Privacy Policy for the Homematic IP Smartphone App

I. Name and address of the responsible party, data protection officer

The responsible party ("we") within the meaning of the EU General Data Protection Regulation ("GDPR") and other national data protection laws of the member states as well as other data protection regulations is:
eQ-3 AG, Maiburger Str. 29, 26789 Leer, Germany (hereinafter "eQ-3"), cf. our imprint.
Our data protection officer is:

Attorney Heiko Janssen
Janssen & Enninga Notary and Attorneys at Law
Julianenburger Str. 19
26603 Aurich
Tel.: +49 4941-97440
E-mail: datenschutz@eq-3.de

 

II General information on data processing

 

1. Scope of the collection of personal data

(1) In the following, we provide information about the collection of personal data when using the Homematic IP App (hereinafter "App"). Personal data is all data that can be related to you personally, e.g. name, address, email addresses, user behavior.

 

(2) As a matter of principle, we collect and use personal data of app users only to the extent necessary to provide a functional app and our content and services. 
The collection and use of users' personal data is regularly only carried out after the consent of the user. An exception applies in those cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by legal regulations.

 

2. Legal basis for the processing of personal data

(1) Insofar as we obtain the consent of the user for processing operations of personal data, Art. 6 (1) lit. a DSGVO serves as the legal basis for the processing of personal data.

 

(2) When processing personal data that is necessary for the performance of a contract to which the user is a party, Art. 6 (1) lit. b DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

 

(3) Insofar as processing of personal data is necessary for the fulfillment of a legal obligation to which our company is subject, Art. 6 (1) lit. c DSGVO serves as the legal basis.

 

(4) In the event that vital interests of the user or another natural person make processing of personal data necessary, Art. 6 (1) lit. d DSGVO serves as the legal basis.

 

(5) If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the user do not outweigh the first-mentioned interest, Art. 6 (1) lit. f DSGVO serves as the legal basis for the processing.

 

3. Data deletion and period of storage 

The user's personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other regulations to which we are subject as the responsible party. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

 

4. Your rights

(1) You have the following rights vis-à-vis us with regard to the personal data concerning you:

  • Right to information,
  • Right to correction or deletion,
  • Right to restriction of processing,
  • Right to object to processing,
  • Right to data portability.

 

(2) You also have the right to complain to a data protection supervisory authority about the processing of your personal data in our company.

 

(3) You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

 

(4) Please direct all requests for information, requests for information or objections to data processing by e-mail to datenschutz@eq-3.de or to the address given in I. above.

 

III. Collection of personal data when using the app

 

1. Download of the app

(a) Description and scope of data processing

When downloading the app in the App Store, the necessary information is transmitted to the respective App Store, i.e. in particular user name, e-mail address and customer number of your account, time of download and the individual device identification number. However, we have no influence on this data collection and are not responsible for it. We process this provided data insofar as this is necessary for downloading the app to your smartphone. They are not stored further beyond this. 

 

(b) Legal basis for the data processing

The legal basis for the transfer to the respective app store and the temporary storage of the data is, insofar as this serves the fulfillment of the usage contract with the user, Art. 6 para. 1 lit. b DSGVO, otherwise our legitimate interest Art. 6 para. 1 lit. f DSGVO.


(c) Purpose of the data processing

The transfer to the respective app store and the temporary storage of the data is necessary to fulfill the usage contract with the user and to enable the user to download the app. These purposes also constitute our legitimate interest in data processing pursuant to Art. 6 (1) lit. f DSGVO.

 

(d) Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.

 

(e) Possibility of objection and removal.

The transfer to the respective app store and the temporary storage of the data is mandatory for the download of the app. Consequently, there is no possibility of objection on the part of the user.

 

2. Use of the App

(a) Description and scope of data processing

When using the app, i.e., when you use it to install, configure, control and operate the devices of the Homematic IP solution, we collect or use the following data:

  • ID of the anonymously managed usage account (is assigned automatically),
  • ID provided by Apple or Google of the end device you are using,
  • SGTIN (type code and serial number) of the Homematic IP access point (router that connects your end device to the Homematic IP devices via the Homematic IP Cloud),  
  • PIN chosen by you (to prevent unauthorized learning of further end devices to an installation with an access point),
  • Configuration of the installation at the user's site; in particular, all devices, their serial numbers (in the form of SGTINs), their settings and associations, the definition of rooms, time programs, and rules for actions,
  • References for integration of voice platforms (e.g. Amazon Alexa, Google Assistant), if used by you,
  • Time zone difference from Greenwich Mean Time (GMT) of the installation,
  • Date and time of requests with the app, or voice integration,
  • Content of requests (status info, query, commands, changes),
  • Access status/HTTP status code,
  • Version of the app used,
  • Version of the operating system of your end device,
  • Type of your end device (smartphone, tablet, manufacturer),
  • IP address of the access point and the end device operating the app.

