GROHE App Privacy Policy

We as GROHE appreciate your interest in our company and our products. We take the protection of your privacy very seriously. In the following we inform you how your personal data is being processed while using GROHE’s Sense or Ondus mobile application (collectively “GROHE App”) in connection with our devices, the GROHE Sense, the GROHE Sense Guard and the GROHE Blue (collectively “GROHE Devices”), as well as the rights you have under the European General Data Protection Regulation (“GDPR”).

A. Who is responsible for the data processing and who can you contact?
Responsible as controller for the processing of your personal data is:

GROHE AG
Address: Feldmühleplatz 15, 40545 Düsseldorf, Germany.
You can reach our data protection officer under the following contact information:
Data protection officer of GROHE AG
Address: Feldmühleplatz 15, 40545 Düsseldorf, Germany.
Email: dataprotection@grohe.com

B. How do we process personal data?
We process various personal data you provide to us when using GROHE Devices via the GROHE App for several purposes.
In principle, the following can be considered as the purposes of the processing: the processing for the initiation of contractual relationships and the performance of contracts (Art. 6 (1) lit. b GDPR), the processing for the protection of legitimate interests (Art. 6 (1) lit. f GDPR), the processing based on your consent (Art. 6 (1) lit. a GDPR) and/or the processing subject to statutory provisions (Art. 6 (1) lit. c GDPR).
You can find in the following further information on the specific personal data and the purposes we process such personal data for as well as the legal basis for such processing.
I. User registration and login
To fully use the functionalities of the GROHE App and connected GROHE Devices it is necessary to create a user account and log in each time you use the GROHE App. For this purpose we collect the following registration and login data: name, email-address, password.
In this event we use the so-called double-opt-in procedure for registration, which means that your registration is not finalised until you confirm your registration by clicking on the link contained in a confirmation email we send you for this purpose. In case your confirmation is not received promptly, your details will be automatically deleted from our database within 10 days.
Alternatively, you may also register and log in via your Facebook or Google account (so-called “Single Sign On”). In this case we store the following registration and login data provided by Facebook or Google: name, email-address.
The processing of your personal data is necessary to provide the GROHE App and its functionalities. Legal basis for the processing is Article 6 para 1 lit b) GDPR (performance of a contract).
II. Usage of connected GROHE Devices
We process certain personal data if you use the GROHE App in connection with GROHE Devices.

1. GROHE Sense Guard
When using the GROHE App in connection with GROHE Sense Guard the following data categories are collected:
• Usage Data (including use-based information over time, such as water pressure, water temperature and water flow measured by the device, type, time and frequency of alarm, valve status, timestamps, water heating type, water costs and costs for water heating).
• Technical Data (including device-related information, such as device-ID and serial no., firmware version, battery status, WIFI settings and signal strength, error codes, IP address, as well as time zone related data and information on other installed appliances).
• User Contact Data (including user contact information, such as e-mail address, home address, phone number, first name, last name).
• Emergency Contact Data (including contact information regarding the emergency contact provided by the user, such as name, email-address).
• Installer Contact Data (including contact information regarding the installer provided by the user, such as name, company address, email-address, telephone, country).
The processing of such data is necessary to provide the full functionalities of the device as a protection system to detect volume and time-based leakages and micro leakages, to alert the user in case of emergency, to monitor the usage of the device and to provide the user with statistical information (e.g. on water consumption, on energy consumption and probable costs). The legal basis for the processing of personal data relating to the user is Art. 6 (1) lit. b GDPR (performance of a contract). The processing of personal data relating to the emergency contact and the installer is based on Art. 6 (1) lit. f GDPR (legitimate interest).

2. GROHE Sense
When using the GROHE App in connection with GROHE Sense the following data categories are collected:
• Usage Data (including use-based information, such as ambient temperature, humidity level and flooding status measured by the device, type, time zone related data and frequency of alarms).
• Technical Data (including device-related information, such as device-ID and serial no., firmware version, battery status, WIFI settings and signal strength, time stamps, error codes, IP address).
• User Contact Data (including user’s contact information, such as e-mail address, telephone number, home address provided for emergency cases, first name, last name of the user).
• Emergency Contact Data (including contact information of the specified emergency contact, such as name, email-address).
The processing of such data is necessary to provide the full functionalities of the device as a protection system to detect increasing/decreasing humidity, too high temperature or unwanted water and other liquids on surfaces, to alert the user in case of emergency, to monitor the usage of the device and to provide the user with statistical information. Legal basis for the processing of personal data relating to the user is Art. 6 (1) lit. b GDPR (performance of a contract). The processing of personal data relating to the emergency contact is based on Art. 6 (1) lit. f GDPR (legitimate interest).

