Data protection at VREEDA
Dear customer, thank you for using the VREEDA services and your interest in our data protection information. So that you can really use all the advantages that your smart devices offer, we have to process some data from you and your devices. It goes without saying that we operate our activities in the app and in the backend systems of our Internet of Things (IoT) platform in accordance with the laws on data protection and data security.
It is of the utmost importance to us that you feel comfortable using our products and that you can always determine which data you want to share - because it is only your data. Our philosophy is that all data from smart, digital products should always be used transparently and in the interests of the user. We would like to gain your trust through the greatest possible transparency and enable you to get the best out of your smart products for yourself. Because we are convinced that data protection and innovative digital products and services do not have to be a contradiction in terms. We therefore see data protection and the transparent use of data to your advantage as a VREEDA quality feature. You can rely on us!
With the following data protection declaration, we would like to inform you in detail about which personal data we may collect from you and how we specifically deal with it.
This data protection declaration applies in addition to the general data protection provisions for apps, which you can view on the providing app platforms (Apple iOS App Store, Google PlayStore).
In order to be able to explain everything to you in detail, we first need a few definitions of terms.
I. Definitions of terms
· Personal Data: information relating to an identified or identifiable natural person.
· Platform: umbrella term for the summarized IoT systems of VREEDA GmbH (for the sake of simplicity we will only speak of “VREEDA” in the following), in particular the app, the end devices and the backend system. The IoT services are provided via the platform.
· App: All apps developed and operated by VREEDA that enable users to install, configure, control and monitor IoT devices and use services and connect to the platform's back-end system.
· IoT devices / end devices: Household appliances or products manufactured by hardware manufacturers that use an additional integrated component to record data and, connected to a wireless network, transmit it to the platform.
· Platform partners: VREEDA partners who integrate their components or services into VREEDA's IoT services.
· Service providers: Carefully selected and commissioned service providers or service partners who perform tasks and services for VREEDA (e.g. client developers).
· User: The respective user of VREEDA's IoT services.
II. Name and address of the person responsible for the processing
The person responsible within the meaning of the EU GDPR, other data protection laws applicable in the member states of the European Union and other provisions of a data protection nature is:
III. Processing of personal data provided by you directly
Basically for VREEDA, the protection of your personal data is of the utmost importance to us. Therefore, we do not collect any personal data about our platform or devices connected to the IoT services without your knowledge. You alone decide whether you want to disclose this data to us or not, for example in the context of a registration, survey, installation / configuration or similar. Depending on the specific processing and data category, we use Article 6 (1) (a) GDPR (consent) or Article 6 (1) (b) GDPR (contract initiation, contract fulfillment) as the legal basis for processing.
We generally use the personal data you provide directly to answer your request, to process your order, to carry out system maintenance and configurations or to provide you with access to special information or offers, e.g. via e-mail newsletters.
VREEDA may have individual tasks and services carried out by carefully selected and commissioned service providers and platform partners who have their headquarters strictly within the EU or the EEA (since this is the optimal processing space from a data protection point of view), and only to the extent that it is is necessary for the implementation of the contract to provide our services or for the further development and maintenance of VREEDA's IoT services. Should it ever be really necessary to exchange your data with a partner or service provider who is based outside the EU or the EEA, we do this as data-sparingly as possible and only with the greatest possible contractual security.
As part of the relationships with our partners and service providers, data protection agreements corresponding to the legal requirements - e.g. order processing contracts in accordance with Art. 28 EU GDPR - are bindingly concluded with these contractual partners to create an appropriate level of data protection, as well as appropriate data protection guarantees in accordance with Art. 44-46 EU- GDPR agreed in the event that personal data must be transferred to third countries outside the EU or the EEA.
A transfer of certain data to our platform partner to ensure a function required for one of our services - for example the confirmation of a certain use of an end device in order to be able to use a special service at the platform partner - takes place on the basis of Art. 6 Para . 1 lit. b EU GDPR (performance of contract). Any further transfer of your data to our partners - for example for advertising purposes or for other purposes not required to fulfill the contract - will only take place if you have expressly consented to this transfer. We will point this out to you at the appropriate point and then ask you for your explicit consent, which can be revoked at any time for the future. This ensures that the requirements of Article 7 EU GDPR and Article 6 (1) (a) with regard to compliant consent are the legal basis.
