Privacy Policy for the Homematic IP Smartphone App

I. Name and address of the controller, data protection officer

The controller (“we”) within the sense of the EU General Data Protection Regulation (“GDPR”) and other national data protection laws of the member states and other data protection regulations is:

eQ-3 AG, Maiburger Str. 29, 26789 Leer, Germany (hereinafter: “eQ-3”); see our legal disclosures.

Our data protection officer is:

Heiko Janssen, Lawyer
Janssen & Enninga Notar und Rechtsanwälte
Julianenburger Str. 19
26603 Aurich

Phone: 04941–97440

Email: datenschutz@eq-3.de

 

II. General information regarding data processing

 

1. Scope of the collection of personal data

(1) We will provide to you below information about the collection of personal data when you are using the Homematic IP App (hereinafter: “App”). Personal data are any and all data that can specifically identify you such as name, address, email addresses, user behaviour.

(2) We always collect and use the personal data of App users solely to the extent necessary to provide a functional App and our content and services. 

Users’ personal data are generally collected and used solely with the user’s consent. One exception is in those cases when, owing to factual circumstances, it is not possible to obtain the user’s prior consent and statutory provisions permit the processing of the data.

 

2. Legal grounds for the processing of personal data

(1) Provided that we obtain the user’s consent for the processing of personal data, point (a) of Art. 6 (1) GDPR serves as the legal grounds for the processing of personal data.

(2) During the processing of personal data that are required for the fulfilment of a contract to which the user is a party, the legal grounds are set forth in point (b) of Art. 6 (1) GDPR. The above provision also applies to processing operations required for the performance of measures prior to entering a contract.

(3) Insofar as personal data must be processed to comply with a lawful obligation to which our company is subject, point (c) of Art. 6 (1) GDPR serves as the legal grounds.

(4) In the event that vital interests of the user or another natural person require the processing of personal data, point (d) of Art. 6 (1) GDPR serves as the legal grounds.

(5) If the processing is required in the pursuit of a legitimate interest of our company or a third party and the interests, fundamental rights and fundamental freedoms of the user do not override such interest, point (f) of Art. 6 (1) GDPR serves as the legal grounds for the processing.

 

3. Erasure of the data and storage period

The user’s personal data will be erased or blocked as soon as the purpose of the storage ceases to exist. The data may continue to be stored if a continuation is required by European or national legislation or other regulations to which we as the controller are subject. Data will be blocked or erased as well whenever a storage period prescribed by the aforementioned standards expires unless the continued storage of the data is required for the conclusion or fulfilment of a contract.

 

4. Your rights

(1) You have the following rights vis-à-vis us with respect to the personal data concerning you:

  • Right of access
  • Right of rectification or erasure
  • Right to restrict processing
  • Right to object to processing
  • Right to data portability

(2) You also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data in our company.

(3) You have the right under data protection law to withdraw your declaration of consent at any time. Withdrawal of your consent is without prejudice to the lawfulness of processing that had previously been carried out with your consent prior to the withdrawal.

(4) Please send any requests and queries for information or objections to the data processing by email to datenschutz@eq-3.de or to the address shown in section I above.

 

III. Collection of personal data when using the App

 

1. Downloading the app

(a) Description and scope of the data processing

When the App us downloaded from an app store, the information required for the download is transferred to the specific app store, in particular user name, email address and customer number of your account, time of download and the unique device identification number. We do not have any control over this data collection, however, and are not responsible for it. We process the provided data to the extent necessary to download the App to your smartphone. They are not stored for any further purpose.

(b) Legal grounds for the data processing

The legal grounds for the data transfer to the app store and temporary storage of data are provided in point (b) of Art. 6 (1) GDPR insofar as this serves to fulfil the user contract, or otherwise for the pursuit of our legitimate interests in accordance with point (f) of Art. 6 (1) GDPR.

(c) Purpose of the data processing

Transfer to the app store and temporary storage of the data are necessary to fulfil the user contract with the user and to enable the user to download the App. These purposes also establish our legitimate interest in the data processing pursuant to point (f) of Art. 6 (1) GDPR.

(d) Storage period

The data will be erased as soon as they are no longer required for the purposes for which they were collected.

(e) Possibility of objection and erasure

The transmission to the app store and the temporary storage of the data are required for the download of the App. It is not possible for the user to object to these measures.

 

2. Use of the App

(a) Description and scope of the data processing

During your use of the App, i.e. when you use it to install, configure, control and operate the devices of the Homematic IP solution, we collect or use the following data:

 

  • ID of the anonymous user account (automatically assigned)
  • ID provided by Apple or Google of the device you are using
  • SGTIN (type code and serial number) of the Homematic IP access point (router that connects your device to the Homematic IP devices via the Homematic IP Cloud) 
  • PIN you have defined (to prevent unauthorised learning of other devices to an installation with an access point)
  • Configuration of the installation by the user; in particular all devices, their serial numbers (in the form of SGTINs), their settings and links, the definition of rooms, time schedules, and rules for actions
  • References for the integration of voice platforms (e.g. Amazon Alexa, Google Assistant) insofar as you use them
  • Time zone difference to Greenwich Mean Time (GMT) of the installation
  • Date and time of requests with the App or voice integration
  • Content of queries (status info, query, commands, changes)
  • Access status/HTTP status code
  • Version of the App used
  • Version of the operating system of your device
  • Type of your device (smartphone, tablet, manufacturer)
  • IP address of the access point and the device operating the App
     

These data are stored in the Homematic IP Cloud. An anonymous user account identified by a unique number (user account ID; hereinafter: “ID”) is created for you during the installation of the App. This ID is a unique identification number for your account and the devices you control with the App. Your full IP address is stored only temporarily, namely, for the duration of each use of the App. The ID and/or the IP address are not stored in conjunction with any other personal data of the user. During installation of the access point, its IP address is stored and assigned to the anonymous user account.

