Sunpliance

Privacy Policy

Effective Date: April 19, 2026 · Last Updated: April 19, 2026

1. Introduction

This Privacy Policy describes how Sunpliance collects, uses, and protects information in connection with the Sunpliance solar panel decommissioning compliance platform. It applies to data collected through sunpliance.com, app.sunpliance.com, the Sunpliance mobile application, and any related services (collectively, the “Services”).

Sunpliance is operated by Sunpliance LLC, a Delaware limited liability company (formation pending as of the Effective Date of this Policy; this Policy will be countersigned and ratified by Sunpliance LLC upon its formation). References to “Sunpliance” in this Policy include the operating entity upon its formation and, in the interim, any predecessor sole proprietor or unincorporated operation conducting the business under the Sunpliance brand.

Sunpliance is a business-to-business platform. Most information handled by the Services is business data submitted by a Customer’s authorized Users in the course of documenting solar panel decommissioning work. Individual User accounts are associated with named individuals, and portions of this Policy address how that individual information is treated. Terms capitalized but not defined in this Policy have the meanings given in our Terms of Service.

2. Information We Collect

Account information

When a User registers, we collect name, email address, phone number (if provided), company name, job role, and states of operation.

Usage data

We collect information about how Users interact with the Services, including pages visited, features used, time of access, IP address, device type, operating system, and browser information. This data is collected through standard web server logs and application instrumentation.

Compliance Records

Users submit business data constituting Compliance Records, including solar panel serial numbers and specifications, photographs of panels and removal sites, GPS coordinates of decommissioning locations, chain-of-custody events (pickup, transfer, storage, recycling), recycler partner information, and compliance certificates. Compliance Records may incidentally include personal information (such as a User’s name) when the Services log which User recorded a given event.

Billing information

Payment processing is handled by Stripe, Inc. Sunpliance receives confirmation that a payment has succeeded or failed and retains billing metadata (e.g., amount charged, invoice date). Sunpliance does not store full payment card numbers.

Communications

When a User contacts Sunpliance for support, submits a feature request, or otherwise communicates with us, we retain the content of the communication and related metadata.

Marketing site submissions

Sunpliance retains form submissions from sunpliance.com, including demo requests and access requests. These submissions include name, company, email, phone (optional), states of operation, estimated panel volume, tier of interest, and how the submitter heard about Sunpliance.

3. How We Use Information

We use the information we collect to:

  • Deliver the Services and carry out the contract with Customer;
  • Authenticate Users and secure accounts;
  • Generate Compliance Records, reports, and regulatory certificates;
  • Perform cross-tenant fraud and duplicate-disposition detection as described in Section 7;
  • Provide customer support and respond to inquiries;
  • Process billing and collect Fees;
  • Improve the Services, including through analysis of aggregated and de-identified data;
  • Detect, investigate, and prevent fraud, abuse, or security incidents;
  • Comply with legal obligations and respond to lawful legal process; and
  • Communicate with Users about service availability, product changes, and — where permitted and with opt-out — marketing.

4. Legal Bases for Processing

We rely on the following legal bases for processing personal information:

  • Performance of a contract with the Customer for whom the User is an authorized representative;
  • Legitimate business interests in securing, operating, and improving the Services, including fraud prevention and cross-tenant verification;
  • Legal obligation in responding to lawful legal process and in retaining compliance and billing records; and
  • Consent for marketing communications, which may be withdrawn at any time by using the unsubscribe link in any email.

5. How We Share Information

We share information only as described below.

Service providers

We rely on the following service providers to operate the Services:

  • Supabase — hosted database and authentication infrastructure;
  • Vercel — application hosting and content delivery;
  • Resend — transactional email delivery;
  • Stripe — payment processing (upon integration);
  • LLM Provider — automated processing of User-submitted photographs to extract structured information and support compliance workflows (see Section 6).

These providers process data on Sunpliance’s behalf under contractual obligations consistent with this Policy.

Legal process

We may disclose information in response to a valid subpoena, court order, or similar binding legal request, or where disclosure is required to comply with applicable law or to protect the safety or rights of Sunpliance, our Customers, or the public.

Business transfers

In the event of a merger, acquisition, financing, or sale of assets, information may be transferred as part of the transaction. Affected Customers will receive notice and, where legally required, an opportunity to object.

Aggregated and de-identified data

We may share aggregated or de-identified data that cannot reasonably be used to identify a Customer or individual (for example, industry benchmarks, state-level processing volumes, or research findings).

What we do not do

We do not sell personal information. We do not share Customer-identifying information for third-party marketing. We do not use Customer Content to train any third-party AI models.

6. AI Processing Disclosure

The Services use reputable large language models for certain features, including automated processing of User-submitted photographs to extract structured information and support compliance workflows. When a User submits a photograph or similar input to one of these features, the input is transmitted to a third-party LLM Provider via the LLM Provider’s API for processing, and the resulting response is returned to the Services.

