Privacy Policy

WordPress infrastructure, accurately incorporating requirements from GDPR, CCPA/CPRA, and industry best practices.

1. Introduction and Scope of Policy

This Privacy Policy and Data Protection Notice (the "Policy") describes how Sunpal Power Co., Ltd., along with its parent company, subsidiaries, global affiliates, and associated brands (collectively referred to as "SUNPAL GROUP", "we", "us", or "our"), collects, uses, stores, shares, and protects your Personal Information.

This Policy comprehensively applies to your interaction with our matrix of official websites (sunpalsolar.com, sunpalpv.com, sunpal-energy.com, and sunpalsys.com), our online applications, your communications with our customer service teams, and the deployment of our intelligent solar arrays and energy storage hardware devices (collectively, the "Services"). By continuing to access our Platforms or submitting an inquiry, you acknowledge the data practices described in this Policy. This framework is strictly designed to comply with the most rigorous global data privacy laws, including the European Union's General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA).

2. Categories and Sources of Personal Data We Collect

SUNPAL GROUP strictly adheres to the principle of data minimization, collecting only the Personal Information absolutely necessary for specific commercial purposes. Depending on the depth of your interaction with us, we may collect the following categories of data:

  • Directly Provided Business Contact Information: When you submit inquiries via our "Free to Contact Us", distributor recruitment, exclusive pricing, or warranty claim forms, we collect your full name, company name, job title, email address, physical/project address, and phone/WhatsApp numbers. We also collect specific technical requirements or questions entered into the message fields.
  • Automated Web Interaction and Telemetry Data: As you navigate our digital platforms, our servers and integrated third-party systems automatically capture your Device IDs, Internet Protocol (IP) address, browser type, operating system, timestamp of visit, and the "SourceLink" attribution parameters (used to analyze the marketing campaign or referral path that directed you to our Platforms).
  • Connected Hardware and Industrial IoT Data: For users operating SUNPAL PV intelligent lithium Battery Management Systems (BMS) or SUNPAL SYS large-scale grid-tied photovoltaic equipment, our networking hubs (such as wireless gateways or smart inverters) continuously report energy production efficiency, power consumption patterns, grid interaction status, and cumulative counters to our servers once connected to the internet. If this telemetry data can be linked to your specific account, name, or physical address, it is treated with the same stringent protections as Personal Information.
  • Information from Trusted Third Parties: We may receive Personal Data from business partners—such as regional solar installers, grid services aggregators, or logistics carriers—regarding your warranty registration, installation progress, or support requirements.

3. Purposes and Legal Basis for Processing Personal Data

SUNPAL GROUP will never sell or rent your personal contact information for short-term financial gain. We process your data strictly for the following operational purposes, backed by established legal bases under the GDPR:

  • Contractual Necessity (Fulfilling Services): To process your solar or storage product inquiries, design customized PV system solutions, process payments, execute logistics, and technically validate warranty claims.
  • Legitimate Interest (System Maintenance & R&D): To continuously monitor the health of online inverters and batteries, diagnose potential hardware failures, and send urgent firmware upgrade notices. We also de-identify and aggregate telemetry and web traffic data to optimize PV module designs, analyze market trends, and evaluate regional promotional campaigns.
  • Consent (Marketing Communications): Subject to your explicit, opt-in consent (e.g., subscribing to MFA Mail), we may send you B2B customized solutions, industry insights, and promotional updates regarding SUNPAL technologies.
  • Legal Obligation & Security: Utilizing IP logs and Google reCAPTCHA technologies to monitor malicious bot attacks against our WordPress infrastructure, prevent form spam, and protect our corporate networks from unauthorized access.

4. Data Sharing and Disclosure Practices

To ensure the efficient operation of our global supply chain and deliver a seamless B2B customer experience, SUNPAL GROUP may disclose your information to the following entities under strictly controlled conditions:

  • Intra-Group Sharing: We may disclose Personal Information between and among any of our global locations, parent companies, subsidiaries, and affiliates in accordance with local laws. For instance, data submitted on sunpalpv.com may be utilized by engineers at sunpalsys.com to provide you with a comprehensive, cross-product line solar and storage solution.
  • Authorized Third-Party Processors: We engage industry-leading cloud hosting providers, CRM service providers, and logistics carriers. These entities are bound by rigorous Data Processing Agreements (DPAs) and are only authorized to process your data on our behalf and according to our strict instructions.
  • Corporate Restructuring: In the event of a merger, consolidation, restructuring, or the sale of substantially all of our assets, Personal Information held by us will be transferred as a business asset to the acquiring entity.
  • Legal Obligations: We will disclose Personal Information to law enforcement, judicial courts, or regulatory authorities if we believe in good faith that such action is necessary to comply with a legal obligation, protect our intellectual property, investigate fraud, or ensure the safety of our employees and the public.

