Enel X Way USA Privacy Policy


Last updated: December 22, 2020


This Privacy Policy applies to Enel X Way USA, LLC., (“Enel X”, “we”, “us” and “our”).


Enel X is committed to ensuring the privacy of your personal information. We are further committed to preventing unauthorized access to that information. Our Privacy Policy details what personal information is collected from our members, participants, users, business representatives, and others and explains how we use it, how it is stored, and your choices related to our use of your information.




Enel X is a global innovator of smart value-added services and solutions that enables businesses and communities to create, store, use, and manage energy more efficiently, sustainably, and strategically. To achieve our mission of becoming a global producer of sustainable, innovative, and simple technology solutions, we develop custom energy strategies to enable our customers meet their energy goals.


We have a reputation in the market for addressing the key business problems of our clients through better energy intelligence, tackling the biggest drivers of unnecessary energy costs. We have also developed products, including smart grid electric vehicle charging solutions.


Enel X, incorporated as Enel X Way USA, LLC., is headquartered in Boston, Massachusetts, in the United States. Enel X is part of a global enterprise. We operate the Enel X the website located at https://www.enelx.com/n-a/en, web applications for business, utilities, and procurement, mobile applications, and related customer support, services and other solutions (collectively referred to as “Services”).


We respect your privacy and take safeguarding your data seriously. Please read this Privacy Policy to understand what Personal Information (defined below) we collect from you, how we use it, and your choices related to our use of your Personal Information. If you do not agree with this Privacy Policy, please do not use the Services.




"Personal Information" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Under specific laws, Personal Information may include any information relating to a household.




We process Personal Information that you actively submit to us, that we automatically collect through your use of our Services, and that we collect from third-party sources. We may process your Personal Information with or without automatic means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of your Personal Information. We do not sell the Personal Information we collect to other parties.


We process the Personal Information of data subjects that includes our customers, users, business representatives, potential clients, and others.


Personal Information that you actively submit to us.


We collect Personal Information that you actively submit to us through an account, mobile applications, website forms, email subscriptions, surveys, customer service, inquiries, social media, and other interactions. You will know when we collect your Personal Information through these interactions because we will directly ask you for the information. We will require certain Personal Information for you to use our Services or for us to be able to contact you. There may also be circumstances where providing Personal Information is optional and does not impact your access to Services.

  • Your Account. When you register an account with us, either through the website or a mobile application, we ask you to provide your name, email, and password. The mobile applications provide an alternative option to register with a Facebook or Google account, and web applications may also offer your Twitter ID or Apple ID as a login option. Additional information collected may include your phone number, address, country/nationality, and, where relevant, your credit card information for payment. Mobile applications may offer you an option to use a Face ID login.
  • Shopping. We sell a range of products online, where we collect payment information such as your billing address, credit card number and expiration date, and your shipping address for delivery.
  • Email Subscriptions. Users have an option to sign up on our website to receive news and offers through email.
  • Contact Us. We provide online forms for users to contact us on specific topics like customer support, sales questions, interest in a partnership, or expert advice. We collect your name, email address, a description of the request, and also ask for your job title and company name when relevant.
  • Support. Our online form provides support for our product sales. We collect your name, email address, country, nature of your inquiry, and allow you to upload an attachment.
  • Social Media. We invite users to join us on social media, through platforms like Twitter, Facebook, and Instagram, with links available directly from the Enel X website.
  • Surveys. We occasionally conduct surveys in order to gather data central to assessing our business objectives and understanding our customers and the market. Participation in surveys is always optional. Information provided in surveys is anonymized and aggregated for analysis.
  • Events. We collect your name and contact information to register you for events.


Personal Information we automatically collect through your use of the Services.


We receive some Personal Information automatically when you visit Enel X Services. This includes information about the device, browser, and operating system you use when accessing our Services, your IP address, the website that referred you, which pages you request and visit, and the date and time of each request you make.


Personal Information of minors.


The Services are not intended for users younger than 13 years of age. We do not actively collect or otherwise process Personal Information from users under the age of 13. If we become aware that an individual under the age of 13 has submitted Personal Information without verifiable parental consent, we will remove his or her information from our files.


