POWERFILL PRIVACY POLICY
Effective Date: March 27, 2025
This Privacy Policy describes how Powerfill, LLC ("PowerFill," "we," "us," or "our") and its parent company, Powerfill Technologies Ltd. (collectively, the "PowerFill Group"), collect, use, disclose, and protect personal information in connection with our Platform, website, and services.
The PowerFill Group is committed to transparency and to complying with applicable data protection laws, including the EU General Data Protection Regulation ("GDPR"), the Israeli Privacy Protection Law, 5741-1981, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable privacy legislation.
1. Data Controller and Processor
The data controller for the purposes of applicable data protection law is:
Powerfill, LLC (a Delaware limited liability company)
32300 Northwestern Hwy, #215
Attn. Powerfill
Farmington Hills, MI 48334, United States
Email: privacy@powerfill.io
Website: powerfill.io
Parent Company and Joint Controller/Processor:
Powerfill Technologies Ltd. (an Israeli limited liability company)
33 Tura Street, Jerusalem, Israel 94102
Email: privacy@powerfill.io
Powerfill Technologies Ltd. is the parent company and sole owner of Powerfill, LLC. Employees of Powerfill Technologies Ltd. may access personal data remotely for development, operational, and support purposes.
1.1 Our Role: Controller and Processor
As Controller: PowerFill acts as the data controller for personal data related to Customer accounts — including account registration, billing, communications with PowerFill, and Platform usage data.
As Processor: PowerFill acts as the data processor when Customers (Charge Point Operators) create driver profiles, end-user accounts, or administrator accounts through the Platform. In this capacity, the Customer is the data controller and PowerFill processes such data solely on the Customer's documented instructions. If you are a driver or end user whose information was entered by a Charge Point Operator, please direct data protection inquiries to that operator in the first instance.
1.2 EU/EEA Representative (GDPR Article 27)
As required by Article 27 of the GDPR, our designated representative in the European Union is:
PowerFill EU Representative
Hamburg, Germany
Email: privacy@powerfill.io
Our EU representative is available to data subjects and supervisory authorities on all matters related to the processing of personal data under the GDPR.
2. Information We Collect
2.1 Information You Provide
Customer Account Information: Name, email address, company name, billing address, and other information submitted during registration or account management.
Payment and Billing Information: Payment card and billing details are collected and processed by our payment processor, Stripe, Inc. PowerFill does not store complete payment card numbers on its systems.
Charge Point Configuration: Charger identifiers, names, OCPP settings, firmware versions, and location configurations.
Driver and End-User Profiles: When Customers create driver profiles through the Platform, we store driver names, email addresses, phone numbers, RFID card identifiers, and app authentication keys, as provided by the Customer on behalf of its drivers and end users.
Administrator Accounts: When Customers invite additional administrators, we collect the administrator's email address through our opt-in invitation process. Administrators must affirmatively accept the invitation before their account is activated.
Communications: Support requests, feedback, correspondence, and other communications with PowerFill.
2.2 Information Collected Automatically
When the Platform is accessed or used, we automatically collect: charging session data (start/stop timestamps, energy delivered in kWh, session duration, and connector type); Charge Point status and diagnostic data transmitted via OCPP (firmware versions, error codes, connectivity events); Charge Point location data (GPS coordinates as configured by the Customer); RFID card usage and authentication events associated with charging sessions; IP addresses, browser type and version, device identifiers, and usage patterns; server log data and application analytics; and cookies and similar technologies as described in our Cookie Policy at powerfill.io/cookies.
2.3 Information We May Collect in the Future
As the Platform evolves, we may collect additional categories of data, including: vehicle identification numbers (VINs) for session attribution and fleet management; energy pricing and tariff data from utility providers for smart charging optimization; grid demand and frequency data for demand response and virtual power plant services; and driver payment information for end-user billing features. We will update this Privacy Policy before collecting any new categories of personal data and, where required by law, obtain appropriate consent or provide a valid legal basis.
