Privacy Policy
How BreakPoint Energy Ltd, operating SitePower.ai, collects, uses, and protects personal information across the matching, qualification, and deal facilitation services we provide to energy technology companies, site developers, and infrastructure financiers.
- SitePower is a curated B2B matching platform. We collect what we need to qualify counterparties and make introductions — nothing more.
- We do not sell personal information. We do not run advertising on this platform. We do not use your data to train external AI models.
- We use AI to assist matching and qualification. Humans review every outbound introduction. You can object to fully automated decisions.
- We share counterparty identities only after both parties have an executed non-disclosure agreement.
- You have the right to access, correct, export, or delete your personal information. Email privacy@sitepower.ai and we respond within 30 days.
Who we are
SitePower.ai (the "Platform") is operated by BreakPoint Energy Ltd, a company incorporated in New Zealand (collectively "SitePower", "we", "us", or "our"). For the purposes of the EU General Data Protection Regulation, the United Kingdom General Data Protection Regulation, the California Consumer Privacy Act as amended by the California Privacy Rights Act, and the New Zealand Privacy Act 2020, BreakPoint Energy Ltd is the data controller of personal information processed through the Platform.
This Privacy Policy explains what personal information we process, why we process it, the legal bases on which we rely, who we share it with, how long we keep it, where it is stored, and what rights you have. It applies to visitors to sitepower.ai, applicants to the Platform, and Partners onboarded under our Platform Participation Agreement.
Information we collect
2.1 Information you provide
- Account and application data — name, business email, job title, company, country, LinkedIn URL, and information submitted through our application forms (technology specifications, site characteristics, investment mandates).
- Qualification data — information submitted as part of our counterparty qualification process, including financial information about your business, technology readiness level documentation, site control documentation, and references.
- Contractual data — non-disclosure agreements, Platform Participation Agreements, and signature metadata captured via our e-signature provider.
- Payment information — billing name, address, and the last four digits and brand of your payment card. Full card numbers are processed directly by our payment provider and never stored on our systems.
- Communications — emails, meeting notes, and information you share with us by phone, video call, or within secure data rooms.
2.2 Information collected automatically
- Technical and usage data — IP address, device type, browser type, operating system, referring URL, pages visited, time spent, and approximate geographic location derived from IP.
- Cookies and similar technologies — see Section 11 below.
- Email engagement data — open rates and click-throughs on emails we send, where permitted by law.
2.3 Information from third parties
- Business enrichment data — publicly available information about your company from sources such as company registries, regulatory filings, professional networks, and news media, used for counterparty due diligence.
- Referral data — if you were referred by a Relationship Partner or other introducer, we record the referral source for commission attribution.
We do not knowingly collect sensitive personal information (race, ethnicity, religion, health, sexual orientation, biometric or genetic data). Please do not submit such information through the Platform.
How we use personal information
We process personal information for the following purposes, relying on the legal bases shown below where the EU GDPR or UK GDPR applies.
| Purpose | Legal basis (EU / UK) |
|---|---|
| Operating the Platform, qualifying counterparties, and facilitating curated introductions | Performance of a contract, or our legitimate interest in operating a curated B2B marketplace |
| Verifying business credentials, technology readiness, site control, and financier mandates | Legitimate interest in maintaining platform integrity and protecting counterparties from misrepresentation |
| Processing payments and managing subscriptions | Performance of a contract; compliance with legal and tax obligations |
| Sending service communications (matches, deal updates, account notices) | Performance of a contract; legitimate interest in operational continuity |
| Sending marketing communications about SitePower | Consent, or legitimate interest where permitted under the business-to-business soft opt-in regime |
| Security, fraud prevention, abuse monitoring, and safeguarding of confidential information | Legitimate interest in protecting our Platform, our Partners, and the public; compliance with legal obligations |
| Complying with legal, regulatory, tax, and law enforcement obligations | Compliance with a legal obligation |
| Improving the Platform, including refining our matching and qualification methodologies | Legitimate interest in improving service quality, using aggregated or anonymised data wherever practicable |
AI-assisted matching and automated decisions
SitePower uses artificial intelligence to support — not replace — human judgement in three areas: (i) extracting and structuring information from application forms and uploaded documents, (ii) scoring compatibility between technologies, sites, and financiers, and (iii) drafting outbound communications and qualification notes for our team to review.
Human oversight is mandatory. No introduction is made, no qualification decision is finalised, and no deal is structured solely by automated means. A SitePower team member reviews every outbound match before disclosure of identity between counterparties.
We do not use your personal information or your confidential business information to train external or third-party AI models. Where we use third-party AI services (such as large language model providers), we do so under contractual terms that prohibit those providers from training their models on our data.
