Recordflow PV — Privacy Policy

1. What the app does

Recordflow PV monitors and controls home energy inverters (such as GivEnergy systems) over your local network. It connects directly to hardware on your Wi-Fi — either via the inverter's own Modbus TCP port or via GivTCP, an open-source middleware that runs on your home network.

All inverter data (power flows, battery state, schedules, settings) is read from and written to your local hardware. None of it passes through any server operated by Recordflow Ltd.

2. What personal data we process

We process very little personal data. Here is a complete list of every category, what it includes, why we process it, the lawful basis, and how long we keep it.

2.1 Connection settings (on-device only)

What: IP address of your inverter or GivTCP instance, port number, REST path prefix.

Where stored: On your device in SharedPreferences (iOS Keychain-backed, Android encrypted preferences).

Sent anywhere? No. Never leaves your device.

Why: So the app can reconnect to your hardware without you re-entering the address each time.

Lawful basis: Contract performance (UK GDPR Article 6(1)(b)) — necessary to deliver the service you downloaded the app to use.

Retention: Kept until you disconnect, forget the device, or uninstall the app.

2.2 Known devices list (on-device only)

What: For each inverter you have connected to: host IP, port, connection mode, model name, serial number, firmware version, device type code, hardware specifications (max power ratings, phase count, slot counts), timestamps of first and last connection.

Where stored: On your device in SharedPreferences as a JSON string.

Sent anywhere? No. Never leaves your device.

Why: So the Settings screen can show your devices and let you switch between them without rescanning your network.

Lawful basis: Contract performance (Article 6(1)(b)).

Retention: Kept until you use "Forget device" or "Forget all" in Settings, or uninstall the app.

2.3 Inverter telemetry (on-device only)

What: Power flow readings (solar, battery, grid, house load in watts), battery state of charge, voltages, currents, temperatures, cell-level data, energy totals, fault codes, operating mode, charge/discharge schedules, rate limits, reserve settings.

Where stored: In the app's working memory while it is running. Not persisted to disk beyond a last-known battery percentage used to show state on next launch.

Sent anywhere? No. Never leaves your device.

Why: This is the core function of the app — displaying your energy system's live status.

Lawful basis: Contract performance (Article 6(1)(b)).

Retention: Held in memory during the current session only. The last-known battery percentage persists until overwritten by the next reading or app uninstall.

2.4 GDPR consent preference (on-device only)

What: A flag recording whether you accepted or declined Diagnostic Mode.

Where stored: On your device in SharedPreferences.

Sent anywhere? No.

Why: So the app respects your choice across sessions without asking you repeatedly.

Lawful basis: Legitimate interest (Article 6(1)(f)) — we have a legitimate interest in recording your consent decision so we can honour it. This is also a PECR requirement (see section 7).

Retention: Kept until you change your preference in Settings or uninstall the app.

2.5 Purchase information

What: Whether you have purchased the Recordflow PV upgrade. The app stores a local flag indicating your licence status (free, paid, trial).

Where stored: The licence status flag is on your device in SharedPreferences. The actual purchase transaction, payment details, and receipt are handled entirely by Apple (App Store) or Google (Play Store). Recordflow Ltd does not receive your name, email, payment card, or Apple/Google account ID.

Sent anywhere? The local flag stays on your device. Apple/Google process the purchase on their platforms under their own privacy policies.

Why: To unlock paid features after purchase and to restore your purchase on a new device.

Lawful basis: Contract performance (Article 6(1)(b)) — necessary to deliver the product you paid for.

Retention: The local flag persists until you uninstall the app. Apple/Google retain purchase records under their own policies.

2.6 Diagnostic Mode (on by default during beta; opt-in for public release)

During the TestFlight beta, Diagnostic Mode is on by default so every beta tester contributes device-compatibility data from their first connection. The default will change to off for the public App Store release. You can toggle it at any time in Settings → Advanced. When enabled (and after you accept the first-enable consent dialog), Recordflow PV captures and uploads device-compatibility data so we can grow support for more GivEnergy devices.

