Skip to content
Legal

Privacy Policy

Last updated: 3 July 2026

This notice explains what personal data backyard.energy collects when you use the service, why we process it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR). We describe only what the product actually does.

Who is responsible

The data controller is the operator of backyard.energy. For any privacy question or to exercise your rights, contact info@backyard.energy.

What we collect

  • Account data: your first and last name, email address, username, password (stored only as a bcrypt hash) and — if you use Google sign-in — your Google account identifier.
  • Estonian national ID code (isikukood), optional: collected only if you provide it, to establish billing / e-invoice identity.
  • Preferences: interface language, country, timezone, theme and notification settings.
  • Energy data: meter readings for your metering points at hourly or 15-minute resolution, plus the node / branch / meter structure, contracts and parameters you configure. Consumption timeseries can reveal household occupancy patterns, so we treat it as personal data.
  • Session and security data: a session cookie (JWT) and audit-log records of security-relevant actions (logins, profile changes) including IP address and browser user-agent.

Why we process it

  • To provide the energy-analytics service — computing your energy and cash flows, costs, forecasts and reports.
  • To authenticate you and keep your account secure.
  • To send transactional email (email verification, password reset and the alerts you opt into).
  • To meet legal and accounting obligations where they apply.

Legal basis

We process account and energy data to perform the service you request (contract). Security logging and abuse prevention rely on our legitimate interest. Optional data such as the national ID code, and marketing consent, rely on your consent — which you can withdraw at any time.

How long we keep it

  • Account and energy data: for as long as your account is active.
  • On account deletion: your identifying details are erased (pseudonymised) immediately, and the consumption timeseries of nodes you solely own is permanently purged after a short grace period (currently 30 days) that lets you recover from an accidental deletion. Nodes owned by an organisation stay with that organisation.
  • Audit logs: retained about 12 months, then deleted automatically; identifiers relating to a deleted account are redacted at erasure.

Who processes data on our behalf

  • Hosting and database: our self-hosted PostgreSQL infrastructure.
  • Email delivery: an SMTP email provider for verification, password-reset and alert messages.
  • Google: only if you choose Google sign-in (identity verification).
  • Estonian energy data exchange (Estfeed): only if you connect it, to import your metering data.
  • Elering NPS: public electricity-market prices (no personal data).
  • Self-hosted monitoring (Grafana, Loki, Prometheus) for operational logs.

Your rights

  • Access — request a copy of your data. You can download a machine-readable export of your personal data from your profile, and a CSV of each node's meter readings from the app.
  • Rectification — correct inaccurate data.
  • Erasure — delete your account and data from your profile settings.
  • Portability — receive your data in a structured, machine-readable format (the JSON export).
  • Restriction and objection — limit or object to certain processing.
  • Complaint — lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

Cookies and sessions

We use a single strictly-necessary session cookie (an httpOnly JWT named bem-token) to keep you signed in. We do not use advertising or third-party tracking cookies. Your theme preference is stored locally in your browser.

Contact

For privacy questions or to exercise any of the rights above, email info@backyard.energy.