Privacy Policy

How Caolú Consultants collects, uses, stores, and protects your personal data.

Effective: 1 May 2025
Last updated: April 2026 (v4)
Applies to: app.caolu.ie & account.caolu.ie
Law: GDPR & Irish Data Protection Acts 1988–2018
1

Who We Are

Caolú Consultants ("Caolú", "we", "us", or "our") is a company registered in the Republic of Ireland under Company Registration Number 783041. Our full company registration and contact details are available on our Contact page.

We operate the Caolú Irish Solar Edition — a field sales and solar quoting platform for SEAI-registered solar installers, accessible at app.caolu.ie and managed at account.caolu.ie.

Caolú Consultants is the Data Controller under the GDPR for personal data collected through our platform. This means we determine the purposes and means by which your data is processed and are responsible for ensuring it is handled lawfully.

Where you use our platform to generate quotes for your own end customers (homeowners or businesses), you are the Data Controller for that customer data, and Caolú acts as your Data Processor. You are responsible for ensuring you have a lawful basis to collect and process your customers' personal information before entering it into our system.

Data protection contact: For any questions, requests, or concerns about how we handle your personal data, contact us at [email protected]. We aim to respond within 5 working days.
2

What Personal Data We Collect

We collect only the personal data that is necessary to provide the Caolú platform. Below is a complete description of each category.

Account & Identity Data

  • Full name — to identify you within your company account and to appear on generated quotes and proposals
  • Email address — for account login, subscription management, and transactional communications
  • Phone number — optional; provided at your discretion to allow managers or customers to contact you directly
  • Password — stored as a one-way cryptographic hash (bcrypt). We never store or have access to your plaintext password

Professional & Business Data

  • Company name, company registration number, and VAT number — displayed on quote documents sent to your end customers
  • Company address, company phone, and company tagline — displayed on PDF proposals generated through the tool
  • SEAI installer number and SEAI registration number — used to validate eligibility for the platform (restricted to SEAI-registered installers) and to auto-populate quote documents
  • SEAI verification status and verification timestamps — the result of our automated cross-check against the public SEAI Solar PV Company register (verified, pending, not_found, deregistered, or manual_verified), the date the check was performed, and — where a manual review was required — the date that review was completed. These fields are stored on your profile and company record and are used solely to administer the eligibility verification process described below.
  • Bank name, IBAN, and BIC — entirely optional; if provided, these are used solely to populate the payment details section of your own PDF proposals sent to customers. They are never used by Caolú for payment processing and are never shared with third parties including Stripe.

Billing & Subscription Data

  • Stripe customer ID and subscription ID — to manage your subscription lifecycle and open the Stripe billing portal
  • Subscription status, tier, and seat limit — to control access to features appropriate to your plan
  • Trial end date and billing period end date — to display accurate account information and send trial expiry reminders
  • All card and payment details are handled exclusively by Stripe. We never see, store, or process card numbers, CVV codes, or bank account details used for payment.

Usage & Technical Data

  • Session tokens stored in your browser's local storage — to keep you signed in between visits
  • Login timestamps — recorded by our authentication provider (Supabase) for security purposes
  • We intend to introduce anonymised, aggregated usage analytics (such as Google Analytics) in the future. We will update this policy before doing so and will display a cookie notice and seek appropriate consent where required by law.

Quote & Survey Data You Enter

Solar quotations you create through the tool — including customer energy usage profiles, roof survey data, equipment selections, and financial projections — are stored in your account. This data may relate to identifiable individuals (your end customers). As noted above, you are the Data Controller for this customer data, and you must ensure you have a lawful basis for collecting it. We process it solely to provide you with the service you have subscribed to.

This data may include, but is not limited to: customer name, email address, phone number, property address, Eircode, MPRN (Meter Point Reference Number), grant eligibility status, energy usage profile, and GDPR consent records. The MPRN is a unique property-level identifier used for SEAI grant applications and ESB Networks notification submissions (NC6/NC7). It is treated with the same care as other personal identifiers.

Where you have configured a webhook integration (available on Enterprise plan), certain customer and system data collected during the quoting process may be transmitted to a third-party endpoint — such as a CRM system — chosen and operated by you. Caolú transmits data to your configured webhook endpoint as a technical service only and does not control, store, or take responsibility for the receiving system. You, as the Data Controller, are solely responsible for the security, compliance, and lawful operation of your webhook endpoint, including ensuring any third-party system receiving personal data complies with GDPR and applicable Irish data protection law.

