Version: V1.0
Scope: OSS Platform (PV Intelligent O&M Cloud Platform, hereinafter referred to as "OSS" or "the Platform")
Please read this Policy carefully before using OSS. When you first log in to the Platform, this Policy will be displayed to you via a pop-up window. You may also view the latest version at any time via "Settings → Privacy Policy" within the Platform.
If you are a United Kingdom (UK) user:
Growatt New Energy Technology Limited is the Data Controller of your personal data.
>
Company Registration Number: 08660706
>
Registered Address: Unit 1, The Cromwell Centre, Hainault Business Park, Roebuck Road, Ilford, England, IG6 3UG, UK
If you are a user in Mainland China or any other region:
Shenzhen Growatt New Energy Co., Ltd. is the Data Controller of your personal data.
>
Registered Address: A401, 4-13F, Block A, Sino-German European Industrial Demonstration Park, Hangcheng Avenue, Guxing Community, Xixiang Street, Bao'an District, Shenzhen, China
The development, technical operations, and customer support of OSS are provided by our affiliated companies located around the world. Each affiliated company processes your data as a Data Processor, is bound by a Data Processing Agreement (DPA), and follows the Group's unified data protection standards.
We collect only the information necessary to provide the functions of the OSS Platform, based on the principles of lawfulness, fairness, and necessity. The personal data we collect depends on the specific functions you use. OSS is a B2B PV plant O&M management platform for installers and distributors. We primarily collect data from enterprise administrators and enable you to access end-user device data through the Platform.
Information you actively provide when registering for and using an OSS account:
When you connect PV plant equipment to the OSS Platform for O&M management, we collect the following equipment-related data:
Special Note: The OSS Platform itself does not directly collect personal data from end users (i.e., PV plant owners). However, as an installer/distributor, you may view and manage equipment data of end users associated with you through the OSS Platform.
If you access end-user data through this Platform, you act as an independent Data Controller and must ensure that you have a lawful basis for processing (including but not limited to end-user consent or contractual necessity) and comply with applicable data protection laws. Growatt Group accepts no liability for your data processing activities as an independent Data Controller.
Automatically collected when you use the OSS Platform:
The OSS Platform uses cookies and similar technologies. For detailed information, please see Section 10 "Cookies and Similar Technologies."
To ensure the stable operation of the OSS Platform and to enable you to fully enjoy and use its various functions, OSS integrates SDKs or similar applications from authorized partners. We conduct rigorous security assessments of the APIs and SDKs through which authorized partners obtain relevant information and agree on strict data protection measures with third-party companies, requiring them to process your personal information in accordance with this Privacy Policy and other relevant confidentiality and security measures.
Details of each SDK are as follows:
| No. | SDK Name | Provider | Purpose | Types of Personal Information Collected | Privacy Policy Link |
|---|---|---|---|---|---|
| 1 | Alipay SDK | Ant Group | Payment | Order number, username, SIM card information ID | https://opendocs.alipay.com/open/54/01g6qm |
| 2 | WeChat Pay SDK | Shenzhen Tencent Computer Systems Co., Ltd. | Payment | Order number, username, SIM card information ID | https://pay.weixin.qq.com/index.php/public/apply_sign/protocol_v2 |
The following table sets out each specific purpose for which we process your personal data and its corresponding lawful basis:
| Processing Purpose | Data Involved | Lawful Basis |
|---|---|---|
| Creating and managing your enterprise account | Account data | Contractual Necessity — Performance of the service agreement with you (Art. 6(1)(b)) |
| Providing you with PV plant remote O&M management services | Equipment and product data | Contractual Necessity — Core function of OSS, providing you with real-time equipment data display and management (Art. 6(1)(b)) |
| Equipment fault alarms and remote diagnostics | Equipment operational data, fault/alarm codes | Contractual Necessity — Ensuring normal equipment operation and timely maintenance (Art. 6(1)(b)) |
| Responding to your customer service requests and technical support | Account data, equipment data | Contractual Necessity — Handling your service requests and complaints (Art. 6(1)(b)) |
| Processing payment transactions | Order number, transaction data | Contractual Necessity — Completing payments initiated by you (Art. 6(1)(b)) |
| Improving product functionality and user experience | Technical data, aggregated equipment data (anonymized) | Legitimate Interests — Understanding how users use OSS to continuously improve service quality (Art. 6(1)(f)) |
| Ensuring system security and preventing fraud | IP address, login information, device information | Legitimate Interests — Protecting our systems and users from unauthorized access, cyber attacks, and fraudulent activities (Art. 6(1)(f)) |
| Sending you equipment alarms and service-related notifications | Account data, equipment information | Legitimate Interests — Sending you necessary notifications closely related to normal service operation (e.g., equipment faults, important security alerts) (Art. 6(1)(f)) |
| Conducting data statistics and analysis (aggregate level) | Anonymized usage data and equipment data | Legitimate Interests — Used for industry trend research, product planning, energy efficiency analysis, etc., without identifying you personally (Art. 6(1)(f)) |