The LLM Provider processes these inputs per its published data-use policy for API inputs. Sunpliance will enroll in the LLM Provider’s Zero Data Retention program, where available, prior to first external Customer go-live; until enrollment, the LLM Provider’s standard API retention terms apply as published by that provider.

Customer Content is not used by Sunpliance, the LLM Provider, or any other third party to train general-purpose AI models.

7. Cross-Tenant Verification

To support the integrity of the solar decommissioning compliance ecosystem, Sunpliance checks panel serial numbers and lifecycle events submitted by each Customer against similar records across the Sunpliance network. This processing helps detect fraud, duplicate chain-of-custody records, and prior terminal disposition (for example, a serial number previously recorded as recycled by another Customer).

When a match is identified, the matching signal is surfaced to the Customer that uploaded the record so the Customer can investigate. Sunpliance does not disclose the identity of any other Customer as part of such matches.

Cross-tenant verification is a core function of the Services and is disclosed here as part of the processing Users can expect when using the Platform. Further detail is in our Terms of Service.

8. Data Retention

  • Compliance Records: seven (7) years from creation or from account termination, whichever is later, as described in our Terms of Service.
  • Account information: retained for the life of the account plus applicable backup retention (typically up to ninety (90) days).
  • Billing records: seven (7) years to meet tax record retention requirements.
  • Support tickets and related communications: three (3) years.
  • Marketing communications data: retained until a recipient unsubscribes or requests deletion.
  • Usage and server logs: thirteen (13) months.

Where longer retention is required by applicable law or legal process, we retain the information for the required period.

9. Data Security

We apply commercially reasonable administrative, technical, and physical safeguards designed to protect information:

  • Data is encrypted in transit using TLS and at rest within the Sunpliance database infrastructure.
  • Customer Content is logically isolated at the database level using row-level security.
  • Access to Customer Content by Sunpliance personnel is limited per the principle of least privilege and restricted to the circumstances described in our Terms of Service.
  • Infrastructure is hosted on Supabase (SOC 2 Type II) and Vercel.

Incident response

In the event of a confirmed data breach involving Customer Content or personal information, Sunpliance will notify affected Customers without undue delay and in any event within seventy-two (72) hours of discovery, with available information about the nature and scope of the incident and the steps Sunpliance is taking in response. Additional updates will follow as investigation progresses.

10. Your Rights

Users and Customers may request:

  • Access to the personal information Sunpliance holds about them;
  • Export of their data in a machine-readable format, at any time and free of charge;
  • Correction of inaccurate personal information;
  • Deletion of personal information, subject to the Compliance Records retention obligations described above and any other legal retention requirement; and
  • Opt-out of marketing communications via the unsubscribe link in any marketing email.

Rights requests should be submitted to privacy@sunpliance.com. Sunpliance will verify the identity of the requester and respond within the period required by applicable law (typically 30 to 45 days).

California residents

Residents of California may have additional rights under the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), including the right to know what personal information is collected, the right to deletion, the right to correct, and the right to limit the use of sensitive personal information. Sunpliance does not sell or share personal information for cross-context behavioral advertising. To exercise CCPA/CPRA rights, contact privacy@sunpliance.com.

Other U.S. state privacy rights

Residents of states with comprehensive consumer privacy laws (such as Colorado, Connecticut, Virginia, Utah, and others) may have similar rights and may submit requests to the same address.

11. Cookies and Tracking

The Services use cookies and similar technologies. Currently:

  • Essential cookies are used for authentication, session management, and security. These cannot be disabled without affecting the Services.
  • Analytics cookies may be used to measure Services usage and improve performance. Vercel Analytics is currently disabled on the marketing site.
  • Sunpliance does not use third-party advertising cookies.
  • Sunpliance does not engage in cross-site tracking or sell clickstream data.

12. Children’s Privacy

The Services are intended for business use only and are not directed to individuals under 18. Account registration requires the User to be at least eighteen (18) years of age. If Sunpliance becomes aware that it has collected personal information from a minor, it will delete that information promptly.

13. International Transfers

Sunpliance is based in the United States and processes data in the United States. Users accessing the Services from outside the United States acknowledge that their information will be transferred to and processed in the United States, where data protection laws may differ from those of their home jurisdiction.

14. Changes to This Policy

Sunpliance may modify this Policy from time to time. Material changes will be communicated with no less than sixty (60) days’ advance notice, delivered to the email address of the Customer’s account owner. Non-material changes may take effect upon posting to sunpliance.com/privacy. The Effective Date at the top of this Policy reflects the latest revision.

15. Contact

Privacy inquiries: privacy@sunpliance.com

Legal notices: legal@sunpliance.com