Legal
Privacy Policy
Last updated: April 2026
Zavepower Innovative Technology AB (publ) ("Zavepower", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our products and services, including Spapilot, E.W.A., and our mobile and web applications.
1. Data Controller
The data controller responsible for your personal data is:
2. Data We Collect
We collect and process the following categories of personal data:
Account Information
When you create an account, we collect your name, email address, and a password hash. If you purchase hardware, we also collect your billing address and, through our payment processor, payment method details.
Device and Sensor Data
Spapilot and E.W.A. continuously collect operational data from your spa or pool, including water temperature, pH levels, ORP (oxidation-reduction potential), energy consumption, jet activity, and heating schedules. This data is associated with your account to provide the core service.
Usage Analytics
We collect anonymized data about how you interact with the Zavepower app, such as features accessed and session duration. This data is aggregated and cannot identify you individually. It helps us improve the product.
3. Why We Process Your Data
Providing the service
Operating Spapilot and E.W.A., sending alerts, processing commands from the app.
Energy optimization
Analyzing usage patterns to generate personalized heating schedules that reduce energy consumption.
Product improvement
Using aggregated device data to improve algorithms, add features, and enhance reliability.
Order fulfillment
Processing payments, shipping hardware, and handling returns and warranty claims.
Customer support
Diagnosing device issues and responding to support requests.
4. Legal Basis (GDPR Article 6)
We rely on the following legal bases for processing your data:
- Contract performance — processing your account data and device data is necessary to deliver the service you subscribed to.
- Legitimate interest — usage analytics and product improvement are carried out under our legitimate interest in providing a high-quality, secure product. These interests do not override your rights.
- Legal obligation — certain data may be retained to comply with Swedish and EU tax and accounting regulations.
5. Data Storage and Security
All personal data is stored on servers located within the European Union. Data is encrypted in transit (TLS 1.3) and at rest (AES-256). We implement access controls, audit logging, and regular security reviews to safeguard your information.
No data is transferred to countries outside the EEA without appropriate safeguards in place (such as Standard Contractual Clauses approved by the European Commission).
6. Data Retention
We retain your data for as long as your account is active. When you close your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., financial records retained for 7 years under Swedish accounting law).
Anonymized, aggregated device data (from which you cannot be identified) may be retained indefinitely to improve the product.
7. Third-Party Processors
We work with a limited number of trusted third-party processors, each bound by data processing agreements:
Stripe
Payment processingHandles payment card data. We never store raw card numbers.
Cloud infrastructure provider
Hosting and data storageEU-based servers. Processes data under our instructions only.
Email delivery service
Transactional emailsSends account notifications and alerts. Access limited to delivery metadata.
8. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Ask us to correct inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data ("right to be forgotten"), subject to legal obligations.
- Right to portability — Receive your data in a structured, machine-readable format and transfer it to another provider.
- Right to object — Object to processing based on legitimate interest, including profiling for product improvement.
- Right to restrict processing — Ask us to limit how we use your data while a complaint or query is resolved.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact us at privacy@zavepower.com. We will respond within 30 days. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.
9. Cookies
We use a minimal set of cookies on our website. We do not use advertising cookies or track you across third-party websites.
| Cookie | Purpose | Duration |
|---|---|---|
| session | Keeps you logged in | Session |
| csrf_token | Security — prevents request forgery | Session |
| preferences | Remembers UI settings (language, theme) | 1 year |
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice in the Zavepower app. The date at the top of this page indicates when the policy was last revised.
11. Contact
For any questions about this Privacy Policy or how we handle your personal data, contact our privacy team at privacy@zavepower.com.