| Sending you marketing and promotional information | Account data, marketing preferences | Consent — Only sent with your explicit consent. You may withdraw consent at any time without affecting other services (Art. 6(1)(a)) |
| Complying with legal obligations | Account data, transaction data | Legal Obligation — Including but not limited to tax filings, regulatory reporting, lawful requests from judicial or administrative authorities (Art. 6(1)(c)) |
| Protecting your or another person's vital interests | Relevant necessary data | Vital Interests — Protecting your or another person's life, health, or safety in emergencies (Art. 6(1)(d)) |
| Responding to data requests from statutory public authorities | As required by law | Public Interest — Cooperating in public interest matters as prescribed by law (Art. 6(1)(e)) |
Note on "Legitimate Interests":
Where we rely on "legitimate interests" as the lawful basis for processing your data, we have completed a Legitimate Interests Assessment (LIA) confirming that the processing does not override your rights and freedoms. You have the right to object at any time to our processing based on legitimate interests — please see Section 3 "Right to Object" below.
Note on "Consent":
Most core functions (equipment O&M, fault alarms, customer support, etc.) are based on "contractual necessity" or "legitimate interests" and do not require your consent. We only request your separate consent for:
You can manage your consent at any time in the Platform settings. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Under applicable data protection law, you have the following rights. We will not discriminate against you for exercising your rights.
You have the right to obtain a copy of the personal data we hold about you, along with information about how we process that data. You can access, modify, and update your registration information and other personal information while using OSS.
How to exercise: Send an email to the DPO mailbox explaining your request. We will provide a copy of your data after verifying your identity.
You have the right to have inaccurate or incomplete personal data corrected.
How to exercise: You can modify basic information via the "Personal Settings" page on the OSS Platform. For equipment-related data, please contact customer service or email the DPO.
You have the right to request the deletion of your personal data in the following circumstances:
How to exercise: You may submit a cancellation request via "Settings → Account Security → Cancel Account" on the OSS Platform. You may also email the DPO. Following account cancellation, we will delete or anonymize your data within 30 days, unless extended retention is required by law.
You have the right to request the restriction of our processing of your data in the following circumstances:
How to exercise: Send an email to the DPO explaining the grounds and scope of the restriction.
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to have that data transmitted directly to another controller (where technically feasible).
How to exercise: Send an email to the DPO specifying which categories of data you wish to obtain. We will provide the data within one month.
You have the right to object to our processing of your data in the following situations:
How to exercise: Send an email to the DPO, or manage via "Privacy Settings" within the Platform. You may also unsubscribe at any time via the "unsubscribe" link in marketing emails.
You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
We do not currently engage in such automated decision-making. If we introduce such functionality in the future, we will notify you in advance of the logic involved, the potential consequences, and the measures available to you.
You have the right to withdraw consent you have given at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
How to exercise: You can view and manage all consents given via "Settings → Privacy Settings" on the OSS Platform.
You have the right to lodge a complaint with the applicable data protection supervisory authority. For specific regulatory bodies and complaint channels by region, please see Section 14 "Region-Specific Terms" below.
Response Time and Fees:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Our Group affiliated companies | All data categories | Technical support, product development, server operations, and customer service. All affiliated companies are bound by unified data protection standards and DPAs |
| Distributors/installers (i.e., you) | End-user equipment data | Providing you with after-sales O&M, troubleshooting, and repair services. You access data through the Platform as an independent Data Controller |
| Cloud service providers | All data categories (hosting) | Data hosting and storage infrastructure. DPAs compliant with GDPR/PIPL requirements are in place |
| Third-party SDK service providers | See Section 1.6 SDK List | Providing payment functionality. DPAs have been signed |
| Payment service providers | Transaction data | Processing payments. We do not store your complete payment card information |
| Authorities as required by law | As required by law | Compliance with legal obligations, such as regulatory reporting, lawful law enforcement requests, and court orders |
All third parties receiving your personal data must:
We will not transfer your personal information to any company, organization, or individual except in the following circumstances:
We will only publicly disclose your personal information under the following circumstances:
Your data may be transferred to and stored on servers outside your country/region. Currently, the core data of global users is stored by default on servers in Mainland China, and some data may be stored on servers in other regions.
