PROSPECT DATA PROTECTION POLICY
Version: 3.0
Last Updated: 2026-05-24
Effective Date: 2026-05-25
PROSPECT is a data platform operated by the Access to Energy Institute.
PROSPECT provides its software on an open source, free of charge basis, to help its users collect, aggregate, analyze and display data from any modern renewable energy solution.
This PROSPECT Data Protection Policy applies to all PROSPECT domains and services, including but not limited to prospect.energy, app.prospect.energy, and a2ei.org.
1. CONTROLLER AND CONTACT INFORMATION
The party responsible for the processing of your personal data (the "controller") is:
Access to Energy gGmbH (A2EI)
Paul-Lincke-Ufer 8D
10999 Berlin, Germany
E-Mail: prospect@prospect.energy
Website: https://a2ei.org
For precise legal details, see our Impressum.
For data protection-related inquiries, please contact our Data Protection Officer (DPO) at dpo@prospect.energy.
2. DATA PROCESSING ACTIVITIES
This section describes the personal data we process, the purposes, the lawful basis, whether provision is mandatory or voluntary, and the categories of recipients.
2.1 Our Role: Controller and Processor
A2EI processes personal data in two capacities:
- As a PII Controller: When we process personal data for our own purposes (e.g., managing our employees, handling support requests, operating the PROSPECT platform infrastructure).
- As a PII Processor: When we process personal data on behalf of our customers who operate Energy Access programs (such as Result Based Finance (RBF) programs) through PROSPECT. In this capacity, we process data according to the instructions of the PII Controller (the organization running the Energy Access program). Retention periods and processing purposes for RBF program data are defined by the respective PII Controller.
2.2 Overview of Processing Activities
| Processing Activity | Our Role | Personal Data Processed | Purpose | Lawful Basis (GDPR Art. 6) | Mandatory / Voluntary |
|---|---|---|---|---|---|
| Prospect User Registration Form | PII Controller | Contact details (name, title, email, phone), organization profile (name, address, country, website, region, ownership, type, activities), technical/hardware details, CRM/payment integration info, technology focus, program participation, comments | Assessing fit, tailoring onboarding, inviting qualified organizations to a demo | Consent (6(1)(a)) | Voluntary |
| Account Registration & Management | PII Controller | Name, email address, organization | User account creation, authentication, role management | Contractual Necessity (6(1)(b)) | Mandatory for service use |
| Server Logs | PII Controller | IP address, browser type/version, operating system, referrer page, accessed page, timestamp | Service availability, security monitoring, troubleshooting, statistical analysis | Legitimate Interest (6(1)(f)) | N/A (automatically collected) |
| CrowdSec WAF Security Monitoring | PII Controller | IP address, geolocation data (derived from IP), security event metadata (attack type, timestamp, machine identifier), scenario information (name and version of triggered security rules) | Protection against cyber attacks (admin interface probing, backdoor attempts, malicious user agents, unauthorized crawling, CVE probing, sensitive file scanning), threat intelligence sharing with CrowdSec community | Legitimate Interest (6(1)(f)) | N/A (automatically collected) |
| Support Requests | PII Controller | Contact details (name, email, phone), account identifiers (organization name, user ID), case details (issue description, timestamps, attachments), device/technical data | Receiving and resolving support requests, troubleshooting technical issues, maintaining service quality | Legitimate Interest (6(1)(f)) | Voluntary |
| Anonymized Website Analytics | PII Controller | Aggregated metrics (page views, sessions, timestamps), device/technical data (device type, OS, browser), traffic/source metadata (referrer, landing pages) — no IP addresses or identifiable personal data | Website analytics for usage monitoring, product optimization, capacity planning, UX improvements | Legitimate Interest (6(1)(f)) | N/A (automatically collected, anonymized) |
| RBF Program Data | PII Processor | Program participant data, system measurements, GPS coordinates | Renewable energy program management and reporting | Contractual Necessity (6(1)(b)) or Legal Obligation (6(1)(c)) | Mandatory for program participants |
2.3 Processing Activity Notes
Processing activities marked as "PII Controller" are activities where A2EI determines the purposes and means of processing. Activities marked as "PII Processor" are performed on behalf of the organization running the RBF program, which acts as the PII Controller.