Special Categories of information.


We do not actively collect or otherwise process special categories of personal data as identified in the EU General Data Protection Regulation (“GDPR”) including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. We do not actively collect or otherwise process personal data relating to criminal convictions and offences.


California Consumer Privacy Act of 2018 (“CCPA”).


The categories of Personal Information we have collected about consumers in the preceding 12 months are:

  • Identifiers such as a real name, alias, postal address, email address, unique personal or online identifier, Internet Protocol address, and account name;
  • Debit card number, credit card number, and other financial information;
  • Products or services purchased, obtained, or considered and other purchasing or consuming histories or tendencies;
  • Internet or other electronic network activity information on our website(s) and applications, including, browsing history, search history, and information regarding a consumer’s interaction with an internet website, or advertisement;
  • Geolocation data;
  • Visual information;
  • Professional or employment-related information; and
  • Inferences drawn from any of the information identified to create a profile about a consumer reflecting the consumer’s preferences, intelligence, abilities, and aptitudes.




We (and the third-party service providers working on our behalf) use various technologies to collect Personal Information. This may include saving cookies to your device. For information on what cookies are, which ones we use, why we use them, and how you can manage their use, please see our Cookie Policy at https://evcharging.enelx.com/cookie-policy.




We use your Personal Information to operate our Services, deliver products, find and book charging stations, fulfill our contractual obligations in our service contracts with customers, to review and enforce adherence to our Terms, to analyze the use of the Services in order to understand how we can improve our content and service offerings and products, and for administrative and other business purposes. We process Personal Information for our business purposes, including sales leads, subscriptions services, payments, employee training, data analysis, security monitoring, auditing, research, and to comply with applicable laws, exercise legal rights, and meet tax and other regulatory requirements.


In this context, the legal basis for our processing of your Personal Information is either the necessity to perform contractual and other obligations, our legitimate business interest as a provider of services, regulatory requirements, or in some instances your explicit consent.




We may share your Personal Information in the following circumstances:

  • Third-party Service Providers. We may share information we collect about you with third-party service providers to perform tasks on our behalf in supporting the Services. The types of service providers, or sub-processors, to whom we entrust Personal Information include: (i) payment providers; (ii) providers of hosting services; (iii) sales and marketing providers; (iv) providers of analytic data services; and (v) other services such as system support.
  • Regulatory Bodies, Agencies, and Law Enforcement. We may access and disclose your Personal Information to regulatory bodies if we have a good-faith belief that doing so is required under applicable law or regulation. This may include submitting Personal Information required by tax authorities. We may disclose your Personal Information in response to lawful requests by public authorities or law enforcement, including to meet security or law enforcement requirements. If we are going to release your Personal Information in this instance, our policy is to provide you with notice unless we are prohibited from doing so by law or court order.
  • Merger, Sale, or Other Asset Transfers. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, then your Personal Information may be transferred as part of such a transaction as permitted by law and/or contract. Should such an event occur, Enel X will endeavor to direct the transferee to use Personal Information in a manner that is consistent with the Privacy Policy in effect at the time such Personal Information was collected.
  • Other Disclosures. We may also disclose your Personal Information to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of the Services, of any individuals, or of the general public; to maintain and protect the security and integrity of our services or infrastructure; to protect ourselves and our services from fraudulent, abusive, or unlawful uses; or to investigate and defend ourselves against third-party claims or allegations. Disclosures may be made to courts of law, attorneys and law enforcement, or other relevant third parties in order to meet these purposes.
  • Please note that we share aggregated information and non-identifying information with third parties for industry research and analysis, demographic profiling, and other similar purposes. In addition, our Services may contain links to other websites not controlled by us, and these other websites may reference or link to our Services; we encourage you to read the privacy policies applicable to these other websites.


If we transfer Personal Information of individuals located in the European Economic Area ("EEA") or United Kingdom ("UK") that we have received under the EU-U.S. Privacy Shield Framework to a third party, Enel X remains liable for such Personal Information and the actions of such third party.


CCPA (For California Residents).


