Ubiant, creative solutions for smart buildings

Privacy Policy

(last updated on 10/10/17)

Version V.1.0

Download the PDF file

KEY POINTS TO KNOW ABOUT PERSONAL DATA PROCESSING WHEN USING THE HEMIS SOLUTION

The data controller is Ubiant, a limited liability company with a capital of €2,185,416, incorporated in the Lyon Register of Companies under number 384 565 149, and whose registered office is located at Immeuble Le Silex – Espace Nextdoor, 15, rue des Cuirassiers – 69487 Lyon Cedex 03.
Some of the data that Ubiant collects and processes are classed as sensitive. The processing of such data is subject to specific rules (for more details, refer to Section 2).
The purposes for which personal data are processed include managing and monitoring contractual and pre-contractual relations with users and subscribers of the Hemis solution, delivering the services in the Hemis solution to users and subscribers, organising loyalty-building programmes, managing user and subscriber reviews, checking the quality of the services provided by Ubiant’s subcontractors, generating sales statistics, carrying out direct marketing operations by Ubiant and its partners, resolving any past due invoices and disputes, complying with the legal obligations binding upon Ubiant, monitoring traffic and simplifying navigation on the Application (for more details, refer to Section 3).
There are many legitimate reasons for processing personal data. Depending on the purpose and whether or not data are sensitive, processing is based on consent, express or otherwise, from users, subscribers and third parties, the legitimate interests of Ubiant or the interests of its users or subscribers, the execution of contracts between users / subscribers and Ubiant or a third party, the implementation of any pre-contractual measures taken at the request of the solution’s users and subscribers, and compliance with the legal obligations binding upon Ubiant (for more details, refer to Section 3).
Whether the provision of data is mandatory or optional is specified on the different account registration and subscription forms if Ubiant collects personal data using such forms. In addition, data must be collected from at least one connected device in order to use the services in the Hemis solution. In some cases, Ubiant may also require proof of identity or proof of the user’s presence in the connected building. These provisions are either statutory or contractual requirements. The consequences of failing to provide such data depend on the situation. The main consequences will include users not being able to create an account on the Hemis application, sign up for a subscription or benefit from the services in the Hemis solution (for more details, refer to Section 4).
The recipients to whom data may be disclosed are, subject to express consent from subscribers in certain cases, other users and subscribers when sharing or transferring virtual buildings, connected object manufacturers, clients, contractors and construction firms of buildings that are connected using the Hemis solution, energy utilities, property managers, facility managers of buildings that are connected using the Hemis solution and hosting providers with which users have decided to store some of their data (for more details, refer to Sections 5 and 6).
Privacy protection for third parties: subscribers, users and certain third parties are likely to disclose third parties’ personal data to Ubiant. Such data must be processed in accordance with applicable regulations. Any people disclosing such data are advised that they are required to notify the data subjects accordingly, that they may need consent from those people and that some types of data may be sensitive. Third parties disclosing personal data make specific commitments to Ubiant (for more details, refer to Section 7).
You have rights. You have the right to access, rectify and delete your personal data. You also have the right to prevent your personal data from being processed and the right to define specific instructions regarding your personal data after your death. In addition, you have the right to lodge a complaint with CNIL (France’s data protection authority) or any other competent supervisory authority. As of 25 May 2018, you also have the right to ask Ubiant to restrict the processing of your personal data, and the right to data portability (for more details, refer to Section 8).
The retention times for your personal data vary up to five years and commence when your contract(s) with Ubiant terminate(s) or expire(s), depending on the type of data, the connected objects used and the services involved, except in cases of pre-litigation or disputes (for more details, refer to Section 9).
Transfer of data outside the European Economic Area: personal data are hosted and processed by Ubiant and its subcontractors within the European Economic Area. However, Ubiant may be required to transfer data to recipients, particularly connected object manufacturers, outside the EEA (or to the servers of those recipients outside the EEA). If applicable, such data transfers will be governed by contracts signed between Ubiant and the data recipients, including the standard contractual clauses adopted by the European Commission in its Decision 2010/87/EU of 5 February 2010 (for more details, refer to Section 10).