3. GROHE Blue
When using the GROHE App in connection with GROHE Blue and GROHE Blue Professional devices the following data categories are collected:
• Usage Data (including carbonation preference / water temperature / flow rate to create individual settings, use statistics, personal and total water consumption per device and per account, tracking of stock levels and orders of consumables, order tracking on GROHE Webshop, time zone related data and other time-related usage information).
• Technical Data (including filter capacity levels, CO2 capacity, control settings, device-ID and serial no., firmware version, projected reorder times, battery status, automated run times, WIFI settings and signal strength, error codes, timestamps, IP address, cleaning status, cleaning reminder, flush status, flush reminder).
• User Contact Data (including e-mail address, telephone number).

The processing of such data is necessary to provide the full functionalities of the device as a faucet to provide you with filtered potable water with or without carbonation or as a faucet to provide you with unfiltered tap water. Legal basis for the processing is Art. 6 (1) lit. b GDPR (performance of a contract).
III. Contacting us via email or contact form
When you contact us by e-mail or via the contact form, your e-mail as well as any other details provided by you will be processed by us in order to best answer any questions or issues you may have.
Legal basis for the processing of personal data is Art. 6 (1) lit. f GDPR (legitimate interests). Our legitimate interest for the processing is the offering of good customer care and optimal handling of your requests.
IV. Handling of incidents and provision of support services
We process certain personal data in case of a malfunction or damage reported by the GROHE Devices used by you or reported by you directly, including the accessing of your personal data by the GROHE support team for analysing and solving the malfunction or damage reported and for the purpose of contacting you. This includes your contact details and the required information regarding the specific incident (“Incident Data”).
In order to provide optimal support and service and to reach out to you, the Incident Data may be transferred to the regionally competent GROHE service group company, located in your country of residence (“Regional Support Entity”). We may also share your contact details and information regarding the specific incident with external service providers (e.g. installers), which act on our behalf in case service requests require on-site visits.
Legal basis for the processing of personal data is Art. 6 (1) lit. b GDPR (performance of a contract).
V. Connecting user’s account with Cooperation Partners
We process certain personal data for connecting your account with partners we cooperate with (“Cooperation Partners”), such as insurance companies, and to enable you to receive specific offers and benefits relating to the use of GROHE Devices from such Cooperation Partners. You can find further information about how your personal data is processed in this context in our Partner Data Access Policy.
If a specific Cooperation Partner is not available for connecting your account in the GROHE App yet, we will contact you via your email-address as soon as the respective Cooperation Partner is available to be connected, provided that you give us your consent. Legal basis for the processing is in this case Art. 6 (1) lit. a GDPR (consent).
VI. Connecting user’s account with Smart Home Partners
We process the following personal data for connecting your account with partners, which allow you to connect selected GROHE Devices with the partner’s smart home devices and/or services (“Smart Home Partners”): User ID, device ID, house name (given by user), room name (given by user), event type (e.g. flooding), language.
Legal basis for the processing of your personal data is Art. 6 (1) lit. f GDPR (legitimate interest). We have a legitimate interest to process your personal data in order to allow the Smart Home Partner to provide its smart home devices and services offered to you.
For detailed information regarding the further use of your personal data we share with the respective Smart Home Partner, please refer to the Smart Home Partner’s Privacy Policy, if any.
VII. Communication for marketing purposes
We will process your personal data (e.g. e-mail, telephone number) to provide you with market specific products from GROHE or an affiliated company of GROHE.
If you agree, we may also share your personal data with affiliated companies of LIXIL Group, i.e. the mother company of GROHE or other companies belonging to the LIXIL Group, to send you marketing information.
Legal basis for such processing of personal data is Art. 6 (1) lit. a GDPR (consent).
VIII. Tracking and web analytics
The GROHE App uses Google Analytics, a web tracking tool by Google Inc. (hereafter: “Google”). Google Analytics uses cookies to analyze your use of the GROHE App. The data created by the cookie is usually transferred to a server of Google in the USA and stored there.
In case the anonymization of IP-addresses is active on GROHE App, the user’s IP-address will be truncated inside the European Union or the European Economic Area. Only in exceptional cases the user’s full IP-address will be transmitted to a server of Google in the US and truncated there. Please note that on this app, Google Analytics code is supplemented by anonymizeIp to ensure an anonymised collection of IP addresses (so called IP masking).

On behalf of us, Google will process this data in order to analyze your use of our app, to generate reports on app activity and to render further services regarding the use of our app. The IP-address transmitted by your browser will not be associated with other data in possession of Google.
You may refuse the use of cookies by selecting the appropriate settings in the GROHE App. Furthermore, you can prevent Google's collection and use of data (cookies and IP address) by deactivating the tracking function under settings in the app menu. However, please note that if you do this, you may not be able to use the full functionality of the GROHE App.