When we transfer your data from one country to another, we ensure that at least one of the following safeguards is in place:
For UK users:
Your data transfers are protected by the following mechanisms:
>
- UK International Data Transfer Agreement (UK IDTA), or
- UK Addendum to the EU SCCs
>
These are lawful cross-border transfer mechanisms approved by the UK Information Commissioner's Office (ICO).
For Mainland China users:
Your data transfers comply with the requirements of China's Personal Information Protection Law (PIPL), including:
>
- Passing the security assessment conducted by the Cyberspace Administration of China (CAC)
- Signing the Personal Information Outbound Transfer Standard Contract
- Obtaining the required personal information protection certification
>
We store personal information collected within Mainland China domestically. We will not transfer your personal data from within Mainland China to unauthorized overseas recipients.
For users in all other regions:
Your data transfers are protected by the following mechanisms:
>
- EU Standard Contractual Clauses (EU SCCs, 2021 version), or
- European Commission Adequacy Decision (for countries deemed by the EU to provide an adequate level of data protection)
>
These are lawful cross-border transfer mechanisms approved under GDPR Art. 46. If your jurisdiction has additional data transfer requirements, we will implement the corresponding safeguards. For any queries, please contact the DPO.
To obtain a copy of the relevant cross-border transfer agreements (SCCs/IDTA), please contact our DPO.
We provide appropriate security safeguards for your information to prevent loss, misuse, and unauthorized access or disclosure.
Despite our best efforts to protect your data, no internet transmission or electronic storage can be guaranteed to be 100% secure.
We retain your personal data only for the period necessary to fulfill the purposes of collection:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account existence + 30 days after cancellation (for handling potential subsequent complaints and disputes) |
| Equipment and product data | Duration of account existence + deleted or anonymized after cancellation |
| Technical data | Retained for 1 year (for security audits and troubleshooting) |
| Payment transaction data | Retained in accordance with applicable law (typically 5-7 years for tax and audit purposes) |
| Marketing consent records | Duration of consent validity + 6 years after withdrawal of consent (as proof of compliance) |
| Backup data | Rolling retention of 3 months (for disaster recovery; expired backups are deleted immediately after restoration) |
Upon expiry of the above periods, data will be securely deleted or irreversibly anonymized. Where extended retention is required by law, we will retain data only to the extent and for the period required by law. After the retention period has elapsed, we will delete your personal information in accordance with applicable legal requirements.
In the event that OSS ceases operations, we will notify you via push notifications, announcements, etc., and delete your personal information within a reasonable period.
We attach great importance to the protection of minors' personal information. Our services are a B2B platform intended for enterprise users (installers/distributors) and are not directed at children below the statutory age of consent.
If you are a parent or guardian and discover that your child has provided personal data to us, please contact us immediately. Upon verification, we will promptly delete the relevant data.
To support the functionality of the OSS Platform, we integrate Software Development Kits (SDKs) provided by third parties. These SDKs include:
For detailed collection information, providers, and privacy policy links for each SDK, please refer to the table in Section 1.6.
We conduct security assessments of all integrated SDKs, require SDK providers to sign Data Processing Agreements (DPAs) that meet data protection requirements, and rigorously monitor these SDKs, agreeing on strict data protection measures with third-party companies to ensure they process your personal information in accordance with this Privacy Policy and other relevant confidentiality and security measures. We will not refuse to provide core services because you decline non-essential SDK data collection.
Please note that this Privacy Policy does not apply to services provided by other companies or individuals. Your use of such third-party services is subject to their privacy policies (and not this Privacy Policy), and you should carefully read their policy content.
The OSS Platform uses cookies and similar technologies to enhance your user experience and ensure platform security. When you first visit the OSS Platform, we will present you with a Cookie Banner explaining our use of cookies and seeking your consent (for non-essential cookies).
