iHaus AG: Privacy Statement for ihaus.com, ihaus.de, the iHaus Apps as well as magazin.ihaus.com and support.ihaus.de (as of June 2018)

A. Name and address of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States as well as other data protection provisions is
iHaus AG
legally represented by the Chairman of the Executive Board Mr. Robert Klug
Siedlerstr. 2
85774 Unterföhring
Germany
Phone: +49-89-995 90 590
Email: datenschutz@ihaus.de
Website: https://ihaus.com

B. Name and address of the data protection officer

The data protection officer of the data controller is:
IDR Weller
Mr. Sascha Weller
Ziegelbräustraße 7
85049 Ingolstadt
Germany
Phone: +49-0841-885 167 15
Email: ra-weller@idr-datenschutz.de
 

C. General information on data processing

I. Scope of processing of personal data

We only process personal data of our users if this is necessary to provide a functioning website  or to establish contact between the user and us via this website. The processing of personal data of our users usually only takes place with the user’s consent. An exception applies in those cases in which prior consent cannot be obtained for factual reasons and/or the processing of the data is permitted by provisions of statutory law.

II. Legal basis for the processing of personal data

To the extent we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 subpara. 1 lit. a GDPR serves as a legal basis.
If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 subpara. 1 lit. b GDPR serves as a legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
To the extent the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 subpara. 1 lit. c GDPR serves as a legal basis.
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para.1 subpara. 1 lit. d GDPR serves as a legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first interest, Art. 6 para. 1 subpara. 1 lit. f GDPR serves as a legal basis.

III. Data erasure and storage time

The personal data of the data subject will be erased or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for in EU or Member State regulations, laws or other provisions to which the data controller is subject. The data will also be blocked or deleted if a storage period prescribed in one of the aforementioned provisions expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

D. Data processing in detail

I. Provision of the website and creation of log files

1. Description and scope of data processing
Every time you visit our website (this basically refers to ihaus.com, ihaus.de, magazin.ihaus.com and support.ihaus.de), our system automatically collects data and information from the computer system of the calling computer.
 
The following data is collected:
(1) Information about the browser type and version used
(2) The user’s operating system and user interface
(3) Language and version of the browser software
(4) The user’s internet service provider
(5) The IP address of the user
(6) Date and time of access
(7) Time zone difference to Greenwich Mean Time (GMT)
(8) Content of the request (specific page)
(9) Access Status/HTTP Status Code
(10) The amount of data transferred in each case
(11) Websites from which the user’s system reaches our website
(12) Websites accessed by the user’s system through our website
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user, unless the user is a registered user of our web shop (see Section VI.) or a user with an iHaus app account (see Section VII.).

2. Legal basis for the processing of personal data

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 subpara. 1 lit. f GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be made available to the user’s computer. To that effect the IP address of the user must remain stored for the duration of the session.
The data is stored in log files to ensure the functionality of the website. In addition, the data serves us to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
Our legitimate interest in data processing therefore results from Art. 6 para. 1 subpara. 1 lit. f GDPR.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of collection of data for the provision of the website, this is the case when the respective session has ended.
If the data is stored in log files, this is the case after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or alienated, so that an identification of the calling client is no longer possible.

5. Possibility of objection and removal

The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

II. Use of cookies

1. Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored in the internet browser or by the Internet browser on the user’s computer system. If a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables a unique identification of the browser when the website is called up again.
We use cookies to make our website more user-friendly. Certain elements of our website require that the calling browser can be identified even after a page change.

The following data is stored and transmitted in the cookies:
(1) Language settings
(2) Items in a shopping cart
(3) Log-in information
We also use cookies on our website which enable an analysis of the user behavior on our website. In this way, the following data can be transmitted:
(1) Entered search terms
(2) Frequency of page views
(3) Use of website functions
The user data collected in this way is pseudonymized by technical precautions. Therefore, it is no longer possible to assign the data to the calling user. The data will not be stored together with other personal data of the user.
When accessing our website, the user is informed about the use of cookies for analytical purposes and his or her consent to the processing of personal data used in this context is obtained. In this context, reference is also made to this privacy statement.

2. Legal basis for the processing of personal data

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 subpara. 1 lit. f GDPR.
The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 subpara. 1 lit. f GDPR.
The legal basis for the processing of personal data using cookies for analysis purposes is Art. 6 para. 1 subpara. 1 lit. a GDPR.

3. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For this it is necessary that the browser is recognized even after a page change.

