Data Privacy Policy for VELUX ACTIVE with NETATMO

Effective from 1st October 2018

1. Purpose of document

This Privacy Policy outlines how VELUX A/S  manage your personal data (including your personal information as defined in the Privacy Act 1988 (Cth) (the Privacy Act)) and protect your privacy.

Collecting, processing and storing data is essential to deliver the key benefits of VELUX ACTIVE, namely indoor climate control. We continuously aim to improve the VELUX ACTIVE products and services, including the VELUX application, for a relevant and safe up-to-date user experience (hereinafter “the products and services”). 

It is fundamental to us that your personal data is protected and that you as the customer can easily understand what personal data we collect, process and store and for what purposes. We are completely open and informative about how we handle your data and we go to great lengths to keep your personal data safe. The purpose of this document is to clearly inform you about how we collect, process and store your personal data.  

2. Our promise 

Based on our corporate principles, as well as our commitment to comply with the European Data Protection Regulation (2016/679 of 27 April 2016), “GDPR” and national data privacy laws in the countries that we operate in, including the  Privacy Act in Australia, we promise the user the following: 

  • VELUX A/S will only collect the personal data outlined in table 3. Only selected, trusted employees at VELUX A/S (hereinafter referred to as “VELUX”), NETATMO and the VELUX sales companies operating in different jurisdictions around the world, including VELUX Australia Pty Ltd (ABN 68 001 841 541) (the data processors) have access to your personal data and will treat it confidentially.
  • To be transparent and open about our collection, processing, use and disclosure of personal data.

3. What personal data are we collecting and for what purposes? 

3.1 Contact information

Data type

Location, user name and email provided by the user through account registration in the VELUX application.

Directly/indirectly identifiable personal data

Your email, location and user name are considered as information that can directly identify a user. This information is thus directly identifiable data fields.

What we are collecting, using and disclosing it for (processing & purpose)

Contact information is needed to enable you to use the products and services, send you account notifications, product and service updates, software updates and upgrades.

If you sign up to receive information and marketing material from VELUX (under a separate consent), we will use your contact information for this purpose as well.

To whom do we disclose it (including who has access)?

We may disclose your Contact information to our other Velux companies and trusted partners, such as NETATMO and VELUX sales companies in certain overseas jurisdictions (as set out in section 9).

If you sign up to receive information and marketing material, your acceptance hereof and your email account will be disclosed to the VELUX sales company established in your home country (including Velux Australia Pty Ltd in Australia). During the period, where you receive information and marketing material, this personal data will be stored at NETATMO's data centre and in VELUX.

3.2 User data

Data type

User data relates to your activity in the application, the settings in the app, and has a unique ID attached to you as a user.

Directly/indirectly identifiable personal data

When tracking movements in the app, we cannot see who is using the app. However, in the rare case of an app continuously crashing, we have the option of taking the unique ID of the user ID in the app analytics system and cross-checking it against the user email in another system. User data is hence indirect personal data.

What we are collecting, using and disclosing it for (processing & purpose)

User data enables us to improve the product functionalities and services and to ensure that the product functionalities are continuously up-to-date with new technologies etc.

Examples of User data are: how frequent certain functions or buttons in the app are used to interact with the VELUX products (for example a manual “open window”), frequency of manual interventions in the algorithms and how many times the functions are executed.

To whom do we disclose it (including who has access)?

VELUX & NETATMO and VELUX sales companies operating in certain overseas jurisdictions (as set out in section 9).

3.3 Product status data, information & sensor data

Data type

Information about the user's VELUX ACTIVE software version, IP address, product IDs, hardware version and installation.

Further, the sensor values measured, the number of rooms & houses and actuator movements.

Directly/indirectly identifiable personal data

Unique identifiers such as the IP address and the MAC address of your devices are considered directly identifiable personal information. Hardware version, software version and sensor values are considered as indirectly identifiable, as they, if isolated, cannot lead to anyone identifying a person.

What we are collecting, using and disclosing it for (processing & purpose)

The product information and sensor data enable the algorithms to provide you with the core services of VELUX ACTIVE to ventilate and automatically regulate your indoor climate. Further, it enables us to improve our software and hardware, and understand and respect your preferences for a better service experience.

To whom do we disclose it (including who has access)?

VELUX and selected individuals within the VELUX sales companies as listed below will have access to this data for support purposes (including Velux Australia Pty Ltd in Australia). The data is collected and stored by NETATMO & VELUX.

