APP Privacy Policy Tedee

TEDEE APP
Privacy Policy
of 25.01.2024
 
Table of contents
§ 1 Definitions. 2
§ 2 General information. 3
§ 3 What types of Personal Data we collect 3
§ 4 Why do we collect Personal Data. 4
§ 5 How long we keep Personal Data. 5
§ 6 What are the rights of Users. 5
§ 7 Do we transfer Personal Data to third countries. 7
§ 8 Do we pass on Personal Data to third parties. 7
§ 9 DPA.. 8
§ 10 Liability and copyright 8
§ 11 Change of policy. 9
 
 

  1. § 1 Definitions
    • Personal Data
      any information related to an identified or identifiable natural person (referred to as the “data subject”). A natural person is considered identifiable if they can be recognized, directly or indirectly, particularly through an identifier such as a name. In simple terms, Personal Data is any information that can be linked to an individual;
    • Controller
      a natural or legal person, public authority, agency, or other entity that, alone or jointly with others, determines the purposes and means of processing Personal Data when Tedee App is accessed by the User;
    • User/ You
      any natural person or legal person accessing the Tedee App for his/her personal or business needs respectively
    • Tedee App
      ‘Tedee App’ mobile application available on iOS and AndroidOS;
    • GDPR
      Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
    • Processor
      a natural or legal person, public authority, agency, or other entity that processes Personal Data of third parties on behalf of the Personal Data controller;
    • Privacy Policy
      this privacy policy;
  2. § 2 General information
    Tedee attaches particular importance to protecting the confidentiality and privacy of the information that Users entrust to us. One of our key responsibilities is to ensure an appropriate level of security and proper use of Users’ personal information collected through our website.
    The controller of Your Personal Data is:
    TEDEE Spółka z ograniczoną odpowiedzialnością entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw, 12th Commercial Division of the National Court Register under KRS number: 0000712451, NIP: 7010795542, REGON: 369188621 with its registered office in Warsaw, 02-127, Karola Bohdanowicza 21/57 Street, e-mail address: [email protected]
    The Controller informs that it performs the duties of the controller independently and has not appointed a Data Protection Officer for this purpose, within the meaning of Article 37 of the DPA.
    Tedee processes Users’ Personal Data for various purposes and therefore, depending on the specific purpose, different methods of collection, legal basis for processing, use, disclosure and retention periods may apply. We only collect Personal Data voluntarily provided to us by Users who wish to receive information or use our services.
    In this Privacy Policy, we describe how we collect and use Users’ Personal Data, as well as your rights and your ability to exercise control in relation to the data we hold. All capitalized terms in this Privacy Policy have the meanings given to them in § 2 Definitions.
    If you have any questions about how Tedee processes your Personal Data, we encourage you to contact us at: [email protected]
  3. § 3 What types of Personal Data we collect
    Tedee collects the following types of Personal Data of the User:
    email address;
    GPS location of the User and the User’s end-device;
    User’s IP Address, Date and time of access, operating system, language, country;
    user ID;
    telemetric data of the User’s device
    (jointly: “Personal Data”).
    The provision of your Personal Data to the Controller is entirely voluntary, although the provision of true and complete data may be necessary in order to perform a particular service or to achieve a specific purpose for Tedee or the User. For example, in the case of:
    registering a user account on the Tedee App – it is necessary to provide the Controller with the: (i) the User’s username (ID) and (ii) e-mail address in order to provide the User with the Tedee App user account service;
    beginning the use of the features of the Tedee App –   it is necessary to provide the Controller with the (i) GPS location of the User and the User’s end-device, (ii) user ID, (iii) telemetric data of the User’s device, (iv) language and (v) country in order to enable the use of such features for the User;
    integrating the User’s device with third-party smart home integrator (e.g. Amazon Alexa, Google Home) – it is necessary to provide the Controller with the: (i) the User’s username (ID) and (ii) e-mail address in order to facilitate the integration;
    monitoring the proper functioning of Tedee App and troubleshooting – it is necessary to provide the Controller with the: (i) User’s IP Address, (ii) Date and time of access, (iii) operating system, and (iv) email address in order to allow monitoring, troubleshooting and informing the User about any potential issues and important matters related to the Tedee App.
    (jointly: “Services”)
    Tedee only processes the Personal Data that the User provides to us himself/herself, with the exception of monitoring and troubleshooting data collected automatically in order to ensure continuous operationality of Tedee App.
  4. § 4 Why do we collect Personal Data
    Tedee collects Your Personal Data for the following purposes:
    registering a user account on the Tedee App
    the performance of contractual obligations, i.e.: to conclude and perform Tedee’s obligations under a contract for the provision of the Tedee App user account service – on the basis of Article 6(1)(b) of the GDPR and Article 6(1)(a) of the GDPR;