Where the EU GDPR or UK GDPR applies, you have the right to obtain human intervention, express your point of view, and contest any decision based solely on automated processing. To exercise this right, contact privacy@sitepower.ai.
International data transfers
SitePower is operated from New Zealand and the United States, and our sub-processors may be located in other jurisdictions including the European Union and the United Kingdom. As a result, personal information may be transferred to, and processed in, countries other than your country of residence.
Where personal information is transferred out of the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognised as providing an adequate level of data protection, we put in place appropriate safeguards. These include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary technical and organisational measures. New Zealand has been recognised by the European Commission as providing adequate protection for personal data.
You may request a copy of the safeguards in place for transfers from your jurisdiction by contacting privacy@sitepower.ai.
Data retention
We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including to provide the Platform, comply with legal, accounting, and tax obligations, resolve disputes, and enforce our agreements. Indicative retention periods are set out below.
| Category | Retention period |
|---|---|
| Application data (unsuccessful applicants) | Up to 24 months from last activity, then deletion or anonymisation |
| Partner account and qualification records | Duration of relationship + 6 years |
| NDA and contractual records | Duration of agreement + statutory limitation period (typically 6 years) |
| Financial and tax records | 7 years (or longer where required by applicable law) |
| Marketing email subscribers | Until you unsubscribe or after 24 months of inactivity |
| Web analytics and cookie data | Up to 26 months |
| Security and incident logs | 12 to 24 months |
Where personal information no longer needs to be retained in identifiable form, we either delete it or anonymise it so that it can no longer be linked to you.
Security
We protect personal information with administrative, technical, and physical safeguards proportionate to the sensitivity of the information and the risks posed by processing. These include:
- Encryption in transit using industry-standard TLS for all data moving between your device and our infrastructure.
- Encryption at rest for personal information, NDAs, contractual documents, and data room contents.
- Multi-factor authentication on internal access to sensitive systems.
- Role-based access controls limiting access to personal information to staff with a defined need to know.
- Sub-processor due diligence, including review of security certifications such as SOC 2, ISO 27001, or equivalent.
- Internal policies on confidentiality, data handling, and incident response.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals, within the timeframes mandated by applicable law.
Your rights
Subject to applicable law, you have rights in respect of the personal information we hold about you. These include the right to:
- Access — request a copy of the personal information we hold about you.
- Rectification — request correction of inaccurate or incomplete personal information.
- Erasure — request deletion of personal information in certain circumstances.
- Restriction — request that we limit how we process your information in certain circumstances.
- Portability — receive personal information you have provided to us in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interests, and to direct marketing at any time.
- Automated decisions — request human review of any decision based solely on automated processing that has legal or similarly significant effects on you.
- Withdraw consent — where we rely on consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint — with the data protection authority in your jurisdiction.
To exercise any of these rights, email privacy@sitepower.ai. We will respond within 30 days, or sooner where required by law. We may ask for information to verify your identity before acting on a request. We do not charge a fee for responding to a valid request unless the request is manifestly unfounded, excessive, or repetitive.
Region-specific notices
10.1 European Union, United Kingdom, and Switzerland
BreakPoint Energy Ltd is the data controller. We are based in New Zealand, which has been recognised as providing adequate protection for personal data under the EU GDPR. You have the right to lodge a complaint with your local supervisory authority, including the Irish Data Protection Commission, the UK Information Commissioner's Office, and the Swiss Federal Data Protection and Information Commissioner.
10.2 California residents
Under the California Consumer Privacy Act as amended by the California Privacy Rights Act, you have the right to know what personal information we collect, the right to delete it, the right to correct inaccurate information, the right to limit the use of sensitive personal information, the right to opt out of sale or sharing, and the right to non-discrimination for exercising your rights. We do not sell or share personal information for cross-context behavioural advertising. To exercise your CCPA rights, email privacy@sitepower.ai.
10.3 New Zealand
Under the New Zealand Privacy Act 2020, you have the right to access and correct personal information we hold about you. You may also lodge a complaint with the Office of the Privacy Commissioner at privacy.org.nz.
10.4 Other jurisdictions
Residents of Brazil, Canada, Australia, and other jurisdictions with applicable data protection laws have the rights conferred by those laws. We apply equivalent standards globally.
Children
The Platform is intended for business-to-business use by representatives of qualified counterparties and is not directed to children. We do not knowingly collect personal information from children under the age of 16. If you believe we have collected information from a child, email privacy@sitepower.ai and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The "Effective" date at the top of this policy indicates when it was last revised. Where changes are material, we will provide additional notice (such as by email to Partners, or by displaying a notice on the Platform) before the changes take effect.
Operating SitePower.ai
Email: privacy@sitepower.ai
General enquiries: atlas@sitepower.ai