
eXpertConnect™ - App Privacy Policy

SATEC (Australia) Pty Ltd  |  ABN 21 142 640 417  |  Effective 4 March 2026

1. About This Policy

This Privacy Policy explains how SATEC (Australia) Pty Ltd (“SATEC”, “we”, “us”, “our”) collects, uses, discloses and protects your personal information when you use the eXpertConnect™ mobile application (the “App”).

This Policy applies to the App available on Apple App Store (iOS) and Google Play Store (Android). By using the App, you acknowledge that you have read and understood this Policy.

We are committed to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Policy does not limit or exclude any of your rights under the Privacy Act.

This Policy should be read together with:

  • SATEC Core Privacy Policy — our general privacy practices (https://satec-global.com.au/satec-privacy-policy/)
  • Expertpower Platform Privacy Policy — how we handle metering data, platform accounts, and B2B operator relationships (https://www.expertpower.com/our-commitment-to-privacy/)

2. How the App Works — Two Systems

The eXpertConnect™ App connects to two separate systems to deliver your energy data. Understanding this helps you know where your information goes and who is responsible for protecting it.

| System | What It Does | Managed By | Hosted |
| --- | --- | --- | --- |
| eXpertConnect App Backend | Handles login (OTP), push notifications, session management; acts as a secure bridge to fetch energy data from Expertpower | SATEC | Railway, United States |
| Expertpower Platform | Stores and processes all metering data, site information, tariff configurations, and billing data | Expertpower Ltd | Microsoft Azure, Europe |

Why this matters: Your login credentials, push notification preferences, and session data are stored on the App backend (Railway, US). Your energy readings, meter data, and billing information are stored on the Expertpower platform (Azure, Europe). Each system has its own security measures, described in Section 12.

3. What You Can Do With the App

The eXpertConnect™ App allows you to:

  • View electricity usage data from check meters and private meters
  • Monitor energy consumption and demand — data is synced periodically from the Expertpower platform and cached locally for up to 24 hours; it is not a live feed
  • Receive push notifications for peak pricing alerts and high usage warnings
  • View indicative billing information and tariff schedules, where enabled by your operator
  • Manage your notification preferences and push notification subscriptions
  • View temperature and usage correlation – see how daily temperatures affect your energy consumption, with personalised insights based on your site’s historical data.

Important: The App displays the same data available on the Expertpower web portal. Energy data shown in the App is periodically synchronised — it reflects the most recent data available from your meters, not a live stream.

4. App Permissions

The App requests a limited set of device permissions. Here is exactly what we ask for and why:

| Permission | Why We Need It | Can You Decline? |
| --- | --- | --- |
| Internet Access | Required to connect to the App backend and Expertpower platform, authenticate your login, and fetch your energy data | No — the App cannot function without internet |
| Push Notifications | To send you alerts about peak pricing, high energy usage, and other notifications you subscribe to | Yes — you can decline or disable at any time in your device settings |

Permissions We Do NOT Request

The App does not request or use any of the following:

  • Location — we do not access GPS, Wi-Fi location, or any location data
  • Camera or Microphone — never requested
  • Contacts, Calendar, or Phone — never requested
  • Storage / Files — we do not access files on your device beyond the App’s own sandboxed storage
  • Bluetooth or NFC — never requested
  • Background Location — never requested
  • Advertising ID — we do not use advertising identifiers or any tracking frameworks

5. Information We Collect

5.1 Account Information

When you use the App, we store:

  • Email address — your login identifier
  • Display name — from your Expertpower account
  • Encrypted Expertpower credentials — your Expertpower username and password, encrypted using AES-256-GCM, stored solely to synchronise your energy data on your behalf

Note: You cannot create an account in the App. Accounts are created through the Expertpower web portal or by your organisation’s administrator.

5.2 Authentication Data

  • One-time passwords (OTPs) — sent to your email for login; hashed using HMAC-SHA256 before storage; we never store the plain-text code
  • Session tokens — access tokens, ID tokens, and refresh tokens used to keep you logged in
  • Login timestamps — when you logged in

5.3 Security & Session Data

To protect your account and prevent abuse, we collect:

  • IP addresses — stored only in hashed (anonymised) form using SHA-256 with a secret pepper. We do not store your raw IP address. Used for rate limiting, session security, and abuse prevention.
  • User agent strings — your device/browser identifier, stored for session binding and security verification
  • Audit logs — records of authentication events (login, logout, OTP requests, failed attempts) with hashed IP addresses and truncated user agent strings

5.4 Energy and Platform Data

The App accesses the following data from the Expertpower platform. This data is stored on the Expertpower platform (Azure, Europe), not on the App backend — the App fetches and displays it:

  • Metering data — energy usage (kWh), demand (kW), voltage, current, power factor, frequency
  • Site information — postcode, meter identifiers
  • Tariff and billing data (where enabled by your operator)
  • Alerts and notifications

For full details, see the Expertpower Platform Privacy Policy at https://www.expertpower.com/our-commitment-to-privacy/.

5.5 Weather Data

To generate temperature and usage correlation insights, the App backend fetches weather data on your behalf:

  • Site coordinates (latitude and longitude) derived from your site’s address (typically a postcode or suburb, sourced from the Expertpower platform or set by your operator). These are approximate location coordinates for the premises, not your personal GPS. The site address string is sent to the Open-Meteo Geocoding API to resolve coordinates.
  • Daily high temperature — fetched from the Open-Meteo weather API using site coordinates and date range. No personal information is sent to Open-Meteo.
  • Weather data is stored on the App backend (Railway, United States) and used solely to power the temperature vs. usage chart and correlation insights. It is stored against the site (not your individual account) and is retained while the site remains in service.

5.6 Device & Technical Data

Collected only to deliver push notifications and maintain app compatibility:

  • Device brand and model (e.g., “Apple iPhone 14 Pro”) — collected when you enable push notifications
  • Device operating system and version
  • App version
  • Expo Push Token — a unique identifier assigned by Expo to route push notifications to your specific device

5.7 Data Cached on Your Device

To improve performance and reduce loading times, the App temporarily stores some data on your device:

  • Recent energy readings and meter data (cached for up to 24 hours, then automatically expired)
  • Tariff information and pricing schedules
  • Your preferences (energy display unit, date format, theme)
  • Push notification history (titles, messages, timestamps)
  • Authentication tokens (stored in your device’s encrypted secure storage — iOS Keychain or Android KeyStore)

How secure is cached data? Authentication tokens are stored in hardware-level encrypted storage. Other cached data is stored in the App’s sandboxed local storage, protected by your device’s own security (passcode, biometrics) but not separately encrypted by the App.

6. Information We Do NOT Collect

  • Location data or GPS coordinates — the App never accesses your location
  • Contacts, photos, camera, or microphone data
  • Biometric data — we do not collect fingerprint or face scan data; your device may use biometrics to unlock the phone, but the App does not access this
  • Advertising identifiers or tracking data — we do not participate in any ad network
  • Analytics or behavioural tracking — we do not use any analytics SDKs, crash reporting SDKs, or third-party tracking tools
  • Health, financial, or government identity data

7. How Login Works

The App uses passwordless email-based authentication. You do not set or store a password for the App itself.

Here is how it works:

  1. You enter your registered email address
  2. We send a one-time password (OTP) to that email
  3. You enter the OTP code in the App to log in

| Measure | Detail |
| --- | --- |
| OTP Codes | Expire after 10 minutes, single-use only, hashed before storage — we cannot read them after generation |
| Access Tokens | Expire after 30 minutes |
| Refresh Tokens | Expire after 30 days. When used, a new one is issued and the old one is immediately revoked (token rotation) |
| Session Binding | Refresh tokens are bound to the originating device (identified by user-agent). If the device changes, the token is rejected. Network/IP is intentionally not enforced so that switching between Wi-Fi and cellular does not force re-authentication. |
| Rate Limiting | Max 3 OTP sends per 15 min per email. Max 5 verification attempts per 10 min. Automatic temporary lockout after excessive failures. |
| Key Rotation | JWT signing keys automatically rotated every 90 days |
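
The OTP controls listed above (HMAC-SHA256 hashing before storage, 10-minute expiry, single use, 5 verification attempts per 10 minutes, 5-minute lockout), sketched as an added example for Node.js; this is not SATEC's code. The `OtpStore` class, the 6-digit code length, binding the digest to the email address, the in-memory maps, and resetting the attempt window when a lockout starts are all assumptions made for illustration.

```javascript
'use strict';
const crypto = require('node:crypto');

// Limits taken from the policy text.
const OTP_TTL_MS = 10 * 60 * 1000;       // OTP expires after 10 minutes
const MAX_VERIFY_ATTEMPTS = 5;           // max 5 verification attempts...
const VERIFY_WINDOW_MS = 10 * 60 * 1000; // ...per 10 minutes
const LOCKOUT_MS = 5 * 60 * 1000;        // 5-minute temporary block

// Hypothetical in-memory store; a real backend would persist these records.
class OtpStore {
  constructor(hmacKey, now = () => Date.now()) {
    this.hmacKey = hmacKey;    // server-side secret, never sent to clients
    this.now = now;            // injectable clock so expiry can be tested
    this.pending = new Map();  // email -> { digest, expiresAt }
    this.attempts = new Map(); // email -> { times, blockedUntil }
  }

  // HMAC-SHA256 over email and code (binding to the email is an assumption).
  digest(email, code) {
    return crypto.createHmac('sha256', this.hmacKey)
      .update(`${email}\n${code}`)
      .digest();
  }

  // Returns the plain code for emailing; only its keyed digest is kept.
  issue(email) {
    const code = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
    this.pending.set(email, {
      digest: this.digest(email, code),
      expiresAt: this.now() + OTP_TTL_MS,
    });
    return code;
  }

  // Returns 'ok', 'invalid', 'expired' or 'locked'.
  verify(email, code) {
    const t = this.now();
    const a = this.attempts.get(email) ?? { times: [], blockedUntil: 0 };
    this.attempts.set(email, a);
    if (t < a.blockedUntil) return 'locked';

    // Sliding window: forget attempts older than the window.
    a.times = a.times.filter((ts) => t - ts < VERIFY_WINDOW_MS);
    if (a.times.length >= MAX_VERIFY_ATTEMPTS) {
      a.blockedUntil = t + LOCKOUT_MS;
      a.times = []; // assumption: a fresh window starts after the block
      return 'locked';
    }
    a.times.push(t);

    const rec = this.pending.get(email);
    if (!rec) return 'invalid';
    if (t >= rec.expiresAt) {
      this.pending.delete(email);
      return 'expired';
    }
    // Constant-time comparison of two 32-byte digests.
    const candidate = this.digest(email, String(code));
    if (!crypto.timingSafeEqual(rec.digest, candidate)) return 'invalid';

    this.pending.delete(email); // single use: a replayed code finds no record
    this.attempts.delete(email);
    return 'ok';
  }
}

// Constructed walk-through: wrong code, correct code, then a replay.
function demo() {
  const store = new OtpStore(crypto.randomBytes(32));
  const email = 'user@example.com'; // constructed sample address
  const code = store.issue(email);
  const wrong = code === '000000' ? '000001' : '000000';
  return [store.verify(email, wrong), store.verify(email, code),
    store.verify(email, code)];
}

console.log(demo());
```

Because the stored value is a keyed digest rather than a plain hash, a copy of the OTP table alone is not enough to brute-force the small 6-digit code space; the HMAC key must also be held.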

8. How We Use Your Information

We use your information only for the following purposes:

| Purpose | What This Means |
| --- | --- |
| Authenticate you | Verify your identity via OTP, create and maintain your login session |
| Display your data | Fetch and show your energy readings, billing, and tariff information from the Expertpower platform |
| Send notifications | Deliver push notifications for peak pricing, high usage alerts, and other subscribed alerts |
| Sync energy data | Periodically connect to the Expertpower platform using your encrypted credentials to retrieve updated meter readings |
| Protect your account | Detect and prevent security threats through audit logging, rate limiting, session monitoring, and abuse detection |
| Legal compliance | Meet our obligations under Australian law |

We do NOT use your data for: advertising, marketing, behavioural profiling, selling to third parties, building user profiles beyond providing the App service, or any form of tracking.

9. Third-Party Services

The App relies on the following third-party services. We only share the minimum data each service needs:

| Service | Role | Data Shared | Location | Privacy Policy URL |
| --- | --- | --- | --- | --- |
| Expertpower Ltd | Meter data platform (Azure) | User accounts, metering data, site data, billing | Europe | microsoft.com/trust-center/privacy |
| Railway | App backend hosting | Accounts, auth data, sessions, push subs | United States | railway.com/legal/privacy |
| Expo (EAS) | Push notifications, OTA updates | Push tokens, device IDs, app version | United States | expo.dev/privacy |
| Google Gmail SMTP | OTP email delivery (Nodemailer) | Email address, OTP code (in transit) | US / Global | policies.google.com/privacy |
| Firebase (FCM) | Push notifications (Android) | Device tokens | United States | firebase.google.com/support/privacy |
| Apple (APNs) | Push notifications (iOS) | Device tokens | United States | apple.com/legal/privacy |
| Open-Meteo | Weather data provider — geocoding (postcode → coordinates) and daily temperature (historical archive & 7-day forecast) | Site coordinates (lat/lon) derived from site postcode. No personal information (no name, email, or account data). | Global (open-source project, EU-based) | open-meteo.com/en/terms |

We do not sell, rent, or share your personal information with any third party for their own marketing or advertising purposes.

10. Where Your Data Is Stored

| What | Where | Managed By |
| --- | --- | --- |
| Login, sessions, push subscriptions, audit logs | United States (Railway) | SATEC |
| Energy readings, meter data, tariffs, billing | Europe — Microsoft Azure | Expertpower Ltd |
| Push notification routing | United States | Expo / Firebase / Apple |
| OTP delivery emails | United States / Global | Google Gmail SMTP |
| Cached energy data, preferences, notification history | Your device only | You |
| Weather data (daily temperatures for your site) | United States (Railway) | SATEC |

Where we disclose personal information to overseas recipients, we take reasonable steps to ensure it is handled in accordance with the Australian Privacy Principles.

11. Data Stored on Your Device

The App stores some data locally on your device to reduce loading times and allow faster access to recently viewed information.

What Is Stored Locally

| Data | How Long | Encryption |
| --- | --- | --- |
| Energy readings and meter data | Up to 24 hours (auto-expires) | Device-level only |
| Tariff and pricing information | Until sign-out or update | Device-level only |
| Preferences (units, theme, date format) | Until sign-out | Device-level only |
| Push notification history | Until sign-out | Device-level only |
| Authentication tokens | Up to 30 days (refresh token life) | Hardware-encrypted (Keychain / KeyStore) |

How to Clear Local Data

  • Sign out — all cached data is automatically cleared
  • Uninstall — all locally stored data is removed from your device
  • Energy data cache expires automatically after 24 hours even if you remain signed in

Before selling, giving away, or recycling your device: Sign out of the App first to ensure all cached data is cleared.

12. How We Protect Your Data

Because the App uses two separate systems (Section 2), each has its own security measures. Here is what protects your data at each layer.

12.1 eXpertConnect App Backend (Railway, United States)

This is the system SATEC directly manages. It handles your login, sessions, and push notifications.

Encryption

  • All communication between the App and our server is encrypted via HTTPS/TLS
  • Expertpower credentials encrypted at rest using AES-256-GCM (authenticated encryption)
  • OTP codes hashed using HMAC-SHA256 before storage — we cannot reverse them
  • IP addresses hashed using SHA-256 with a secret pepper — raw IPs never stored
  • Authentication tokens on your device stored in hardware-encrypted secure storage (iOS Keychain / Android KeyStore)

Authentication & Access Control

  • Passwordless OTP authentication — no password to steal or guess
  • Automatic token rotation on every refresh
  • Session binding — refresh tokens tied to originating device
  • JWT signing keys rotated every 90 days
  • Role-based access control (user vs. administrator)

Abuse Prevention

  • Rate limiting on authentication endpoints (3 OTP sends per 15 min; 5 verify attempts per 10 min)
  • Automatic temporary lockout after excessive failed attempts (5-minute block)
  • IP-based rate limiting across all API endpoints
  • Automatic cleanup of invalid or expired push notification tokens

Monitoring & Hardening

  • Security audit logging of all authentication events (logins, logouts, OTP requests, failures)
  • Sensitive data (passwords, tokens, OTP codes) redacted from all application logs
  • HTTP security headers (Helmet) applied to all server responses
  • CORS whitelist restricts API access to authorised domains only

12.2 Expertpower Platform (Microsoft Azure, Europe)

This system is managed by Expertpower Ltd. It stores your energy readings, metering data, and billing information. SATEC does not directly manage this infrastructure.

Security Standards

  • Designed to meet ISO 27001 information security management requirements
  • Defence-in-depth strategy across five layers: data, application, host, network, and perimeter
  • Annual third-party penetration testing using OWASP Top 10 methodology

Encryption

  • Data at rest: AES-256 with SHA-512
  • Data in transit: TLS 1.2 / HTTPS

Access & Network Controls

  • Role-based access following the principle of least privilege
  • IPsec VPN gateways for secure private connectivity
  • Web Application Firewall (WAF) and network segmentation
  • Perimeter firewalls and session timeout for inactive users

Operations

  • Regular encrypted backups to secure off-site locations
  • Disaster recovery plan
  • Active monitoring and anomaly detection
  • Regular security audits

12.3 Microsoft Azure Infrastructure Commitments

The Expertpower platform runs on Microsoft Azure. Microsoft provides these foundational guarantees:

  • Data ownership — your data belongs to you; Microsoft does not claim ownership of customer data
  • No advertising use — Microsoft does not mine or use customer data for advertising or profiling
  • Encryption by default — AES-256 at rest (FIPS-validated) and TLS in transit
  • Data residency — Azure documents where data is stored and provides regional residency controls
  • Secure deletion — when data is deleted, Microsoft applies secure removal standards and destroys decommissioned storage media
  • Tenant isolation — platform-level isolation prevents cross-customer access

For more detail, see the Microsoft Trust Center (https://www.microsoft.com/en-us/trust-center) and Service Trust Portal (https://servicetrust.microsoft.com/).
For the full Expertpower Platform Privacy Policy, visit https://www.expertpower.com/our-commitment-to-privacy/.

13. Your Rights and Choices

Access and Correction

You can view your profile information within the App. To update your information, contact your organisation’s administrator or SATEC support.

Account Deletion

You can delete your account and personal data at any time, directly from the App. Account deletion is in-app, free, and does not require contacting support.

In the App: Settings -> Account -> Delete Account. You will be asked to confirm the action and to type the phrase DELETE MY ACCOUNT to prevent accidental deletion. Once you confirm, the deletion runs immediately on our backend; you are signed out and your sign-in credentials, profile, and personal data are removed straight away.

 

You can also reach us through the following alternative channels:

– By email: [email protected]

– Online: https://satec-global.com.au/contact/

– Or contact your organisation’s administrator

What Happens When Your Account Is Deleted?

When you delete your account, we remove your identity and personal data, while retaining a limited set of service records that we are required (or legitimately entitled) to keep. The detail is below.

| What is removed | Detail |
| --- | --- |
| Sign-in access | Removed immediately – you can no longer log in to the App. |
| Profile data on the user record | Email address, display name and stored ExpertPower credentials are scrubbed from the user record. |
| Sessions and tokens | All active sessions, refresh tokens and the cached ExpertPower platform session are deleted. |
| Push notifications | All push notification subscriptions for your account are removed. |
| Notification preferences | All notification preference settings are deleted. |
| Device pairing | The links between your account and any assigned meters are removed (the meters themselves remain on the platform for service continuity). |
| Sync state | All synchronisation state, OTP codes, and queued sync metadata for your account are deleted. |
| Data on your device | Cleared automatically as part of the deletion sign-out, and again on app uninstall |
| Reversibility | Deletion is permanent and cannot be reversed. |

If you access the App through an organisation: Metering data may be controlled by your organisation’s Expertpower account. Contact your administrator for deletion of organisational data. SATEC can only delete the data we hold on the App backend.

What We May Retain After Deletion

| What is retained | Why we retain it |
| --- | --- |
| Historical meter readings stored on the App backend | Required for energy retail record-keeping, billing reconciliation, and accurate historical site reporting. After deletion these records remain attached to the meter and site, not to a personally identifiable user. |
| Meter data logs stored on the App backend | Required for reconciliation, fault investigation, and accuracy of historical site data |
| Security audit logs | Retained for security, fraud prevention, and our regulatory obligations. Identifiers in these logs are hashed or pseudonymised; the log entries no longer resolve to your personal identity. |
| Metering, site, tariff and billing data on the Expertpower platform | Controlled by your organisation’s Expertpower account – not in SATEC’s sole control: See Section 14 and the Expertpower Platform Privacy Policy |

Why we keep these records: Australian energy retail and privacy law expects providers to keep accurate consumption history, billing records and security audit trails for a defined period. Apple App Store guideline 5.1.1(v), the Australian Privacy Act 1988, and EU/UK GDPR all recognise this lawful basis for retention. Retained records are detached from your personal identity; they cannot be used to identify or contact you.

Push Notification Preferences

You can manage or disable push notifications at any time through the App’s notification settings or your device’s system settings.

14. Information for Tenants and Residents

If you are a tenant, resident, or occupant using the App to view energy data for your premises:

  • Your embedded network operator or building manager has given you access to the App
  • Your operator controls what data you can see — SATEC provides the technology, but your operator decides what is displayed
  • Indicative billing reflects rates set by your operator, not your retail electricity provider
  • Data relates to your check meter or private meter, which may differ from your retail meter

For privacy questions about how your operator handles your data, contact your operator directly. SATEC processes this data on behalf of your operator — see the Expertpower Platform Privacy Policy for details.

15. App Updates

The App may receive over-the-air (OTA) code updates delivered via Expo’s update service. This means we can deliver bug fixes and minor improvements without you needing to download a new version from the app store.
During an OTA update check, your app version and runtime version are sent to Expo’s servers so the correct update can be delivered.

OTA updates only modify JavaScript code within the App. Changes to native functionality (e.g., new device permissions) will always require a full app store update that you review and approve.

16. Children’s Privacy

The App is not intended for use by children under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at [email protected] and we will promptly delete it.

17. How Long We Keep Your Data

| Data | Retention Period |
| --- | --- |
| Account data (profile, credentials) | Account data (profile, email, credentials) – As long as your account is active. Removed on account deletion (Section 13). |
| Session and authentication data | Auto-expired (access tokens: 30 min, refresh tokens: 30 days). All deleted immediately on account deletion or sign-out. |
| Audit logs | Audit logs (authentication events) – Retained for security, fraud prevention and regulatory purposes. After account deletion, log entries remain but identifiers are hashed or pseudonymised; they no longer resolve to your personal identity. |
| Historical meter readings | Historical meter readings on the App backend – Retained for energy retail record-keeping and billing reconciliation; after account deletion these records remain attached to the meter and site, no longer to a personally identifiable user. |
| Meter data logs | Meter data logs on the App backend – Retained for reconciliation and historical site accuracy. After account deletion, no longer linked to a personally identifiable user. |
| Cached data | Up to 24 hours for energy data; cleared on sign-out, uninstall, or as part of in-app account deletion. |
| Weather data | Stored against the site, not your individual account. Retained while the site remains in service. |

When you delete your account, your personal data is permanently removed from our backend. Service records (meter readings, meter data logs, security audit logs) are retained as described in Section 13, but they are no longer linked to a personally identifiable user. See Section 13 for full details.

18. Contact Us

SATEC (Australia) Pty Ltd

PO Box 82, Mulgoa NSW 2745, Australia
Email: [email protected]

We will acknowledge your enquiry and respond within a reasonable time (usually 30 days).

Complaints

If you are not satisfied with our response to a privacy concern, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
Website: https://www.oaic.gov.au/
Phone: 1300 363 992

19. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements. The updated Policy will be available in the App and on our website.
For material changes (such as new data collection or new third-party services), we will notify you through the App or via email before the changes take effect.

Related Policies

| Policy | Covers | URL |
| --- | --- | --- |
| Core Privacy Policy | General business, website, marketing | https://satec-global.com.au/satec-privacy-policy/ |
| Expertpower Platform Privacy Policy | Web portal, metering data, B2B operators | https://www.expertpower.com/our-commitment-to-privacy/ |
