This Privacy Policy explains what personal data we collect, why we collect it, how it is used, and your rights regarding that data. It applies to the SuPia mobile application ("the App") and the associated website.
We are committed to handling your data minimally and transparently. We collect only what is necessary for the App to function, and nothing more.
2.1 Account Information
When you create an account, we collect your email address and display name. This is used to identify your account, authenticate you, and communicate with you regarding your account status (for example, to send a reactivation link if your account has been deactivated).
2.2 GPS Coordinates — Installation Registration
When you register a renewable energy installation, your device's GPS coordinates are collected once at the time of registration. These coordinates are used solely to detect and prevent duplicate registration of the same physical installation. No continuous location tracking occurs at any time.
2.3 GPS Coordinates — Meter Reading Verification
GPS coordinates are collected each time you submit a meter reading. These are compared against the registered coordinates of your installation to verify that the reading originates from the correct physical source and to prevent fraudulent submissions. These coordinates are not used for any other purpose.
2.4 Export Electricity Data
When you upload an XML or CSV file for meter reading verification, only your export (net-metered) electricity value and its recorded date are extracted from the file. This data is used for export electricity verification and is retained solely to resolve possible disputes or complaints about verification results. It is permanently deleted when you delete your account.
Consumption data present in uploaded files is discarded immediately upon receipt and is never stored, processed, or shared.
The uploaded file itself is permanently deleted from our servers as soon as the export value and date have been extracted. The file is never retained.
2.5 Firebase Authentication
We use Google Firebase Authentication to manage sign-in. Firebase processes your email address and authentication credentials in accordance with Google's Privacy Policy. We do not store your password.
We do not collect:
| Data | Purpose |
|---|---|
| Email address | Account authentication, account management communications |
| Display name | In-app display only |
| GPS coordinates (registration) | Duplicate installation detection |
| GPS coordinates (meter reading) | Reading source verification |
| Export electricity value and date | Export electricity verification; dispute resolution |
We do not sell, rent, or share your personal data with third parties for commercial purposes.
| Data | Retention Period |
|---|---|
| Account information | Retained until you delete your account |
| GPS coordinates | Retained while your account is active |
| Export electricity value and date | Retained until you delete your account |
| Uploaded files (XML / CSV) | Deleted immediately after extraction |
| Consumption data | Never stored |
When you delete your account, all personal data associated with your account is permanently deleted from our systems.
Your data is transmitted over encrypted HTTPS connections. Access to stored data is restricted to authorized systems only. Uploaded files are processed server-side and deleted immediately after the relevant values are extracted — they are never written to long-term storage.
You have the right to:
To exercise any of these rights, contact us at the address in Section 12.
If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) requires us to identify a legal basis for each type of personal data we process.
| Data | Legal Basis |
|---|---|
| Email address and display name | Contract performance (Article 6(1)(b)) — necessary to create and manage your account |
| GPS coordinates — installation registration | Contract performance (Article 6(1)(b)) — necessary to register your installation and prevent duplicate registrations |
| GPS coordinates — meter reading | Contract performance (Article 6(1)(b)) — necessary to verify that meter readings originate from your registered installation |
| Export electricity value and date | Contract performance (Article 6(1)(b)) for verification; legitimate interests (Article 6(1)(f)) for retention for dispute resolution purposes |
Your additional rights under GDPR:
For EU/EEA users, the data controller is CarbonVenue. Contact details are in Section 12.
If you are located in the Republic of Korea, the Personal Information Protection Act (PIPA, 개인정보 보호법) applies to the processing of your personal data.
Consent: By agreeing to this Privacy Policy and the in-app privacy consent notice, you provide consent under Article 15(1)(1) of PIPA for the collection and use of your personal data as described in this policy.
Items collected and purpose of collection:
| 항목 (Item) | 수집 목적 (Purpose) |
|---|---|
| 이메일 주소 (Email address) | 계정 인증 및 계정 관리 (Account authentication and management) |
| 표시 이름 (Display name) | 앱 내 표시 (In-app display) |
| GPS 좌표 — 설치 등록 (GPS coordinates — registration) | 중복 설치 등록 방지 (Duplicate installation detection) |
| GPS 좌표 — 계량기 검침 (GPS coordinates — meter reading) | 검침 출처 검증 (Reading source verification) |
| 수출 전력량 및 날짜 (Export electricity value and date) | 수출 전력량 검증 및 분쟁 해결 (Export electricity verification and dispute resolution) |
Retention and destruction: Personal data is retained for the period necessary to fulfil the purposes described above and is destroyed without delay when no longer needed or when you delete your account, in accordance with Article 21 of PIPA.
Rights of data subjects: Under PIPA, you have the right to access, correct, delete, and suspend the processing of your personal data. To exercise these rights, contact us at the address in Section 12. You may also lodge a complaint with the Personal Information Protection Commission (PIPC) at www.pipc.go.kr or the Korea Internet & Security Agency (KISA) privacy helpline at 118.
Age restriction: Users under 14 in Korea require separate consent handling in accordance with Article 22 of PIPA. The global minimum age of 13 applies elsewhere; Korean users must be at least 14.
The App is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.
Where local law sets a higher minimum age, that age applies. In the Republic of Korea, the minimum age is 14 under PIPA. In the European Union, the minimum age of digital consent varies by member state (typically 13–16).
If you are under 18, your parent or legal guardian must have agreed to these Terms on your behalf.
If we make material changes to this Privacy Policy, we will notify you through the App before the changes take effect and update the effective date at the top of this document. Continued use of the App after notification constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or how your data is handled, please contact us at:
This policy is available at all times within the App under Settings → Privacy Policy.