5. International Data Transfers

As a global solar enterprise, SUNPAL GROUP operates data centers in multiple jurisdictions, including our headquarters in China and cloud nodes in the EU and the US. When transferring the Personal Data of European Economic Area (EEA) or UK residents to countries lacking an Adequacy Decision from the European Commission, we rely on legally recognized transfer mechanisms, primarily the execution of Standard Contractual Clauses (SCCs), reinforced by state-of-the-art encryption protocols, to ensure your data maintains an equivalent level of protection.

6. Data Security and Retention

We maintain robust organizational, technical, and administrative safeguards—including enterprise firewalls, data encryption in transit, and role-based access controls—to protect your highly sensitive B2B project data against unauthorized access or alteration. However, no internet-based transmission is completely secure; any transmission of data is done at your own risk.

Retention Policy: We retain your data only for as long as reasonably necessary to fulfill the purposes outlined in this Policy. Active customer project and contact data are retained throughout the product warranty lifecycle (up to 25 years for PV panels and 10 years for inverters) and applicable statutory record-keeping periods. Unconverted prospect leads are subject to physical deletion or irreversible de-identification after 2 years of inactivity.

7. Your Global Privacy Rights and Choices

Depending on your jurisdiction, you are entitled to exercise significant control over your Personal Information:

For California Residents (CCPA/CPRA):

  • Right to Know and Access: The right to request disclosure of the specific pieces and categories of personal information we have collected, the sources, and the commercial purposes for collection.
  • Right to Delete and Correct: The right to request the deletion of your data from our systems or the correction of inaccurate information, subject to legal exceptions.
  • Right to Limit Sensitive Personal Information: The right to restrict our use of highly sensitive data to what is strictly necessary for providing our services.
  • Right to Opt-Out of Sale or Sharing: While we do not sell your data for money, deploying third-party tracking pixels for cross-context behavioral advertising may be considered "sharing" under the CPRA. You have the absolute right to opt out via the "Do Not Sell or Share My Personal Information" link in our website footer.
  • Right to Non-Discrimination: We will never deny services or alter pricing in retaliation for exercising your privacy rights.

For EEA/UK Residents (GDPR):

In addition to rights of access, rectification, and erasure (the "right to be forgotten"), you hold the right to Data Portability (receiving your data in a structured, machine-readable format) and the right to object to or restrict processing, particularly for direct marketing purposes based on legitimate interests.

To exercise these rights, please submit a verifiable request via the contact channels provided at the end of this Policy.

8. Cookies, Tracking Technologies, and Global Privacy Control (GPC)

To maintain our WordPress infrastructure and measure our digital marketing performance, we deploy cookies, web beacons, and pixels:

  • Strictly Necessary Cookies: Essential for basic site functions, such as load balancing and executing Google reCAPTCHA. No consent is required.
  • Advertising and Behavioral Pixels: Certain sites (e.g., sunpalsys.com and sunpal-energy.com) utilize Facebook Pixel and Yandex Metrica to measure B2B engagement and deliver targeted industry advertisements.
  • Global Privacy Control (GPC) Compliance: GPC is a signal sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicates your choice to opt out of the "sharing" of personal data for targeted advertising. Our WordPress Consent Management Platform (CMP) is technically configured to automatically detect and honor the Sec-GPC: 1 HTTP header. Upon detection, our systems will instantly block Meta, Yandex, and other non-essential tracking scripts from loading.

9. Restrictions on Generative AI Applications

Recognizing the rapid advancement of artificial intelligence, SUNPAL GROUP establishes a firm ethical boundary regarding your proprietary B2B data. We strictly commit that we will not create, store, share, or use your confidential project designs, exclusive pricing negotiations, or energy consumption telemetry data to produce generative AI content or train public AI models without your explicit, prior written approval.

10. Children's Privacy

SUNPAL GROUP's products—industrial-grade solar arrays and commercial energy storage—and our online platforms are intended strictly for adults and corporate entities. We do not knowingly collect, sell, or share Personal Information from children under the age of 18. If we become aware that we have inadvertently collected such data, we will take immediate steps to permanently delete it from our databases.

11. Policy Updates and Contact Information

We reserve the right to update or change our Policy at any time to reflect technological advancements or evolving legal frameworks. Substantial changes will be communicated via a prominent notice on our website or direct email.

If you have questions regarding this Policy, wish to file a privacy grievance, or intend to exercise your statutory data rights, please contact the SUNPAL GROUP Global Legal and Compliance Department via our dedicated channels: