Privacy Policy
Last updated: April 19, 2026
Version 3.0
1. About this policy
1.1 Data controller
Energify Group Co., Ltd. ("Energify", "we", "us") is the data controller for the processing of your personal data in accordance with this privacy policy.
1.2 Scope of the policy
This policy applies to all services and websites provided by Energify, including:
- Energify.se, Energify.no, Energify.dk, Energify.co.uk, Energify.de
- Solara.se
- Spotprisidag.se
- Bostadsvärde.se
1.3 Applicable legislation
We process personal data in accordance with the EU General Data Protection Regulation (GDPR), Swedish data protection legislation, and other applicable national legislation in the countries where we operate.
1.4 Connection to other policies
This privacy policy should be read together with our terms of service and our cookie policy, which contains detailed information about cookies and similar technologies.
2. Categories of personal data
We may collect and process the following categories of personal data:
2.1 Data you provide to us
| Category | Examples of data |
|---|---|
| Contact details | Name, email address, phone number, postal address, postal code |
| Identification data | Personal identity number (when required for identification), customer number |
| Inquiry data | Desired products, budget, timeline, specific requests |
| Property data | Dwelling type, roof type, area, energy consumption, property designation |
| Company data | Organisation number, company name, industry, contact person |
| Account data | Username, password (encrypted), settings, preferences |
2.2 Data we collect automatically
| Category | Examples of data |
|---|---|
| Technical information | IP address, browser type and version, operating system, device type |
| Usage data | Pages visited, clicks, time on website, page transitions |
| Location data | Approximate geographic location based on IP address |
| Cookies | See our cookie policy for details |
2.3 Data from third parties
| Category | Source and purpose |
|---|---|
| Credit reports | Credit reporting agencies – for risk assessment (where applicable) |
| Public registers | Property registers, company registers – for verification |
| Supplier feedback | Partner companies – regarding completed installations and customer satisfaction |
3. Purposes and legal basis
We process your personal data for the following purposes based on the stated legal basis:
| Purpose | Legal basis | Categories |
|---|---|---|
| Handle your inquiry and facilitate contact with Suppliers | Consent / Performance of contract | Contact, Inquiry, Property |
| Create and manage your User account | Performance of contract | Contact, Account |
| Provide and improve the Service | Legitimate interest | Technical, Usage |
| Send information about offers and services | Consent | Contact |
| Analyse and improve user experience | Legitimate interest | Technical, Usage |
| Prevent fraud and abuse | Legitimate interest | Technical, Contact |
| Fulfil legal obligations | Legal obligation | All relevant categories |
3.1 Legitimate interest
When we base processing on legitimate interest, we have performed a balancing test where we have determined that our interest outweighs any impact on the data subject's rights, taking into account reasonable expectations based on the relationship.
You have the right to object to processing based on legitimate interest. Contact us to exercise this right.
4. Sharing of personal data
4.1 Categories of recipients
We may share your personal data with the following categories of recipients:
| Recipient | Purpose | Role |
|---|---|---|
| Suppliers and installers | Facilitate quotes and services you have requested | Independent data controller |
| IT providers | Hosting, operation and support of the Service | Data processor |
| Communication providers | Email, SMS and other messages | Data processor |
| Analytics partners | Web analytics and improvement of the service | Data processor |
| Authorities | Fulfil legal requirements | Independent data controller |
4.2 Data processing agreements
All service providers acting as data processors on our behalf are bound by data processing agreements ensuring that they:
- only process data according to our instructions,
- implement appropriate security measures,
- do not forward data without our approval,
- assist us in fulfilling our obligations under the GDPR.
4.3 We never sell your data
Energify never sells your personal data to third parties. Sharing occurs only to provide the Service or fulfil legal requirements.
