Privacy Policy - Kasa Smart Home
Last Updated on: Sep 19, 2022.
TP-Link Corporation Limited (collectively, “TP-Link,” “we,” “us,” or “our”) takes your privacy seriously. We abide by applicable privacy laws and regulations to protect your personal data. Accordingly, we developed this privacy policy (“Policy”) in order for you to understand what types of personal data we collect, how we use it, why we need to process your personal data, who we share it with, when and how we destroy it, what rights you have concerning your personal data, and what measures we take to protect it.
TP-Link Corporation Limited is the controller (i.e., we are responsible for, and control the processing of, your personal data) with regard to the data processing activities described herein. If you have any questions or concerns, please feel free to contact our Data Protection Officer at privacy@tp-link.com. We also have appointed an EU representative, whom you can contact at privacy@tp-link.com.
TP-Link provides:
(1) TP-Link hardware products (“Products”), (2) website(s) that may be accessed at https://www.tp-link.com and https://www.kasasmart.com (“Site”), (3) services, including technical support and services accessible through the Site(s) (“Web Apps”), (4) software that may be downloaded to your smartphone or tablet to access services (“Mobile Apps” such as Kasa), and (5) subscription services, including services that can be accessed using the Web Apps and Mobile Apps (“Subscription Services”). The term “Services” means the Sites, Web Apps, Mobile Apps, and Subscription Services, which may be used in conjunction with Products and in other ways provided by TP-Link. Some Products and Services of TP-Link can be used together or in ways that integrate with products and services from third parties.
1. CHANGES TO OUR PRIVACY POLICY
This Policy may change at any time as we improve and change our Products/Services. We may notify you by placing a prominent notice on our Products/Services. You should check the Products/Services frequently for updates. If you do not agree with the terms of the updated Policy, you must stop using the Products/Services.
2. SOURCES AND CATEGORIES OF PERSONAL DATA WE COLLECT
We collect personal data to the minimum scope which is necessary for the provision of our Products/Services. The personal data we collect may be freely provided by you, received from third parties under your authorization, or, in case of usage data, collected automatically when using our Products/Services.
2.1 Personal Data You Knowingly Provide to Us
When you register or update your Kasa account, we collect or process your TP-Link ID, location, user avatar, user nickname, user country code, user mobile phone identifier, etc.
When you enable device binding, we collect or process your TP-Link ID, device identifier and credentials, user personalized settings (such as device avatar, device family management, etc.).
When you subscribe to Kasacare through the website, we collect or process your user name, user address (including zip code), order data (including third-party platform transaction ID, third-party platform subscription ID, third-party purchase certificate, etc.), billing data (including purchase amount, commodity information, etc.). We only collect or process order data (including third-party platform transaction ID, third-party platform subscription ID, third-party purchase certificate, etc.), billing data (including purchase amount, commodity information, etc.) if your Kasa is subscribed through in-app purchase.
When you join our User Experience Improvement Program, we collect and process general information about your mobile phone, including IMEI number (MEID number), system version number, SDK version number, system information, etc. and the usage status of the product functions based on your consent. If you wish to withdraw your consent, please go to Section 8 7) Right to withdraw your consent. You can also disable the function in “Settings-About-User Experience Program”; disabling the function means you opt out of the program.
Note: TP-Link is not responsible for the privacy practices it does not own or otherwise control. Applicable privacy laws in your country/region may impose certain obligations on you and your use of cameras or cloud storage products. You are solely responsible for ensuring that you comply with the regulation in your country/region. Depending on your country/region, you may be required to inform your guest, visitor, client, etc. that you are using a camera to record audio and video. You may need to consider their privacy rights before sharing the video or clip that involves others.
2.2 Personal Data We Receive from Third Parties
Some third-party services that you choose to integrate with may transmit personal data into your account with us. You authorize that such “Third Party Information” is covered under this Policy and we may use it just as we use your personal data. This information may include but is not limited to, for example, account credentials, names, avatars, profile information, configuration information, images, and linked users (e.g., friends).
You may also voluntarily provide your personal data to us via third-party service providers that help us operate our Services.