For further information, we would advise you to read the terms of the privacy policy below.

This privacy policy (hereinafter the “Privacy Policy“) defines the terms and conditions according to which Ubiant collects and processes data, especially personal data, as part of its Hemis home monitoring solution, which allows subscription and non-subscription users (“Users“) to run an application on a PC or certain web-enabled smartphones (the “Application“) in order to control various aspects of their living environment (homes, offices, shops, etc.) using connected objects fitted in their buildings by Users, manufacturers or previous occupants of the said buildings (“Connected Objects“).

The standard terms of service for the Hemis home monitoring solution are described in a separate document available at https://www.ubiant.com/legal1/ .

The data collected and processed as part of the Hemis solution may concern Users, whether they have taken out a subscription plan with Ubiant or simply opened an account on the Application. Data may also concern third parties (“Third Parties“).

Data are collected and processed by Ubiant, a limited liability company with a capital of €2,185,416, incorporated in the Lyon Register of Companies under number 384 565 149, and whose registered office is located at Immeuble Le Silex – Espace Nextdoor, 15, rue des Cuirassiers – 69487 Lyon Cedex 03 (« Ubiant »).

As part of its determination to respect the privacy of Users and Third Parties as well as maintain the confidentiality of all information relating to Users and Third Parties, Ubiant, in its capacity as the controller, complies with applicable legislation governing the protection of Users’ personal data, especially France’s Data Protection Act 1978 and, commencing on 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR“).

Ubiant may also be required to process the personal data of Users and Third Parties in its capacity as a subcontractor on behalf of third-party companies, particularly for hosting the said data. As such, Ubiant will also comply with applicable legislation. However, these types of data processing are not covered by this Privacy Policy. Users and Third Parties are advised to refer to the documents and information provided by such third-party companies.

Ubiant may be required to update the Privacy Policy to reflect changes in its contractual relations with Users and changes in the rights of Users and Third Parties. Each User will receive prior notice of any updates to the Privacy Policy and the User’s consent will be sought if applicable.  Users who have disclosed third-party data may be required to send prior notice thereof to each Third Party concerned and obtain their consent as applicable.

1. Data collected and processed by Ubiant

Ubiant may be required to collect and process:

  • Data to identify Users who are creating an account and potentially subscribing to the Hemis solution, as well as to schedule subscription fee payments (“Contract Data“).

For example: first name, surname, age, subscription plan chosen, bank details, etc.

  • Data disclosed by Users when using the Application (“Usage Data“).

For example: information about the Connected Objects installed in the buildings, geographic location, dates, times and types of actions performed remotely via the Application (such as for controlling switches), photos of the rooms or objects, sets of action scenarios to be implemented during such events as holidays, predefined objectives regarding energy consumption or production, and so on. 

  • Data generated by the Connected Objects fitted in buildings by Users, manufacturers or previous occupants of the said buildings (“Raw Data“).

For example: temperature measurements, electricity or gas consumption measurements, open or closed status of a window, presence detection, etc.

  • Data resulting from calculations, cross-referencing and analyses performed by Ubiant as part of the Hemis solution (“Enriched Data“).

For example: curve showing trends in energy consumption, times when energy consumption thresholds have been exceeded, User’s preferred average temperature, etc.

  • Data relating to potential interactions and exchanges between Users / Third Parties and Ubiant (“Customer Service Data“).

For example: enquiries about a subscription form, technical support, and so forth.

  • Data relating to the use of the Application through cookies and other web-based trackers (“Navigation Data”).

For example: dates and times when signing into the Application, IP address, types of protocols and browsers used, etc.

  • Data relating to the specific instructions that Users or Third Parties may give Ubiant regarding the use of their personal data after their death, including details of a designated third party to whom their personal data should be sent (“Death Instruction Data“).

For example: first name, surname and any other information that can be used to clearly identify the said third party, etc.

(collectively the “Data“).

For further information about the cookies and other web-based trackers that Ubiant uses, Users are advised to view the Hemis cookie policy available at https://www.ubiant.com/legal4/.

