Seluxit Privacy Notice

We take security very seriously

Privacy

This is the Privacy Notice of Seluxit, founded on the basis of the General Data Protection Regulation (GDPR), with the purpose of informing you about, but not limited to, the type, scope and purpose of the collection, processing and use of personal data on our websites and through our products either by Seluxit or Seluxit stakeholders.
Managing, securely protecting, and enabling the secure sharing of data is a cornerstone feature in the products Seluxit offers by their design.

Products offered

Seluxit offers the following two products: (1) the Seluxit IoT Platform and (2) Wappsto (hereafter “Seluxit products”). These products are deployed in the same server environment and feature share a common architecture and resources. Furthermore, they share common traits with respect to the processing of data. Therefore we can present here a unified Privacy Notice, where differences between the two products in this regard is made clear in this document, where differences arise.

In addition to these two products, Seluxit has performed and will continue to perform other project-based work for customers, especially with regards to embedded systems development, where privacy concerns may also be relevant. In these instances, the handling of data will be generally consistent with the policy outlined in this document. Additional considerations may be handled independently in contractual arrangements between Seluxit, our clients, and project stakeholders.

Please also note that currently a general terms-of-service and terms-and-conditions for Seluxit products is currently under development. This means that both products are freely available as a preliminary offering and the user of these products accepts liability of their use. Any commercial usage of Seluxit products will require a set of contractual arrangements.

Seluxit Products and their Stakeholders

Seluxit products have multiple stakeholders that may influence the handling of data. The overall categories of stakeholder can be defined as follows: (1) Seluxit, as the producer and custodian of the Seluxit products, (2) developers (enterprises or individuals) using Seluxit products and potentially other products to create an application for others to use (i.e., end-users) (3) third-parties utilized by these developers towards these ends, and (4) end-users. Refer to the diagram below.

Seluxit 3rd Party Utilization

The Seluxit IoT Platform

The Seluxit IoT Platform is a backend software system that enables end-users to control connected devices based on applications constructed by developers and third-parties. This activity is usually to provide customers (i.e., end-users) of connected product manufacturers (i.e., developers) the ability to access to control these products. Several third-party vendors may use the Seluxit IoT Platform to help provide developers with this service to the end-users, including for example data analysts and app developers.

Wappsto

Wappsto is a data market with an integrated app store. Data generated by end-users’ connected devices and digital services can be shared and combined to create meaningful applications. Developers create web apps (called ‘wapps’ in Wappsto) which work with diverse third-parties devices and digital services (i.e., third-parties). Wapps can then be shared or sold on the Wappsto store. End-users then configure these wapps to use their own accounts to the corresponding third-party devices and services and have the option to share or sell the configuration and/or data generated by the use of these wapps.

What is personal data?

According to the GDPR personal data refers to “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

In this document we may refer to the data subject as “you”.

Non-personal data is anonymized or statistical data that allows for the relation to the data subject only at a significant effort in time, cost and workload.

What, when, and why is personal data collected?

Data Collected by Seluxit

Seluxit collects personal data insofar as it is required for the operation and support of Seluxit products. Seluxit sometimes collects personal data, as an offer to, and at the request of, visitors to Seluxit product websites, which is used for the purpose of sending informative email newsletter communication.

Email address (username) and password

Accounts for Seluxit’s aforementioned products (Seluxit products) are created by providing a working email address as well as assigning a password upon registration. This is all the personal data that Seluxit needs from users of Seluxit products (i.e., developers, end-users and third-parties) to provide in order to operate securely in authenticating the user of Seluxit products. Though this information is always required, and no other personal data needs to be provided by the user, other personal data may be collected either automatically (IP addresses) or manually (additional optional personal details). Refer to the sections below.

It should be noted that the email address need only be functional and does not necessarily have to be overtly indicative of the individual’s identity. For example, an email could itself come from a service allowing for an anonymous email without direct reference to a natural person.

Additional optional personal details

Additionally, it is an option to enter a limited amount of personal information, including name and phone number. This information can be provided in the event that the user wishes to allow themselves to be found as users on the Seluxit products. Currently, the functionality for sharing and searching through the register of users is not implemented but is planned for the near future.

IP Addresses and Cookies

IP addresses are usually considered personal data, even though it is not in all cases easy to ascertain the identity of an individual from an IP address. Seluxit treats IP addresses as personal data and Seluxit collects the IP addresses of the users of Seluxit products. IP addresses are also registered for the operation of Seluxit’s websites. Seluxit uses Google Analytics to analyze the behavior of visitors to Seluxit’s websites in order to improve Seluxit’s websites. Note that this means that using our website and agreeing to the use of cookies means that the personal data of your behavior on our site will be stored on servers in the United States. It is possible to opt out of the collection of your personal data to Google by downloading a browser add-on provided by Google (Google Analytics Opt-out). Furthermore, social media plugins (see below) utilize some cookies.

