WeSmart Logo

Privacy Policy

Last updated: October 1, 2025

1. Data controller identification

WeSmart, a public limited company with capital of 3,104,350 euros, whose registered office is located at Avenue Louise 231, 1050 Brussels, Belgium, registered with the Brussels RCS under number BE 0749.518.669, represented by its President Mr. François Bordes.

DPO Contact: privacy@wesmart.com
Phone: +32 (0)2 588 10 80
Address: Avenue Louise 231, 1050 Brussels, Belgium

2. Confidentiality commitment

WeSmart is committed to protecting your privacy and personal data in accordance with the General Data Protection Regulation (GDPR) and applicable national legislation in Belgium, France and Spain.

This policy explains how we collect, use, store and protect your information as part of our energy community management and energy optimization services.

3. Personal data collected

3.1 Identification and contact data

  • Title, last name, first name
  • Complete postal address
  • Professional and personal email address
  • Landline and mobile phone number
  • Function and organization name

3.2 Technical and usage data

  • IP address and geolocation data
  • Browser and device information
  • Connection timestamps and actions performed
  • Activity logs on our platforms
  • Cookies and similar technologies

3.3 Energy and contractual data

  • Energy consumption and production data
  • Energy installation information
  • Contractual data (subscribed offers, billing methods)
  • Transaction and payment history

3.4 Sensitive data

WeSmart does not collect sensitive data within the meaning of Article 9 of the GDPR (racial origin, political opinions, health data, etc.).

4. Processing purposes and legal bases

4.1 Execution of contracted services

  • Legal basis: Contract execution (art. 6.1.b GDPR)
  • Purposes: Provision of Nexgen and EMS platforms, energy community management, energy flow optimization
  • Duration: Contract duration + 3 years (accounting obligations)

4.2 Commercial management and billing

  • Legal basis: Contract execution (art. 6.1.b GDPR)
  • Purposes: Quote establishment, billing, recovery, dispute management
  • Duration: 10 years (commercial prescription)

4.3 Service improvement

  • Legal basis: Legitimate interest (art. 6.1.f GDPR)
  • Purposes: Usage analysis, new feature development, performance optimization
  • Duration: 26 months maximum

4.4 Legal and regulatory compliance

  • Legal basis: Legal obligation (art. 6.1.c GDPR)
  • Purposes: Compliance with accounting, tax and regulatory obligations in the energy sector
  • Duration: Applicable legal durations

4.5 Marketing communication

  • Legal basis: Consent (art. 6.1.a GDPR)
  • Purposes: Newsletter sending, service information, event invitations
  • Duration: Until consent withdrawal

5. Data recipients

5.1 Internal recipients

Data is accessible to WeSmart employees within the scope of their functions: technical, commercial, customer support, accounting teams.

5.2 Sub-contractors and partners

Technical sub-contractors:

  • Data hosts (OVH, AWS) - European Union
  • IT service providers - European Union
  • Maintenance and technical support providers

Commercial partners:

  • Distribution network operators (energy data exchange)
  • Energy suppliers (within energy communities)
  • Financial organizations (for payments)

5.3 Public authorities

Possible transmission to competent authorities in case of legal obligation or judicial requisition.

6. Data transfers outside the European Union

Principle: Data is processed exclusively within the European Union.

Limited exceptions: In case of exceptional use of providers outside the EU, appropriate guarantees are put in place (standard contractual clauses, adequacy decisions).

7. Data security

7.1 Technical measures

  • Data encryption in transit (HTTPS/TLS) and at rest (AES-256)
  • Automated and encrypted backups
  • Role-based access control (RBAC)
  • Continuous system monitoring and anomaly detection

7.2 Organizational measures

  • Regular staff training on data protection
  • Confidentiality clauses in all employment contracts
  • Security incident management procedures
  • Regular security audits

7.3 Breach notification

In case of data breach presenting a risk to your rights and freedoms, you will be informed within 72 hours in accordance with GDPR.

8. Your rights over your personal data

8.1 Right of access (art. 15 GDPR)

You can obtain confirmation that data concerning you is processed and access this data.

8.2 Right to rectification (art. 16 GDPR)

You can request correction of inaccurate data or completion of incomplete data.

8.3 Right to erasure (art. 17 GDPR)

You can request deletion of your data in certain cases (consent withdrawal, unnecessary data, etc.).

8.4 Right to restriction (art. 18 GDPR)

You can request processing limitation in case of dispute or objection.

8.5 Right to data portability (art. 20 GDPR)

You can retrieve your data in a structured format and transmit it to another data controller.

8.6 Right to object (art. 21 GDPR)

You can object to processing for reasons relating to your particular situation.

8.7 Consent withdrawal

You can withdraw your consent at any time for processing based on this legal basis.

8.8 Exercise procedures

To exercise your rights, contact us:

Response within 30 days. ID may be requested to verify your identity.

9. Cookies and similar technologies

9.1 Technical cookies (mandatory)

  • Authentication and security
  • User interface preferences
  • Cart and browsing session

9.2 Analytical cookies (consent)

  • Google Analytics 4 (anonymized data)
  • Audience measurement and UX optimization
  • Retention: 26 months maximum

9.3 Cookie management

You can set your preferences via our consent banner or your browser settings.

10. Minor data

WeSmart does not intentionally collect personal data from minors under 16 years old. If we became aware of such data, it would be immediately deleted.

11. Policy changes

This policy may be updated to reflect legal, technical or service changes. You will be informed of important modifications by email or notification on our platforms.

12. Complaints and appeals

12.1 DPO contact

For any question regarding this policy or exercising your rights:
privacy@wesmart.com

12.2 Supervisory authority

In case of unsatisfactory response, you can contact the competent data protection authority:

Belgium: Data Protection Authority (APD)
Rue de la Presse 35, 1000 Brussels
contact@apd-gba.be

France: National Commission for Information Technology and Civil Liberties (CNIL)
3 Place de Fontenoy, 75007 Paris
https://www.cnil.fr

Spain: Spanish Data Protection Agency (AEPD)
C/ Jorge Juan 6, 28001 Madrid
https://www.aepd.es

13. Additional information

13.1 Impact assessment (DPIA)

Our high-risk processing undergoes impact assessments in accordance with Article 35 of GDPR.

13.2 Detailed retention periods

Data type Retention period Justification
Active customer data Contract duration + 3 years Commercial guarantee
Billing data 10 years Commercial prescription
Technical logs 12 months Security and debugging
Marketing data Until objection Legitimate interest
Analytical cookies 26 months CNIL recommendation

13.3 Contact

WeSmart - Data Protection Service
Avenue Louise 231, 1050 Brussels, Belgium
Email: privacy@wesmart.com
Phone: +32 (0)2 588 10 80

This privacy policy is established in accordance with GDPR and applicable national legislation. It complements our General Terms of Use and Sale.

We use cookies

We use cookies to improve your experience and analyze our traffic. You can choose your preferences below. Learn more