Sales Rep Performance Data (Teams & Enterprise plans)

Where a subscriber has a Teams or Enterprise plan and enables the Manager Dashboard, Caolú records structured behavioural data about each sales rep's use of the quoting tool. The purpose is to allow the subscriber's managers to oversee team performance. The data collected is limited to work-product metrics and does not include keystroke logging, screen capture, geolocation, or any observation of activity outside the Caolú platform.

The rep performance categories are:

  • Session events: assessment opened, PDF generated, configuration saved, configuration reloaded, login, logout, session timeout
  • Technical metadata per quote: system size (kWp), battery attach yes/no, EV charger yes/no, immersion diverter yes/no, orientation, county, estimated annual savings, SEAI grant eligibility
  • Deal pipeline state: in progress / won / lost, and where applicable the categorised loss reason (price, competitor, timing, financial, planning, etc.)
  • Assignment: which rep created which saved configuration

Where a subscriber is also the rep's employer, the subscriber is the Data Controller for the rep's performance data and carries the legal responsibility for notifying the rep that monitoring is in place. Caolú provides an employee notification template to subscribers for this purpose. Caolú acts as the Data Processor and applies the safeguards described in Section 9.1 (Manager Dashboard & Rep Performance Monitoring), including pseudonymisation by default and a 90-day retention ceiling on individual-level metrics.

Reps can see everything Caolú holds about them at any time via the "My Data & Privacy" screen in their profile dropdown, and can export their data as a JSON file.

3

Why We Collect It — Our Lawful Bases

Under GDPR Article 6, we must have a documented lawful basis for every type of personal data processing we carry out. We rely on the following:

Contract performance (Article 6(1)(b))
The majority of the data we process — your name, email address, company details, subscription data, and tool usage — is necessary to deliver the service you have subscribed to. Without this data we cannot create your account, generate quotes, manage your team, or provide billing. This is our primary lawful basis. Customer MPRN data collected during the quoting process is processed on the same basis, where required for SEAI grant application workflows or ESB Networks NC6/NC7 notification submissions. Where webhook integrations are configured by Enterprise subscribers, technical transmission of data to the subscriber's chosen endpoint is carried out on the basis of contract performance (delivery of the subscribed service feature).

Legitimate interests (Article 6(1)(f))
We process your SEAI installer number and professional registration details to verify that you meet our eligibility criteria (the platform is exclusively for SEAI-registered solar installers). Specifically, we carry out the following automated processing on account creation and on a nightly basis thereafter:

  • Your SEAI installer number is cross-referenced against the public SEAI Solar PV Company register, which Caolú syncs nightly from the SEAI website.
  • The result is stored as a verification status on your profile: verified (number found and active), pending (number not yet found — 35-day grace period applies for new registrants), not_found (number not found after the grace period), deregistered (number previously verified but since removed from the register), or manual_verified (confirmed directly by a member of the Caolú team).
  • Every check is logged in an audit table with a timestamp, the result, and the trigger (account creation, nightly sync, or manual review).
  • If your status is not_found or deregistered, you will see an in-app notice and may be contacted at your registered email address. No automated account suspension or termination occurs — any action requires human review by a member of the Caolú team.

This processing does not constitute automated decision-making within the meaning of Article 22 GDPR — no decision producing legal or similarly significant effects is made automatically. All account-level decisions require human review. We have assessed this processing as proportionate to our legitimate interest in ensuring platform integrity, and as not overriding your rights or freedoms given the safeguards described above. We also rely on legitimate interests for basic platform security and fraud prevention.

Legitimate interests for sales rep performance data (Teams & Enterprise plans)
Where a subscriber enables the Manager Dashboard, the lawful basis for the subscriber's processing of rep performance data is legitimate interest in team management. We, as Data Processor, rely on the subscriber's own legitimate-interest balancing test but also apply a conservative default posture at the platform level: pseudonymous rep cards by default, 90-day automated anonymisation of individual metrics, no automated scoring or evaluative labels, and full rep transparency via the in-app "My Data & Privacy" screen. These safeguards tip the balance in favour of legitimate interest for the subscriber's balancing test. Reps retain the right to object under Article 21 via the procedure described in Section 7, and objections are handled on a case-by-case basis with the subscriber.

Legal obligation (Article 6(1)(c))
We may retain or disclose certain data where required to comply with Irish company law, revenue obligations, or a lawful request from a competent regulatory authority or court.

