Privacy Policy
By using any Solarius product or service ("Services"), you agree to the terms of this Privacy Policy. This policy applies to all Solarius offerings unless a product-specific agreement supersedes it in part (without negating this Privacy Policy).
Scope
This Privacy Policy applies to all Solarius products and services ("Services"). We process minimal data necessary to provide the Services, and we do not sell or share personal data with third parties for marketing purposes.
Data We Collect
Essential Data
Solarius collects only the essential data required to provide our Services. This includes:
- Account information (e.g., email address, username)
- Usage data (e.g., service interactions, logs)
- Device information (e.g., IP address, browser type)
Payment Information
Payments are processed by PCI-compliant third parties (Stripe, PayPal). We only store billing contact details (name, email, address) and never store sensitive payment information like credit card numbers. Stripe's Privacy Policy and PayPal's Privacy Policy govern their handling of payment data.
What We Do Not Collect
- No tracking pixels, behavioral tracking, or analytics tools that collect personal data.
- No third-party advertising or marketing data collection.
- No unnecessary data collection beyond what is required for service delivery.
Exceptions include law enforcement compliance, where we may be required to provide data in response to valid legal requests. See more in our law enforcement compliance document.
Legal Basis & Purpose of Processing
We process your data based on the following legal bases:
- Contractual necessity: To provide the Services you request.
- Legitimate interest: To ensure security, prevent fraud, and maintain service integrity.
- Legal obligation: To comply with applicable laws and regulations.
We retain account data until you delete your account, plus an additional 30 days for security purposes. IP logs are retained for 90 days to prevent abuse and fraud. Payment records are kept for 7 years to comply with tax laws.
Data Sharing & Disclosure
Service Providers
We use subprocessors only for:
- Cloud infrastructure (AWS, OVH)
- Payment processing
- Customer support tools
All subprocessors undergo GDPR compliance reviews and sign Data Processing Agreements (DPAs) with Solarius.
Legal Compliance
We may disclose data when legally required (e.g., court orders) after validating request legitimacy in accordance with our law enforcement compliance policy. Requests must be made through official channels, and we will not respond to informal requests per our policy.
International Data Transfers
Data is primarily processed in EU data centers. Any extra-EU transfers use standard contractual clauses (SCCs) to ensure GDPR compliance. We do not transfer data to countries without adequate protection unless explicitly stated in a product-specific agreement.
User Rights
Access & Portability
You may:
- Request data access (Article 15 GDPR)
- Rectify inaccurate data (Article 16)
- Request deletion (Article 17)
- Restrict processing (Article 18)
- Object to processing (Article 21)
Exercising Rights
To exercise your rights, contact us at dpo@solarius.me with a valid request. We will respond within one month, extendable by two months for complex requests.
Automatic Decisions
We do not make automated decisions that significantly affect you, including profiling. Any automated processing is limited to service functionality (e.g., spam filtering) and does not involve personal data beyond what is necessary for service delivery.
Security Measures
Technical & Organizational Measures
Solarius implements appropriate technical and organizational measures to protect your data, including encryption, access controls, and regular security audits. We undergo regular penetration testing and vulnerability assessments to ensure our systems remain secure.
We maintain a bug bounty program to encourage responsible disclosure of security vulnerabilities in return for monetary rewards. External security audits are conducted annually by independent third parties to validate our security posture.
Data Breach Notification
In the event of a data breach, we will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Notifications will be sent via email and posted on our disclosures portal. We will also notify relevant supervisory authorities if required by law.
Affected users will receive information about the nature of the breach, potential consequences, and measures taken to mitigate risks. We will also provide guidance on steps users can take to protect themselves.
Changes to This Policy
We may update these terms with 30 days' notice (email or in-platform notification). Continued use constitutes acceptance.
Contact Us
For questions or concerns about these terms, please contact us at: legal@solarius.me or through our support portal at solarius.me.