2.4 CrowdSec WAF
To protect our services against cyber attacks, we use CrowdSec, an open-source Web Application Firewall (WAF) that monitors and blocks malicious traffic in real-time.
Data Processed: IP address, geolocation data (derived from IP), security event metadata (attack type, timestamp, machine identifier), and scenario information (name/version of triggered security rules).
Community Sharing: CrowdSec operates a community-driven threat intelligence model. Security events detected on our infrastructure contribute to a shared database of threat indicators, helping protect all CrowdSec users. Only anonymized threat data (IP addresses and attack patterns) is shared — no personal data about our users is shared.
Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR) — Protection against cyber attacks and ensuring service availability. Retention: 12 months.
2.5 Source of Personal Data
Unless stated otherwise, all personal data is collected directly from you. In specific cases, data may be obtained from:
- Third-party authentication providers (e.g., Google, Microsoft) when you log in using a single sign-on (SSO) option
2.6 Mandatory vs. Voluntary Data Provision
- Mandatory data: Required to create an account and use the PROSPECT platform (name, email address). Failure to provide this data means the service cannot be provided.
- Voluntary data: Prospect User Registration Form and support requests are optional. You will not be disadvantaged if you choose not to provide voluntary data.
2.7 Special Category Data
We do not process special category personal data as defined in Article 9 of the GDPR (e.g., health data, racial or ethnic origin, political opinions, religious beliefs, biometric data, sexual orientation).
2.8 Automated Decision-Making
RBF Program Instances: Within PROSPECT instances that operate Result Based Finance programs, automated processing is used to evaluate uploaded sales data against Controller-defined criteria to determine subsidy eligibility. In these cases:
- A2EI acts as a data processor implementing automated decision logic that is provided and authorized by the Data Controller (the organization running the RBF program)
- All decisions about data subjects are made under the Controller's instructions — we do not independently design, change, or interpret the decision rules
- We do not make legal or similarly significant decisions about individuals
- The Data Controller retains full responsibility for defining the criteria, reviewing decisions, and ensuring compliance with applicable laws
- If our role changes to include autonomous decision-making, we will update this policy and inform affected data subjects accordingly
All Other Processing: Outside of RBF-enabled PROSPECT instances, we do not engage in automated individual decision-making or profiling that produces legal or similarly significant effects on you, as referred to in Article 22 of the GDPR. This means your account registration, support requests, and platform usage are not subject to automated decisions that would significantly impact your rights or obligations.
If our processing practices change to include automated decision-making with legal or similarly significant effects, we will inform you and explain the logic involved and the safeguards in place.
3. COOKIES AND TRACKING TECHNOLOGIES
PROSPECT Application (app.prospect.energy): PROSPECT uses necessary cookies and similar technologies to provide core functionality, including maintaining login sessions and authentication state. Some authentication cookies may persist beyond the browser session where needed to keep users logged in securely.
We do not use marketing or advertising cookies. Where analytics are enabled, they are configured without advertising or cross-site marketing purposes.
Websites (prospect.energy and a2ei.org): Our informational websites do not use cookies.
4. YOUR RIGHTS
Under the GDPR, you have the following rights regarding your personal data:
| Right | Description | GDPR Article |
|---|---|---|
| Right of Access | Request confirmation as to whether your personal data is being processed, and access to that data and information about the processing | Art. 15 |
| Right to Rectification | Request correction of inaccurate personal data and completion of incomplete data | Art. 16 |
| Right to Erasure | Request deletion of your personal data under certain conditions ("right to be forgotten") | Art. 17 |
| Right to Restriction of Processing | Request restriction of processing under certain conditions (data is blocked and not processed for other purposes) | Art. 18 |
| Right to Data Portability | Receive your personal data in a structured, commonly used, machine-readable format, and have it transmitted to another controller | Art. 20 |
| Right to Object | Object to the processing of your personal data at any time, particularly for direct marketing or processing based on legitimate interests | Art. 21 |
| Right to Withdraw Consent | Withdraw your consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal | Art. 7(3) |
| Right to Lodge a Complaint | Lodge a complaint with a supervisory authority if you believe the processing of your personal data violates data protection law | Art. 77 |
5. EXERCISING YOUR RIGHTS
To exercise any of your rights, please contact us at dpo@prospect.energy.
