Privacy Policy

Last updated: April 2026

KITFUNSO LTD trading as Mure ("Mure", "we", "us", "our") is a company registered in England and Wales. This privacy policy explains how we collect, use, store, and protect your personal data when you use the Mure platform and related services.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. What We Collect

We collect the following categories of personal data:

Account Information

Email address (for authentication, service communications, and waitlist registration)
Password (stored as a one-way cryptographic hash; we never store or see your plain-text password)
Display name (optional, for personalisation within the app)

Location Data

Postcode (used solely to determine your Octopus Agile pricing region; we do not store or use your full address)

Device and Battery Data

Battery device serial numbers (to identify your hardware for scheduling commands)
Manufacturer API tokens (encrypted at rest using Fernet symmetric encryption; used to communicate with your battery via the manufacturer's API)
Battery telemetry: state of charge (SOC%), power flow readings, charge/discharge rates
Battery configuration: capacity, model, firmware version

Energy and Pricing Data

Electricity price data from your tariff provider (e.g. Octopus Agile half-hourly rates)
Computed savings calculations and schedule history

Usage Analytics

Anonymous usage data: pages visited, features used, session duration
Error reports sent to Sentry (anonymised, no personally identifiable information)

2. Why We Collect It

We process your data for the following purposes:

Service delivery: to authenticate your account, connect to your battery hardware, retrieve electricity pricing, compute optimal charge/discharge schedules, and execute those schedules on your behalf.
Savings tracking: to calculate and display your energy cost savings over time.
Service communications: to send you important service emails such as schedule alerts, device status notifications, and account security notices.
Product improvement: to understand how the platform is used so we can improve performance, reliability, and features.
Error monitoring: to detect and resolve technical issues quickly using anonymised error data.

3. Legal Basis (UK GDPR)

We rely on the following legal bases for processing your data:

Contract performance (Article 6(1)(b)): processing your account details, device data, and pricing data is necessary to provide the battery optimisation service you have signed up for.
Legitimate interests (Article 6(1)(f)): anonymous usage analytics and error monitoring to maintain and improve the service. We have assessed that these interests do not override your rights given the minimal and anonymised nature of the data involved.
Consent (Article 6(1)(a)): for marketing communications. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting us.

4. Data Storage and Security

Your data is stored in the following infrastructure:

Primary database: Neon PostgreSQL, hosted in US-East-1 (Virginia, USA). Contains account data, device configurations, telemetry readings, and schedule history.
Cache layer: Upstash Redis, hosted in US-East-1 (Virginia, USA). Used for session management, rate limiting, and temporary schedule data. Data is ephemeral and automatically expires.
Frontend:Cloudflare Pages, served from Cloudflare's global CDN edge network. No personal data is stored at the edge.

As our primary data storage is in the United States, your personal data is transferred outside the UK. We rely on appropriate safeguards for these transfers, including the data processing agreements provided by our infrastructure providers (Neon, Upstash), which incorporate Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA) where applicable.

We implement appropriate technical and organisational measures to protect your data, including:

Encryption of API tokens at rest using Fernet symmetric encryption
Passwords hashed using bcrypt with salting
TLS encryption for all data in transit
Database access restricted by IP allowlisting and authentication
Rate limiting on all API endpoints

5. Data Retention

Account data (email, display name, device configurations): retained for as long as your account is active. Deleted within 30 days of account deletion.
Raw telemetry (SOC%, power flow readings): retained for 90 days, then automatically deleted.
Aggregated telemetry (daily/weekly summaries, savings calculations): retained for 1 year, then automatically deleted.
Waitlist email addresses: retained until beta launch, after which they are either converted to accounts or deleted within 30 days.
Error logs (Sentry):automatically expired after 90 days per Sentry's data retention policies.

6. Third-Party Services

We share data with or use the following third-party services:

GivEnergy Cloud API:we send your GivEnergy API token (which you provided to us) to GivEnergy's own servers to read battery status and send charge/discharge commands. This is necessary to operate the service. Your token is sent directly to GivEnergy; we do not share it with any other party.
Octopus Energy API:we query Octopus Energy's public pricing API to retrieve Agile tariff rates for your region. No personal data is sent to Octopus in these requests; only the region code (derived from your postcode) is used as a query parameter.
Sentry: we use Sentry for error tracking and performance monitoring. Error reports are anonymised and do not contain personally identifiable information.
Cloudflare:our frontend is served via Cloudflare Pages. Cloudflare may process IP addresses and request metadata as part of their CDN and security services, subject to Cloudflare's own privacy policy.

We do not sell your personal data to any third party. We do not use your data for advertising or profiling.

7. Your Rights (UK GDPR)

Under the UK GDPR, you have the following rights regarding your personal data:

Right of access: you can request a copy of the personal data we hold about you.
Right to rectification: you can ask us to correct inaccurate personal data.
Right to erasure: you can ask us to delete your personal data. You can also delete your account directly from the Settings page in the app.
Right to data portability: you can request your data in a structured, commonly used, machine-readable format (JSON).
Right to object: you can object to processing based on legitimate interests.
Right to withdraw consent: where processing is based on consent (e.g. marketing), you can withdraw it at any time.
Right to lodge a complaint:you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Cookies and Local Storage

Mure uses only essential storage mechanisms:

Authentication token: stored in localStorage to keep you signed in between sessions.
Theme preference: stored in localStorage to remember your light/dark mode choice.

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. We do not use Google Analytics or similar tracking services.

9. Children

Mure is not designed for or directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

10. Changes to This Policy

We may update this privacy policy from time to time. For material changes, we will notify registered users by email before the changes take effect. Non-material changes (such as formatting or clarifications) may be made without notice. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

11. Contact Us

If you have any questions about this privacy policy or our data practices, contact us at:

KITFUNSO LTD trading as Mure

Email: [email protected]

Read our Terms of Service