Privacy Policy
Effective April 27, 2026
Energy Sync ("Energy Sync", "we", "us") provides procurement intelligence software to energy brokers, independent power producers, and their customers. This Privacy Policy explains what information we collect, how we use it, and your rights. Operator: Digital Bar AI · contact security@energysync.ai.
Information we collect
Account information. When you or your employer provisions an account, we collect your name, work email, role, phone (optional), timezone, and the organization you belong to. If you sign in with Google or Microsoft, we receive the verified subject identifier and any workspace tenant claim from those providers — used only to route you to your organization.
Workspace data. Energy Sync stores customer, supplier, and contract records that you or your colleagues upload or enter — including procurement documents, request-for-proposal attachments, customer load profiles, signed contracts, and commission statements. Your organization is the data controller for this information; we are the processor.
Operational telemetry. We log application events (sign-ins, file accesses, server errors) to operate and secure the service. These logs include IP address and user-agent for the actor, plus a SHA-256 hash of any share token used. We do not log the raw content of your documents or AI prompts.
How we use information
- To deliver the procurement workspace you signed up for.
- To generate AI-assisted analysis (proposal drafts, bid scoring, commission anomalies). AI processing is delegated to Anthropic; payloads are governed by Anthropic's zero-retention API terms.
- To send transactional email (account verification, share links, commission anomaly alerts) via Resend. We do not send marketing email.
- To detect abuse and respond to security incidents. The FileAccessLog audit trail is reviewed only on incident response.
Service providers
We share information with these providers solely to operate the service. Each is bound by a data-processing agreement.
- Fly.io — application hosting and managed Postgres (San Jose region).
- Tigris — encrypted, content-addressed object storage for documents and proposal PDFs.
- Anthropic — Claude model inference for AI features. Zero-retention; prompts and completions are not used to train models.
- Resend — transactional email delivery.
Security
Documents are encrypted in transit (TLS 1.2+) and at rest. Customer downloads are gated by short-lived (≤ 5 minute) presigned URLs and a per-file authorization check; every read is recorded in our audit trail. Tigris credentials are scoped to a single bucket per environment; staging and production are physically isolated. We rotate credentials at least every 90 days.
Retention
Your records are retained while your account is active. Documents remain in our object store for 30 days after a delete request, then are purged from primary storage; backups age out within 90 days. You may export or delete your data at any time by contacting security@energysync.ai.
Your rights
You may request a copy of the information we hold about you, ask us to correct it, or ask us to delete it. If you are in the EU/UK, California, or another jurisdiction with data-protection rights, you have the rights afforded under your local law (GDPR, CCPA, etc.). Email security@energysync.ai and we will respond within 30 days.
Children
Energy Sync is a business-to-business product. We do not knowingly collect information from anyone under 18.
Changes
We may update this policy. Material changes will be posted here and notified by email to active account holders.