Privacy Statement
Last updated: November 12, 2025 · Effective: January 15, 2024
1. Who we are
This Privacy Statement is issued by EVOLY Sàrl ("Evoly", "we", "our", "us"), a company organized under the laws of Switzerland. Evoly operates digital products in the smart-metering and waste-management space, including the Evoly Energy Metering platform and the Evoly Waste Management platform (collectively, the "Services").
For the purposes of the EU/EEA General Data Protection Regulation ("GDPR") and the Swiss Federal Act on Data Protection ("FADP"), Evoly is the data controller of the personal data described in this statement.
For any privacy-related question or to exercise your rights, contact us at yahya@evolyenergy.com.
2. Scope
This statement applies whenever you create or use an Evoly account, including when you sign in via a third-party identity provider (Google or Microsoft). It covers personal data collected through the Services, our authentication flow, and supporting infrastructure. It does not cover third-party websites linked from our Services or the processing performed by your identity provider on its own platform.
3. Personal data we collect
We collect the following categories of personal data:
- Account and identity data. When you sign up using email and password, we collect your email address, your chosen password (stored only as a salted hash) and the name you provide.
- Data from third-party identity providers. When you sign in with Google OAuth or Microsoft Entra ID, the provider transmits to us the data you have authorized them to share — typically your email address, your full name, your profile picture URL, your unique provider identifier and, where you grant it, basic profile attributes. We never receive your provider password.
- Application data. Data that you or your organization submit while using the Services (e.g. site configuration, meter or container identifiers, readings, support messages).
- Session and technical data. Session cookies issued by our authentication layer (Better Auth), IP address, user agent, timestamps of authentication events, and error or audit logs needed to operate the Services securely.
- Communications. Email correspondence you send to us, including support requests and contact-form submissions.
We do not knowingly collect special-category personal data (e.g. health, political opinions, biometric data) and we ask you not to submit such data through the Services.
4. Why we use your data and on what legal basis
| Purpose | Legal basis (GDPR / FADP) |
|---|---|
| Create and manage your account; authenticate you | Performance of a contract |
| Provide, operate and improve the Services | Performance of a contract; legitimate interest |
| Secure the Services, prevent fraud and abuse, and keep audit trails | Legitimate interest; legal obligation |
| Reply to your support and information requests | Performance of a contract; legitimate interest |
| Comply with applicable laws and regulatory requests | Legal obligation |
| Optional product analytics and service-quality improvements | Legitimate interest, or consent where required |
5. Cookies and similar technologies
We use the minimum set of cookies needed for the Services to work safely:
- Strictly necessary cookies. Session cookies issued by our authentication layer (Better Auth) to keep you signed in and to protect against cross-site request forgery. These cannot be disabled without breaking sign-in.
- Analytics cookies (where deployed). Aggregated, privacy-respecting product analytics to understand which features are used. Where required by law, we ask for your consent before these are set.
6. Where your data is stored
Personal data is stored in a managed PostgreSQL database hosted on Amazon Web Services (AWS) in the eu-central-2 region (Zurich, Switzerland). Backups are kept in the same region. Some operational sub-processors (e.g. email delivery, error monitoring) may process limited data outside Switzerland and the EU/EEA; in such cases we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent Swiss mechanisms.
7. Who we share your data with
We do not sell your personal data and we do not share it for third-party advertising. We share personal data only with:
- Identity providers — Google and Microsoft — strictly to the extent needed to authenticate you;
- Infrastructure providers — in particular AWS (hosting in eu-central-2) — acting as processors on our behalf;
- Operational sub-processors for tasks such as transactional email, error monitoring and customer support tooling, under written data-processing terms;
- Professional advisors (e.g. lawyers, auditors) under confidentiality obligations;
- Public authorities, where we are legally required to do so or where it is necessary to protect our rights, our users or third parties.
8. How long we keep your data
We keep account and identity data for as long as your account is active and for a reasonable period afterwards to comply with legal obligations, resolve disputes and enforce our agreements. Application data is retained according to the contractual terms in place with your organization. Authentication and audit logs are retained for a limited period proportionate to security and accountability needs and are then deleted or anonymized.
9. Your rights
Subject to the conditions set out in the GDPR and the Swiss FADP, you have the following rights regarding your personal data:
- Right of access — obtain confirmation of whether we process data about you and a copy of that data;
- Right to rectification — have inaccurate or incomplete data corrected;
- Right to erasure ("right to be forgotten") — have your data deleted where the legal conditions are met;
- Right to data portability — receive certain data in a structured, machine-readable format;
- Right to restrict or object to certain types of processing, including processing based on our legitimate interest;
- Right to withdraw consent at any time where the processing is based on consent, without affecting the lawfulness of prior processing;
- Right to lodge a complaint with a supervisory authority — in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); in the EU/EEA, the data protection authority of the country where you live or work.
To exercise any of these rights, email us at yahya@evolyenergy.com. We may need to verify your identity before acting on a request and we aim to respond within the time limits required by applicable law.
10. Security
We apply technical and organizational measures appropriate to the risk, including encryption in transit (TLS), encryption at rest for our managed database and backups, hashed password storage, role-based access control, environment isolation, audit logging and routine patching. No system can be guaranteed perfectly secure; if we become aware of a personal-data breach affecting you, we will notify you and the competent authorities as required by law.
11. Children
The Services are not directed at children under 16 and we do not knowingly collect their personal data. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Changes to this statement
We may update this Privacy Statement from time to time. The "Last updated" date at the top reflects the latest revision. If we make material changes, we will take reasonable steps to notify you, for example by email or through the Services.
13. Contact
EVOLY Sàrl — Switzerland
Email: yahya@evolyenergy.com