Effective Date: January 20, 2025
1. Who We Are
Plugcy (“Plugcy,” “we,” “us,” or “our”) is an AI-driven energy technology company headquartered in Ciudad de México (CDMX), México, with corporate presence in Dover, Delaware, United States, and operations extending to Bogotá D.C., Colombia. Plugcy builds and operates the world’s first AI Energy Nerve Network, a real-time, adaptive intelligence layer that connects electric vehicles (EVs), home chargers, commercial charging stations, renewable energy sources, and the broader energy grid into a single intelligent ecosystem.
Our products and services include:
- The Plugcy App (iOS and Android) — enabling EV drivers to find, reserve, and pay for charging sessions, and enabling homeowners to list and monetize their chargers.
- The AI Energy Nerve Network — a cloud-based AI engine that predicts and optimizes energy demand, distribution, and storage in real time.
- The Plugcy Fast Charger — smart home and commercial EV charging hardware distributed across North America and Latin America.
- The Plugcy Website (plugcy.com) — including our blog, contact forms, and informational resources.
For the purposes of applicable data protection legislation — including Mexico’s Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, “LFPDPPP”) and, where applicable, the EU General Data Protection Regulation (GDPR) and U.S. state privacy laws — Plugcy acts as the data controller for the personal information described in this Privacy Policy.
2. Scope & Application
This Privacy Policy applies to all personal information Plugcy collects and processes in connection with:
- Visitors to plugcy.com and any subdomain thereof.
- Users who download and use the Plugcy App on any mobile or smart device.
- Individuals who purchase, register, or interact with Plugcy hardware (Fast Charger and related accessories).
- Charger Hosts who list their charging equipment on the Plugcy network.
- Businesses, partners, and developers who integrate with the Plugcy API or AI platform.
- Individuals who contact us for customer support, sales inquiries, or general communications.
Note: This Policy does not cover third-party websites, apps, or services linked to or from Plugcy platforms. We encourage you to review the privacy policies of those third parties independently.
By accessing or using any Plugcy product or service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please discontinue your use of our services.
3. Information We Collect
We collect information in three primary ways: information you provide directly, information collected automatically, and information received from third parties.
3.1 Information You Provide Directly
| Category | Examples | When Collected |
|---|---|---|
| Account & Identity | Full name, email address, phone number, profile photo, date of birth, username and password | Registration, profile setup |
| Vehicle Information | EV make, model, year, battery capacity, license plate (optional), connector type, charging preferences | Onboarding, session setup |
| Charger Host Data | Property address, charger specifications, availability schedule, payout bank details, photos of charging space | Host listing creation |
| Payment Information | Credit/debit card numbers (tokenized), billing address, PayPal or wallet identifiers, business invoicing details | Payment setup, transactions |
| Communications | In-app messages, support tickets, email correspondence, survey responses, feedback and reviews | Ongoing use, support |
| Identity Verification | Government-issued ID images, selfies for liveness checks, tax identification numbers for Hosts | Host onboarding, fraud prevention |
| Preferences & Settings | Notification preferences, language/region settings, charging schedule preferences, saved favorite stations | App settings, account management |
3.2 Information Collected Automatically
- Device Information: Device type, make and model, operating system and version, unique device identifiers (IDFA, GAID), hardware serial numbers for Plugcy hardware, screen resolution, mobile carrier.
- Usage Data: Features accessed, screens viewed, interactions, session duration, crash logs, error reports, and diagnostic information.
- Network & Connection Data: IP address, Wi-Fi network identifiers used by the charger, cellular network, and connection quality.
- Charging Session Data: Session start/end times, energy delivered (kWh), charging speed (kW), session interruptions, charger status codes, station ID, and cable type. (See Section 6.)
- Location Data: GPS coordinates, Wi-Fi triangulation data, and inferred location from IP. (See Section 8.)
- Log Data: Server logs including request timestamps, pages visited, referring URLs, user-agent strings, and HTTP status codes.
- Cookies and Tracking Technologies: As described in Section 9.