Consent (Article 6(1)(a))
Where you choose to provide optional data such as your phone number or bank details, you do so voluntarily and can withdraw or remove this data at any time from your account settings. We will also seek explicit consent before introducing any analytics tracking or marketing communications.

Note on bank details: If you enter your bank name, IBAN, or BIC, this information is stored solely to auto-populate your own PDF proposals. It is encrypted at the field level using AES-256 symmetric encryption (pgcrypto) before being written to the database — decryption occurs exclusively server-side within a secured Edge Function, and the encryption key is never exposed to the browser or any client. Bank details are never visible to other users, never transmitted to Stripe or any payment processor, and never used by Caolú for any financial transaction.
4

How Long We Keep Your Data

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by law. Our specific retention periods are as follows:

  • Active accounts: All account data is retained and accessible for the full duration of your active subscription.
  • Individual rep performance metrics (Teams & Enterprise plans): Individual-level performance metrics visible in the Manager Dashboard are automatically anonymised after 90 days by a nightly scheduled job. Beyond 90 days, behavioural rows can no longer be attributed to a specific rep. Aggregate team-level statistics (which cannot be linked back to an individual) may be retained longer to support year-over-year trend reporting.
  • Won and lost deal records: When a deal reaches "won" or "lost" status, its locked commercial values (quote total, system size, battery capacity) are retained for 7 years as commercial records in line with Irish Revenue requirements under the Taxes Consolidation Act 1997. These records are exempt from the 90-day individual anonymisation described above, but the rep name associated with a closed deal can be scrubbed on erasure request without removing the commercial figure.
  • After subscription cancellation: Your account and all associated data (including saved quotes) is retained for 30 days from the date of cancellation. This gives you the opportunity to export or retrieve anything you need. After 30 days, your personal profile data will be deleted or irreversibly anonymised, subject to the 7-year commercial-record exception above.
  • Financial and transactional records: We may retain records of subscription transactions for up to 7 years to comply with Irish Revenue obligations under the Taxes Consolidation Act 1997. These records are kept in minimal form (transaction ID, amount, date, tier) and do not include card details.
  • Security and authentication logs: Login records held by our authentication provider are retained for up to 90 days for security monitoring purposes.
  • Deleted invites and former team members: When a manager removes a team member or cancels an invite, their profile is unlinked from the company immediately. Their Supabase authentication account is retained for 30 days and then deleted.
  • Company offboarding: When a subscriber offboards entirely, their complete dataset (live tables, saved configurations, deal status history, team goals, assessment events) is copied into a service-role-only cold storage schema and the live tables are cleared. Cold storage is retained for 10 years to cover the statute of limitations for Irish commercial disputes.

You may request deletion of your personal data at any time by contacting [email protected]. We will action erasure requests within 30 days, subject to any overriding legal retention obligations.

5

Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share data only with trusted third-party service providers (Data Processors) who process it on our behalf, under contract, for specific purposes only.

The following table lists every sub-processor we use and why:

Provider Purpose Data shared Location
Supabase
Privacy policy ↗		 Database, authentication, file storage, and edge computing for the platform All profile data, subscription data, quote data, session tokens EU West (Ireland) — AWS eu-west-1
Stripe
Privacy policy ↗		 Subscription billing, payment processing, and customer portal Email address, subscription tier, Stripe customer ID. Card details are entered directly into Stripe and never pass through our servers. EU (Stripe Ireland Limited)
Netlify
Privacy policy ↗		 Hosting and delivery of app.caolu.ie and account.caolu.ie IP address and request metadata (standard web hosting logs) EU CDN edge nodes
Zoho Mail
Privacy policy ↗		 Transactional email delivery (account invites, password resets, notifications) Email address and the content of transactional emails EU data centre
Zoho CRM
Privacy policy ↗		 Customer relationship management and business email communications (Caolú internal use) Name, email address, company name, subscription tier EU data centre
Google Maps Platform
Privacy policy ↗		 Satellite imagery and geocoding for roof survey within the quoting tool Property address entered during a roof survey session Global (Google LLC)
Google Analytics (planned)
Privacy policy ↗		 Anonymised usage analytics (not yet active — this policy will be updated before activation) Anonymised behavioural and usage data; no personal identifiers Global (Google LLC)
Installer-configured webhook endpoints (Enterprise plan) Transmission of quotation and customer data to third-party CRM or business systems configured by the installer subscriber. Caolú acts as a technical conduit only — the installer is the Data Controller for this data flow. Customer name, email, phone, property address, Eircode, MPRN, system specification, SEAI grant eligibility, GDPR consent record, rep and company identifiers Determined by the installer subscriber. May be located inside or outside the EEA. The installer is responsible for ensuring appropriate transfer safeguards are in place where data is transmitted outside the EEA.
Anthropic PBC (Claude)
Privacy policy ↗		 AI-assisted software development tooling used internally by Caolú engineering to author, review and debug the Caolú codebase. No Personal Data about end users or installer customers is ever intentionally transmitted to this processor — see the "AI-Assisted Development & Tooling" section below for the full data-minimisation policy. Source code, bug reports, technical configuration, and anonymised or synthetic test data only. Under no circumstances is real customer Personal Data (names, addresses, eircodes, MPRNs, phone numbers, email addresses, GDPR consent records or saved quotations) shared with this processor. United States — transfers governed by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable

