Privacyverklaring ModbusCloud

1. Introduction

This privacy statement describes how Avanta Systems ("we", "us", "ModbusCloud") processes personal data in providing the ModbusCloud platform and the associated webshop. We take your privacy seriously and process personal data in accordance with the General Data Protection Regulation (GDPR), the Dutch GDPR Implementation Act and the Dutch Telecommunications Act.

ModbusCloud is a B2B cloud portal that allows professional installers to remotely monitor, read and control industrial Modbus equipment (inverters, heat pumps, energy meters, HVAC systems) via the MCG-1 gateway. This statement applies to all processing activities via modbuscloud.com and portal.modbuscloud.com.

2. Controller

The controller within the meaning of Article 4(7) GDPR is:

Avanta Systems Registered office in Zwolle, the Netherlands Business address: Ceintuurbaan 15, 8022 AW Zwolle Chamber of Commerce number: 97761362 VAT number: NL005287244B70 Turnover tax number: 228173425B02 Telephone: +31 85 333 2576 General email address: info@modbuscloud.com Privacy contact: privacy@modbuscloud.com

We have no statutory obligation to appoint a Data Protection Officer (DPO) (Article 37 GDPR), but you can contact the privacy contact above for any privacy-related questions. Responses are handled by the privacy officer within Avanta Systems.

3. Role allocation: controller and (sub)processor

The allocation of roles under the GDPR is as follows.

3.1 Account data of the installer (Customer). For the personal data we process concerning the installer and its employees (account data, payment data, support correspondence, portal usage statistics), ModbusCloud is itself the controller.

3.2 Device and end-customer data. For personal data that the installer processes via the portal concerning its own end customers (location address details, site name, any contact persons, device and measurement data insofar as traceable to a natural person), the installer is itself the controller. ModbusCloud acts as processor in that context. Where the installer acts as processor for its end customer, ModbusCloud acts as sub-processor.

For this processing, we conclude a Data Processing Agreement (DPA) with every installer in accordance with Article 28 GDPR. The DPA forms an integral part of the agreement and is made available when a business account is created.

4. Which personal data we process

We process the following categories of personal data.

4.1 Account data

First and last name, business email address, company name, position or role within the company, language preference, hashed passwords (bcrypt or comparable) or OAuth tokens when logging in via Google or Microsoft, two-factor authentication seed or backup codes (if activated).

4.2 Payment and invoicing data

Billing address, company name, Chamber of Commerce number, VAT number, order history, payment status, last four digits of the payment method. Full card details or IBAN are processed exclusively by Stripe; we do not receive or store these.

4.3 Device and telemetry data

Serial numbers of gateways, Modbus register values (for example current, voltage, temperature, COP, flow rate, setpoints), timestamps, connectivity status, firmware versions. Insofar as this data is traceable to a natural person (for example because the gateway is located at a residential address), this qualifies as personal data.

4.4 Location and end-customer metadata

Address of the installation location, site name, optional contact person at the end customer, note fields.

4.5 Log and audit-trail data

Login data (time, IP address, user agent), pages viewed, API calls performed, and (importantly) the full audit trail of write commands to Modbus registers: who wrote which value to which register of which device at what time. This audit trail is legally necessary for liability purposes and security.

4.6 Support communication

Emails, chat messages and ticket contents in support requests.

4.7 Cookies and similar techniques

See section 10 for an extensive explanation.

5. Purposes and legal bases

We process personal data exclusively for the purposes described below and on the basis of the legal basis from Article 6 GDPR stated.

6. Automated decision-making and profiling

We do not use fully automated decision-making with legal effects or similarly significant effects on the data subject within the meaning of Article 22 GDPR. Alarm rules, threshold values and automation scripts that the Customer configures in the portal do not constitute automated decision-making about natural persons, but technical operational management of equipment.

7. Recipients and processors

We engage carefully selected processors for hosting, authentication, payment, communication and analysis. With every processor we conclude a data processing agreement in accordance with Article 28 GDPR.

A current sub-processor list is published as an annex to our DPA. Changes are announced to the Customer at least 30 days in advance; the Customer may submit a reasoned objection against a new sub-processor.

7.1 Specific explanation Google Analytics

For website statistics, we may use Google Analytics 4, provided by Google Ireland Ltd. We configure this service in accordance with the "Guide to privacy-friendly configuration of Google Analytics" from the Dutch Data Protection Authority:

A data processing agreement with Google (Google Ads Data Processing Terms) has been concluded.
IP addresses are not fully stored; Google Analytics 4 processes IP addresses only temporarily for geographical approximation.
Data is not shared with Google for its own purposes. "Google signals", personalised advertisements and data sharing with other Google products are disabled.
The retention period in Google Analytics is set to the minimum setting of 2 months.
Google Analytics cookies are placed exclusively after explicit consent via our cookie banner.

