Blumfeldt Privacy Policy

Privacy Policy

In addition to the online services we also provitde you with a mobile app ("Blumfeldt App") that can be downloaded on your mobile device. In the following, we will inform you about how we record personal data when you use our Blumfeldt app. Personal data are data that are personal to you, e.g., your name, address, email address, and user behaviour.

1.Provider/maintainer of the app

(1) The service provider and responsible body in accordance withArticle 7 EU General Data Protection Regulation(GDPR) is

Chal-Tec GmbH, Wallstrasse 16, 10179 Berlin ("Chal-Tec", "we", "us").

Email:appsupport@go-bbg.com

Tel: +49(0)30 408 173 508,

Fax: +49(0)30 408 173 505

(2) Our Data Protection Officer can be contacted at privacy@chal-tec.com or via our postal address using the title "Data Protection Officer".

2. What are personal data?

(1) "Personal data" is legally defined as "individual details about the personal or material circumstances of a specific or identifiable natural person". This includes details such as name, email address, or other details able to be traced back to a natural person.

(2) When you contact us via email or by using the contact form, your email address and, if specified, your name and telephone number will be retained by us so we can answer your queries. The data collected in this regard will be deleted after they are no longer required to be retained or further processing restricted in the case of a legal requirement to preserve records.

(3) If we use contracted providers to render certain functions within our service or would like to utilise your data for commercial purposes, we will inform you of the necessary steps as is outlined in detail below. Here we specify the criteria for how long data may be retained.

3.Your rights with respect to your personal data

(1) You are able to make the following rights applicable to us, in accordance with criteria stipulated for applicable standards, in regard to the personal data we retain about you:

- You have the right to withdraw, prospectively and at any given time, any previous consent to the processing of your data (Art. 7(3) GDPR).

- You have the right to obtain information about the personal data we retain about you at any given time (Art. 15 GDPR).

- You have the right to have your data rectified or erased (Art. 16, 17 GDPR).

- You have the right to restrict the processing of your data in the event that said processing was not authorised (Art. 18 GDPR).

- You have the right to have communicated to each recipient, to whom data have been disclosed, any rectification, erasure, or restriction of personal data. (Art. 19 GDPR).

- You have the right to receive personal data concerning you, which has been provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another body without hindrance (Art. 20 GDPR).

- You have the right to object to the processing of personal data in specific cases (Art. 21 GDPR).

(2) You have the right to complain to a data protection regulatory authority about processing your personal data by our company.

4. Type and usage of personal data

(1) When you download the mobile app, required information such as user name, email address and the customer number of your account, time of download, payment information and unique device number, will be transmitted to the online platform from which the download took place. We are not able to influence this data collection and are therefore not responsible for it. We only process data insofar as it is required to be able to download the mobile app to your mobile end device.

(2) When using the mobile app we collect the following personal data from you in order to ensure convenient usage of all functions. The following data are technically necessary so that we can offer all functions of our mobile app to you as well as ensure safety and stability (Legal basis is Art. 6(1)(1) lit. f GDPR):

a. Email address

b. Usage data (in particular a list with a record of all devices connected to the app service, the time window of device activity in the cloud (via the app or on the device connected to the cloud), report of faulty products)

c. Unambiguous identification of a device for technical customer support

d. Firmware version

e.Hardware model

f. Timestamp for the first and last activation required for customer support

g. IP address

h. Mac address

i. IMEI (International Mobile Equipment Identity)

j. IMSI (International Mobile Subscriber Identity)

k. Mobile Subscriber Integrated Services Digital Network Number (MSISDN)

l. Name of the mobile end device

m. Access status/HTTP status code

n. The respective amount of data transferred

o. Browser

p. Operating system and interface

q. Language and browser software version

r. The signal strength of the WiFi for technical customer service.

The data provided can be revoked prospectively and at any time without reason. The user must note that the normal functions of the app may be impeded by the revocation of data.

(3) You must create a personal user account to use our app. You have the opportunity to create the user account using your email address or a social media account (Facebook, Twitter, Google). When creating your user account with an email address, the following information will be required in addition to that already provided:

a. Surname

b. First name(s)

c. Personally chosen password

d. Personally chosen user name

When creating a user account using your chosen social media account, an identity verification request will be sent to the social media platform and, once the identity of the person registering for a user account to be used on our app has been confirmed, the account will be verified and activated. The profile picture currently in use for your chosen social media account will also be used as the profile picture for the user account within our app.