4.4 Specific providers we use
Below we list the specific service providers that process your personal data on our behalf. All are bound by data processor agreements and only process data according to our instructions.
| Provider | Data processed | Jurisdiction | Purpose |
|---|---|---|---|
| PostHog | Email, name, phone (hashed), product selection, city, funnel events | EU (eu.posthog.com, Germany) | Product analytics, funnel optimization |
| Convex | All personal data you provide | EU (Ireland, eu-west-1) | Main database for the service |
| Clerk | Email, login credentials | GDPR-compliant via SCC and EU-US Data Privacy Framework | Authentication for admins and partners |
| Brevo (formerly Sendinblue) | Email, name, product selection | EU (France) | Transactional emails, reminders |
| Vercel | IP address, user agent, technical logs | EU/Global edge network | Hosting and CDN operations |
You have the right to request deletion of your personal data. Contact us at privacy@energify.se and we will forward your request to all relevant providers listed above. You do not need to contact them individually — as the data controller, we handle it for you.
PostHog-specific information: Phone numbers are pseudonymized (SHA-256 hashed) before being sent to PostHog for cross-channel matching of campaign signals. For full information about how PostHog processes your data, see PostHog's privacy policy. For direct deletion at PostHog you may also use PostHog's data deletion documentation — but feel free to contact us first at privacy@energify.se so we can coordinate deletion across all our providers.
5. Transfer to third countries
5.1 General rule
We strive to process personal data within the EU/EEA. Where transfer to a third country (countries outside the EU/EEA) is necessary, we ensure that appropriate safeguards are in place.
5.2 Safeguards
When transferring to third countries, we apply one of the following safeguards:
- Adequacy decision: The recipient country has been approved by the European Commission as ensuring an adequate level of protection.
- Standard contractual clauses (SCC): The European Commission's standard contractual clauses for the transfer of personal data.
- Binding corporate rules (BCR): Approved rules for intra-group transfers.
- Consent: In exceptional cases, transfer may be based on your explicit consent.
5.3 Information about specific transfers
You may contact us to obtain information about which third countries your data may be transferred to and which safeguards are applied.
6. Retention period
We retain your personal data for as long as necessary to fulfil the purposes of the processing. The following retention periods apply:
| Category | Retention period | Justification |
|---|---|---|
| Quote requests | 24 months after last activity | Follow-up and quality assurance |
| Customer relationships | Contract period + 10 years | Accounting Act, limitation period |
| User accounts | Until you close the account | Performance of contract |
| Marketing | Until you unsubscribe | Consent |
| Web analytics | 26 months | Legitimate interest |
| Server logs | 90 days | Security and troubleshooting |
6.1 Anonymisation
After the retention period expires, personal data is deleted or anonymised. Anonymised data may be used for statistical purposes without time limitation.
7. Your rights
Under the GDPR, you have the following rights regarding your personal data:
7.1 Right of access (Article 15)
You have the right to obtain confirmation of whether we process personal data about you, and if so, access to the data and information about the processing. You have the right to receive a copy of your personal data free of charge.
7.2 Right to rectification (Article 16)
You have the right to have inaccurate personal data about you corrected without undue delay. You also have the right to have incomplete data supplemented.
7.3 Right to erasure ("right to be forgotten") (Article 17)
Under certain circumstances, you have the right to have your personal data erased, for example if:
- the data is no longer necessary for the purposes,
- you withdraw your consent and there is no other legal basis,
- you object to processing based on legitimate interest,
- the data has been unlawfully processed.
7.4 Right to restriction of processing (Article 18)
You have the right to request restriction of processing if:
- you contest the accuracy of the data (during the verification period),
- the processing is unlawful but you oppose erasure,
- we no longer need the data but you need it for legal claims,
- you have objected to processing (during the assessment period).
7.5 Right to data portability (Article 20)
You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and the right to transmit that data to another data controller.
7.6 Right to object (Article 21)
You have the right to object at any time to the processing of your personal data based on legitimate interest. Upon objection, we may no longer process the data unless we can demonstrate compelling legitimate grounds that override.
You always have the right to object to processing for direct marketing purposes.
7.7 Right to withdraw consent
Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
7.8 Right not to be subject to automated decision-making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, where the decision has legal effects or similarly significantly affects you.