2. Sensitive data collected and processed by Ubiant

Ubiant may be required to process data that are deemed by applicable legislation to be sensitive, since they may incidentally reveal Users’ religious beliefs or sexual orientation.

This may be the case if electricity and the Application are not recorded as being used between Friday night and Saturday night (which could suggest that users belong to the Jewish faith) or if only one room

(such as a bedroom) is registered on the Application for a home shared by two people of the same sex (which could suggest the occupants’ homosexual or bisexual orientation).

In addition, Ubiant may be required to process other types of data classed as being sensitive, insofar as they implicitly reveal Users’ racial or ethnic origin, political opinions, philosophical beliefs, trade union membership or sex life.

This may happen with photos revealing any one of the above cases or information that Users or Third Parties volunteer to Ubiant during their exchanges and interactions with Ubiant.

Any such information disclosed to Ubiant and constituting sensitive data will not be exploited as such by Ubiant, which will not discriminate or draw any inferences.

The processing of other sensitive data disclosed via the Application is subject to Users providing their express consent when entering into contracts with Ubiant, as well as consent from Third Parties in cases where Users disclose Data about those Third Parties to Ubiant (refer to Section 7).

3. Purposes and lawfulness of processing

In pursuance of Section 7 of France’s Data Protection Act and Article 6 of the GDPR, personal data processing will be lawful only if and to the extent that at least one of the legal bases specified in the said Section and Article applies.

The following table specifies the different aims that Ubiant may pursue when processing data and the legal grounds for supporting each aim.

Aims pursued

Legal grounds

Manage and monitor contractual and pre-contractual relations in order to:
✓ Send the information that Users and Third Parties require when planning to create an account on the Application or take out a subscription
✓ Manage contracts between Ubiant and Users
✓ Enter into contracts and subsequently monitor contract performance
✓ Manage accounts on the Application
✓ Collect and retain proof of Users’ consent when entering into contracts with Ubiant
✓ Process Users’ requests relating to the provision of the services provided by Ubiant
In terms of the Data concerning Users (not including banking details): performance of the contract to which the User is a party or implementation of the pre-contractual measures taken at the request of a User or Third Party

In terms of Users’ banking details: specific consent obtained from Users (collected when entering into contracts with Users)

Compliance with the legal obligations binding upon Ubiant, including:
✓ Verification of its direct marketing files by the organisation responsible for managing the official opt-out register for unsolicited and marketing calls
✓ Manage the rights of Users and Third Parties as specified in Section 7
Compliance with the legal obligations binding upon Ubiant
Provision of part of the services in the Hemis solution, which involves:
✓ Collecting and hosting Raw Data on servers for the needs of the Hemis solution, at the request of Users or on behalf of third parties authorised by the Users.
For example: storage of temperature, humidity, brightness and sound measurements for a specific room, electricity, water and gas consumption measurements, open or closed status of windows, etc.
✓ Ensuring the secure transmission of Data to the Users and third parties authorised by the Users, with all parties pursuing their own Data processing aims. For example:   disclosure of specific types of Data to Connected Object manufacturers, third-party hosting providers, other occupants in the same building, and so on.
✓ Formatting, analysing and enriching the Data in order to provide Enriched Data to the Users and any third parties authorised by the Users, with all parties pursuing their own Data processing aims.
For example: analysis of the User’s energy use to determine objectives for reducing consumption.
✓ Providing an interactive software solution by means of the Application, allowing Users to remotely control appliances and systems via Connected Objects (such as turning off the heating or air-conditioning system) and define sets of actions that are triggered when predetermined events occur (e.g. close all doors and shutters, and arm the alarm system when leaving on holiday).
For non-sensitive Data concerning Users: execution of the contract to which the User is a party or implementation of the pre-contractual measures taken at the User’s request.