3.3 Information From Third Parties
- Social Login Providers: If you sign in with Google or Apple, we receive your name, email, and profile photo from that provider.
- Payment Processors: Stripe or equivalent providers share tokenized card information and transaction status.
- Identity Verification Partners: KYC/AML services return a verification status and risk score.
- Energy Utilities & Grid Operators: Where integration agreements exist, utilities may share grid status, tariff rates, and demand data.
- Map & Navigation Providers: Google Maps or Apple Maps may share place data and routing information when you search for chargers.
- Analytics & Marketing Partners: We may receive aggregated audience data from advertising or analytics platforms to measure campaign performance.
4. How We Use Your Information
4.1 Providing and Operating Our Services
- Creating and managing your Plugcy account and maintaining your session.
- Processing EV charging session requests, reservations, and payments.
- Displaying nearby chargers and calculating routes to stations.
- Enabling Hosts to list, manage, and receive payments for their chargers.
- Facilitating in-app messaging between Drivers and Hosts.
- Activating and managing Plugcy Fast Charger hardware registered to your account.
4.2 AI Energy Optimization
- Feeding anonymized and aggregated energy data into our AI models to predict demand, balance grid load, and improve charging efficiency.
- Providing personalized energy insights such as the best times to charge based on your habits and local grid conditions.
- Alerting users and Hosts to grid events, demand surges, or renewable energy availability windows.
- Improving our AI models’ accuracy through machine learning on historical session data.
4.3 Customer Support
- Responding to support requests, questions, and complaints.
- Diagnosing technical issues with the app, hardware, or network connectivity.
- Resolving billing disputes and processing refunds or chargebacks.
4.4 Safety, Security & Fraud Prevention
- Verifying your identity to prevent unauthorized account access.
- Detecting and preventing fraudulent transactions, chargebacks, and platform abuse.
- Monitoring for cybersecurity threats and unauthorized API access.
- Complying with anti-money laundering (AML) and know-your-customer (KYC) requirements.
4.5 Communications & Marketing
- Sending transactional notifications (charging session confirmations, receipts, refund status).
- Sending product updates, new feature announcements, and policy changes.
- Sending marketing communications where you have opted in.
- Conducting user research, surveys, and interviews (participation is always voluntary).
4.6 Analytics & Product Improvement
- Analyzing usage patterns to identify product improvements and fix issues.
- A/B testing new features and interfaces.
- Building aggregated, de-identified reports on network performance, energy savings, and CO₂ reduction.
4.7 Legal & Regulatory Compliance
- Complying with applicable laws in Mexico (LFPDPPP), the United States, Colombia, and other jurisdictions in which we operate.
- Responding to lawful requests from government authorities, courts, or regulators.
- Enforcing our Terms & Conditions and protecting our legal rights.
5. Legal Basis for Processing
| Legal Basis | Processing Activities Covered |
|---|---|
| Consent | Marketing emails, push notifications, location tracking (background), sharing data with advertising partners, participation in research |
| Contractual Necessity | Account creation and authentication, processing payments and payouts, fulfilling charging sessions, hardware activation, customer support |
| Legal Obligation | KYC/AML compliance, responding to court orders and regulatory requests, tax record-keeping, fraud reporting to authorities |
| Legitimate Interests | Security monitoring, fraud detection, analytics and product improvement, AI model training on anonymized data, network optimization |
| Vital Interests | Emergency situations involving grid failure or safety hazards related to EV charging infrastructure |
Under the LFPDPPP, this Privacy Policy constitutes our comprehensive Aviso de Privacidad (Privacy Notice) as required by Mexican law. You may request a simplified version by contacting us at [email protected].
6. Charging Session Data
Charging session data is central to our service. We collect and process the following per session:
- Session identifier: A unique ID assigned to each charging event.
- Charger and station ID: The specific physical charger and charging station used.
- Session start and end timestamps: Date, time, and duration of the session.
- Energy delivered: Total kilowatt-hours (kWh) transferred to the vehicle.
