At Sun.energy, we care about your privacy and always strive for a high level of data protection. Your personal data is not being sold neither shared with other companies. This privacy policy explains how we collect and use your personal information. It also describes your rights and how you can assert them. You accept this privacy policy (the “Privacy Policy”) whenever you access or use Svea Solar products, services, features, and technologies including the Sun.energy mobile app and sun.energy (the “Sun.energy Services”). It is important that you read and understand the privacy policy and feel confident about our treatment of your personal information. You are always welcome to contact us for any questions. Using the table of contents below, you can easily navigate to the sections of particular interest to you.

What type of information does Sun.energy collect?

Sun.energy collects two types of information from you in conjunction with your use of the Sun.energy Services (collectively, your “personal information”): (1) personally identifiable information; and (2) non-personally identifiable information.

• Personally Identifiable Information is any information that can identify you. Examples include your name, national identification number, e-mail address, mobile phone number, bank details for invoicing, postal address, device identifiers, IP addresses. This information is mainly collected during your onboarding processes, for example: Solar Installation information you provide, Information you provide during your Svea Energy subscription.
• Non-personally identifiable information is information that does not identify you directly, but may be linkable to you. This includes household information, general location information and Energy metering data (production, consumption, storage), environmental data from various sensors that are built-in or connected to third-party products such as temperature, configuration of home automation products and appliances.technical information from products such as software or software version, system alerts.

What data do we collect about you as a potential customer?

• Purpose – To manage a request for a quote and answer your questions regarding solar cells, batteries, EV chargers and trading in electricity.
• Processing done – Calculation of preliminary prices and final price for quotes. Maintain a dialogue with you by phone and email about your questions. • Categories of Personal Data – Name, Contact details (address, email, telephone number and similar). Roof surface, location of the property, Your electricity trading partner, Your electricity consumption, Solar cell selection.
• Legal Basis – Legitimate interest. This collection of your personal data is required in order to answer your questions and to provide a quote. • Retention Period – When you order solar cells and/or sign an agreement for trade in electricity, you become a customer (see below). If you do not become a customer and there is no ongoing dialogue with us, your information will be deleted in April, after two calendar years of inactivity. The reason for the relatively long retention period is that the process for purchasing solar cells can sometimes be relatively long, for example in new construction and replacing of roofs.

What data do we collect about you as a customer?

• Purpose – In order to manage orders/purchases and subsequently to manage our warranty commitments and other commitments under contract.
• Processing done – Delivery (including notification and contacts for delivery), Identification, Processing of payment (including analysis of possible payment solutions which may include checking payment history and obtaining credit scores), Checking addresses against the national database SPAR, Handling of claims and warranty matters.
• Categories of Personal Data – Name, Contact details (address, email, telephone number and similar), Roof surface, Choice of solar cells, Credit Report from Credit Reference Companies, Purchase information (for example, what is ordered or if the item should be delivered to another address. (For Solar User) – Sun.energy processes and store your production data from inverter providers linked to your choice of solar installation.
• Legal Basis – Completion of the Purchase Agreement. This collection of your personal data is required in order to fulfil our obligations under the purchase agreement. If the data is not provided, our commitments cannot be completed and we would therefore be forced to refuse the purchase. We have special procedures for anyone with a protected identity, please specify this before placing orders.
• Retention Period – Our warranty commitments are long, often at least 25 years. We need to manage your information for this entire period. In the event that the property changes owners, we can delete your personal information in consultation with you. We do not automatically delete customer information without having a dialogue with you first.

What data do we collect about you as a supplier?

• Purpose – To manage orders/purchases.
• Processing done – Contact details Quotes and Pricing, Proposals Invoice, Processing/Payments.
• Categories of Personal Data – Name, Contact details (address, email, telephone number and similar), Invoices with invoice details.
• Legal Basis – Fulfilment of Delivery Agreements. This collection of your personal data is necessary to enable us to fulfil our business commitments to you as a supplier.
• Retention Period – Until the purchase has been completed (including delivery and payment) and for a period of 24 months after, for the purpose of managing any claims and warranty matters. In the event that no activity has occurred with you as a supplier over the last two calendar years, the data is deleted in April.

