Version 1.3 dated 01.07.2022
Data Protection at VREEDA
Dear customer, thank you for using the VREEDA services and your interest in our data protection information. In order for you to truly benefit from all the advantages your smart devices offer, we need to process some data from you and your devices. We naturally conduct our activities in the app and in the backend systems of our Internet of Things (IoT) platform in compliance with data protection and data security laws.
It is of the utmost importance to us that you feel comfortable when using our products and that you can always determine which data you want to share — because it is exclusively your data. Our philosophy is that all data from smart, digital products should always be used transparently and in the interest of the user. Through maximum transparency we want to earn your trust and enable you to get the best out of your smart products for yourself personally. We are convinced that data protection and innovative digital products and services do not have to be a contradiction. We therefore see data protection and the transparent use of data to your advantage as a VREEDA quality feature. You can rely on us!
With the following privacy policy we would like to inform you in detail about what personal data we may collect from you and how we handle it specifically.
This privacy policy applies in addition to the general data protection provisions for apps, which you can view on the providing app platforms (Apple iOS App Store, Google Play Store).
In order to be able to explain everything to you precisely, we first need a few definitions.
I. Definitions
· Personal data: Information relating to an identified or identifiable natural person.
· Platform: Collective term for the combined IoT systems of VREEDA GmbH (hereinafter, for the sake of simplicity, we will only refer to "VREEDA"), in particular the app, the end devices and the backend system. IoT services are provided via the platform.
· App: All apps developed and operated by VREEDA that enable users to install, configure, control and monitor IoT end devices and use services, connecting to the backend system of the platform.
· IoT devices/end devices: Household appliances or products manufactured by hardware producers that can capture data via an additionally integrated component and transmit it to the platform via a wireless network.
· Platform partners: Partners of VREEDA who integrate their components or services into VREEDA's IoT services.
· Service providers: Carefully selected and commissioned service providers or service partners who perform tasks and services for VREEDA (e.g. client developers).
· Users: The respective user of VREEDA's IoT services.
II. Name and Address of the Controller
The controller within the meaning of the EU GDPR, other data protection laws applicable in the member states of the European Union and other provisions of a data protection nature is:
VREEDA GmbH
Alfredstr. 81
45130 Essen
Germany
You can reach us by e-mail at datenschutz@vreeda.com or via our website www.vreeda.de / www.vreeda.com
III. Processing of Personal Data
As a general principle, VREEDA places the highest importance on protecting your personal data. We therefore do not collect any personal data about you via our platform or via devices connected to the IoT services without your knowledge. All personal data that we ask you for as necessary at the start of use is indeed required for providing the VREEDA platform and the services available on it. With regard to further processing for the purpose of making you interesting offers based on your individual use of the VREEDA platform services, we ask for your explicit consent. The legal basis for processing is, depending on the specific processing and data category, Art. 6(1)(b) GDPR (initiation of contract, performance of contract) or Art. 6(1)(a) GDPR (consent).
We generally use your personal data provided directly by you to respond to your enquiry, process your order, provide you with VREEDA's platform services, carry out system maintenance and configurations, or provide you with access to special information or offers (e.g. via e-mail newsletter).
Where necessary, VREEDA may have individual tasks and services performed by carefully selected and commissioned service providers and platform partners, with a strong preference for those based within the EU or EEA (as this is the optimal processing area from a data protection perspective), and only to the extent necessary for the performance of the contract for the provision of our services or for the further development and maintenance of VREEDA's IoT services. Should it ever be truly unavoidable to exchange your data with a partner or service provider based outside the EU or EEA, we do so with as little data as possible and exclusively with the greatest possible contractual safeguards.
In the context of relationships with our partners and service providers, data protection agreements complying with legal requirements — e.g. data processing agreements pursuant to Art. 28 EU GDPR — are bindingly concluded to establish an adequate level of data protection with these contractual partners, and appropriate data protection guarantees pursuant to Art. 44–46 EU GDPR are agreed in the event that personal data must be transferred to third countries outside the EU or EEA.
The transfer of certain data to our platform partners to ensure a function required for one of our services — for example the confirmation of a specific use of an end device in order to be able to use a special service at the platform partner — is carried out on the basis of Art. 6(1)(b) EU GDPR (performance of contract). Any transfer of your data to our partners beyond this — for example for advertising purposes or for other purposes not required for the performance of the contract — takes place exclusively if you have expressly consented to this transfer. We will notify you at the appropriate point and then ask you for an explicit consent that can be revoked at any time for the future. This ensures that the requirements of Art. 7 EU GDPR and Art. 6(1)(a) with regard to compliant consent as a legal basis are met.