Sub-Processor Change Procedure

We will provide all active subscribers with no less than fourteen (14) days' advance written notice via email before engaging any new sub-processor or replacing an existing sub-processor. Subscribers may object to the appointment of a new sub-processor on reasonable grounds relating to the protection of Personal Data within fourteen (14) days of receiving the notification. Where a subscriber objects and Caolú cannot reasonably accommodate the objection, either party may terminate the affected Services upon thirty (30) days' written notice without penalty.

AI-Assisted Development & Tooling

Caolú's engineering team uses AI coding assistants — currently Anthropic's Claude (including the Claude Code command-line tool) — to help author, review, and debug the Caolú platform source code. We disclose this openly because it affects how we handle your data during development.

Our absolute rule is that no real end-user or customer Personal Data is ever shared with these AI tools. We enforce this through the following controls, which are documented in full in our internal Claude Workflow Data Minimisation Policy and summarised in our Security Overview:

  • Synthetic data only. All development and testing sessions use anonymised or fabricated records (fake customer names, dummy eircodes, placeholder MPRNs, invented phone numbers). Production data is never copied into a development prompt.
  • Source-code scope only. The AI tool may read and modify the Caolú codebase (HTML, JavaScript, SQL migrations, configuration) and general technical documentation. It is not granted read access to the live production Supabase database containing real customer rows.
  • No exported customer data in prompts. Exported quotations, CSV downloads, saved configurations, webhook payloads, or screenshots containing real customer identifiers must not be pasted into an AI prompt. Engineers must redact or substitute before sharing.
  • Restricted Supabase access. Where the Supabase Model Context Protocol (MCP) integration is used, it is scoped to schema inspection, non-sensitive tables, and read-only operations against a development or sanitised snapshot where possible.
  • Separation from runtime. The AI tool is used only by Caolú engineering during development. It is not embedded into the Caolú product and does not process any subscriber or customer data at runtime.

Controller acknowledgement & Article 28 status. We recognise that GDPR Article 28 requires a written Data Processing Agreement ("DPA") with any processor of Personal Data on our behalf. Anthropic's DPA with Standard Contractual Clauses is automatically incorporated into Anthropic's Commercial Terms of Service (which apply to Claude Team, Claude Enterprise, and the Claude API). Because we operate on commercial terms where a DPA applies — or, where we use plans governed by Anthropic's Consumer Terms, we do not transmit any Personal Data to the tool at all, so Article 28 is not engaged — we remain compliant on both routes. If our posture changes (for example if we begin processing Personal Data through any AI tool), we will update this Privacy Policy and notify subscribers under the Sub-Processor Change Procedure above.

Subscribers and data subjects who have questions about our use of AI development tooling may contact us via the details in the Contact Us section.

6

International Data Transfers

We store and process your data primarily within the European Economic Area (EEA). Our primary infrastructure provider (Supabase) operates on AWS EU West servers located in Ireland. Our billing provider (Stripe) operates as Stripe Ireland Limited, an EU entity.

Google Maps Platform and Google Analytics (when activated) involve transfers of data to Google LLC in the United States. These transfers are carried out under Google's Standard Contractual Clauses (SCCs) approved by the European Commission, which provide an appropriate level of protection for your personal data.

Zoho Corporation operates data centres within the EU. Data processed through Zoho Mail and Zoho CRM is stored in their EU region. Zoho's compliance with GDPR is documented in their Data Processing Addendum, which we have in place.