(4) Our app enables you to connect several Smart-Blumfeldt-products (e.g., heating, thermostat etc.), all of which are equipped with a WiFi chip and able to be centrally controlled via the app (creating a so-called "hub"). Depending on the Smart-Blumfeldt-product in use, further parameters such as temperature, humidity, timers etc. can be controlled, which are all measured by the Smart-Blumfeldt-product thanks to built-in sensors and subsequently portrayed in the app. To better manage individual Smart-Blumfeldt-products it may be necessary to specify the number of rooms within which Smart-Blumfeldt-products are currently in use and then define them. In addition, the Smart-Blumfeldt-products will also provide us the following information:

a. Location of the device

b. Device ID

c. Serial number

d. Product code

e. IP address

f. If necessary, the layout of the cleaned areas in the event of an error reported by a robot vacuum cleaner

(5) The data collected are to enable services in the app as well as for other purposes, including the creation of a user account, contact with the user, device permissions, access to personal data, interaction with external social networks, surveillance of infrastructure, analysis and maintenance of contact data as well as to send messages. If the required data are not specified, services in the app may not be able to be provided.

(6) The user can assign verified users access rights to the Smart-Blumfeldt-product or hub including all connected devices so that they are able to either remotely control or monitor Smart-Blumfeldt-products. This authorisation may be revoked by the user at any time. If an assigned user is not yet verified, the registered user can invite them to be verified by providing their email address. They will then receive an invitation to register via email.

(7) It is also possible to use the Amazon Alexa Voice Services in our Blumfeldt app. To do so, so-called Alexa Skills are required. These include third-party services (Skills) such as digital content, software, the Amazon Alexa app as well as customer service, and other associated services. To activate Skills and generally utilise Amazon Alexa, you are normally required to make an account with Amazon. If you use Alexa Skills, your personal data will be disclosed to Amazon via end devices compatible with Alexa. We are unable to influence the data collected, processed, and used to this end. The sole responsible body for this is Amazon.

Alexa Skills are operated based on the infrastructure of Amazon Media EU S.à.r.l. More information can be found in the Alexa Terms of Use www.amazon.co.uk/gp/help/customer/display.html. The Blumfeldt Skill is available in the Amazon Alexa Skill Store which is operated by Amazon. The Blumfeldt Skill will not collect, process or save personal data and does not have any control over any personal data or language commands that may be collected by Amazon. We are unable to view any personal data conceivably related to you when you access a Skill. This also includes potential preferences or usage of Skills by other users in particular. The legal basis for data processing is Art. 6 (1) a) GDPR in cases where consent is given. The Blumfeldt Skill is not age-restricted but is not aimed at children under 13 years. There are no purchase options nor are there any digital, physical or other fee-based services with Blumfeldt Skill. An analysis of your user behaviour will not be carried out via Blumfeldt Skill. There will be no advertisements played via the Amazon Alexa Voice Service within Blumfeldt.

Please note that by registering with Alexa and utilising Alexa Services provided by Amazon Media EU S.à.r.l., you give consent for your personal data to be retained and processed. The purpose and extent of data collection can be taken from the aforementioned Terms of Use and the Privacy Policy of Amazon Media EU S.à.r.l. on www.amazon.co.uk/gp/help/customer/display.html

(8) You must provide this data in order to use services in our app. Depending on the desired function of the services provided in our app, there may be additional data provided that is not absolutely necessary in order to use the app. In this case, they will be defined as such and you are free to provide this data should you so wish.

(9) Data retention will be in place for as long as your user account is active. You can delete this at any time. Your data will, therefore, only be retained for as long as this is legally required (e.g., retention period in line with commercial or tax laws) or in order to be able to provide the services in our app. Once this period has elapsed, all associated data will be routinely removed unless they are required for contract fulfilment of negotiations and/or there is no legitimate interest in their retention on our part and/or we have your consent to use them.

5.The legal basis for processing your personal data,

We process your personal data as follows:

- To render a service using our app (Art. 6(1) lit. b GDPR);

- To contact customers (Art. 6(1) lit. b GDPR);

- To create and manage your user account (Art. 6(1) lit. b GDPR);

- For device authorisation in order to access personal data ((Art. 6(1) lit. a GDPR);

- To interact with external social networks (see 3.2 Verification of a user's identity);

- To monitor infrastructure (Art. 6(1) lit. b, lit. f. GDPR)

- Analysis (Art. 6(1) lit.b, lit.f. GDPR);

- To comply with requests for information from official authorities (Art. 6(1) lit. c GDPR).

