Privacy Policy - Kasa Smart Home
This Privacy Policy ("Policy") by TP-Link Corporation Limited located at Suite 901, New East Ocean Centre, Tsim Sha Tsui, Hong Kong ("TP-Link", "we", "our") inform you about the personal data we collect when you use the Kasa Smart Home Devices and Services.
Below you will find information on how we use your personal data, for which purposes your personal data is used, with whom it is shared and what control and information rights you may have.
Kasa Smart Home
Kasa Smart Home is our product line for smart home devices. These devices include our Smart Home Routers, Kasa Cam, Smart Wi-Fi LED Bulbs, Smart Wi-Fi Plug, Smart Wi-Fi Light Switch and Range Extender + as well as future developments in the field of home automation (collectively "Devices"). The Devices are supported by the Kasa App and Kasa Care Services (collectively "Services").
Summary of Our Processing Activities
When you use our Devices and/or the Services we collect personal data. Personal data is any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, or an online identifier. In this section we will summarize how we collect data and what we do with it. You will find more detailed information under the indicated sections below.
-
When you use the Devices without setting up an account, no personal data will be processed. Please note that without account registration the use of our Devices and Services will be very limited.
-
In case you register a user account for one of our Services ("Kasa Account"), personal data will be processed in order to deliver such services.
-
Your personal data might be disclosed to third parties that are located outside your country of residence; potentially, different data protection standards may apply.
-
We have implemented appropriate safeguards to secure your personal data and retain your personal data only as long as necessary.
Processing Activities
Kasa Account Registration and Delivery of Services
In addition to the above, with regard to the registration of a Kasa Account and its subsequent use, we process:
-
Information (such as your name, user name and email address) that is provided by registration;
-
Information in connection with an account sign-in facility (e.g. log-in and password details);
-
Communications sent by you (e.g. via e-mail or website communication forms);
-
Device data (e.g. Device ID, MAC address, IP address)
-
Location data
-
Device/Service usage data (e.g. device activation (such as friendly name of device), motions of motion sensors);
-
Content data (e.g. audio and video recordings);
-
Payment information (e.g. credit card number).
The information which is necessary for the performance of the service is labelled accordingly. All further information is provided voluntarily.
We will process the personal data you provide to:
-
identify you at sign-in;
-
provide you with the Services and information which you request;
-
administer your Kasa Account;
-
communicate with you;
-
process payments.
For this, the legal basis is Art. 6 (1) b) GDPR.
Your personal data is, in the absence of exceptions within the specific services mentioned below, retained for as long as your Kasa Account is used. After deletion of your account, your personal data will be erased without undue delay. Statutory storage obligations or the need for legal actions that may arise from misconduct within the Services or payment problems can lead to a longer retention of your personal data. In this case, we will inform you accordingly.
Your credit card information entered within and linked to your Kasa Account may be processed for all Devices and/or Services due and payable.
Improvement of Our Devices/Services
We further might use your personal data in order to improve our Devices/Services. This might include all data under Section Kasa Account Registration and Delivery of Services above. Your personal data will be anonymized where possible.
For this, the legal basis is Art. 6 (1) f) GDPR. Our legitimate interest pursued is the state of the art development of our products in order to ensure safety and remain competitive.
Your personal data will be stored, for as long as this is necessary for the development of a respective improvement. Once completed your personal data will be deleted immediately.
Marketing
In case you have granted consent, we use your personal data for direct marketing purposes. Legal basis for this is Art. 6 (1) a) GDPR. You might revoke that consent at any time.
In order to provide you with our marketing services, we use The Rocket Science Group LLC d/b/a MailChimp, (Atlanta, GA, USA) as service provider for the processing on our behalf.
We will delete your personal data for marketing purposes, either, if you object to the processing of your data or withdraw the consent immediately.
Cookies
The Services use cookies in several cases. Cookies serve to make our offer more user-friendly, more effective, and safer. Cookies are small text files that are stored on your computer. This data does not contain information that we could allocate to a natural person.
Cookies do not harm your computer and do not contain any viruses. You can prevent the use of cookies by adjusting your browser settings. Please note that in this case you may not be able to fully utilize all functions of this website.
We use cookies in order to enhance your customer experience. Legal basis for this is Art. 6 (1) f) GDPR. Our legitimate interest pursued is the sale of further products and/or services to you.
Recipients of your Personal Data
We may transfer your personal data to third-parties, if this is required for the fulfilment of the Services. This is in particular the case, if third-party services form part of our Services. For the processing of your credit card and billing information your personal data is transferred to Recurly, Inc. (San Francisco, CA, USA) and Stripe, Inc. (San Francisco, CA, USA).
We further may engage third-party companies including companies from our corporate family and other individuals to perform services on our behalf (e.g., without limitation, software maintenance services, e-mail service providers, delivery services, database management, web analytics). These third parties may have access to your personal information. If they do, this access is provided so that they may perform these tasks on our behalf and they are not authorized by us to otherwise use or disclose your personal information, except to the extent required by law.
Other than that, your personal data is only shared with your prior consent (e.g. when using voice integration services of Google LLC or Amazon.com Inc (both US)).
Third-Party Services
Our Services and Devices can be used in combination with third-party services. We have no influence on the processing of personal data by such third-parties. For more information on the processing of your personal data, please confer their respective privacy policies.
Cross-Border Data Transfers
Your personal data will be transferred to other countries (including countries outside the EEA) which may have different data protection standards than your country of residence. Please note, that data processed in a foreign country may be subject to foreign laws and accessible to foreign governments, courts, law enforcement, and regulatory agencies. However, we take all measures necessary to keep up an adequate level of data protection also when sharing your personal data with such countries (e.g. conclusion of EU SCCs or selection of Privacy Shield certified service providers).
Security
We have implemented measures, including encryption and SSL technology, designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure.
Your account's privacy and security is protected by your password. In order to prevent unauthorized access to your account and personal information, you should select a strong password and protect it by limiting access to your computer, device, browser or application and by signing off after you have finished accessing your account. If you use a third-party service to sign into your account, you should protect that account accordingly as well.
While we strive to always protect the privacy of your account and personal information in our records, we cannot always guarantee it will be completely secure. The security of your personal information may be compromised by unauthorized entry, unauthorized use, hardware failure, software failure, and other factors at any time.
Data Retention
We strive to keep our processing activities with respect to your personal data as limited as possible. In the absence of specific retention periods set out in this Policy, your personal data will be retained only for as long as we need it to fulfil the purpose for which we have collected it and, if applicable, as long as required by statutory retention requirements. The retention periods of your audio and video recordings depends on the specific device and subscription plan.
Your Rights
You may receive information about your personal data that we store at any time, free of charge. You do not need to give reasons.
If personal data is inaccurate or no longer needed, you can also block, correct or delete such personal data.
In case the processing of your data is based on Art. 6 GDPR (Legitimate Interest, cf. above) for example in regard to direct marketing purposes, you have the right to object to the processing of your personal data. If the statutory requirements are met, you can also exercise your rights to restrict the processing and data transferability of your personal data.
You can revoke your consent to us at any time. As a result, we may not continue the processing based on this consent for the future without affecting the legality of the processing based on the consent until revocation. If you consider that the processing of your personal data is in breach of data protection rules, you may, without prejudice to administrative or judicial remedies, apply to a supervisory authority, in particular in the Member State in which you are established or in which the alleged infringement took place.
Our Data Protection Officer / Contact
If you have any questions that this policy could not answer, or if you require further information on a particular point, please do not hesitate to contact us at any time. You can reach our data protection officer by writing an e-mail to privacy.tpra@tp-link.com.