Privacy Policy

1. Introduction

Xplug, Inc. ("Xplug," "we," "us," or "our") operates an AI-defined energy coordination platform that provides non-binding software recommendations for electric vehicle charging and energy coordination services.

Xplug is not a utility, not a charging network operator, and does not control third-party infrastructure. We provide software services that generate recommendations based on system signals and coordination data.

This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our services. We are committed to complying with the European Union General Data Protection Regulation ("GDPR") and applicable United States privacy laws, including the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA") where applicable.

2. Information We Collect

We collect information necessary to provide our coordination services. We follow data minimization principles and prefer system signals over personal identity where possible.

Account Information: When you create an account, we collect your email address and credentials necessary for account authentication and service access.

Operational and Contextual Data: If enabled by you, we may collect:

• Location data related to charging needs and trip planning
• Trip intent and destination information
• Charging metadata, including battery levels, charging preferences, and vehicle information
• Energy coordination signals and system state data

Usage Signals and Analytics: We collect usage data, system performance metrics, and reliability signals to maintain service quality, detect and prevent fraud, and improve system accuracy. This includes aggregated coordination signals and system health indicators.

Device, Log, and Performance Data: We automatically collect technical information including device identifiers, IP addresses, browser type, operating system, log files, and performance metrics necessary for service delivery and security.

We emphasize that our system is designed to operate on coordination signals rather than personal identity. Where possible, we process aggregated or anonymized data to minimize personal information collection.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area ("EEA"), we process your personal information based on the following legal grounds:

Contract Performance: We process your information to perform our contract with you, including providing coordination services, generating recommendations, and maintaining your account.

Legitimate Interests: We process information for our legitimate interests in:

• Ensuring system reliability and service quality
• Preventing fraud and security threats
• Improving our services and coordination accuracy
• Maintaining system security and preventing abuse

Consent: Where required by law, we obtain your consent before processing certain categories of personal information, such as precise location data or sensitive information. You may withdraw your consent at any time.

4. How We Use Information

We use the information we collect to:

• Operate our services: Provide energy coordination recommendations, manage your account, and deliver platform functionality
• Generate non-binding recommendations: Create software-generated suggestions for charging decisions and energy coordination based on system signals
• Improve accuracy, reliability, and security: Analyze usage patterns, system performance, and coordination signals to enhance service quality and prevent security incidents
• Legal compliance: Comply with applicable laws, regulations, legal processes, and enforceable governmental requests

We do not use your information for advertising purposes, behavioral profiling, or any purpose unrelated to providing our coordination services.

5. Data Sharing

We share your information only in the following limited circumstances:

Third-Party Infrastructure Providers: We may share information with third-party infrastructure providers (such as charging network operators, cloud service providers, and data processors) strictly as necessary to execute and deliver our coordination services. These providers are contractually obligated to protect your information and use it only for the purposes we specify.

Service Providers: We engage service providers who assist us in operating our platform, including hosting, analytics, security, and customer support services. These providers are bound by confidentiality agreements and may only use your information to provide services to us.

Legal or Regulatory Disclosure: We may disclose information if required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety, or that of our users or others.

No Sale of Personal Data: We do not sell your personal information. We do not share your information with third parties for their advertising or marketing purposes.

No Advertising or Profiling Use: We do not use your information for advertising purposes or create behavioral profiles for marketing. Our use of information is limited to providing and improving our coordination services.

6. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country.

When we transfer personal information from the EEA to countries that are not recognized as providing an adequate level of data protection, we implement appropriate safeguards, including standard contractual clauses approved by the European Commission, to ensure your information receives adequate protection.

7. Data Retention

We retain your information only for as long as necessary to provide our services and fulfill the purposes described in this Privacy Policy.

Real-Time Signals: Coordination signals and real-time operational data are retained with short time-to-live (TTL) periods, typically not exceeding the duration necessary for service delivery and system reliability.

Aggregated and Anonymized Metrics: We may retain aggregated, anonymized, or de-identified data for longer periods to analyze system performance, improve coordination accuracy, and maintain service quality. This data cannot be used to identify you personally.

Account Information: We retain account information for as long as your account is active or as needed to provide services. You may request deletion of your account and associated information at any time.

We may also retain information when necessary to comply with legal obligations, resolve disputes, enforce agreements, or protect our legitimate interests.

8. User Rights

Depending on your location, you may have certain rights regarding your personal information:

Access: You have the right to request access to the personal information we hold about you.

Correction: You may request that we correct inaccurate or incomplete information about you.

Deletion: You may request that we delete your personal information, subject to certain exceptions for legal compliance and legitimate business interests.

Withdrawal of Consent: Where we process your information based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

EU GDPR Rights: If you are located in the EEA, you have additional rights under GDPR, including:

• The right to restrict processing of your information
• The right to data portability
• The right to object to processing based on legitimate interests
• The right to lodge a complaint with a supervisory authority

California Consumer Rights: If you are a California resident, you have rights under CCPA/CPRA, including:

• The right to know what personal information we collect, use, and disclose
• The right to delete your personal information
• The right to opt-out of the sale or sharing of personal information (we do not sell or share personal information)
• The right to non-discrimination for exercising your privacy rights

To exercise these rights, please contact us at privacy@xplug.ai.

9. Security

We implement reasonable technical, administrative, and physical safeguards designed to protect your information against unauthorized access, alteration, disclosure, or destruction.

These measures include encryption of data in transit and at rest, access controls, regular security assessments, and employee training on data protection practices.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You use our services at your own risk.