We need cookies for the following applications:
(1) Shopping cart
(2) Remembering language settings
(3) Remembering search terms

The user data collected by technically necessary cookies are not used to create user profiles.
The analysis cookies are used to improve the quality of our website and its content. Through the analysis cookies we learn how the website is used and can thus continuously optimize our offer.
For these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6 para. 1 subpara. 1 lit. f GDPR.

4. Duration of storage / possibility of objection and removal

Cookies are stored on the user’s computer and transmitted to our site. Therefore, users also have full control over the use of cookies. By changing the settings in his internet browser, the user can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website in full.

III. Newsletter

1. Description and scope of data processing

You can subscribe to a free newsletter on our website. When registering for the newsletter, the data from the input mask is transmitted to us. This applies to the following data:

(1) First name (optional)
(2) Family name (optional)
(3) Form of address [Mr. / Mrs.] (optional)
(4) Email address

In addition, the following data is collected upon registration:
(1) IP address of the calling computer
(2) Date and time of registration

The user’s consent is obtained for processing the data as part of the technical registration process and reference is made to this privacy statement.
In connection with data processing for the dispatch of newsletters, no data is passed on to third parties. The data will be used exclusively for sending the newsletter.

2. Legal basis for the processing of personal data

The legal basis for the processing of data after registration for the newsletter by the user is Art. 6 para. 1 subpara. 1 lit. a GDPR.

3. Purpose of data processing

The collection of the user’s email address serves to subsequently send the newsletter.
The collection of other personal data as part of the technical registration process serves to prevent misuse of the services or the email address used.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. The name and email address of the user will therefore be stored for as long as the subscription to the newsletter is active.
Other personal data collected during the technical registration process will normally be deleted within a period of seven days.

5. Possibility of objection and removal

The subscription to the newsletter can be cancelled by the user at any time. For this purpose, there is a corresponding link in every newsletter.
By doing so, it is also possible to revoke the consent to the storage of personal data collected during the technical registration process.

IV. Contact buttons/forms and email contact / telephone contact

1. Description and scope of data processing

On our website there are contact buttons (with “Mail-To”-function), which can be used by the user for the electronic contact to us by email. By pressing the contact button, the draft of an email is opened within the user’s standard email client, in the address field of which the email address provided by us for the purpose of establishing contact is already entered.

When a contact button is pressed, the following data is collected:
(1) IP address of the calling computer
(2) Date and time of the call

In the event that the user subsequently sends an email to us, the user’s personal data transmitted with the email will be stored.
Personal data of the user will be stored to the same extent if the user contacts us via one of the telephone numbers provided on our website and transmits personal data to us by telephone (if necessary also using a telephone contact button).
Alternatively, it is also possible to contact us via one of the contact forms provided on our website, e.g. for the purpose of communicating about a possible cooperation as an iHaus Business Partner. In this case, the data entered in the input mask will be transmitted to us and stored.

This data is:
(1) First name
(2) Family name
(3) Telephone number
(4) Email
(5) Corporation
(6) if applicable, the contents of the user’s request

At the time the message is sent, the following data is also stored:

(1) The IP address of the user
(2) Date and time the message was sent

For the processing of the data, the user’s consent is obtained and reference is made to this privacy statement within the sending process.
In all the cases mentioned above, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.

2. Legal basis for the processing of personal data

The legal basis for the processing of data is Art. 6 para. 1 subpara. 1 lit. a GDPR to the extent the user has provided his or her consent.
The legal basis for the processing of data transmitted in the course of sending an email or made known to us by telephone is Art. 6 para. 1 subpara. 1 lit. f GDPR.
If the contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 subpara. 1 lit. b GDPR.

3. Purpose of data processing

The processing of the personal data transmitted by the user serves us solely to process the establishment of a contact. This also constitutes the necessary legitimate interest in the processing of the data.
The other personal data processed during the sending process serves to prevent misuse of the contact button/form and to ensure the security of our information technology systems.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. This is the case for the personal data entered into the input mask of the contact form and the data transmitted by email or telephone, when the respective conversation with the user has ended. The conversation is terminated when it can be assumed according to the circumstances that the issues in question have been finally clarified.
The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

5. Possibility of objection and removal

The user has the possibility to revoke his consent to the processing of personal data at any time. In such a case, the conversation cannot be continued.
The user can revoke his consent and object to the storage of personal data at any time by sending an email to privacy@ihaus.com or by writing to our address (iHaus AG, Siedlerstr. 2, 85774 Unterföhring, Germany).
All personal data stored in the course of contacting us will be deleted in this case.
The foregoing does not apply on an exceptional basis if there is a concrete suspicion that the user in question might have acted illegally in the context of making contact (e.g. in the case of offensive or other statements that violate personal rights) and a continued storage of the data concerned is at least directly permitted by Art. 6 para. 1 subpara. 1 lit. f GDPR.