Social media plugins

Seluxit product websites use on certain pages social media plugins that allow you to directly share pages. Currently, this is for the blog articles under the menupoint ‘Blog’ on the main company website, seluxit.com. These plugins currently include Facebook, Twitter, Google + and LinkedIn. In each of these instances, the Seluxit website gathers your personal information as it may exist in any of these social media which you are logged into, or may desire to log into, in order to provide you the functionality of sharing a blog post directly. Certain information may be saved locally on the visitor's computer in the form of a cookie, but none of this information is stored on Seluxit’s servers.

Email Newsletters

Seluxit product websites may include forms with offers to sign up for receiving one-time mails or to receive periodic email newsletters. The information collected will include email addresses, as well as the names of the subscribers and may include fields with optional additional information that can be given to help our marketing department understand the needs and concerns of our potential investors and customers. These will always be clearly marked and visitors who give their emails for this purpose if it is a one-time or periodic newsletter. If a visitor receives a periodic newsletter, it will always be possible for the recipient to unsubscribe to the newsletter, at which point their information will be deleted from Seluxits records as well as, if applicable, email newsletter services. The personal data may be mediated by email newsletter services or may be handled directly from internal systems. We currently use Mail Chimp as an example of the former. Please refer to the Mail Chimp privacy policy for more information.

Credit Card Information

Seluxit intends to offer the option to pay by credit card in the future but does not currently do so. At this point, it will become optional for stakeholders of Seluxit products to save their credit card information. An automatic payment system will allow Seluxit to withdraw money based on the explicitly agreed upon terms-of-service (pending).

Email correspondence

Seluxit product stakeholders and other interested parties may send emails to Seluxit that contain personal data including the sender’s email address, name and home or office address.

Data Collected by Seluxit Products Stakeholders

Personal data may be collected from applications, devices or third-party APIs in conjunction with Seluxit products. The categories of data collected are dependent on the application, device or third-party API from which they originate and may, as the case may be, include special types of personal data.

Special types of personal data

Special types of personal data are information on a person’s racial or ethnic origin, political opinions, religious or philosophical convictions, union membership, health or sex life. Additionally, there are special considerations for handling of children’s personal data for individuals under the age of 16. The handling of these data is subject to specific legal restrictions. In this context, you may be asked by the Seluxit products stakeholders to provide your consent to the processing of these data, and their handling of this data will require your consent, consistent with GDPR regulations.

Seluxit Products Stakeholders Responsibilities

With regards to Seluxit products stakeholders, it is the responsibility of Seluxit product stakeholders to adhere to the relevant GDPR laws regarding the handling and processing of this data.

Though the responsibility lies on Seluxit product stakeholders, Seluxit will take certain measures to ensure their compliance. These measures will be in the form of user terms-and-conditions and developer terms-and-conditions documents which legally stipulate the legal requirements and obligations. In the case of Wappsto, Seluxit will also undertake audits of the Wappsto web apps (wapps) to ensure that no malicious wapps are distributed, including the improper handling of personal data.

Do we share the data?

Data Collected by Seluxit

Personal data is only shared at the behest of Seluxit products stakeholders. Seluxit will never use your personal data for marketing purposes, but reserves the right to use non-personal data content and statistics for marketing purposes.

Email address (username) and password

This information will never be shared with any other parties than the data subject.

Additional optional personal details

This information is planned to be shared internally with other users in Seluxit products, but if and only if the data subject explicitly states that they would like to make their information publicly available by marking a checkbox giving their consent. This information will never be made available by Seluxit to parties outside of the context of a confirmed user of Seluxit products. In Wappsto, this information may be publicly available insofar as the developer of a Wappsto web app (wapp) explicitly gives consent for their information to be made publicly available in the Wappsto store.

In the event that the data subject wishes to share their email, they must provide that information in the additional optional personal details.

IP Addresses and Cookies

IP addresses of users of Seluxit products will not be shared by Seluxit, though it is possible that Seluxit product stakeholders do. In these instances, they will be explicitly sharing their own personal data, or explicitly consenting to have their personal data shared.

Social media plugins

Information on website visitors’ personal information as it relates to the social media for which we provide functionality, will never be saved on Seluxit’s web servers, and will thus not be shared.

Credit Card Information

Credit card information that may in the future be stored on Seluxit’s servers will never be shared aside from providing the necessary functionality of communicating with the payment portal.