3.4 Service history

Data type

Service history is the accumulation of service calls or requests, visits and other online support. Further, when provided by the user in tickets, it includes name, phone number, email address and home address.

Directly/indirectly identifiable personal data

The accumulated service history is both directly and indirectly personal information. When requesting support online, you are asked to fill in personal information, for us to contact you. When filling in this information and sending it to us, you agree that we may contact you concerning the request and save your information for this purpose. 

What we are collecting, using and disclosing it for (processing & purpose)

Service history enables us to provide you with service on the product. Further, it enables us to support you concerning questions on guarantee and troubleshooting. In the unlikely event of a more general problem occurring on several products, we can quickly rectify and remedy the issue.

To whom do we disclose it (including who has access)?

VELUX and selected individuals within the VELUX sales companies as listed below will have access to this data for support purposes. The data is collected and stored by VELUX.

4. Erasure of personal data

We store your personal data for the entire period you use your products and services and until you disconnect the products from the server plus one year. Hereafter, we either delete your personal data or anonymise/aggregate it so that you can no longer be identified on the basis of your personal data.

In case you have signed up for VELUX information and marketing material, we store your contact information until you unsubscribe from VELUX information and marketing material. 

5. Limitations

The privacy policy governs the data retrieved by VELUX through VELUX's own products and services. VELUX will generally collect information directly from the individual to whom it relates through its own products and services. However, VELUX may also collect information about an individual from a third party, such as other VELUX sales companies (including Velux Australia Pty Ltd in Australia), or via third party service providers. 

If the user employs other smarthome control systems (for example Apple Homekit) to execute functions with VELUX products and services, these systems or kits may collect, process and share personal data, for which VELUX cannot be held responsible and/or liable. Please make sure to read the privacy policies of such third-party providers.

VELUX implements a number of physical and electronic measures to protect personal data. It restricts access to VELUX'S physical and electronic databases, maintains firewalls and encrypts certain data where practicable to do so. Please note, however, that the internet is not a secure environment and although all care is taken, VELUX cannot guarantee the security of information provided to it via electronic means.

6. Rights of the individual

The user of the products and services has the right to be forgotten, meaning that the user can request to have his or her account closed and have all direct personal data information deleted. When the direct personal data has been deleted, you will no longer be identifiable on the basis of the remaining data held by VELUX. 

The user can at any point in time contact VELUX to get an overview of the personal data stored and processed on the user by VELUX and request a copy of the personal data stored by VELUX. 
Moreover, you may request your personal data to be rectified or corrected if it is inaccurate or out of date (such as a name change). Contact us via the mobile application or at active-support@velux.com for the above-mentioned requests. 

In some circumstances, it may not be possible for VELUX to provide you with any or all of your personal data, or an exemption under the Privacy Act may apply. For instance, VELUX may not provide access to certain personal data if disclosing that data would impact on the privacy of another individual. Where VELUX will not provide access to personal data held about you, VELUX will inform you of the reason. 

If you have given your consent to receive VELUX information and marketing material, and you no longer wish to receive it, you can always revoke your consent at the end of information and marketing emails or by contacting the above support email address or following the unsubscribe link in the marketing email.

In case you want to file a complaint about VELUX's processing of your personal data, you may address your complaint to:

VELUX A/S
Aadalsvej 99
2970 Hørsholm
Denmark
E-mail: active-support@velux.com 

You may also address your complaint to VELUX Australia, who will forward your complaint to VELUX A/S, as follows:

VELUX Australia Pty. Ltd.
78 Henderson Road 
Alexandria, New South Wales, 2015
Australia
E-mail: customer.service@velux.com.au

If a complaint is made, you will need to provide your name and contact details, as well as details of the complaint. VELUX'S Privacy Officer will investigate the complaint and respond promptly. If you consider that VELUX has failed to resolve the complaint satisfactorily, then you may complain to the Office of the Australian Information Commissioner as follows: 

Phone: 1300 363 992 or + 61 2 9284 9749

Email: enquiries@oaic.gov.au

Fax: +61 2 9284 9666

Post: GPO Box 5218, Sydney NSW 2001, Australia

7. The users, homes and guests

One user of the products and services can have several homes, in which case this privacy policy applies to all the user’s homes and to the entire setup. 

The user of a home can also invite up to 20 guests to operate the products and services. In case of the latter, these guest accounts are governed by the same privacy policy, and will be subject to the same data and operational setup as the host. 

