ViGuide Privacy Policy

We, Viessmann Werke GmbH & Co. KG (hereafter referred to as "Viessmann" or "we"), as part of the Viessmann Group, take the protection of your personal data very seriously and strictly adhere to the currently applicable data protection regulations. These primarily include the General Data Protection Regulation (hereafter: "GDPR"), Regulation (EU) 2016/679 of the European Parliament and of the Council.

This Policy provides an overview of how we assure data protection with the ViGuide application, what type of data is collected for what purpose, and the legal basis behind its collection and processing.

Responsible body/data controller as defined by the German Federal Data Protection Act/GDPR:

Viessmann Werke GmbH & Co. KG
Viessmannstrasse 1
35108 Allendorf (Eder)
Germany

Telephone: +49 6452 70-0
Fax: +49 6452 70-2780
Email: info@viessmann.com

This Privacy Policy applies solely to the ViGuide application ("apps" or, if only one is being referred to, "app"). Apps from Viessmann may include links to the websites of other suppliers, but this Privacy Policy does not cover such sites.

The collection, transfer, storage, processing and other use of personal data will be collectively referred to hereafter as "processing".

The Viessmann Group are companies affiliated with Viessmann Werke GmbH & Co. KG. They are those over which we can assert a decisive influence.

Personal data is data by which you can be personally identified or other related data.

The following companies carry out work for us, Viessmann Werke GmbH & Co. KG:

• Viessmann Deutschland GmbH for sales purposes and marketing
• VC/O GmbH for the operation of the websites and apps as well as marketing
• Viessmann IT Service GmbH for the operation of the backend systems

The data collected can be processed by other companies belonging to the Viessmann Group or passed on to them if:

• you have been informed of this and have expressly consented to it elsewhere (e.g. message in the app),
• it is necessary for specific purposes and the division of labour within the Viessmann Group; corresponding contractual agreements have been concluded within the Viessmann Group for this,
• the data has been provided having already been pseudonymised by the responsible body/data controller, who guarantees that the Group company tasked with processing cannot reverse this process, or
• the data has been saved in anonymous form by the responsible body/data controller and the data saved in this manner is no longer subject to the data protection regulations.

The data collected by the apps or entered by you whilst using the apps is used by us for the purposes explained in this Privacy Policy. The only exception to this is when you have given your express consent. Any consent you have given relating to data protection can be withdrawn at any time with future effect. You can withdraw your consent at any time by sending an email to datenschutz@viessmann.de.

Stored personal data is erased if you withdraw your consent to its storage, if the data is no longer required in order to fulfil the purpose intended by its storage, or if its storage is not permissible for other legal reasons. Where stipulated by a statutory retention period, data is not erased, but is blocked for further use. The legal basis for this is sentence 1, point (c) of Art. 6(1) GDPR. Anonymised data is not necessarily erased.

The companies of the Viessmann Group process/transfer the data provided by you in/to locations in Germany, the European Union and third countries (including the USA) that have an appropriate level of data protection as per Art. 45 GDPR or that provide suitable guarantees per Art. 46 GDPR.

We automatically process data in "server log files", which the apps transfer to our servers. The following data is automatically saved in server log files:

• Operating system used by the mobile device
• The IP address of your mobile device
• Time of the server request
• Device ID of the mobile device

This is necessary for the technical operation of the apps and for the purpose of making all the functions of the apps available. The legal basis for this is sentence 1, point (b) of Art. 6(1) GDPR.

Furthermore, personal data in the server log files is processed on the basis of point (f) of Art. 6(1) GDPR. This permission allows the processing of personal data within the scope of the "legitimate interest" of the data controller, unless overridden by your fundamental rights, freedoms or interests. Our legitimate interest is to facilitate administration and be able to detect and track hacking. You can object to this data processing at any time if there are reasons which exist in your particular situation and which make data processing inadvisable. All you need to do is send an email to the data protection officer. Our legitimate interest follows from the purposes listed above for the collection of data. Under no circumstances do we use the data collected for the purpose of drawing conclusions about you as an individual.

The server log files with the aforementioned data are automatically erased after 30 days or, in the case of usage for statistical purposes, are anonymised. We reserve the right to store the server log files for longer if facts are known which imply unauthorised access has been attempted (such as a hacking attempt or a DDoS attack).

The purpose of the apps is to commission a heat generator from Viessmann.

1. As soon as a heat generator has been activated with your app via the corresponding communication component, its initial configuration and operating data (summarised as "heating data") are processed within the app. The app reads the data and makes it available, along with functions based on this data. The legal basis for this is sentence 1, point (b) of Art. 6(1) GDPR.

2. The data is used to provide the app functions, generate push notifications (e.g. messages, maintenance, faults), increase system operational reliability, improve system efficiency and rectify faults. For the purpose of operating the app, the data is processed by the app itself and only locally for Viessmann Werke GmbH & Co KG. The legal basis for this is sentence 1, point (b) of Art. 6(1) GDPR. The data is also used to improve service and system development. The legal basis for this is sentence 1, point (f) of Art. 6(1) GDPR. Our legitimate interest is to improve service and system development.