For non-sensitive Data concerning Third Parties: Users’ legitimate interests (personalisation of the services provided by Ubiant)

For sensitive Data concerning Users: specific consent obtained from Users (collected when entering into contracts with Users or via the Application)

For sensitive Data concerning Users: specific consent obtained from Third Parties (acting under the Users’ responsibility – refer to Section 7)

Provision of the other part of the services in the Hemis solution, which involves ensuring the secure transmission of Data to the Users and third parties authorised by the Users, with all parties pursuing their own Data processing aims (except for the hosting providers with which Users have chosen to entrust their Data). For Data concerning Subscription Users: consent from the Subscription Users for each authorised third party (obtained by the authorised third party, when entering into contracts with the Subscription Users or via the Application) OR compliance with the legal obligations binding upon Ubiant OR execution of the contract with the authorised third party to which the Subscription User is a party OR implementation by the authorised third party of the pre-contractual measures taken at the Subscription User’s request.

For Data concerning Non-Subscription Users and Third Parties: consent obtained from Non-Subscription Users and Third Parties (acting under the Subscription Users’ authority – refer to Sections 6 and 7). OR compliance with the legal obligations binding upon Ubiant OR Users’ legitimate interests (especially compliance with the contracts entered into with third parties – in case of a lease agreement that provides for the transfer of certain types of Data to the property management company – and access to the services provided by third parties – such as if the Data are hosted by a third party chosen by the Subscription User)

Organisation of loyalty-building programmes Ubiant’s legitimate interests (reinforcement of the company’s existing customer base)
Management of User reviews, quality control of the services provided by Ubiant’s subcontractors and generation of sales statistics Ubiant’s legitimate interests (improved services and solutions)
Direct marketing by Ubiant and its partners Specific consent obtained from Users (collected when entering into contracts with Users)
Audience tracking and simplified navigation on the Application Legitimate interests (improved services and solutions)

4. Mandatory and optional Data

To create an account on the Application without subscribing directly to the Hemis solution, Users are required to provide their first name, surname, date of birth and email address. Otherwise, Users will not be able to create their account on the Application, subscribe to the Hemis solution and use the services that Ubiant provides as part of the Hemis solution.

To subscribe to the Hemis solution after creating an account, Users must also identify the physical building for which the solution will be used and specify whether they are the building’s owner or simply an occupant. Otherwise, they will be unable to subscribe to the Hemis solution, which must be associated with at least one building.

To use the services in the Hemis solution, Raw Data must be collected from at least one Connected Object. Otherwise, Users will not be able to use any building-related services on the Application.

In some cases, Ubiant may also require proof of presence in the connected physical building.

The provision of Data in this case is a contractual requirement.

Users and Third Parties will be required to furnish proof of identity in order to exercise the rights specified in Section 8. If Users or Third Parties fail to provide proof of their identity, Ubiant may be unable to respond to requests relating to their rights.

The provision of Data in this case is a statutory requirement.

Ubiant may be required to collect other types of Data. Users will be notified of all the Data that must be collected. They will also be informed whether the obligation to provide Data is contractual or statutory, as well as the consequences of failing to provide Data.

Ubiant shall not be held liable for the aforementioned consequences if Users refuse to disclose their Data.

5. Recipients, confidentiality and Data security

Ubiant is required to disclose Data to:

