Last updated: 4 June 2026
Privacy Policy
This Privacy Policy explains how Surpl Energy Limited processes personal data in connection with the Surpl website, apps, member accounts, business accounts, community branch features, connected energy-device services, support, payments, and related services.
Controller
Surpl Energy Limited
VENTURE HUB, 136 CAPEL STREET, DUBLIN 1, DUBLIN, D01 T2C9, IRELAND
Email: DPO@surpl.ie
This policy is intended to help data subjects understand what personal data is collected, why it is collected, how it is used, who it is shared with, how long it is retained, and what rights data subjects have under applicable data protection law, including the GDPR and the Data Protection Act 2018.
Scope
This Privacy Policy applies to:
- visitors to the Surpl website;
- members who create consumer accounts;
- business users and payers;
- community branch members and branch administrators;
- users who connect devices, portals, APIs, bank or payout details, smart meter data, inverter data, EV data, or similar energy-related services;
- installers, partners, and service providers interacting with Surpl through authorised workflows.
This policy does not override terms or notices that apply to a specific regulated service, partner flow, or product feature. Where a service depends on a third-party platform or regulated access pathway, Surpl may provide an additional just-in-time notice at the point of collection or connection.
Categories of personal data
Depending on the service used, Surpl may process the following categories of personal data.
Surpl aims to collect only the data reasonably necessary for the relevant service, feature, or legal requirement.
Identity and account data
- name, email address, phone number, account identifiers, branch membership details, profile data, authentication credentials, MFA or passkey settings, support history, and preferences.
Contact and communications data
- email content, support correspondence, transaction-related notices, consent records, notification settings, and records of messages sent through support, account, or community workflows.
Energy, home, and device data
- address-level or premises-related information provided by the user;
- Eircode or partial location data where required for branch, grid, installer, export, payout, or GO-related features;
- solar generation data, inverter telemetry, export/import metrics, battery status, charger state, heat-pump or appliance-related status where supported;
- smart meter usage or export data where available through lawful access routes;
- member-declared device information such as EV ownership, EV brand, heat-pump ownership, device counts, and similar onboarding information.
API and integration data
- access tokens, refresh tokens, API keys, device identifiers, consent grants, connection metadata, logs, and limited account information returned by connected vendors or platforms.
Payments, subscriptions, and payout data
- business billing details, subscription records, invoices, tax-related billing data, payment status, payout instructions, beneficiary details, and transaction references.
Community and branch data
- branch membership, branch roles, participation records, event participation status, public-facing branch administrator profile data where the user chooses or accepts such a role, and anonymised branch-level energy or carbon metrics.
Regulatory, audit, and safety data
- records needed for security, fraud prevention, incident response, dispute handling, compliance, audit trails, lawful requests, and policy engagement disclosures where applicable.
Sources of personal data
Personal data may be collected:
- directly from the user;
- from devices or service providers connected by the user;
- from installers, branch administrators, or authorised business account users acting with the user’s permission or under an applicable contract;
- from payment and banking service providers;
- from communications systems and support tools;
- from public or regulated data access channels where the user has authorised access or the law otherwise permits processing.
Where personal data is not obtained directly from the data subject, Surpl will provide the information required by Articles 13 and 14 GDPR, unless an exemption applies.
Purposes and legal bases
Surpl processes personal data for the following purposes and, depending on context, on the following legal bases.
Where consent is relied on, consent may be withdrawn at any time, without affecting the lawfulness of processing carried out before withdrawal.
| Purpose | Examples | Legal basis |
|---|---|---|
| Account creation and administration | creating and maintaining accounts, authentication, login security, account recovery, preferences | Contract; legitimate interests |
| Delivering Surpl services | operating dashboards, connected device services, branch participation, support, analytics shown to the user | Contract |
| Device and API connectivity | connecting inverter APIs, EV APIs, smart meter pathways, and similar services authorised by the user | Contract; consent where required |
| Installer and partner disclosure workflows | sharing selected solar or device metrics with an installer or partner where the user authorises this | Consent; contract where applicable |
| Flexibility, scheduling, and optimisation features | forecasts, estimates, device scheduling, event eligibility, member notifications, branch-level aggregation | Contract; legitimate interests; consent where required |
| Payments, subscriptions, and payouts | charging business fees, processing subscriptions, invoicing, and paying members where applicable | Contract; legal obligation |
| Security and fraud prevention | securing accounts, monitoring misuse, preventing fraud, responding to incidents | Legitimate interests; legal obligation |
| Compliance, audit, and record-keeping | tax, accounting, legal claims, regulated disclosures, audit trails | Legal obligation; legitimate interests |
| Product improvement and service analytics | improving services, reliability, and usability, including aggregated trends and reporting | Legitimate interests |
| Marketing and non-essential updates | newsletters or promotional updates | Consent or soft opt-in where legally permitted |
Connected services and specific disclosures
Inverter and solar platform connections
Where a user connects an inverter, solar monitoring portal, or related service, Surpl may process telemetry, system metadata, generation/export metrics, site identifiers, and connection tokens provided through the relevant integration. Surpl aims, where possible, to use secure vendor-approved APIs, tokens, or delegated authentication methods rather than retaining a user’s portal password in usable form. If a connection method requires token or credential storage to maintain the service, that information is protected using appropriate technical and organisational measures, including encryption and access controls.
