Privacy Policy
Last updated: March 23, 2026
1. Controller
The controller for the official hosted instance of Energy Arena is:
Max Kleinebrahm
Institute for Industrial Production (IIP)
Karlsruhe Institute of Technology (KIT)
Hertzstr. 16 - Building 06.33
76187 Karlsruhe
Germany
Email: [email protected]
Phone: +49 721 608 44579
2. Personal Data We Process
2.1 Account Data
- Email address: Required for registration, verification, and account communication
- Username / handle: Your public participant identifier on leaderboards and charts
- Affiliation: Optional profile field that is displayed publicly only if you provide it
2.2 Participation and Submission Data
- Forecast submissions: Submitted values, timestamps, challenge identifiers, and related metadata
- Challenge profile data: Optional methodological descriptions and forecast-visibility settings
- Leaderboard data: Rankings, aggregated scores, and participation statistics derived from submissions
2.3 Technical and Security Data
- IP addresses: Processed in server-side access and abuse-prevention logs
- Browser / client metadata: User-agent and request metadata in operational logs
- Authentication state: A JWT access token stored in your browser after successful verification or sign-in
3. Public Nature of the Platform
Energy Arena is a public benchmarking platform. The following information may be visible to any visitor of the official hosted instance:
- Your chosen username / handle
- Your optional affiliation, if you provide one
- Your forecast submissions and challenge metadata, subject to the selected forecast-visibility setting
- Your leaderboard position, aggregated metrics, and participation history
- Visualizations that compare submitted forecasts with public ground-truth data
Important: Only submit forecasts and public profile information that you are comfortable making visible on a public benchmarking website.
4. Purposes and Legal Bases
We process personal data only to the extent necessary for operating the platform. The main purposes and legal bases for the official hosted instance are:
- Registration, email verification, authentication, account management, submission intake, scoring, and leaderboard operation: Art. 6(1)(b) GDPR (performance of a contract / taking steps at your request before entering into a contract)
- Public display of your chosen handle and of submission-related benchmark results: Art. 6(1)(b) GDPR, because public benchmarking is a core platform function
- Public display of your optional affiliation: Art. 6(1)(a) GDPR (consent), because this field is optional and can be removed later in your profile
- Security logging, rate limiting, abuse prevention, and defence against misuse or legal claims: Art. 6(1)(f) GDPR (legitimate interests)
- Preparation of aggregated or anonymized platform statistics and research summaries: Art. 6(1)(f) GDPR where personal data processing is still required; otherwise such outputs are generated from non-personal or anonymized data
5. Recipients and Service Providers
The official hosted instance currently uses the following categories of recipients / processors:
- bwCloud: Infrastructure hosting for the official instance (Ubuntu VM with Docker Compose and PostgreSQL, region Germany)
- Mailgun: Transactional email delivery for verification and account-related messages (mg.energy-arena.org)
Public energy market data displayed on the platform is sourced from SMARD and, for internal evaluation workflows, may additionally be processed from ENTSO-E. These are external data sources, not user-tracking tools. We do not intentionally disclose your account data to those data sources as part of the ordinary charting workflow.
6. International Data Transfers
The official hosted instance runs on bwCloud infrastructure in Germany. Depending on the routing and subprocessors of the configured transactional email provider, limited email-related metadata may be processed outside the EEA. Where such transfers occur, they must rely on an adequacy decision or appropriate safeguards such as the European Commission's Standard Contractual Clauses.
7. Retention
- Account profile data: Stored until account deletion, unless statutory retention duties apply
- API keys: Stored until revocation or account deletion; only key hashes are retained, not plaintext keys
- Forecast submissions, leaderboard records, and challenge profiles linked to your account: Stored until account deletion in the primary application database
- Verification tokens: Expire after 60 minutes and are no longer accepted after expiry
- Access and abuse-prevention logs: Typically retained for up to 90 days
- Backups: Removed according to the operational backup rotation schedule
8. Browser Storage, Cookies, and TDDDG
We do not use analytics or advertising trackers on the official hosted instance.
- Local storage: After successful verification or sign-in, a JWT access token is stored in your browser to keep you authenticated for the dashboard and other protected account functions
- No analytics cookies: We do not currently load Google Analytics or comparable tracking services on the public site
- Logout: Logging out removes the locally stored JWT from the browser
The browser-side authentication token is used solely to provide the service explicitly requested by the user (authenticated account access).
9. Your Rights
If you are covered by the GDPR, you generally have the following rights:
- Access: Request information about the personal data we process about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your account and participant-linked data, subject to legal exceptions
- Restriction: Request restriction of processing in the cases provided by law
- Portability: Request a machine-readable export of data you provided to us where applicable
- Objection: Object to processing based on legitimate interests where applicable
- Withdraw consent: Withdraw consent for your optional public affiliation by editing or clearing it in your profile
- Complaint: Lodge a complaint with a supervisory authority
For privacy-related requests, contact [email protected] or call +49 721 608 44579.
You can also lodge a complaint with the competent supervisory authority, for example:
State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg
10. Security
We implement technical and organizational measures intended to protect personal data, including:
- HTTPS encryption for the official hosted instance
- Hashed storage of API keys and verification tokens
- Rate limiting and abuse prevention
- Access controls for authenticated endpoints
- Operational updates and infrastructure hardening
No internet-based service can guarantee absolute security. Please protect your email account and any generated API keys.
11. Self-Hosted Deployments
This privacy notice describes the official hosted instance of Energy Arena. Self-hosted deployments may use different hosting providers, email infrastructure, security measures, and retention settings. Operators of self-hosted instances are responsible for their own legal documentation.
12. Changes to This Policy
We may update this policy if the platform, legal requirements, or service-provider setup changes. The version published on this page is the current version for the official hosted instance.