Whenever your data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions, as required by Chapter V of the GDPR.

Webhook integrations (Enterprise plan): Where an Enterprise subscriber configures a webhook endpoint that transmits customer or quotation data to a system located outside the EEA, Caolú acts solely as a technical conduit. The subscriber, as Data Controller for that data flow, is solely responsible for ensuring that appropriate transfer safeguards — such as Standard Contractual Clauses or an adequacy decision — are in place for the destination system. Caolú does not assess, verify, or warrant the data protection compliance of subscriber-configured webhook endpoints.

7

Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. You can exercise any of these rights by contacting us at [email protected]. We will respond within 30 days (or sooner where possible).

Self-service for sales reps (Teams & Enterprise plans): If you are a sales rep whose employer uses the Caolú Manager Dashboard, you can exercise your right of access (Article 15) and your right to data portability (Article 20) immediately and without contacting us — open your profile dropdown and click "My Data & Privacy". The screen shows your profile, your own performance metrics for the last 90 days, your deal pipeline status, and an access log of every time a manager has clicked "Reveal names" in the dashboard. You can export the whole file as JSON with one click. This is the fastest way to see exactly what Caolú holds about you.

Right of Access

You can request a copy of all personal data we hold about you, along with information about how we use it.

Right to Rectification

You can ask us to correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure

You can request that we delete your personal data. We will comply unless we have an overriding legal obligation to retain it (e.g. tax records).

Right to Restrict Processing

You can ask us to pause processing of your data in certain circumstances, such as while a complaint is being investigated.

Right to Data Portability

You can request your personal data in a structured, machine-readable format (JSON or CSV) for transfer to another service.

Right to Object

You can object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling grounds that override your rights.

Right to Withdraw Consent

Where processing is based on your consent (e.g. optional fields, future analytics), you can withdraw consent at any time without affecting prior processing.

Right to Lodge a Complaint

If you are unhappy with how we handle your data, you have the right to complain to the Data Protection Commission (Ireland's supervisory authority).

To contact Ireland's Data Protection Commission: www.dataprotection.ie — Lo Call: 1800 437 737.

8

Cookies & Local Storage

Our platform uses browser local storage (not traditional cookies) to maintain your login session. Specifically, when you sign in to account.caolu.ie or app.caolu.ie, your authentication session token is stored in your browser's local storage under the key caolu_sess. This is essential for keeping you signed in between pages and sessions.

This use of local storage is strictly necessary for the platform to function and does not require consent under the ePrivacy Regulations (SI No. 336 of 2011). No tracking or advertising cookies are used at present.

You can clear your local storage at any time through your browser settings, which will sign you out of the platform. This will not affect your account or subscription.

Where webhook integrations are used (Enterprise plan), data is transmitted server-side or via a direct network request from the application. No additional data is written to browser local storage or cookies as part of the webhook feature.

When we activate Google Analytics in the future, we will display a cookie consent notice and will not activate analytics tracking until you have given explicit consent.

9

How We Protect Your Data

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at rest: Your data is stored on Supabase, which encrypts all data at rest using AES-256.
  • Password hashing: Passwords are stored as bcrypt hashes. We never store or transmit plaintext passwords.
  • Access control: Row-Level Security (RLS) policies in our database ensure users can only access their own data. Team members can only access data belonging to their company.
  • No card data: We never handle card numbers, CVV codes, or bank details used for payment. All payment data is processed directly by Stripe.
  • EU-based infrastructure: Our primary database and authentication systems operate within Ireland (AWS eu-west-1), keeping your data within the EU.
  • Minimal access: Only authorised Caolú personnel have administrative access to production systems, and only where necessary to provide support or maintain the service.
  • Session management: Automated session timeout after 30 minutes of inactivity with re-authentication required. Users receive a visual warning at 25 minutes with the option to extend their session.
  • Audit logging: Security-relevant events are logged including authentication, data access, configuration changes, session timeouts, and project status changes.
  • Role-based database enforcement: Company-wide settings (brand, webhook, payment configuration) can only be modified by users with the manager or admin role, enforced at the database level via Row-Level Security policies.

For comprehensive details of our security measures, infrastructure, and compliance roadmap, visit our dedicated Security page.