    beginning the use of the features of the Tedee App
    the performance of contractual obligations, i.e.: to conclude and perform Tedee’s obligations under a contract for the provision of the Tedee App features – on the basis of Article 6(1)(b) of the GDPR and Article 6(1)(a) of the GDPR;
    integrating the User’s device with third-party smart home integrator (e.g. Amazon Alexa, Google Home)
    facilitating User’s use of third-party integration via Tedee App – on the basis of Article 6(1)(a) of the GDPR;
    monitoring the proper functioning of Tedee App and troubleshooting
    allowing for continuous improvement of the Tedee App and general quality of service, as well as performance monitoring and data usage optimization – on the basis of Article 6(1)(f) of the GDPR.
    archiving
    compiling records of the processing of Personal Data, as required by the GDPR and separate legislation – on the basis of Article 6(1)(c) and Article 6(1)(f) of the GDPR;
    archiving of information for evidential purposes, in order to prove relevant facts – on the basis of Article 6(1)(c) of the GDPR.
  5. § 5 How long we keep Personal Data
    Tedee collects and processes (uses) Your Personal Data upon registration of the user account in Tedee App and continues to do so throughout the provision of the Services, and:
    until the contract for provision of services under the Tedee App Terms of Use and this Privacy Policy is expired;
    until the expiry of the limitation period for pecuniary/personal claims under the relevant legislation – with regard to the data of the Users;
    until the expiry of the obligation to keep records resulting from separate legal regulations, including tax law – with regard to the data of the Users,
    whichever of the above falls first.
  6. § 6 What are the rights of Users
    Pursuant to the provisions of Articles 15 – 20 of the GDPR, each User shall have the following rights regarding his/her Personal Data processed by Tedee:
    Right to request access to Personal Data (Article 15 GDPR)
    The data subject has the right to obtain confirmation from the Controller as to whether his or her Personal Data are being processed. If so, this person also has the right to access this data.
    If the User’s Personal Data is transferred to a third country or international organisation, the User has the right to be informed of the appropriate safeguards relating to the transfer.
    Right to rectification of Personal Data (Article 16 GDPR)
    The data subject has the right to request from the Controller the immediate correction of incorrect Personal Data relating to him/her.
    Furthermore, the user also has the right to request the completion of incomplete Personal Data, and this includes the possibility of providing an additional statement.
    The right to erasure (right to be “forgotten”) (Article 17 GDPR)
    The data subject has the right to request from the Controller that his/her data be deleted from the Controller’s database without delay.
    The Controller may choose not to delete data in the case of withdrawal of consent by the User, if consent was not the only primary motive for the processing of his/her data. This is particularly the case when the processing is necessary for the further fulfilment of the obligations arising from the contract between the User and the Controller, or when the processing is necessary for the fulfilment of a legal obligation incumbent on the Controller, for the performance of a public task by the Controller, for statistical purposes, or for the establishment, investigation or defence against claims.
    Right to restrict the processing of Personal Data (Article 18 GDPR)
    The data subject has the right to request the restriction of the processing of his/her data by the Controller in situations such as:
    questioning by the User of the correctness of his/her Personal Data (for a period of time allowing the Controller to verify its correctness);
    processing unlawfully, with the User objecting to the deletion of the data and instead requesting the restriction of processing;
    a situation in which the Controller no longer needs the Personal Data for the purposes of the processing, but they are still necessary for the User to establish, assert or defend claims;
    where the User has objected to the processing pursuant to Article 21(1) of the GDPR, until it is determined whether the legitimate grounds on the part of the Controller override the grounds for objection raised by the data subject.
    Right to data portability (Article 20 GDPR)
    The data subject shall, upon request, receive the Personal Data concerning him or her in a structured, commonly used machine-readable format (e.g. .doc, .docx, .pdf, etc.).
    This data has been provided to the Controller by the User and is processed by the Controller. Furthermore, the User has the right to request that this data be sent to another controller. He also has the right to transfer this data to another controller without hindrance from the Controller.
    Right to object (Article 21 GDPR)
    The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of Personal Data concerning him or her for the purposes of the legitimate interests of the Controller or by a third party, including profiling on the basis of these provisions.
    From the moment you lodge an objection until it is successful or unsuccessful, the Controller is not allowed to process your Personal Data unless he/she demonstrates that there are valid legitimate grounds for the processing, overriding your interests, rights and freedoms, or grounds for establishing, asserting or defending claims.