- Charging rate curve: Power output (kW) recorded at regular intervals throughout the session.
- Connector type: CCS, CHAdeMO, J1772, or Type 2.
- Vehicle state of charge (SoC): Start and end battery percentage, where communicated via the OCPP protocol.
- Session interruptions: Any errors, plug disconnections, or power interruptions recorded.
- Pricing and payment: Session cost, applicable tariff, currency, discount codes applied, and payment method type.
- Grid conditions at time of session: Local grid demand, renewable energy percentage, and pricing tier (where available from grid partners).
- CO₂ offset: Calculated carbon offset based on regional energy mix data.
Charging session data is used to: generate your session receipts; calculate Host payouts; train our AI demand models; generate personal energy reports; produce environmental impact statistics; and detect anomalous or fraudulent sessions. Your session history is retained for as long as your account is active, plus six (6) years for financial and tax compliance. You may download your full session history from the app at any time.
7. AI & Machine Learning
7.1 What Data Is Used for AI Training
- Anonymized and aggregated charging session data — stripped of direct identifiers — is used to train demand forecasting, load balancing, and energy routing models.
- Anonymized location clusters (never individual GPS traces) are used to model geographic demand patterns.
- Energy grid telemetry from utility partners (no personal user data) is integrated into the grid optimization layer.
- Personalized AI features (e.g., your charging schedule recommendations) use your individual data within your account context only — not shared with other users’ models.
7.2 Automated Decision-Making
Plugcy’s AI may make automated decisions in limited contexts:
- Fraud detection: Automated systems may flag or temporarily suspend a transaction or account if anomalous patterns are detected. You have the right to request human review of any automated decision that materially affects you.
- Dynamic pricing recommendations: AI may suggest optimal charging times or prices to Hosts based on demand patterns. These are recommendations only and do not constitute binding decisions without Host confirmation.
- Grid load balancing: The AI may automatically adjust charging speeds during peak demand events if you have opted into smart charging features.
7.3 Your Right to Opt Out of AI Training
You may opt out of having your data used for AI model training beyond what is necessary for your individual service. Navigate to Settings → Privacy → AI Data Preferences in the app, or contact us at [email protected]. Opting out will not affect core service functionality.
8. Location Data
| Type | When Collected | Purpose | Can Be Disabled? |
|---|---|---|---|
| Precise GPS (foreground) | While app is in use | Show nearby chargers, navigate to station, confirm arrival | Yes — disables map features |
| Precise GPS (background) | During active charging session only | Session monitoring, geofence-based session end | Yes — session confirmation becomes manual |
| Coarse location | App open, no active session | City-level charger search, regional pricing display | Yes — manual city selection available |
| Charger location | When you list a charger as Host | Display charger on the Plugcy map for Drivers | No — required for Host listing |
| IP-based location | Website and app sessions | Region detection for pricing, language, and legal compliance | Via VPN (not controlled by Plugcy) |
We do not build persistent location profiles of your movements. Location data used for AI demand modeling is aggregated and anonymized before use. We do not sell individual location histories to third parties. For Hosts, the approximate charger address is displayed publicly on the Plugcy map; the exact address is shared with Drivers only after a booking is confirmed.
9. Cookies & Tracking Technologies
Plugcy uses cookies and similar technologies on our website (plugcy.com) and, to a limited extent, within the mobile app environment.
9.1 Types of Cookies We Use
- Strictly Necessary Cookies: Required for the website and app to function. These cannot be disabled. Examples: session authentication tokens, CSRF protection tokens, load balancer cookies.
- Analytics Cookies: Help us understand how users interact with our website. We use tools such as Google Analytics (with IP anonymization enabled). These can be disabled via our cookie consent manager or your browser settings.
- Marketing & Advertising Cookies: Used to measure the effectiveness of our advertising campaigns (e.g., Facebook Pixel, Google Ads conversion tracking). Only placed with your explicit consent, which you may withdraw at any time.
- Functional / Preference Cookies: Remember your preferences such as language, region, and consent choices. Disabling these may affect the personalization of your experience.
