Privacy policy for the area of the QIVICON platform requiring registration

General

 

Deutsche Telekom AG attaches great importance to protecting your personal data. We always inform you what personal data we collect, how your data is used, and how you can influence the process.

 

1. Where can I find the information that is important to me?

This data privacy information provides an overview of the items which apply to Deutsche Telekom processing your data in this web portal. Further information, including information on data privacy on specific products, is available at https://www.telekom.com/de/verantwortung/datenschutz-und-datensicherheit/datenschutz and at http://www.telekom.de/datenschutzhinweise.

 

2. Who is responsible for data processing? Who should I contact if I have any queries regarding data privacy at Deutsche Telekom?

Deutsche Telekom AG is responsible for your data. Our address is Friedrich-Ebert-Allee 140, 53113 Bonn (Germany). If you have any queries, please contact our Customer Services department or the Group Data Privacy Officer, Dr. Claus D. Ulmer, Friedrich-Ebert-Allee 140, 53113 Bonn, datenschutz@telekom.de.

 

3. What rights do I have?

You have the right

a) To request information regarding categories of the processed data, processing purposes, possible recipients of the data, and the planned storage duration (Article 15 GDPR);
You can download all the saved data in your personal area as "My QIVICON" at https://www.qivicon.com/account/export as a .csv file.
b) To request that incorrect or incomplete data be rectified or supplemented (Article 16 GDPR);
c) To withdraw consent at any time with effect for the future (Article 7 (3) GDPR);
d) To object to the processing of data on the grounds of legitimate interests, for reasons relating to your particular situation (Article 21 (1) GDPR);
e) To request the erasure of data in certain cases under Article 17 GDPR – especially if the data is no longer necessary in relation to the purposes for which it was collected or is unlawfully processed, or you withdraw your consent according to (c) above or object according to (d) above;
f) To demand under certain circumstances the restriction of data where erasure is not possible or the erasure obligation is disputed (Article 18 GDPR);
g) To data portability, i.e., you can receive your data that you provided to us, in a commonly used and machine-readable format such as CSV, and can, where necessary, transfer the data to others (Article 20 GDPR);
h) To file a complaint with the competent supervisory authority regarding data processing (for telecommunications contracts: the German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit); for any other matters: State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (Landesbeauftragter für den Datenschutz und die Informationsfreiheit Nordrhein-Westfalen).

 

4. Who does Deutsche Telekom pass my data on to?

To processors, i.e., companies we engage to process data within the legally defined scope, Article 28 GDPR (service providers, agents). In this case, Deutsche Telekom also remains responsible for protecting your data. We engage companies particularly in the following areas: IT, sales, marketing, finance, consulting, customer services, HR, logistics, printing.

 

To cooperation partners who, on their own responsibility, provide services for you or in conjunction with your Deutsche Telekom contract. This is the case if you order services of these partners from us, if you consent to the involvement of the partner, or if we involve the partner on the basis of legal permission.

 

Owing to legal obligations: In certain cases, we are legally obliged to transfer certain data to a state authority that requests it.

 

5. Where is my data processed?

As a general rule, your data will be processed in Germany and other European countries.
If, in exceptional cases, your data is also processed in countries outside the European Union (i.e., in third countries), this is done only if you have explicitly given your consent, if it is required so we can provide you with services, or if it is prescribed by law (Article 49 GDPR). Furthermore, your data is only processed in third countries if certain measures ensure a suitable level of data protection (e.g., EU Commission's adequacy decision or suitable guarantees, Article 44 et seq. GDPR).

 

6. What data is collected and how is it used?

In the following section we describe the various areas of our platform in which personal or pseudonymous data is required, which data is recorded and processed there, and why we require this. This refers specifically to QIVICON, the Smart Home platform of the provider, Deutsche Telekom AG.
This comprises the QIVICON Home Base including operating software and firmware, the protected area of the QIVICON web portal at.qivicon.com and the QIVICON backend and cloud systems.

 

6.1 Visit to the QIVICON.com web portal

Technical features: When you visit our websites, the web server temporarily records the domain name or your computer's IP address, the file requested (file name and URL) by the client, the http response code, and the website from which you are visiting us.
The recorded data is used solely for data security purposes, particularly to protect against attempted attacks on our web server (Article 6 (1f) GDPR). We do not use it to create individual user profiles nor do we share this information with third parties. It is erased after seven days at the latest. We reserve the right to statistically analyze anonymized data records.

