Privacy Policy - Kasa Smart Home
Last Updated: May 15, 2023
TP-Link Corporation Limited (collectively, “TP-Link,” “we,” “us,” or “our”) takes your privacy seriously. We abide by applicable privacy laws and regulations to protect your personal data. Accordingly, we developed this privacy policy (“Policy”) in order for you to understand what types of personal data we collect, how we use it, for what reason we need to process your personal data, who we share it with, when and how we destroy it, what rights you have concerning your personal data and what measures we take to protect it.
TP-Link Corporation Limited is the controller (i.e., we are responsible for, and control the processing of, your personal data) with regard to the data processing activities described herein. If you have any questions or concerns, please feel free to contact our Data Protection Officer at privacy@tp-link.com.
TP-Link provides:
(1) TP-Link hardware products (“Products”), (2) website(s) that may be accessed at https://www.tp-link.com and https://www.kasasmart.com (“Site”), (3) services, including technical support and services accessible through the Site(s) (“Web Apps”), (4) software that may be downloaded to your smartphone or tablet to access services (“Mobile Apps” such as Kasa), and (5) subscription services, including services that can be accessed using the Web Apps and Mobile Apps (“Subscription Services”). The term “Services” means the Sites, Web Apps, Mobile Apps, and Subscription Services, which may be used in conjunction with Products and in other ways provided by TP-Link. Some Products and Services of TP-Link can be used together or in ways that integrate with products and services from third parties.
1. CHANGES TO OUR PRIVACY POLICY
This Policy may change at any time as we improve and change our Products/Services. We may notify you by placing a prominent notice on our Products/Services. You should check the Products/Services frequently for updates. If you do not agree with the terms of the updated Policy, you must stop using the Products/Services.
2. SOURCES AND CATEGORIES OF PERSONAL DATA WE COLLECT
We collect personal data to the minimum scope which is necessary for the provision of our Products/Services. The personal data we collect may be freely provided by you, received from third parties under your authorization, or, in case of usage data, collected automatically when using our Products/Services.
2.1 Personal Data You Knowingly Provide to Us
When you register or update your Kasa account, we collect or process your TP-Link ID, location, user avatar, user nickname, user country code, user mobile phone identifier, etc.
When you enable device binding, we collect or process your TP-Link ID, device identifier and credentials, user personalized settings (such as device avatar, device family management, etc.).
When you enable Geofencing Smart Action, we collect or process your precise location (longitude and latitude) and map position settings.
When you subscribe to KasaCare through the website, we collect or process your user name, user address (including zip code), order data (including third-party platform transaction ID, third-party platform subscription ID, third-party purchase certificate, etc.), billing data (including purchase amount, commodity information, etc.). We only collect or process order data (including third-party platform transaction ID, third-party platform subscription ID, third-party purchase certificate, etc.), billing data (including purchase amount, commodity information, etc.) if your Kasa is subscribed through in-app purchase.
When you join our User Experience Improvement Program, we collect and process your general information of the mobile phone, including IMEI number (MEID number), system version number, SDK version number, system information, etc. and the usage status of the product functions based on your consent. If you wish to withdraw your consent, please go to Section 8 7) Right to withdraw your consent. You can also disable the function in “Settings-About-User Experience Program”, disabling the function means you opt out of the program.
Note: TP-Link is not responsible for the privacy practices it does not own or otherwise control. Applicable privacy laws in your country/region may impose certain obligations on you and your use of cameras or cloud storage products. You are solely responsible for ensuring that you comply with the regulation in your country/region. Depending on your country/region, you may be required to inform your guest, visitor, client, etc. that you are using a camera to record audio and video. You may need to consider their privacy rights before sharing the video or clip that involves others.
2.2 Personal Data We Receive from Third Parties
Some third-party services that you choose to integrate with may transmit personal data into your account with us. You authorize that such “Third Party Information” is covered under this Policy and we may use it just as we use your personal data. This information may include but is not limited to, for example, account credentials, names, avatars, profile information, configuration information, images, and linked users (e.g., friends).
You may also voluntarily provide your personal data to us via third-party service providers that help us operate our Services.
2.3 Personal Data We Collect Automatically
When using our Products/Services, we collect your usage data (such as user photo clicks, volume, video, voice, image quality switching, camera privacy mode, etc.), device name.
When you report abnormal problems through the feedback function of Kasa App for the purpose of customer support, we collect your TP-Link ID, user nickname, user email address, user country code, user collection data (including mobile platform, platform version, etc.), device data (including device name, device logs, etc.).