While the IP addresses of the devices and the access point are either not stored or are stored solely as described above, they are inevitably required for the technical operation of the App’s functions and are held as transient (visible) information in the memory of the computer systems of the Homematic IP Cloud. Moreover, there is also a function that devices can use to generate a “token” — a random, multi-digit identification number — for use during technical support. If the user gives a token to technical support, the service can access the data of the related installation for a limited period of time. This access does not impact the user’s anonymity.

We also store IP addresses and strictly technical log data in an upstream system of the Homematic IP Cloud — a “firewall” to ensure the security of the system — so that we can detect attempted attacks by “hackers” and initiate and control countermeasures. We reserve the right to store selected IP addresses if we have reason to suspect misuse, to carry out required evaluations and to pursue criminal and civil legal action.

(b) Legal grounds for the data processing

The legal grounds for the data processing are set forth in point (b) of Art. 6 (1) GDPR insofar as the processing serves the fulfilment of a use contract with the user and in other respects in the pursuit of our legitimate interest, particularly regarding the safety measures we take, in accordance with point (f) of Art. 6 (1).

(c) Purpose of the data processing

The collection of the above data is technically necessary so that we can offer to you the functions of our Homematic IP solution with the App and ensure its stability and security. The temporary storage of the IP address during processing is mandatory as the App and the access point would otherwise not be able to function.

 

Furthermore, the storage of the ID is also necessary so that the devices can be controlled using the App. The data processing serves the fulfilment of the contract for use. Moreover, the above purposes also constitute our legitimate interest in data processing pursuant to point (f) of Art. 6 (1) GDPR, in particular with regard to the storage and processing of IP addresses for security purposes.

(d) Storage period

The data will be erased as soon as they are no longer required for the purposes for which they were collected. This is the case during the recording of the data for provision of the App when the current session is terminated. The ID is marked as erased as soon as the user deletes his/her account with the delete function in the App. Continued access with or to the ID is subsequently no longer possible.

The IP addresses are held and stored transiently as long as there is a connection between the access point and the Cloud (i.e. for the duration of the use of the App). The access point data stored in the Cloud are erased by a reset of the access point. The IP addresses and strictly technical log data stored in the upstream system of the Homematic IP Cloud (firewall) for the security of the system are erased after a reasonable period of time.

(e) Possibility of objection and erasure

The collection of data for the provision and use of the App and the storage of the data are absolutely essential for the secure operation of the App. The use of an ID is mandatory for the identification of the anonymously managed user account as no other data are available for this purpose. The user’s objection to this use is consequently not possible.

 

3. Use and collection of location data

(a) Description and scope of the data processing

We use GPS and your IP address to collect your location data in anonymised form (subject to your consent) so that we can offer to you certain functions in the App (e.g. shading, interior air-conditioning). You cannot use these functions until you have given your consent in a pop-up that we may collect your location data in anonymised form using GPS and your IP address for the purposes of providing services.

(b) Legal grounds for the data processing

The legal grounds for the data processing are set forth in point (b) of Art. 6 (1) GDPR insofar as the processing serves the fulfilment of a use contract with the user and in other respects in the pursuit of our legitimate interest in accordance with point (f) of Art. 6 (1) GDPR.

(c) Purpose of the data processing

The use of the location data is necessary so that the user can utilise the related location-based functions that are owed pursuant to the contract.

(d) Storage period

Your location is transmitted to us solely if, when using the app, you utilise functions that we can offer to you only if we know your location. The data are erased as soon as they are no longer required to achieve the purpose for which they were collected or if you revoke our rights to use the data. Your location data are not stored after this time.

(e) Possibility of objection and erasure

You can allow or block this function in the settings of the App or your operating system at any time by deactivating the function in “Settings”. You are also welcome to contact our data protection officer or the address given in the legal disclosures to lodge your objection.  

 

4. Statistical evaluation of anonymous utilisation data

(a) Description and scope of the data processing

We use anonymised use data for the statistical evaluation of the App users' use behaviour. The anonymised utilisation data are not stored in conjunction with any other personal data of the users. 

(b) Legal grounds for the data processing

The legal grounds for the anonymisation and processing of utilisation data are based on our legitimate interest pursuant to point (f) of Art. 6 (1) GDPR.

(c) Purpose of the data processing

We use the anonymised utilisation data to optimise the App’s functions and to develop new or improved applications for the App. These purposes also constitute our legitimate interest in data processing pursuant to point (f) of Art. 6 (1) GDPR.

(d) Storage period

The anonymised utilisation data are erased as soon as they are no longer required for the purposes for which they were collected.

(e) Possibility of objection and erasure

Owing to the exclusive use of anonymous utilisation data, it is not possible for users to object.

 

IV. Updating this privacy policy

eQ-3 reserves the right to update this privacy policy as necessary for its adaptation to technical developments or because of the offer of a new service or product. You can always view the current version on the start page of the app store for your device.