Privacy and Cookie Notice

ABOUT US AND THIS NOTICE

This Privacy and Cookie Notice is provided by PassivSystems Limited (“PassivSystems” or “we” or “us”).

If you submit an enquiry on our website, have bought our services directly from us, or we have advised you to this effect when you signed up for your account, we process your data as a ‘controller’ for the purposes of the General Data Protection Regulation (EU) 2016/679.

However, where you have been provided access to our services by another company (such as the company which sold you the in-home hub or the company which installed the in-home hub, the “Seller”), we process personal data as a “processor” on behalf of the controller and the Seller will be the controller.

In both instances, this Privacy and Cookie Notice describes how we handle your information in order to provide our services and cookies used on our website, portal and applications. We take your privacy very seriously. We ask that you read this Privacy and Cookie Notice carefully as it contains important information about our processing and your rights.

How to contact us

If you need to contact us about this Privacy and Cookie Notice, use the details below:

  • The Data Protection Manager
  • Address: Benyon House, Newbury Business Park, Newbury, Berkshire, RG14 2PZ, United Kingdom
  • Telephone number: +44 1635 525050
  • Email: Dataprotectionmanager@passivsystems.com

Changes to this Privacy and Cookie Notice

The Privacy and Cookie Notice will be provided to you when you open an account with us and the latest version can always be found on our website.

We may change this Privacy and Cookie Notice from time to time. We will alert you by posting a notice on our website when changes are made.

Current version: Privacy and Cookie Notice 15 October 2018

USEFUL WORDS AND PHRASES

Please familiarise yourself with the following words and phrases (used in bold) as they have particular meanings in the Data Protection Laws and are used throughout this Privacy and Cookie Notice:

Term: Definition

controller: This means any person who determines the purposes for which, and the manner in which, any personal data is processed.

criminal offence data: This means any information relating to criminal convictions and offences committed or allegedly committed.

Data Protection Laws: This means the laws which govern the handling of personal data. This includes the General Data Protection Regulation (EU) 2016/679 and any other national laws implementing that Regulation or related to data protection.

data subject: The person to whom the personal data relates.

ICO: This means the UK Information Commissioner’s Office which is responsible for implementing, overseeing and enforcing the Data Protection Laws.

personal data: This means any information from which a living individual can be identified.

This will include information such as names, and telephone numbers, addresses and e-mail addresses when associated with names. It will also include expressions of opinion and indications of intentions about data subjects (and their own expressions of opinion/intentions).

It will also cover information which on its own does not identify someone but which would identify them if put together with other information which we have or are likely to have in the future.

processing: This covers virtually anything anyone can do with personal data, including:

  • obtaining, recording, retrieving, consulting or holding it;
  • organising, adapting or altering it;
  • disclosing, disseminating or otherwise making it available; and
  • aligning, blocking, erasing or destroying it.

processor: This means any person who processes the personal data on behalf of the controller.

special categories of data: This means any information relating to:

  • racial or ethnic origin;
  • political opinions;
  • religious beliefs or beliefs of a similar nature;
  • trade union membership;
  • physical or mental health or condition;
  • sexual life; or
  • genetic data or biometric data for the purpose of uniquely identifying you.

WHAT PERSONAL DATA DO WE COLLECT?

Information provided by you

We collect the following information from you:

  • Account information: When you sign up to participate in or receive a service from PassivSystems or register with PassivLiving we will ask for personal information about you, including your name and e-mail address. Different webpages may ask for different personal information. If you have technical issues and raise a support call or otherwise make enquiries about your account, we will keep that information together with the contact details you supply such as your home or mobile telephone number on record with your account.
  • Access information: When you access PassivSystems’ services via a browser or application, our system automatically records certain information such as your web request, your interaction with a service, Internet Protocol Address (IP Address – a number that can uniquely identify a specific computer or other network device on the internet), browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your account.
  • Location information: PassivSystems’ services relate to your home, and as such if you use those services, PassivSystems will receive information about the actual location of your home e.g. post code so that we may obtain local weather information.
  • Occupancy information: our in-home hub device records your occupancy schedule, which (depending on the services you take from us) may include the times you use energy, how you use your household appliances, your lighting and heating, the energy efficiency of your home and the amount of energy generated from Solar PV installations.
  • General enquiry information: If you submit a general enquiry to us, we will need to know your name and contact details in order to respond to your query. If you already have an account with us, we may link the enquiry to your account information.

We will not collect any special categories of data from you.