  • Its subcontractors. These subcontractors are bound by an obligation to ensure Data confidentiality and security, as well as other obligations stipulated in the GDPR as from 25 May 2018. Ubiant exercises the greatest care when choosing its subcontractors and in any case shall be liable for the Data processing performed by its subcontractors in accordance with France’s Data Protection Act and the GDPR.
  • Other Users with whom the User wishes to share a building on the Application, meaning certain Contract Data, Raw Data, Usage Data and Enriched Data. All Users carry out themselves data processing for which they are accountable. When Users process Data on behalf of a legal person or if they process Data in the course of an activity that is not purely personal or household in nature and is thus with connection to a professional or commercial activity, Users are personally liable for the Data processing implemented and are bound by the obligations stipulated in France’s Data Protection Act and the GDPR.
  • Other Users with whom the User shares a building on the Application, meaning certain Contract Data, Raw Data, Usage Data and Enriched Data. All Users carry out themselves data processing for which they are accountable. When Users process Data on behalf of a legal person or if they process Data in the course of an activity that is not purely personal or household in nature and is thus with connection to a professional or commercial activity, Users are personally liable for the Data processing implemented and are bound by the obligations stipulated in France’s Data Protection Act and the GDPR.
  • Connected Object manufacturers, where Users’ express consent is obtained when entering into contracts with Users or via the Application. If applicable, Ubiant will only disclose to each Connected Object manufacturer the Raw Data issued by their own Connected Objects. Connected Object manufacturers are personally liable for the Data that they process and are consequently bound by the obligations stipulated in France’s Data Protection Act and the GDPR.
  • Clients, contractors and construction firms of buildings that are connected using the Hemis solution, where Users’ express consent is obtained when entering into contracts with Users or via the Application. These third parties are personally liable for the Data that they process and are consequently bound by the obligations stipulated in France’s Data Protection Act and the GDPR.
  • Energy utilities, where Users’ express consent is obtained when entering into contracts with Users or via the Application. These third parties are personally liable for the Data that they process and are consequently bound by the obligations stipulated in France’s Data Protection Act and the GDPR.
  • Property managers (such as commonhold associations), where Users’ express consent is obtained when entering into contracts with Users or via the Application. These third parties are personally liable for the Data that they process and are consequently bound by the obligations stipulated in France’s Data Protection Act and the GDPR.
  • Facility managers of buildings that are connected using the Hemis solution, where Users’ express consent is obtained when entering into contracts with Users or via the Application. These third parties are personally liable for the Data that they process and are consequently bound by the obligations stipulated in France’s Data Protection Act and the GDPR
  • Hosting providers to which Users may decide to entrust the storage of certain types of Data. Depending on the case, these third parties are personally liable for the Data that they process (and are consequently bound by the obligations stipulated in France’s Data Protection Act and the GDPR) or subcontractors acting on behalf of the Users (who are then personally liable for the processing and may be bound by the obligations stipulated in France’s Data Protection Act and the GDPR – see above). Notwithstanding the foregoing, Ubiant agrees to never disclose the Data that it processes, except where express consent has been obtained from the User or the Third Party acting under the User’s authority, or in special circumstances, such as those specified above and below:
  • Ubiant may be required to disclose Data by law, legal process, litigation and/or requests from public and governmental authorities.
  • Ubiant may disclose Data if disclosure is necessary for purposes of national security, law enforcement or other issues of public importance.

6. Assignment and management of access to the Raw Data and Enriched Data generated by the Connected Objects

The Raw Data and Enriched Data generated by the Connected Objects can be accessed via the Application. They are arranged in the Application by physical buildings, to which they refer within virtual doubles of those physical buildings (Hemis Virtual Buildings“).

Each of the roles defined during the creation, sharing, transfer (lease or complete assignment) or forced ungrouping/grouping of a Hemis Virtual Building allows Users to access all or part of the Raw and Enriched Data.

The degree of access to the Raw and Enriched Data initially depends on whether the corresponding physical building is occupied. By default, Users who do not occupy the physical building cannot access the Raw and Enriched Data that are collected and produced while the physical building is occupied by third parties (Users or otherwise), insofar as the data may reveal personal details about those third parties.

For example, users who have leased the Hemis Virtual Building to their tenant cannot access the Raw and Enriched Data generated while the building is occupied by the tenant.

The degree of access to the Raw and Enriched Data also depends on the goodwill of the Users who have taken out a subscription for the Hemis Virtual Building (irrespective of whether they are the building’s owner or a tenant).

For example, Subscription Users have the option of sharing their Hemis Virtual Building and the Raw and Enriched Data generated during their subscription (or beforehand where authorisation is obtained from former Users) with other Users, such as those occupying the same physical building. If a Subscription User invites another User to share their Hemis Virtual Building, the other User’s attention is drawn to the fact that accepting the invitation includes sharing the Raw and Enriched Data produced during the subscription (or beforehand).

Subscription Users also have the option of transferring certain types of Raw and Enriched Data to Users at the same time as the Virtual Building if deemed useful, such as to the new occupants of the physical building that they are vacating. The Application will prompt Subscription Users to provide their consent before carrying out this type of transfer.

