Privacy Policy
Effective date: 18 March 2026
We take the protection of your personal data seriously. We process your personal data confidentially and in accordance with applicable data protection law, in particular the General Data Protection Regulation (GDPR), and this Privacy Policy.
1. Controller
The controller responsible for data processing on this website and in connection with the HAPO wallbox management platform is:
HAPO Energy GmbH
Siemensring 22
73557 Mutlangen
Germany
Email: info@hapo.energy
Phone: +49 (0) 7171 66557-0
Website: hapowallbox.com
2. Scope of This Privacy Policy
This Privacy Policy applies to the use of the website hapowallbox.com and the HAPO wallbox management platform, including account registration, login, wallbox management, charging session administration, billing, payment processing, fault handling, support, and transactional communications.
3. Categories of Personal Data Processed
When you use our wallbox management platform, we may process the following categories of personal data:
a) Account and user data
- Name, username, email address
- Login credentials and password hash
- Language and account preferences
- Customer number and contract-related account information
b) Wallbox and device data
- Wallbox serial number
- Device identifiers
- Firmware version
- Connection and status information
- Operational and diagnostic data transmitted by the wallbox, including via MQTT where applicable
- Fault and event histories relating to the assigned wallbox
c) Charging and usage data
- Charging session records
- Start and end time of charging sessions
- Energy consumed
- Charging point used
- RFID card UID or other access identifier
- Usage history relevant for operation, administration, billing, and support
RFID UIDs are not necessarily directly assigned to a named user by themselves. However, in the context of account administration, charging authorization, payment allocation, and billing, charging and access data may be attributable to an identifiable user.
d) Billing and payment-related data
- Billing address
- Invoice data
- Tariff and pricing information
- VAT-related data
- Payment status
- Payment reference data
Where payments are made via Stripe, payment data is processed by Stripe. We do not store full credit card numbers or full bank account details entered for payment processing.
e) Technical and log data
- IP address
- Date and time of access
- Browser type and version
- Operating system
- Referrer URL
- Requested pages and actions
- Server log files
- Security, error, crash, and diagnostic logs generated within the web application
f) Communication data
- Contents of inquiries sent to us
- Contact details provided in support requests
- Contract and service communications
- Transactional emails, such as registration confirmations, login-related notices, billing notices, service messages, and support-related communications
4. Purposes and Legal Bases of Processing
We process personal data for the following purposes and on the following legal bases:
a) Performance of a contract and pre-contractual measures
Art. 6(1)(b) GDPR
We process your data to:
- create and manage user accounts
- authenticate users and provide login functionality
- connect and administer wallboxes
- manage charging access and authorization
- record and display charging sessions
- allocate charging activity for payment and billing purposes
- calculate consumption and charges
- generate invoices
- process paid services
- identify which wallbox is assigned to which customer account
- diagnose faults and handle device-related incidents
- provide customer support
- communicate with you in relation to your contract, account, payments, and service use
b) Compliance with legal obligations
Art. 6(1)(c) GDPR
We process data where necessary to comply with legal obligations, in particular:
- commercial and tax retention obligations
- accounting and invoicing obligations
- obligations relating to the establishment, exercise, or defense of legal claims
c) Legitimate interests
Art. 6(1)(f) GDPR
We process data where necessary for our legitimate interests, provided your interests or fundamental rights and freedoms do not override those interests. This includes:
- ensuring the security, availability, and integrity of the platform
- fraud prevention and abuse detection
- prevention of unauthorized access
- troubleshooting, maintenance, and error analysis
- internal telemetry, crash analysis, and technical diagnostics within the web application
- product and service improvement
- enforcement of contractual claims
- secure operation of communication interfaces and connected wallboxes
d) Consent
Art. 6(1)(a) GDPR
Where we request your consent, we process your data on the basis of that consent, for example for optional notifications or optional functions that are not strictly necessary for the performance of the contract. You may withdraw your consent at any time with effect for the future.
5. Cookies and Similar Technologies
We use only technically necessary cookies and similar technologies that are required to provide the website and platform functionality, such as:
- maintaining login sessions
- preserving language settings
- ensuring secure operation of the application
These cookies are necessary for the operation of the service and do not require consent under the applicable rules for strictly necessary technologies.
We do not use advertising cookies or external analytics cookies unless separately disclosed and, where required, only on the basis of your consent.