8. Governing legislation

The GDPR (and the Privacy Act in Australia) applies to personal data from which an individual is identifiable, whether directly or indirectly. 

VELUX and the VELUX sales companies comply with the GDPR entering into force on 25 May 2018, and all relevant national data privacy laws (including the Privacy Act in Australia) in force from time to time.

9. Location of personal data and overseas transfers

As VELUX, through its related entities (the Velux Group), has operations in over 40 countries globally, VELUX may disclose personal information to recipients that are located outside of Australia, including the United States of America, Denmark and other countries. A list of the countries in which the Velux Group operates is available at http://www.velux.com/. 

In all cases, when an individual provides personal information to VELUX, he or she consents to the disclosure of his or her personal information outside Australia, and acknowledges that Velux is not required to ensure that overseas recipients handle that personal information in compliance with Australian privacy law. However, VELUX will take reasonable steps to ensure that any overseas recipient will deal with such personal information in a way that is consistent with the Privacy Act in Australia. 

Personal data will be stored on a server located in the European Union. VELUX instructs the data processor responsible for the server to have technical and safety measures in place to keep your personal data safe.

10. Updates

It is the responsibility of the user of the product to stay updated on the privacy policy relating to the products and services. We recommend that you read the privacy policy from time to time to keep yourself updated.

11. The parties

The role of the provider(s) of the products and services is:

Data controller: VELUX A/S, Ådalsvej 99, 2970 Hørsholm, Denmark - CVR 46 91 14 15, is accountable for collecting, processing and storing your personal data. 

Data processor 1: VELUX sales companies, which are owned 100 % by VELUX. VELUX sales companies in each country are responsible for the sales and services of VELUX ACTIVE products to end-users in the country where they are located. Please see the list of VELUX sales companies at the end of this privacy policy.

Data processor 2: NETATMO SAS, 93 Rue Nationale, 92100 Boulogne-Billancourt, France, Reg no. 532501848, is responsible for developing the VELUX ACTIVE products and for transferring personal data to VELUX. VELUX instructs NETATMO SAS to have technical and safety measures in place to keep your personal data safe.

See appendix 1 for VELUX affiliates. 

12. Legal requirements for data sharing

We will not share personal data with any third-party company, except from the listed parties below or in section 11. We will under no circumstances sell your personal data. 

VELUX discloses personal data to particular third-party service providers, dealers or independent installers.  From time to time, we use third-party IT consultants to service and maintain the products and IT systems, but such third-party IT consultants will be under confidentiality obligations and instructions from VELUX. 

For the purposes described in this policy, VELUX may disclose personal data to parties listed in the table in section 3 above.

In certain cases, we are required or authorised by law or legal processes to share specifically required data with the relevant legislative body requesting access to the personal data. This is relevant only under strict legal requirements, such as by request of a court order, and will be treated with due care. If we must share your personal data with the above-mentioned legal entities, we will do our best to provide you with notice in advance by email or by other means, unless we are prohibited by a court order from doing so or where the request or legal process is directly related to a regulatory investigation. In the latter case, we will ensure that your disclosed personal data is treated as confidential.

