Privacy & Data Protection

1. Who we are

Grid.Local (the “service”, “we”, “us”) is a free hobby project that lets UK households compare regional grid carbon intensity against their own home energy use. It is operated by an individual based in the United Kingdom and is not a registered company. We are not affiliated with GivEnergy, Octopus Energy, or National Grid ESO.

For any privacy-related question or to exercise your rights under the UK GDPR, contact us via the “Buy me a coffee” page linked in the header.

2. Data we collect

Account data: the email address and password hash you provide when you sign up. Passwords are hashed by our authentication provider — we never see or store them in plain text.
Configuration: your chosen DNO region, optional postcode, and any GivEnergy API key or Octopus Energy account/MPAN details you choose to enter.
Home energy data: half-hourly import, export, battery charge/discharge and solar figures fetched from the GivEnergy or Octopus APIs on your behalf, cached so we don’t have to keep re-querying those services.
Derived carbon data: calculated CO₂ figures based on your usage and the public National Grid ESO carbon intensity feed.
Technical logs: standard server logs (IP address, user agent, request path, timestamp) kept for a short period for security and troubleshooting.

We do not use advertising cookies, run third-party analytics trackers, sell your data, or share it with marketing partners.

3. Legal basis (UK GDPR)

Contract: processing needed to give you the dashboard you signed up for (account, settings, energy data caching).
Legitimate interests: keeping the service secure and debugging errors (technical logs).
Consent: connecting third-party services such as GivEnergy or Octopus Energy — you choose to enter those credentials.

4. How your data is stored

All data is stored in a managed Postgres database hosted in the EU/UK region by our backend provider. Access is restricted by row-level security policies so that only your authenticated account can read or modify your rows.

API keys and tokens (GivEnergy, Octopus) are stored encrypted at rest and are only ever transmitted over TLS. They are sent to the respective third party from our server, never exposed to other users, and never embedded in client-side code.

5. Third-party services

When you use Grid.Local, data is exchanged with the following independent services, each governed by their own privacy policies:

Lovable Cloud (Supabase): authentication and database hosting.
National Grid ESO Carbon Intensity API: public grid carbon data — no personal data is sent.
GivEnergy API: fetches your inverter readings using the API key you provide.
Octopus Energy API: fetches your tariff and consumption data using the account details you provide.
Ko-fi: the “Buy me a coffee” link goes to an external page operated by Ko-fi.

6. Cookies

We use strictly-necessary cookies and browser local storage to keep you signed in and to remember UI preferences. No advertising or cross-site tracking cookies are set.

7. Retention

Account, configuration and cached energy data are retained for as long as your account exists. Technical/server logs are retained for up to 30 days. When you delete your account, your personal data and cached energy readings are removed within 30 days (backups may persist for a short period before rotation).

8. Your rights

Under the UK GDPR you have the right to access, rectify, erase, restrict, port and object to processing of your personal data, and to lodge a complaint with the Information Commissioner’s Office (ico.org.uk). You can:

Remove your GivEnergy or Octopus credentials from the Settings page at any time.
Request account deletion by contacting us — this purges your row from every table.
Export your cached data on request.

9. Children

Grid.Local is not directed at children under 13 and we do not knowingly collect data from them.

10. Changes to this notice

We’ll update the “last updated” date above when this notice changes. Material changes will be highlighted on the dashboard.

Privacy & data protection