This data is stored in the Homematic IP Cloud. When the app is installed, an anonymous usage account is set up for you, for which a unique number (usage account ID; hereinafter "ID") is created. This ID is a unique identification number for your account and the end devices you control with the App. Your full IP address is stored only temporarily, namely for the duration of the respective app usage. A storage of the ID and/or the IP address together with other personal data of the user does not take place. When the access point is installed, its IP address is stored and assigned to the anonymous user account.

While the IP addresses of the end devices and the access point are not stored, or only as described above, they are inevitably required for the technical operation of the app's functionalities and are kept transient (visible) for this purpose in the memory of the computer systems of the Homematic IP Cloud. A function is also available for technical support by means of which a "token" - a random, multi-digit identification number - can be generated with the end device. When the user gives a token to technical support, they can access the data of the corresponding installation for a limited period of time. The anonymity of the user is not removed by this access.

In a pre-system of the Homematic IP Cloud - a "firewall" for the security of the system - we also store IP addresses and purely technical log data in order to detect attempted attacks by "hackers" and to be able to initiate and control defensive measures. We reserve the right to store selected IP addresses in the event of suspected misuse, in order to carry out appropriate evaluations, as well as to pursue criminal and civil legal action.

 

(b) Legal basis for data processing

The legal basis for data processing is, insofar as this serves the fulfillment of the usage contract with the user, Art. 6 para. 1 lit. b DSGVO, otherwise, in particular with regard to the security measures taken by us, our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO.

 

(c) Purpose of the data processing

The collection of the above data is technically necessary for us to offer you the functions of our Homematic IP solution with the app and to ensure stability and security. The temporary storage of the IP address is mandatory during processing to enable the function of the app and the access point.
Furthermore, the storage of the ID is also necessary to enable the control of the end devices by the app. The data processing serves the fulfillment of the usage contract. In addition, the above purposes also constitute our legitimate interest in data processing pursuant to Art. 6 (1) lit. f DSGVO, in particular with regard to the storage and processing of IP addresses for security purposes.

 

(d) Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the App, this is the case when the respective session has ended. The ID is marked as deleted as soon as the user deletes his account through the corresponding function in the app. Further access with or to the ID is no longer possible after this.
The IP addresses are kept and stored transiently as long as there is a connection between the access point and the cloud (i.e., for the duration of the use of the app). The access point data stored in the cloud is deleted by resetting the access point. The IP addresses and purely technical log data stored in the pre-system of the Homematic IP Cloud (firewall) for the security of the system are deleted after a reasonable period of time.

 

(e) Possibility of objection and removal.

The collection of data for the provision and use of the app and the storage of the data is mandatory for the secure operation of the app. The use of an ID is mandatory for the identification of the anonymous managed usage account, as no other data is available for this purpose. Consequently, there is no possibility of objection on the part of the user.


3. Use and collection of location data

(a) Description and scope of data processing

In order to be able to offer you certain functions of the app (e.g. shading, room climate), we collect your position data by means of GPS and your IP address in anonymized form, if you allow this. You can only use these functions after you have agreed via a pop-up that we can collect your location data by means of GPS and your IP address in anonymized form for the purposes of service provision.

 

(b) Legal basis for data processing
The legal basis for data processing is, insofar as this serves the fulfillment of the usage contract with the user, Art. 6 para. 1 lit. b DSGVO, otherwise our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO.

 

(c) Purpose of the data processing

The use of the location data is necessary to enable the user to use the corresponding location-based functionalities as contractually owed.

 

(d) Duration of storage

Your location is only transmitted to us if you make use of functions when using the app, which we can only offer you if we know your location. The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected or if you revoke the rights to use the data. Your location data will not be stored beyond this.

 

(e) Possibility of objection and elimination

You can allow or revoke this function in the settings of the app or your operating system at any time by unsubscribing in under "Settings". You are also welcome to contact our data protection officer or the address given in the imprint to object.  

 

4. Statistical analysis of anonymous usage data

(a) Description and scope of data processing

We use anonymized usage data for the statistical evaluation of the app users' usage behavior. The anonymized usage data is not stored together with other personal data of the users. 

 

(b) Legal basis for data processing

The legal basis for the anonymization and processing of usage data is our legitimate interest pursuant to Art. 6 (1) lit. f DSGVO.

 

(c) Purpose of the data processing

We use the anonymized usage data to optimize the functionalities of the app and to develop new or improved applications of the app. These purposes are also our legitimate interest in data processing according to Art. 6 para. 1 lit. f DSGVO.

 

(d) Duration of storage

The anonymized usage data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.

 

(e) Possibility of objection and removal.

Due to the exclusive use of anonymous usage data, there is no possibility for the user to object.

 

IV. Updating of this privacy policy

 

eQ-3 reserves the right to update this data protection declaration as necessary to adapt it to technical developments or in connection with the offer of new services or products. You can always view the current version on the start page of the respective app store.