You have the right to obtain human intervention, express your point of view, and contest automated decisions.
8. How to exercise your rights
8.1 Contact
To exercise your rights under section 7, contact us at privacy@energifygroup.com. Please clearly state:
- which right you wish to exercise,
- your name and contact details,
- any additional information that helps us identify your request.
8.2 Identity verification
We may need to verify your identity before processing your request. This is done to protect your personal data from unauthorised access.
8.3 Response time
We will respond to your request without undue delay and no later than within 30 days. If your request is complex or if we have many requests, the deadline may be extended by an additional 60 days, of which we will inform you.
8.4 Fees
Exercising your rights is normally free of charge. If a request is manifestly unfounded or excessive, particularly if repetitive, we may charge a reasonable administrative fee or refuse to comply with the request.
9. Security
9.1 Technical measures
We implement appropriate technical security measures to protect your personal data:
- Encryption: SSL/TLS encryption for data in transit, encryption of sensitive data at rest.
- Access control: Role-based access management, two-factor authentication for staff.
- Monitoring: Continuous monitoring of systems and networks to detect threats.
- Backup: Regular, encrypted backups at geographically separate locations.
9.2 Organisational measures
- Training: Regular training of staff in data protection and information security.
- Policies: Internal policies for the handling of personal data.
- Incident management: Documented procedures for handling personal data breaches.
- Supplier assessment: Assessment of suppliers' security before entering into agreements.
9.3 Personal data breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours. If the risk is high, we will also inform you directly.
10. Automated decision-making and profiling
10.1 Usage
Energify uses automated processes for:
- matching users with appropriate Suppliers,
- calculating estimated savings and costs,
- personalising content and recommendations,
- fraud prevention and risk assessment.
10.2 Legal effects
Our automated decision-making is not intended to make decisions with legal effects or that similarly significantly affect you. Matching and recommendations constitute decision support, not legally binding decisions.
10.3 Your rights
You have the right to:
- obtain information about the logic behind automated processes,
- request human review of decisions,
- object to automated processing.
11. Cookies
We use cookies and similar technologies to improve your experience, analyse usage, and enable certain functionality. Detailed information about which cookies we use, their purpose, and how you manage your settings can be found in our cookie policy.
12. Children
The Service is not directed at children under 18, and we do not knowingly collect personal data from children. If we discover that we have collected data from a child, we will delete that data as soon as possible.
If you are a parent or guardian and believe your child has provided personal data to us, please contact us at privacy@energifygroup.com.
13. Changes to the policy
13.1 Right to amend
We may update this privacy policy as needed, for example due to changes in legislation, our operations, or the processing of personal data. The latest version is always available on our websites.
13.2 Notice of material changes
In the event of material changes affecting your rights, we will inform you via:
- email to your registered email address,
- a clear notice in the Service,
- update of the "Last updated" date at the top of this page.
14. Complaints
14.1 Contact us first
If you have complaints about our processing of personal data, we ask you to first contact us so that we can try to resolve the issue:
14.2 Supervisory authority
If you are not satisfied with our response or believe that we process your personal data in violation of data protection legislation, you have the right to file a complaint with the supervisory authority:
| Country | Authority | Website |
|---|---|---|
| Sweden | Swedish Authority for Privacy Protection (IMY) | www.imy.se |
| Norway | Datatilsynet | www.datatilsynet.no |
| Denmark | Datatilsynet | www.datatilsynet.dk |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| Germany | Federal Commissioner for Data Protection | www.bfdi.bund.de |
15. Contact details
Data controller:
Energify Group Co., Ltd.
WHA Tower, 9th Floor
777 Bang Na-Trat Road
Samut Prakan, Thailand
| Matter | Contact |
|---|---|
| Data protection matters and exercising rights | privacy@energifygroup.com |
| General inquiries | hej@energify.se |
| Phone | 08-502 803 57 |
This privacy policy is effective as of January 21, 2026.