 

6.2 Registration on QIVICON.com (Article 6 (1b) GDPR)

In order to use the product of one of our cooperation partners (e.g., Magenta Smart Home from Telekom Deutschland GmbH – you may refer to the overview of all available products at https://www.qivicon.com/de/produkte/pakete/). Registration and the creation of a customer account are necessary for clear identification and in order to ensure that you are the only one to have access to your Smart Home installation.

 

We therefore require the following from you:

  • A valid e-mail address
  • A password known only to you
  • Your first and last names

 

After you enter your e-mail address, you will receive an e-mail from us requesting you to confirm the address. In this way we ensure that you have access to the e-mail account in question. The password is not stored in plain text format, but as a so-called hash value. Naturally, none of the provider's employees are aware of the password.

 

You may also let us know your postal address. This makes it easier for our Customer Services to identify you. However, it is not strictly necessary to provide this information.

 

It is also necessary for you to pass on to us the serial number of your Home Base so that we can provide your Smart Home software and our Customer Services can support you in the event of any problems.

 

In order for us to send you important information regarding your product, it is necessary for you to review your data regularly and to update it if required.

 

6.3 Setup and use of your QIVICON Home Base (Article 6 (1b) GDPR)

QIVICON Home Base is the name of all compatible devices to manage your smart devices, such as Home Base or Speedport Smart, for example.
In order to set up your QIVICON Home Base we will ask for your IP address on one occasion and pass it on to T-Systems International AG. This is necessary to set up the correct timezone for your Home Base. After ascertaining the timezone, the IP address will immediately be deleted.
In addition, in order to ensure smooth operations we record the MAC address of the Homematic chip on your QIVICON Home Base or of your Homematic USB stick and store it in the system.

 

For the use of your Home Base and communication with the smart sensors and actuators connected with them (e.g., heating controls, motion sensors, cameras, etc.) it is necessary to store additional data locally on your Home Base. This concerns the control via a mobile device or via voice control using the device of a third party provider.

 

  • Configuring situations
  • Configuring the alarm system
  • Configuring the heating
  • Configuring the house sitter
  • Configuring the switches
  • Notification settings
  • IDs of the connected devices
  • Status reports of the devices
  • Measured values
  • Switching operations
  • Possibly user-defined names of Home Base and rooms
  • Possibly lock code of your keypad if it is connected

 

For smooth operation, we store the ID of your Home Base, and to investigate the correct license we store the license ID locally on your Home Base.

 

In order to provide a notification by SMS, it is necessary to store on the Home Base the SMS numbers that you have stated (Article 6 (1a) GDPR), along with the sent messages.

 

To be able to send a push notification (Article 6 (1a) GDPR) to your device, it is also necessary for us to store a device ID and the telephone number of your device.

 

IMPORTANT: Deutsche Telekom AG has no access to this data without your authorization or prior anonymization (see also Sections 6.5, 6.13).

 

6.4 Your remote access to your Home Base via web or by app.

So that you can also have access to your Home Base and the connected devices when you are not at home, it is necessary for secure communication between your device and your QIVICON Home Base to be established. The identification of your customer account and sending of your QIVICON customer ID is necessary for this purpose. Then the details required for remote control of your Smart Home installation will be transferred via an existing, encrypted connection. This comprises sensor and actuator data such as device and space configurations and rules.

 

6.5 Use of the backup function of the QIVICON Home Base (Article 6 (1a) GDPR)

QIVICON offers its customers the possibility of storing important data and settings to ensure against downtime, in order to restore the previous state of the configuration in the event of an update, a reset, or a downtime of the QIVICON Home Base. Customers have two options as to how to save their backups: storing backups locally on the QIVICON Home Base, and storing them in the QIVICON Cloud. When storage takes place in the QIVICON Cloud, the data is transferred in encrypted and stored form. In both cases the backup data may only be used for the purpose described above and cannot be seen by employees of Deutsche Telekom or third parties.

 

The following data is saved when a backup is created for restore purposes:

 

  • State-of-the-art sensor and actuator states
  • Configuration data for situations
  • Default temperatures
  • The personal time program
  • Events (for example, windows opened, low batteries)
  • Notifications of events
  • Access data for the QIVICON customer account
  • The devices used and the device configurations
  • The rooms controlled and room configurations

 

If required, additional information is transferred from your Smart Home product to your backup for storage purposes. More precise information on which data the application you are using provides for the backups is available in the Data Privacy Notes for the Smart Home product you are using.