V. Purchase of goods or services via the iHaus web shop

1. Description and scope of data processing

Our website contains a web shop through which users can carry out e-commerce transactions, i.e. obtain goods and services offered by us (in particular installation services for smart home devices). The data is entered by the user into an input mask and transmitted to us and stored. The following data is collected during the registration process:

(1) First name
(2) Family name
(3) Email
(4) Ordered goods or services
(5) Billing address
(6) Different delivery address, if applicable
(7) Payment details (credit card, PayPal account or bank account details)

In addition, the following data is collected upon registration:

(1) IP address of the calling computer
(2) Date and time of registration

This data will not be passed on to third parties unless one of the following exceptions applies:

Furthermore, we use the data transmitted by the user during the registration process to provide users who have already purchased goods or services from us with advertising information about other goods or services sold by us within the framework of advertising to existing customers – to the extent otherwise permitted by law.

2. Legal basis for the processing of personal data

The legal basis for the processing of data collected during the registration process is Art. 6 para. 1 subpara. 1 lit. b GDPR.
The legal basis for passing on data to SCHUFA Holding AG is Art. 6 para. 1 subpara. 1 lit. f GDPR.
The legal basis for advertising to existing customers is Art. 6 para. 1 subpara. 1 lit. f GDPR.

3. Purpose of data processing

The processing of personal data transmitted by the user serves the conclusion and fulfilment of a contract and, in the case of advertising to existing customers, also our entrepreneurial interest in the sale of further goods and services. These also constitute the necessary legitimate interests in the processing of the data.
The passing on of personal data to SCHUFA Holding AG and the obtaining of credit information is also carried out in order to minimize credit risks within the framework of the conclusion and implementation of the contractual relationship.
The other personal data processed during the technical sending process serve to prevent misuse of our web shop functionality and to ensure the security of our information technology systems.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. As already mentioned, we will continue to store the data collected beyond the actual processing of the eCommerce transaction for the purpose of providing advertising to existing customers. Data from users who have not purchased goods or services from us over a period of several years will be deleted by us unless an obligation to continue to store the data exists anyway due to contractual or statutory law obligations.
The additional personal data collected during the technical sending process will be deleted after a period of seven days at the latest.

5. Possibility of objection and removal

The user has the option at any time to object to the continued storage of his personal data for the purpose of providing advertising to existing customers.

VI. Registration for the web shop

1. Description and scope of data processing

On our website we offer users the opportunity to register for our web shop by providing personal data (registration of a shop account). The data is entered by the user into an input mask and transmitted to us and stored. The data will not be passed on to third parties. The following data is collected during the registration process:

(1) User names
(2) Email

At the time of registration, the following data is also stored:

(1) The IP address of the user
(2) Date and time of registration
In the course of the registration process, the user’s consent to the processing of this data is obtained.

2. Legal basis for the processing of personal data

The legal basis for the processing of data is Art. 6 para. 1 subpara. 1 lit. a GDPR.
If the registration serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 para. 1 subpara. 1 lit. b GDPR.

3. Purpose of data processing

A registration of the user is necessary for the provision of certain contents and services on our website, this in particular in order to be able to place orders via the web shop using existing customer data, to view the status of individual orders or to administer the order history.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. This is the case for the data collected during the registration process if the registration for the web shop on our website is cancelled or changed.
If the data collected during registration is required to fulfil a contract or to carry out pre-contractual measures, the data may also be stored for a longer time, at least until the main contractual obligations have been fulfilled. Even after this point in time, it may be necessary to continue to store the user’s personal data in order to comply with contractual or statutory law obligations.

5. Possibility of objection and removal

As a user you have the possibility to delete your registration at any time. You can change the data stored about you at any time.
If the data is required to fulfil a contract or to carry out pre-contractual measures, an early deletion of the data is only possible to the extent there are no contractual or statutory law obligations to the contrary.

VII. Setting up an app account

1. Description and scope of data processing

Users who have downloaded and installed an iHaus app on their mobile device can set up an app account via the app user interface. The data is entered by the user into an input mask and transmitted to us and stored. The data will not be passed on to third parties. The following data is collected during the registration process for the app account:

(1) First name
(2) Family name
(3) if applicable, an additional user name
(4) Address
(5) Email
(6) Telephone number

At the time of registration, the following data is also stored:

(1) The IP address of the user
(2) Date and time of registration

In the context of the registration process (or, if necessary, again in the context of a possible update of the terms of use), the user’s consent to the processing of this data is obtained.
Furthermore, we use the data transmitted by the user during the registration process to provide the app account holder who uses our software products with advertising information about other goods or services sold by us within the framework of advertising to existing customers – to the extent otherwise permitted by law.

