Privacy Policy — gridsphere.energy
Effective date: 2026-05-06 Last updated: 2026-05-06 Controller: GridSphere SA Privacy contact: privacy@gridsphere.energy
Scope of this Policy. This Privacy Policy describes how GridSphere SA processes personal data collected through the gridsphere.energy corporate website (the "Site"). It does NOT cover the SIMULA software product available at
simula.gridsphere.energy, which is governed by its own dedicated Privacy Policy.
Regulatory framework. EU Regulation 2016/679 ("GDPR"); Swiss Federal Act on Data Protection of 25 September 2020, in force since 1 September 2023 ("revFADP", SR 235.1) and its implementing ordinance (FADPO); Directive 2002/58/EC ("ePrivacy") for cookies.
1. Controller and privacy contact
1.1 Controller
GridSphere SA Via Cantonale 18 — 6928 Manno (Canton Ticino), Switzerland Swiss UID: CHE-194.828.389 Legal representative: Luca Roccia (Sole Director)
1.2 Internal privacy function
GridSphere has identified an internal privacy / data protection function as the contact point for privacy-related matters. This does NOT constitute the formal designation of a Data Protection Officer under Article 37 GDPR or Article 10 revFADP.
All privacy enquiries should be directed to privacy@gridsphere.energy.
1.3 EU representative (Article 27 GDPR)
As of the date of publication, GridSphere has NOT designated a representative in the European Union under Article 27 GDPR. We consider that processing directed at data subjects in the EU does not currently meet the threshold of regularity, large scale and non-occasional nature required by Article 3(2) GDPR in conjunction with Article 27(2)(a) GDPR, given (i) the early commercial stage of our business, (ii) the limited number of EU contacts in our database, and (iii) the absence of processing of special categories of data under Article 9 GDPR.
This assessment is reviewed periodically and whenever the volume, regularity or nature of processing directed at EU data subjects materially changes. Should the threshold be exceeded, GridSphere will appoint an EU representative and update this Policy accordingly.
EU data subjects retain the full set of rights granted by GDPR regardless of the absence of an EU representative; rights may be exercised directly by writing to privacy@gridsphere.energy or by contacting the supervisory authority listed in §8.
2. Categories of data processed
The Site is a corporate marketing site. We do NOT operate user accounts, do NOT process payments, and do NOT host any product on this domain. Data processing is limited to (i) inbound contact / RFP / advisory call requests submitted via the Site and (ii) basic technical operation of the Site.
2.1 Data submitted through forms on /contact/
| Field | Mandatory? | Legal basis (GDPR) | Purpose |
|---|---|---|---|
| Name (first + last) | Yes | Art. 6(1)(b) — pre-contractual measures at request of the data subject | Reply to enquiry, schedule advisory call, prepare proposal |
| Yes | Art. 6(1)(b) | Reply to enquiry; service communications | |
| Company name | Yes (RFP, Advisory) / No (General) | Art. 6(1)(b) + Art. 6(1)(f) (legitimate interest in B2B qualification) | Qualification of the business relationship |
| Project location, BESS size (kW), BESS energy (kWh), use case, timeline, budget range, decision-maker role, project notes | Yes (only on the Supply RFP form) | Art. 6(1)(b) | Preparation of supply offer |
| Free-text message | Yes (General form) | Art. 6(1)(b) | Reply to enquiry |
topic (hidden field: advisory / supply / general) | Auto-filled | Art. 6(1)(f) | Routing within CRM |
2.2 Data captured by HubSpot Meetings booking widget on /contact/
When you book an advisory call via the embedded HubSpot Meetings widget, HubSpot collects: name, email, company (optional), the proposed time slot, and any free-text answers to meeting prep questions.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures at request of the data subject). The data is transferred directly between your browser and HubSpot — see §3 (sub-processors).
2.3 Technical data captured automatically
| Data | Source | Legal basis | Purpose | Retention |
|---|---|---|---|---|
| IP address (truncated where feasible) | Server access log | Art. 6(1)(f) — legitimate interest in security and abuse prevention | Security, anti-abuse, troubleshooting | 90 days |
| User agent string | Server access log | Art. 6(1)(f) | Security, troubleshooting | 90 days |
Cookie consent record (gs-cookie-consent localStorage key) | Local browser storage written by the consent banner | Art. 7(1) GDPR — burden of proof of consent | Evidence of valid consent | Until cleared by user |
We do NOT operate user accounts on this Site, we do NOT process payments, we do NOT use customer support / helpdesk SaaS, and we do NOT use marketing automation that ingests Site visitor data without an explicit legal basis.
2.4 Special categories of data (Art. 9 GDPR / Art. 5(c) revFADP)
The Site does NOT process special categories of personal data (health, sexual orientation, religion, genetic / biometric data, criminal convictions). If you inadvertently include such data in a free-text field, please notify us promptly at privacy@gridsphere.energy.
2.5 Minors
The Site is intended for professional / B2B use. We do NOT knowingly collect personal data from minors under the age of 18. If we become aware of such collection without an appropriate legal basis, we will delete the data promptly.