9.2 Managing Cookies
You can control cookies through our Cookie Consent Banner displayed on your first visit to plugcy.com, through your browser settings, or by using opt-out tools provided by third parties (e.g., Google Analytics Opt-out Browser Add-on). Note that disabling certain cookies may impair website functionality.
9.3 Do Not Track
Plugcy does not currently respond to browser-level “Do Not Track” (DNT) signals because no uniform standard has been adopted. However, you can use our Cookie Consent Manager to opt out of non-essential tracking at any time.
10. Sharing & Disclosure
Plugcy does not sell your personal information to third parties for their own marketing purposes. We share your information only in the following circumstances:
10.1 Between Drivers and Hosts
- The Driver’s first name and profile photo are shared with the Host to facilitate the session after a booking is confirmed.
- The Host’s name, property address, and charger details are shared with the Driver after booking confirmation.
- Billing and payment details are never shared between Drivers and Hosts — all payment flows are managed by Plugcy.
10.2 Service Providers (Data Processors)
We share data with trusted third-party vendors under strict contractual data protection agreements. Categories include: cloud infrastructure (AWS, Google Cloud); payment processing (Stripe); identity verification; customer support software; push notification services (Firebase, APNs); analytics tools; email delivery providers; and mapping services (Google Maps Platform).
10.3 Legal Requirements
We may disclose your information if required to do so by law or in good-faith belief that such action is necessary to comply with a legal obligation, protect the rights or property of Plugcy, prevent wrongdoing, protect the personal safety of users or the public, or protect against legal liability.
10.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you via email or prominent notice before your information is transferred and becomes subject to a different privacy policy.
10.5 Aggregated & De-Identified Data
We may share aggregated, anonymized, and de-identified data with partners, press, or the public. This data cannot reasonably be used to identify any individual.
11. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Google Maps Platform | Map display, routing, place search | Location coordinates, search queries |
| Stripe | Payment processing | Card data (tokenized), billing address, transaction amounts |
| Firebase (Google) | Push notifications, analytics, crash reporting | Device ID, app events, crash logs |
| Meta Pixel (Facebook) | Advertising measurement (with consent) | Hashed email, page views, conversion events |
| Apple Sign In / Google OAuth | Social login | Name and email (from the provider) |
| KYC Provider | Identity verification for Hosts | Government ID image, selfie, verification result |
| WhatsApp Business API | Customer support chat | Phone number, message content |
Each of these providers has its own privacy policy. Plugcy enters into Data Processing Agreements (DPAs) with all processors to ensure your data is protected.
12. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account profile data | Life of account + 3 years post-deletion | Dispute resolution, fraud prevention |
| Charging session records | Life of account + 6 years | Financial records, tax compliance (SAT, IRS) |
| Payment transaction records | 7 years | Tax and accounting obligations (Mexico, U.S.) |
| KYC / identity documents | 5 years post-account closure | AML regulatory requirements |
| Support tickets | 3 years from ticket closure | Quality assurance, legal reference |
| Marketing consent records | Until consent is withdrawn + 3 years | Proof of consent under LFPDPPP/GDPR |
| App analytics (raw events) | 24 months, then aggregated only | Product improvement |
| Website cookies | Up to 13 months (analytics); session (necessary) | Consent management compliance |
| Location data (raw GPS) | 90 days, then anonymized | Service operation; anonymized form used for AI training |
| Server and security logs | 12 months | Security monitoring, incident response |
When we no longer need your personal information, we securely delete or anonymize it. If complete deletion is not immediately possible (e.g., data in backup archives), we isolate that data from further processing until deletion is feasible.
13. Security Measures
Protecting your personal information is a core commitment at Plugcy. We implement the following technical and organizational security measures:
- Encryption in Transit: All data transmitted between the Plugcy App, website, hardware, and our servers is encrypted using TLS 1.2 or higher (TLS 1.3 preferred). We enforce HSTS on all web properties.
- Encryption at Rest: All databases and file storage systems are encrypted using AES-256. Database backups are also encrypted.
