Privacy Policy

Last updated: 6 September 2025 (MYT)

This Privacy Policy explains how Neunucleus Energy Corp (“NEC”); the Neunucleus Energy System (“NES”); Neunucleus System Open Platform (“NSOP”), the blockchain-secured integration layer; PowerOnAir (“POA”), SaaS real-time AI analytics & reporting; the AI Switching Engine (solar, grid, kinetic, or hybrid optimization, Plug-and-Play Retrofit); and Neubec Nexus (“Neubec”), the central reporting & billing engine (“Neubec”, “we”, “our”, “us”) collect, use, disclose, and protect Personal Data when you use our websites, portals, dashboards, APIs, software, devices, and related services (collectively, the “Services”).

Plain-English summary (non-binding): We operate energy-management and billing software (not a utility). We collect contact, account, and metering data to run the system, issue invoices, and improve performance with AI. We minimise what is stored on an immutable ledger; where blockchain is used, we prefer hashes/IDs over raw personal data. You can access, correct, or request deletion of your data subject to legal/contractual limits.


1) Who is responsible (Controller)

Unless stated otherwise in a project-specific contract, NEC is the data controller for the Services. Where NEC acts for a Landlord/Developer under a service agreement, we may act as a processor (or “data intermediary”).
Contact (DPO): Data Protection Officer, email: privacy@neunucleus.com, mailing address available upon request.


2) Scope & Users

This Policy covers Tenants (end users), Landlords (property owners/co-investors), Developers (System-as-a-Service operators), finance partners, installers/integrators, and portal visitors.


3) What we collect

A. Identification & account data – name, role, company, emails, phone numbers, login IDs, access logs, role-based permissions (RBAC), SSO identifiers.
B. Commercial & billing data – invoices, payment status, revenue-share statements, bank remittance references (we do not store full card/bank credentials—handled by licensed payment processors).
C. Technical & usage data – device/browser info, IP addresses, timestamps, cookies, telemetry, API/gateway logs.
D. Energy & site data – meter reads (kWh), PV/BESS performance, state-of-charge, grid import/export, alarms/fault codes, tariff rules, site identifiers.
E. Support & communications – tickets, emails/WhatsApp messages, call notes.
F. Optional – photographs of equipment/labels, documents for KYC/vendor onboarding where required by contract or law.


4) Sources of data

  • You or your organisation (during onboarding, portal use, forms, uploads).
  • Landlords/Developers/Integrators that manage your site(s).
  • Gateways, meters, inverters, BESS, and third-party platforms via API or edge devices.
  • Payment service providers (confirmation/settlement metadata).
  • Public records or sanctioned screening vendors where legally required.

5) Why we use your data (Purposes) & legal bases

Service delivery & operations (contract; legitimate interests): user authentication, role assignment, site configuration, energy monitoring, forecasting, dispatch optimisation, alerts.
Billing & settlements (contract; legitimate interests; legal obligation): metered billing, revenue-share computation, invoice issuance, payment reconciliation, audit trails.
Security & integrity (legitimate interests; legal obligation): access controls, fraud/abuse detection, incident response, logging.
Analytics & improvement (legitimate interests; consent where required): model training/tuning, feature performance, benchmarking (aggregated/pseudonymised where possible).
Compliance (legal obligation): tax/financial recordkeeping, responding to lawful requests.
Marketing/communications (consent/legitimate interests): demos, updates, surveys; you may opt out anytime.


6) Cookies & similar technologies

We use necessary cookies (security, session), functional (preferences), and analytics (usage). Where required, we present a cookie banner to manage your preferences.


7) AI & automated processing

Our AI features provide forecasts, anomaly detection, and optimisation. These are probabilistic and may be inaccurate. We do not make solely automated decisions that produce legal or similarly significant effects without human review. You may request information about the logic, significance, and consequences, and to obtain human intervention where applicable.


8) Blockchain security layer

To provide tamper-evident auditability, certain event hashes, timestamps, and identifiers may be anchored on a permissioned blockchain. We avoid placing raw Personal Data on-chain. Where an on-chain record is necessary, we use hashing/pseudonymisation to reduce identifiability. Because blockchain entries may be immutable, we satisfy erasure requests by delinking Personal Data from on-chain references and deleting off-chain mappings, where legally permissible.


9) Sharing & disclosures

We share data only as needed:

  • Processors / service providers – hosting, security, support, analytics, messaging, payment processing.
  • Project parties – Landlords/Developers/Financiers for billing, reconciliation, performance reporting (as per contracts and role-based access).
  • Legal & compliance – regulators, law enforcement, courts, or professional advisers where legally required or to protect rights, safety, and security.
  • Business changes – merger, acquisition, or asset transfer subject to confidentiality and notice.

We do not sell Personal Data.


10) International transfers

Data may be processed in countries other than yours. We use appropriate safeguards (e.g., Standard Contractual Clauses, intra-group agreements, or other lawful transfer mechanisms) and technical measures (encryption, access controls).


11) Retention

We retain Personal Data only as long as necessary for the purposes above and to meet legal, tax, accounting, and audit requirements. Typical ranges:

  • Account & contract records: 7–10 years after termination.
  • Metering & billing data: 7–10 years (statutory/contractual).
  • Logs & telemetry: 12–24 months (unless needed for security or dispute).

When no longer required, data are deleted or irreversibly anonymised.

12) Security

We apply defence-in-depth: encryption in transit/at rest, RBAC/SSO/2FA, network segmentation, key management, backups, disaster recovery, vulnerability management, and auditing. No system is 100% secure; you share responsibility for safeguarding credentials and devices.


13) Your rights

Depending on your jurisdiction (e.g., Malaysia PDPA, Singapore PDPA, GDPR in the EEA/UK, Indonesia PDP Law, CCPA/CPRA in California), you may have rights to:

  • Access your Personal Data;
  • Rectify inaccuracies;
  • Erase (subject to legal/contractual limits);
  • Restrict or object to processing;
  • Data portability;
  • Withdraw consent (does not affect prior processing);
  • Lodge a complaint with your local data authority.

Requests: email privacy@neunucleus.com. We will verify your identity and respond as required by law.


14) Third-party links & services

Third-party websites, devices, gateways, payment processors, or platforms operate under their own terms and privacy policies. We do not control and are not responsible for their practices.


15) Children’s data

Our Services are not directed to children. We do not knowingly collect Personal Data from children without appropriate consent as required by law.


16) Changes to this Policy

We may update this Policy from time to time. Material changes will be posted with a new “Last updated” date. Your continued use of the Services signifies acceptance of the updated Policy.


17) Contact & complaints

For questions, requests, or complaints about privacy or this Policy, contact the DPO at privacy@neunucleus.com.
You may also contact your local data protection authority (e.g., Jabatan Perlindungan Data Peribadi in Malaysia, PDPC in Singapore, or the supervisory authority where you reside).


18) Dispute resolution (privacy matters)

Subject to non-waivable consumer rights and applicable law, privacy disputes arising from this Policy may be referred to confidential, binding arbitration under the SIAC Rules in Singapore (English language). Either party may seek injunctive relief in a competent court to protect confidentiality, IP, or data security.


Note: This Policy describes our general practices. Specific projects or jurisdictions may require supplemental notices or agreements (e.g., Data Processing Addendum) that prevail in case of conflict.