Finally, Subscription Users have the option of granting certain third parties (whether or not Users) access to all or part of the Raw and Enriched Data (refer to the list of recipient third parties in Section 5 above). The Application will prompt Subscription Users to give their authorisation for each recipient third party or category of recipient third party, except where access is required by law or regulations, or if Subscription Users had previously given their authorisation directly to the third party via a contract or any other means.

If several Users share the same Hemis Virtual Building, the User who has taken out a subscription for the Hemis Virtual Building shall be liable for obtaining consent from all the other Users with respect to the access that he or she has granted to third parties to the Raw and Enriched Data.

7. Privacy protection for third parties and compliance with applicable regulations

Users and Third Parties are likely to disclose Third Parties’ personal data to Ubiant. This may occur when using the Application for the other people occupying the buildings that are linked to a given account (such as when naming a room in the building, sending a photo of a room or inviting other Users to share access), when a User discloses a Third Party’s email address to invite that Third Party to share or transfer his or her access to a Hemis Virtual Building or when designating a Third Party to whom personal data will be sent in the event of the User’s death.

Note: Article 4(1) of the GDPR defines personal data as “any information relating to an identified or identifiable natural person […]; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person“. A similar definition is provided in Section 2 of France’s Data Protection Act.

As with the processing of Users’ personal data, the processing of Third Parties’ personal data is subject to the requirements stipulated in France’s Data Protection Act and, as of 25 May 2018, the GDPR.

The attention of Users and Third Parties is drawn to the fact that:

  • They are advised to minimise, wherever possible, the disclosure of Third Parties’ personal data to Ubiant (Users must only disclose User Data that they consider are strictly necessary to freely use the services provided by Ubiant without infringing third parties’ privacy, particularly the privacy of the other occupants in the building).
  • Applicable regulations require Users to provide Third Parties whose Data are disclosed to Ubiant with a number of details about the processing of their data. With respect to the processing of Data under Ubiant’s responsibility, Users and Third Parties are liable for communicating this Privacy Policy to the Third Parties concerned. With respect to the processing of the Data for which they may be personally liable, Users and Third Parties are invited to refer to the list of information that they are required to disclose about the processing and the terms for providing information (see Section 32 of France’s Data Protection Act, Sections 90 et seq. of French Regulation 2005-1309 of 20 October 2005 and, as of 25 May 2018, Articles 12 to 14 and Whereas clauses 58 to 62 of the GDPR).
  • Applicable regulations also require consent to be obtained from Third Parties before pursuing certain processing aims. With respect to the processing of Data under Ubiant’s responsibility, Users and Third Parties who disclose data about Third Parties to Ubiant are liable for obtaining consent from the Third Parties concerned (prior to disclosing Data to Ubiant) for the aims identified in Section 3 that require such consent. With respect to the processing of the Data for which they may be personally liable, Users and Third Parties are invited to refer to the list of legal grounds on which all or part of the processing may be based and, if necessary, obtain consent from the Third Parties concerned (see Section 7 of France’s Data Protection Act, Article 2 h) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 and, as of 25 May 2018, Articles 5, 7 and 8 and Whereas clauses 32, 38, 42 and 43 of the GDPR).
  • Applicable regulations also provide strict guidelines concerning the processing of sensitive data, such as defined in Section 2. With respect to the processing of Data under Ubiant’s responsibility, Users and Third Parties who disclose sensitive data about Third Parties to Ubiant are liable for obtaining express and specific consent from the Third Parties concerned (prior to disclosure) for the collection and processing of their sensitive data (this consent must be separate from the general consent required for the data processing indicated in the previous bullet point). With respect to the processing of the Data for which they may be personally liable, Users and Third Parties are invited to refer to the rules governing the processing of sensitive data (refer to Section 8 of France’s Data Protection Act and, as of 25 May 2018, Article 9 and Whereas clauses 51 et seq. of the GDPR – the special categories of personal data indicated in the GDPR and the aforementioned Directive 95/46/EC corresponding to sensitive data).

Users and Third Parties agree to abide by applicable regulations and shall hold Ubiant harmless against any related claims.

Users and Third Parties generally warrant to Ubiant that they hold all the rights and authorisations required to process the information disclosed directly to Ubiant or generated by means of the Connected Objects, and they agree to provide evidence of such rights and authorisations upon request by Ubiant.

