Legal

Privacy Policy

Last updated: 1 May 2026 · Effective date: 1 May 2026

1. Who we are

Vampire.Energy (trading as v.energy) is the data controller for personal data collected through our website (vampire.energy) and our Charging Station Management System (CSMS) platform.

Our registered email address for data protection enquiries is hello@vampire.energy.

Where we act as a data processor on behalf of our business customers (for example, processing the charging session data of a hotel's guests), the business customer is the data controller and their own privacy policy governs how they use that data. We process such data only on their documented instructions.

2. What personal data we collect

2.1 Website visitors

When you browse our website we may collect:

IP address and approximate location (country / city)
Browser type, operating system, and referring URL
Pages visited and time spent on each page
Cookies and similar identifiers (see Section 8)

2.2 Contact form and demo requests

When you submit a demo request or contact us, we collect:

Full name and business email address
Company or property name
Your role and number of charge points
Free-text description of your use case

2.3 Platform accounts (operators and their staff)

When an operator organisation signs up to the v.energy CSMS, we collect for each user account:

Name, work email address, and role
Authentication credentials (password stored as a salted hash; we never store plaintext passwords)
Log-in timestamps and IP addresses
Configuration settings and preferences saved within the platform

2.4 EV charging session data (processed on behalf of operators)

The v.energy platform processes charging session data on behalf of our operator customers. This may include data relating to the drivers who charge at their sites:

RFID token identifiers, eMAIDs, or hotel room / PMS folio identifiers used to authorise a session
Vehicle plug-in and plug-out timestamps
Energy delivered (kWh) and power levels
Session cost, tariff applied, and payment reference
Charge point identifier and location
OCPI roaming token data where the session involves an external network (e.g. ENAPI)

We are a data processor for this category. The operator who deployed the charge points is the controller. If you are a driver and have questions about how your session data is stored and shared, please contact the operator of the site where you charged.

2.5 Billing and financial data

We hold the subscription billing contact (name, email, company) for each operator account, and invoicing records. Payment card details are not stored by us — payments are handled by our third-party payment processor who is PCI-DSS compliant.

3. Why we process it — legal bases

We process personal data under the following legal bases set out in Article 6 of the GDPR:

Performance of a contract (Art. 6(1)(b))

Processing account data, platform usage data, session records, and billing data to deliver the CSMS service under the terms of our customer agreement.

Legitimate interests (Art. 6(1)(f))

Website analytics to improve the site, fraud prevention, security logging, and following up on demo requests from businesses that have expressed interest in our product. Our legitimate interests do not override your privacy rights — you may object at any time (see Section 9).

Legal obligation (Art. 6(1)(c))

Retaining invoicing and financial records to comply with tax and accounting law.

Consent (Art. 6(1)(a))

Non-essential cookies and marketing communications, where we have asked for and received your explicit consent. You may withdraw consent at any time without affecting prior processing.

4. How we use your data

→Delivering the platform. Creating and managing your account, providing CSMS features, processing charging sessions, and generating reports.
→Customer communication. Responding to demo requests, providing technical support, sending invoices, and notifying you of platform updates or incidents that affect your installation.
→Security and fraud prevention. Monitoring for unauthorised access, verifying identity, and maintaining audit logs.
→Improving the service. Aggregated, anonymised usage analytics to understand how operators use the platform and to prioritise product development.
→Legal compliance. Retaining records as required by applicable law.

We do not sell your personal data to third parties. We do not use personal data for automated decision-making that produces legal or similarly significant effects.

5. Who we share data with

We share personal data only with trusted subprocessors under written data processing agreements, and only to the extent necessary to deliver the service:

Recipient / category	Purpose
Cloud infrastructure provider	Hosting platform data and backups
Payment processor	Processing subscription payments; PCI-DSS compliant
Transactional email provider	Sending account notifications, invoices, and support replies
ENAPI / OCPI roaming hub	Exchanging session and token data for roaming interoperability where applicable
Website analytics	Aggregated, privacy-respecting visitor statistics (no cross-site tracking)
Legal or regulatory authorities	When required by law, court order, or to protect rights and safety

If we are involved in a merger, acquisition, or asset sale, personal data may be transferred to the acquiring entity, subject to the same data protection commitments. We will notify affected users if this occurs.

6. How long we keep data

contact_mail

Demo and contact enquiries

Retained for up to 24 months from last contact to allow us to follow up. Deleted on request.

manage_accounts

Platform accounts

Active for the duration of the subscription. Following termination, account data is deleted or anonymised within 90 days, except where retention is required by law.

bolt

Charging session records

Retained for the period specified by the operator in their data processing agreement (typically 2–5 years to support billing disputes and financial audits). Operators may configure a shorter retention period.

receipt_long

Financial and invoicing records

Retained for 7 years from the end of the relevant fiscal year to meet legal accounting obligations.

security

Security and access logs

Retained for 12 months for fraud prevention and incident investigation.

7. International transfers

We primarily store and process data within the European Economic Area (EEA). Where we use subprocessors located outside the EEA, we ensure adequate safeguards are in place, such as:

The European Commission's Standard Contractual Clauses (SCCs), or
An adequacy decision covering the destination country.

You may request a copy of the relevant safeguards by contacting hello@vampire.energy.

8. Cookies and analytics

Our website uses cookies and similar technologies. We group them as follows:

Strictly necessary

Always on

Session management and security tokens required to operate the platform. These cannot be disabled.

Analytics and performance

Cookieless

Anonymised, cookieless statistics on page visits, navigation paths, referrers, and campaign parameters. We do not use analytics cookies, advertising IDs, or cross-site tracking for this website analytics.

Marketing and retargeting

Consent required

Currently not used. If we introduce these in future we will update this policy and request fresh consent.

If we add cookie-based analytics, retargeting pixels, chat widgets, or similar non-essential tracking in future, we will update this policy and request consent before those tools run. You can also contact us at hello@vampire.energy.

9. Your rights

Under the GDPR you have the following rights with respect to your personal data:

Right of access

Obtain a copy of the personal data we hold about you.

Right to rectification

Correct inaccurate or incomplete data without undue delay.

Right to erasure

Request deletion of your data where there is no overriding legal basis to retain it.

Right to restrict processing

Ask us to pause processing while a dispute or objection is resolved.

Right to data portability

Receive your data in a structured, machine-readable format.

Right to object

Object to processing based on legitimate interests or for direct marketing.

Right to withdraw consent

Where we rely on consent as the legal basis, you may withdraw it at any time. This will not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email hello@vampire.energy. We will respond within 30 days. Where requests are complex or numerous we may extend this by a further two months and will notify you accordingly.

You also have the right to lodge a complaint with the supervisory authority in your country of residence. In Romania this is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) at dataprotection.ro. In other EU member states you may contact your local supervisory authority.

10. Children's privacy

Our platform and website are directed at business users. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.

11. Changes to this policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top and, for material changes, notify active platform users by email at least 14 days before the changes take effect.

Continued use of our services after the effective date constitutes acceptance of the updated policy.

12. How to contact us

For any question, access request, or complaint relating to this policy or your personal data:

Vampire.Energy
Data Protection enquiries

Email: hello@vampire.energy

We aim to acknowledge all data protection enquiries within 5 business days and resolve them within 30 days.