Privacy Policy

1. Definitions.

1. Controller: Terma Sp. z o.o. (limited liability company) with its registered office in Czaple, Czaple 100, 80-298 Gdansk, Poland, NIP (VAT No.): 5831018844, KRS number 0000069067.
2. Personal Data:  any information relating to a natural person who is identified or identifiable by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including image, voice recording, contact data, location data, information included in correspondence, information collected by means of recording equipment or any other similar technology.
3. Policy: this Privacy Policy.
4. GDPR : Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
5. Data Subject: every natural person whose Personal Data is processed by the Controller, e.g. application User.

2. The processing of data by the Controller.

In connection with its economic activity, the Controller collects and processes Personal Data in line with relevant regulations, particularly with the GDPR and the data processing rules set out therein.

The Controller ensures transparency of data processing, in particular it always informs about data processing at the time of collection, including the purpose and legal basis of processing. The Controller always makes sure that the data is collected only in such scope as is necessary for the specified purpose, and that it is processed within the necessary timeframe only.

When processing the data, the Controller ensures data security and confidentiality, and facilitates access to the information on said processing for Data Subjects. Should a Personal Data breach (e.g. a “leak” or loss of data) occur despite the security measures applied, the Controller shall, in a manner compliant with regulations, notify the Data Subjects whose data has been breached.

3. Contacting the Controller.

The Controller can be contacted by e-mail at: service@termasmart.com  or by post addressed to: Terma Sp. z o.o., Czaple 100, 80-298 Gdańsk, Poland.

4. Security of Personal Data.

The Controller makes all necessary efforts to protect the Personal Data of customers and users against unauthorized access by third parties. In this respect, it applies high-level organizational and technical security measures. The Controller does not share Personal Data with any unauthorized entities. The Controller may entrust another entity, by way of a written contract, to process Personal Data on behalf of the Controller. Personal Data may be disclosed to the Controller’s employees or associates and entities providing support to the Controller on the basis of outsourced services and in accordance with the entrustment agreements concluded. The Controller also takes all necessary steps to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process Personal Data on behalf of the Controller. Personal Data may also be made available to entities authorized to receive them under the mandatory provisions of law.

The Controller analyses risk on an ongoing basis and monitors the adequacy of applied data safeguards to identified threats. If necessary, the Controller implements additional measures to increase the security of data.

5. The method of collecting the User’s Personal Data.

We collect and use the Personal Data provided by the User while interacting with the Controller, as well as while downloading and using the Controller’s application.

Personal Data may include:

• User’s name,
• User’s ID number,
• User’s address data,
• products or services used by the User or his or her company,
• e-mail address,
• User’s opinions and preferences regarding the product,
• model and version of the device used by the User,
• User’s communication preferences,
• User’s feedback on services,
• any location data that the User decides to share,
• Cloud ID,
• User’s IP address,
• telephone number,
• specific information collected from the control device, including log files and network information and, depending on the services selected, location data.

The User does not have to provide the above-mentioned Personal Data, but should be aware that failure to provide them will prevent the use of the application or its selected functionalities.

6. Purposes and legal basis for the processing of data by the Controller.

The Controller processes Personal Data of Users in order to enable the use of services offered via mobile applications. Users’ data is processed in order to register and use mobile applications. The legal basis for data processing in this regard is its indispensability to perform the contract (Article 6 (1) (b) of the GDPR).

In addition, the Controller processes Users’ Personal Data in order to manage and maintain business relationships, including creating and maintaining accounts in systems, managing Users’ orders, answering all Users’ questions and recording and sharing such questions internally, as well as analysing and creating statistics in order to improve Controller’s products or services (Article 6 (1) (a) and (b) of the GDPR).

By means of mobile applications, the User may in particular: control the heating system, optimize the heating process by controlling it with geolocation, as well as use heating modes and other functionalities available within them.

7. Data recipients.

In connection with the economic activity which requires the processing of Personal Data, said data may be disclosed to external entities, including providers responsible for the operation and service of the IT systems and hardware, providers of legal, accounting, auditing, consulting services and marketing agencies. The data shall also be disclosed to the affiliates of the Controller (Terma Group). The Controller reserves the right to disclose selected information about the Data Subject to the competent authorities or third parties, who request to be provided with such information, on the basis of appropriate legal grounds and in line with applicable laws.