 

6.6 Customer Services and QIVICON remote diagnosis

If, while using QIVICON, you need to make use of Customer Services (you can find contact information on the individual providers at https://www.qivicon.com/de/support/), we or the respective Smart Home product provider whose product you have acquired, create so-called tickets with your customer data and your problem, so that you and other Customer Services employees can track the progress of your request. (Article 6 (1b) GDPR)

 

Though the staff are experts in dealing with questions concerning Smart Home products, there are situations where further information is necessary to resolve your query. In these cases, you can authorize the Customer Services staff to check for additional data from your QIVICON Home Base and all connected devices. Your explicit consent is required for this purpose (Article 6 (1a) GDPR).
Depending on the situation you may give your consent to a one-time data transfer or a permanent data transfer for up to fourteen days. The data collected in this way is used exclusively for customer services purposes and is deleted when the last open ticket in Customer Services is closed, and after 28 days at the latest.

 

Of course you may also revoke your consent for data transfer at My QIVICON => Settings => Home Base => Remote diagnosis (Mein QIVICON => Einstellungen => Zentrale =>Ferndiagnose).
https://www.qivicon.com/account/diagnostics
The data transferred during the diagnosis includes the following information:

 

  • Fault reports and warnings that are received at the QIVICON Home Base (so-called logfiles)
  • Information on the technical status of your QIVICON Home Base (e.g., memory utilization)
  • Information on the status of the devices connected to your Home Base (e.g., change from switched on to switched off)
  • Information on measured values of the devices connected to your Home Base (e.g., temperatures)
  • Information on time-controlled processes (e.g., activation time of a sensor or actuator)
  • Access to established rules, situations, rooms, and other configuration parameters
  • Access to log data of the Smart Home products used

 

6.7 Adding of devices with a cloud or platform connection

Some devices of our cooperation partners for devices require a connection to the cloud or the platform of the respective device provider. Normally, advance registration in the portal of the respective device provider is required for this purpose.
Depending on the provider, it may then be necessary for you to authenticate yourself when connecting, either by entering the access details of the portal to the cloud of the device provider vis-à-vis QIVICON, or to authenticate yourself in the provider's portal with your QIVICON registration details, in order to render an exchange of information possible.
This exchange may require the transfer of personal data such as the exchange of a room temperature between the QIVICON platform and the platform of the device provider, in order to enable the correct presentation of the values in your Smart Home product or at the device supplier's.
Please check what information is transferred in detail in individual cases before consenting to the data transfer.

 

6.8 Use of cameras to display or store images or videos (Article 6 (1a) GDPR)

QIVICON provides its customers with the opportunity to integrate devices for the transfer, recording, and storage of images and videos into the Smart Home installation.

 

Live transfer of images
In the event of remote access to the camera images (e.g., via an app on a tablet), it is necessary for the image data to be transferred via part of the QIVICON platform. For this purpose, a secure, encrypted communications channel and live data access only able to be called upon for the duration of usage by the QIVICON platform is provided for communicating between your device (e.g., your smartphone) and your Home Base. The images and videos are not saved and CANNOT be seen by employees of QIVICON or Deutsche Telekom AG.

 

Storage of images on a cloud platform (Article 6 (1a) GDPR)
For the temporary or long-term storage of images and videos, the QIVICON platform permits access to already existing cloud services, such as the Magenta Cloud of Telekom Deutschland GmbH. For this purpose it is necessary to enter your access details so that direct storage in your cloud account is possible. The access details are also stored locally on your Home Base.
Depending on the Smart Home product used, storage of the video data takes place on servers of Strato AG. For this purpose, cloud accounts are set up at Strato AG if required and connected to your QIVICON customer account. Your details are stored exclusively on servers in Germany or the EU. Other information on data privacy at Strato AG is available at https://www.strato.de/datenschutz/.

 

Please note that access to these images may be provided to security firms for monitoring purposes, depending on the Smart Home product used. However, this only takes place if you have ordered an appropriate security product from one of our cooperation partners and this is required to perform the service for this security product (Article 6 (1b) GDPR). For further information, please also check the data privacy notes of your Smart Home product provider.

 

6.9 Use of components for voice control (Article 6 (1a) GDPR)

For the use of components for voice control it may be necessary for personal details to be transferred from the Smart Home platform to the respective device provider.
Thus some of the Smart Home products available for our platform (e.g., Magenta Smart Home) permit voice control via Amazon Echo via the Magenta Smart Home Skill. For this purpose, depending on the provider it may be necessary to transfer personal details.
However, to use this it is necessary first to activate the relevant Skill for Amazon Echo in your account, and to subsequently connect to your QIVICON customer account.

 

Further information on this subject is available from the data privacy information and notes regarding the Smart Home product you are using (e.g., www.smarthome.de/app).

 

6.10 Use of data from your Smart Home installation (Article 6 (1a) GDPR)

Individual application cases (e.g., the display of a longer-term use or activity history of your Smart Home installation) require a pseudonymized or personal storage of your user data on our servers. This only takes place with your consent, which we require from you before the first data transfer and storage, and only for the respective purpose. Of course you can revoke this consent at any time.