3. Data is used and may be transferred in fully anonymised form for the purpose of increasing system operational reliability, improving system efficiency, rectifying faults and improving service and system development by other companies in the Viessmann Group and third party companies. Anonymised means that it is not possible for third parties or Viessmann to identify individuals on the basis of system data, and individuals cannot be subsequently identified either. Personal data (such as names, addresses, system users) are not transferred.

Within the apps, Viessmann uses an analysis tool called Firebase from Google in order to analyse the way you use the apps. The data provided and used is collected and stored completely anonymously. Following complete anonymisation, this data is stored in the USA. Google LLC is registered under the Privacy Shield. The legal basis for this is point (f) of Art. 6(1) GDPR. Our legitimate interest is to analyse the use of our apps and to improve and develop them further. You can prevent the data generated by the cookie and relating to your use of the website (including your IP address) being transferred to Google, as well as its processing by Google, by downloading and installing the browser plug-in available via the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

Viessmann uses Google's Fabric developer tool in the apps to evaluate usability and user interaction within the app. The data provided and used is collected and stored completely anonymously. Google LLC is registered under the Privacy Shield. The legal basis for this is point (f) of Art. 6(1) GDPR. The use of Fabric is based on the legitimate interest (analysis, further development, improvement, optimisation, security) of ViCare and is used for the continuous improvement of the mobile application and associated services. ViCare uses the Crashlytics tool to evaluate interaction. This provides information on the use of the app as well as useful information on unforeseen crashes or other malfunctions of the application, and helps Viessmann to rectify any errors. You can prevent the data generated by cookies and relating to your use of the website being transferred to Google, as well as its processing by Google.

The apps use cookies, which are text files that are created for authentication each time a user logs in, are saved on the mobile device, and are erased again when the user logs out of their account. The legal basis for this is point (b) of Art. 6(1) GDPR; data processing is necessary for the implementation of the contract with you.

This part of the Privacy Policy provides additional information for exercising your rights, as the data subject, against us. Exercising your rights, e.g. to erasure or restriction of processing, can result in restricted app functionality or even to the app becoming unusable.

In order to comply with the rights of data subjects in accordance with the GDPR, it may be necessary for us to request further information to verify your identity, in cases of personal data collected on the basis of contractual relationships, on a random basis or in the event of justifiable doubt. This can occur in particular if there is a request for information in electronic form, but where the sender's information does not allow any inference to a natural person as the data subject.

• as per Art. 15 GDPR, to access information about the personal data related to you and processed by us. In particular, you can access information about the purposes of processing, the category of the personal data, the categories of recipients to whom your data has been or will be disclosed, the intended time for which it will be stored, the existence of a right to rectification, erasure, restriction of processing and a right to object, the existence of a right to complain, the origin of your data insofar as this was not collected by us, as well as the existence of an automated decision making system including profiling and potentially meaningful information pertaining to the details;
• as per Art. 16 GDPR, to request the immediate rectification of incorrect or incomplete personal data pertaining to you and stored by us;
• as per Art. 17 GDPR, to request the erasure of your personal data stored by us, insofar as its processing is not required to exercise the right of free speech and freedom of information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
• as per Art. 18 GDPR, to request the restriction of processing of your personal data, insofar as the correctness of the data is contested by you, the processing is unlawful but you refuse its erasure, and we no longer require the data but you need it to assert, exercise or defend legal claims, or you have objected to the processing of your data as per Art. 21 GDPR;
• as per Art. 20 GDPR, to receive the personal data that you have provided to us in a structured, current and machine-readable format or to request that it be transferred to another data controller;

To exercise these rights, please contact:

Data protection officer for the Viessmann Group
Viessmannstrasse 1
35108 Allendorf (Eder)
Germany
Tel: +49 6452 70-0
Fax: +49 6452 70-2780
Email: datenschutz@viessmann.com

• as per Art. 7(3) GDPR, to withdraw the consent that you had previously given us. This will result in us no longer being permitted to carry out data processing affected by this consent in the future;

You can withdraw your consent by emailing:

widerruf@viessmann.com

• as per Art. 77 GDPR, to complain to a supervisory authority. In general, you can apply to the supervisory authority associated with your domicile, the head office of the partner company or the head office of the Viessmann company.

Responsible supervisory authority
Der Hessische Datenschutzbeauftragte
Postfach 3163
65021 Wiesbaden
Germany
Tel: +49 611 1408-0
Fax: +49 611 1408-900
Email: poststelle@datenschutz.hessen.de

Your trust is important to us. We are therefore keen to be accountable to you at all times regarding the handling of your personal data. If you have any questions which have not been answered in this Privacy Policy, or if you would like further information about any particular point, please contact us at:

Contact details of the data protection officer:

Data protection officer for the Viessmann Group
Viessmannstrasse 1
35108 Allendorf (Eder)
Germany
Telephone: +49 6452 70-0
Fax: +49 6452 70-2780
Email: datenschutz@viessmann.com

Responsible supervisory authority
Der Hessische Datenschutzbeauftragte
3163
65021 Wiesbaden
Germany
Tel: +49 611 1408-0
Fax: +49 611 1408-900
Email: poststelle@datenschutz.hessen.de

We endeavour to make use of all available technical and organisational options to store your personal data in such a way that it is not accessible to third parties. In communication via email, we cannot guarantee full data security, and therefore recommend you send confidential information by post.