2.3 Personal Data We Collect Automatically
When you use our Products/Services, we collect your usage data (such as user photo clicks, volume, video, voice, image quality switching, camera privacy mode, etc.) and device name.
When you report abnormal problems through the feedback function of Kasa App for the purpose of customer support, we collect your TP-Link ID, user nickname, user email address, user country code, user collection data (including mobile platform, platform version, etc.), device data (including device name, device logs, etc.).
For the purpose of marketing push, we collect, based on your consent, your associated device, App activity data, App function usage, device usage behavior data, etc. If you wish to withdraw your consent or object to the personalization of adverts and content, please go to Section 8 7) Right to withdraw your consent.
In addition, we may also request related access permissions for the execution of related functions and services in the case where you use our Products/Services, especially where you install and launch our Products/Services.
3. HOW WE USE PERSONAL DATA
We process your personal data for specific purposes and process only the personal data relevant for achieving that purpose. Depending on our relationship with you and the Products/Services that we are providing, we use collected personal data for the following purposes as assigned to the above description of the respective processing activity:
1) for provision, management and administration of Products/Services
2) for improvement and optimization of Products/Services and user experience
3) for customer support
4) for statistics and internal management
5) for security risk management
6) for compliance with legal obligations
7) for marketing offers
4. LEGAL BASIS FOR PROCESSING
We process personal data relating to you if one of the following applies:
1) necessary for entry into, or performance of, any contract(s) with you (Art 6(1)(b) of the GDPR). This applies to Section 3.1) for provision, management and administration of Products/Services; 3.3) for customer support.
2) necessary for the legitimate interests of us, where these are not overridden by your interests or fundamental rights and freedoms (Art 6(1)(f) of the GDPR). This applies to 3.4) for statistics and internal management; 3.5) for security risk management.
Note: Our legitimate interests include maintaining and administrating the Products/Services, providing the Products/Services to you, improving the content of our Products/Services, ensuring your account is adequately protected as well as compliance with any contractual, legal or regulatory obligations under any applicable law.
3) necessary for compliance with a legal obligation to which we are subject (Art 6(1)(c) of the GDPR). This applies to Section 3.6) for compliance with legal obligations.
4) in limited circumstances and to the extent the legal bases for processing set out above do not apply, processed with your consent (Art 6(1)(a) of the GDPR). This applies to Section 3.2) for improvement and optimization of Products/Services and user experience; 3.7) for marketing offers.
5. SHARING YOUR PERSONAL DATA
In order to provide you with more convenient and prompt services, we share your personal data with our partners and entrust other companies with such tasks. We share your personal data with third-party service providers provided these third parties assume confidentiality obligations regarding your personal data collected. We have concluded related data processing agreements as required in accordance with applicable data protection laws, with such third-party service providers.
5.1 Authorized Partners
We may share the information we collect about you with our authorized partners. We only share aggregated statistical data reflecting user subscription and functionality of our Products/Services.
5.2 Service Providers and Other Third-Parties
We have engaged:
1) Google Assistant, Alexa, SmartThings, IFTTT, Brilliant, virtual assistant management technology service providers, to provide device discovery, device management, device control, and live view services for platform users. We provide account credentials, device list, device alias, and the camera's live broadcast data which can be viewed via third-party players to such third parties based on your consent. If you wish to withdraw your consent, please go to Section 8 7) Right to withdraw your consent. We suggest you check the privacy policy of Google Assistant, Alexa, SmartThings, IFTTT, Brilliant.
2) Stripe, PayPal and Recurly, third-party payment channels to provide web payment services for platform users. We provide your email address, nationality and address to such third parties. We suggest you check the privacy policy of Stripe, PayPal and Recurly.
3) Google Play and App Store, application distribution platforms and payment channels, to provide payment services and distribute applications to platform users.
4) Google Firebase, third-party SDK, for the purpose of App feedback function. We provide your TP-Link ID, user nickname, user email address, user country code, user collection data (including mobile platform, platform version, etc.), Kasa device data (including device name, device logs, etc.). We suggest you check the privacy policy of Firebase.
5) AWS as our cloud storage and computing service provider. We suggest you check the privacy policy of AWS.