The following acts and regulations are available via the links provided below:

  • France’s Data Protection Act
  • GDPR
  • Regulation 2005-1309 of 20 October 2005
  • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995

8. Rights of Users and Third Parties

Until 24 May 2018 and in pursuance of Sections 38 et seq. of France’s Data Protection Act, Users and Third Parties have the rights set forth below, unless otherwise stipulated:

  • The right to obtain the following from Ubiant:
    • Confirmation as to whether or not the personal data concerning them are being processed.
    • Information concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed (all this information is featured in this Privacy Policy).
    • If applicable, information concerning the potential transfer of personal data to a recipient in a country outside the European Economic Area (refer to Section 10).
    • Communication of their personal data in an easily accessible form and any available information about the source from which the personal data originated.
    • Information allowing them to know and contest the logic involved in any automatic personal data processing where the decision is based solely on automated processing and which produces legal effects concerning Users or Third Parties

(right of access – Section 39 of France’s Data Protection Act).

  • The right to obtain from Ubiant the rectification, completion, updating, locking or erasure of inaccurate, incomplete, ambiguous and outdated personal data concerning them, or whose collection, use, disclosure or retention is prohibited (right to rectification and erasure – Section 40 I of France’s Data Protection Act).
  • The right to obtain from Ubiant the erasure of personal data concerning them without undue delay where such data have been collected in relation to the offer of information society services where the User or Third Party was a minor when the data were collected (right to digital death – Section 40 II of France’s Data Protection Act).
  • The right to object, on legitimate grounds, to the processing of personal data concerning them (right to object – Paragraph 1, Section 38 of France’s Data Protection Act).
  • The right to object, free of charge, to the processing of their personal data for the purposes of direct marketing by Ubiant or any subsequent controller (right to object – Paragraph 2, Section 38 of France’s Data Protection Act).

From 25 May 2018 onwards, Users and Third Parties have the rights set forth below, unless otherwise stipulated, in pursuance of Articles 15 et seq. of the GDPR:

  • The right to withdraw their consent at any time concerning the parts of the processing implemented by Ubiant that are based on the said consent (refer to the parts concerned in Section 3) (Article 7.3 of the GDPR).
  • The right to obtain confirmation from Ubiant as to whether or not the personal data concerning them are being processed and, where that is the case, access to the personal data and information about the processing (the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period, and so forth) (all this information is provided in this Privacy Policy) (right of access – Article 15 of the GDPR).
  • The right to obtain from Ubiant without undue delay the rectification of inaccurate personal data concerning them (right to rectification – Article 16 of the GDPR).
  • The right to obtain from Ubiant the erasure of personal data concerning them without undue delay in certain cases (right to erasure – Article 17 of the GDPR).
  • The right to obtain from Ubiant restriction of processing in certain cases (right to restriction of processing – Article 18 of the GDPR).
  • The right to receive the personal data concerning them, which they have provided to Ubiant, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from Ubiant where processing is based on consent or a contract and where processing is carried out by automated means (refer to Section 3) (right to data portability – Article 20 of the GDPR).
  • The right to object at any time, on grounds relating to their particular situation, to processing of personal data concerning them by Ubiant in certain cases (right to object- Article 21(1) of the GDPR).
  • The right to object at any time to processing of personal data concerning them for direct marketing purposes (right to object to direct marketing – Article 21(2) of the GDPR).
  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (Article 22 of the GDPR).

Both before and after 25 May 2018, Users and Third Parties also have:

  • The right to lodge a complaint with CNIL, France’s data protection authority, or any other competent supervisory authority.
  • The right to define, modify and rescind instructions at any time regarding the retention, erasure and disclosure of their personal data following their death in pursuance of Section 40-1 of France’s Data Protection Act. Such instructions may be general or specific. Ubiant may only act as a depository for the specific instructions relating to the Data that it processes, insofar as general instructions may be collected and retained by a digital trusted third party certified by CNIL. Users and Third Parties also have the right to designate a third party to whom their data may be disclosed after their death. In accordance with Section 7 above, they agree to notify the said third party of their intentions and the fact that data which can be used to clearly identify them will be sent to Ubiant, to notify the designated third party of this Privacy Policy and to obtain their consent to the ensuing processing of personal data concerning the Third Party.