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Essential Cookies | Session management (keeping you logged in), security protection (CSRF protection), load balancing (traffic distribution) | No — necessary for the normal operation of the Platform |
| Analytics Cookies | Measuring visit volume, analyzing usage behavior to improve services | Yes — enabled only with your consent |
| Functional Cookies | Remembering your preference settings (e.g., language, region) | Yes — enabled only with your consent |
When you first visit the OSS Platform, the Cookie Banner will clearly inform you about our use of cookies and provide options to "Accept All" / "Essential Only" / "Customize Settings."
We do not currently engage in decisions based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you.
If we introduce such functionality in the future, we will inform you in advance of:
In the event of a security breach involving your personal data, we will:
We may amend this Privacy Policy from time to time. We will notify you in the following circumstances:
We recommend that you review this Policy periodically to stay informed of the latest version.
The following supplementary terms apply depending on your location. Please refer to the corresponding section below based on your actual location.
Applicable Data Protection Law: UK GDPR and the Data Protection Act 2018.
Supervisory Authority:
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) about how we process your personal data.
>
- Website: https://ico.org.uk/make-a-complaint/
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK
- Telephone: 0303 123 1113
>
We recommend that you contact us before lodging a complaint with the ICO. We will endeavor to resolve your concerns.
International Data Transfers:
When your personal data is transferred from the UK to other countries, we use one of the following mechanisms to ensure adequate protection:
Lawful Basis: The lawful bases cited in Section 2 of this Policy are based on UK GDPR Art. 6. References to "EU or Member State law" in Art. 6(1)(c) shall be read as "UK law," and "public interest" in Art. 6(1)(e) shall be read as "public interest recognized under UK law."
Data Subject Rights: All rights listed in Section 3 are based on the relevant provisions of the UK GDPR (Arts. 15–22 and Art. 77).
Governing Law and Dispute Resolution:
This Policy is governed by the UK GDPR and the laws of England and Wales. Disputes relating to this Policy shall first be resolved through friendly negotiation between the Parties. If negotiation fails, the dispute shall be submitted to the exclusive jurisdiction of the courts of England and Wales. You retain your statutory right to lodge a complaint with the ICO.
Language: This Policy is available in both Chinese and English versions. In the event of any inconsistency, the English version shall prevail.
Applicable Data Protection Law: The *Personal Information Protection Law of the People's Republic of China* (PIPL), the *Data Security Law of the People's Republic of China*, the *Cybersecurity Law of the People's Republic of China*, and related laws and regulations.
Personal Information Processing Notice:
Personal information collected and generated by us during operations within Mainland China is in principle stored within Mainland China.
Sensitive Personal Information:
Where we need to process your sensitive personal information, we will:
>
- Inform you of the necessity of the processing and its impact on you
- Obtain your separate consent
- Implement stricter security protection measures
Data Subject Rights:
Under Chapter IV of the PIPL, you enjoy the right to information and decision-making (Art. 44), the right to access and copy (Art. 45), the right to rectification (Art. 46), the right to erasure (Art. 47), the right to explanation (Art. 48), and the right to data portability. You also enjoy the right to restrict and refuse processing, as well as rights in relation to automated decision-making (Art. 24).
>
How to exercise: Please refer to Section 3 "Your Rights" of this Policy. The substantive content of each right is consistent with the requirements of Chinese law.
Withdrawal of Consent:
You have the right to withdraw consent for processing based on consent. Withdrawal of consent does not affect the lawfulness of personal information processing activities carried out based on consent before the withdrawal.
Personal Information Protection Officer:
Our personal information protection-related matters in Mainland China are uniformly managed by the DPO (contact details in Section 15).
Right to Complain:
You have the right to complain and report to the authorities responsible for personal information protection (such as the Cyberspace Administration of China).
Child Protection:
OSS is not directed at minors under 14 years of age. If we inadvertently collect personal information of a minor under 14, please contact us and we will promptly delete it upon verification.
The core provisions of this Privacy Policy apply to all users. Where your jurisdiction imposes additional data protection requirements:
To exercise your data subject rights, or if you have any questions, comments, or complaints about this Policy, please contact us:
| Item | Information |
|---|---|
| Name | Linda Wang (王清媛) |
| linda@growatt.com | |
| Mailing Address | Same as the registered office address; please mark "Attn: DPO" |
This Policy is published in both Chinese and English. In the event of any inconsistency between the versions, the requirements of the applicable law in the user's location shall prevail. For users in the UK, if there is any inconsistency between the Chinese and English versions, the English version shall prevail.
>
*This Privacy Policy was last updated on: June 15, 2026*