6.Push notifications

We will send you a push notification dependent on whether you have activated this option within your user account, whereby a message will be shown on your display to actively inform you about the status of your devices as well as technical updates. In addition to this, we will send you an in-app notification, which you will receive when using the app.

7. The disclosure of your data to third parties

(1) Your personal data will only ever be disclosed to third parties

- if you have provided your explicit consent or

- there is a legal obligation that requires us to disclose your data, e.g. a request for information from an official authority;

- if it is required in order to execute a contract (so-called Transfer of Function);

- if we are required to utilise the services of a third party in order to render a service by means of a data processing relationship (so-called contract processing). This can take place in order to run the app or to render technical services. It is particularly important to note that we remain the responsible body for the lawful processing of your data

(2) The personal data collected about you, in particular:

a. A list of connected Smart-Blumfeldt-products and protocols regarding activity;

b. The user account with which the Smart-Blumfeldt-products are controlled;

c. The data transmitted by the Alexa Voice Service by Amazon (Skills);

d. Locations of Smart-Blumfeldt-products;

e. Activity time frames for Smart-Blumfeldt-products;

f. Registration in the app;

g. Information collected and transmitted now and, in the past, (e.g., temperature, humidity, automatic timers, Wi-Fi reset etc.) or applied functions including the rotation speed of a fan, energy-saving modes etc. and the corresponding time frame;

h. Error reports

are processed within the European Union in cloud servers provided by Tuya, Inc., a GDPR-certified company based in Frankfurt am Main. The transfer of your data to contract data processors outside of the European Economic Area will only take place on the basis of data processing contracts if the additional conditions stipulated for data processing in third countries are fulfilled in line with Art. 44 ff GDPR (Appropriate levels of protection within the respective third country and appropriate safeguards as per Art. 46 GDPR).

(3) If you use a social media account to create your user account, you will be transferred to the login page of the chosen social network. If you log into your account by logging into a social network, the social network you have used will be sent an identity verification request (OAuth0, OAuth1, ggf. OAuth2).

(4) The Blumfeldt-App is based on Google 'Firebase' as a backend system. All user-relevant data, in particular

a. email address

b. password

c. username

d. list of connected Smart-Blumfeldt-products

are processed within the European Union in cloud servers provided by Firebase, Inc., a GDPR-certified company and part of the Google Consortium based in Frankfurt am Main.

(5) In order to send you push and in-app notifications, we use services provided by Kumulos Ltd, based in Dundee One, UK. If you receive push and in-app notifications from us, Kumulos Ltd. will evaluate if and when you have acknowledged them.

8.Data security

Chal-Tec will always attempt to process personal data in a way that utilises appropriate technical and organisational measures to protect your data and render them inaccessible to unauthorised persons. Please note that full data security cannot be guaranteed when communicating via email.

To best protect your data from random or intentional manipulation, loss, destruction or being accessed by unauthorised persons, we utilise appropriate technical and organisational security measures that are continuously optimised in line with technical developments.

9.Your rights with respect to your personal data

You are able to make the following claims applicable to us, in accordance with criteria stipulated for applicable standards, regarding the personal data we retain about you:

- You have the right to revoke, prospectively and at any given time, any previous consent to the processing of your data (Art. 7(3) GDPR).

- You have the right to obtain information about the personal data we retain about you at any given time (Art. 15 GDPR).

- You have the right to have your data rectified or erased (Art. 16, 17 GDPR).

- You have the right to restrict the processing of your data if said processing was not authorised (Art. 18 GDPR).

- You have the right to have communicated to each recipient, to whom data have been disclosed, any rectification, erasure, or restriction of personal data. (Art. 19 GDPR).

- You have the right to object to the processing of personal data in specific cases (Art. 21 GDPR).

If you have questions relating to the collection, processing, or usage of your personal data or if you would like to request information, rectification, blocking, or the erasure of data as well as the revocation of any consent previously given or would like to object to a particular form of data usage, please contact our Data Protection Officer via email here: appsupport@chal-tec.com or the address specified in Section 1. Your requests will be answered as soon as possible and always within one month. You also have the option to complain to a regulatory authority.