Subject to providing proof of their identity and pursuant to the aforementioned elements, Users and Third Parties may exercise these rights by writing to Ubiant at the following email address: [email protected] or at the following postal address: Immeuble Le Silex – Espace Nextdoor, 15, rue des Cuirassiers – 69487 Lyon Cedex 03.

Users may also rectify or delete certain types of data via the account that they have created on the Application.

Users and Third Parties may contact Ubiant at the aforementioned email and postal addresses for any enquiries relating to the Privacy Policy.

9. Retention times

Data are retained for as long as strictly necessary for the purposes described in Section 3.

Data concerned

Retention times in a form permitting identification of data subjects either directly or indirectly (barring exceptions*)

Contract data (not including accounting documents and bank details), Usage Data and Customer Service Data Five years from the expiration or termination date of the contracts between the User and Ubiant
Accounting documents (invoices, order forms, etc.) Ten years from the date of issue
Bank details (credit card number and expiry date) Until the termination / expiration of the contracts between the User and Ubiant or until the expiration of the credit card’s validity
Bank details (security code) The time required to perform the initial transaction
Email addresses of the Third Parties disclosed by Users for sharing or transferring access to a Hemis Virtual Building Time required to send the email to the third party
Raw Data Three years, commencing when collected in a detailed form and ending upon expiration or termination of the contracts between the User and Ubiant in an
Enriched Data Three years, commencing when produced in detailed form and ending upon expiration or termination of the contracts between the User and Ubiant in aggregate
Navigation Data associated with a User or Third Party Thirteen months from the date of collection
Death Instruction Data For as long as the data concerned by the directives are retained
Copy of the proof of identity submitted by a User or Third Party to exercise their rights One year from the date received by Ubiant
Data relating to the exercise of a right to access, rectification, erasure or portability One year from the date exercised
Data relating to the exercise of a right to object or withdraw consent Three years from the date exercised
Data relating to the exercise of a right to restrict processing One year from the end of the restriction of processing

At the end of the foregoing retention times, the Data concerned will either be deleted or anonymised.

* Exceptions to the previous paragraphs:

  • Users may decide not to benefit from Ubiant’s learning-based services using Raw and Enriched Data (e.g. to predict energy consumption over the next few months). If applicable, Ubiant will not produce Enriched Data and will only keep Raw Data for the time required to supply the other services in the Hemis solution associated with the connected objects (e.g. a week for a seven-day programmable thermostat or a year for calculating the annual energy consumption).
  • In the event of a dispute, all or some of the Data may be kept on record for a longer period if deemed conducive to resolving the said dispute.
  • Unless specific instructions are otherwise received according to the terms and conditions stipulated in Section 8, Ubiant will delete all Data concerning a User or Third Party within one (1) month of receiving notice of their death by registered or certified mail with return receipt requested.

10. Transfer of data outside the European Economic Area

Ubiant hosts the Data within the European Economic Area.

However, Ubiant may be required to transfer Data to Connected Object manufacturers outside the European Economic Area, where such manufacturers and/or their servers are based in countries outside the EEA.

A list of these countries cannot actually be provided, insofar as the contents do not depend on Ubiant’s goodwill but rather the manufacturers of the Connected Objects that Users may decide to install in their buildings.

In such cases, the data transferred will be Raw Data and certain types of Contract Data. They will be sent for transmission purposes, especially to Connected Object manufacturers, who will be pursuing their own aims.

These data transfers will be governed by contracts signed between Ubiant and the data recipients, including the standard contractual clauses adopted by the European Commission in its Decision 2010/87/EU of 5 February 2010. Users and Third Parties may obtain a copy of the standard contractual clauses signed by Ubiant and each Connected Object manufacturer concerned by writing to Ubiant at the following email address: [email protected] or at the following postal address: Immeuble Le Silex – Espace Nextdoor, 15, rue des Cuirassiers

– 69487 Lyon Cedex 03.