Personal data that is no longer needed will be deleted immediately when there is no longer a business purpose and no other legal basis pursuant to Art. 6(1)(c) GDPR — e.g. statutory retention obligations — exists, in order to comply with the principle of data minimisation pursuant to Art. 5 EU GDPR.
It may sometimes be useful to anonymise personal data from customers like you in order to then analyse it in detail for statistical purposes and system optimisations. This data can then no longer be traced back to you. Since this anonymisation is also a processing operation, we also need a legal basis for it — in this case it is our legitimate interest pursuant to Art. 6(1)(f) EU GDPR.
IV. Processing of Access Data
With every interaction with our app and devices, access and system data is transmitted and, where applicable, stored. A data record can contain the following content and is fully encrypted throughout its journey through the internet:
· ID and access token of your user account
· IP address of your end device (smartphone)
· ID of your IoT devices
· MAC address of your IoT devices
· Status of your IoT devices (on/off, colour, scenes, online status, time of last change, etc.)
· Configuration of your IoT devices (serial number, name, time profiles, public certificate fingerprint, hardware/firmware version)
· Date and time of the interaction
· Version of the app
· Operating system of the end device
· System data from App Insights analyses (see below)
The data stored by us is used exclusively for the technical fulfilment of the IoT services offered and evaluated for statistical purposes, or for the maintenance, protection and improvement of our services, the development of new services, and the protection of VREEDA IoT and our users.
The legal basis for this processing is usually our legitimate interest pursuant to Art. 6(1)(f) GDPR, and in cases where we need this data to provide a contractually guaranteed service, the performance of contract pursuant to Art. 6(1)(b) EU GDPR.
V. App Insights
In order to expand the range of functions of our offering in the app, make usage more convenient for you and detect and rectify possible errors at an early stage, we use among other things what are known as App Insights. Using this technology, which can also contain certain personal data about you at the app level, data can be stored on your end device when our app is accessed and diagnostic data, for example about errors and crashes of the app, can be transmitted anonymously to our backend system — i.e. a reference back to you is no longer possible on the basis of the data received in the backend system.
The transmitted data from App Insights can contain the following anonymised content:
- Usage frequency of the app (daily, weekly, monthly)
- Usage frequency and duration daily
- End device used (smartphone model) and its software version
- Country of use
- Language setting used on the smartphone
- Software version of the VREEDA app used
- Number & error messages for failed login attempts
- Number & error messages for failed device Wi-Fi integrations
- Number & error messages for failed connections when controlling devices
The legal basis for this processing is our legitimate interest pursuant to Art. 6(1)(f) GDPR.
VI. Recording of IoT Device Activity
VREEDA and commissioned service providers will record the activities of the IoT devices registered by you in the platform, as this is required for providing the respective service.
This process captures all activity of the device as well as physical measurements such as light colours, brightness, power consumption, etc. and stores these states and their changes. These activity data are primarily important for us to be able to offer you an optimal user experience and to enable you to access the full range of VREEDA services, especially digital services.
The legal basis for this processing of personal data in the context of this activity recording is the performance of contract pursuant to Art. 6(1)(b) EU GDPR.
VII. Collection and Processing of Voluntarily Provided Additional Data
After setting up the VREEDA system, you will be asked in the IoT platform, in addition to the necessary data for managing your user account (e-mail address, password), to also provide voluntary additional data such as username, first name, surname and address. Providing this data is voluntary and can be skipped at any time; the details can be changed or deleted in the app at any time. The legal basis for this processing is your explicit consent pursuant to Art. 6(1)(a) GDPR.
Depending on how you use VREEDA services, the legal basis for the processing of initially voluntarily provided additional data may change if the data becomes necessary for the provision of a VREEDA service you use. The legal basis for this processing is then the performance of contract pursuant to Art. 6(1)(b) EU GDPR.
(1) Access by users
The additional data collected is available to you.
(2) Access by VREEDA and platform partners
These additional details will be processed from the start of use of the services for which they are required, in order to provide you with these services.
VIII. Device Configuration, Log Data
The IoT platform automatically creates the system configurations necessary for operating the system, such as device names and user assignments, scenarios, time profiles etc., and stores these securely in the IoT central system as well as in the app on your smartphone/tablet. The system configuration of the devices is backed up in the VREEDA data centre and used only for a possible data recovery that you initiate yourself.
The central system and the IoT app record the status updates of the devices in a dedicated database.
The transmission of control commands from the central system as well as the communication between it and your IoT devices and the app is of course encrypted and authenticated.