What is captured: Modbus protocol frames exchanged between this app and your GivEnergy inverter, only when you are connected via a Direct Modbus connection. User actions you take inside the app (e.g. "tapped Set Charge Slot 1: 02:00–05:00 @ 95%"), timing, connection state changes, and any Modbus errors or timeouts. A once-a-day full register scan that reads all known device register pages. Every inverter snapshot and settings poll (the decoded values that drive the live Dashboard and Control screens, paired with raw hex bytes on the Direct Modbus path). Every screen navigation (tab switches and page push/pop). Network-discovery scan events during onboarding (interfaces surveyed, candidate subnets, and the per-device classification outcome). No other network traffic on your home network is observed, captured, or transmitted.

Metadata attached to every upload: Inverter serial number, battery serial number, device type code, ARM and DSP firmware versions, connection mode (always "Direct Modbus" in v1), app version, platform and OS version, the timestamp of your consent, and the timestamp of the scan. Full LAN IP addresses are included in log entries to help us diagnose network-level issues — we do not mask them.

Where stored on device: In RAM only. No files are written to your device. Events accumulate in a 10,000-event ring buffer that is flushed directly to our cloud storage when the app goes to background, on each app launch, and opportunistically whenever the buffer reaches 80% of capacity.

Sent where: Direct HTTPS PUT to an Amazon S3 bucket operated by Recordflow Ltd in the eu-west-2 (London) region. Uploads are authenticated with a write-only credential; no read, list, or delete permissions are included.

Transport: TLS 1.2+ (HTTPS to Amazon S3). Data is encrypted in transit. The bucket has server-side encryption enabled so data is also encrypted at rest.

Retention at Recordflow Ltd: 90 days. The S3 bucket is configured with an automatic object-lifecycle expiry — files older than 90 days are deleted automatically with no manual intervention.

Why: To improve Recordflow PV's compatibility with the full range of GivEnergy devices (including ones we don't personally own for testing). We may read the logs to reproduce bugs reported by customers, to identify firmware quirks, and to design tests that cover edge cases.

Lawful basis: Consent (Article 6(1)(a)) — you explicitly opt in via a first-enable consent dialog. You can withdraw consent at any time in Settings → Advanced. Withdrawal stops all capture and upload immediately; previously uploaded data is retained per the 90-day bucket lifecycle.

Third parties: Amazon Web Services (our cloud-storage processor). AWS is the only entity that receives this data aside from Recordflow Ltd. We do not share diagnostic data with any other third party, and we do not use it for marketing or advertising.

How to request deletion: Contact support@recordflow.co.uk with a description of the data you want removed. Because uploads are keyed by inverter serial number, we can locate and delete your records without needing any other personal identifier.

2.7 User-submitted feedback (opt-in, user-initiated)

Available from Settings → Diagnostic Mode → "Send feedback or report a bug" whenever Diagnostic Mode is on. Distinct from the automated capture in §2.6: here the user explicitly fills in a form and taps Send.

What: A short title, a freeform description (up to 5,000 characters), a category (bug / feedback / feature request), an app-area tag (Dashboard / Control / Schedule / Battery / Settings / Pairing / Power-flow diagram / Other), and — when the category is "bug" — a severity (Blocks me / Annoying / Cosmetic). Optionally an email address if the user wants a reply.

Auto-captured context: App version and build, platform (iOS / Android / macOS), OS version, device model (e.g. "iPhone 14 Plus"), current connection mode (Direct Modbus / GivTCP / Demo), inverter model name and device-type code if connected, inverter serial number if connected, timestamp of first Diagnostic Mode consent.

Where stored on device: Only the optionally-remembered email address is persisted (SharedPreferences key feedback_remembered_email). Everything else lives in memory while the form is open and is discarded when the form closes.

Sent where: Direct HTTPS PUT to a feedback/ prefix in the same Amazon S3 bucket as §2.6, in the eu-west-2 (London) region. Same write-only credential, same TLS/at-rest encryption.

Retention at Recordflow Ltd: 90 days, matching the §2.6 bucket lifecycle.

Why: So users can report bugs, send feedback, or request features without leaving the app. The auto-captured context lets us triage reports without having to ask the user what device they have.

Lawful basis: Consent (Article 6(1)(a)) — the user explicitly fills in the form and taps Send. The form cannot be opened without Diagnostic Mode being on, so the user has already given §2.6 consent as a prerequisite.

Third parties: Amazon Web Services (cloud-storage processor). Nothing else.