Users are responsible for keeping their own credentials, API keys, backup codes, and account recovery methods secure, for not sharing them with third parties, and for using strong unique passwords and MFA or passkeys where available. Surpl may suspend or restrict a connection if there is a reasonable security concern.
Where a user authorises disclosure to an installer or similar partner, Surpl may share selected system or generation metrics, site-related details, and contact information strictly for the authorised purpose, such as diagnostics, support, installation follow-up, or performance review. Such sharing is optional and should be controlled through the relevant consent or workflow settings.
Smart meter data and ESB Networks pathways
The Smart Meter Data Access Code (SMDAC), published by the CRU in February 2025, provides a framework by which eligible parties with a lawful basis may access smart meter data, and ESB Networks is implementing the systems and processes established by that Code. Where Surpl receives or accesses smart meter data through a lawful pathway, Surpl processes that data only for the authorised purpose and subject to applicable law, consent flows, and platform permissions.
ESB Networks also publishes non-personal smart meter data reports. Those reports are aggregated so they cannot be used to identify an individual customer, are produced monthly, and are available for up to 24 months on the ESB Networks website. Surpl may use non-personal and aggregated grid or smart meter reports for analytics, forecasting, trend reporting, branch-level insights, or public-interest information where no individual is identifiable.
EV APIs and OEM relationships
Where a user connects an EV, charger, or related mobility service, Surpl may process vehicle identifiers, charge state, charging session data, energy usage, battery level, location-related metadata where relevant to the enabled feature, account connection metadata, and command/status information made available through the chosen integration. In some cases, this may involve integrations with vehicle OEM ecosystems or authorised intermediaries, including EV brands such as Tesla or Volkswagen Group brands where support exists.
Surpl does not control the independent privacy practices of OEMs or mobility platforms. When a user links an EV through an external provider or OEM authentication flow, that provider or OEM may act as an independent controller for data collected on its own platform. Users should review the privacy information supplied by the relevant OEM or provider at the time of connection.
Community branches and branch administrators
Surpl may support community branch structures. Where a user joins a branch, Surpl may process branch membership, role, participation status, local energy-related metrics, and branch-level aggregated insights. Some branch roles, including branch administrators or public-facing branch leads, may involve limited profile information being visible to other members or the public, such as a name, role title, public contact channel, or branch biography, where that is part of the role. Users accepting such roles should ensure any published details are accurate and appropriate.
For branch analytics, Surpl may display or publish anonymised or aggregated branch-level information, such as the amount of energy generated within the branch, overall participation levels, total estimated carbon saved, or aggregated branch flexibility metrics, provided the information is presented in a way that is not intended to identify an individual household.
GO credits, GO pooling, and related features
GO-related features may be unavailable, limited, pilot-based, or dependent on licensed counterparties and regulatory pathways. If a user opts into a GO-related pooling or matching feature, Surpl may need to process additional location and generation-related information, which may include Eircode-level information, system attributes, export data, solar asset details, and participation records, because such features may require matching or evidence of origin, system location, or eligibility.
Where GO pooling or similar features are enabled, Surpl will provide additional notices explaining the specific data required, the counterparties involved, and any visibility or disclosure implications. Users should not opt into such features unless comfortable with the required level of data sharing for that service.
Who personal data may be shared with
Surpl may share personal data with the following categories of recipients, subject to contracts, confidentiality obligations, and applicable law.
Service providers and processors
Processors act on Surpl’s instructions under appropriate contractual arrangements where required by Article 28 GDPR.
- Hetzner for cloud or server infrastructure and hosting;
- Zoho for email, customer communication, and transactional email workflows;
- Stripe for business payments, card processing, subscriptions, invoicing, and related payment operations;
- Revolut Business for certain business banking and member payout workflows where applicable;
- analytics, logging, security, support, and infrastructure vendors used to operate the service.
Energy, device, and platform partners
- inverter or solar portal providers;
- EV OEMs, charger providers, or authorised integration partners;
- installers, support partners, and technical service providers where the user has authorised the sharing or the service requires it;
- ESB Networks or other market or network participants where a lawful access route, regulated process, or user-authorised workflow applies.