For the purpose of marketing push, we collect, based on your consent, your associated device, App activity data, App function usage, device usage behavior data, etc. If you wish to withdraw your consent or object to the personalization of adverts and content, please go to Section 8 7) Right to withdraw your consent.
In addition, we may also request related access permissions for the execution of related functions and services in the case where you use our Products/Services, especially where you install and launch our Products/Services.
3. HOW WE USE PERSONAL DATA
We process your personal data for specific purposes and process only the personal data relevant for achieving that purpose. Depending on our relationship with you and the Products/Services that we are providing, we use collected personal data for the following purposes as assigned to the above description of the respective processing activity:
- for provision, management and administration of Products/Services
- for improvement and optimization of Products/Services and user experience
- for customer support
- for statistics and internal management
- for security risk management
- for compliance with legal obligations
- for marketing offers
4. LEGAL BASIS FOR PROCESSING
We process personal data relating to you if one of the following applies:
- necessary for entry into, or performance of, any contract(s). This means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. This applies to Section 3.1) for provision, management and administration of Products/Services; 3.3) for customer support.
- for the legitimate interests of us, where these are not overridden by your interests or fundamental rights and freedoms. This applies to 3.4) for statistics and internal management; 3.5) for security risk management.
- Note: Our legitimate interests include maintaining and administrating the Products/Services, providing the Products/Services to you, improving the content of our Products/Services, ensuring your account is adequately protected as well as compliance with any contractual, legal or regulatory obligations under any applicable law. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
- necessary for compliance with a legal obligation to which we are subject. This means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to. This applies to Section 3.6) for compliance with legal obligations.
- to the extent the legal bases for processing set out above do not apply, processed with your consent. This means processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us. This applies to Section 3.2) for improvement and optimization of Products/Services and user experience; 3.7) for marketing offers.
5. SHARING YOUR PERSONAL DATA
In order to provide you with more convenient and prompt services, we share your personal data with our partners and entrust other companies with such tasks. We share your personal data with third-party service providers provided these third parties assume confidentiality obligations regarding your personal data collected. We have concluded related data processing agreements as required in accordance with applicable data protection laws, with such third-party service providers.
5.1 Authorized Partners
We may share the information we collect about you with our authorized partners. We only share aggregated statistic data reflecting user subscription and functionality of our Products/Services.
5.2 Service Providers and Other Third-Parties
We have engaged:
- Google Assistant, Alexa, SmartThings, IFTTT, Brilliant, virtual assistant management technology service providers, to provide device discovery, device management, device control, and live view services for platform users. We provide account credentials, device list, device alias, and the camera's live broadcast data which can be viewed via third-party players to such third parties based on your consent. If you wish to withdraw your consent, please go to Section 8 7) Right to withdraw your consent. We suggest you check the privacy policy of Google Assistant, Alexa, SmartThings, IFTTT, Brilliant.
- Stripe, PayPal and Recurly, third-party payment channels, to provide web payment services for platform users. We provide your email address, nationality and address to such third parties. We suggest you check the privacy policy of Stripe, PayPal and Recurly.
- Google Play and App Store, application distribution platforms and payment channels, to provide payment services and distribute applications to platform users.
- Google Firebase, third-party SDK, for the purpose of App feedback function. We provide your TP-Link ID, user nickname, user email address, user country code, user collection data (including mobile platform, platform version, etc.), Kasa device data (including device name, device logs, etc.). We suggest you check the privacy policy of Firebase.
- AWS as our cloud storage and computing service provider. We suggest you check the privacy policy of AWS.
- OhmConnect, an energy saving project platform, for the energy consumption statistics. We provide account credentials, device list, device status, device alias and device usage power data to OhmConnect.
5.3 Change of Control
TP-Link may elect to buy or sell assets. When buying or selling assets, customer information may be one of the assets that is transferred. Personal and non-personal data may also be transferred or acquired by a third-party in the event that TP-Link is acquired, enters bankruptcy, or goes through some other change of control, as far as and to the extent permitted by applicable laws.
5.4 Legal and Law Enforcement
Please be advised that we may disclose information that you have provided us if we have a good faith belief that such disclosure is necessary to comply with the law or legal process served on us; or protect and defend the rights and property of TP-Link or others. In any event, we will disclose information only in accordance with applicable regulations.
6. CROSS-BORDER TRANSFER OF PERSONAL DATA
Generally, we will process your personal data in the country/region where we conduct business or provide our Products/Services. However, as part of the Products/Services offered to you, the personal data which you provide to us may be transferred to countries outside the UK (e.g., Singapore and the United States). For example, this may happen if any of our servers are, from time to time, located in a country outside the UK.