6) OhmConnect, energy saving project platform, for the energy consumption statistics. We provide account credentials, device list, device status, device alias and device usage power data to OhmConnect.
5.3 Change of Control
TP-Link may elect to buy or sell assets. When buying or selling assets, customer information may be one of the assets that is transferred. Personal and non-personal data may also be transferred or acquired by a third-party in the event that TP-Link is acquired, enters bankruptcy, or goes through some other change of control, as far as and to the extent permitted by applicable laws.
5.4 Legal and Law Enforcement
Please be advised that we may disclose information that you have provided us if we have a good faith belief that such disclosure is necessary to comply with the law or legal process served on us; or protect and defend the rights and property of TP-Link or others. In any event, we will disclose information only in accordance with applicable regulations.
6. CROSS-BORDER TRANSFER OF PERSONAL DATA
Generally, we will process your personal data in the country/region where we conduct business or provide our Products/Services. However, as part of the Products/Services offered to you, the personal data which you provide to us may be transferred to countries outside the European Union (e.g., Singapore and the United States). For example, this may happen if any of our servers are, from time to time, located in a country outside the EU. These countries may not have similar data protection laws as the EU. We will however take all necessary measures to protect your personal data in accordance with applicable law.
In particular,
1) if your personal data is transferred to countries/territories with adequacy decision (e.g., Japan), the cross-border transfer is subject to the mechanism of an adequacy decision. (Art 45 of the GDPR)
2) if your personal data is transferred to other countries/territories, we will evaluate the ability of personal data protection and network security safeguards and take measures from the catalogue set out in Art 46(2) of the GDPR.
You can obtain copies of the applicable safeguards from us by sending a respective request to the contact details outlined below.
7. SECURITY
We have implemented measures, including encryption and TLS technology, designed to secure your personal data from accidental loss and from unauthorized access, use, alteration, and disclosure. In addition, we restrict the number of staff in charge who have access to your personal data to the minimum level and frequently conduct training and education so that they comply with the confidentiality obligations with respect to your personal data.
Your account’s privacy and security is protected by your password. In order to prevent unauthorized access to your account and personal data, you should select a strong password and protect it by limiting access to your computer, device, browser or application and by signing off after you have finished accessing your account. If you use a third-party service to sign into your account, you should protect that account accordingly as well.
While we strive to always protect the privacy of your account and personal data in our records, we cannot always guarantee it will be completely secure. The security of your personal data may be compromised by unauthorized entry, unauthorized use, hardware failure, software failure, and other factors at any time.
8. YOUR RIGHTS
You have the right to request: access to your data, data portability, erasure of your data, the rectification of any errors, to place restrictions on processing and you can also object to the processing of your data. Where you have given consent to any data processing, you have the right to withdraw that consent at any time. If you would like to exercise any of the following rights, please contact us at privacy@tp-link.com. You can also request account information and data deletion at https://account-delete.tplinkcloud.com/. We will not do anything with your data not outlined in this Policy.
1) Right of access
According to Art 15 of the GDPR, you have the right to receive information about your personal data processed by us upon request.
2) Right to rectification
According to Art 16 of the GDPR, you have the right to correct your personal data if it is incorrect.
3) Right to erasure
According to Art 17 of the GDPR, you have the right to obtain from us, under the following conditions, the deletion of your personal data:
a) the respective processing purpose has been achieved;
b) we have unlawfully processed your personal data;
c) you have withdrawn your consent without another legal basis applying to the data processing;
d) you have successfully objected to the data processing;
e) in cases where there is an obligation to delete personal data on the basis of EU law or the law of an EU member state to which we are subject; or
f) the personal data have been collected in relation to the offer of information society services referred to in Art 8(1) of the GDPR.
4) Right to restriction of processing
According to Art 18 of the GDPR, you have the right to request us to process your personal data only to a restricted extent under the following conditions:
a) the accuracy of your personal data is contested;
b) you request limited processing instead of deletion under the conditions of a justified right of erasure;
c) the data is no longer required for the purposes pursued by us, but you need the data to assert, exercise or defend legal claims; or
d) the success of an objection is still disputed.