What data do we collect about you as a job applicant?

• Purpose – To manage any job applications.
• Processing done – CV and personal letter, Job Applications, Personal and contact details from the job applications.
• Categories of Personal Data – Name, Contact details (address, email, telephone number and similar), CV and references.
• Legal Basis – Legitimate interest, for completing your job application and recruitment process.
• Retention Period – Two calendar years after the position is added. Is deleted in April of the following years. We need to retain information for at least two years for legal reasons in the event of any requests from the discrimination ombudsman or similar. We may also need to check the information in connection with a possible, future recruitment.

Who is responsible for the personal information we collect?

Svea Renewable Solar AB Company Reg. No. 556955-1350 and Sun.energy Park Energy AB Company Reg. No. 559172-6327 with address Bergkällavägen 35A, 192 79 Sollentuna, are responsible for the personal information we collect. Sun.energy has a special person appointed to be the data controller and the best way to contact this person is by email data@sveasthouse.com.

Third Party Disclosure

We do not sell, trade or otherwise transfer information that can be linked to a person to third parties, unless required by law. This does not include trusted third parties that help us operate our website or company, with the requirement that these parties agree to keep the information confidential. When, for example, data is stored by a third party, a personal data processor agreement is established with that party to ensure GDPR compliance by that party. We believe it is necessary to share information for the purpose of investigating, preventing or taking action against illegal activities, suspected fraud, situations that pose a potential risk to a person’s physical security, breaches of our Terms of Use or other occasions required by law.

Information Protection

We take a variety of security measures to protect your personal information. Only employees who are to perform a specific job (such as invoicing or customer service) will have access to personally identifiable information. The computers/servers used to store personally identifiable information are stored in a secure environment according to the supplier. Agreements compliant with GDPR are drawn up with those who store the information

What are your rights as a data subject?

Right of access (such as data extracts). We are always open and transparent with how we process your personal data and if you wish to obtain a deeper insight into which personal data we process about you, you can request access to the data (the information is provided in the form of a register extract with designation of purpose, categories of personal data, categories of recipients, storage periods, information from where the information was collected and the existence of automated decision-making). Keep in mind that if we receive a request for access, we may ask for additional information to ensure efficient handling of your request and that the information is provided to the right person.

Right to rectification

If the information is incorrect, you can request that your personal data be updated. Within the framework of the stated purpose, you also have the right to supplement any incomplete personal data.

Right to deletion

You can request deletion of personal data we process about you if:

• The data is no longer necessary for the purposes for which they were collected or processed
• You object to a balance of interests we have made based on legitimate interest and your reason for objection outweighs our legitimate interest
• The personal data is processed illegally
• The personal data must be deleted in order to fulfil a legal obligation to which we are subject
• Personal data has been collected about a child (younger than 13 years) for whom you have parental responsibility and the collection has taken place in connection with the provision of information society services (such as social media).

Please note that we may have the right to deny your request if there are legal obligations that prevent us from immediately deleting certain personal data. Such obligations come from accounting and tax legislation, banking and money laundering legislation, but also from consumer law legislation. It may also be that the processing is necessary for us to be able to establish, assert or defend legal claims. Should we be prevented from fulfilling a request for deletion, we will instead block the personal data from being used for purposes other than the purpose that prevents the requested deletion.

Right to restriction

You have the right to request that our processing of your personal data be restricted. If you dispute that the personal data we process is correct, you can request a restricted processing for the time we need to check whether the personal data is correct. If we no longer need the personal data for the stated purposes, but you do need them to be able to establish, assert or defend legal claims, you can request restricted processing of the data from us. This means that you can request that we not delete your information. If you have objected to a balancing of legitimate interest that we have made as a legal basis for a purpose, you can request restricted processing for the time we need to check whether our legitimate interests outweigh your interests in having the data deleted. If the processing has been restricted due to any of the situations above, we may only, in addition to the actual storage, process the data to establish, assert or defend legal claims, to protect someone else’s rights or if you have approved this.

The right to object to certain types of processing

You always have the right to avoid direct marketing and to object to any processing of personal data based on a balance of interests.

