Privacy Policy for Geberit Mobile Apps and IoT Services
Changes from the previous version of this document are listed at the end of the document.
1 Scope
This Privacy Policy applies to the use of the Geberit mobile apps (“Mobile App(s)”) and Internet of Things services (“IoT Services”), and the services they provide. Use of Mobile Apps and IoT Services requires us to process your personal data when you access certain services. By personal data, we mean any information relating to an identified or identifiable natural person.
2 Controller and Data Protection Officer
2.1 The operator of Mobile Apps and IoT Services and the controller responsible for processing your personal data is Geberit International AG, Schachenstrasse 77, 8645 Rapperswil-Jona, Switzerland (“Geberit”).
2.2 Our data protection officer can be reached by email at dataprotection@geberit.com or at the postal address above for the attention of “The data protection officer”. To contact our data protection officer in confidence, please use DPO@geberit.com.
3 Information about the processing of your data
This section provides further information about what personal data we collect from you and how we process it. The legal basis for some of our data processing is our legitimate interest according to point f) of Article 6(1) of the General Data Protection Regulation (“GDPR”) together with the Protection of Personal Information Act, No 4 of 2013 (“POPI”). If you would like further information about our legitimate interest, please contact us using the details provided in Section 2. You have the right to object at any time to the processing of personal data relating to you, on grounds relating to your particular situation.
3.1 Download of Mobile Apps
When downloading Mobile Apps, certain information is passed on to your chosen online store for mobile applications (so-called apps). As this data is processed exclusively through the respective online store, the handling of this data is beyond our control. For more information, please refer to the terms of use and privacy policy of the respective online store provider.
3.2 Use of Mobile Apps and IoT Services
3.2.1 When you open Mobile Apps for the first time, we ask you to specify the country in which you intend to use it so that we can offer you services in the appropriate language and with the intended functionality. The legal basis for this is our contractual relationship with you pursuant to the “Terms of Use for Geberit Mobile Apps and IoT Services” and point b) of Article 6(1) of the GDPR and paragraph 2 of POPI.
3.2.2 When using Mobile Apps and IoT Services, the backend servers used to provide, for example, user manuals of Geberit products or remote support connectivity, automatically and temporarily collect information transmitted by your mobile end device in server log files. This data is as follows:
- IP address of the mobile end device sending the request
- Request path and arguments
- Request time
- Operating system of the mobile end device sending the request
The data in these server log files is not analysed in a way that identifies individual persons. In cases where the information listed above contains personal data (in particular the IP address), the legal basis for collecting this data is point (f) of Article 6(1) of the GDPR. The legitimate interest we pursue in collecting this data is to ensure the proper functioning of our Mobile Apps and IoT Services. The logging and analysis of the data also helps us ensure the security of our IT systems. Your personal data is not processed further. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed, after 30 days at the latest. If the data is stored for other, similar reasons, your personal data is anonymised and de-identified so that you cannot be associated with or identified from this data.
3.2.3 If the Geberit ID is used for user authentication in Mobile Apps, the following information is stored locally on your mobile end device: unique identifier (“UID”) of the Geberit ID, your name, email address, phone number, and country. The UID is transmitted to a backend server to allow you to reset passwords of password-protected Geberit products. The legal basis is our legitimate interest according to point (f) of Article 6(1) of the GDPR and POPI in the ability to trace back unauthorised manipulations of Geberit products. The data is deleted as soon as it is no longer required for the purpose for which it was processed, generally after 30 years.
3.2.4 When using Mobile Apps, you have the option to voluntarily submit personal data, e.g. by registering your Geberit product, contacting us via email or contact form. This data is used by us to provide our services and handle your requests. This data will be solely collected by the responsible Geberit sales company. The data collection is subject to a separate privacy policy that is accessible on the corresponding Geberit website.
3.2.5 Service technicians commissioned by Geberit companies or representatives of Geberit companies’ customer service can retrieve technical data from your Geberit product via Mobile Apps and IoT Services in the course of service work and transmit the data to Geberit. This technical data comprises device data, statistical and diagnostic data such as model, article number, serial number (only in case of IoT Services), manufacturing date, installation date, firmware version, device settings, profile settings, meter readings from the device components, error codes, and event logs (e.g., errors, descaling events, flush events). This can be done on site by a service technician via Mobile Apps or, if initiated by you, remotely by a customer service representative via IoT Services. We require this data in order to provide you with our services based on our contractual relationship according to point (b) of Article 6(1) of the GDPR and stipulations in POPI, and to improve our range of products and services and their functions and performance characteristics through anonymised data analyses based on our legitimate interests according to point (f) of Article 6(1) of the GDPR and POPI. In the case of IoT Services, the data is either deleted or fully anonymised as soon as it is no longer required for the purpose for which it was processed, generally after two years.
3.2.6 When using IoT Services, personal data associated with you or your Geberit ID is also collected for the purpose of the efficient handling of a service request and subsequent provision of service and support of compatible Geberit Connect and Geberit AquaClean products (e.g., remote configuration, maintenance, troubleshooting and fault clearance). This data will be solely collected by the responsible Geberit sales company.