Personal data that are no longer required will be deleted immediately if there is no longer a business purpose and there is no other legal basis in accordance with Art. 6 Para. 1 lit. correspond to.
IV. Processing of access data
With every interaction with our app and the devices, access and system data are transmitted and, if necessary, saved. A data record can contain the following content and is generally fully encrypted on its way through the Internet:
· ID and access token of your user account
· IP address of your device (smartphone)
· ID of your IoT devices
· MAC address of your IoT devices
· Status of your IoT devices (on / off, color, scenes, online status, time of last change, etc.)
· Configuration of your IoT devices (serial number, name, time profiles, public fingerprint of the certificate, hardware / firmware version)
· Date and time of interaction
· Version of the app
· Operating system of the terminal device
· System data from the app insights analyzes (see below)
These data stored by us are used exclusively for the technical fulfillment of the IoT services offered and evaluated for statistical purposes, or for maintenance, protection and improvement of our services, the development of new services and the protection of VREEDA IoT and our users.
The legal basis for this processing is usually our legitimate interest in accordance with Art. 6 Paragraph 1 lit.f GDPR, as well as, in cases in which we need this data for the provision of a contractually guaranteed service, the fulfillment of the contract in accordance with Art. 6 Paragraph 1 lit.b EU GDPR
V. App Insights
In order to expand the range of functions of our offer in the app, to make it more convenient for you to use it and to recognize and correct possible errors at an early stage, we use so-called app insights, among other things. With the help of this technology, which can also contain certain personal data about you at the app level, data can be stored on your device when you call up our app and diagnostic data, e.g. about errors and crashes of the app, can be anonymously transmitted to our backend system, ie a reference to you is no longer possible due to the data received in the backend system.
The transferred data from the app insights can contain the following, anonymized content:
- Frequency of use of the app (daily, weekly, monthly)
- Frequency and duration of use daily
- End device of use (smartphone model) and its software version
- country of use
- Language setting used on the smartphone
- Software version of the VREEDA app used
- Number and error messages for failed login attempts
- Number and error messages in the event of failed device WLAN integration
- Number & error messages for failed connections when controlling the devices
The legal basis for this processing is our legitimate interest in accordance with Article 6 (1) (f) GDPR.
VI. Recording of the device activity of the IoT devices
VREEDA and commissioned service providers will record the activities of the IoT devices registered by you in the platform as this is necessary for the provision of the respective service.
This process records all activity of the device as well as physical measured values such as luminous colors, brightness, power consumption etc. and saves these states and their changes. This activity data is particularly important for us to be able to offer you an optimal user experience and to enable you to use the full range of VREEDA services, especially digital services.
The legal basis for this processing of personal data in the context of this activity recording is the fulfillment of the contract in accordance with Article 6 (1) (b) EU GDPR.
Personal data that you provide to us or that arise when using our services (e.g. activities of the IoT devices you have registered on the platform) are also continuously pseudonymised and then analyzed in a separate data store in order to develop further attractive services for our users be able. The development of new services is an important part of VREEDA's range of services as an innovative "interaction platform " that should enable the user to provide the user with added value from smart devices that goes beyond standard functions. The pseudonymised data will not be traced back to your person.
VII. Collection and processing of voluntarily provided additional data
After the VREEDA system has been put into operation, you will be asked in the IoT platform to provide the necessary data for managing your user account (e-mail address, password) as well as additional data e.g. user name, first name, surname and address. Providing this data is voluntary and can be skipped at any time, the information can be changed or deleted in the app at any time.
The legal basis for this processing is your explicit consent in accordance with Article 6 (1) (a) GDPR.
(1) User access
The additional data collected is available to you.
(2) Access by VREEDA and platform partners
This additional information will be processed from the start of the use of services for which it is required in order to provide you with these services.
VIII. Device configuration, protocol data
The IoT platform automatically creates the system configurations required for the operation of the system, such as device names and user assignments, scenarios, time profiles, etc., and saves them securely in the IoT central system and in the app on your smartphone / tablet. The system configuration of the devices is backed up in the VREEDA data center and is only used for any data recovery that you initiate yourself.
The central system and the IoT app record the status updates of the devices in a special database.