13. Contact

Feel free to contact us for further details here: active-support@velux.com

14. Appendix 1 - VELUX Sales Companies 

UE VELUX Roof Windows, Str. L. Bedi 31 Minsk, Belarus  - Reg.no. 800013811
VELUX (CHINA) Co., Ltd., No. 21 Baihe Road Hebei Province, China - Reg. no. 131000400004111
VELUX America LLC, 104 Ben Casey Drive Fort Mill, United States of America - Reg. no. 04-2559488
VELUX Argentina S.A., Colectora Panamericana Buenos Aires, Argentina - Reg. no. 10.928, of Book 122, Volume "A"
VELUX Australia Pty. Ltd., 78 Henderson Road, Alexandria, New South Wales, 2015, Australia - ACN 001 841 541
VELUX Belgium, Boulevard de lEurope 121 Bierges, Belgium - BE 0412.621.370 (VAT)
VELUX Bosna i Hercegovina d.o.o., Dzemala Bijedica 295 Ilidza, Bosnia and Herzegovina - Reg.no. 1-18783
VELUX Bulgaria EOOD, Pelister 6 Sofia, Bulgaria - 121745393 (REG) /BG121745393 (VAT)
VELUX Canada Inc., 2740 Sherwood Heights Dr. Oakville Ontario, Canada - 016617-1 (Co. No.)/10550434RC0001 (BN – Business No.)
VELUX Çati Pencereleri Ticaret Limited Sirketi, Girne Mah. Girne Cad.Istanbul, Turkey - 9240119663 Erenkoy (REG)
VELUX Ceská, republika, s.r.o. Sokolova 654/1d, Horní Heršpice, 619 00 Brno, Czech Republic - 00532592 (IC)/ CZ00532592 (VAT)
VELUX Chile Limitada, San Patricio 4099 Santiago, Chile - Reg. on page 6926 No. 3787, year 1983
VELUX Company Ltd., Woodside Way Fife, United Kingdom - SC070286 (REG)
VELUX Danmark A/S, Breeltevej 18 Hørsholm, Denmark  - DK 46911415 (VAT)/4911415 (CVR)
VELUX Deutschland GmbH, Gazellenkamp 168 Hamburg, Germany - 10042086 (REG)/EE100272657 (VAT)
VELUX Eesti OÜ, Peterburi tee 2 A Tallinn, Estonia - DE118585357 (VAT)
VELUX France, 1 rue Paul Cézanne Morangis, France - 970200044 0083 (SIREN/SIRET)/FR05 97020044 (VAT)
VELUX Hrvatska d.o.o., Avenija Veceslava Holjevca 40 Zagreb, Croatia - 17798323753 (OIB)
VELUX Italia s.p.a., Via Strà 152 Colognola ai Colli, Italy - 03726650157 (CF – Codice Fiscale)
VELUX Japan Ltd., 1-23-14 Sendagaya Tokyo, Japan - Reg.no. 018011
VELUX Latvia SIA, Liepajas iela 34 Riga, Latvia - 40003279195 (Co. REG)/40003279195 (VAT)
VELUX Lietuva, UAB, S.┼Żukausko 49 - 8A Vilnius, Lithuania - 111543443 (Co. REG/Valst.reg.Nr.)
VELUX Magyarország Kft., Zsófia utca 1-3 Budapest, Hungary - 10192207208 (VAT)
VELUX Nederland B.V., Molensteijn 2 De Meern, Netherlands - 30090412 (KvK Nummer)/NL001763775B01 (VAT)
VELUX New Zealand Ltd., 62B Princes Street Auckland, New Zealand - 649329 (REG)/9429000070706 (NZBN -Business no.)
VELUX Norge AS, Gjerdrumsvei 10D Oslo, Norway - NO917170967MVA (VAT)
VELUX Polska Sp. z o.o., ul. Krakowiaków 34 Warszawa, Poland - 006228649 (REGON)/KRS 0000018788 /PL5210091891 (VAT)
VELUX Portugal, Lda., Travessa das Pedras Negras Lisboa, Portugal - 507564138 (Fiscal No.)/PT507564138 (VAT)
VELUX Romania S.R.L., Aurel Vlaicu 40 Brasov, Romania - RO9434380 (Registry of commerce/VAT)
VELUX Schweiz AG, Industriestrasse 7 Trimbach, Switzerland - CHE-105.915.054 (Handelsregister-Nr.)/CHE-105.915.054 MwSt (VAT)
VELUX Slovenija d.o.o., Ljubljanska cesta 51A Trzin, Slovenia - 5933951 (Company ID)/SI88149161 (VAT)
VELUX Slovensko, s.r.o., Galvaniho 7/A Bratislava, Slovakia - Sri 4901/B (Co. Reg. No.)/31348611 (ID No.)/SK1010191460 (VAT)
VELUX Spain, S.A., Calle Chile 8 Madrid, Spain - A82477571 (CIF)/ESA82477571 (VAT)
VELUX Srbija d.o.o., dr Ive Popovica Ðanija 3 Beograd, Serbia - Reg. no. BD 62807
VELUX Suomi Oy, Lämmittäjänkatu 6 Helsink, Finland - FI 03983401 (VAT)
VELUX Svenska AB, Karbingatan 22 Helsingborg, Sweden - SE556221330501 (VAT)
VELUX Ukraina TOV, Revutskoho 44 Kiev, Ukraine - 31662199 (REG)
VELUX Österreich GmbH, Veluxstrasse 1 Wolkersdorf, Austria - ATU19046100 (VAT)
ZAO VELUX ul., Nizhnyaya Syromyatnicheskaya 10 Moscow, Russian Federation - MPII 007.058