Legitimate interest.

Where we use a balance of interests as a legal basis for a purpose, you have the opportunity to object to the processing. In order to continue to process your personal data following such an objection, we need to be able to show a compelling justified reason for the processing in question that outweighs your interests, rights or freedoms. If not, we may only process the data to establish, exercise or defend legal claims.

Direct marketing (including analyses performed for direct marketing purposes)

You have the opportunity to object to your personal data being processed for direct marketing. The objection also includes such analysing of personal data (so-called profiling) that is performed for direct marketing purposes. Direct marketing refers to all types of outreach marketing measures (such as via e-mail and text messages. Marketing measures where you as a customer have actively chosen to use one of our services or otherwise sought us out to find out more about our services do not count as direct marketing (such as product recommendations or other functions and offers on My pages). If you object to direct marketing, we will discontinue the processing of your personal data for that purpose as well as discontinue all types of direct marketing measures. Remember that you always have the opportunity to influence which channels we will use for mailings and personal offers. For example, you can choose to only receive offers from us via e-mail, but not text message. If so, you should not object to the processing of personal data as such, but instead limit our communication channels (by changing the settings on My pages or contact customer service).

Right to data portability

If our right to process your personal data is based on the fulfilment of an agreement with you, you have the right to request that the data concerning you and that you have provided to us be transferred to another personal data controller (so-called data portability). A prerequisite for data portability is that the transfer is technically possible and can be automated.

How do we process personal identification numbers?

We will only process your personal identification number when it is clearly justified to do so with respect to the purpose necessary for secure identification or for any other reasonable grounds.

What are cookies and how do we use them?

Cookies are small text files consisting of letters and numbers sent from our web server and stored on your browser or device. At sun.energy, we use the following cookies:

• Session cookies (a temporary cookie that expires when you close your browser or device)
• Permanent cookies (cookies that remain on your computer until you delete them or they expire) First-party cookie (cookies set by the website you visit)
• Third-party cookies (cookies set by a third-party website (We primarily use these for analyses, such as Google Analytics.)
• Similar technologies (technologies that store information in your browser or in your device in a way similar to cookies.

The cookies we use normally improve the services we offer. Some of our services need cookies to work properly, while others improve the services for you. We use cookies for overall analytical information regarding your use of our services and to save functional settings such as language and other information. We also use cookies to be able to direct relevant marketing to Svea Renewable Solar AB Bergkällavägen 35A 19279 Sollentuna sun.energy info@sun.energy +46 (0)8-286693 you. You can read more about cookies specifically for Sun.energy at sun.energy.

Can you control the use of cookies yourself?

Yes. Your browser or device allows you to change the settings for the use and scope of cookies. Go to the settings of your browser or device to learn more about how to adjust the settings for cookies. Examples of things you can adjust are blocking all cookies, only accepting first-party cookies or deleting cookies when you close your browser. Keep in mind that some of our services may not work if you block or delete cookies. You can read more about cookies in general on the Swedish Post and Telecom Authority’s website, pts.se.

How is your personal data protected?

We use IT systems to protect the confidentiality, integrity and access to personal data. We have taken special security measures to protect your personal data against unlawful or unauthorised processing (such as unlawful access, loss, destruction or damage). Only those people who actually need to process your personal data in order for us to fulfil our stated purposes have access to them.

What does it mean that the Swedish Data Protection Authority is the supervisory authority?

The Swedish Data Protection Authority is responsible for monitoring the application of legislation and anyone who believes that a company handles personal data incorrectly can submit a complaint to the Swedish Data Protection Authority.

What is the easiest way to contact us with questions about data protection?

Because we take data protection very seriously, we have employees who handle precisely these matters, and you can always reach them on info@sun.energy. We may make changes to our privacy policy. The latest version of the privacy policy is always available here on the website. For updates that are crucial for our processing of personal data (for example, change of stated purposes or categories of personal data) or updates that are not crucial for the processing but which may be crucial to you, you will receive information on sveasolar.se and via e-mail (if you have specified e-mail) well in advance before the updates take effect. When we make information available about updates, we will also explain the meaning of the updates and how they may affect you.