- Access Controls: Internal access to personal data is restricted by role-based access control (RBAC). Employees access only the data necessary for their job function. All internal access is logged and audited.
- Multi-Factor Authentication (MFA): Required for all Plugcy internal systems. We encourage users to enable MFA on their Plugcy accounts in app settings.
- Penetration Testing: We conduct regular third-party security audits and penetration tests on our applications and infrastructure, with critical findings remediated within defined SLAs.
- Hardware Security: Plugcy chargers communicate over encrypted OCPP 1.6/2.0 protocols. Firmware is cryptographically signed and verified before deployment.
- Incident Response: We maintain a documented data breach response plan. In the event of a breach, we will notify you and relevant regulators within legally required timeframes.
- PCI-DSS Compliance: Payment data is handled through PCI-DSS Level 1 compliant payment processors. Plugcy never stores raw card numbers on our servers.
Important: No system is 100% secure. While we take every reasonable measure, we cannot guarantee absolute security. If you suspect unauthorized access to your account, contact us immediately at [email protected] or call +52 1 55 6020 4072.
14. International Data Transfers
Plugcy operates globally, which means your personal information may be transferred to and processed in countries other than your country of residence — specifically between Mexico, the United States, and Colombia, where we have operational infrastructure.
When we transfer personal data across borders, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs) for transfers from the EU/EEA to third countries, where applicable.
- Data Transfer Impact Assessments for transfers to countries without an adequacy decision.
- Contractual protections with all data processors requiring compliance with the data protection standards of the originating jurisdiction.
- LFPDPPP Article 36 compliance for cross-border transfers involving data of Mexican residents: all transfers to international entities are governed by contracts ensuring equivalent data protection standards.
15. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data. Plugcy respects and facilitates these rights for all users regardless of location.
- Right of Access: Request a copy of all personal data we hold about you, including categories of data, why we process it, and with whom we share it.
- Right to Rectification: Request correction of inaccurate or incomplete personal data. Most profile information can be updated directly in the app.
- Right to Erasure (“Right to Be Forgotten”): Request deletion of your personal data, subject to legal retention obligations and active dispute resolution needs.
- Right to Restriction: Request that we limit how we use your data in certain circumstances, such as while a rectification request is being processed.
- Right to Data Portability: Receive your personal data in a structured, machine-readable format (JSON or CSV) to transfer to another service.
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes. For marketing objections, we will honor your request immediately.
- Rights Related to Automated Decision-Making: Request human review of any automated decision that significantly affects you, and provide input before a final decision is made.
- LFPDPPP ARCO Rights (Mexico): Rights of Acceso (Access), Rectificación (Rectification), Cancelación (Cancellation), and Oposición (Opposition), enforceable against Plugcy as a Mexican-domiciled entity.
How to Exercise Your Rights
- Email [email protected] with the subject line “Privacy Rights Request — [Your Right]”
- Call +52 1 55 6020 4072 (Monday–Friday, 9:00 AM – 6:00 PM CST)
- Submit a written request to our CDMX office
We will respond to all verifiable requests within 20 business days (LFPDPPP). We may need to verify your identity before processing certain requests. There is no charge for exercising your rights, except in cases of manifestly unfounded or excessive requests.
If you believe we have not adequately addressed your request, you may lodge a complaint with Mexico’s data protection authority: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) — www.inai.org.mx.
16. Children’s Privacy
Plugcy’s services are designed for and directed at adults aged 18 and older. We do not knowingly collect personal information from children under the age of 18 (or the applicable age of digital consent in your jurisdiction, which may be 13 in the United States under COPPA).
If you are a parent or legal guardian and believe your child has provided us with personal information without your consent, please contact us immediately at [email protected]. We will take prompt steps to investigate and, if necessary, delete the child’s information from our systems.
17. Financial Data & Payments
- Payment method tokenization: Your full card number is never stored by Plugcy. It is immediately tokenized by our PCI-DSS compliant payment processor. We store only the last four digits, card type, and expiry for display purposes.