7.2 Specific explanation PostHog

For product analytics in the portal we use PostHog on the EU Cloud environment in Frankfurt, so that data does not leave the EEA. PostHog is configured with autocapture in disabled or limited mode, session recording only with explicit consent, and IP anonymisation. PostHog cookies are placed exclusively after explicit consent.

8. Transfer outside the European Economic Area

Some of our processors have a parent entity in the United States. For transfer of personal data to these third countries, we rely on:

The EU-U.S. Data Privacy Framework (Adequacy Decision of the European Commission of 10 July 2023), insofar as the recipient concerned is on the current DPF list.
The Standard Contractual Clauses (Module 2 or Module 3, Implementing Decision (EU) 2021/914) as additional or alternative safeguard.
Additional technical and organisational measures in line with the EDPB Recommendations 01/2020 on supplementary measures, including encryption at rest and in transit, strict access rights, and logging of export requests.

On request, we provide a copy or summary of the applicable safeguards.

9. Retention periods

We do not retain personal data longer than necessary. Specific periods:

After expiry, data is deleted or irreversibly anonymised. Aggregated or anonymised product statistics may be retained longer, as they no longer contain personal data.

10. Cookies and similar techniques

We place cookies on the basis of art. 11.7a Dutch Telecommunications Act. There are three categories.

10.1 Functional and strictly necessary cookies. Placed without consent. This includes session cookies, CSRF tokens, language preference, cookie banner choice, and authentication tokens. Without these cookies, the portal does not work.

10.2 Analytical cookies with minor privacy impact. Where possible configured without unique user identification, with IP anonymisation and without data sharing with third parties. Depending on configuration, without consent or with consent.

10.3 Other analytical, profiling or marketing cookies. Only after explicit consent via our cookie banner. This includes Google Analytics 4 and PostHog. You can change your choice at any time via the cookie settings in the footer of our websites.

A current overview of specific cookies, their purpose, supplier and retention period can be found in the cookie statement at modbuscloud.com/cookies.

11. Your rights

Under Chapter III GDPR (Articles 15 to 22), you have the following rights, insofar as the legal basis and context permit.

Right of access (Art. 15).
Right to rectification (Art. 16).
Right to erasure or "right to be forgotten" (Art. 17).
Right to restriction of processing (Art. 18).
Right to data portability (Art. 20).
Right to object (Art. 21), in particular to processing on the basis of legitimate interest.
Right not to be subject to fully automated decision-making (Art. 22). We do not apply this, see section 6.
Right to withdraw given consent at any time (Art. 7(3)). Withdrawal operates for the future and does not affect the lawfulness of earlier processing.

For a request, send an email to privacy@modbuscloud.com. We respond within one month, extended by two months for complex requests where necessary (Art. 12(3) GDPR). For requests relating to end-customer data for which your installer is the controller, we refer you to the installer concerned. We support the installer in handling such requests on the basis of our DPA.

You have the right at all times to lodge a complaint with the Dutch Data Protection Authority via autoriteitpersoonsgegevens.nl.

12. Security

We take appropriate technical and organisational measures as referred to in Article 32 GDPR, including:

Encryption in transit (TLS 1.2 or higher) and encryption at rest (AES 256 or equivalent via hosting providers).
Row Level Security and strict tenant isolation at database level (Supabase PostgreSQL).
Role-based access control, principle of least privilege, mandatory two-factor authentication for employees with production access.
Centralised logging, monitoring and alerting on unusual activity.
Regular backups with geographical redundancy within the EEA.
Periodic security tests, including dependency scans, code reviews and, where reasonable, penetration tests.
A documented incident response process.
Confidentiality obligations for employees and processors.
Encrypted MQTT communication (TLS 1.2 or higher) between gateway and EMQX broker.
Hardware security features on the MCG-1 gateway in line with the Cyber Resilience Act.

13. Data breaches

We apply a data breach procedure in accordance with Articles 33 and 34 GDPR. In the event of a data breach with a risk to data subjects, we notify this within 72 hours of discovery to the Dutch Data Protection Authority. In case of a high risk, we inform data subjects directly. In cases where ModbusCloud acts as (sub)processor, we notify the breach without delay to the relevant controller, with the information needed to meet its own notification obligation.

As of 11 September 2026, additional notification obligations apply in case of actively exploited vulnerabilities and serious incidents on the basis of the Cyber Resilience Act (Regulation (EU) 2024/2847). We will make these notifications via the ENISA single reporting platform as soon as available.

14. Minors

Our service is aimed exclusively at business customers and is not intended for natural persons under 16 years of age. We do not knowingly collect data from minors.