3. How We Use Your Information
We process personal information for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing and operating the Platform | Account data, charger data, session data | Performance of contract (Art. 6(1)(b)) |
| Payment processing and invoicing | Billing information (via Stripe) | Performance of contract (Art. 6(1)(b)) |
| Customer support | Account data, communications | Performance of contract (Art. 6(1)(b)) |
| Driver profile management (on behalf of CPO) | Driver name, email, phone, RFID identifier | Performance of contract with Customer (Art. 6(1)(b)); PowerFill acts as processor |
| Driver email notifications (charging alerts) | Driver email, session data | Consent of driver (Art. 6(1)(a)) — driver verifies identity and opts in |
| Administrator invitation and access management | Admin email, role assignment | Consent (Art. 6(1)(a)) — admin accepts invitation |
| Platform improvement and analytics | Usage analytics, session data, diagnostics | Legitimate interest (Art. 6(1)(f)) |
| Aggregated analytics, demand response, and grid optimization research | Anonymized and aggregated data | Legitimate interest (Art. 6(1)(f)) |
| Security monitoring and fraud prevention | IP addresses, log data, usage patterns | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance (tax, audit, regulatory) | As required by law | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (opt-in only) | Email address, name | Consent (Art. 6(1)(a)) |
3.1 Aggregated and Anonymized Data
We may derive Aggregated Data — anonymized, de-identified, and aggregated data that cannot reasonably identify any individual — from the information we collect. Aggregated Data is not personal data under applicable law and may be used without restriction for purposes including: analyzing energy consumption and charging patterns; developing demand response, smart charging, and grid optimization capabilities; generating industry benchmarks and reports; and research and development. Our Terms of Service describe Customers' consent to this use in detail.
3.2 Driver Email Notifications
PowerFill sends email notifications to drivers only when all of the following conditions are satisfied: (a) the Customer (Charge Point Operator) has enabled and configured email notifications through the Platform; (b) the driver has used their unique RFID card or app authentication key at a Charge Point managed through the Platform; and (c) the driver has independently verified their identity through the Platform's verification process. Drivers who have not completed identity verification will not receive any email communications from the Platform, regardless of CPO configuration.
4. How We Share Your Information
PowerFill does not sell personal information. We do not share personal information for cross-context behavioral advertising. We may disclose your information to the following categories of recipients:
PowerFill Group entities: Powerfill Technologies Ltd. (our parent company) and its employees, for development, operational, and support purposes under appropriate internal data-sharing arrangements.
Your Charge Point Operator: If your personal data was provided by a Charge Point Operator (e.g., you are a driver or invited administrator), that operator retains access to your data through the Platform in its capacity as data controller.
Service providers and sub-processors: Third-party vendors who process data on our behalf under written data processing agreements, including Stripe, Inc. (payment processing), cloud infrastructure providers (currently AWS, Google Cloud, and Supabase), analytics providers, and customer support tools. All sub-processors are contractually required to process personal data only on our instructions and to maintain appropriate technical and organizational security measures.
Legal and regulatory compliance: Where disclosure is required by applicable law, regulation, legal process, or binding governmental request.
Business transfers: In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets. We will provide notice of any such transfer and any choices available to you regarding your information.
With your consent: Where you have directed us to share information with a specified third party.
5. International Data Transfers
Your personal data is hosted on third-party cloud infrastructure in the following locations:
European Union (Germany): Our default hosting region. Customer Data is stored in the EU by default, meaning no cross-border transfer occurs for EU/EEA data subjects under standard configurations.
United States: Certain infrastructure services and payment processing (Stripe) may process data in the United States. Such transfers are subject to the cloud providers' own Standard Contractual Clauses (SCCs) and/or the EU-U.S. Data Privacy Framework, as applicable.
Israel (remote access only): No Customer Data is stored in Israel. Employees of Powerfill Technologies Ltd. located in Israel may access data remotely for development and operational purposes. Israel has been recognized by the European Commission as providing an adequate level of data protection under Article 45 of the GDPR; no additional transfer mechanism is required.
Enterprise deployments: Enterprise Customers may request dedicated region deployments with data isolation. Data residency for such deployments will be specified in the applicable Enterprise agreement.
6. Data Retention
We retain personal data only as long as necessary to fulfill the purposes for which it was collected or as required by applicable law. Our standard retention periods are:
Active account data: Duration of your active account.
Charging session data: Duration of your account plus thirty (30) days following termination.
Driver and end-user profiles: Duration of the Customer account that created them. Upon termination of a Customer's account, associated driver profiles are included in the 30-day data export window and are subsequently deleted.
Administrator accounts: Duration of the Customer's account or until removed by the Customer or the administrator, whichever is earlier.
Billing and transaction records: Seven (7) years, for tax, accounting, and legal compliance purposes.
Support communications: Three (3) years from resolution of the inquiry.
Aggregated Data: Retained indefinitely, as Aggregated Data is not personal data.
