PRIVACY POLICY OF LOQED
in force as of 31.08.2024
This Privacy Policy shall apply to the processing of personal data, that is or might be performed when using LOQED.com website (“the Website”), the LOQED IOS App and/or the LOQED Android App, (both “the Application”) and Loqed Devices, referred to all hereinafter as “the Loqed Services” / “the Services”.
When you interact with the Loqed Services, Shelly Europe Ltd. (“We”) are processing your Personal Data. We have developed this Privacy Policy to provide you with information about what information we collect, why we collect it, and what are your rights under the applicable data protection laws, including the European Union’s General Data Protection Regulation (“GDPR”).
The Personal Data related to the Services are processed by Shelly Europe Ltd., UIC: 202320104, having its seat and registered address in Europe, Bulgaria, 1407 Sofia, No 103 Cherni Vruh Blvd herein after referred to “the Controller” “Data Controller”.
You may address all your requests about the processing of your Personal Data to our Data Protection Officer via e-mail at dpo@shelly.com
The following words and expressions when commencing with a capital letter (including when used with a definitive article and/or used in plural) shall have the meaning and content stated herein unless the context requires otherwise:
We process the following categories of personal data for the provision of the Services:
User Account Details: names, email addresses, and passwords are collected when user creates accounts with the App or the Website.
Contact Information: email address, delivery address and phone number for the purposes of fulfillment of purchase orders;
Lock Usage Data: data on lock/unlock events, including timestamps and the method used (app, touch, or physical key).
Device Identifiers: Unique identifiers of the LOQED Device and connected devices (e.g., smartphones, tablets).
Geolocation Data: Precise geolocation data from mobile devices upon User’s permission for enabling features such as auto-unlock.
Log Data: IP addresses, browser types, internet service providers (ISPs), referring/exit pages, date/time stamps, and clickstream data are collected when the User accesses the Services.
App Usage Data: Information on how Users interact with the App, including feature usage and duration.
Support and Feedback: Records of users’ communications with Our support teams. Among the types of Personal Data that the Application collects, by itself or through third parties, there are: Tracker; Usage Data; email address; Precise location permission (non-continuous); Approximate location permission (continuous); HomeKit permission; Motion sensors permission; Bluetooth sharing permission; Google Home permission; various types of Data; first name; last name; phone number; physical address; company name; country; state; website; billing address; shipping address; User ID; language; city; Data communicated while using the service; Universally unique identifier (UUID); ZIP/Postal code; payment info; purchase history.
Complete details on each type of Personal Data collected are provided in the dedicated sections of this Privacy policy or by specific explanation texts displayed prior to the Data collection.
Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using any of the Services and/or the Device. Unless specified otherwise, all Data requested by this Services is mandatory and failure to provide this Data may make it impossible for Us to provide the Services. In cases where this Services specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Data controller.
Any use of Cookies – or of other tracking tools — by the Services or by third-party services used by this Services serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document.
Users are responsible for any third-party Personal Data obtained, published or shared by them through any of the Service.
We use the categories of collected personal data for:
Account Management: to create and manage User accounts and provide access to our Services.
Functionality and Security: to operate and enhance the functionality of the Loqed Devices, ensure security, and prevent unauthorized access.
Customer Support: to assist with troubleshooting, respond to inquiries, and improve customer support services.
Product Enhancements: to analyze usage data and feedback for improving LOQED products and services.
Marketing and Communication: to send updates, promotional materials, and other relevant information to Users who have opted in to receive such communications.
The Data controller takes appropriate security measures to prevent unauthorised access, disclosure, modification, or unauthorised destruction of the Personal data. The Data processing is carried out using computers and/or IT enabled tools, following organisational procedures and modes strictly related to the purposes indicated. In addition to the Data controller, in some cases, the collected Personal data may be accessible to certain types of persons in charge, involved with the operation of the Services (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Data controller.
Place
The Personal data is processed at the Data controller’s operating offices and in any other places where the parties involved in the processing are located. Depending on the User’s location, data transfers may involve transferring the User’s personal data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can check the section containing details about the processing of Personal Data.
The Data concerning the User is collected to allow the Controller to provide its Services, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as the following: Cookies Third Party Services (incl. Advertising cookies, Analytics, Heat mapping and online survey, Tag management, User data base management), Data Management (for the purposes of support, management of purchase orders and warranty claims), Contacting the user, Device permissions for Personal Data access, Handling payment, Hosting and backend infrastructure, Interaction with online survey platforms, Managing contacts and sending e-mail and In app massages, Managing data collection and online surveys, Tax, Legal and Compliance advising services, Delivery services.