Personal information provided by third parties

If you bought our services from a Seller, the Seller will in some cases have provided us with personal data such as Account information (set out above) so we can verify that you are entitled to access our services.

WHY DO WE PROCESS YOUR PERSONAL DATA?

We use your personal data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section ‘How is processing your data lawful’ for further detail).

Purpose: General enquiries
Explanation:
  • To respond to questions and enquiries from potential and existing customers
Legal base: Legitimate interests

Purpose: Access to the portal
Explanation:
  • To enable you to create your own account on PassivLiving so you can access information about your energy consumption.
  • So we can maintain your account e.g. reset your password if you forget it and resolve technical issues that require support.
  • Data about your energy consumption. This data is also analysed and presented back to you on the PassivLiving portal and app.
Legal base: Contract

Purpose: In order to provide our services in accordance with the contract you have with us or the Seller
Explanation:
  • To analyse your household’s energy use, to monitor selected systems for underperformance that could lead to a triggering of a service call, advise you how you might use your household appliances, heating and lighting more efficiently, and changes you may need to make to your home to reduce your energy consumption.
  • For “service administration purposes”, which means that we may contact you for reasons related to the service you have signed up for (e.g. to provide you with password reminders, or to notify you that a particular service has been suspended for maintenance).
Legal base: Contract

Purpose: Managing and improving our website, portal and apps
Explanation:
  • To personalise the way our content is presented to you.
  • To analyse and improve our products and services and the service offered on PassivLiving e.g. to provide you with the most user-friendly experience.
See the Cookies section for more information about how this information is obtained and the controls you have over it.
Legal base: Legitimate interests

Purpose: Marketing
Explanation: Where you have consented, or where you are a direct customer of ours, we may send you information about our other products and services which we think will be of interest to you.
Legal base: Legitimate interests or consent

We may use information generated through our customers’ use of our services for research and product development purposes but information used in this way is always anonymised so it does not reveal your identity or anything about you.

HOW IS PROCESSING YOUR PERSONAL DATA LAWFUL?

Personal data

We are allowed to process your personal data for the following reasons and on the following legal bases:

Legitimate Interests

We are permitted to process your personal data if it is based on our ‘legitimate interests’ i.e. we have good, sensible, practical reasons for processing your personal data which is in the interests of PassivSystems or a third party, such as the Seller. To do so, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible. The table below explains the personal data processed on this basis.

You can object to processing that we carry out on the grounds of legitimate interests. See the section headed “Your Rights” to find out how.

Contract

It is necessary for our performance of the contract you have agreed to enter with us or which you have entered with a third party, such as the Seller. If you do not provide your personal data to us, we will not be able to carry out our obligations under the terms of your contract.

Consent

Sometimes we want to use your personal data in a way that is entirely optional for you, such as to provide you with information relating to other products and services that you may be able to obtain from us. On these occasions, we will ask for your consent to use your information. You can withdraw this consent at any time.

WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?

Our key service providers that act as our processors who will store and process your personal data are Rackspace Limited, Amazon Web Services and Mailchimp.

Like any business, we rely on a variety of providers of other services to operate. If you would like to know the names of our other service providers please contact us using the details at the start of this Privacy and Cookie Notice.

Other than as set out in this Privacy and Cookie Notice, we will only share your personal data with other companies or individuals outside PassivSystems if we have your specific consent or where required to do so to comply with law, the police or other law enforcement bodies or regulators.

We may share ‘anonymised’ information (such as statistical data which does not refer to any individual specifically and which is not therefore classified as personal data), with other parties for example for the purposes of product enhancement.

Transfers of your personal data outside the EEA

We use Mailchimp to send registration and other service emails to you. It may transfer your personal data outside the European Economic Area, for the purpose of delivering emails to you. Mailchimp participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. It is committed to subjecting all Personal Information received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles.

Any transfer of your data will be carried out in accordance with the law to safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms. If you want to know more about how data is transferred, please contact us using the details in the section above.

How do we keep your personal data secure?

We strive to implement appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing. We aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate for the risks presented by the nature and use of your personal data. We follow recognised industry practices for protecting our IT environment and physical facilities.

WHEN WILL WE DELETE YOUR DATA?

We will hold your personal information on our systems for as long as is necessary to enable us to continue to provide the service to you.

In the case that you wish to cease receiving services from us, you should write to us at support@passivsystems.com and we will mark your account for deletion.