    In order to exercise any of the rights referred to above, please contact the Controller at the physical address indicated in § 1 of the Privacy Policy or at the e-mail address: [email protected], indicating in the body of the message the scope of the User’s request. The deadline for responding to the request is 30 days from the date of effective delivery of a correctly completed request.
    The Controller would like to point out that the exercise of the above rights is not absolute and does not apply to the same extent to all Personal Data processing activities undertaken by the Controller. Detailed information regarding the limitations referred to above is available in the text of the GDPR Regulation.
    In addition to being able to enforce their rights directly with the Controller, each User has the right to lodge a complaint with the supervisory authority for the protection of Personal Data, which is the President of the Office for the Protection of Personal Data, ul. Stawki 2, 00-193 Warsaw at: [email protected] or by means of the Electronic Submission Box (ESP) at: https://uodo.gov.pl/pl/83/153.
  7. § 7 Do we transfer Personal Data to third countries
    The Controller informs that the User’s Personal Data may be transferred outside the European Union and the European Economic Area to third countries, subject to all security requirements under the relevant legislation, including the GDPR.
    The maintenance of the aforementioned standards is due to the fact that Personal Data is only shared with those entities (processors) that:
    are established in a country for which the EU Commission has issued an implementing decision declaring an adequate level of protection for Personal Data (e.g. https://eur-lex.europa.eu/legal content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en);
    have concluded so-called standard contractual clauses (SCC) in their contracts with the Controller, which guarantee the level of Personal Data protection required by the applicable legislation;
  8. § 8 Do we pass on Personal Data to third parties
    The Controller informs that, in order to properly perform the services referred to in the Privacy Policy and the Terms of Use, the User’s Personal Data may be made available to third parties with whom the Controller cooperates, while complying with all security requirements arising from the relevant legislation, including the GDPR.
    User data may be made available to the following entities:
    Smart-home integration business partners (e.g. Amazon Alexa, Google Home, Fibaro, Homey, Krossbooking) – in the event that the User decides to integrate his/her devices with any third-party integrator via the Tedee App, the User may authorize Tedee to share his/her Personal Data with such integrator;
    To public administration bodies (e.g. law enforcement authorities, the President of UOKiK) – in the event of a request by an authorised body to provide the User’s Personal Data in order to fulfil a legal obligation;
    Suppliers of ancillary services (e.g. legal, accounting, IT service providers) – to the extent that these entities provide legal/human resources/IT support services to the Controller, with the requirement to minimise the Personal Data shared with these entities.
    IMPORTANT: The use of the User’s Personal Data by any third party smart home integration business partners is facilitated by way of personal data sharing on the grounds of User’s explicit consent. Since such integration does not constitute an entrustment as per Article 28 of the GDPR, the specific terms and conditions for User’s Personal Data processing are accessible via the respective privacy policy documentation made available by such third party integrators. It is advisable to always carefully review these documents prior to granting consent for sharing user personal data.
  9. § 9 DPA
    In the event that you (the User) act as a controller of Personal Data of any third parties, and, upon registration and setup of the Tedee App user account, such Personal Data is to be processed, transferred, disclosed or otherwise made available to the Controller through any use of the Tedee App, by accepting this Privacy Policy, You and Tedee are entering into, without any other action in this regard, a Data Processing Agreement, as defined in the Article 28 of the GDPR (DPA), in which You shall act as the controller of the entrusted Personal Data and Tedee shall act as the Processor of the Personal Data so received, the content of which is enclosed as Attachment No. 1 to this Privacy Policy.
    All capitalized terms used in the DPA shall have the same meaning as per defined for the purposes of this Privacy Policy.
  10. § 10 Liability and copyright
    The Controller informs that all content contained in this Privacy Policy is the exclusive property of the Controller and is protected by copyright, as defined in the Act on the Protection of Copyright and Related Rights.
    Any attempt to copy the contents of the Privacy Policy made without the Controller’s express written consent shall constitute an unlawful infringement of copyright, subject to legal sanctions provided for in the relevant provisions of commonly applicable law.
  11. § 11 Change of policy
    This Privacy Policy is effective as of 25 January 2024.
    Tedee retains the right to amend this policy from time to time in connection with the ongoing development of the Tedee App which shall be binding to You upon your acceptance of the newly published version thereof, displayed in the Tedee App.
     