For specific information about the Personal Data used for each purpose, the User may refer to the section “Detailed information on the processing of Personal Data”.
The controller may disclose Your Data internally within its business group and to the following entities, but only for the purposes described above. The following categories of Third-Party Service Providers may process your Personal Data as part of our operations:
⦁ Affiliates – other companies within the group of Shelly Group PLC to which Shelly Europe Ltd. belongs to carry out business activities on a regular basis;
⦁ Integrators of third-party products or services to which you can connect the Service to control those products or services. These business partners control and manage Your personal information only upon your explicit consent to share Your Data with them which you can withdraw anytime. These business partners process Your Data in compliance with their own privacy policies and rules and therefore before deciding to share Your Access to the Service or a Shelly Device with them, You should read these carefully;
⦁ Service providers – carefully selected companies that provide services for or on our behalf, such as providers of cloud services, customer support services, e-mail and messaging services, including direct marketing services, infrastructure supply and IT services;
⦁ Payment service providers – licensed payment institutions which facilitate the payment process for pre-paid subscription Services
⦁ Professionals in various fields (such as but not limited to external marketing, product and service consultants, auditors, legal, finance and accountancy advisors) for maintenance and improvement the quality of the Service, ensuring compliance with regulatory requirements, protection of our legitimate rights and interests in court and administrative proceedings;
⦁ State bodies and public authorities to which we might be obliged to disclose Your Data when this is required by law, legal process, administrative or court order to disclose your information.
⦁ Other parties in connection with corporate transactions as part of a merger or transfer, acquisition or sale, or in the event of bankruptcy; In this case, you will receive a clear notification via email and/or our website regarding the change of ownership, the incompatibility of new use of personal information, and the choice of personal information.
In addition to the disclosures described in this Privacy Policy, we may share information about You with third parties when you separately consent to or request such sharing.
In regards to private individuals, we require and pay attention that the above stated third parties apply all required technical and organizational measures for the protection of the Personal Data shared with them.
Depending on the User’s specific device, the Application may request certain permissions that allow it to access the User’s device Data as described below.
By default, these permissions must be granted by the User before the respective information can be accessed. Once the permission has been given, it can be revoked by the User at any time. In order to revoke these permissions, Users may refer to the device settings or contact the Controller for support at the contact details provided in the present document.
The exact procedure for controlling app permissions may be dependant on the User’s device and software.
Please note that the revoking of such permissions might impact the proper functioning of this Application.
If User grants any of the permissions listed below, the respective Personal Data may be processed (i.e accessed to, modified or removed) by this Application.
Used for accessing the User’s approximate device location. This Application may collect, use, and share User location Data in order to provide location-based services.
Used for accessing Bluetooth related functions such as scanning for devices, connecting with devices, and allowing data transfer between devices.
Used for accessing devices/services provided by third parties and enabling the Application to interact with physical accessories in the User’s surrounding environment.
Used for accessing the User’s device motion sensors to measure the User’s activity such as step counts, stairs climbed, and movement type (walking, cycling, etc.).
Used for accessing the User’s precise device location. This Application may collect, use, and share User location Data in order to provide location-based services. The geographic location of the User is determined in a manner that isn’t continuous. This means that it is impossible for this Application to derive the exact position of the User on a continuous basis.
Personal Data is collected for the following purposes and using the following services:
The Controller and some of its service providers use information collected through cookies and similar technologies to improve the User’s experience within the Application, to analyze how the User uses it and for marketing purposes. As a User you have the right to choose not to allow some types of cookies. However, blocking some types of cookies may impact your experience of the Application and the services you are offered with. In some cases, data obtained from cookies is shared by the Controller with third parties for analytics or marketing reasons. You can exercise your right to opt-out of that sharing at any time by disabling cookies.
1.1. Advertising:
This type of service allows User Data to be utilised for advertising communication purposes. These communications are displayed in the form of banners and other advertisements within the Services, possibly based on User interests. This does not mean that all Personal Data are used for this purpose. Information and conditions of use are shown below.
Some of the services listed below may use Trackers for identifying Users, behavioural retargeting i.e. displaying ads tailored to the User’s interests and behaviour, or to measure ads performance. For more information, please check the privacy policies of the relevant services.
Services of this kind usually offer the possibility to opt out of such tracking. In addition to any opt-out feature offered by any of the services below, Users may learn more on how to generally opt out of interest-based advertising within the dedicated section “How to opt-out of interest-based advertising” in this document.
1.1.1. Google Ads conversion tracking (Google Ireland Limited)
Google Ads conversion tracking is an analytics service provided by Google Ireland Limited that connects data from the Google Ads advertising network with actions performed by the Services.