6. Recipients and Categories of Recipients
Your personal data may be disclosed to the following recipients or categories of recipients where necessary:
- internal departments of HAPO Energy GmbH responsible for platform operation, billing, support, and administration
- authorized web application administrators, strictly to the extent necessary for technical administration, support, security, billing, and fault handling
- hosting and infrastructure providers
- payment service providers
- email delivery or transactional mail service providers
- IT service providers and processors acting on our behalf
- tax advisors, auditors, legal advisors, and authorities where disclosure is legally required
Charging data, billing-related usage data, and device diagnostics are accessible only to the respective user and authorized administrators of the web application to the extent necessary for platform operation, support, fault handling, and billing.
7. Payment Processing via Stripe
If you use paid services and make payments via Stripe, payment processing is carried out by Stripe. In this context, personal data required for payment processing may be transmitted to and processed by Stripe. Depending on the processing activity, Stripe may act as an independent controller and/or as a processor. Further information is available in Stripe's privacy information.
Stripe Privacy Policy: https://stripe.com/privacy
8. Email Delivery and Transactional Communications
We send transactional emails required for account operation and service delivery, for example:
- registration and account verification emails
- password reset messages
- login-related notifications
- billing and invoice communications
- service and support communications
For the delivery of such emails, we use Brevo (formerly Sendinblue) as our email service provider. In this context, your email address and the data necessary to send, receive, and document transactional emails may be processed by Brevo on our behalf.
Brevo Privacy Policy: https://www.brevo.com/legal/privacypolicy/
9. Hosting and Infrastructure
Our platform is hosted using infrastructure provided by Contabo GmbH. Our primary hosting environment is operated in the European Union / Germany.
Where third-party providers process personal data on our behalf, we conclude the required data processing agreements where applicable.
10. International Data Transfers
As a rule, we seek to process personal data within the European Union or the European Economic Area.
However, when using certain service providers, in particular payment providers such as Stripe and potentially other communications or infrastructure providers, personal data may be transferred to countries outside the EU / EEA. Where such transfers occur, they take place in accordance with the GDPR requirements for international data transfers, for example on the basis of an adequacy decision or appropriate safeguards such as the European Commission's Standard Contractual Clauses.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
In particular:
- data transmission via the website is encrypted using TLS/SSL
- communication with compatible wallboxes may be secured via TLS, including MQTT over TLS where applicable
- access to systems is restricted on a need-to-know basis
- passwords are stored only in hashed form and never in plaintext
- security monitoring and logging are used to protect the platform
12. Storage Periods
We store personal data only for as long as necessary for the purposes stated in this Privacy Policy, unless a longer retention period is required by law.
In particular:
- Account data is stored for the duration of the user relationship and thereafter as long as required for legal obligations or the establishment, exercise, or defense of legal claims.
- Charging, billing, invoice-related, and payment allocation data is retained for the statutory retention periods applicable under commercial and tax law, generally up to 10 years.
- Fault histories, device assignment data, and technical support records are retained for as long as necessary for contract performance, support, warranty handling, security, and legal defense, and thereafter only as long as legally required or justified.
- Server log files are generally deleted after 30 days unless longer retention is necessary for security incident investigation or legal defense.
- Support requests and correspondence are retained for as long as necessary to process the request and, where relevant, for documentation and legal retention purposes.
If you request deletion of your account, we will delete personal data that is no longer required, unless legal retention obligations or overriding legitimate grounds require continued storage.
13. Source of Data
We collect personal data:
- directly from you when you register, log in, contact us, use the platform, or enter billing information
- from connected wallboxes and associated infrastructure when operational, diagnostic, fault, and charging data are transmitted to the platform
- from payment service providers in connection with payment confirmations, payment status, and transaction references
- from our email service provider in connection with delivery status and technical processing of transactional emails, where applicable
14. Requirement to Provide Data
The provision of certain personal data is necessary for the conclusion and performance of the contract and for the use of the platform. Without the required data, we may not be able to create your account, provide the platform, operate your wallbox services, process payments, send necessary service communications, or handle device faults correctly.
If consent-based data is requested, providing such data is voluntary. Failure to provide such data may result in certain optional functions not being available.
15. Your Rights
Under the GDPR, you have the following rights, subject to the applicable legal requirements:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent at any time with effect for the future, where processing is based on consent
To exercise your rights, please contact us using the contact details set out above.
16. Right to Object
Where we process your personal data on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right to object to such processing on grounds relating to your particular situation, in accordance with Art. 21 GDPR.
17. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates applicable data protection law.
The competent supervisory authority for our company is:
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Postfach 10 29 32, 70025 Stuttgart, Germany
Email: poststelle@lfdi.bwl.de
Further contact information is available at: https://www.baden-wuerttemberg.datenschutz.de/
18. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, unless expressly stated otherwise in a separate notice.
19. Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy from time to time so that it always complies with current legal requirements and reflects changes to our services or data processing. The version published on this page is the current version.