- Payout information for Hosts: To receive earnings, Hosts must provide bank account or digital wallet details. Plugcy may collect tax identification information (RFC in Mexico, EIN/SSN in the U.S.) for reporting to tax authorities where payout thresholds are met.
- Transaction history: All transactions are logged and retained for at least 6 years for tax compliance.
- Fraud detection: Financial transaction data is analyzed by automated fraud detection systems to identify suspicious patterns and protect both Drivers and Hosts.
- Currency: Transactions may be conducted in MXN, USD, or COP. Currency conversion is handled by our payment processor. Applicable exchange rates are displayed at the time of transaction.
18. Charger Host Accounts
Hosts — individuals or businesses who list EV chargers on the Plugcy network — are subject to additional data processing:
- Enhanced identity verification: All Hosts must complete identity verification including government ID validation and, in some jurisdictions, business registration documents.
- Charger telemetry: Plugcy-connected chargers continuously transmit operational data (power output, error codes, connection status, firmware version) to our cloud platform for remote diagnostics, maintenance alerts, and performance optimization.
- Listing information: Host-provided information (charger type, availability, price, photos, access instructions) is displayed to Drivers and may be indexed by search engines.
- Earnings and tax reporting: Host payout data may be reported to tax authorities in Mexico (SAT) and the United States (IRS — Form 1099-K where applicable) if earnings exceed statutory thresholds. Hosts are responsible for their own tax obligations.
- Reviews and ratings: Drivers may leave reviews of Host chargers. Reviews are displayed publicly and associated with the listing.
19. Communications
19.1 Transactional Communications
We will always send you transactional messages related to your use of Plugcy, including account confirmations, session receipts, payment notifications, refund confirmations, security alerts, and policy update notifications. These cannot be opted out of while your account remains active.
19.2 Marketing Communications
With your prior consent, we may send you marketing communications including promotional offers, new feature announcements, and Plugcy news. You may opt out at any time by:
- Clicking the “Unsubscribe” link in any marketing email.
- Navigating to Settings → Notifications → Marketing in the Plugcy app.
- Contacting us at [email protected] with “Unsubscribe” in the subject line.
We will process your opt-out request within 10 business days. You will continue to receive transactional messages even after opting out of marketing.
19.3 Push Notifications
You can manage push notification permissions through your device’s operating system settings (iOS: Settings → Notifications → Plugcy; Android: Settings → Apps → Plugcy → Notifications). Turning off all push notifications may affect real-time charging session updates.
19.4 WhatsApp & SMS
Where you have opted in, we may contact you via WhatsApp or SMS for customer support, session notifications, or verification codes. Standard messaging rates from your carrier may apply. Reply STOP to any SMS to opt out.
20. Policy Updates
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Post the updated Policy on this page with a revised “Last Updated” date.
- Send an email notification to the address associated with your account at least 30 days before changes take effect.
- Display an in-app notification prompting you to review the updated Policy.
- Where required by law, seek your explicit consent before applying material changes to existing personal data processing.
Your continued use of Plugcy services after the effective date of any updated Policy constitutes your acceptance. If you do not agree, you may delete your account and cease using our services at any time. You may request previous versions of this Policy by contacting us at [email protected].
21. Contact & Data Protection
If you have any questions, concerns, or requests regarding this Privacy Policy or how Plugcy processes your personal data, please contact us:
- Email: [email protected]
- Phone / WhatsApp: +52 1 55 6020 4072
- Principal Location: Ciudad de México (CDMX), México
- U.S. Registered Address: 8 The Grn Ste B, Dover, DE 19901-3618, United States
Response Commitments
- We aim to acknowledge all privacy-related inquiries within 10 business days.
- We will fully respond to verifiable data subject rights requests within 20 business days (LFPDPPP) or 30 days (GDPR), with one possible extension of a further 30 days for complex requests, with prior notice.
- Security incidents and potential data breaches will be escalated according to our Incident Response Plan, with regulatory notification within legally mandated timeframes.
