This Privacy Policy contains details of the manner, scope and purpose of the processing of personal data (hereinafter referred to as "data") within the CONTI+ Service App. With regard to the terminology used, such as "processing" or "controller", we refer you to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller

CONTI Sanitärarmaturen GmbH
Hauptstraße 98
35435 Wettenberg, Germany

Email address: info(at)conti.plus
Managing Director: Andreas Kregler
Email address of the Data Protection Officer: datenschutz(at)conti.plus

Types of data processed

During register to the APP the following data will be collected and saved on the end user device and within the CONTI+ cloud.

· User name and password
· Contact data (emails and phone numbers)
· Contact data (name and surname) in case of user level upgrade
· Date and time of register
· Usage data (e.g. product information)
· Communication data (e.g. device information)

Categories of data subjects

All users of the online offer (hereinafter the persons concerned are referred to collectively as "users").

Purpose of the processing

Verifying of user rights Operation with the security structure and functionality of the APP
Responding to enquiries and communication with users.
Security measures
Simplifying of individual product settings
Statistic data information for communication

Digital data storage until uninstalling of the APP and cancellation of the user account within CONTI+ cloud by the user.

Sensitive authorisations on the terminal device

For the use of the APP the following authorisation for the end user device are necessary:

INTERNET
BLUETOOTH_ADMIN
BLUETOOTH
ACCESS_FINE_LOCATION
ACCESS_COARSE_LOCATION
READ_EXTERNAL_STORAGE
WRITE_EXTERNAL_STORAGE
ACCESS_NETWORK_STATEF

For simplifying the service support additional authorisation of the end user device could be necessary (request during installation)

• Access to phone function (take calls and administration of calls)
• Access to camera

Authorisation for the end user device could be cancelled by user at any time.

Terminology used

"Personal data" means all the information relating to an identified or identifiable natural person (hereinafter referred to as "person concerned"). A natural person is considered to be identifiable if they can be identified, directly or indirectly, particularly by assigning an identifier such as a name, identification number, location data, online identifier (e.g. cookie) or one or more specific characteristics, which are an expression of the physical, physiological, genetic, psychological, financial, cultural or social identity of this natural person.

"Processing" means any process which is completed, with or without the help of automated procedures, or any such series of processes in connection with personal data. The term is far-reaching and covers virtually every type of data handling.

"Controller" means the natural or legal person, authority, institution or other body which, alone or jointly with others, determines how and for what purpose the processing of personal data takes place.

"Data processor" refers to a natural or legal person, authority, institution or other body, which processes personal data on behalf of the controller.

Relevant legal basis

In accordance with Article 13 GDPR, we are able to inform you of the legal basis for our data processing. Unless the legal basis is specified in the privacy policy, the following shall apply: The legal basis for obtaining consent is Article 6(1)(a) and Art. 7 GDPR, the legal basis for processing in order to fulfil our performance and to implement contractual measures as well as the answering of queries is Article 6(1)(b) GDPR, the legal basis for processing in order to fulfil our legal obligations is Article 6(1)(c) GDPR, and the legal basis for processing to protect our legitimate interests is Article 6(1)(f) GDPR. In the event that vital interests of the person concerned or another natural person make the processing of personal data necessary, the legal basis will be Article 6(1)(d) GDPR.

Security measures

In accordance with Article 32 GDPR, taking into account the latest technology, the cost of implementation and the type, scope, circumstances and purpose of data processing, as well as the probability and seriousness of risks occurring for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure an adequate level of protection against the risk.

The measures include, in particular, the safeguarding of confidentiality, integrity and availability of data by controlling physical access to the data, as well as the relevant access, input, disclosure, safeguarding of availability and separation of this data. Furthermore, we have established processes to ensure observation of the rights of the persons concerned, the deletion of data and response to the exposure of data. In addition, we also take into account the protection of personal data as early as the development stage, or selection of hardware, software and procedures, according to the principle of data protection through technical design and through privacy-friendly preselection (Article 25 GDPR).

Cooperation with data processors and third parties

If we disclose data to any other person or business (data processors or third parties) as part of our processing, transmit the data to these parties or otherwise grant them access to the data, this will only be done on the basis of legal authorisation (e.g. when the transmission of data to third parties, such as to payment service providers, is necessary to fulfil the contract in accordance with Article 6(1)(b) GDPR) for which you have given your consent, subject to a legal obligation or on the basis of our legitimate interests (e.g. the use of representatives, web hosters).

If we appoint third parties to process data on the basis of a "data processing contract", this will be done on the basis of Article 28 of the GDPR.

Transmission to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) process or this happens within the framework of the use of services by third parties or data is disclosed or transmitted to third parties, this is done only to fulfil our (pre)contractual obligations, on the basis of your consent, based on a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual authorisation, we process the data or have the data processed in a third country only where the special provisions of Article 44 ff. GDPR exist. In other words, processing is performed on the basis of special guarantees, such as the official recognition of an EU-equivalent level of privacy (e.g. for the USA the "privacy shield") or compliance with officially recognised special contractual obligations (known as "standard contractual clauses").

