We transport electricity consumption data — securely, encrypted, and without using it for our own purposes. Here we explain in plain language how we handle your data.
Four clear commitments that apply to all customers and all plans.
We do not create behavioural profiles. We do not analyse when you are at home, which devices you use, or what your daily routine looks like. That is not our business.
Consumption data is never sold, rented, or shared with third parties. Data is passed exclusively to the business customer to whom you have granted consent.
Your electricity consumption data is not used to train artificial intelligence or machine learning models — neither by us nor by any third party acting on our behalf.
No automated decisions are made about end consumers. No scores, no ratings, no classifications.
Our business model is simple: we make EDA data accessible. Nothing more, nothing less.
Before we receive any data, the end consumer must confirm authorisation through their grid operator's portal. This official CCM (Customer Consent Management) process is standardised in the Austrian energy sector and is GDPR-compliant. Without this consent, we receive no data.
After authorisation, we receive the previous day's consumption data daily via the EDA network. Data is stored encrypted on servers in Germany — never outside the EU.
Data is forwarded exclusively to the business customer who was granted consent — via API, webhook, CSV, or SFTP. We do not decide what happens with the data. That is determined by the business customer within the scope of their own data protection obligations.
Once the plan-dependent retention period expires, consumption data is deleted automatically. Upon revocation of consent or contract termination, data is also removed. We retain no copies.
End consumers retain full control at all times. Data consent can be revoked directly through the grid operator's portal — without needing to contact us. After revocation, no new data will be transmitted and stored data will be deleted.
We protect data at every layer — from transmission to storage.
All data is transmitted using TLS 1.2+ — between EDA and our platform, and between the platform and business customers.
Sensitive data is stored encrypted in the database. Backups are encrypted as well.
All data is hosted on Hetzner servers in Germany. No data processing outside the EU.
Role-based permissions ensure that each user only sees data belonging to their own account.
Consumption data is automatically deleted once the plan-dependent retention period expires. No manual processes, no forgetting.
Automated monitoring detects technical errors in real time so we can respond quickly.
Every business customer receives a DPA in accordance with Art. 28 GDPR. The agreement is accepted upon registration and can be viewed and downloaded as a PDF at any time in the account settings.
Data access is based on the standardised CCM process of the Austrian energy sector. End consumers grant and revoke their consent directly through their grid operator's portal.
We publish a complete list of all sub-processors in our privacy policy and notify business customers in advance of any changes.
energiedaten.at is operated by PHIVA CORE SL — a company headquartered in the European Union. The GDPR applies to us directly and in full.
We are happy to answer any questions about our security approach, the DPA, or data protection.