2. Legal basis for the processing of personal data

The legal basis for the processing of data is Art. 6 para. 1 subpara. 1 lit. a GDPR to the extent the user has provided his consent.
If the registration serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 para. 1 subpara. 1 lit. b GDPR.
The legal basis for advertising to existing customers is Art. 6 para. 1 subpara. 1 lit. f GDPR.

3. Purpose of data processing

A registration of the user for an app account is necessary for the provision of certain contents and functionalities of the iHaus app and serves accordingly the fulfilment and administration of the contractual relationship.
The processing of personal data transmitted by the user also serves the entrepreneurial interest in the sale of further goods and services in the case of advertising to existing customers. This also constitutes the necessary legitimate interest in the processing of the data.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. This is the case for the data collected during the registration process if the registration for the app account is cancelled or changed.
If the data collected during registration is required to fulfil a contract or to carry out pre-contractual measures, the data may also be stored for a longer time, at least until the main contractual obligations have been fulfilled. It may also be necessary beyond this point in time to continue to store personal data of the other contracting party in order to fulfil contractual or statutory law obligations.

5. Possibility of objection and removal

Users have the possibility to delete the registration for the app account at any time; this can be done either via a functionality provided within the iHaus app or by email to support@ihaus.de. The user can have the data stored about him modified at any time.
If the data is required to fulfil a contract or to carry out pre-contractual measures, early deletion of the data is only possible to the extent there are no contractual or statutory law obligations to the contrary.

VIII. Use of the iHaus app and the corresponding app account

1. Description and scope of data processing

a) Activity log

As long as the user is registered in his iHaus app account and/or visits as registered user our website, the iHaus server automatically collects data about how the iHaus app and iHaus website are used by the user in addition to the data mentioned in Section I. 1. in a so-called activity log. The following data is recorded:

(1) Functionalities used
(2) Number of registrations
(3) Cookie ID
(4) Amount of data transferred

b) Connecting the iHaus app with smart home systems

Further personal data of the registered user will only be collected by us if and to the extent that the user connects the iHaus services with certain smart home systems (SHS) of his choice. The user solely decides which SHS (devices or services) supported by the iHaus app he connects to the iHaus services. These can be, for example, cameras, smoke detectors, systems for controlling heating or roller shutters, lighting systems, consumer electronic devices or other services, such as traffic or weather information. The user selects the relevant SHS within the user interface of the iHaus app. The user alone is responsible for the lawful operation and configuration of these devices and services (see in particular sections 3.1 and 3.4 of our applicable general terms and conditions).
Depending on the functional scope of the SHS and the configuration selected by the user and possibly also determined by the user through the use of other applications, we therefore only collect the data that is collected and transmitted by the relevant SHS.

This can include the following data in particular:
(1) Still images of a camera installed by the user in or on the building
(2) Contact details (e.g. email addresses or telephone numbers) for alarm calls
(3) Time information regarding the time of commissioning and decommissioning (e.g. activation or deactivation of alarm systems)
(4) Configurations and other device information
(5) Switching states
(6) Brightness or color values
(7) Level of noise
(8) Consumption data

The respective SHS is integrated into the user’s home network via TCP/IP (Ethernet or Wi-Fi). The SHS in the home network are then addressed either directly, via third-party gateways or via a building bus system. The user profile, configuration and switching states of the user’s home are synchronized with the iHaus cloud servers. Communication is conducted exclusively via SHA256-encrypted SSL/TLS connections and the connection can only be established from the user’s home to the iHaus cloud, but not from the Internet to the user’s home. To enable control from other TCP/IP networks (e.g. 3G / LTE), the user’s smartphone or tablet is synchronized with the iHaus cloud via encrypted connections.
The data collected in this way is stored on a primary iHaus server and assigned to the app account of the user concerned.
The user can manage this data in his user account and delete it individually if necessary (e.g. camera still images no longer required). The user can also terminate the connection of individual devices or services with the iHaus services as a whole; the relevant data stored for an individual SHS will then be deleted by us without delay.