Personal Data processed: Trackers; Usage Data.
Place of processing: Ireland – Privacy Policy.
1.1.2. Google Ad Manager (Google Ireland Limited)
Google Ad Manager is an advertising service provided by Google Ireland Limited that allows the Controller to run advertising campaigns in conjunction with external advertising networks that the Controller, unless otherwise specified in this document, has no direct relationship with.
In order to understand Google’s use of data, consult Google’s partner policy.
This service uses the “DoubleClick” Cookie, which tracks use of the and User behaviour concerning ads, products and services offered.
Users may decide to disable all the DoubleClick Cookies by going to: Google Ad Settings.
Personal Data processed: Tracker; Usage Data.
Place of processing: Ireland – Privacy Policy.
1.1.3. Meta ads conversion tracking (Meta pixel) (Meta Platforms Ireland Limited)
Meta ads conversion tracking (Meta pixel) is an analytics service provided by Meta Platforms Ireland Limited that connects data from the Meta Audience Network with actions performed through the Services. The Meta pixel tracks conversions that can be attributed to ads on Facebook, Instagram and Meta Audience Network.
Personal Data processed: Trackers; Usage Data.
Place of processing: Ireland – Privacy Policy. The opt-out information and procedure are described within the Privacy policy.
1.1.4. Microsoft Advertising (Microsoft Corporation)
Microsoft Advertising is an advertising service provided by Microsoft Corporation.
Personal Data processed: Trackers; Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.
1.2. Analytics
The services contained in this section enable the Controller to monitor and analyse web traffic and can be used to keep track of User behaviour.
1.2.1. Google Analytics (Universal Analytics) (Google Ireland Limited)
Google Analytics (Universal Analytics) is a web analysis service provided by Google Ireland Limited (“Google”). Google utilises the Data collected to track and examine the use of the Services, to prepare reports on its activities and share them with other Google services.
Google may use the Data collected to contextualise and personalise the ads of its own advertising network.
In order to understand Google’s use of Data, consult Google’s partner policy.
Personal Data processed: Tracker; Usage Data.
Place of processing: Ireland – Privacy Policy – Opt Out.
1.2.2. Meta Events Manager (Meta Platforms Ireland Limited)
Meta Events Manager is an analytics service provided by Meta Platforms Ireland Limited. By integrating the Meta pixel, Meta Events Manager can give the Owner insights into the traffic and interactions when using the Services.
Personal Data processed: Trackers; Usage Data.
Place of processing: Ireland – Privacy Policy.
Heat mapping services are used to display the areas of the Service that Users interact with most frequently. This shows where the points of interest are. These services make it possible to monitor and analyse web traffic and keep track of User behavior. Some of these services may record sessions and make them available for later visual playback.
Hotjar is a heat mapping service provided by Hotjar Ltd. Hotjar honours generic „Do Not Track” headers. This means the browser can tell its script not to collect any of the User’s data. This is a setting that is available in all major browsers.
The online surveys allow Users to interact with an online survey platform directly from the pages of the Website and the Application. Participation in the surveys is optional and at the sole discretion of the User.
Personal Data processed: Tracker; Usage Data; various types of Data as specified in the privacy policy of the service.
Place of processing: Malta – Privacy Policy. The opt-out information and procedure is described within the Privacy policy.
This type of service helps the Controller to manage the tags or scripts needed on the Website in a centralized fashion. This results in the Users’ Data flowing through these services, potentially resulting in the retention of this Data.
Google Tag Manager is a tag management service provided by Google Ireland Limited.
Personal Data processed: Trackers; Usage Data.
Place of processing: Ireland – Privacy Policy.
This type of service allows the Controller to build user profiles by starting from an email address, a personal name, or other information that the User provides to the Services, as well as to track User activities through analytics features. This Personal Data may also be matched with publicly available information about the User (such as social networks’ profiles) and used to build private profiles that the Controller can display and use for improving of the Services. Some of these services may also enable the sending of timed messages to the User, such as emails based on specific actions performed through the Loqed Services.
Intercom is a User database management service provided by Intercom R&D Unlimited Company. Intercom can also be used as a medium for communications, either through email, or through messages within the Services. Intercom Messenger may use Trackers to recognise and track Users behavior.
Personal Data processed: Data communicated while using the service; email address; Trackers; Universally unique identifier (UUID); Usage Data; various types of Data as specified in the privacy policy of the service.
Place of processing: Ireland – Privacy Policy.