When an account is marked for deletion, your personal data stays on the system for a period of up to one year before being deleted. We retain the data for up to one year in order to enable us to have a reasonable amount of time to deal with any queries which you may have in relation to the services which we have provided to you.

YOUR RIGHTS

As a data subject, you have the following rights under the Data Protection Laws:

  • the right to object to processing of your personal data;
  • the right of access to personal data relating to you (known as data subject access request);
  • the right to correct any mistakes in your information;
  • the right to ask us to stop contacting you with direct marketing;
  • the right to prevent your personal data being processed;
  • the right to have your personal data ported to another controller;
  • the right to withdraw your consent;
  • the right to erasure; and
  • rights in relation to automated decision making.

These rights are explained in more detail below. If you want to exercise any of your rights, please contact us (please see “How to contact us”).

We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.

Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Laws.

Right to object to processing of your personal data

You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing.

If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section headed “How is processing your personal data lawful”.

Right to access personal data relating to you

You may ask to see what personal data we hold about you and be provided with:

  • a copy of the personal data;
  • details of the purpose for which the personal data is being or is to be processed;
  • details of the recipients or classes of recipients to whom the personal data is or may be disclosed, including if they are overseas and what protections are used for those overseas transfers;
  • the period for which the personal data is held (or the criteria we use to determine how long it is held);
  • any information available about the source of that data; and
  • whether we carry out automated decision-making or profiling and, where we do, information about the logic involved and the envisaged outcome or consequences of that decision or profiling.

To help us find the information easily, please provide us as much information as possible about the type of information you would like to see.

Right to correct any mistakes in your information

You can require us to correct any mistakes in your information which we hold. If you would like to do this, please let us know what information is incorrect and what it should be replaced with.

Right to restrict processing of personal data

You may request that we stop processing your personal data temporarily if:

  • you do not think that your data is accurate. We will start processing again once we have checked whether or not it is accurate;
  • the processing is unlawful but you do not want us to erase your data;
  • we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
  • you have objected to processing because you believe that your interests should override our legitimate interests.

Right to data portability

You may ask for an electronic copy of your personal data which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party.

Right to withdraw consent

You may withdraw any consent that you have given us to process your personal data at any time. This means that we will not be able to carry out any processing which required use of that personal data.

Right to erasure

You can ask us to erase your personal data where:

  • you do not believe that we need your data in order to process it for the purposes set out in this Privacy Notice;
  • if you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
  • you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
  • your data has been processed unlawfully or has not been erased when it should have been.

Rights in relation to automated decision making

We do not make any decisions by automated means regarding your personal data.

What will happen if your rights are breached?

You may be entitled to compensation for damage caused by contravention of the Data Protection Laws.

Complaints to the regulator

It is important that you ensure you have read this Privacy and Cookie Notice – and if you do not think that we have processed your data in accordance with this notice – you should let us know as soon as possible. You may also complain to the ICO. Information about how to do this is available on its website at www.ico.org.uk.

COOKIES

We use cookies and analyse the information they provide to enhance your user experience. This information is not used to develop a personal profile of you.

What is a cookie?

A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile phone (referred to here as a “device”) browser from a website’s computer and is stored on your device’s hard drive. Each website can send its own cookie to your browser if your browser’s preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other sites. Many sites do this whenever a user visits their website in order to track online traffic flows.

If personal data is collected, websites and apps must get consent to send cookies to your computer or mobile device unless the cookies are strictly necessary to provide services to you. You can withdraw your consent to those cookies at any time even if you have previously consented. Our website and app only collect personal data through cookies which are strictly necessary to provide services to you.

How do we use cookies?

The table below explains what cookies we use on our website and app and why we use them.

It notes whether they are:

  • strictly necessary cookie. These cookies are essential to enable you to receive a service on a website or app such as logging in to the portal or app
  • functionality cookie. These cookies allow the website or app to remember choices you make (such as your log in details) and customised preference settings (e.g. your Fahrenheit / Centigrade preference). They also enable enhanced, more personal features, e.g. a website or app may be able to provide you with local weather reports by using a cookie to remember which region you are in. Information collected by “functionality” cookies may or may not be anonymised, but they cannot track your browsing activity on other websites
  • performance cookie. These cookies collect information about how visitors use a website or app, for instance, which pages visitors go to most often and if they get error messages from web pages or screens. These cookies do not collect information that identifies a visitor. Any information collected by these cookies is anonymous. We only use such information to improve our website and app.