c) Pseudonymized user profiles

The so collected data is also encrypted by us and stored on another separate iHaus server without any personal reference, i.e. in a pseudonymized  manner. For purposes of non-personalized advertising, market research and demand-oriented design of the offer, we create user profiles on the basis of this data using pseudonyms. This data is not combined with other personal data, unless this would be indispensable for the provision of certain extended functionalities and services of the iHaus apps selected by the user (see below). This data will not be passed on to third parties.
The integration of certain SHS by the user enables the user to possibly use extended functionalities and services of the iHaus apps, e.g. automated proposal functions for energy optimization or comfort functions for other optimized use of the relevant SHS. If and as long as the user integrates such SHS and activates the relevant extended functionalities and services of the iHaus apps, their provision may also require that we access the user’s device, consumption and usage data stored on a pseudonymized basis to the respective SHS for a limited purpose, analyze them and to this extent create a specific SHS usage profile. This data will not be passed on to third parties.
In this case, the user will be informed separately and his consent to the processing of the relevant personal data will be obtained. In this context, this privacy statement will also be referred to.

d) Individualization of usage profiles

Logged-in users who are also interested in a further analysis of the device, consumption and usage data stored by us in a pseudonymized manner in accordance with lit. c) above in order to receive appropriate usage recommendations based on an individualized usage profile and corresponding individualized advertising for products and services from our portfolio or such products and services that we sell via our web shop can register for this via dialogue fields provided within the iHaus apps.
  
This registration is voluntary. The user can revoke his consent to the extended data analysis by iHaus, the creation of an individualized user profile and the transmission of individualized advertising by us at any time.
The user can declare the revocation at any time by pressing a button provided for this purpose in the settings of the iHaus apps, by email to support@ihaus.de or by sending a message to the contact data stated in the imprint. The data provided will not be passed on to third parties. All data will be completely deleted upon revocation.

The consent given by the user has the following wording:

I would like to receive advertising about products and services of iHaus or such products and services that iHaus sells through the iHaus Store, as well as individualized usage recommendations for Smart Home systems, each based on an individual analysis of the device, consumption and usage data of the Smart Home systems I have connected to the iHaus app.
For this purpose, I hereby consent to iHaus analyzing these device, consumption and usage data individually and creating an individualized usage profile for my Smart Home systems. This consent may be revoked by me at any time.

I would like to be informed about individualized advertising and usage recommendations on the following channels using the contact data stored by me in my user account:
[Checkbox] Email
[Checkbox] Post
[Checkbox] Phone
[Checkbox] Telefax message
[Register here]

All information is voluntary. Consent to the additional data analysis described above by iHaus, the creation of an individualized usage profile and the transmission of individualized advertising and usage recommendations by iHaus is revocable at any time by pressing a button provided for this purpose in the settings of the iHaus apps or by email to support@ihaus.de or to the contact data specified in the imprint. The revocation takes place according to the privacy statement [Link] of iHaus.

2. Legal basis for the processing of personal data

The legal basis for the processing of data collected within the framework of the activity log is Art. 6 para. 1 subpara. 1 lit. b and f GDPR.
The legal basis for the processing of data collected by SHS and stored on the primary iHaus server is Art. 6 para. 1 subpara. 1 lit. b GDPR.
The legal basis for the creation and use of pseudonymized user profiles is Art. 6 para. 1 subpara. 1 lit. b and f GDPR, to the extent the user gives his consent, Art. 6 para. 1 subpara. 1 lit. a GDPR.
The legal basis for the creation and use of individualized usage profiles is Art. 6 para. 1 subpara. 1 lit. a GDPR.

3. Purpose of data processing

The data collected within the scope of the activity log is used by us to provide the iHaus services, to create anonymous statistics and to check compliance with the contractual provisions (in particular the contractual use and the prohibition of the use of iHaus services by robots).
Data is collected and stored on the primary iHaus server in order to maintain the functionality and correct operation of the respective SHS, to ensure the functionalities and services of the iHaus apps and to create backup copies of the SHS configuration.
The creation and use of pseudonymized usage profiles is for the purposes of non-personalized advertising, market research and demand-oriented design of the offer, in order to enable the customer to use appropriate usage recommendations and corresponding individualized advertising for current goods and services from our portfolio.
Creation and use of individualized usage profiles is conducted to enable the customer to use appropriate usage recommendations and corresponding individualized advertising for current goods and services from our portfolio.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. This is the case at the latest when the customer deletes his app account (see Section VII. 5.), unless an obligation to continue to store individual data exists anyway due to contractual or statutory law obligations.