Community and branch recipients
- branch administrators or branch members, only to the extent necessary for branch operations, public-facing branch functions, or authorised community features;
- the public, where only anonymised or aggregated branch-level information is displayed.
Legal and compliance recipients
- professional advisers, auditors, insurers, courts, regulators, law enforcement, tax authorities, and counterparties involved in legal claims or compliance processes where disclosure is required or justified by law.
Policy and lobbying disclosures
Where applicable, records of lobbying or public-policy engagement may be published or disclosed in accordance with Irish lobbying law. The Register of Lobbying is publicly available, there is no fee to register, and reporting obligations can arise after lobbying activity begins. Surpl may therefore process limited personal data relating to employees, officers, or representatives involved in reportable lobbying or public-policy engagement where required by law.
International transfers
Some service providers may process personal data outside the EEA. Where personal data is transferred internationally, Surpl will seek to ensure that an appropriate transfer mechanism is used, such as an adequacy decision, standard contractual clauses, or another lawful safeguard recognised by applicable data protection law.
Retention
Personal data is retained only for as long as necessary for the purposes described in this policy, including for service delivery, security, legal compliance, dispute resolution, accounting, and audit requirements. Retention periods may vary depending on the type of data and the service context, for example:
- account and profile data: for the life of the account and a limited period afterwards where needed for security, support, or legal reasons;
- device and integration data: for as long as the connection remains active and for a limited period afterwards for logs, troubleshooting, integrity, and audit;
- billing and payout records: for the period required by tax, accounting, and legal obligations;
- consent and audit records: for as long as required to demonstrate compliance, manage disputes, or satisfy regulatory obligations;
- anonymised or aggregated data: potentially longer, where it no longer identifies a person.
Where deletion is requested, Surpl will delete or anonymise personal data unless retention is required by law or necessary for the establishment, exercise, or defence of legal claims.
Security
Surpl uses technical and organisational measures appropriate to the risk, which may include encryption at rest and in transit, access controls, logging, role-based restrictions, vulnerability management, supplier management, and security monitoring. No method of storage or transmission can be guaranteed to be completely secure, but reasonable measures are used to protect confidentiality, integrity, and availability of personal data.
Users are also responsible for protecting their accounts and credentials, including:
- using strong, unique passwords;
- enabling MFA or passkeys where available;
- keeping API keys, tokens, backup codes, and connected-vendor credentials confidential;
- not sharing accounts with others;
- informing Surpl promptly of suspected unauthorised access.
Automated decision-making and profiling
Surpl may use rules, analytics, or models to provide estimates, scheduling suggestions, branch insights, anomaly detection, savings projections, or similar service outputs. Such outputs are generally intended to assist users and may be based on assumptions, historical data, or connected-device data. Unless expressly stated otherwise for a specific regulated feature, such outputs are estimates and should not be interpreted as guaranteed outcomes.
Where a feature involves legally significant automated decision-making, Surpl will provide additional information required by law.
Children
Surpl’s services are not intended for children unless expressly stated for a particular programme. If it becomes apparent that personal data has been collected from a child in a manner that is not authorised by applicable law, Surpl will take appropriate steps to delete or restrict that data.
Data subject rights
Subject to applicable law, data subjects may have the right to:
- access personal data;
- rectify inaccurate personal data;
- erase personal data;
- restrict processing;
- object to certain processing;
- receive personal data in a portable format where applicable;
- withdraw consent where consent is relied on;
- complain to the Irish Data Protection Commission.
Privacy notices are a key transparency tool under Articles 12 to 14 GDPR and should explain purposes, recipients, and retention to data subjects. Requests may be sent to DPO@surpl.ie.
Complaints
If a person has a concern about how Surpl processes personal data, that concern can be raised first with Surpl at DPO@surpl.ie. A complaint may also be made to the Irish Data Protection Commission.
Cookies and similar technologies
The Surpl website and services may use cookies or similar technologies for essential service operation, security, performance, analytics, and user preferences. Where non-essential cookies are used, Surpl should seek consent in accordance with applicable law and provide a separate cookie notice or consent tool where appropriate.
Changes to this policy
This Privacy Policy should be treated as a living document and may be updated from time to time to reflect legal, technical, product, or operational changes. Where changes are material, Surpl may provide a prominent notice, in-product message, email, or other appropriate communication.
Contact
Questions, requests, or complaints about this Privacy Policy or Surpl’s processing of personal data can be sent to:
Data Protection Officer
Surpl Energy Limited
VENTURE HUB, 136 CAPEL STREET, DUBLIN 1, DUBLIN, D01 T2C9, IRELAND
Email: DPO@surpl.ie