Information on opting out of interest-based advertising
In addition to any opt-out feature provided by any of the services listed in this document, Users may follow the instructions provided by YourOnlineChoices (EU), the Network Advertising Initiative (US) and the Digital Advertising Alliance (US), DAAC (Canada), DDAI (Japan) or other similar initiatives. Such initiatives allow Users to select their tracking preferences for most of the advertising tools. The Controller thus recommends that Users make use of these resources in addition to the information provided in this document.
Users may also opt-out of certain advertising features through applicable device settings, such as the device advertising settings for mobile phones or ads settings in general.
This type of service allows the Controller to connect Data with third-party services disclosed within this privacy policy. This results in Data flowing through these services, potentially causing the retention of this Data.
This type of service allows Us to manage the creation, deployment, administration, distribution and analysis of online for the purposes of support, management of purchase orders and warranty claims. The Personal Data collected depends on the information asked and provided by the Users in the corresponding online form.
These services enable the Controller to take subsequent steps with the Data processed – e.g. managing contacts, sending messages.
2.1. Zapier (Zapier, Inc.)
Zapier is a workflow automation service provided by Zapier, Inc. that automates the movement of Data between (third-party) services. The services are used for processing User’s warranty claims and exercising warranty rights and obligations.
Personal Data processed: city; company name; country; email address; first name; language; last name; phone number; ZIP/Postal code.
Place of processing: United States – Privacy Policy.
2.2. Typeform (TYPEFORM S.L)
Typeform is a form builder and data collection platform provided by TYPEFORM S.L.
Personal Data processed: company name; country; email address; first name; last name; phone number; physical address; state.
Place of processing: Spain – Privacy Policy.
Mailing list or newsletter
By registering on the mailing list or for the newsletter, the User’s email address will be added to the contact list of those who may receive email messages containing information of marketing, commercial or promotional nature concerning the Services and other own by the Controller similar products or services. Your email address might also be added to this list as a result of signing up to any of the Services or after making a purchase.
Personal Data processed: email address; first name.
E-mail advertising with registration for the newsletter
If you register for our newsletter, we use the data required for this or separately provided by you in order to regularly send you our e-mail newsletter based on your consent. Unsubscribing from the newsletter is possible at any time and can be done either by sending a message to the contact option described below or via a link provided in the newsletter. After unsubscribing, we will delete your e-mail address unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we will inform you in this declaration.
The Application requests certain permissions from Users that allow it to access the User’s device Data as described below.
4.1. Device permissions for Personal Data access (the Application)
The Application requests certain permissions from Users that allow it to access the User’s device Data as summarized here and described within this document.
Personal Data processed: Approximate location permission (continuous); Bluetooth sharing permission; Third parties’ service permission; Motion sensors permission; Precise location permission (non-continuous).
4.2. Device permissions for Personal Data sharing
Data gathered through your mobile device permissions, including Approximate location permission (continuous), Bluetooth sharing permission, Third parties’ service permission, Motion sensors permission, and Precise location permission (non-continuous), is not use for commercial purposes.
Unless otherwise specified, the Website processes any payments by credit card, bank transfer or other means via external payment service providers. In general, and unless where otherwise stated, Users are requested to provide their payment details and personal information directly to such payment service providers. The Website isn’t involved in the collection and processing of such information: instead, it will only receive a notification by the relevant payment service provider as to whether payment has been successfully completed.
5.1. PayPal (PayPal Inc.)
PayPal is a payment service provided by PayPal Inc., which allows Users to make online payments.
Personal Data processed: billing address; email address; first name; last name; payment info; phone number; purchase history.
Place of processing: See the PayPal privacy policy – Privacy Policy.
This type of service has the purpose of hosting Data and files that enable the Services to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of the Services.
Some services among those listed below, if any, may work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.
6.1. Amazon Web Services (AWS) (Amazon Web Services, Inc.)
Amazon Web Services (AWS) is a hosting and backend service provided by Amazon Web Services, Inc.
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: France – Privacy Policy.
6.2. Google Cloud (Google Ireland Limited)
Google Cloud is a cloud computing platform provided by Google Ireland Limited.
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: Ireland – Privacy Policy.
This type of service makes it possible to manage a database of email contacts, phone contacts or any other contact information to communicate with the User. These services may also collect data concerning the date and time when the message was viewed by the User, as well as when the User interacted with it, such as by clicking on links included in the message.
Klaviyo is an email address management and message sending service provided by Klaviyo Inc.
Personal Data processed: email address; Tracker; Usage Data, information relevant to placed purchase orders.
Place of processing: Australia, United States, United Kingdom – Privacy policy.
