# Privacy & GDPR Compliance

As of: 25 October 2025
Version: 1.0
Purpose: Data Protection Architecture
## CORE PRINCIPLE

"Data stays on Pi, only insights leave."

```text
┌──────────────────────────────────────────────┐
│      USER'S RASPBERRY PI (ON-PREMISES)       │
├──────────────────────────────────────────────┤
│  ✓ Solar Production Data (Raw)               │
│  ✓ Battery State (Real-time)                 │
│  ✓ Inverter Stats (Historical)               │
│  ✓ Grid Provider Invoices (PDF/Excel)        │
│  ✓ User Settings (Preferences)               │
│                                              │
│  Encryption: AES-256                         │
│  Access:     Local Network Only              │
│  Backup:     User-controlled                 │
└──────────────────────────────────────────────┘
                      │
                      │ Aggregated Metadata Only
                      │ (Anonymous, Opt-in)
                      ▼
┌──────────────────────────────────────────────┐
│   CLOUD (KI-ANALYSE SERVICE = AI analysis)   │
├──────────────────────────────────────────────┤
│  ✗ NO Raw Data                               │
│  ✓ Aggregated Stats (e.g. "kWh avg")         │
│  ✓ Anonymized Patterns (no PII)              │
│  ✓ Invoice OCR (processed, not stored)       │
│                                              │
│  GDPR:      Art. 6(1)(b) - Contract          │
│  Retention: 30 days max                      │
│  Deletion:  On-demand                        │
└──────────────────────────────────────────────┘
```
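The boundary in the diagram is only as good as the code that builds the upload. The following is an added example, not the project's own uploader: it turns constructed raw Pi records (per-sample production readings and an OCR'd invoice that still carries the customer's name, address and line items) into the "insights only" payload, using an allowlist of invoice fields and a final PII check that fails closed. The field names, record layout and sample values are assumptions made for illustration.

```python
# Added example (not the project's code): build the payload that crosses the
# Pi -> cloud boundary. Field names, record layout and sample data are
# constructed assumptions for illustration.
from collections import defaultdict
from typing import Any

# Allowlist, not denylist: a field that is not named here never leaves the Pi,
# even if a future version of the OCR step starts extracting it.
INVOICE_ALLOWED_FIELDS = {"period", "provider", "total_eur", "total_kwh"}

# Key fragments that mark data which must stay local (constructed list).
PII_MARKERS = ("name", "address", "email", "line_items", "serial")

# Constructed sample of what lives on the Pi.
RAW_PRODUCTION = [
    {"ts": "2025-09-01T12:00:00", "kwh": 3.2, "inverter_serial": "INV-00042"},
    {"ts": "2025-09-15T12:00:00", "kwh": 2.8, "inverter_serial": "INV-00042"},
    {"ts": "2025-10-01T12:00:00", "kwh": 1.9, "inverter_serial": "INV-00042"},
]
RAW_INVOICE = {
    "period": "2025-09",
    "provider": "Example Grid AG",
    "total_eur": 87.50,
    "total_kwh": 310.0,
    "customer_name": "Erika Mustermann",              # PII: stays on the Pi
    "customer_address": "Musterstraße 1, Berlin",     # PII: stays on the Pi
    "line_items": [{"desc": "Grundpreis", "eur": 12.0}],  # stays on the Pi
}


def aggregate_monthly_kwh(samples: list) -> dict:
    """Collapse per-sample readings into kWh per calendar month.

    Only the month key and the summed kWh survive; timestamps and device
    serials are dropped, so no per-reading or per-device pattern leaves.
    """
    totals = defaultdict(float)
    for sample in samples:
        totals[sample["ts"][:7]] += float(sample["kwh"])
    return {month: round(kwh, 3) for month, kwh in sorted(totals.items())}


def invoice_metadata(invoice: dict) -> dict:
    """Keep only allowlisted invoice fields (period, provider, totals)."""
    return {k: invoice[k] for k in sorted(INVOICE_ALLOWED_FIELDS) if k in invoice}


def find_pii_paths(obj: Any, path: str = "$") -> list:
    """Return JSON-style paths of every key that looks like PII (empty = clean)."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if any(marker in key.lower() for marker in PII_MARKERS):
                hits.append(f"{path}.{key}")
            hits.extend(find_pii_paths(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_pii_paths(value, f"{path}[{i}]"))
    return hits


def build_cloud_payload(samples: list, invoice: dict) -> dict:
    """The only object the uploader may send; raises instead of leaking."""
    payload = {
        "monthly_kwh": aggregate_monthly_kwh(samples),
        "invoice": invoice_metadata(invoice),
    }
    leaks = find_pii_paths(payload)
    if leaks:
        raise ValueError(f"PII must not leave the Pi: {leaks}")
    return payload


if __name__ == "__main__":
    import json
    print(json.dumps(build_cloud_payload(RAW_PRODUCTION, RAW_INVOICE), indent=2))
```

The allowlist does the real work; the `find_pii_paths` pass is a second, independent guard so that a mistake in the allowlist (or a new field added upstream) is caught before the request is sent rather than discovered in a breach review.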
## GDPR COMPLIANCE CHECKLIST

### Article 5 - Data Processing Principles

| Principle | Implementation | Status |
|---|---|---|
| Lawfulness | User consent + Contract | ✅ |
| Purpose Limitation | Only for the KI-Analyse (AI analysis) service | ✅ |
| Data Minimization | Only aggregated metadata | ✅ |
| Accuracy | User reviews before upload | ✅ |
| Storage Limitation | 30 days cloud, forever local | ✅ |
| Integrity | AES-256 encryption | ✅ |
| Accountability | Audit logs + DPA | ✅ |
### Article 6 - Legal Basis

1. Contract (Art. 6(1)(b)):
   - KI-Analyse Service = contract with the user
   - Processing necessary for service delivery
   - User buys analysis → we process data
2. Consent (Art. 6(1)(a)):
   - Optional telemetry (system stats)
   - Newsletter subscription
   - Community data sharing
   - Explicit opt-in required
3. Legitimate Interest (Art. 6(1)(f)):
   - Fraud detection (license verification)
   - Security monitoring (anomaly detection)
   - Product improvement (crash reports)
   - Balancing test passed
### Article 7 - Consent

Implementation:

```jsonc
// First-Run Setup (Pi Image)
{
  "consent": {
    "ki_analysis": {
      "required": true, // For service
      "description": "Upload aggregated data for KI invoice verification",
      "legal_basis": "Contract (GDPR Art. 6(1)(b))"
    },
    "telemetry": {
      "required": false, // Optional
      "description": "Send anonymous system stats for product improvement",
      "legal_basis": "Consent (GDPR Art. 6(1)(a))",
      "opt_in": false // Default: disabled
    },
    "data_sharing": {
      "required": false,
      "description": "Share anonymized data with community (research)",
      "legal_basis": "Consent (GDPR Art. 6(1)(a))",
      "opt_in": false
    }
  }
}
```
User Controls:
- Settings → Privacy → Manage Consent
- Withdraw consent anytime (Grafana UI)
- Automatic data deletion after withdrawal
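The consent configuration above encodes three invariants that are easy to break in a later edit: a purpose that is `required` must rest on the contract basis, a consent-based purpose must never default to on, and withdrawing consent must trigger local cleanup. The following is an added example, not the project's setup code: it checks those invariants over a copy of the same configuration and models withdrawal with an append-only consent history. The `ConsentStore` class and the `CLEANUP_ON_WITHDRAW` action names are constructed assumptions.

```python
# Added example (not the project's code): enforce the Art. 7 rules the consent
# config relies on, and model consent withdrawal. ConsentStore and the cleanup
# action names are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Mirrors the "consent" object of the first-run setup JSON.
CONSENT_CONFIG = {
    "ki_analysis": {"required": True, "legal_basis": "Contract (GDPR Art. 6(1)(b))"},
    "telemetry": {"required": False, "legal_basis": "Consent (GDPR Art. 6(1)(a))", "opt_in": False},
    "data_sharing": {"required": False, "legal_basis": "Consent (GDPR Art. 6(1)(a))", "opt_in": False},
}

# Constructed: what "automatic data deletion after withdrawal" means per purpose.
CLEANUP_ON_WITHDRAW = {
    "telemetry": ["delete_telemetry_history", "stop_telemetry_uploads"],
    "data_sharing": ["delete_shared_datasets", "stop_community_exports"],
}


def validate_consent_config(cfg: dict) -> list:
    """Return policy violations; an empty list means the config is sound."""
    problems = []
    for key, item in cfg.items():
        basis = item.get("legal_basis", "")
        if item.get("required"):
            if not basis.startswith("Contract"):
                problems.append(f"{key}: required purposes need a contract basis, not '{basis}'")
        elif basis.startswith("Consent"):
            # Art. 7: consent is an explicit opt-in, so it can never default to on.
            if item.get("opt_in", False):
                problems.append(f"{key}: consent-based purpose must default to opt_in=false")
        else:
            problems.append(f"{key}: optional purpose without a consent basis ('{basis}')")
    return problems


@dataclass
class ConsentStore:
    """Current choices plus an append-only history (the consent log)."""
    choices: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

    def record(self, key: str, granted: bool, when: Optional[datetime] = None) -> None:
        when = when or datetime.now(timezone.utc)
        self.choices[key] = granted
        self.history.append((when.isoformat(), key, granted))

    def withdraw(self, key: str) -> list:
        """Withdraw a consent-based purpose; returns the cleanup actions to run."""
        item = CONSENT_CONFIG[key]
        if item["required"]:
            # A contract-based purpose is not 'withdrawn'; that is the Art. 17 erasure flow.
            raise ValueError(f"{key} is contract-based; use the erasure flow instead")
        self.record(key, False)
        return CLEANUP_ON_WITHDRAW.get(key, [])


def first_run_defaults(cfg: dict) -> ConsentStore:
    """Initial state straight from the config: required on, everything else off."""
    store = ConsentStore()
    for key, item in cfg.items():
        store.record(key, bool(item.get("required")) or bool(item.get("opt_in", False)))
    return store
```

Run `validate_consent_config` at image build time and fail the build on any finding; the history list is what the Art. 15 access request later returns as `consent_history`.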
### Article 13/14 - Information to Data Subjects

Privacy Notice (Displayed at Setup):

```text
═══════════════════════════════════════════════════
            DATA PROTECTION INFORMATION
═══════════════════════════════════════════════════

Controller:
  SolarLog GmbH
  Musterstraße 123, 12345 Berlin, Germany
  Email: privacy@solarlog.io
  DPO:   dpo@solarlog.io

Purpose of Processing:
  - KI-Analyse: Invoice verification service
  - Telemetry: Product improvement (optional)
  - Security: Fraud detection

Data Processed:
  ✅ Local (on your Pi):
     - Solar production data (kWh)
     - Battery state (%, kWh)
     - Inverter stats (V, A, W)
     - Grid invoices (PDF/Excel)
  ⚠️ Cloud (only if you use the KI service):
     - Aggregated kWh per month
     - Invoice metadata (date, provider, total)
     - NO raw data, NO personal info

Retention:
  - Local: Forever (user-controlled)
  - Cloud: 30 days max, then deleted

Your Rights:
  - Access (Art. 15)
  - Rectification (Art. 16)
  - Erasure (Art. 17)
  - Portability (Art. 20)
  - Objection (Art. 21)

Contact: privacy@solarlog.io
═══════════════════════════════════════════════════

☐ I agree to process my data for the KI-Analyse Service
☐ I agree to optional telemetry (recommended)

[Continue Setup]   [Read Full Privacy Policy]
```
### Article 15-22 - Data Subject Rights

Implementation:

```python
# Backend API: /api/v1/privacy/
# get_user_profile, delete_cloud_data, create_zip_download and the other
# data-layer helpers called below are the project's own functions, defined
# elsewhere in the backend.
from typing import Optional

from fastapi import FastAPI, HTTPException
from fastapi.responses import JSONResponse

app = FastAPI()

# Every handler acts on user_id. It must be the identity of the authenticated
# caller (the JWT subject), never a free-form request field, or one user could
# read, alter or erase another user's data through these endpoints.


@app.post("/privacy/access")
async def access_request(user_id: str, email: str):
    """Art. 15 - Right to Access"""
    # Generate ZIP with all user data
    data = {
        "user_profile": get_user_profile(user_id),
        "ki_analyses": get_all_analyses(user_id),
        "consent_history": get_consent_log(user_id),
        "cloud_data": get_cloud_metadata(user_id),
    }
    return create_zip_download(data, f"solarlog_data_{user_id}.zip")


@app.post("/privacy/rectification")
async def rectify_data(user_id: str, corrections: dict):
    """Art. 16 - Right to Rectification"""
    # Update incorrect data
    update_user_data(user_id, corrections)
    log_audit("rectification", user_id, corrections)
    return {"status": "updated"}


@app.post("/privacy/erasure")
async def delete_account(user_id: str, reason: Optional[str] = None):
    """Art. 17 - Right to Erasure (Right to be Forgotten)"""
    # Delete cloud data
    delete_cloud_data(user_id)
    delete_analyses(user_id)
    anonymize_audit_logs(user_id)
    # Keep license on blockchain (immutable)
    # But mark as "deleted" in metadata
    log_audit("erasure", user_id, reason)
    return {"status": "deleted", "note": "Blockchain licenses remain (immutable)"}


@app.post("/privacy/portability")
async def export_data(user_id: str, format: str = "json"):
    """Art. 20 - Right to Data Portability"""
    # Export in machine-readable format
    data = get_all_user_data(user_id)
    if format == "json":
        return JSONResponse(data)
    elif format == "csv":
        return create_csv(data)
    elif format == "xml":
        return create_xml(data)
    # Unknown format: reject explicitly instead of falling through to an empty 200
    raise HTTPException(status_code=400, detail=f"unsupported format: {format}")


@app.post("/privacy/object")
async def object_processing(user_id: str, objection: str):
    """Art. 21 - Right to Object"""
    # Stop non-essential processing
    disable_telemetry(user_id)
    disable_data_sharing(user_id)
    log_audit("objection", user_id, objection)
    return {"status": "processing_stopped"}


@app.post("/privacy/restrict")
async def restrict_processing(user_id: str, reason: str):
    """Art. 18 - Right to Restriction"""
    # Temporarily stop processing (e.g. during a dispute)
    set_restriction(user_id, reason)
    pause_ki_analyses(user_id)
    log_audit("restriction", user_id, reason)
    return {"status": "restricted"}
```
### Article 25 - Data Protection by Design

Privacy-First Architecture:

1. Local-First Design:
   - All data stored on the user's Pi (edge computing)
   - No cloud dependency for core functionality
   - Offline-capable (Grafana, Monitoring)
2. Encryption Everywhere:
   - At Rest: AES-256 (PostgreSQL TDE)
   - In Transit: TLS 1.3 (HTTPS, WSS)
   - Backups: GPG-encrypted
3. Minimal Data Collection:
   - Cloud receives ONLY aggregated metadata
   - No PII (name, address, email) in analytics
   - Anonymized invoice data (no line items)
4. Pseudonymization:
   - User ID: UUID (not email/name)
   - Device ID: SHA-256 hash of MAC
   - IP Address: Not logged
5. Access Control:
   - Local Network Only (firewall)
   - API Auth: JWT tokens (30 min expiry)
   - Admin UI: 2FA required
6. Logging & Audit:
   - Audit log for all data access
   - Retention: 1 year (compliance)
   - Immutable (write-only)
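Items 4 and 6 interact with the erasure endpoint in a way that deserves a concrete design. An immutable, write-only audit log cannot be rewritten to anonymize a user, and a bare SHA-256 of a MAC address is weak pseudonymization because the input space is small enough to enumerate. The following added example, which is not the project's logging code, shows one way to reconcile both: audit entries are hash-chained so tampering is detectable, the subject field holds a keyed (HMAC) pseudonym rather than the user ID, and erasure deletes the user's key (crypto-shredding) so existing entries stay intact but no longer link to anyone. The `KeyStore`, the entry layout and the `pseudonymize_device` helper are assumptions for illustration.

```python
# Added example (not the project's code): append-only hash-chained audit log
# with HMAC pseudonyms and erasure by key deletion. KeyStore, the entry layout
# and pseudonymize_device are constructed assumptions.
import hashlib
import hmac
import json
import secrets
from typing import Optional

GENESIS = "0" * 64  # previous-hash value of the first entry


def pseudonymize_device(mac: str, key: bytes) -> str:
    """Keyed device pseudonym. A plain SHA-256 of a MAC can be reversed by
    enumerating the small MAC space; with a secret key that is not possible."""
    normalized = mac.lower().replace("-", ":")
    return hmac.new(key, normalized.encode(), hashlib.sha256).hexdigest()


class KeyStore:
    """Per-user pseudonymization keys. Deleting a key is the erasure step."""

    def __init__(self) -> None:
        self._keys = {}

    def key_for(self, user_id: str) -> bytes:
        return self._keys.setdefault(user_id, secrets.token_bytes(32))

    def shred(self, user_id: str) -> bool:
        """Forget the key; entries written with it can no longer be linked back."""
        return self._keys.pop(user_id, None) is not None

    def pseudonym(self, user_id: str) -> str:
        return hmac.new(self.key_for(user_id), user_id.encode(), hashlib.sha256).hexdigest()[:32]


class AuditLog:
    """Write-only: entries are only appended, each sealed over the previous hash."""

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        material = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(material.encode()).hexdigest()

    def append(self, action: str, subject: str, detail: Optional[str] = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "action": action, "subject": subject,
                 "detail": detail, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is unmodified and the chain is unbroken."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return False
            prev = entry["hash"]
        return True


def log_user_action(log: AuditLog, keys: KeyStore, user_id: str,
                    action: str, detail: Optional[str] = None) -> dict:
    """Log with the pseudonym; the raw user ID never enters the log."""
    return log.append(action, keys.pseudonym(user_id), detail)


def erase_user(log: AuditLog, keys: KeyStore, user_id: str) -> str:
    """Art. 17: record the erasure, then shred the key. Entries remain, unlinked."""
    pseud = keys.pseudonym(user_id)
    log.append("erasure", pseud)
    keys.shred(user_id)
    return pseud
```

With this layout the 1-year retention and the write-only property both survive an erasure request, and a verifier can still walk the chain; what is lost is exactly the link from log entries to a person. The pseudonymization keys must be stored apart from the log and backed up with the same care as the log itself, otherwise key loss, not erasure, is what unlinks the entries.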
### Article 28 - Data Processing Agreement (DPA)

Third-Party Processors:

OpenAI (GPT-4):
- Purpose: Invoice OCR & Analysis
- Data Shared: Invoice text (no PII)
- Retention: 30 days (OpenAI API policy)
- DPA: ✅ Signed (2024-01-15)
- Location: USA (EU-US Data Privacy Framework)
- Safeguards: Standard Contractual Clauses

Cloudflare:
- Purpose: CDN & DDoS Protection
- Data Shared: Public docs only (no user data)
- Retention: 24 hours (logs)
- DPA: ✅ Signed (via Terms of Service)
- Location: EU (Frankfurt)
- Safeguards: ISO 27001, SOC 2

Arweave:
- Purpose: Immutable Web App Storage
- Data Shared: Public apps (no user data)
- Retention: Forever (blockchain)
- DPA: N/A (public blockchain)
- Location: Decentralized
- Safeguards: No personal data stored

Solana:
- Purpose: License NFTs
- Data Shared: Wallet addresses (public)
- Retention: Forever (blockchain)
- DPA: N/A (public blockchain)
- Location: Decentralized
- Safeguards: Pseudonymous (no KYC)
### Article 30 - Records of Processing

Data Processing Register:

| Activity | Purpose | Categories | Recipients | Transfers | Retention |
|----------|---------|------------|------------|-----------|-----------|
| KI Invoice Verification | Contract | Aggregated kWh, Invoice metadata | OpenAI GPT-4 | USA (SCC) | 30 days |
| Telemetry | Consent (opt-in) | System stats (CPU, RAM, Disk) | Internal analytics | None | 90 days |
| Audit Logs | Legal obligation | User actions, API calls | Internal security | None | 1 year |
| User Accounts | Contract | Email, UUID, License key | None | None | Until deletion |
| Blockchain Licenses | Contract | Wallet address, License UUID | Solana (public) | Decentralized | Forever (immutable) |
### Article 32 - Security of Processing

Technical Measures:

Confidentiality:
- Encryption: AES-256 (data at rest)
- TLS 1.3: All network traffic
- Firewall: iptables (local network only)
- API Auth: JWT with short expiry (30 min)

Integrity:
- Checksums: SHA-256 for firmware
- Code Signing: Binaries signed (GPG)
- Immutable Logs: Write-only audit trail
- Backup Verification: Monthly integrity checks

Availability:
- Uptime: 99.9% target (local Pi)
- Backups: Daily (user-controlled)
- Failover: N/A (single-node by design)
- Recovery: Restore from backup (tested monthly)

Resilience:
- Offline Capable: Core functions work without internet
- Graceful Degradation: KI service fails → manual review
- Rate Limiting: 10 API calls/min (DDoS protection)
- Monitoring: Prometheus alerts (disk full, high CPU)

Testing:
- Penetration Testing: Annual (external)
- Vulnerability Scanning: Weekly (Trivy, OWASP ZAP)
- Incident Response Plan: Documented + tested
- Security Updates: Auto-applied (NixOS)
### Article 33/34 - Data Breach Notification

Incident Response Plan:

Detection:
- Automated Alerts: Prometheus + Grafana
- Anomaly Detection: Unusual API calls
- User Reports: privacy@solarlog.io
- Security Scans: Weekly automated

Assessment (within 24h):
- Severity: Low / Medium / High / Critical
- Scope: How many users affected?
- Data Type: PII? Sensitive? Aggregated?
- Risk: What harm could occur?

Notification (within 72h to DPA):
- If High/Critical severity
- If PII exposed
- Report to: German BfDI (Federal DPA)
- Content: Nature, consequences, measures

User Notification (immediate if high risk):
- Email to affected users
- In-app notification (Grafana banner)
- Public statement (if widespread)
- Remediation steps provided

Remediation:
- Patch vulnerability immediately
- Revoke compromised credentials
- Force password reset (if applicable)
- Forensic analysis
- Update security measures

Documentation:
- Incident Report (internal)
- Root Cause Analysis
- Lessons Learned
- Process Improvements
### Article 35 - Data Protection Impact Assessment (DPIA)

DPIA for KI Invoice Verification:

Processing Description:
- User uploads grid provider invoice (PDF/Excel)
- OCR extracts text (Tesseract + GPT-4)
- Compare with local historical data
- Generate difference report (± kWh, € cost)
- Delete invoice after analysis

Necessity & Proportionality:
- ✅ Necessary: Core service feature (contract)
- ✅ Proportionate: Minimal data (aggregated only)
- ✅ Alternative: Manual comparison (more error-prone)

Risks to Data Subjects:
- ⚠️ Risk 1: Invoice contains PII (name, address)
  - Mitigation: OCR extracts ONLY kWh + € amounts
  - Residual Risk: LOW
- ⚠️ Risk 2: Cloud breach exposes invoices
  - Mitigation: Delete after processing (30 day max)
  - Residual Risk: LOW
- ⚠️ Risk 3: OpenAI stores invoice data
  - Mitigation: DPA signed, 30-day retention
  - Residual Risk: MEDIUM (third-party dependency)

Measures to Address Risks:
- ✅ Data Minimization: Only send kWh + € (no full invoice)
- ✅ Encryption: TLS 1.3 in transit
- ✅ Pseudonymization: User ID = UUID (no email)
- ✅ Access Control: API auth required
- ✅ Audit Logging: All uploads logged
- ✅ User Control: Can delete anytime

Conclusion:
- ✅ DPIA passed
- ✅ Residual risks acceptable
- ✅ Measures sufficient
### Article 37 - Data Protection Officer (DPO)

DPO Appointment (required if >250 employees OR special data):

Current Status: Not required (< 250 employees)

But appointed anyway (best practice):
- Name: [To be hired]
- Email: dpo@solarlog.io
- Phone: +49 30 123456789
- Tasks:
  - Monitor GDPR compliance
  - Conduct DPIAs
  - Train employees
  - Handle data subject requests
  - Liaise with supervisory authority (BfDI)
  - Advise on new features
## INTERNATIONAL DATA TRANSFERS

### EU to USA (OpenAI)

Legal Basis:
- EU-US Data Privacy Framework (DPF)
- OpenAI certified (July 2023)
- Standard Contractual Clauses (SCC) as fallback

Safeguards:
- OpenAI DPA signed
- Data Minimization (no PII sent)
- 30-day retention (OpenAI policy)
- Encryption in transit (TLS 1.3)

Alternative:
- Self-Hosted LLM (Llama 3)
- Run on-premises (user's Pi)
- No international transfer
- Phase 9b implementation option
## PRIVACY DASHBOARD (Grafana)

User-Facing Controls:

```text
Settings → Privacy:

1. Data Overview:
   [Chart]  Local Data: 123 GB (Your Pi)
   [Chart]  Cloud Data: 5 MB (KI Service)
   [Button] Download All Data (GDPR Art. 15)

2. Consent Management:
   [x] KI-Analyse Service (required for service)
   [ ] Telemetry (optional, helps improve product)
   [ ] Community Data Sharing (optional, research)
   [Button] Save Preferences

3. Data Deletion:
   [Button]  Delete All Cloud Data
   [Warning] This will delete KI analysis history
   [Button]  Delete Account (irreversible!)

4. Access Logs:
   [Table] Recent API Calls:
     - 2025-10-25 14:32 | KI Analysis    | Invoice-123.pdf | Success
     - 2025-10-24 09:15 | Dashboard View | -               | Success
   [Button] Export Audit Log

5. Privacy Policy:
   [Link] Full Privacy Notice (PDF)
   [Link] Data Processing Agreement (PDF)
   [Link] Contact DPO (dpo@solarlog.io)
```
## COMPETITIVE ADVANTAGE

Our Privacy vs. Cloud Solutions:

| Aspect | SolarLog (Us) | Traditional Cloud |
|---|---|---|
| Data Location | User's Pi (home) | AWS/Azure (USA) |
| Data Ownership | User 100% | Platform |
| GDPR Compliance | By Design | By Adaptation |
| Surveillance | Impossible | Possible (ToS) |
| Data Portability | Native (local files) | Export request (weeks) |
| Deletion | Instant (user-controlled) | Request (days/weeks) |
| Costs | One-time (€90) | Monthly (€9.99) |
| Trust | High (self-hosted) | Medium (blind trust) |

Marketing Message:

"Your data, your Pi, your control. We're GDPR-compliant because we don't want your data in the first place."
## LEGAL DISCLAIMER

⚠️ IMPORTANT LEGAL NOTICE

This documentation provides guidance on GDPR compliance for the SolarLog project. However:

1. NOT LEGAL ADVICE
   - Consult a qualified data protection lawyer
   - GDPR interpretation varies by jurisdiction
   - Supervisory authorities may have different views
2. IMPLEMENTATION REQUIRED
   - Documentation alone is NOT sufficient
   - Technical measures must be implemented
   - Regular audits and updates necessary
3. ONGOING OBLIGATION
   - GDPR compliance is continuous, not one-time
   - Monitor regulatory changes (EDPB guidelines)
   - Update processes as needed
4. JURISDICTION-SPECIFIC
   - This assumes German/EU law
   - Other countries may have different requirements
   - Check local data protection laws

For questions: privacy@solarlog.io
For legal review: dpo@solarlog.io

See also:
- Revenue Model
- Licensing Strategy
- Blockchain Architecture
- PROJECT_STATUS_ROADMAP.md
- Phase 9b (KI-Analyse)