. We analyze this data (mostly in aggregate form) to debug issues, optimize our user interface, and add new features. For instance, we might use telemetry trends to develop better battery optimization algorithms, or app interaction data to simplify certain workflows. We ensure any analytics we perform that involves personal data is done in compliance with applicable laws and, where feasible, uses anonymized or aggregated data.
• — Transactions and Account Management: If you are involved in energy trading or transactions through our platform, we use your information to enable and track those transactions. For example, we might use your bank account information to verify when a payment for surplus energy has been received or to facilitate a payout to you. Transaction data (such as amounts and dates) may be used to update your in-app dashboards or history. We also use your contact information to send you transaction confirmations, receipts, or alerts related to your account. Note: While we assist in tracking transactions (like identifying when you earn credit from your energy generation), actual financial transactions (such as bank transfers) are handled by you and your financial institution outside of our system. We do not directly debit or credit your account; we only detect and inform you of relevant transactions.
• — Communications: We may use your email address or other contact info to send you important notices about the Service. This includes confirmations, technical or security alerts, updates on new features, or changes to this Policy or the Terms and Conditions. We may also send newsletters or promotional communications about new products or offers, but only if you have opted in to such marketing. You can opt out of marketing emails at any time (each such email will include unsubscribe instructions).
• — Personalization: We might use data about your usage or device to personalize your experience. For example, we could recommend optimal battery usage schedules based on your historical data, or customize the app interface with your location’s relevant information (like local grid data or weather, if that affects the battery). Personalization aims to make the Service more relevant and useful to you.
• — Safety and Security: Information (like device logs or account behavior) may be used to protect the security of the Services, our users, and others. For instance, we monitor for suspicious login attempts or unauthorized access. Telemetry data from the battery (like temperature or performance anomalies) may be used to detect potential safety issues (e.g., an overheating battery) and proactively alert you or take action. We also use data to enforce our Terms and Conditions and to prevent fraud or misuse of our Services.
• — Legal Compliance and Enforcement: In certain cases, we may need to use or disclose your information to comply with legal obligations. For example, we could process your data to fulfill tax or accounting requirements, or disclose information in response to a valid legal request (subpoena, court order, or government demand). We may also use your data as necessary to enforce our own legal rights or agreements (for instance, to investigate and address violations of our Terms, or to handle user disputes).

We will only use your personal information for the purposes above and will not use it in a way that is incompatible with those purposes. If we need to use your data for a new purpose, we will update this Policy and, if required, seek your consent.

How We Share Your Information

We understand the importance of your personal data and we do not sell or rent your information to third parties. We share your data only in the following circumstances:

• — With Service Providers (Processors): We use reputable third-party companies to support our Services. These providers process data on our behalf and are contractually obligated to protect it and use it only for the tasks we specify. Key service providers include:
• — Cloud Hosting and Infrastructure: We host our backend systems and databases on Amazon Web Services (AWS). Your data (including account info and telemetry data) is stored in secure AWS data centers. AWS implements robust security measures and we utilize features like encryption at rest and in transit. (Our IoT platform also uses AWS Greengrass for edge processing on the battery device, which means some data processing may occur on the device itself to improve performance, under our control.)
• — Database and Storage: Your data may be stored in our AWS-hosted PostgreSQL database and related storage systems. These databases are encrypted and access is strictly limited to authorized personnel.
• — Analytics: We use Google Analytics (GA) to help analyze usage of our app and website. GA will receive certain usage data (described in Usage and Analytics Data above). Google may process this data on servers in various countries, but we have configured our GA implementation to enhance privacy (for example, using GA4 which anonymizes IP addresses by default for EU traffic). Google acts as a data processor for us and is obligated not to use the data for other purposes. You can learn more about how Google handles data in analytics in Google’s own privacy documentation.
• — Error Monitoring: We send crash reports and error logs to Sentry (operated by Functional Software Inc.) as described earlier. Sentry acts as our processor to store and organize error information so we can debug. We have enabled Sentry’s privacy features (such as PII data scrubbing) to prevent sensitive data from being shared. Sentry may store this technical data on servers in the US or EU (we utilize the option to host data in regions that ensure compliance with relevant laws; Sentry is certified under EU-U.S. and Swiss-U.S. data transfer frameworks).
• — Communication Tools: If we use third-party email or notification services (for example, an email service to send out newsletters or an SMS gateway for alerts), we will share your necessary contact info with those providers strictly for the purpose of sending those communications.
• — Other Providers: We may use additional services for specific functions (e.g., an identity verification service, or mapping service to show your battery location on a map). We will disclose those in this Policy or at the point of usage, and ensure they are bound to protect your data.
• — These service providers are given only the information needed to perform their functions, and they are not allowed to use your information for any other purpose. We choose providers carefully to ensure they have strong privacy and security standards.
• — With Authorized Third Parties at Your Direction: We will share your information with other parties if you specifically request or authorize it. For example, if the app allows you to integrate with a third-party service (such as linking your Aotea Energy data with a smart home platform or a utility company), we will send data to that third party only with your explicit instruction and consent. Similarly, if you engage in peer-to-peer energy trading with another user, we might share necessary details with that other party as part of the transaction (with your knowledge). We will make it clear at the time what information will be shared and with whom, and we will honor the choices you make.
• — For Legal Reasons: We may disclose personal information if required to do so by law or legal process, or if we have a good-faith belief that such action is necessary to (a) comply with applicable laws or respond to valid legal requests (e.g., from law enforcement or regulators), (b) protect and defend our rights or property, (c) prevent or investigate possible wrongdoing in connection with the Services (such as fraud or security incidents), or (d) protect the safety of our users, customers, or the public. For instance, if a government authority with jurisdiction demands certain data for an investigation, we will comply if legally obligated, and we will attempt to notify you unless legally prohibited.
• — Business Transfers: If Aotea Energy is involved in a merger, acquisition, investment, financing, reorganization, or sale of all or part of our business or assets, your information may be disclosed to the parties involved in the transaction as part of due diligence or transferred to the successor or new owner. If such a transfer happens, your personal information will remain subject to the protections in this Privacy Policy (unless you agree otherwise). We will notify you of any change in ownership or use of your personal information as required by law.

We do not share your personal data with any third parties for their own marketing or advertising purposes without your consent. Outside of the scenarios above, no unauthorized third-party sharing occurs. In particular, we do not sell personal information to data brokers or social media companies. Any third-party links or integrations in our app (for example, a link to a social media or a knowledge base article) are provided for your convenience; we do not automatically send them your data, though if you choose to use those third-party services, you should review their privacy policies separately.

Data Storage and Security

We take the security of your data seriously and implement a range of measures to protect it:

• — Encryption in Transit and at Rest: All communications between your mobile app, the battery IoT device, and our servers are encrypted using industry-standard protocols like TLS/SSL. This means any data transmitted (such as telemetry or login credentials) is encrypted so that third parties cannot eavesdrop or tamper with it in transit. Our IoT device communication uses lightweight messaging protocols secured with TLS 1.2/1.3 – to ensure telemetry data is safely sent to the cloud. Our IoT platform follows best practices by using mutual TLS (mTLS) authentication, where both the device and server present digital certificates to verify each other. This adds an extra layer of security, ensuring that only authorized Aotea Energy devices and servers can communicate. Data at rest (stored on our servers) is also encrypted – for example, our databases use encryption so that the data is unreadable if accessed without authorization. Sensitive fields (e.g. passwords) are additionally hashed or encrypted using best practice secure algorithms like Argon2, bcrypt, or scrypt.
• — Secure Authentication: Account access to the app is protected by your email and password (and any multi-factor authentication we may offer). Passwords are never stored in plaintext; we use strong one-way hashing (bcrypt with salt) so that even in the unlikely event of a database breach, your actual password remains secure. We advise you to use a unique, strong password for our Service to further protect your account. Additionally, communication between the app and device may use device-specific credentials or keys (for example, the IoT device uses cryptographic keys for mTLS). We ensure these keys are generated and stored securely. On the battery device itself, any critical network configuration data (such as Wi-Fi credentials or certificates) is stored securely (often in a secure element or encrypted file system) to prevent unauthorized access if someone has physical access to the device.
• — Access Controls: Internally, our team’s access to personal data is limited on a need-to-know basis. Only personnel who need to service your account or develop our product (for example, support staff or engineers working on a relevant issue) have access to systems with personal data, and even then they can only access the minimum data necessary. We employ administrative and technical access controls (like role-based access and audit logging) to prevent unauthorized data access internally. All staff are trained on privacy and security practices.
• — Monitoring and Testing: We monitor our systems for possible vulnerabilities and attacks. Our security team (or contractors) perform regular assessments, such as penetration testing and code reviews, to identify and fix potential security issues. We keep our software and third-party libraries up to date to patch known security vulnerabilities. The IoT devices are also periodically updated (firmware updates) to maintain security; updates are delivered securely (signed by us to prevent tampering).
• — Error Handling and Logs: As mentioned, we use Sentry for error logging. We have configured it to scrub personal data. Additionally, any system logs that might contain personal information are protected and only accessible to authorized engineers. We apply log retention limits and secure log storage to avoid indefinite retention of possibly sensitive data.
• — Physical Security: While we primarily use cloud infrastructure, those data centers (e.g., AWS data centers) have robust physical security controls (guard patrols, biometric access, surveillance, etc.). Our own offices (if any data is stored locally) are secured to prevent unauthorized entry. Backups of data (for disaster recovery) are encrypted and stored securely.
• — Data Retention: We retain personal information only as long as necessary for the purposes outlined in this Policy or as required by law. For example, we keep your account information while your account is active. If you delete your account or request deletion, we will securely erase or anonymize your personal data, except for information we are required to keep for legal or regulatory obligations (such as transaction records for tax or audit purposes) or information stored in routine backups (which will be deleted in the normal backup retention cycle). Telemetry data may be aggregated or anonymized after a certain period for long-term trend analysis, but personal identifiers are removed from such historical datasets.

Despite all these measures, it's important to note that no system can be guaranteed 100% secure. We follow industry best practices and continuously work to protect your data, but we cannot warrant absolute security. You should also play a role in security: protect your account credentials and notify us immediately of any unauthorized use of your account or any suspected vulnerability.

If there is any data breach that affects your personal information, we will comply with New Zealand’s Privacy Act requirements for breach notification, and in serious cases, we will notify you and the New Zealand Privacy Commissioner as appropriate.

International Data Transfers

Aotea Energy is based in New Zealand. However, the nature of cloud services means your data may be transferred to or stored in servers located in other countries. For instance, as noted, we use AWS cloud infrastructure – currently, our primary servers are located in Syndney. We choose AWS regions that are close to our users (New Zealand or nearby) to reduce latency and ensure better control. In some cases, certain data (like analytics or error logs) might be processed by providers in the United States or other jurisdictions (e.g., Google might use servers in the US or EU).

When we transfer personal information outside of New Zealand, we ensure it remains protected. New Zealand’s Privacy Principle 12 requires that comparable privacy safeguards are in place if personal data is sent overseas. We will only transfer data to countries which have robust data protection laws (such as those recognized by New Zealand as providing comparable protection), or we will use contractual agreements (such as standard data protection clauses) to ensure your data is handled with the same level of care. For example, for data sent to the US, we may rely on frameworks or contracts that require the US recipient to protect the data to New Zealand/GDPR standards. Our service providers like Google and Sentry have committed to compliance with EU and NZ privacy requirements (for instance, Sentry participates in the EU-U.S. Data Privacy Framework).

By using our Services, you understand that your personal information may be transferred to and stored in other countries as described, and consent to that transfer, storage, and processing. Regardless of where your data is processed, we will take steps to ensure your privacy rights continue to be upheld.

Your Rights and Choices

We believe you should have control over your personal information. Subject to certain legal exceptions, you have the following rights regarding the personal data we hold about you:

• — Access and Correction: You have the right to request a copy of the personal information we hold about you and to request corrections of any inaccuracies. We will provide you with access to your data, and if any information is incorrect or out-of-date, you may ask us to correct it. Most basic account information can be corrected by you through the app (for example, updating your name or email). For other data or a full access request, you can contact us (see Contact Us below). We may need to verify your identity before releasing data to you. We will respond to access or correction requests within the timeframe required by law (typically within 20 working days in NZ).
• — Deletion (Right to Erasure): You can request that we delete your personal information. You can do this by deleting your account through the app (if that feature is available) or by contacting us to request account deletion. We will delete the information that we are not legally required or otherwise permitted to retain. Note that certain data cannot be deleted if we must keep it for legal reasons (for example, records of transactions may need to be kept for a certain number of years for financial reporting). If complete deletion isn’t possible (e.g., data stored in backups), we will securely isolate and protect that data from any further use until automatic deletion is possible. In some situations, rather than deletion, we may anonymize your data (so it can no longer be associated with you). We will inform you of the outcome of your deletion request. Important: If you request deletion of essential data, this may affect our ability to provide you with service (for example, deleting telemetry data means certain app features might not function).
• — Withdrawal of Consent: If we are processing any of your personal information based on your consent (for instance, if you agreed to receive marketing communications or you consented to an optional data collection), you have the right to withdraw that consent at any time. For example, you can opt out of marketing emails by clicking “unsubscribe” in any email, or change your settings in the app to disable certain data collection (like analytics, if options are provided). Withdrawing consent will not affect the lawfulness of any processing we already performed based on your consent, but will stop the future processing of your data for that purpose.
• — Object or Restrict Processing: In certain situations, you may have the right to object to or request we limit our processing of your data. For example, if you feel our use of your data for analytics or personalization impacts your privacy rights, you can object to that. Or if you contest the accuracy of data, you can ask we restrict processing until it is corrected. We will evaluate such requests and comply if required by applicable law. Where the Privacy Act or other laws give you the right to object to certain uses or disclosures, we honor those rights.
• — Data Portability: For data you provided to us directly (for example, your account information or telemetry data tied to you), you may request a copy in a common machine-readable format. If you require it and it’s feasible, we can provide certain data exports (e.g., a CSV file of your telemetry history) so that you can use it with other services. This aligns with global best practices (such as the GDPR’s data portability concept) even if not explicitly required by NZ law.
• — Non-Discrimination: We will not discriminate against you for exercising any of these rights. For instance, we won’t deny you the Service or provide a lesser experience just because you made a data request. However, note that deleting or restricting data might affect functionality (as described), but that is a consequence of the Service being unable to operate without that data, not a punitive action.

To exercise any of your rights, please contact us at support@aoteaenergy.com. We may ask you to verify your identity (to ensure we don’t give your data to someone else). There is generally no fee for making a request, though if a request is unusually excessive or repetitive, we might charge a reasonable fee or refuse, as permitted by law (we would explain why in that case). We will do our best to respond promptly and within any legally required timeframes.

If you have an account, we also provide tools within the app or website for you to directly manage your information. For example, you can log in to see or update profile details, or download certain data.

Children’s Privacy

Our Services are not intended for use by minors. You must be at least 18 years old to create an Aotea Energy account and use our app and battery systems. We do not knowingly collect personal information from individuals under the age of 18. If you are under 18, please do not use the Services or provide any personal information to us.

In the event we learn that we have inadvertently collected personal data from a child or minor without proper consent, we will take steps to delete that information as soon as possible. If you are a parent or guardian and believe we might have any information from or about a minor, please contact us so we can investigate and address it.

(Note: At present, accounts for minors are not allowed. If our policy changes in the future (for example, if we offer a product for teenagers with parental consent), we will update this Privacy Policy and our practices accordingly, in compliance with all applicable laws such as requiring parental consent.)

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will revise the "Last Updated" date at the top of this Policy. If the changes are significant, we will provide a more prominent notice – for example, by posting an in-app alert or sending you an email notification.

We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of the Services after any changes to this Policy constitutes your acceptance of the updated terms, to the extent permitted by law.

If we make a change that requires your consent (under applicable law), we will seek that consent.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

Aotea Energy – Privacy Team

Email: support@aoteaenergy.com

We will be happy to assist you and will address your inquiry promptly. If you are in New Zealand and feel we have not addressed your privacy-related concerns, you have the right to contact the Office of the New Zealand Privacy Commissioner and file a complaint. More information can be found on the Privacy Commissioner’s website (privacy.org.nz). If you are in another jurisdiction, you may have the right to contact your local data protection authority.

Your privacy is important to us, and we are committed to protecting it and being transparent about our practices. Thank you for trusting Aotea Energy with your information.