- Response Time: We will respond to your request within one month of receipt. Where necessary (e.g., due to complexity or number of requests), this period may be extended by two further months. We will inform you of any extension within one month of receipt.
- Identity Verification: To protect your personal data, we may request additional information to verify your identity before processing your request.
- Format: Requests can be submitted via email or post. We will process your request in accordance with applicable data protection laws.
- Fees: Requests are generally free of charge. If a request is manifestly unfounded or excessive, we may charge a reasonable fee based on administrative costs, or decline to act.
If we choose not to act on a request, we will explain why and inform you of your right to lodge a complaint with a supervisory authority and of your right to a judicial remedy.
6. SUPERVISORY AUTHORITY
If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with the competent supervisory authority:
Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 93-95
10559 Berlin, Germany
Phone: +49 30 138 89-0
Website: https://www.datenschutz.berlin.de
7. DATA BREACH NOTIFICATION
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, A2EI will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it.
If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. The notification will include, in clear and plain language:
- A description of the nature of the breach
- The contact details of our Data Protection Officer
- The likely consequences of the breach
- The measures taken or proposed to be taken to address the breach, including measures to mitigate its effects
8. DATA RETENTION
A2EI retains your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. The retention period depends on the type of data and its purpose:
- Account Data: Retained for the duration of your account and for a limited period after termination to allow for data export and compliance with legal obligations.
- Server Logs: Retained for a limited period necessary for security monitoring and troubleshooting.
- CrowdSec Security Logs: Retained for 12 months for security monitoring and threat intelligence purposes.
- Support Requests: Retained until the inquiry is resolved and for a limited period thereafter for follow-up purposes.
- RBF Program Data: Retained as long as the RBF program is operated by the PII Controller (RBF Management). Retention periods are defined by the respective PII Controller.
When data is no longer needed for its original purpose and no legal retention obligation applies, it is either deleted or anonymized. If legal obligations prevent deletion, processing is restricted (data is blocked and not used for other purposes).
Personal data contained in system backups may be retained for disaster recovery purposes even after deletion rights have been exercised, provided that such data is not actively processed and access is strictly restricted. Backup data is stored securely (encrypted) and is only used in the event of system restoration. Any personal data that was deleted prior to backup creation must be re-deleted without undue delay after restoration.
9. SUBPROCESSORS
A2EI engages third-party service providers (subprocessors) to process personal data on our behalf. All subprocessors are bound by written data processing agreements and are required to comply with applicable data protection laws. We conduct due diligence and monitor subprocessors in accordance with our supplier management policy (ISO 27001 A.5.19).
| Subprocessor | Purpose | Data Location | Certifications |
|---|---|---|---|
| Hetzner Online GmbH | Data center hosting, cloud VMs, networking, storage | Helsinki, Finland | ISO 27001, BSI C5 |
| Wasabi | Encrypted backup storage | EU Central (Frankfurt) | ISO 27001, ISO 27701, SOC 2 |
| Vercel | PROSPECT website hosting, web development | World Wide | ISO 27001, SOC 2 |
| IONOS SE | S3 bucket backups | Frankfurt, Berlin | ISAE 3000, BSI C5, ISO 27001 |
| | Identity provider, office suite, messaging, video conferencing, email | World Wide | ISO 27001, ISO 27701, SOC 2 |
| Microsoft | Identity provider, Office 365, Azure | World Wide | ISO 27001, ISO 27701, SOC 2 |
| Gandi | Domain hosting, WordPress hosting | Paris, France | ISO 27001 |
| TrooperAI | Hosting of AI models | EU | ISO 27001 certified data center |
| CrowdSec | Web Application Firewall (WAF) for security monitoring and threat intelligence | EU (Community Cloud) | Open Source (Community-driven) |
You have the right to request an updated list of subprocessors by contacting us at dpo@prospect.energy.