The transmission of control commands from the central system and the communication between it and your IoT devices and the app are of course encrypted and authenticated.
The legal basis for this processing is the fulfillment of the contract in accordance with Article 6 (1) (b) GDPR.
(1) User access
Access by you to restore data is secured. Any such data recovery will be initiated by you, e.g. if you reset devices that have already been connected and reintegrate them into the system.
(2) Access by VREEDA
VREEDA analyzes and evaluates the settings of your account in the central system and control commands that arise when connecting via the VREEDA data center in order to be able to intervene in the event of a malfunction or technical problems, in order to guarantee the availability of the IoT solution.
(3) Access by platform partners
Access by authorized platform partners only takes place when necessary for error analysis and troubleshooting.
(4) Deletion of the data
Log data that are no longer required as well as outdated configuration data are deleted immediately if there is no longer a business purpose and there is no other legal basis - e.g. statutory retention requirements - in order to comply with the principle of data economy in accordance with Art. 5 EU GDPR.
IX. Pseudonymized data to develop new services
The legal basis for this processing is the fulfillment of our contract with you in accordance with Article 6 Paragraph 1 lit. b GDPR.
X. Personal value-added offers
If you also give us your explicit consent, we will be able to make you value-added offers from our partners based on your individual use of the VREEDA services . In order to be able to do this, we have to link your data, which was processed pseudonymously for analysis purposes up to the point in time you gave your consent, back to your person. From the time you give your consent, we will no longer pseudonymise your personal data, as described in Chapter IX, but will save and analyze it on a personal basis.
However, we will never pass on your personal data to third parties without further explicit consent.
The legal basis for this processing is your explicit consent in accordance with Article 6 Paragraph 1 lit. a GDPR.
If you revoke your consent, your personal data will be pseudonymised and processed separately from this point onwards, as described in Chapter IX, and will be analyzed without relating it to your person.
If you leave VREEDA as a customer, all activity data from your devices will be anonymized so that they can then be used for statistical analyzes and optimization of our offer. However, they can no longer be related to you. The legal basis for this anonymization is our legitimate interest in accordance with Article 6 Paragraph 1 lit. f EU GDPR. XI. Termination of Customers use of our services
XII. IT security, privacy-friendly design and default settings
Without an appropriate technical architecture and current security measures, a platform like VREEDA cannot guarantee effective protection of your personal data. For this reason, we have used extensive security technologies in accordance with generally recognized, current standards to secure your data and the platform. These include encryption of all communication paths between IoT devices, clients (apps) and platform services, certificate-based authentication and authorization of IoT devices and clients (apps), OAuth2 login, IP network segmentation, firewalls, over -the-air updates of all components, access rights management, pseudonymization.
In addition, we strictly follow the principles of Privacy by Design & by Default from the EU-GDPR according to Art. 25, i.e. the VREEDA platform was developed with the aim of making processes and default settings as data protection-friendly as possible.
XIII. Commitment of VREEDA GmbH employees to confidentiality and data protection
All employees who have access to personal data on the IoT platform have been newly committed to confidentiality and data protection in accordance with the EU GDPR and BDSG and are regularly trained in data protection.
In addition, VREEDA demands a corresponding confirmation of an undertaking of the same kind from all platform partners and service providers for their respective employees.
XIV. Your rights as a data subject
When using the VREEDA IoT platform, you are of course entitled to your rights as a data subject in accordance with Art. 12ff. EU-GDPR to, in particular
· Right to information
· Right of access
· Right to rectification
· Right to erasure (right to be forgotten)
· Right to restriction of processing
· Right to data portability
· Right to object
· Right to withdraw consent under data protection law
· Right to not exclusively automated decision in individual cases including profiling
In order to assert your data subject rights against VREEDA, please use the email address firstname.lastname@example.org
In addition, you have the right to lodge a complaint with a data protection supervisory authority at any time.
XV. Change of our data protection regulations
We reserve the right to change our security and data protection measures insofar as this becomes necessary due to technical developments. In these cases, we will also adapt our information on data protection accordingly. Please therefore note the current version of our data protection provisions for our VREEDA IoT services.
In the event of extensive planned adjustments to our data protection regulations, we will inform you in advance of the changes being made.
VREEDA GmbH, Essen, July 01st, 2022