The categories of Personal Information we have disclosed about consumers for a business purpose in the preceding 12 months are:

  • Identifiers such as a real name, alias, postal address, email address, unique personal or online identifier, Internet Protocol address, or account name;
  • Debit card number, credit card number, and other financial information;
  • Products or services purchased, obtained, or considered; other purchasing or consuming histories or tendencies;
  • Internet or other electronic network activity information, including, browsing history, search history, and information regarding a consumer’s interaction with an internet website, or advertisement;
  • Geolocation data;
  • Visual information;
  • Professional or employment-related information; and
  • Inferences drawn from any of the information identified to create a profile about a consumer reflecting the consumer’s preferences, intelligence, abilities, and aptitudes.


Again, we do not sell Personal Information.




Enel X retains Personal Information for a reasonable time period to fulfill the processing purposes mentioned above. Personal Information is then archived for time periods required or necessitated by law or legal considerations. When archival is no longer required, Personal Information is deleted from our records.


We retain your account information, including Personal Information in your profile, while your account is active. After termination or deactivation of your account, we delete your account as part of our standard delete function. If you participated in market research, your contribution becomes part of the market data is retained indefinitely, with data anonymized and aggregated.


We retain purchase information for a relevant time to align with warranties associated with the product. Please note we may retain information within our internal systems for backup, archival, audit, or other purposes.


We retain Personal Information that we are required to retain to meet our regulatory obligations including tax records and transaction history. We regularly review our retention policy to ensure compliance with our obligations under data protection laws and other regulatory requirements. We regularly audit our databases and archived information to ensure that Personal Information is only stored and archived in alignment with our retention policies.




Enel X uses technical and organizational measures to protect the Personal Information that we store, transmit, or otherwise process, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems.


However, you should keep in mind that the Services are run on software, hardware, and networks, any component of which may, from time to time, require maintenance or experience problems or breaches of security beyond our control. Please also be aware that despite our best efforts to ensure the security of your data, we cannot guarantee that your information will be 100% secure.


Please recognize that protecting your Personal Information is also your responsibility. We urge you to take every precaution to protect your information when you are on the Internet, such as using a strong password, keeping your password secret, and using two-factor authentication.




Your Personal Information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide your Personal Information to us, we will transfer your Personal Information to the United States and process it there. Where we transfer your Personal Information, we will take all reasonable steps to ensure that your privacy rights continue to be protected.


In the case of transfers of data out of Europe, we have committed to comply with the Privacy Shield and implement Standard Contractual Clauses as required. We endeavor to utilize third-party service providers from the United States that have certified with Privacy Shield or alternatively provide adequate protections that are compliant with the EU General Data Protection Regulation ("GDPR") such as implementing Standard Contractual Clauses or Binding Corporate Rules.




Enel X complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the EEA and UK to the United States in reliance on Privacy Shield. Enel X has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.


As part of its participation in Privacy Shield, Enel X is subject to the investigatory and enforcement powers of the Federal Trade Commission. Organizations participating in the Frameworks must respond within 45 days of receiving a complaint.


If you have not received a timely or satisfactory response to your question or complaint, please contact one of the independent recourse mechanisms listed below:


EU Data Protection Authorities (“DPAs”)


Please note that this independent dispute resolution body is designated to address complaints and provide appropriate recourse free of charge to the individual.


Under certain circumstances, individuals located in the EEA and the UK may invoke binding arbitration to resolve a Privacy Shield related dispute. In order to invoke arbitration, you must take the following steps prior to initiating an arbitration claim: (1) raise your complaint directly with Enel X and provide us the opportunity to resolve the issue; (2) make use of the independent recourse mechanism listed above; and (3) raise the issue through your relevant Data Protection Authority to the U.S. Department of Commerce and afford the U.S. Department of Commerce an opportunity to use best efforts to resolve the issue at no cost to you. For more information on binding arbitration, see the U.S. Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration) at:




In compliance with the Privacy Shield, individuals have the right to access Personal Information and to correct, amend, restrict, or delete that information where it is inaccurate, or has been processed in violation of the Privacy Shield principles, except where the burden or expense of providing access is disproportionate to the risks to the individual's privacy in the case in questions, or where the rights of persons other than the individual will be violated.