15. Changes

We may amend this privacy statement. Material changes are announced at least 30 days in advance via the portal or by email to the account contact known to us. The current version is always available at modbuscloud.com/privacy with the version date stated.

16. Contact

For questions about this statement or your privacy rights:

Privacy email: privacy@modbuscloud.com General: info@modbuscloud.com Telephone: +31 85 333 2576 Post: Avanta Systems, Ceintuurbaan 15, 8022 AW Zwolle

Complaints about the processing of your personal data can also be submitted to the Dutch Data Protection Authority, Postbus 93374, 2509 AJ Den Haag, autoriteitpersoonsgegevens.nl.

Providing the portal and the gateway (account management, authentication, technical operation)	Account, devices, logs	Performance of the contract, Art. 6(1)(b) GDPR
Invoicing and debtor management	Payment and invoicing data	Performance of the contract, Art. 6(1)(b) GDPR, and legal obligation, Art. 6(1)(c) GDPR (art. 52 Dutch General Tax Act (AWR))
Customer service and incident handling	Account, support communication	Performance of the contract, Art. 6(1)(b) GDPR
Security, fraud prevention, audit trail	Logs, audit trail, IP addresses	Legitimate interest, Art. 6(1)(f) GDPR (continuity, security, evidence)
Product improvement based on anonymised or aggregated data	Device and usage statistics after anonymisation	Legitimate interest, Art. 6(1)(f) GDPR
Service messages (outages, releases, changes to terms)	Account data	Performance of the contract, Art. 6(1)(b) GDPR
Commercial emails about similar products to existing customers (soft opt-in)	Email address	Legitimate interest, Art. 6(1)(f) GDPR, within the framework of art. 11.7 Dutch Telecommunications Act
Newsletter or marketing to prospects	Email address	Consent, Art. 6(1)(a) GDPR
Analytics and product usage measurements (PostHog and Google Analytics)	Cookies, event data, anonymised IP address	Consent, Art. 6(1)(a) GDPR and art. 11.7a Dutch Telecommunications Act
Compliance with legal obligations (taxes, information requests from competent authorities)	All relevant categories	Legal obligation, Art. 6(1)(c) GDPR

Vercel Inc.	Hosting frontend portal and marketing site	Parent entity US, execution in EU region Frankfurt (fra1)	EU-U.S. Data Privacy Framework (DPF) and Standard Contractual Clauses (SCC) (EU) 2021/914 as additional safeguard
Supabase Inc.	PostgreSQL database, authentication, storage	Parent entity US, execution in EU West 1 (Ireland)	EU-U.S. DPF and SCC 2021/914
Railway Corp.	Backend workers, cron jobs	Parent entity US, execution in EU region	EU-U.S. DPF if certified, otherwise SCC 2021/914
EMQX Cloud (EMQ Technologies Inc.)	MQTT broker for gateway communication	Serverless deployment in EU Central 1 (Frankfurt)	SCC 2021/914
Stripe Payments Europe Ltd.	Payment processing	Ireland (EEA)	No transfer required, within EEA
Google Ireland Ltd.	OAuth login (Google Sign-in) and, if configured, Google Analytics 4	Ireland (EEA), sub-processors in the US	EU-U.S. DPF and SCC 2021/914
Microsoft Ireland Operations Ltd.	OAuth login (Microsoft Entra ID)	Ireland (EEA)	Within EEA, sub-processors partly in the US under EU-U.S. DPF
Resend B.V.	Transactional email (invoices, account notifications, password reset)	EU region Ireland	Within EEA
Moneybird B.V.	Accounting and invoicing	The Netherlands	Within EEA
PostHog Inc.	Product analytics (only with consent)	EU Cloud, Frankfurt (Germany)	Parent entity US, SCC 2021/914

Account data (profile, login credentials)	Duration of the subscription plus 90 days after termination
Invoicing and accounting data	7 years after the end of the financial year (art. 52 Dutch General Tax Act (AWR), tax retention obligation)
Device and telemetry data	Duration of the subscription, thereafter 90-day export window, full deletion within 30 days thereafter, backups roll out within 35 days thereafter
Audit trail of commands and security logs	24 months, longer if necessary for incident investigation or legal claim
Support correspondence	Maximum 24 months after closure of the ticket
Marketing emails and newsletter	Until unsubscription, thereafter only a minimal unsubscribe list
Cookies (non-essential)	Session or maximum 12 months
Consent registration	Duration of the processing plus 5 years for evidence
Google Analytics event data	Maximum 2 months (shortest possible setting)
PostHog session and event data	Maximum 6 months after last activity

ModbusCloud Privacy Statement