3.2.7 If you configure the Geberit Gateway via Mobile Apps and the Geberit Gateway is permanently connected to the internet (e.g., via Ethernet or Wi-Fi), you have the option of activating the cloud services and thus the periodic transmission of the technical data listed in section 3.2.5 to Geberit to improve our range of products and services and their functions and performance characteristics through anonymised data analyses. This transmission is voluntary and must be initiated by you via Mobile Apps (opt-in). The legal basis is your consent according to point (a) of Article 6(1) of the GDPR and POPI. You can object to the processing of your data at any time with future effect by opting out of the cloud services in Mobile Apps. The data is either deleted or fully anonymised as soon as you object or when it is no longer required for the purpose for which it was processed, generally after two years.
3.2.8 If the cloud services are activated according to 3.2.7, you also have the option of activating notifications to be notified of important events related to the Geberit Gateway. For this purpose, your Geberit ID is linked to the serial number of the Geberit Gateway so that email notifications can be sent to the email address stored under the corresponding Geberit ID. The notifications are optional and must be activated by you via Mobile Apps (opt-in). The legal basis is your consent according to point (a) of Article 6(1) of the GDPR. You can object to the processing of your data at any time with effect for the future by deactivating the notifications in Mobile Apps. The link will then be removed again and you will no longer receive notifications.
3.3 Analytic data
3.3.1 When using Mobile Apps, your chosen online store for apps and/or operating system provider may collect usage and diagnostics data, such as frequency of Mobile Apps usage and information on Mobile Apps crashes, and provide it to us in aggregated and anonymised form. The collection of such data is governed by the terms of use and privacy policy of the online store and/or operating system provider and is thus beyond our control. The legal basis for viewing and evaluating this data on our side is a legitimate interest in the analysis, optimisation and economic operation of Mobile Apps according to point (f) of Article 6(1) of the GDPR.
3.3.2 We collect certain information automatically while Mobile Apps are in use, such as the type of your mobile end device, the version and language of your operating system, the screen resolution, the time of access, and various usage data such as statistics on the usage of certain functions of Mobile Apps and the type of and state of connected Geberit products. We don’t collect any personal data, but only anonymised and aggregated information that does not allow us to identify any user. To collect the information, we use the technology Microsoft App Center Analytics (Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA; “Microsoft Analytics”). We use the information for the following purposes: (1) to allow you to use Mobile Apps and their associated functions, (2) to improve the functions and performance characteristics of Mobile Apps, and (3) to prevent and eliminate misuse and malfunctions. The legal basis for processing this data is (1) that it is essential to the provision of Mobile Apps, and (2) and (3) that we have a legitimate interest in ensuring the operability and trouble-free operation of Mobile Apps and of their connection with Geberit products. The collected data is deleted as soon as it is no longer required for the purpose for which it was processed, generally after 30 days. You can prevent this information from being collected by deactivating the “Send analytics data” setting in Mobile Apps.
3.4 Mobile Apps also use or link to one or more of the following tools and technologies
3.4.1 movingimage video hosting for functional movies
Functional movies for selected Geberit products are provided in Mobile Apps. These functional movies can assist you in the maintenance and care of your Geberit product. The video files are hosted on servers of a third-party service called movingimage (movingimage EVP GmbH, Tempelhofer Ufer 1, 10961 Berlin Germany) and from there they are downloaded to your mobile end device when you open the videos in Mobile Apps. During this process, certain information such as your IP address may be stored in the server log files of movingimage, which is beyond our control. More information can be found in the privacy policy of movingimage (please refer to https://www.movingimage.com/gtc/privacy-policy-of-movingimage-evp-gmbh/).
3.4.2 Geberit tools and web calculators in the Geberit Pro Mobile App
The Geberit Pro Mobile App embeds Geberit tools and web calculators such as the SilentPanel Assistant and a tool for the determination of pipe diameters. The usage of these tools is governed by a separate privacy policy. More information can be found in the cookie settings banner that appears automatically when launching one of the tools in the Geberit Pro Mobile App.
4 Sharing your data with third parties
Your personal data will never be shared with third parties without your express prior consent. The only exceptions to this apply in the following cases, which are based on our legitimate interests according to point f) of Article 6(1) of the GDPR and paragraph 6 of POPI. If you would like further information about our legitimate interest, please contact us using the details provided in Section 2. You have the right to object at any time to the processing of personal data relating to you, on grounds relating to your particular situation.
4.1 For prosecution reasons
Where required in order to investigate the unlawful use of our services or for the purposes of prosecution, personal data will be disclosed to the relevant law enforcement authorities and, where applicable, to any third-party claimants. However, such a course of action will only take place if there is concrete evidence of unlawful conduct or misuse. In such cases, your data may also be shared if this is required for the fulfilment of terms and conditions of use or other agreements. If requested, we are also legally obliged to disclose such data to certain public authorities, such as law enforcement bodies, authorities that penalise offences, and financial authorities.