5. Possibility of objection and removal

The user can manage the data in his user account and delete it individually if necessary (e.g. camera stills no longer required). The user can also terminate the connection of individual devices or services with the iHaus services as a whole; the relevant data stored for a single SHS and any user profiles created will be deleted by us within seven days.
The user can object to the use of the data at any time by pressing a button provided for this purpose in the settings of the iHaus apps or by contacting support@ihaus.de or the address given in the imprint for this purpose.

IX. Disclosure of personal data to third parties: Hosting provider

1. Description and scope of data processing

Our website (including the central functions of the iHaus app) is hosted on the server of a hosting provider (currently: QSC AG) in the Federal Republic of Germany. The personal data processed by us and described in detail in sections I. to VIII. above is stored on this server. All our systems are encrypted according to the state of the art. Therefore, access to personal data by the hosting provider should normally hardly be possible. Nevertheless, we have concluded a data processing agreement with the hosting provider as a precautionary measure.

2. Legal basis for the processing of personal data

The legal basis for passing on the data to the hosting provider is Art. 6 para. 1 subpara. 1 lit. b, 28 GDPR.

3. Purpose of data processing

The data is passed on to the hosting provider in order to enable the operation of the website and to make the content available to users.

4. Duration of storage

The data passed on to the hosting provider will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. The duration of the passing on of the data to the hosting provider is identical to the duration of the storage of the data by us in accordance with the sections I. to VIII. Above.

5. Possibility of objection and removal

The above described passing on of the data to the hosting provider as our technical service provider is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

X. Disclosure of personal data to third parties: active Java script content from Facebook, Google+ and Twitter

1. Description and scope of data processing

Active JavaScript content from external social media providers is used on our website. When accessing our website, these external providers may receive personal information about the user’s visit (IP address of the user, time of access) to our website. The user can prevent this by installing a Java script blocker such as the browser plug-in “NoScript” (www.noscript.net) or by deactivating Java script in his browser. However, this may result in functional restrictions for the user within the scope of using our website. In detail, these are the following providers:

(a) Facebook
Java script code of the social network Facebook Inc. 1601 South California Avenue, Palo Alto, CA 94304, USA, is downloaded from our website. If the user has activated Java-Script in his browser and has not installed a Java-Script-Blocker, his browser may transmit personal data to Facebook. We do not know what data Facebook links to the data received and for what purposes Facebook uses this data. For more information, please see Facebook’s Privacy Policy. If the user does not want Facebook to be able to associate the visit to our website with his Facebook account, he can log out of his Facebook account to prevent this and deactivate the execution of Java Script in his browser.

(b) Facebook Remarketing
Our website also uses the remarketing function “Custom Audiences” of Facebook Inc. This function is used to present interest-based ads (“Facebook Ads”) to users of our website when they visit the social network Facebook. For this purpose, the Facebook remarketing tag has been implemented on our website. This day establishes a direct connection to the Facebook servers when you visit our website. It is transmitted to the Facebook server that the user has visited our website and Facebook assigns this information to the user’s personal Facebook user account. For more information about Facebook’s collection and use of the information and your rights and choices about your privacy, please see the Facebook Privacy Statement at https://www.facebook.com/about/privacy/. Alternatively, you can deactivate the remarketing function “Custom Audiences” at https://www.facebook.com/settings/?tab=ads _=_. You must be logged in to Facebook to do this.

c) Google+ / Google +1 button
The Google +1 button is a plug-in of the social network Google+, an offering of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”), which is also included into our website.
With the help of the Google +1 button, information can be published on a worldwide basis. The Google +1 button allows users to receive personalized content from Google and other partners. Google saves both the information which is relayed for a +1 as well as information on the page that was viewed while clicking on +1. A user’s +1s can be displayed together with his profile name and the image in Google services such as search results or in the user’s Google profile or in other places on websites and advertisements on the internet.
Google registers information on +1 activities.
A globally visible Google profile, which has to include at least the name chosen for the profile, is necessary in order to be able to use the +1 button. This name is used in all of Google’s services. In some cases this name can also replace another name which was used while sharing content via the Google account. The identity of the Google profile can be shown to third parties who know the user’s email address or have other identifying information on the user.
Details on Google’s approach to privacy as well as rights and settings for the protection of personal data can be found in the privacy policy of Google+ and the Google +1 button.

(d) Twitter
Functions of Twitter are also included in our website. These functions are provided by Twitter, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA. By using Twitter and the “Re-Tweet” function, the websites visited by the user are linked to his Twitter account and made known to other Internet users. Data is also transmitted to Twitter. We point out that we as the provider of the iHaus website are not aware of the content of the transmitted data or its use by Twitter. Users can find more information in the Twitter Privacy Policy at http://twitter.com/privacy. Users can change their Twitter privacy settings in the account settings at http://twitter.com/account/settings.