How to request deletion: Contact support@recordflow.co.uk quoting the 12-character reference shown in the "Sent — thanks!" confirmation. We can also delete all records associated with your inverter serial on request.

Why not Apple ID email? iOS does not expose Apple ID or iCloud account identifiers to third-party apps. The optional email field is therefore always user-typed and always optional; we never have a way to contact the user unless they choose to give us one.

3. What we do not collect

To be explicit:

• No names, email addresses, or phone numbers. There are no user accounts and no login.
• No GPS location. Network discovery uses IP subnet scanning, not location services.
• No advertising identifiers. We do not use ad networks or advertising SDKs.
• No photos, contacts, calendars, health data, or financial data.
• No inverter serial numbers leave your device in the default configuration. Serial numbers are stored locally for the known-devices list and are never transmitted to any server unless you have explicitly opted in to Diagnostic Mode (section 2.6), in which case the serial accompanies each upload as the folder name in our cloud storage.
• No browsing history, search history, or user content.
• No data is shared with third parties for marketing or advertising.

4. Lawful basis summary

• Connection settings — Contract performance. Necessary to provide the service.
• Known devices list — Contract performance. Necessary to provide the service.
• Inverter telemetry — Contract performance. The core function of the app.
• Consent preference — Legitimate interest. Recording your choice to honour it; required by PECR.
• Purchase status — Contract performance. Necessary to deliver paid features.
• Diagnostic Mode capture and upload — Consent. On by default during beta; opt-in for public release; can disable at any time in Settings → Advanced.
• User-submitted feedback — Consent. User-initiated; requires Diagnostic Mode to be on.

5. International data transfers

Data that stays on your device (sections 2.1–2.5) is not transferred internationally. It does not leave your phone or tablet.

Diagnostic Mode uploads (section 2.6) and user-submitted feedback (section 2.7) are stored in Amazon S3 in the eu-west-2 (London) region. The data stays in the UK at rest. AWS acts as a processor to Recordflow Ltd under AWS's standard GDPR terms. Transit to AWS is via TLS 1.2+ direct from the device. No personal data is transferred to countries outside the United Kingdom.

6. Your rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights. Because we process very little personal data — and most of it never leaves your device — some of these rights have limited practical application, but we list them all for completeness.

Right of access

You can ask us for a copy of any personal data we hold about you. For data stored only on your device (connection settings, known devices, telemetry), you already have direct access — it is on your phone. For Diagnostic Mode and feedback data, we can provide the uploads associated with your inverter serial on request.

Right to rectification

You can ask us to correct inaccurate personal data. In practice, on-device data can be corrected by you directly (edit the connection, forget a device). Diagnostic captures contain automatically generated technical data that is not meaningfully "correctable", but contact us if you believe something is wrong.

Right to erasure

You can ask us to delete your personal data. For on-device data, uninstalling the app or using "Forget device" / "Forget all" in Settings achieves this immediately. For Diagnostic Mode and feedback data, contact us using the email address in section 11 with your inverter serial number and we will delete your records. Uploads are also automatically deleted after 90 days regardless.

Right to restrict processing

You can ask us to limit how we use your data. The most practical way to exercise this right is to disable Diagnostic Mode in the app's Settings → Advanced. This immediately stops all data transmission.

Right to data portability

Where processing is based on consent or contract and is automated, you can ask for your data in a structured, machine-readable format. On-device data is already under your control. We will provide any Diagnostic Mode uploads and feedback associated with your inverter serial in a standard format on request.

Right to object

You can object to processing based on legitimate interest. The only processing we carry out under legitimate interest is storing your consent preference (section 2.4), which is necessary to honour your choices.

Right not to be subject to automated decision-making

We do not make any automated decisions about you. The app does not profile you or make decisions that produce legal or similarly significant effects.

Right to withdraw consent

Where we process data based on your consent (Diagnostic Mode), you can withdraw consent at any time by going to Settings → Advanced in the app and disabling Diagnostic Mode. Withdrawal does not affect the lawfulness of processing carried out before you withdrew.

Right to complain

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office:

• Website: ico.org.uk/make-a-complaint
• Telephone: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the chance to address your concerns directly first. Please contact us using the details in section 11.

How to exercise your rights

Contact us at the email address in section 11. We will respond within one month. If your request is complex or we receive a large number of requests, we may extend this by a further two months, but we will let you know within the first month.