10. INTERNATIONAL DATA TRANSFERS
Some of our subprocessors process or store personal data outside the European Economic Area (EEA). The countries to which personal data may be transferred include: USA, Germany, Finland, France, and Great Britain.
In such cases, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V:
- Standard Contractual Clauses (SCCs): Approved by the European Commission and incorporated into our data processing agreements with subprocessors
- EU-U.S. Data Privacy Framework (DPF): Where applicable, subprocessors certified under the DPF adhere to strict data protection standards
- Adequacy Decisions: Where the European Commission has determined that a third country ensures an adequate level of data protection
Note on CrowdSec: Security event data (IP addresses and attack patterns) may be shared with the CrowdSec community cloud for threat intelligence purposes. This data is processed within the EU where possible. The sharing of threat intelligence is essential for the functioning of the WAF and protects our services against cyber attacks.
You have the right to request a copy of the appropriate safeguards we have put in place by contacting us at dpo@prospect.energy.
11. SECURITY MEASURES
A2EI implements appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our Information Management System (IMS) is certified to ISO 27001 (Information Security) and ISO 27701 (Privacy Information Management). Key measures include:
- Encryption: Data is encrypted in transit (TLS) and at rest
- Access Controls: Role-based access control with principle of least privilege; privileged access is monitored and logged
- Data Classification: Personal data is classified as "Sensitive" and handled accordingly
- Logging and Monitoring: All access to personal data is logged and monitored (logs retained for 62 days)
- Data Leakage Prevention: Technical controls to detect and prevent unauthorized data disclosure
- Web Application Firewall (CrowdSec): Real-time protection against cyber attacks including admin interface probing, backdoor attempts, malicious user agents, unauthorized crawling, CVE probing, and sensitive file scanning
- Regular Audits: Internal and external audits of our IMS, including annual certification audits
- Employee Training: Mandatory data protection and privacy awareness training for all personnel
- Incident Response: Documented procedures for detecting, responding to, and learning from security and privacy incidents
- Secure Development: Secure coding practices, pre-commit hooks, and separation of development, test, and production environments
- Backups: Regular encrypted backups with defined retention periods and restricted access
12. CHANGES TO THIS POLICY
We may update this Data Protection Policy to reflect changes in our practices, technologies, legal requirements, or our IMS.
- This policy is reviewed annually by our Data Protection Officer.
- Material changes will be communicated by posting the updated policy on our website and updating the "Last Updated" date at the top of this policy.
- Where user consent is required for changes, or where changes affect the contractual relationship, such changes will only be implemented with your consent.
We recommend that you review this policy periodically.
13. LEGAL NOTICE
We make every endeavor to ensure the correctness of all information provided on our website. Despite our best efforts, we are unable to guarantee that the content is complete, correct, or up to date at all times. We accept no liability for damage caused by the use of this service, unless such damage is proven to have been caused by premeditation or gross negligence.
Links to third-party websites are provided for convenience only. We assume no responsibility for the content or availability of third-party websites.
The layout, graphics, pictures, and articles on our websites are protected by copyright. Pages may only be reproduced for private use without amendment, and no copies may be distributed without our prior consent.
14. DISPUTE RESOLUTION
A2EI provides the PROSPECT platform for users to input and store data. While A2EI takes measures to ensure the security of the platform, it does not assume responsibility for the accuracy or reliability of data entered by users. A2EI is not liable for damages or losses resulting from the use of the platform or the data stored therein.
By using the PROSPECT platform, users agree to hold A2EI harmless from claims or liabilities arising from the use of the platform or the data stored therein, except where such liability cannot be excluded by law.
15. DEFINITIONS
For definitions of terms used in this PROSPECT Data Protection Policy, see the PROSPECT Definitions.