If you have an Enel X account, we rely upon you to keep your information up to date. You may edit your profile information at any time through your account settings. For email subscriptions, you may opt-out at any time by selecting the “Unsubscribe” link at the end of the email communication. Similarly, for email communication of a marketing nature, we provide the ability for you to unsubscribe directly from the email.


If you demonstrate the inaccuracy or incompleteness of Personal Information, Enel X will amend the information as required. If appropriate, we will send the amended information to service providers to whom the information has been disclosed.


Where we rely upon consent as a legal basis for processing, you may withdraw your consent at any time. Please note the withdrawal of your consent does not affect the lawfulness of processing based on consent before withdrawal.


Individuals in the EEA, UK, and Switzerland have certain rights that may be subject to limitations and/or restrictions. These rights include the right to: (i) request access to and rectification or erasure of their Personal Information; (ii) obtain restriction of processing or to object to processing of their Personal Information; and (iii) ask for a copy of their Personal Information to be provided to them, or a third party, in a digital format. If you wish to exercise one of the above-mentioned rights, please send us your request to the contact details set out below. Individuals also have the right to lodge a complaint about the processing of their Personal Information with their local data protection authority.




The CCPA affords certain rights to California residents concerning their Personal Information. These rights include the right to: (i) know what Personal Information is being collected about them, which is outlined above (ii) know whether their Personal Information is sold or disclosed and to whom, which is also outlined above (iii) say no to the sale of Personal information, which, as noted above, we do not do; (iv) access their Personal Information, which is explained below (v) request deletion of Personal Information, which is also explained below; and (vi) equal service and price, even if they exercise their privacy rights.


Right to Access Your Information


Under our Policy, you have a right to access the information we have collected during the last 12 months. Specifically, you have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising User Rights below), we will disclose to you:

  • The categories of Personal Information we collected about you.
  • The categories of sources for the Personal Information we collected about you.
  • Our business or commercial purpose for collecting or selling that Personal Information.
  • The categories of other businesses or persons with whom we share that personal information.
  • The specific pieces of Personal Information we collected about you.
  • If we disclosed your Personal Information for a business purpose, the Personal Information categories that each category of recipient obtained.


Right to Request Deletion


Under our Policy, you have the right to request that we delete any of your Personal Information that we collected from you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising User Rights below), we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.


We may deny your deletion request if retaining the information is necessary to:

  • Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.


Exercising Rights under the CCPA


If you are a California resident, to exercise the rights described above, please submit a verifiable consumer request to us by one of the following methods:


Only you, or, if you are a California resident, a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. You may make a verifiable consumer request for access or data portability only twice within a 12-month period.


To verify the identity of an individual making a request, a two-step process will need to be completed. A verifiable consumer request must:

  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
  • Separately provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.


We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.


Making a verifiable consumer request does not require you to create an account with us. We will use Personal Information provided in a verifiable consumer request only to verify the requestor’s identity or authority to make the request.


Response Timing and Format


For verifiable requests made by California residents under the CCPA, we will endeavour to provide an initial response to a verifiable user request within 10 days of receipt and will attempt to fulfil a verifiable user request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.


We will deliver our written response by mail or electronically, at your option.


Any disclosures we provide will cover only the 12-month period preceding our receipt of a verifiable user request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.


We do not charge a fee to process or respond to your verifiable user request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.




We will not discriminate against anyone for exercising any of their rights under this Policy or any applicable information privacy or data protection law. Unless otherwise permitted, we will not:

  • Deny you goods or services;
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide you a different level or quality of goods or services; or
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.


But if any part of our Services involves a financial transaction with you, we may offer you certain financial incentives permitted by applicable laws that can result in different prices, rates, or quality levels. Any financial incentive permitted under applicable law that we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. However, we do not currently provide any financial incentives.




This document is effective as of the date indicated at the top of this Privacy Policy. This document may be amended from time to time.




Inquiries may be made through any of the following means:

Email: dataprotectionoffice-northamerica@enel.com

Toll-Free: +1 (800) 359-6615

Mail:Enel X Way USA, LLC.

Attention: Data Privacy Officer

One Marina Park Drive, Suite 400,

Boston, MA, USA 02210