Privacy Policy

Last updated: April 20, 2026 | Version: 3.0

Executive Summary

Smart Light never sells your data. We only collect the minimum information necessary to compare tariffs and, if you choose, manage your supplier switch. You own your data: you can access, rectify, or delete it at any time.

1. Data Controller

Identity: Smart Light Energy S.L. (in the process of incorporation)
Address: Paseo de la Castellana, Madrid, Spain
Email: [email protected]

2. What data do we collect?

  • Email and password: To create your account and save comparisons.
  • Consumption data: kWh consumed, contracted power, postal code (from your bill).
  • Preferences: Alerts, favorite tariffs.
  • For contracting: Full name, DNI/NIE, CUPS, supply address, IBAN, phone.

3. How do we use your data?

Tariff comparison

We calculate how much you would save with each tariff using your real consumption.
Legal basis: Performance of contract (Art. 6.1.b GDPR).

Contracting management

If you contract through our platform, we process your personal and banking data to manage the switch.
Legal basis: Performance of contract (Art. 6.1.b GDPR) + explicit consent.

Analysis and improvement

We analyze anonymous usage statistics to improve the website and detect errors.
Legal basis: Consent (analytical cookies).

4. Who do we share your data with?

Direct contracting: When you contract a tariff through Smart Light, we collect your personal data (DNI, IBAN, address) within our platform. This data is shared exclusively with the supplier you choose to process the supply contract. We act as intermediaries (representatives) on your behalf, but the final contract is between you and the selected supplier.

Third parties processing data for us (Data Processors):

  • Supabase: Database and authentication (Hosted in EU - Frankfurt).
  • Cloudflare: Hosting and security (Hosted in EU).
  • Brevo (Sendinblue): Transactional email sending (Hosted in France - EU).
  • Plausible Analytics: Privacy-respecting web analytics (Hosted in EU).

Suppliers (with your explicit consent):

  • Only when you complete the contracting process on our platform.
  • Data shared: name, DNI, CUPS, address, IBAN, contracted power.
  • Purpose: to process the supply activation or switch.
  • Legal basis: performance of contract (Art. 6.1.b GDPR) and your explicit consent.

We do NOT share your data with:

  • ❌ Other suppliers you have not selected.
  • ❌ Advertising agencies or ad networks.
  • ❌ Data brokers or lead sellers.
  • ❌ Commercial partners without your specific authorization.

5. How long do we keep your data?

  • PDF bill: 7 days (automatic security deletion).
  • Comparison data (no account): 7 days.
  • User account: Until you request deletion.
  • Contracting data (DNI, IBAN, address): 5 years (fiscal and legal obligation) after completing the process.
  • IBAN after successful contracting: Immediate deletion after confirming activation with the supplier.
  • Error logs: 90 days.

Banking Data (IBAN)

Your IBAN is only used to set up direct debits with the selected supplier. It is only stored during the contracting process (maximum 30 days) and is automatically deleted after confirming activation. We do not store banking data permanently.

6. Your Rights (GDPR)

You can exercise your rights free of charge by writing to [email protected]:

  • Access: Consult what data we have about you.
  • Rectification: Correct incorrect or outdated data.
  • Erasure: Delete your account and all your data ("Right to be forgotten").
  • Portability: Download your data in JSON/CSV format.
  • Objection: Stop receiving communications or alerts.
  • Restriction: Temporarily pause the processing of your data.

We will respond to your request within a maximum of 30 calendar days.

7. Security and Cybersecurity (NIS2)

In compliance with the NIS2 Directive (EU) 2022/2555 and its transposition into Spanish law (Royal Decree-Law 7/2024 and implementing regulations), we implement advanced technical and organizational measures to ensure the security of our networks and information systems:

  • HTTPS encryption (TLS 1.3) across the entire site and communications.
  • Secure authentication via Supabase with JWT and optional MFA.
  • Row Level Security (RLS) in the PostgreSQL database for per-user data isolation.
  • Password hashing with bcrypt (we never see your passwords).
  • Automatic daily encrypted backups with geographic redundancy (EU).
  • 24/7 security monitoring via Cloudflare and intrusion detection systems.
  • Vulnerability management: Periodic audits and automated security patches.
  • Team training: Staff trained in cybersecurity and phishing prevention.

Security Officer (CISO): designated internally. NIS2 supervisory authority: INCIBE (incibe.es) / CCN-CERT for public sector.

8. Ethics Channel and Whistleblowing

In compliance with Directive (EU) 2019/1937 (Whistleblowing) and Law 2/2023 of February 20, we have established a confidential channel for reporting irregular conduct that may affect Smart Light or third parties:

  • Scope: Regulatory breaches, fraud, harassment, corruption, GDPR/NIS2 violations.
  • Confidentiality: Communications may be anonymous or identified, always confidential.
  • Protection: We guarantee non-retaliation against those who report in good faith.
  • Response time: 3 months maximum (7 days for acknowledgment of receipt).

Ethics channel contact: [email protected] (independent mailbox with external audit).

9. Cookies

See our Cookie Policy for more details.

  • Essential: Necessary for the website to function (login, session). No consent required.
  • Analytical: We use Plausible for anonymous statistics. Requires your consent.

10. Changes to this Policy

We will notify significant changes by email to registered users and update the "Last updated" date at the beginning of this document.

11. Contact

For any privacy questions: [email protected]
Supervisory authority: Spanish Data Protection Agency (AEPD).