The legal basis for this processing is the performance of contract pursuant to Art. 6(1)(b) GDPR.
(1) Access by users
Access by you for data recovery is secured. Such a possible data recovery is initiated by you, e.g. when you reset already connected devices and re-integrate them into the system.
(2) Access by VREEDA
VREEDA analyses and evaluates the settings of your account in the central system and control commands generated when connecting via the VREEDA data centre, in order to be able to intervene in the event of a malfunction or technical problems to guarantee the availability of the IoT solution.
(3) Access by platform partners
Access by authorised platform partners only takes place when required for fault analysis and rectification.
(4) Deletion of data
Log data that is no longer needed as well as outdated configuration data will be deleted immediately when there is no longer a business purpose and no other legal basis — e.g. statutory retention obligations — exists, in order to comply with the principle of data minimisation pursuant to Art. 5 EU GDPR.
IX. Pseudonymised Data for the Development of New Services
Personal data that you provide to us or that arises during the use of our services (e.g. activities of the IoT devices registered by you in the platform) is additionally continuously pseudonymised and then analysed in a separate data store in order to be able to develop further attractive services for our users. The development of new services is an important component of VREEDA's range of services as an innovative "interaction platform" intended to enable users to receive added value from smart devices beyond standard functions. The pseudonymised data is not traced back to you personally.
The legal basis for this processing is the fulfilment of our contract with you pursuant to Art. 6(1)(b) GDPR.
X. Personalised Value-Added Offers
If you additionally give us your explicit consent, we will be able to make you value-added offers from our partners based on your individual use of VREEDA services. In order to do this, we need to re-link your data, which up to the time of your consent was processed pseudonymously for analysis purposes, to you personally. From the time of your consent, we will then no longer pseudonymise your personal data as described in Chapter IX, but will instead store and analyse it on a personal basis.
We will, however, never pass on your personal data to third parties without a further explicit consent.
The legal basis for this processing of personal data is your explicit consent pursuant to Art. 6(1)(a) GDPR.
Upon revocation of your consent, from that point on your personal data will again be pseudonymised and processed separately as in Chapter IX and analysed without relating it to your person.
XI. Termination of Use of Our Services by the Customer
Should you leave VREEDA as a customer, all activity data from your devices will be anonymised so that it can subsequently be used for statistical analyses and optimisations of our offering. However, it can no longer be related to you. The legal basis for this anonymisation is our legitimate interest pursuant to Art. 6(1)(f) EU GDPR.
XII. IT Security, Privacy by Design and by Default
Without adequate technical architecture and up-to-date security measures, a platform like VREEDA cannot of course guarantee effective protection of your personal data. For this reason, we have used extensive security technologies based on generally recognised, current standards to protect your data and the platform. These include, among others, encryption of all communication paths between IoT devices, client apps and platform services, certificate-based authentication and authorisation of IoT devices and client apps, OAuth2 login, IP network segmentation, firewalls, over-the-air updates of all components, access rights management, and pseudonymisation.
Furthermore, we strictly follow the principles of Privacy by Design & by Default from the EU GDPR pursuant to Art. 25, i.e. the VREEDA platform was developed with the fundamental goal of the most privacy-friendly processes and default settings possible.
XIII. Commitment of VREEDA GmbH Employees to Confidentiality and Data Protection
All employees who have access to personal data on the IoT platform have been committed to confidentiality and data protection pursuant to EU GDPR and the new BDSG and are regularly trained in data protection.
Furthermore, VREEDA requires a corresponding confirmation of such a commitment from all platform partners and service providers for their respective employees.
XIV. Your Rights as a Data Subject
When using VREEDA's IoT platform, you naturally have your rights as a data subject pursuant to Art. 12 et seq. EU GDPR, in particular:
· Right to information
· Right of access
· Right to rectification
· Right to erasure (right to be forgotten)
· Right to restriction of processing
· Right to data portability
· Right to object
· Right to withdraw a data protection consent
· Right not to be subject to a decision based solely on automated processing in individual cases, including profiling
To assert your rights as a data subject with VREEDA, please use the e-mail address datenschutz@vreeda.com.
Furthermore, you have the right to lodge a complaint with a data protection supervisory authority at any time.
XV. Changes to Our Privacy Policy
We reserve the right to change our security and data protection measures to the extent required by technical developments. In these cases, we will also adapt our data protection notices accordingly. Please therefore note the current version of our privacy policy for our VREEDA IoT services.
In the event of extensive planned changes to our privacy policy, we will inform you in advance before they come into effect.
VREEDA GmbH, Essen, 01.07.2022
© 2024 · VREEDA GmbH · Designed across the globe · 🌏