    Archived versions of the Privacy Policy:
    Tedee privacy policy of 2 June 2023;
    Tedee privacy policy of 25 January 2025

     

Attachment No. 1
 
DATA PROCESSING AGREEMENT (DPA)
concluded in Warsaw, Poland
between:
the User,
hereinafter referred to as Controller
and
Tedee,
hereinafter referred to as the Processor,
hereinafter referred to collectively as the Parties and each individually as a Party.

  1. § 1 Subject of the contract
    In connection with the conclusion of the agreement for provision of the Services, the Controller entrusts the Processor with the processing of the Personal Data indicated in § 3 of the Agreement (Personal Data) (processing order).
    The Processor will process the Personal Data entrusted by the Controller solely for the purpose of performing the Services.
    The Processor shall be entitled to perform, in a non-automated manner, processing operations on Personal Data, such as: collecting, recording, organising, structuring, storing, modifying, retrieving, viewing, using, disclosing by transmission, dissemination or otherwise making available, restricting, erasing or destroying, but only to the extent necessary for the performance of this Agreement.
    The Parties agree that the Processor will not process the entrusted data in an automated manner, within the meaning of the provisions of Article 22 of the GDPR, including the use of profiling.
  2. § 2 Controller’s declarations
    The Controller hereby declares that, within the scope of this Agreement, it:
    acts as a controller of Personal Data, within the meaning of the GDPR Regulation;
    processes Personal Data in a fully lawful manner;
    the Personal Data was obtained in a lawful manner, for legitimate purposes;
    complies with the legal requirements to which the controller is subject;
    entrusting the processing of Personal Data does not violate any contractual provisions or third party rights.
    The Controller undertakes to cooperate with the Processor in the performance of the agreement, including providing the Processor with all information necessary for the performance of the agreement.
    The Controller undertakes to document in writing any instructions regarding the processing of Personal Data given to the Processor.
  3. § 3 Categories of data subjects and types of Personal Data
    The Processor shall process such types and kinds of Personal Data as are entrusted to it by the Controller in connection with the Controller’s use of the Services.
  4. § 4 Obligations of the Processor
    The Processor undertakes to process Personal Data only for the purpose for which they have been entrusted to it.
    The Processor processes Personal Data only on the documented instructions of the Controller, unless the obligation to process Personal Data arises from law, in which case the Processor shall inform the Controller of this legal obligation prior to the start of processing, unless such information is prohibited by law due to an important public interest.
    The Processor is obliged to inform the Controller immediately if, in its opinion, the Controller’s instruction is unlawful.
    The Processor declares that it has implemented appropriate technical and organisational measures to ensure the security of processing so as to provide a degree of security appropriate to the risk of infringement of the rights or freedoms of natural persons. The technical and organisational measures used by the Processor are described in § 5 of the Agreement.
    The Processor will authorise only those members of staff for whom access to the entrusted data is necessary and only to the extent necessary to process the Personal Data, with any person who gains access to the Personal Data under the authority of Processor committing to keep it confidential.
    The Processor declares that the personnel referred to above have been made aware of the regulations concerning the protection of Personal Data as well as the responsibility for protecting the data from unauthorised access, modification, loss, publication or acquisition.
    The Processor declares that has not appointed a Data Protection Officer. For all matters related to the GDPR and the processing of Personal Data, please contact [email protected].
    The Processor undertakes to cooperate with the Controller, taking into account the nature of the processing, in fulfilling the obligation to respond to the data subject’s requests for the exercise of his or her right to information, right of access, right of rectification, erasure, restriction of processing, data portability and right to object, by appropriate technical and organisational means. In the event of receipt of such a request, the Processor shall promptly communicate it to the Controller by e-mail to: [email protected], but no later than three days after receipt of the request.
    The Processor undertakes to cooperate with the Controller in fulfilling the obligations set out in Articles 32 to 36 of the GDPR, i.e. securing the data, reporting the data breach, notifying the data subjects of the breach, carrying out a data protection impact assessment and consulting the supervisory authority in advance regarding the entrusted data.
    The Processor undertakes to notify the Controller immediately, and no later than within 48 hours, of any identified data protection violations by e-mail to [email protected]
  5. § 5 Technical and organisational measures
    In connection with the performance of its obligations under this Agreement, taking into account the nature, scope, context and purposes of the processing of Personal Data, as well as the risk of violation of the rights and freedoms of natural persons, taking into account the degree of likelihood and consequences of their violation, the Processor declares that it has implemented the following technical and organisational measures in its organisation, within the meaning of the provisions of Article 32 of the GDPR;
    pseudonymisation and encryption of Personal Data;
    technical measures to ensure the confidentiality, integrity, availability and non-infringement of Personal Data processed in the systems;
    technical measures to ensure that can access Personal Data efficiently in the event of a technical or physical security incident;
    cyclical testing, analysis and evaluation of the technical and organisational measures used.
