Privacy Policy
WattAhead is a global energy market intelligence platform serving customers in North America, Europe, and worldwide. We process personal data on one principle: collect the minimum needed, keep it for the shortest time possible, never resell.
1. Data controller
- Publisher: WattAhead, [TO BE COMPLETED: legal form and registration number]
- Address: [TO BE COMPLETED: postal address of the registered office]
- Legal representative: [TO BE COMPLETED: legal representative]
- Privacy contact: [email protected]
2. Data we collect
2.1. Data you provide
- Account: email, password (hashed with bcrypt or equivalent, never stored in plaintext), name, organization.
- API key: identifier and optional name you assign. Keys are stored as hashes.
- Billing: name, billing address, tax ID. Payment data (card, IBAN) is handled directly by our payment processor and never touches our servers.
- Communications: content of emails you send us.
2.2. Data collected automatically
- Server logs: IP address, user-agent, timestamp, route, status code. Retained 180 days for security and debugging.
- API usage: request volume and metadata per key, used for quotas and billing. Retained 90 days.
- Session cookies: encrypted authentication token (see cookie policy).
2.3. Data we do not collect
- No third-party advertising trackers, no Facebook / Google Ads pixels.
- No browser fingerprinting.
- No sale of data to third parties. Ever.
- No use of your API request content to train third-party models.
3. Purposes and legal bases
- Service delivery (contract performance, GDPR art. 6.1.b): authentication, API requests, dashboard.
- Security (legitimate interest, GDPR art. 6.1.f): abuse detection, attack prevention.
- Billing (contract performance and legal obligation): usage metering, invoicing, accounting retention.
- Communication (legitimate interest or consent): replies to your messages, critical service notices.
- Legal obligations (GDPR art. 6.1.c): responses to lawful requests from authorities.
4. Retention
- Active account: for as long as the account exists.
- Closed account: deletion within 30 days, except where legal obligations apply.
- Invoices: 10 years (accounting obligation).
- API logs: 90 days.
- Security logs: 180 days.
- Backups: 30-day rotation, encrypted.
5. Subprocessors
We use a minimal set of technical subprocessors. Each is bound by a data processing agreement consistent with GDPR article 28. None is allowed to use your data for other purposes.
- Cloud infrastructure providers (compute, storage, database) operating within the European Union and the United States.
- Cloudflare, Inc.: global edge distribution, DDoS protection, object storage.
- Anthropic PBC: language model inference for market commentary generation. No personal data transmitted.
- Payment and billing providers for payment processing and invoice issuance.
A detailed, current list of subprocessors is available upon written request to [email protected] for legitimate legal or compliance purposes.
6. Market data sources
Market data we publish comes from public operators and regulators: ENTSO-E, EIA, OpenEI, AEMO, ERCOT, CAISO, ISO-NE, NYISO, MISO, PJM, SPP, IESO, AESO, Nord Pool, OMIE, Elexon, RTE, JEPX, Open-Meteo. This data is public and not personal.
7. International transfers
Some subprocessors may be located outside the European Union. Transfers rely on the European Commission's Standard Contractual Clauses (decision 2021/914) and, where applicable, the EU-US Data Privacy Framework, complemented by technical safeguards (TLS 1.3 in transit, AES-256 at rest).
8. Your rights (GDPR)
If you reside in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:
- Access to your personal data.
- Rectification of inaccurate data.
- Erasure (right to be forgotten).
- Restriction of processing.
- Portability in a machine-readable format.
- Objection to processing based on legitimate interest.
- Withdrawal of consent at any time, without retroactive effect.
- Lodge a complaint with a supervisory authority (CNIL in France, ICO in the UK, equivalents elsewhere).
To exercise any of these rights, write to [email protected]. We respond within 30 days.
9. Your rights (PIPEDA, Canada)
Canadian residents, under the Personal Information Protection and Electronic Documents Act (PIPEDA), have the right to access and correct their data and to withdraw consent. Complaints may be filed with the Office of the Privacy Commissioner of Canada.
10. Your rights (CCPA / CPRA, California)
- Right to know what categories of data are collected and shared.
- Right to delete.
- Right to correct.
- Right to opt-out of sale or sharing: WattAhead does not sell or share your personal data for advertising purposes. No opt-out mechanism is needed because no sale occurs.
- Right to non-discrimination: exercising these rights does not degrade your service.
11. Security
TLS 1.3 in transit, AES-256 at rest. Passwords hashed (argon2id or bcrypt). API keys shown once, stored as hashes. Least-privilege internal access. Audit logs. Encrypted daily backups. We follow OWASP best practices.
If a breach affects your rights and freedoms, we notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with GDPR articles 33 and 34.
12. Minors
WattAhead is a B2B service for professional users. It is not directed at people under 16 and we do not knowingly collect their data.
13. Cookies
See our dedicated cookie policy.
14. Changes
We may update this policy. Material changes are notified by email to account holders at least 15 days before they take effect. The date at the top always reflects the latest revision.
15. Contact
Any question: [email protected]. Postal mail: [TO BE COMPLETED: postal address of the registered office].