Rights of the persons concerned

You have the right to request confirmation whether the data concerned is processed and to request information about this data, as well as additional information and a copy of the data in accordance with Article 15 GDPR.

You have the right, in accordance with Article 16 GDPR, to request the completion of data or the amendment of inaccurate data held about yourself.

You have the right, in accordance with Article 17 GDPR, to request that data be deleted immediately or, alternatively, in accordance with Article 18 GDPR, to request that processing of the data be restricted.

You have the right to request that the data you have provided to us is maintained and transmitted to other responsible persons in accordance with Article 20 GDPR.

You also have the right, in accordance with Article 77 GDPR, to file a complaint with the relevant supervisory authority.

Der Hessische Beauftragte für Datenschutz
Postfach 3163
65021 Wiesbaden
poststelle(at)datenschutz.hessen.de

Right of revocation

You have the right to revoke all consent in accordance with Article 7(3) GDPR with respect to future use.

Right of revocation for direct marketing

You can revoke the future processing of your data in accordance with Article 21 GDPR at any time. Revocation can apply in particular to the processing of data for the purpose of direct marketing.

Deletion of data

The data processed by us will be deleted or the processing restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated in this privacy policy, the stored data will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any legal obligations to retain data. If the data is not deleted because it is required for other purposes permitted by law, its processing will be restricted. In other words, the data will be locked and will not be used for other purposes. This applies, for example, to data that must be kept for commercial or tax reasons.

In accordance with statutory requirements in Germany, the data will be kept for 10 years in accordance with §§ 147 para. 1 AO, 257 para. 1 No. 1 and 4, para. 4 of the German Commercial Code (books, records, management reports, bookkeeping vouchers, account books, taxation documents, etc.) and 6 years in accordance with § 257 para. 1 No. 2 and 3, para. 4 of the German Commercial Code (commercial letters).

In accordance with statutory requirements in Austria, the data will be kept for 7 years in accordance with § 132 para. 1 of the Austrian Federal Tax Code (bookkeeping records, receipts/invoices, accounts, supporting documents, business papers, statement of income and expenditure, etc.), for 22 years in connection with property and for 10 years for documents relating to services delivered electronically, telecommunications, radio and television services that are provided to consumers in EU Member States and for which the Mini-One-Stop-Shop (MOSS) has been applied.

Hosting

Our hosting services will be used to provide the following services: Infrastructure and platform services, computing capacity, storage space, database services, security services as well as technical maintenance services, which we use to operate this online offer.

We, or our hosting provider, will process inventory data, contact data, content data, contract data, usage data, metadata and communication data from customers, prospects and visitors to this online offer on the basis of our legitimate interests with respect to the efficient and secure provision of this online offer in accordance with Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (completion of data processing contract).

Collection of access data and log files

We, or our hosting provider, on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR, will collect data about each access to the server on which this service is located (known as server log files). Access data includes the name of the accessed page, file, date and time of access, volume of data transferred, notification of successful access, web browser and version, user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

For security reasons (e.g. for the investigation of abuse or fraud), log file information will be stored for a maximum period of 7 days and then deleted. Data which needs to be retained for evidential purposes will not be deleted until the relevant investigation has been completed.

Integration of services and content of third parties

As part of our online offer, and on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and financial operation of our online offer in accordance with Article 6(1)(f) GDPR), we will use content or service offers from third party providers in order to integrate their content and services, such as videos or fonts (hereinafter referred to collectively as "Content").

This always assumes that the third party provider of this content knows the IP address of the user, as without the IP address they could not send the content to the browser. The IP address is therefore required in order to display this content. We strive only to use content for which the respective provider uses the IP address only for the purpose of delivering such content. Third party providers can also use "pixel tags" (invisible graphics, also known as "web beacons") for statistical or marketing purposes. These "pixel tags" can be used to evaluate information such as visitor traffic to the pages of this website. The pseudonymised information can also be stored in cookies on the user's device and contain, among other things, technical information about the browser and operating system, referring websites, visit time and other information about the use of our online offer, as well as a link to such information from other sources.

Email contact

Whenever you contact us (e.g. via a contact form or email), we process your information in order to deal with your enquiry, and to handle any connection issues that may arise.

If data processing is carried out in order to implement pre-contractual measures resulting from your enquiry, or if you are already our customer, the legal basis for this data processing to ensure completion of the contract is Article 6(1)(1b) GDPR.

We will only process further personal data if you give your consent (Article 6(1)(1a) GDPR) or if we have a legitimate interest in the processing of your data (Article 6(1)(1f) GDPR). For example, a legitimate interest would include the ability to answer your email.

Terms of use for reCAPTCHA

You acknowledge and are aware of the fact that the functionality of reCAPTCHA API is based on the collection of hardware and software information, e.g. device and application data, and transmission to Google for purposes of analysis. The information gathered when using the service is used in order to improve reCAPTCHA and for general security purposes. It is not used by Google for personalised advertising. Users in the EU: our API clients comply with the EU user consent policy.

Geolocation

In order to localise and display content applicable to a certain country, we use GeoLite2 by Maxmind (www.maxmind.com). You can object to your country being identified by selecting the appropriate objection in the cookie settings. If you object, we cannot guarantee the display of advertisements for products that are available in your country.