custodi

Privacy Policy

This privacy policy explains how we process personal data when you use the platform.

Data Controller

This project is currently operated by a private individual. A full controller disclosure will follow once the company is incorporated. Please use the contact information in the Impressum.

Data Protection Contact

No dedicated data protection officer is required at this stage (Art. 37 GDPR thresholds are not met). This will be reassessed as the scope evolves.

Purposes & Legal Bases

  • Authentication and session management (Art. 6(1)(b) GDPR)
  • Organization and membership administration (Art. 6(1)(b) GDPR)
  • Meter reading capture and reporting (Art. 6(1)(b) GDPR)
  • Security monitoring and abuse prevention (Art. 6(1)(f) GDPR)
  • Analytics (with consent) (Art. 6(1)(a) GDPR)
  • Real-time data synchronization across devices using Redis for temporary technical coordination (Art. 6(1)(f) GDPR)

Your Rights

  • Access, rectification, deletion (Art. 15-17 GDPR)
  • Restriction and objection (Art. 18-21 GDPR)
  • Data portability (Art. 20 GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Subprocessors

We rely on trusted infrastructure providers to deliver the service:

Vercel Inc.

Added: Oct 5, 2025
Purpose: Hosting & CDN
Location: USA
Server Location: Germany (Frankfurt)
Safeguards: Standard Contractual Clauses (SCC)

Neon Tech Inc.

Added: Oct 5, 2025
Purpose: Database Hosting
Location: USA
Server Location: Germany (Frankfurt)
Safeguards: Standard Contractual Clauses (SCC)

Resend Inc.

Added: Oct 5, 2025
Purpose: Email Service
Location: USA
Server Location: Ireland
Safeguards: Standard Contractual Clauses (SCC)

Perplexity AI Inc.

Added: Oct 18, 2025
Purpose: AI-powered meter reading analysis
Location: USA
Server Location: USA
Safeguards: Standard Contractual Clauses (SCC)
Legal Basis: Art. 6(1)(b) GDPR - Contract performance; Art. 6(1)(f) GDPR - Legitimate interest in automated meter reading
Data Categories:
  • Meter reading images (utility consumption data)
  • Property identification data
  • Timestamp and location metadata
  • Processing results and accuracy metrics

Redis Labs Ltd.

Added: Oct 19, 2025
Purpose: Real-time synchronization infrastructure
Location: USA/Israel
Server Location: Germany (Frankfurt)
Safeguards: Standard Contractual Clauses (SCC)
Legal Basis: Art. 6(1)(f) GDPR - Legitimate interest in providing real-time data synchronization across user devices
Data Categories:
  • Technical synchronization identifiers (non-personal)
  • Cache invalidation events
  • Temporary session coordination data

Mapbox Inc.

Added: Nov 12, 2025
Purpose: Address geocoding, map visualization, and location services
Location: USA
Server Location: Global CDN (EU nodes available)
Safeguards: Standard Contractual Clauses (SCC)
Legal Basis: Art. 6(1)(b) GDPR - Contract performance; Art. 6(1)(f) GDPR - Legitimate interest in providing accurate location-based services
Data Categories:
  • Property addresses (search queries)
  • Geographic coordinates (latitude/longitude)
  • IP address (for rate limiting)
  • Browser user agent (technical requirement)

Cookies & Tracking

See the Cookie Policy for detailed tracking information.

Security Measures

We implement role-based access control, optional two-factor authentication, and activity logging.

International Transfers

Some subprocessors operate outside the EU but offer safeguards such as Standard Contractual Clauses (SCCs).

Retention Periods

We apply the following retention periods:

  • User accounts: Until the account is deleted
  • Meter readings: Until account deletion or mandatory statutory retention ends
  • Activity logs: 12 months
  • Backups: 30 days
  • Consent records: 3 years
  • Real-time sync data: 60 seconds (automatic expiration)

You may request deletion at any time, subject to statutory retention obligations.

Last Updated: November 12, 2025
