2. Tibber as Controller
Company name: Tibber AS
Company Registration Number: 916 276 338 (Norway)
Email address: firstname.lastname@example.org
3. Personal data processed
Personal data, or personal information, means any information about a physical individual person which may directly or indirectly be related to that person. It does not include data where the identity has been removed (anonymous data). Tibber may collect, use, store and transfer different kinds of personal data in the following categories:
Contact information, which includes name, email and physical address, phone no. etc. Contact information includes access information, such as username and encrypted password.
Information of your house/apartment such as size, number of residents, means for heating, etc.
Sensor data from connected apps or devices such as smart meters and smart thermostats. Sensor data includes technical data of the device, such as model; state of device, such as if the device is on or off; measurements, such as energy usage, temperature and humidity.
Data from electric car, including technical data of the car, such as model and customisation codes; and the state of the car, such as GPS coordinates, energy usage and battery level.
Financial information, such as credit card number, expiration date, and billing address.
Transactional data, such as purchase products or services, status of delivery.
Technical data are data provided or collected when using the applications and services, including internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the applications and services.
User data includes information generated when using the applications and services, such as transactions, purchases, referral source, the visit period on the applications, page views and link clicks.
Communication data, content of any contact with Tibber by use of email, phone chat or otherwise completed online forms, or surveys.
4. Basis and purposes for Processing personal data
Tibber processes personal under the following legal basis:
The processing is permitted by previous consent provided by you as the data subject (Article 6(1)(a) GDPR.
The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract (Article 6 (1) (b) GDPR).
The processing is necessary for compliance with a legal obligation to which Tibber is subject (Article 6 (1)(c) GDPR).
Where the processing is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (Article 6 (1) (f) GDPR).
To comply with a legal or regulatory obligation means processing the data subject’s personal data where it is necessary for compliance with a legal or regulatory obligation that Tibber is subject to.
By legitimate interest is understood the interest of Tibber business in conducting and managing our business to enable us to give the customers good services.
When the above is not enough to process personal data, we will collect the consent from the data subject prior to the processing. In this case you can withdraw your consent at any time. You can do that by contacting us at email@example.com or via our chat.
|Personal data that is being processed||Purpose||Legal basis for the processing|
|User data, Technical data.||When using our website for information purposes only, we collect the personal data that your browser transmits to our server for proper connection establishment, presentation of the contents of the service, detection of attacks on our site based on unusual activities or error diagnosis.||Legitimate interest/ Art. 6 (1) (f). The legitimate interest is based on the interest in the proper functioning of services, security of data and business processes, prevention of misuse, prevention of damage caused by interventions in information systems.|
|Contact information, Communication data, Technical data||Customer service: Customers contacting Tibber with questions regarding services or products via e-mail, phone or chat.||Performance of the contract/ Article 6 (1) (b) GDPR.|
|Contact information, User data, Information of your house/apartment||Signing up for services in the Tibber App.||Performance of the contract/ Article 6 (1) (b) GDPR.|
|Contact information, Information of your house/apartment, Transactional data, Financial data||Signing up for an electricity contract with Tibber||Performance of the contract/ Article 6 (1) (b) GDPR.|
|Information of your house/apartment, Sensor and meter data from apps or devices that are connected to Tibber.||This information is necessary in order to make an analysis of your electricity usage and provide you with electricity usage plans, such as smart charging and smart heating.||Performance of the contract/ Article 6 (1) (b) GDPR.|
|Data from electric car||Tibber uses the data from the electric car to provide its smart charging service. Algorithms analyse the geolocation of the car in order to charge it when the car is at home.||Performance of the contract/ Article 6 (1) (b) GDPR.|
|Information of your house/apartment||To make comparisons with other users to provide users recommendations to lower your energy cost.||Performance of the contract/ Article 6 (1) (b) GDPR; Legitimate interest/ Art. 6 (1) (f). The legitimate interest is based on the interest in the proper and efficient functioning of services.|
|Information of your house/apartment, Sensor and meter data from apps or devices that are connected to Tibber.||To provide users recommendations to lower your energy costs.||Performance of the contract/ Article 6 (1) (b) GDPR; Legitimate interest/ Art. 6 (1) (f). The legitimate interest is based on the interest in the proper and efficient functioning of services.|
|Sensor and meter data from apps or devices that are connected to Tibber.||To provide information of your electricity usage in categories, such as behavioural, always on and electric car charging.||Performance of the contract/ Article 6 (1) (b) GDPR; Legitimate interest/ Art. 6 (1) (f) The legitimate interest is based on the interest in the proper and efficient functioning of services.|
|Transactional data, User data, Financial data||This information is necessary in order to process your order in Tibber Store and to handle eventual guarantee errands.||Performance of the contract/ Article 6 (1) (b) GDPR.|
|Contact information||To be able to follow up feature requests and bug reports.||Legitimate interest/ Art. 6 (1) (f). The legitimate interest is based on the interest to provide answers to your feature requests and bug reports.|
5. Retention and deletion of personal data
Tibber will only retain your personal data for as long as necessary to fulfil the purposes the personal data was collected for, including any legal, accounting, or reporting requirements.