5) Right to data portability
According to Art 20 of the GDPR, you have the right to receive from us personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, as well as the right to request us to forward this personal data to another controller under the following conditions:
a) the data processing is based on consent (Art 6(1)(a) of the GDPR) or the contract (Art 6(1)(b) of the GDPR); or
b) the processing is carried out by automated means.
6) Right to object
According to Art 21 of the GDPR, you have the right to object to the processing of your personal data. If you object, we will no longer process your personal data unless we can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims on our part.
7) Right to withdraw your consent
According to Art 7(3) of the GDPR, you have the right to withdraw consent given to us at any time. As a result, we are no longer allowed to continue the processing based on this consent in the future. This does not affect the legality of the processing carried out on the basis of the consent up to the point of withdrawal. At any time, you may withdraw your consent:
a) on the page “Settings-Privacy”;
b) by activating “Limit Ad Tracking” on Apple telephones or activating “Opt-out of Ads Personalization” on Android telephones to object to the personalization of advertisements; or
c) by contacting us at privacy@tp-link.com.
Specifically, TP-Link gives you choices in how you receive a variety of information that complements our Products/Services. You can also contact us to change your privacy preferences. For example, you can control how and when you want to receive notifications from us by following instructions within the notices (e.g., clicking on “unsubscribe” at the bottom of notification emails). You may not opt-out of administrative emails for your registered account (e.g., emails about your transactions, policy changes, forgot password and confirmation emails).
With simple controls in apps and Web management page's 'Privacy settings', you can turn on or off different types of information collection, such as TP-Link Cloud services and Kasa usage stats in Kasa App. Please note that some features may not function with certain privacy settings turned off, and some information (such as the association of your TP-Link Cloud account to your Kasa) is stored by TP-Link even if all privacy controls are turned off.
8) Complaints
In addition, you have the right to file a complaint with a data protection authority on our collecting and processing of your personal data. Please see this directory https://edpb.europa.eu/about-edpb/board/members_en for more details with regard to the local data protection authorities.
9. COOKIES AND SIMILAR TECHNOLOGIES
We will transfer "Cookies" to your device when you subscribe to Kasacare services or interact with our support center. These Cookies allow us to recognize your device and browser and keep track of how you interact with our Products/Services. We only use cookies and similar tracking technologies with your consent except for the cookies or tracking technologies strictly necessary for the operation or use of our Products/Services.
10. CHILDREN’S PRIVACY
The Products/Services are directed to a general audience and are not intended for children under the age of 13. We do not knowingly collect personal data via our website or online services from users in this age group. We do not guarantee that our websites are suitable for children. If you believe your child has provided personal data to us, please contact us via the email listed in Section 13 below.
11. RETENTION PERIODS
Your data will be held in accordance with the Company’s retention policy, which is available on request via the email listed in Section 13 below. We only process and store your personal data for as long as required by the purposes they have been collected for, until you object to the use of your personal data in case of the legitimate interest being the legal basis for processing (Art 6(1)(f) of the GDPR) or until you withdraw your consent (Art 6(1)(a) of the GDPR).
In general, we will store your personal data during your use of our products or services, unless the retention of your personal data is necessary to meet legal or regulatory requirements, especially to comply with commercial and tax retention obligations, to resolve potential disputes or to preserve evidence within the scope of the statutory limitation provisions. Should this be the case, we will retain the personal data concerned until the end of the respective statutory period.
Thereafter, your personal data will be securely deleted or destroyed. Personal data stored in an electronic file format will be erased by a technical tool which prevents the recovery of the information. Personal data printed in a paper record, print media or a document is destroyed into scrap.
12. DIRECT MARKETING
Information relating to you will be used to notify you by post, email or other electronic means of our services and those of our group companies and third party business partners, in particular [identify/specify] in which we believe you may be interested. You can withdraw your consent to use of personal data for marketing at any time by contacting us at privacy@tp-link.com.
13. CONTACT US
If you have any questions that this policy could not answer, or if you require further information on a particular point, please do not hesitate to contact us at any time. You can reach our Data Protection Officer at privacy@tp-link.com or at:
TP-Link Corporation Limited
Room 901, 9/F., New East Ocean Centre, 9 Science Museum Road, Tsim Sha Tsui, Kowloon, Hong Kong