In these cases, data is disclosed based on our legitimate interest in combating misuse, aiding the prosecution of criminal offences, and aiding the establishment, assertion and enforcement of claims, according to point (f) of Article 6(1) of the GDPR and paragraph 6 of POPI.
4.2 Associated companies within the Geberit Group
Personal data is disclosed to the respective local sales companies associated with the Group to ensure that we can provide optimal sales support to Geberit customers in each respective country. In these cases, data is disclosed based on our legitimate interest in ensuring effective customer support.
4.3 Contract data processors
We rely on contractually bound third-party companies and external service providers (referred to as “Processors”) in order to provide our services. In such cases, personal data will be shared with these Processors in order to allow them to provide their services. The Processors have been carefully selected by us. The Processors are permitted to use the data only for the purposes specified by us. Furthermore, they are contractually obligated to handle your data exclusively in accordance with this privacy policy and in line with the applicable data protection laws.
More specifically, we use the services of the following processors in particular:
1. other Geberit companies for the purposes of centralised customer administration and order processing
2. other Geberit companies for the purposes of providing centralised IT services for the other companies in the Group
3. cloud computing providers who process the selected usage and device data from your Geberit product within Europe
4. logistics service providers, for the purpose of sending you products, marketing materials or other items that you have ordered from us
5. payment service providers for the purpose of processing all payments from you to us or vice versa
6. service providers for installation work or after-sales services
7. service providers for the distribution of newsletters or the execution of customer surveys
8. IT service providers for hosting, operation and support for IoT Services
Data is disclosed to data processors based on Article 28(1) of the GDPR and paragraphs 20 and 21 of POPI.
Personal data is not shared outside of the European Economic Area except for Switzerland and the United Kingdom, for which there is an adequacy decision to determine an adequate level of data protection.
5 Your rights
As a data subject you are entitled to the rights outlined below. If you would like to exercise any of these rights, please send us a written request using the contact details specified above or send an email to the following address: dataprotection@geberit.com.
5.1 Right to access
You have the right to request that we provide access to the personal data concerning you that we have processed. You may exercise this right at any time within the scope outlined in Article 15 of the GDPR and paragraph 5 of POPI.
5.2 Right to rectification or erasure
Subject to the prerequisites specified in Articles 16 and 17 of the GDPR, you have the right to request from us the rectification of incorrect data or the erasure of personal data concerning you. The prerequisites provide for a right to erasure in particular where the personal data is no longer necessary for the purposes for which it was collected or otherwise processed. The ability to exercise this right is restricted in accordance with Article 17(3) of the GDPR, particularly in cases where we require your data in order to meet a legal obligation or to process legal claims.
5.3 Right to restriction of processing
You have the right to request from us restriction of processing under the terms specified in Article 18 of the GDPR.
5.4 Right to object
In accordance with Article 21 of the GDPR, you have the right to object, on grounds relating to your particular situation and at any time, to the processing of personal data concerning you on the basis of point (e) or (f) of Article 6(1) of the GDPR and paragraph 5(d) of POPI. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or unless the circumstances involve the establishment, exercise or defence of legal claims.
5.5 Right to data portability
You have the right to receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format under the terms specified in Article 20 of the GDPR.
5.6 Right to lodge a complaint with the relevant data protection supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, your place of work or the place of the alleged infringement if you consider that the processing of personal data relating to you infringes the applicable data protection legislation.
6 Erasure of your data
If you would like to request the erasure of your data, simply email us at dataprotection@geberit.com. Generally speaking, we erase or anonymise your personal data as soon as it is no longer needed for the purposes for which we collected or used it in accordance with the sections above. If data needs to be retained for legal reasons, it will be blocked. This means that it will no longer be available for further processing. If you require further information regarding our erasure and retention periods, please contact us using the details provided above.
7 Changes of purpose
Your personal data will only be processed for purposes other than those described if a legal provision requires this course of action or if you have given your consent to the changed purpose of the data processing. In cases of further processing for purposes other than those for which we originally collected the data, we will notify you of these other purposes prior to the data being processed further, and will provide you with all other information that relates to this.
8 Automated individual decision-making or profiling
We do not use any automated processing systems for coming to specific decisions – including profiling.
9 Changes to this privacy policy
The current version of this privacy policy is always available in Mobile Apps (typically under the “Information” or “More” menu items).
Version: April 2024
Changes compared with the previous version of this document (November 2023):
- Added list of changes compared with the previous version of this document
- Updated and improved descriptions of data processing activities in section 3 (Information on processing your data):
  - The information is now structured in four main areas, which are about downloading Mobile Apps, using Mobile Apps and IoT Services and the use of analytic data and tools and technologies
  - Added information about server log files, Geberit ID, as well as about Geberit Connect products, the Geberit Gateway and associated IoT Services such as sending a service request
  - Updated description of analytic data and of tools and technologies used by Mobile Apps