    The Processor declares compliance with at least the minimum data protection requirements, including:
    organisational measures:
    Implementation of documentation setting out the basis for the protection of Personal Data in the Processor’s company;
    Conduct initial and recurrent training on the protection of Personal Data processing among the Processor’s staff;
    application of physical access control to the Processor’s premises;
    technical measures:
    identification of secure premises where data can be processed;
    implementation of appropriate security measures, e.g. access control, locking of access to equipment;
    access control security measures:
    each member of the Processor’s staff has a separate, unique password to access the computer and IT system where the Personal Data is processed
    implementation of a policy of strong, cyclically changed access passwords
    implementing encryption of Personal Data processed on company mobile devices;
    remote access to Personal Data is centrally managed and monitored.
    operational security measures:
    the applications and IT systems used by the Processor to process Personal Data are regularly updated, verified and tested for vulnerability to cyber-attack, and protected with anti-virus software;
    implement measures to protect against unauthorised access to systems and the company network by means of a firewall;
    implementation of systems for network traffic monitoring, anomaly detection and rapid response.
    The Processor declares that it maintains a register of the categories of Personal Data processed covering the Personal Data entrusted for processing, in accordance with Article 30(2) of the GDPR, unless exempted from this obligation under Article 30(5) of the GDPR.
  6. § 6 Audit
    At the request of the Controller, the Processor will make available any information necessary to perform or demonstrate compliance with its obligations under the GDPR.
    The Controller reserves the right to inspect the performance of the contract, at least every 12 months and always in the event of a breach of data protection by the Processor.
    The Processor is obliged to duly cooperate with the Controller with regard to control activities. In particular, the Processor undertakes to:
    provide the Controller with documentation of the processing of Personal Data;
    provide the Controller with access to the premises where the Personal Data are processed;
    allow the Controller to make copies of documents related to the processing of Personal Data.
    The audit will be carried out after the Processor has been notified of the audit date. The audit will be conducted during the Processor’s working hours.
    The Processor undertakes to remedy the deficiencies found during the inspection and to implement the Controller’s recommendations within no more than 30 days. The Processor will promptly provide the Controller with information on the actions taken for this purpose.
    The Controller reserves the right to use third parties to carry out audits (auditors), as well as to carry out such audits itself.
  7. § 7 Sub-processing
    The Processor may entrust certain Personal Data operations for further processing under an agreement with another processor (sub-processing).
    The Processor undertakes to ensure that the entity entrusted with the further processing of Personal Data pursuant meets at least the same guarantees and requirements for the protection of Personal Data as those imposed on the Processor under the Agreement. In particular, this requirement concerns the obligation to provide sufficient guarantees for the implementation of appropriate technical and organisational measures so that the processing of meets the requirements of the GDPR.
    The Processor is obliged to inform the Controller immediately of any intended changes concerning the addition or replacement of other processors. The Controller has the right to object to the Processor’s intended changes.
    The processor may not entrust another processor with the execution of the contract in its entirety.
    The Processor shall be fully liable to the Controller for the subcontractor’s failure to perform its obligations under this agreement.
  8. § 8 Processing location
    The Processor declares that in connection with the execution of this Agreement, no transfer of data to a third country, within the meaning of the GDPR, will take place, either as a result of an action/inaction of the Processor or of further processors, unless otherwise required by the legal obligations imposed on the Processor by the relevant legislation.
    If the Processor intends to transfer Personal Data covered by this Agreement to a third country, the Processor shall inform the Controller of such intention in writing and allow the Controller to participate in the process of ensuring compliance of such transfer or termination of this Agreement.
  9. § 9 Duration
    The Agreement is concluded for an indefinite period of time and shall be binding until the agreement for provision of the Services is terminated or the associated Tedee App user account is expired or removed.
    Upon termination of the Agreement, the Processor shall, depending on the Controller’s request, return or delete the data entrusted to the Controller and delete any existing copies thereof, unless Union or Member State law requires the retention of Personal Data. Lack of providing such a decision upon termination of the Agreement shall result in automatic deletion of all Personal Data entrusted to the Processor.
  10. § 10 Final provisions
    The Agreement has been drawn up electronically, in a documentary form.
    Any changes and additions to the provisions of this contract shall be made in documentary form on pain of nullity.
    The Processor is not entitled to separate remuneration for the performance of its contractual obligations.
    The provisions of the Polish Civil Code, the GDPR, as well as the provisions of other laws regulating the protection of Personal Data shall apply to matters not covered by this Agreement.
    Any disputes that may arise in connection with the conclusion or performance of the contract shall be settled by the court having jurisdiction over the Controller’s registered office.