Email correspondence

Seluxit will never share personal information obtained through email correspondence between Seluxit and Seluxit product stakeholders. In the event that outside consultants could be interested in aspects of the email correspondence that has occurred between Seluxit and Seluxit products stakeholders, only non-personal, anonymized data will be used. This could include excerpts from the text of the mail, insofar as it does not reveal the identity of the data subject. This could be for various purposes including, but not restricted to supporting the Seluxit products stakeholder with issues they have in the use of Seluxit products. The purpose of sharing of anonymized data could also be for promotional purposes.

Data Collected by Seluxit Products Stakeholders

Seluxit products stakeholders may, as an aspect of the usage of Seluxit products, share personal data they collect. Consent must be given from the data subject with regards to the nature of the personal data handling. Stakeholders that use Seluxit products which collect and potentially share personal data will be obliged to make the terms of the sharing of data explicit for the data subjects, consistent with GDPR regulations.

Right to export your personal data

Because the scope of the personal data that Seluxit products use is so limited, the personal data can be manually extracted by the data subject. Password and credit card information will not be exported as there is no reason to justify this transference, nor will it be possible to decipher the hashed, encrypted values without personal keys programmed into Seluxit products. IP addresses can easily be ascertained by other means (e.g., Whats my ip), and there is thus no need to export this data.

With regards to Seluxit products stakeholders, applications created that collect personal data will be obliged to enable the export of personal data insofar as the GDPR regulation stipulates.

How do we protect the data?

Transference of data

Transference of data from devices into the Seluxit IoT Platform requires the existence of Seluxit issued (self-signed) SSL certificates that the server recognizes as legitimate using a private and public key pairing. Note that Seluxit cannot prevent hacking into the hardware to obtain the certificate on the device. In this case, however, the scope of the breach is still limited to the individual product.

Transference of data from a front-end user interface involves trust from Seluxit’s side, which is established based on the encrypted transference of the user’s username and password. The client trusts Seluxit based on SSL certificates issued by the service “Let’s Encrypt” which mediates the authentication. As with the connection with devices into Seluxit products, the scope of potential security breaches is limited to the individual user in this case.

Storing of data

A consideration of the securing of stored data can be considered in three layers: getting into the system, accessing the data in the system, and reading the data in the system.

Data is stored on Seluxit’s hosting partner’s equipment, Hetzner. Security of the data on the servers that Seluxit uses is state-of-the-art. Seluxit may use additional server partners in the futures that also meet the high standards of security that Hetzner offers.

The most sensitive data that is stored in our databases (username and password and in the future credit cards) is encrypted. Based on the functionality of Seluxit products and with an eye to the anonymization of data, data is stored in such a manner that universally unique IDs (UUIDs) are assigned to every architectural layer and piece of data stored. This means in the event of a data breach, that reconstructing the raw data would be extremely difficult. Moreover, data of different types is stored on different partitions in the server area, again making reconstruction extremely difficult.

For how long will we retain your personal data?

Data Collected by Seluxit

Email address (username) and password

This information is kept indefinitely until you actively delete your account. Upon deletion of your account, the information is deleted immediately.

Additional optional personal details

This information is kept indefinitely until you actively delete your account. Upon deletion of your account, the information is deleted immediately.

IP Addresses and Cookies

IP addresses, which are saved in logs, are rotated regularly. The duration is linked to the traffic generated on our servers, and thus can vary significantly.

Cookies are only stored locally on the users browser, and they remain on the users computer until they expire as stipulated by the issuer of that cookie, or until the user deletes cookies from their browser.

There are special considerations with regards to backups, which has already surfaced as a point of contention of the GDPR. The issue is that if a user requests the deletion of their data, it can have an implication for the ability to backup and restore data for a much larger scope of people. Backups are compressed in binary format, so restoring is a resource-intensive process. Therefore, Seluxit reserves the right to keep backups of data, which we feel is responsible regarding the relatively non-sensitive nature of the personal data we hold. In the future, we plan to have personal data and non-personal data in separate backups, so non-personal data on devices can be restored without restoring the personal data of IP addresses.

Social media plugins

No information is stored on Seluxit’s servers by Seluxit’s own use of social media plugins. Be aware however that Seluxit product stakeholders may enable some functionality that does, in which case they are obliged to make this explicit. Cookies may be stored locally (refer to the previous paragraph).

Email Newsletters

Data collected for email newsletters is only kept internally by Seluxit and / or with our email newsletter services partners for the purposes of operating the email newsletter. No external party not involved with these operations will be given access to this data.

Credit Card Information

This information is kept indefinitely until you actively delete your account. Upon deletion of your account, the information is deleted immediately.

Email correspondence

This information is kept indefinitely and deleted at the discretion of Seluxit. Upon request, we can delete emails, as long as the purpose Seluxit had with the mail (for example support that may affect other users) is no longer present. Mails may also be kept in the context of settling potential disputes between Seluxit and Seluxit’s stakeholders that may arise.