7. Cookies and local storage (PECR)

Recordflow PV is a native mobile app, not a website. It does not use browser cookies.

However, the Privacy and Electronic Communications Regulations 2003 (PECR) apply to any technology that stores or accesses information on your device, including the local storage mechanisms used by mobile apps. Under PECR Regulation 6, we use the following on-device storage:

• SharedPreferences (connection settings, known devices, consent flag, licence status, polling intervals, last-known battery %) — strictly necessary for the app to function; you cannot monitor your inverter without storing where it is on your network. Exempt from consent under PECR Regulation 6(4) — strictly necessary for the service you requested.
• Diagnostic Mode consent flag and timestamps (SharedPreferences keys diagnostic_mode_enabled, diagnostic_mode_first_consent_at, diagnostic_mode_last_toggled_at) — records your choice to opt in or out of Diagnostic Mode so we honour it across app launches. Requires consent — covered by the first-enable consent dialog (section 2.6).
• Diagnostic Mode event ring buffer (in-memory only, never written to disk) — accumulates captured Modbus frames and app events between uploads. Requires consent — covered by the first-enable consent dialog (section 2.6).
• Feedback remembered email (SharedPreferences key feedback_remembered_email) — remembers the email address you entered in the feedback form so you don't have to retype it. Requires consent — you enter and save it explicitly in the feedback form (section 2.7).

We do not use any local storage for advertising, tracking, or profiling purposes.

8. Children

Recordflow PV is a utility for monitoring home energy equipment. It is not directed at, designed for, or marketed to children under 13. We do not knowingly collect personal data from children under 13.

Under the UK GDPR, children aged 13 and over can provide their own consent for information society services. However, as our app requires access to home network equipment and is a specialist energy management tool, we do not expect children to be a significant user group.

The ICO's Age Appropriate Design Code (the Children's Code) applies to online services likely to be accessed by children under 18. Given that Recordflow PV requires configuration of specific network hardware and is listed in the Utilities category of the app stores, we consider it unlikely to be accessed by children. If this assessment changes, we will update the app and this policy to comply with the Children's Code.

If you believe a child under 13 has provided personal data through our app, please contact us and we will take steps to delete it.

9. Data security

• Local-first architecture. The vast majority of data never leaves your device or your local network. This is a deliberate design choice, not an afterthought.
• No user accounts. There are no passwords, credentials, or authentication tokens to protect or breach.
• No cloud database. We do not operate servers that store your data. There is no central database to be compromised.
• On-device storage uses the platform's standard secure storage mechanisms (iOS Keychain-backed UserDefaults, Android EncryptedSharedPreferences where available).
• Diagnostic Mode uploads are encrypted in transit via TLS 1.2+ and stored encrypted at rest in Amazon S3 (eu-west-2).
• Local network communication between the app and your inverter uses the Modbus TCP protocol, which does not support encryption. This is a limitation of the inverter hardware, not the app. Because this traffic stays on your local network, the risk is limited to someone with access to your Wi-Fi.

10. Changes to this policy

If we make material changes to this policy, we will:

1. Update the "Last updated" date at the top.
2. Describe the changes in the app's release notes for the version that introduces them.
3. For significant changes (new categories of data collection, new third-party processors, changes to lawful basis), show an in-app notification on first launch after the update, with a link to the updated policy.

We will not reduce your rights or increase data collection without giving you clear notice and, where required, obtaining fresh consent.

The current and all previous versions of this policy will be available at the URL shown in Settings → About → Privacy Policy.

11. Contact us

If you have any questions about this policy, want to exercise any of your rights, or want to raise a concern about how we handle data:

• Email: support@recordflow.co.uk

We aim to respond to all enquiries within 5 working days, and to all formal rights requests within one calendar month as required by the UK GDPR.

12. Legal framework

This policy is governed by:

• UK General Data Protection Regulation (UK GDPR), as retained and amended by the Data Protection Act 2018 and the Data (Use and Access) Act 2025
• Data Protection Act 2018 (DPA 2018)
• Privacy and Electronic Communications Regulations 2003 (PECR), as amended
• Consumer Rights Act 2015 (in relation to the subscription/purchase contract)

Recordflow Ltd is registered with the ICO as a data controller. Registration number: ZC132416.