For personal data processed due to fulfil legal requirements, we will process the personal data until the legal requirement is fulfilled, or until the data will not be required by public authorities, is not necessary for the processing or if the personal data is not necessary to ensure our legal position. However, in some circumstances, Tibber may anonymise personal data (so that it can no longer be associated with the data subjects) for research or statistical purposes, including to develop and improve our services, in which case Tibber may use this information indefinitely.
For personal data processed based on your consent, we will process the personal data until you withdraw your consent, or if the processing of personal data is not necessary, if earlier.
6. Processing of personal data for marketing purposes
Tibber uses personal data to offer products or services, including special offers, promotions, contests or entitlements that may be of interest to the data subjects or for which the data subject may be eligible.
Marketing messages may be sent to the data subjects in various modes including but not limited to electronic mail, short message service, and other mobile messaging services. The provision of marketing will only be made in compliance with relevant regulation, and with the consent of the receiver if required. If we have an ongoing relationship with the receiver and the receiver has not indicated to us that it does not wish to receive marketing, consent may not be required.
Consent can be withdrawn at any time. Please contact us via email at firstname.lastname@example.org or sign out at the end of a marketing message via the shown link.
In case the processing is based on our legitimate interest you have the right to object to the processing at any time. You can contact us via e-mail
7. Sharing and transfer of personal data
Tibber may have to share personal data with our data processors or third parties if Tibber wishes to sell, transfer, or merge parts of the business or assets. If a change happens to Tibber business, any acquirer may use your personal data in the same way as set out in this privacy notice. This may include potential buyers of assets or shares in Tibber; other entities in the Tibber group, such as subsidiaries or holding companies or other third parties, such as payment services.
Tibber requires all third parties to respect the security of your personal data and to treat it in accordance with the law. Tibber does not allow our third-party service providers to use personal data for their own purposes and only permit them to process personal data for specified purposes and in accordance with our instructions.
Tibber share personal data within the Tibber group of companies. If this involve transferring your data also outside the European Economic Area (EEA), the personal data will be protected by requiring all group companies to follow the same rules when processing personal data. Whenever personal data is transferred outside the EEA, Tibber will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
Transfer of personal data will only be done to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
Where certain service providers are used, Tibber will use the EC Model Clauses approved by the European Commission which give personal data the same protection it has in Europe.
Where providers based in the US are used, Tibber may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
8. Rights related to personal data
When Tibber is processing your personal data, you have the right to:
Request access to your personal data. Upon your request, Tibber will confirm whether we are processing your personal data and provide you with information on how we process the personal data. If requested, we provide you with a copy of that personal data. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
Request correction of the personal data that we hold about you. By having access to personal data, you may be able to ensure the accuracy of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. You may yourself correct some personal data throughout the Tibber app.
Request deletion of your personal data. This enables you to ask us to delete or remove personal data, which we have no purpose for continuing to process. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data unless we demonstrate compelling legitimate grounds for the processing. This enables you to ask us to suspend the processing of your personal data if you want us to establish the data’s accuracy; where our use of the data is unlawful but you do not want us to erase it; where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or if you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request to object to have automated decision‐making and profiling as you have the right to not be subject to decisions based solely on automated processing of your personal data, including profiling, that affect you, unless such processing is necessary for entering into, or the performance of, a contract between you and us or you provide your explicit consent to such processing.
Request the transfer of your personal data to you or a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format, provided that the information requested to be transferred is provided by you, is processed on the basis of fulfilling an agreement or based on consent, and provided that the processing of personal data is carried out by automated means.
Withdraw consent at any time where we are relying on consent to process your personal data if we rely on your consent to process your personal data. You have the right to withdraw that consent at any time. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
The right to complain to a supervisory authority in your country of residence. If you believe that our processing of your personal data infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. If you are a resident of an EU or EEA member state, you may do so in the state of your residence. However, the responsible lead supervisory authority for Tibber is the Norwegian Data Inspectorate (Datatilsynet) for its cross-border processing activities, in accordance with GDPR Article 56.
If you wish to exercise any of the rights set out above, you can contact Tibber on the contact information provided above.
9. Security of data
Tibber will use its reasonable efforts to ensure that recorded data, including personal data, credit card data, password and any confidential information, will not be disclosed, transferred, given to, or illegally used by unauthorised persons. In connection with this, Tibber will regularly audit its system in order to prevent possible vulnerabilities and attacks. However, since the internet is not a 100% secure environment, Tibber cannot, from time to time, ensure or warrant the security of information transmitted to the Tibber app and our services. While information sent via the app and our services are encrypted, Tibber advises you to be prudent with any confidential information communicated through this means.