Data Collected by Seluxit Products Stakeholders

This is at the discretion of Seluxit products stakeholders, and Seluxit products stakeholders will be required, as per the GDPR regulations, to make clear their handling of the data.

Your rights

In accordance with the GDPR, we highlight here that you have the right to:

Access

Request for information on your stored data and the purpose of such data storage – also in relation to the origin and recipients of the data.

Correction

Request correction of your personal data where the data is incorrect. In Seluxit products, you may simply log into your account and correct the data.

Erasure

Request to have your data deleted. This is also enabled in the user interface of Seluxit products. Note that personal information may persist in backups.

Portability

Request a transfer of your personal data. Refer to the note on the export of your personal data above in this document.

Further rights and information

You have more rights regarding the processing of your personal data, several of which are not relevant for Seluxit’s own limited processing of your personal data, but which may be relevant for Seluxit products stakeholders and their users. Refer to the GDPR for more information (EU GDPR Information).

Contact

Please do not hesitate to contact us if you think there may be a problem with the privacy of your personal data or for any clarification on the protection of your privacy at gdpr_info@seluxit.com.

Seluxit A/S
Hjulmagervej 32B
9000 Aalborg
Denmark

Changes in the Privacy Notice

This privacy notice has been last updated 27th of November, 2018.

Seluxit retains the right, in its sole discretion, to change this Privacy Notice at any time. You may access and print this Privacy Notice at any time via www.seluxit.com/privacy. As a change of legislation, as well as changes in our internal procedures, may affect the adoption of this Privacy Notice, we kindly ask you to check this Privacy Notice on a regular basis.

What is a cookie?

A cookie is a text file which is downloaded to your computer when you visit a website. In this text file, the website stores information that it would like to read the next time you visit the page. It is often information that is used for improving your experience, such as not opening a popup multiple times if you’ve already seen the content once. Cookies are also used to collect statistics on the website’s usage.

A cookie is a text file, not a program file. This means that the cookie cannot do anything on your computer itself. It cannot collect information, spread viruses or otherwise harm. The contents of cookies are read and written by the websites you visit as a user.

Cookies may have different life spans: they may stop at the end of a browser session (i.e. from the moment when the user opens a browser window until this is closed again), or they may last for a longer time and cover several browser sessions. Cookies may also be divided into first party cookies and third-party cookies, according to the party placing the cookie on the website. First party cookies are those placed by the owner of the website, who is the party that the user is interacting with in the first place. Third party cookies are those placed on a website by a third party, where the third party or others get access to the data collected.

The cookies we use

When using our website, a session cookie is set, which is required for the site to function optimally. This cookie does not collect any personal information about you and will be deleted when you close your browser.

We otherwise use cookies to analyze our traffic with Google Analytics, LinkedIn and Facebook. The services may combine information collected on your use of our site with other information that you’ve provided to them or that they’ve collected from your use of their services.

The first time you visit the site, you will be presented with a message about cookies at the bottom of the page.

Seluxit uses Google Analytics to analyze the behavior of visitors to Seluxit’s websites in order to improve Seluxit’s websites. Note that this means that using our website and agreeing to the use of cookies means that the personal data of your behavior on our site will be stored on servers in the United States. It is possible to opt out of the collection of your personal data to Google by downloading a browser add-on provided by Google (Google Analytics Opt-out).

Seluxit uses Facebook pixel and LinkedIn Insight Tag, which helps us to measure the effectiveness of our advertising by understanding the actions you take on our website. We can use these tools to make sure our ads are being shown to the right people, re-targeting ads and building advertising audiences.

Yes, thank you

If you click on "Accept" all cookies are added to your computer and the message on the front page disappears. The next time you visit the site with the same browser, you will not be asked if you want to accept cookies and cookies will still be added.

There is currently a cookie that remembers your choice of cookies.

No, thank you

If you press "Decline", only functional cookies are set. Currently, functional cookies remember your cookie setting wishes as well as your language preference.

If you do not want cookies to be saved on your computer, you must turn off cookies in your browser. You should be aware that in that case, there may be elements on the site that do not work.

Change settings for cookies

You always have the option to change your settings by clicking: Reset cookie settings

Accepting cookies

We have stored cookies on your computer, as you have previously accepted them on www.seluxit.com.

This privacy notice has been last updated 27th of March 2019.

Seluxit retains the right, in its sole discretion, to change this Cookie policy at any time. You may access and print this Cookie Policy at any time via www.seluxit.com/privacy. If significant changes are going to be made to this policy, you will be asked to accept the cookies again under the new changes. However, we recommend you check our cookie policy on a regular basis.