Whenever we transfer your personal data outside of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data (in accordance with Article 45 of the UK GDPR)
- Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK (in accordance with Article 46 of the UK GDPR)
- More general information on international transfers can be found here.
A comprehensive list of the recipients of your personal data and their locations can be found in section 5 above.
Please contact us at privacy@tp-link.com if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
7. SECURITY
We have implemented measures, including encryption and TLS technology, designed to secure your personal data from accidental loss and from unauthorized access, use, alteration, and disclosure. In addition, we restrict the number of staff with access to your personal data to the minimum level and frequently conduct training and education so that they comply with the confidentiality obligations with respect to your personal data.
Your account’s privacy and security is protected by your password. In order to prevent unauthorized access to your account and personal data, you should select a strong password and protect it by limiting access to your computer, device, browser or application and by signing off after you have finished accessing your account. If you use a third-party service to sign into your account, you should protect that account accordingly as well.
While we strive to always protect the privacy of your account and personal data in our records, we cannot always guarantee it will be completely secure. The security of your personal data may be compromised by unauthorized entry, unauthorized use, hardware failure, software failure, and other factors at any time.
Here are some best practices to protect your TP-Link ID account:
- Use complex passwords (a mixture of upper and lower case letters, numbers, symbols) when signing up.
- Use a unique password, different from those of your other website accounts, so that your account is not involved if one of them suffers a data breach.
- Change your passwords regularly.
- Use 2 Factor Authentication (2FA) if possible.
8. YOUR RIGHTS
You have the right to request: access to your data, data portability, erasure of your data, the rectification of any errors, to place restrictions on processing and you can also object to the processing of your data. Where you have given consent to any data processing, you have the right to withdraw that consent at any time. If you would like to exercise any of the following rights, please contact us at privacy@tp-link.com. You can also request account information and data deletion at https://account-delete.tplinkcloud.com/. We will not do anything with your data not outlined in this Policy.
1). Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
2). Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
3). Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you.
4). Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
5). Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data’s accuracy;
- Where our use of the data is unlawful but you do not want us to erase it;
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
6). Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
7). Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. You may withdraw your consent:
- in the page “Settings-Privacy”
- by activating “Limit Ad Tracking” on Apple telephones or activating “Opt-out of Ads Personalization” on Android telephones to object to the personalization of advertisements.
- by contacting us at privacy@tp-link.com
8). Complaints. In addition, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues.
9). No fee usually required. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
10). What we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
11). Time limit to respond. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
9. COOKIES AND SIMILAR TECHNOLOGIES
We will transfer "Cookies" to your device when you subscribe to KasaCare services or interact with our support center. These Cookies allow us to recognize your device and browser and keep track of how you interact with our Products/Services. We only use cookies and similar tracking technologies with your consent except for the cookies or tracking technologies strictly necessary for the operation or use of our Products/Services.
10. CHILDREN’S PRIVACY
The Products/Services are directed to a general audience and are not intended for children under the age of 16. We do not knowingly collect personal data via our website or online services from users in this age group. We do not guarantee that our websites are suitable for children. If you believe your child has provided personal data to us, please contact us.
11. RETENTION PERIODS
Your data will be held in accordance with the Company’s retention policy, which is available on request via the email listed in Section 13 below. We only process and store your personal data for as long as required by the purposes they have been collected for, until you object to the use of your personal data in case of the legitimate interest being the legal basis for processing (Art 6(1)(f) of the UK GDPR) or until you withdraw your consent (Art 6(1)(a) of the UK GDPR).
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Thereafter, your personal data will be securely deleted or destroyed. Personal data stored in an electronic file format will be erased by a technical tool which prevents the recovery of the information. Personal data printed in a paper record, print media or a document is destroyed into scrap.
12. DIRECT MARKETING
Information relating to you will be used to notify you by post, email or other electronic means of our services and those of our group companies and third party business partners, in particular those in which we believe you may be interested. You can withdraw your consent to use of personal data for marketing at any time by contacting us at privacy@tp-link.com.
13. CONTACT US
If you have any questions that this policy could not answer, or if you require further information on a particular point, please do not hesitate to contact us at any time. You can reach our Data Protection Officer at privacy@tp-link.com or at:
TP-Link Corporation Limited
Room 901, 9/F., New East Ocean Centre, 9 Science Museum Road, Tsim Sha Tsui, Kowloon, Hong Kong