Upon account termination, you may export your data within thirty (30) days. After this period, personal data will be deleted or irreversibly anonymized, except where longer retention is required by applicable law.
7. Your Rights
7.1 Rights Under EU/EEA GDPR
If you are located in the European Union or European Economic Area, you have the following rights under the GDPR: access to your personal data (Art. 15); rectification of inaccurate data (Art. 16); erasure ("right to be forgotten") (Art. 17); restriction of processing (Art. 18); data portability — to receive your data in a structured, commonly used, machine-readable format (Art. 20); objection to processing based on legitimate interests (Art. 21); withdrawal of consent at any time, without affecting the lawfulness of prior processing (Art. 7(3)); freedom from solely automated decision-making with legal or similarly significant effects (Art. 22); and the right to lodge a complaint with your local supervisory authority (listed at https://edpb.europa.eu/about-edpb/about-edpb/members_en).
7.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the right to: know what personal information we collect, use, and disclose; request deletion of your personal information; correct inaccurate personal information; opt out of the sale or sharing of personal information (note: we do not sell or share personal information for behavioral advertising); limit the use of sensitive personal information; and non-discrimination for exercising your rights.
7.3 Rights Under Israeli Privacy Law
If you are an Israeli resident, you have the right to access, correct, and request deletion of your personal data under the Privacy Protection Law, 5741-1981. You may contact the Privacy Protection Authority at https://www.gov.il/en/departments/the_privacy_protection_authority.
7.4 Exercising Your Rights
Customers (Charge Point Operators): Contact us directly at privacy@powerfill.io. We will respond within thirty (30) days (or within the shorter timeframe required by applicable law). We may need to verify your identity before processing your request.
Drivers and end users: Please contact the Charge Point Operator who manages your charging account in the first instance. The CPO is the data controller for your information and is responsible for handling your data rights requests. PowerFill will provide reasonable cooperation to the CPO in fulfilling such requests.
Administrators: You may contact us directly at privacy@powerfill.io or contact the Customer organization that invited you.
If you are unsatisfied with our response, you have the right to lodge a complaint with the competent supervisory authority in your jurisdiction.
8. Data Security
We maintain appropriate technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction, including: encryption of data in transit (TLS 1.2+) and at rest; role-based access controls and multi-factor authentication; regular security assessments and penetration testing; automated monitoring and logging of access to personal data; and documented incident response and business continuity procedures. No method of transmission or storage is completely secure. While we employ commercially reasonable safeguards, we cannot guarantee absolute security.
8.1 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, PowerFill will: (a) notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach, as required by GDPR Article 33 and equivalent laws; (b) notify affected Customers (as data controllers for driver data) without undue delay to enable them to meet their own notification obligations; (c) notify directly affected individuals without undue delay where the breach involves data for which PowerFill is the controller and is likely to result in a high risk to their rights and freedoms; and (d) document all breaches, their effects, and the remedial actions taken.
9. Children's Privacy
The Platform is not directed to individuals under eighteen (18) years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@powerfill.io and we will promptly delete such information.
10. Third-Party Links and Services
The Platform may contain links to third-party websites or services not operated by PowerFill. This Privacy Policy does not govern those third parties. We encourage you to review the privacy policies of any external services you access through links on the Platform.
11. Automated Decision-Making
PowerFill does not currently engage in solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. If we introduce such processing in the future, we will update this Privacy Policy and provide you with information about the logic involved, the significance, and the envisaged consequences, as required by Article 22 of the GDPR.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. Material changes will be communicated via email or the Platform at least thirty (30) days before they take effect. The "Effective Date" at the top of this policy indicates the most recent revision. We encourage you to review this policy periodically.
13. Contact Us
For privacy-related inquiries or to exercise your data rights:
Powerfill, LLC
32300 Northwestern Hwy, #215
Attn. Powerfill
Farmington Hills, MI 48334, United States
Email: privacy@powerfill.io
Website: powerfill.io
Parent Company: Powerfill Technologies Ltd.
33 Tura Street, Jerusalem, Israel 94102
Email: privacy@powerfill.io
EU/EEA Representative:
Hamburg, Germany
Email: privacy@powerfill.io
For EU/EEA residents, you may also contact your local data protection supervisory authority. For Israeli residents, you may contact the Privacy Protection Authority at https://www.gov.il/en/departments/the_privacy_protection_authority. For California residents, you may contact the California Attorney General at https://oag.ca.gov.