You can find further information about terms and conditions as well as data protection on https://www.google.com/policies/privacy/.
The processing of personal data through Google Analytics is based on Art. 6 (1) lit. f GDPR. Purpose and our legitimate interest are analysis of the use of our services as well as improved functionality with regard to GROHE App.

C. Are you obliged to provide personal data?
There is no legal or contractual obligation to provide us with your personal data, except for such personal data which is required for registering and logging in to the GROHE App. Otherwise, we only ask you to provide us with the data necessary for providing our services. Without these personal data, we are not able to offer you the full functionalities of the GROHE App and GROHE Devices and our services may be limited.

D. With whom do we share personal data?
I. Engagement of service providers
We sometimes use external service providers to process personal data when providing the GROHE App and its functionalities and services to you. Processing of personal data by such service providers is carried out on our behalf and in accordance with our instructions (so-called “Processors”, see Art. 4 (8) GDPR). We engage the following service providers or categories of service providers:
• IT Service Providers (including hosting, security reviews, algorithm testing, account management, web analytics).
• Support Service Providers (including handling of support incidents).
II. Transfer of personal data to third parties
We may also share personal data with recipients, which process personal data under their own responsibility for own purposes (see Art. 4 (7) GDPR). This includes transfer to the following recipients or categories of recipients:
• GROHE affiliates and Regional Support Entities.
• Cooperation Partners (for further information see our Partner Data Access Policy)
• Smart Home Partners
E. Do we transfer personal data to third countries?
We may transfer personal data to service providers and recipients located in countries outside of the European Economic Area (EEA), if such transfer is necessary for the purposes mentioned in this Privacy Policy. Such transmission takes place in the following cases:
• Handling of user requests and incidents by GROHE service group company (“Regional Support Entity”) or other external service companies engaged by GROHE and located outside the EEA, see Section B.IV.
• Sharing of personal data with Cooperation Partners located outside the EEA, see Section B.V.
• Sharing of personal data with Smart Home Partners located outside the EEA, see Section B.VI.
• Processing of personal data by service providers acting on our behalf, including tracking and web analytics by Google (see Section B.VIII) and hosting of our services by Amazon Web Services.
Any transfer to a third country shall take place only in compliance with the applicable data protection regulations, in particular the assurance of an adequate level of data protection. We have implemented appropriate safeguards, i.e. standard contractual clauses according to Art. 46 (2) lit. c GDPR, ensuring the safety of your personal data. For further information regarding this or a copy of said safeguards you can contact us under the contact information given in Section A.

F. How long do we store personal data?
In general, we process personal data only as long as it is necessary in relation to the initial specified, explicit and legitimate purpose.
In addition, we are subject to various statutory filing and documentation obligations. The retention periods for such storage and documentation obligations can be up to ten years.
In light of possible legal claims, the retention period is also determined by statutory time limitations, which can be up to thirty years, whereby the regular limitation period is three years.

G. How do we secure personal data?
We maintain up-to-date technical measures to safeguard data security, in particular to protect your personal information from threats when transferring data and from prior knowledge gained by third parties. These measures are constantly adapted to the latest state of the art.
In order to prevent unauthorised access by third parties to your personal data, the connection is encrypted using SSL technology.

H. Which rights do you have?
You have the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR).
When personal data is processed based on your consent, you have the right to withdraw your consent according to Art. 7 (3) GDPR. Please keep in mind that your withdrawal only affects future processing based on your consent.
As far as the personal data is processed for the purpose of our legitimate interest according to Art. 6 (1) lit. f GDPR, you have the right to object according to Art. 21 GDPR. You can find further information regarding your right to object at the end of this Privacy Policy.
To exercise the aforementioned rights, you can contact us, in particular via email under ONDUS_UK@GROHE.com. To facilitate the processing of your request, it is helpful if you indicate in your communication where you were in contact with us (e.g. in which country and under which circumstances). Please note that we may require you to present proof of identity to verify your eligibility to exercise these rights.
If you are of the opinion that the processing of your personal data is unlawful, you have the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR). This right to complain is without any prejudice to any other administrative or judicial remedy.

Information about your right to object in accordance with Art. 21 General Data Protection Regulation (GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you on the basis of Art. 6 (1) lit. f GDPR (processing of personal Data based on a balancing of interests); this includes profiling based on those provisions (Art. 4 No. 4 GDPR).
Should you decide to object to the processing, we will stop processing personal data concerning you, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the purpose of establishment, exercise or defence of legal claims.
You also have the right to object at any time to processing of personal data concerning you for the purpose of advertising; this also applies to profiling insofar as it is associated with advertising.
Should you decide to object to the processing for advertising purposes, we will stop processing personal data concerning you for these purposes.
The objection is not subject to any form. Ideally, it should be lodged via email at the bodies mentioned in Section H.