Manager Dashboard & Rep Performance Monitoring

For Teams and Enterprise subscribers who enable the Manager Dashboard, Caolú applies a privacy-by-design posture to team performance visibility. The following controls operate automatically and cannot be disabled by managers:

  • Pseudonymous by default. Rep cards in the Manager Dashboard display as "Rep A", "Rep B", "Rep C" etc. Real names do not appear unless a manager explicitly clicks "Reveal names" and confirms a consent dialog.
  • Audit-logged identity reveals. Every click of "Reveal names" is recorded in the audit trail with the manager's identity, the period being viewed, and a timestamp. Reps can see these records themselves in their "My Data & Privacy" screen.
  • Time-bounded reveals. After a reveal, real names auto-hide again after 30 minutes or when the manager closes the dashboard, whichever is sooner. The next dashboard session starts pseudonymous again.
  • No automated scoring or evaluative labels. Caolú does not compute composite scores, tier labels, or automated performance judgements. Managers see raw numerical metrics (assessments, PDF rate, battery attach rate, average system size) and form their own opinions. Article 22 of the GDPR (automated individual decision-making) is not engaged because no automated decision is made.
  • No in-app coaching notes. Caolú does not provide a free-text coaching-notes feature. Managers record coaching conversations in their own HR system. This keeps evaluative commentary out of Caolú's scope entirely.
  • Team-level alerts only. Where the Manager Dashboard surfaces an "alert" (for example, low team battery attach rate), the alert is always about team-wide patterns and never names an individual rep.
  • 90-day individual retention ceiling. Individual-level rep performance data is automatically anonymised after 90 days by a nightly scheduled job. After anonymisation, the data still contributes to team aggregates but cannot be linked back to a specific rep.
  • Rep-facing "My Data & Privacy" screen. Every rep can open a first-class self-service view of everything Caolú holds about them — profile, metrics, pipeline status, access log of manager name-reveals, retention policy — and export it as JSON. This is built directly into the product.
  • Rate limiting and access logging. Every call to the Manager Dashboard is scoped by server-side access controls that verify the caller is a manager of the same company before any data is returned.

We publish the full Manager Dashboard privacy architecture at our Security page. If you are a sales rep and have a concern about how your manager is using the dashboard, you can contact us at [email protected] and we will work with your employer (the Data Controller) to address the concern.

Breach Notification

In the event of a Personal Data Breach affecting subscriber or customer data:

  • Caolú will notify affected subscribers within twenty-four (24) hours of confirmed breach detection
  • Caolú will notify the Data Protection Commission within seventy-two (72) hours as required by GDPR Article 33
  • Caolú will communicate the breach to affected Data Subjects without undue delay where required by GDPR Article 34
  • Notification will include: nature and scope of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to mitigate the breach

Data Processing Agreement

Where Caolú acts as a Data Processor on behalf of a subscriber (the Data Controller), the processing is governed by our Data Processing Agreement (DPA). The DPA sets out the obligations of each party regarding the processing of personal data, including: security measures, sub-processor management, breach notification procedures, audit rights, data deletion on termination, and liability. Enterprise subscribers may request a countersigned copy of the DPA by contacting [email protected].

10

Children

The Caolú platform is a professional business-to-business tool intended exclusively for use by SEAI-registered solar installers and their employed team members. It is not directed at or intended for use by anyone under the age of 18.

We do not knowingly collect personal data from individuals under 18 years of age. If you believe a minor has provided us with personal data without appropriate consent, please contact us at [email protected] and we will take steps to delete that information promptly.

11

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Display a notice within the account management portal (account.caolu.ie) on your next login
  • Send an email notification to all active subscribers if the changes are significant

Your continued use of the platform after changes take effect constitutes acceptance of the revised policy. If you do not agree with any changes, you have the right to close your account and request deletion of your data.

12

Contact Us & How to Complain

If you have any questions about this Privacy Policy, wish to exercise a data subject right, or have a concern about how we handle your data, please contact our data protection point of contact:

Data Protection — Caolú Consultants

CRO No. 783041 · Republic of Ireland · Company details

Email [email protected]

We will acknowledge your request within 3 working days and respond in full within 30 days. If your request is complex or you have submitted multiple requests, we may extend this period by a further two months, in which case we will notify you.

If you are not satisfied with our response, or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Data Protection Commission of Ireland, which is the relevant supervisory authority:

  • Website: www.dataprotection.ie
  • Phone (Lo Call): 1800 437 737
  • International phone: +353 (0)761 104 800
  • Email: [email protected]
  • Post: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

You also hav