2. Legal basis for the processing of personal data

The legal basis for the processing of the relevant data is Art. 6 para. 1 subpara. 1 lit. f GDPR.

3. Purpose of data processing

The data is passed on to the relevant social network in order to enable those users who have user accounts with the relevant social networks to use an expanded range of information and communication services and to share the contents of our website with friends or contacts and thereby enter into communication with them.

4. Duration of storage / possibility of objection and removal

The user can prevent the disclosure of data to any of the above social networks by using a Java-Script-Blocker or by logging out of the user account of the social network concerned. Further information (including the extent to which the data are processed and how long they are stored by the relevant social network) can be found in section 1. above and in the privacy statements of the social networks linked there.

XI. Disclosure of personal data to third parties: Website analysis service Google Analytics

1. Description and scope of data processing

As part of our website we also use Google Analytics, a web analysis service provided by Google Inc. (“Google”). Google Analytics uses cookies to analyze the use of our website. The information generated by the cookie about the use of our Internet site is usually transmitted to a Google server in the USA and stored there. The IP address transmitted by the browser within the framework of Google Analytics and anonymized with anonymizeIP is not merged with other Google data. We have a data processing agreement with Google.

2. Legal basis for the processing of personal data

The legal basis for the transmission of data (anonymized IP address of the user) to Google is Art. 6 para. 1 subpara. 1 lit. f, 28 GDPR.

3. Purpose of data processing

The data is passed on to Google in order to be able to assess the use of the website by all users more reliably and to be able to continually improve the content and technical features of the website in line with customer requirements.

4. Duration of storage / possibility of objection and removal

The user can prevent the use of Google Analytics as a whole or restricted to our website as follows:
The collection of data generated by the Google cookies and related to the use of the website (including the IP address) by Google and the processing of this data by Google can be completely prevented by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=en.

When using our website, the user can also prevent Google Analytics from collecting data via his browser by clicking on the following link: Disable Google Analytics. An opt-out cookie is then set which prevents the future collection of data when visiting this website.
Further information (including the extent to which data is processed and how long it is stored by Google) can be found in Google’s privacy policy at http://www.google.com/analytics/terms/de.html.

XII. Disclosure of personal data to third parties: Purchase of our goods or software applications via Amazon, Apple App Store and Google Play Store

1. Description and scope of data processing

Our website links to the offers of our goods or software applications at amazon.de (offered by: Amazon Europe Core S.à.r.l., 5 Rue Plaetis, L-2338 Luxembourg), the Apple App Store (offered by Apple Inc., Infinite Loop, Cupertino, CA 95014, USA) and the Google Play Store (Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA).
For example, users can be redirected from our web shop to Amazon by clicking on the “Buy alternatively at Amazon” button or to the Apple or Google app platforms by confirming the “Download in the Apple App Store” or “Download in the Google Play Store” button in order to carry out transactions via the goods or software applications offered by us. When the buttons are pressed, only the IP address of the calling computer and the date and time of the call are transmitted to these third-party providers.

Further information can be found in the data protection regulations of these third parties linked below:
https://www.amazon.de/gp/help/customer/display.html?nodeId=3312401
https://www.apple.com/legal/privacy/de-ww/
https://policies.google.com/privacy?hl=en&gl=en

2. Legal basis for the processing of personal data

The legal basis for the processing of data is Art. 6 para. 1 subpara. 1 lit. a GDPR to the extent the user has provided his consent.
If the registration serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 para. 1 subpara. 1 lit. b GDPR.

3. Purpose of data processing

The data is passed on to the third-party provider concerned in order to enable the user to purchase the goods and software applications offered by us via the platforms of the third-party providers

4. Duration of storage / possibility of objection and removal

The user can prevent the transfer of data to one of the aforementioned third-party providers by not pressing the relevant buttons.
As a rule, the personal data collected by us during transfer will be deleted within a period of seven days.
Further information (including the extent to which the data are processed and how long they are stored by the third-party provider concerned) can be found in the information referred to in Section 1. and in the privacy statements of the third-party providers linked there.

E. Rights of the data subject

If personal data is processed by you as a user, you are affected within the meaning of GDPR and you are entitled to the following rights vis-à-vis the data controller:

I. Right to information

You can ask us to confirm whether your personal data is processed by us.