3. Sub-processors
For the operation of the Site, GridSphere relies on the following sub-processors:
| # | Sub-processor | Role | Processing location | Non-EU transfer? | Transfer safeguards |
|---|---|---|---|---|---|
| 1 | AWS Amplify (Amazon Web Services EMEA SARL) | Static + edge hosting of the Site | Frankfurt, Germany (eu-central-1) | Data at rest within the EU; residual access by AWS US parent | AWS GDPR Data Processing Addendum; EU SCCs (2021/914 Module 2); AWS Swiss transfer mechanisms recognised by the FDPIC |
| 2 | HubSpot, Inc. (Meetings + Forms + CRM) | Inbound enquiry capture (Site form submissions, advisory call bookings) | EU data centre (HubSpot EU region — see §3.1 below); residual processing in the US by HubSpot, Inc. | Yes | HubSpot DPA + EU-U.S. Data Privacy Framework certification (per HubSpot's published statement); SCCs 2021/914 Module 2 + TIA on file as fallback |
3.1 HubSpot data residency
GridSphere has elected the HubSpot EU data residency option for the SIMULA / GridSphere portal (Portal ID 146402375). Personal data submitted through forms on /contact/ and meeting bookings is stored at rest in HubSpot's EU data centre. Residual administrative access by HubSpot personnel based in the US is covered by the safeguards listed in the table above.
3.2 Sub-processors expressly NOT used (on this Site)
For the avoidance of doubt:
- Google Analytics / Google Tag Manager: NOT used.
- Meta Pixel, LinkedIn Insight, Google Ads pixels: NOT used.
- Customer support / helpdesk SaaS (Intercom, Zendesk, Freshdesk): NOT used.
- Session replay (Hotjar, Contentsquare, FullStory): NOT used.
Should any of these be activated in future, this Policy will be updated and an explicit opt-in consent banner will be deployed before activation.
4. Retention
| Data | Retention |
|---|---|
Form submissions (/contact/ Advisory + Supply + General) | 24 months from last interaction, then deletion or anonymisation. Where a contractual relationship results from the enquiry, the underlying contractual data is retained for the legal terms applicable to commercial records (Art. 958f Swiss Code of Obligations — 10 years for accounting documents). |
| Meeting bookings (HubSpot Meetings) | 24 months from last interaction; same rule on contractual progression. |
| Server access logs (IP, user agent) | 90 days |
| Cookie consent record | Until cleared by the user (browser-side localStorage) |
5. Recipients of personal data
Personal data is processed exclusively by:
- GridSphere personnel authorised on a need-to-know basis (the Sole Director and any future GridSphere staff bound by confidentiality);
- The sub-processors listed in §3, under the contractual safeguards described.
We do NOT sell, rent or trade your personal data, and we do NOT share it with third parties for advertising or marketing purposes.
We may disclose personal data where required by law, regulatory authority, or in the context of legal proceedings, exercising the proportionality and minimisation principles required by GDPR / revFADP.
6. International transfers
Where processing involves transfers to third countries without an EU adequacy decision, GridSphere relies on:
- Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) where applicable;
- the EU-U.S. Data Privacy Framework ("DPF") and Swiss-U.S. DPF for sub-processors certified under those mechanisms;
- a Transfer Impact Assessment ("TIA") on file, including supplementary measures (encryption in transit and at rest, minimisation, transparency commitments).
A copy of the TIA is available to regulators and, under NDA, to business customers upon reasoned request.
7. Your rights
Under GDPR (Articles 15–22) and the revFADP, you have the right to:
- access your personal data;
- request rectification of inaccurate data;
- request erasure ("right to be forgotten");
- request restriction of processing;
- request data portability;
- object to processing based on legitimate interest;
- withdraw consent at any time, where processing is based on consent;
- not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (we do NOT carry out such automated decision-making on this Site).
To exercise any of these rights, write to privacy@gridsphere.energy. We will respond within one month of the request, extendable by two further months in case of complexity (Art. 12(3) GDPR).
8. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. Competent authorities include:
- Switzerland — Federal Data Protection and Information Commissioner (FDPIC) —
https://www.edoeb.admin.ch; - Italy — Garante per la protezione dei dati personali —
https://www.garanteprivacy.it; - Other EU Member States — your local Data Protection Authority.
9. Security
GridSphere applies appropriate technical and organisational measures (Art. 32 GDPR; Art. 8 revFADP) including:
- TLS 1.2+ for all data in transit;
- encryption at rest (AWS KMS-managed keys) for data stored on AWS;
- access controls and audit logging on administrative interfaces;
- vendor due diligence on each sub-processor.
10. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date and, where required by law, by a notice on the Site. The current version is always available at this URL.
11. Contact
For any privacy-related question, exercise of rights, or request:
GridSphere SA — Privacy Office Via Cantonale 18, 6928 Manno (Canton Ticino), Switzerland privacy@gridsphere.energy
Privacy Policy v1 — gridsphere.energy. Adapted from the SIMULA Privacy Policy v2.3 (22 April 2026, second legal review).