We also state in the table whether a cookie is a “persistent” or “session” cookie. The difference is that:

  • Persistent cookies remain on your device between browsing sessions. They are activated each time you visit the website that created that particular cookie. For example, where a “persistent cookie” is used on a website to remember your log-in details, you will not need to enter those details each time you visit that website.
  • Session cookies allow website operators to link the actions of a user during a browser session. A browser session starts when you open the browser window and finishes when you close the browser window. Session cookies are created temporarily. Once you close the browser, all session cookies are deleted.

Table columns: Cookie Name; Purpose; Strictly Necessary Cookie; Functional Cookie; Performance Cookie; Persistent/Session; More Info

PassivLiving

  • Accepted Cookies
    Purpose: Records that the user acknowledged the cookie policy when they logged in
    Persistent/Session: Session
    More info: Stores a simple true/false value
  • Registered
    Purpose: Records that the user has successfully logged in
    Persistent/Session: Persistent
    More info: Stores a simple true/false value
  • Username
    Purpose: Records the username of the currently logged in user
    Persistent/Session: Persistent if ‘stay logged in’ selected, session otherwise
    More info: Stores the current username
  • Secret
    Purpose: Records information required to support user’s login
    Persistent/Session: Persistent if ‘stay logged in’ selected, session otherwise
    More info: Stores a value known to the browser and server for carrying out verification of the user
  • Token
    Purpose: Records the current user’s authentication token
    Persistent/Session: Persistent if ‘stay logged in’ selected, session otherwise
    More info: Stores the access token for the current user

PassivPro

  • Agent Name
    Purpose: Records the name of the agent that the currently logged in user is associated with
    Persistent/Session: Persistent if ‘stay logged in’ selected, session otherwise
    More info: Stores the name of the business the current user has logged in as
  • Agent Id
    Purpose: Records the internal identification for the agent that the currently logged in user is associated with
    Persistent/Session: Persistent if ‘stay logged in’ selected, session otherwise
    More info: Stores our reference for the business the current user has logged in as
  • Agent Country Code
    Purpose: Records the country code for the agent that the currently logged in user is associated with
    Persistent/Session: Persistent if ‘stay logged in’ selected, session otherwise
    More info: Stores the country code of the business the current user has logged in as (e.g. GB)
  • Username
    Purpose: Records the username of the currently logged in user
    Persistent/Session: Persistent if ‘stay logged in’ selected, session otherwise
    More info: Stores the current username
  • Token
    Purpose: Records the current user’s authentication token
    Persistent/Session: Persistent if ‘stay logged in’ selected, session otherwise
    More info: Stores the access token for the current user

Registration

  • Registration Flow State
    Purpose: Records all the details entered as part of the registration process
    Persistent/Session: Session
    More info: Captures all the input registration data in an encoded form. Data is held until the end of the registration process when it is used to set up the user’s account and services

PassivLiving App

  • User Details
    Purpose: Records the user details and authentication information to allow the user to remain logged in
    Persistent/Session: Persistent within the App while the user is logged in. Cleared on logout
    More info: Stores the current username, encrypted password, current access token and server on your device
  • User Settings
    Purpose: Records the user’s settings for the App
    Persistent/Session: Persistent within the App while the user is logged in. Cleared on logout
    More info: Stores temperature unit settings, app preferences and onboarding status on your device

passivsystems.com

  • cookie_message_hidden
    Purpose: Used to save if the user has hidden the cookie challenge
    Persistent/Session: Persistent, Expires after 1 year
  • _ga
    Purpose: Used to distinguish users
    Persistent/Session: Persistent, Expires after 2 years
    More info: 3rd Party. Part of Google Analytics integration
  • _gat
    Purpose: Used to throttle request rate
    Persistent/Session: Persistent, Expires after 1 minute
    More info: 3rd Party. Part of Google Analytics integration
  • _gid
    Purpose: Used to distinguish users
    Persistent/Session: Persistent, Expires after 24 hours
    More info: 3rd Party. Part of Google Analytics integration
  • __sharethis_cookie_test__
    Purpose: Used to test if cookies are enabled
    Persistent/Session: Persistent, Never expires
    More info: 3rd Party. Part of ShareThis social share buttons
  • __stid
    Purpose: Used to identify user sessions
    Persistent/Session: Persistent, Expires after 1 year
    More info: 3rd Party. Part of ShareThis social share buttons
  • __unam
    Purpose: Monitors “click-stream” activity
    Persistent/Session: Persistent, Expires after 1 year
    More info: 3rd Party. Part of ShareThis social share buttons