If such processing has taken place, you can request the following information from the data controller:
(1) the purposes for which the personal data is processed;
(2) the categories of personal data being processed;
(3) the recipients or categories of recipients to whom your personal data concerning has been or is still being disclosed;
(4) the planned duration of the storage of your personal data, if specific information on this is not possible, criteria for determining the storage period;
(5) the existence of a right to rectification or erasure of your personal data, a right to limitation of processing by the controller or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) any available information on the origin of the data if the personal data is not collected from the data subject;
(8) the existence of automated decision making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether your personal data is transferred to a third country or to an international organization. In this context, you can request the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transmission.

II. Right to correction

You have a right of rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you is incorrect or incomplete. The data controller shall make the correction without undue delay.

III. Right to limitation of processing

Under the following conditions, you may request that the processing of your personal data be restricted:
(1) if you dispute the accuracy of your personal data for a period that enables the data controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
(3) the data controller no longer needs the personal data for the purposes of the processing, but you need them to assert, exercise or defend legal claims, or
(4) if you object to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the data controller outweigh your reasons.
If the processing of your personal data has been restricted, such data may only be processed – apart from being stored – with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the European Union or a Member State.
If the processing has been restricted according to the above conditions, you will be informed by the data controller before the restriction is lifted.

IV. Right to erasure

1. Duty of erasure

You may request the data controller to delete the personal data relating to you without undue delay and the controller is obliged to delete this data without undue delay if one of the following reasons applies:
(1) Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
(2) You revoke your consent, on which the processing according to Art. 6 para. 1 subpara. 1 lit. a or Art. 9 para. 2 lit. a GDPR is based, and there is no other legal basis for processing.
(3) In accordance with Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you submit an objection pursuant to Art. 21 para. 2 GDPR opposed to the processing.
(4) Your personal data has been processed unlawfully.
(5) The erasure of your personal data is necessary to fulfil a legal obligation under EU law or the law of the Member States to which the data controller is subject.
(6) Your personal data has been collected in relation to information society services offered in accordance with Art. 8 para. 1 GDPR.

2. Information to third parties

Has the data controller made your personal data public and is obliged to delete it in accordance with Art. 17 para. 1 GDPR, it shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process such personal data that you as the data subject have requested the erasure, including all links to this personal data or of copies or replications, of this personal data.

3. Exemptions

The right to erasure does not exist to the extent the processing is necessary
(1) to exercise freedom of expression and information;
(2) for the performance of a legal obligation required for processing under the law of the EU or of a Member States to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
(3) for reasons of public interest in the field of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes according to Art. 89 para. 1 GDPR, to the extent that the right referred to in Section 1. above is likely to render impossible or seriously impair the attainment of the objectives of such processing; or
(5) for asserting, exercising or defending legal claims.

V. Right to information

If you have exercised your right to have the data controller correct, delete or limit the processing, the data controller is obliged to inform all recipients to whom your personal data has been disclosed of this correction or erasure of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.
The data controller shall have the right to be informed of such recipients.

VI. Right to data portability

You have the right to receive your personal data that you have provided to the data controller in a structured, common and machine-readable format. In addition, you have the right to pass this data on to another data controller without obstruction by the data controller to whom the personal data was provided, provided that

(1)  the processing is based on a consent according to Art. 6 para. 1 subpara. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract according to Art. 6 para. 1 subpara. 1 lit. b GDPR and
(2) processing is carried out using automated methods.
In exercising this right, you also have the right to request that your personal data be transferred directly from one data controller to another data controller, to the extent this is technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.

VII. Right of objection

You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which may be processed in accordance with Art. 6 para. 1 subpara. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.
The data controller no longer processes your personal data, unless it can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct marketing.
If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You have the possibility to exercise your right of objection in connection with the use of Information Society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.

VIII. Right to revoke the data protection related declaration of consent

You have the right to revoke your data protection related declaration of consent at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.

IX. Automated decision in individual cases including profiling

You have the right not to be subject to a decision based exclusively on automated processing – including profiling – that has legal effect against you or significantly impairs you in a similar manner. This does not apply if the decision

(1) is necessary for the conclusion or performance of a contract between you and the data controller,
(2) is admissible according to the legislation of the EU or of a Member States to which the data controller is subject and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or
(3) is reached with your express consent.

However, these decisions may not be based on special categories of personal data according to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.
In the cases referred to in (1) and (3), the data controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person by the data controller, to state your own position and to challenge the decision.

X. Right of appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work or are suspected of infringement, if you believe that the processing of your personal data is contrary to GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and the results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.
F. Changes to this privacy statement
We reserve the right to make changes to this privacy statement in the future. This applies in particular in case of implementation of changed legal requirements due to legal changes or changes in administrative or judicial practice.
Draft JURICITY EN – 02/06/2018