8. Transfer of data outside the European Economic Area.

The level of Personal Data protection outside the European Economic Area (EEA) differs from the level provided by European law. For this reason, the Controller transfers Personal Data outside the EEA only when necessary and with appropriate protection level provided, primarily through:

1. co-operation with Personal Data processing entities in the countries for which a relevant decision of the European Commission was issued;
2. application of standard contractual clauses issued by the European Commission;
3. application of binding corporate rules approved by the competent supervisory authority.

The Controller always communicates its intention to transfer Personal Data outside the EEA at the collection stage.

9. Time limit for the processing of Personal Data.

The time limit for the processing of data by the Controller depends on the type of service provided and the purpose of processing. The time limit for the processing of data may also result from legal regulations, when such regulations form the basis for the processing. If the data is processed on the basis of the Controller’s legitimate interest – e.g. for security reasons – it shall be processed for a period required to accomplish that interest or until an effective objection is filed with respect to data processing. If the processing is based on a consent, the data shall be processed until the consent is withdrawn. When the processing is based upon the data being needed to conclude and perform a contract, such data shall be processed until the termination thereof.

The time limit for data processing may be extended if the processing is necessary to determine, vindicate or defend against any possible claims, and after that period — only if and to the extent required by law. After the end of the time limit for processing, the data is irrevocably removed or anonymised.

10. Rights related to the processing of Personal Data.

The Data Subject has the following rights with regard to the processing of his or her Personal Data by the Controller:

1. to obtain information on how and to what extent his or her data is processed and to request for copies thereof. If the request includes copies of data, the Data Subject should specify the scope of data in the copy he or she wants to receive. The Controller may charge a fee for the second and subsequent copies, of which the applicant shall be notified. The amount of the fee shall correspond to the cost of its preparation;
2. to request the correction of his or her data (if it has been incorrectly saved or if it has changed), its deletion (if there is no basis for the Controller to process it) or limiting the scope of processing (if the Data Subject wants the Controller to process his or her data only to a limited extent, until considering the objection or request for correction of data, as well as when he or she wants the data to be stored in connection with his or her claims);
3. to request the transfer of his or her data that has been provided to the Controller in a structured, commonly used and machine-readable format. The received data can be transferred to the data controller of their choice. In addition, if it is technically possible, while maintaining appropriate security standards, the Controller, upon request and on behalf of the data owner, may transfer the data to the designated data controller;
4. to object against the processing of their data if the Controller is doing so on the basis of a legitimate interest;
5. to notify the Controller if the processing of Personal Data by the Controller violates the law. The Controller does its best to respond to the comments and suggestions of the Users;
6. to file a complaint to the supervisory body [in Poland - the President of the Personal Data Protection Office (known as the Inspector General for Personal Data Protection until 25 May 2018).

An application regarding the exercise of Data Subjects’ rights may be submitted:

• in writing to the address: Terma Sp. z o.o., Czaple 100, 80-298 Gdańsk, Poland;
• by e-mail directed to: service@termasmart.com

The applicant is asked to precisely specify as to what his or her application/request refers to, for example:

• specify the right the applicant wants to exercise (e.g. the right to receive a copy of the data, the right to data erasure, etc.);
• specify the process the request pertains to;
• specify the processing purposes the request pertains to.

Should the Controller be unable to determine the content of the request or identify the applicant on the basis of the received application, it will request additional information from the applicant.

The Controller’s reply shall be given within one month of receipt of the application. If this time limit needs to be extended, the Controller shall notify the applicant of the reasons for such extension.

The reply shall be sent to the e-mail address from which the application was sent, and in the case of applications submitted by post, by regular mail to the address indicated by the applicant, unless the content of the letter indicates a desire to receive feedback to the e-mail address (in such case, please provide e-mail address).

11. Changes to Policy.

The Policy may change at any time without notice, except where such changes may materially affect the rights of natural persons under applicable privacy and data protection laws, in which case the User shall be notified of such changes by appropriate notification.