In order to comply with legal and tax requirements, as well as to protect our interests we might use the cervices of legal, tax and compliance professionals. These professionals are usually bound by law to treat any information with extremely high level of secrecy and confidentiality, as well as are limited to use them only within the scope of the specific advisory service provided.
In order to ensure the delivery of any purchase orders that were placed through the Website we are using different registered courier services.
Equal protection of User Data
The Services share User Data only with third parties carefully selected to ensure that they provide the same or equal protection of User Data as stated in this privacy policy and requested by applicable data protection laws. Further information on data processing and privacy practices by third parties can be found in their respective privacy policies.
The Controller may process Personal Data relating to Users if one of the following applies:
In any case, the Controller will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the Users’ consent.
Therefore:
The Controller may be allowed to retain Personal Data for a longer period whenever the User has given consent to such processing, as long as such consent is not withdrawn. Upon withdrawal of User’s consent, the Controller will stop processing the Data that relies on User’s consent, but it will not impact the processing of data collected prior to the withdrawal until the purposes for which such Data were collected have been achieved. Furthermore, the Controller may be obliged to retain Personal Data for a longer period whenever required to fulfil a legal obligation or upon order of an authority.
The Personal data processed in compliance with legal obligations, are processed within the statutory retention period as per the applicable law, for example the invoice information is kept for 10 years in compliance with the applicable accounting regulatory requirements.
Once the retention period expires, Personal Data shall be deleted and may not be retrieved and used any longer. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
The Personal data shall not be deleted but shall continue to be processed only for protection of our legitimate rights and interests or in compliance with our legitimate obligations, in the event that as of the date of expiration of the above stated time limit there is pending court, administrative and pre-court proceedings – until its closing.
Personal Data you entrust to us will primarily be processed by the Controller in European Union. However, some of our Third-Party Service Providers and specifically our providers of e-mail messaging services for direct marketing, are not located in the European Union. The main country outside the European Union where your Personal Data can be processed by such service providers, is the United States. All these international data transfers are subject to legal requirements to ensure that your personal information is processed safely and as you would expect, which means your Personal Data is likely to end up in other countries, including outside the European Union. We will process your Personal Data for marketing purposes including by sharing these with these service providers only upon your explicit consent.
Users may exercise certain rights regarding their Data processed by the Controller.
In particular, Users have the right to do the following, to the extent permitted by law:
Users are also entitled to learn about the legal basis for Data transfers abroad including to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data.
Details about the right to object to processing
Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Controller or for the purposes of the legitimate interests pursued by the Controller, Users may object to such processing by providing a ground related to their particular situation to justify the objection.
Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time, free of charge and without providing any justification. Where the User objects to processing for direct marketing purposes, the Personal Data will no longer be processed for such purposes. To learn whether the Controller is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.
How to exercise these rights
Any requests to exercise User rights can be directed to the Controller through the contact details provided in this document. Such requests are free of charge and will be answered by the Controller as early as possible and always within one month, providing Users with the information required by law. Any rectification or erasure of Personal Data or restriction of processing will be communicated by the Controller to each recipient, if any, to whom the Personal Data has been disclosed unless this proves impossible or involves disproportionate effort. At the Users’ request, the Controller will inform them about those recipients.
The security, integrity, and confidentiality of your Personal Data are extremely important to us. We have implemented technical, contractual, organisational, and physical security measures that are designed to protect our Users Personal Data from unauthorised access, disclosure, use, and modification. We regularly review our security procedures and practices to consider appropriate new technology and methods. Please be aware that, despite our best efforts, no security measures are perfect or impenetrable.
Legal action
The User’s Personal Data may be used for legal purposes by the Controller in Court or in the stages leading to possible legal action arising from improper use of any of the Loqed Services or the related services.
The User declares to be aware that the Controller may be required to reveal personal data upon request of public authorities.
Additional information about User’s Personal Data
In addition to the information contained in this privacy policy, We may provide the User with additional and contextual information concerning particular Services or the collection and processing of Personal Data upon request.
System logs and maintenance
For operation and maintenance purposes, the Loqed Services and any third-party services may collect files that record interaction with the Services (System logs) or use other Personal Data (such as the IP Address) for this purpose.
Information not contained in this policy
More details concerning the collection or processing of Personal Data may be requested from the Controller at any time. Please see the contact information at the beginning of this document.
Changes to this privacy policy
We may update this Privacy Policy from time to time due to changes in the Service, the applicable laws and our legitimate interest. You can determine when the Privacy Policy was last revised by the date provided at the bottom of this document.
Any changes will become effective upon publishing in the Application and the Website or making them available to the User in other way.