 

6.11 Information on platform or product updates (Article 6 (1b) GDPR)

At irregular intervals we send our own information e-mails or other e-mails on behalf of our cooperation partners to our users. These contain information on new product versions, fault clearances, incident reports, or important contractual changes.
For sending out this information we work with Mapp Digital Germany GmbH as a processor, and for this purpose we provide it with your e-mail address, first and last names, and with information as to which product configuration you use.

 

6.12 Device monitoring (Article 6 (1 b) GDPR)

To be able to recognize difficulties on the QIVICON Home Bases used by our customers, we also transfer the data of your Home Base in pseudonymized form (that is, identification with a specific person is possible, though it involves effort) to our processor, Deutsche Telekom IT GmbH.
The technical information transferred in this connection includes:

 

  • Class of devices
  • Firmware
  • Operating software version
  • Memory utilization
  • CPU utilization
  • Error data (so-called logfiles)
  • and additional utilization of the usage habits

 

6.13 when using the QIVICON Home Base (Article 6 (1a) GDPR)

We wish to constantly develop the QIVICON platform further and adapt it to your requirements. For this purpose we and our Smart Home devices and cooperation partners require information from your QIVICON Home Base and the devices connected to it.
This data is transferred to our servers in encrypted form and anonymized and further processed there, that is, it is no longer possible to assign it to a customer. Anonymizing is performed in different ways, depending on the respective data type. For example, customer numbers are replaced by hash values. Time stamps that would allow indirect conclusions to be drawn to individual persons are recalculated through a random value.
We take your concerns regarding data transfer very seriously. Thus, if you do not consent to this transfer and storage, and although this is not statutorily prescribed, you can at any time object to this transfer at https://www.qivicon.com/account/analytics.

 

6.14 Can I deregister from the QIVICON service? (Article 6 (1b) GDPR)

Deregistration is possible at any time. Please contact QIVICON Support to do so. Please note that all your user authorizations for your Smart Home products will be deleted beforehand. Depending on the contract and termination period of your Smart Home product, it may be possible that you will continue to be charged fees by the provider of the product. If you have any questions about this, please contact the provider of your Smart Home product directly.

 

6.15 How long will my data be stored? (Article 13 (2a) GDPR)

Deutsche Telekom AG will always only store your data as long as is absolutely necessary for the provision of the service (in this case QIVICON).
After your deregistration from QIVICON, the personal details will be removed within six months, and the remaining information will only be stored to clarify billing-relevant issues and as part of statutorily prescribed retention periods.

 

7. Will my usage habits be evaluated, e.g., for advertising purposes?

7.1 Evaluation of usage habits when visiting our website

Explanations and definitions
We want you to enjoy using our websites and take advantage of our products and services. We have an economic interest in ensuring this is the case. We analyze your usage habits on the basis of anonymized or pseudonymized data so you can find the products that interest you and so we can make our websites user-friendly. We or companies commissioned by us to process data create usage profiles to the extent permitted by law. This information cannot be traced back to you directly. Subsequently we inform you generally about the various purposes and techniques. Afterwards you have the right to revoke your consent. However, please remember that in this case you may not have access to the full range of functions offered by our websites.

 

Purposes (Art. 6 (1f) GDPR)/§ 15 (3) German Telemedia Act (Telemediengesetz – TMG)

 

Profiles for designing the web portal based on needs
We use clickstream analysis to improve our websites constantly. The clickstream corresponds to your movement path on the websites. Analyzing the movement paths provides us with an insight into usage habits on our websites. This lets us identify possible structural errors in the websites and thus improve the websites so they are optimally tailored to your needs. Individual users are not identified at any time.


Techniques

 

Cookies
We use cookies for certain services. These are small text files that are stored on your computer. They enable the system to tell if you repeatedly visit websites from the same computer.

 

Session cookies are cookies that are only stored on your computer for the duration of your Internet session and are required for transactions (e.g., to log in or to complete a purchase). They simply contain a transaction ID.

 

For certain services, we use persistent cookies, which are stored on your computer for future sessions. In this case, we notify you about the cookie's storage period.

 

You can set your browser to prevent these cookies being stored or to delete the cookies at the end of your Internet session. However, please remember that in this case you may not have access to the full range of functions offered by our websites. For information about browser settings go to: https://www.sicherdigital.de/sicher-surfen#sicher-surfen-browsereinstellungen.

 

----------------------------------------------------------------------------------------------------------------------------
Deutsche Telekom AG
May 5, 2018