Privacy Policy for PureLine SmartMate

SmartMate app

This privacy notice explains how we process your personal data when you use our SmartMate app. Personal data means any information relating to an identified or identifiable natural person.

1 Name and contact details of the controller

Unless otherwise stated, CWS International GmbH ("CWS") is the controller of the processing of your personal data described in this privacy notice.

Address:	Franz-Haniel-Platz 1b, 47119 Duisburg
Phone:	+49 6103 309-0
E-mail:	info@cws.com

2 Contact details of the data protection officer

You can reach our data protection officer at the following e-mail address: datenschutzbeauftragter@cws.com.

In addition, you can reach our data protection officer via our aforementioned postal address. In this case, please mark the envelope "To the Data Protection Officer".

3 Nature, scope, purpose and legal basis of the processing of personal data in connection with the use of the app

In order to access the content of the respective company that has a contractual relationship with us regarding our services in the area of integrated hygiene and washroom solutions, e.g. your employer or your client ("CWS-Customer"), the following steps – and the associated data processing – are necessary:

3.1 Download the app

When downloading this app, certain personal data required for this purpose will be transmitted to the corresponding app store (Google Play and App Store iOS).

When you download the app, the app store operator collects your e-mail address, your user name, your customer number that is assigned to your account, your individual device identification number, payment information and the time of the download.

We have no influence on the collection and processing of this data, which is carried out exclusively by the app store operator. Accordingly, we are not responsible for this collection and processing; the responsibility for this lies solely with the app store operator.

3.2 Registration

Our SmartMate app is available to you as a user free of charge. The respective CWS-Customer informs us which persons shall be granted access to the contents of the respective CWS-Customer within the app and, via the app, to the respective (dispenser) data in our IT system. In order to initiate your registration process for the app, this respective CWS-Customer must provide us with your following personal data:

First name, last name;
E-mail address;
User role within the app (two possible roles are offered for CWS client users:
- Employee
  - Access to dispenser status in app;
  - Access to data analysis in the web portal (cf. our privacy notice on the web portal).
- Building maintenance
  - Access to dispenser status in app;
  - Access to data analysis in the web portal (cf. our privacy notice on the web portal).
  - Can change dispenser settings in the app.

The submission of this data is necessary for us to send you an e-mail to complete your registration. After clicking on the link in this e-mail, you can complete your registration by selecting a password. We will automatically generate your user name and you cannot change it freely. We will generate your user name from your e-mail address (the e-mail address firstname.lastname@company.com results in the following user name: firstname.lastname@company.smart). After logging in to the app, you can then access the content of the respective CWS-Customer within the app. After completing your registration, we process your following data:

First name, last name;
E-mail address;
Username;
Password;
Language, time zone;
User role within the app;
Organisational assignment to the respective CWS-Customer.

We store this personal data at least for the duration of your access to the app. After the respective CWS-Customer has informed us that your authorisation to use the app has expired, we will initially deactivate your access in order to enable a quick reactivation if necessary. We will erase your user data no later than one (1) year after deactivation of your user account.

3.3 App use

We also collect the following app usage data from you:

Date and time of the last application;
Your IP address;
Content of the request (content visited);
the amount of data transferred in each case;
Operating system;
Device Identification – Google Advertising ID.

In order to use the app, you must grant us the following permissions, which may result in processing of your personal data:

Access to Bluetooth and your location to search for dispensers and read dispenser data. The location authorisation required for technical purposes by the smartphone operating system to read out the dispenser data. Your location data will not be processed beyond this.
Camera access to scan QR codes on dispensers, to read out dispenser data.

The processing of this data is necessary to enable the use of our app offer.

We store this data to ensure the security of our app, to ensure the proper operation of the app and to enable the prosecution of criminal offences or security measures in the event of concrete indications.

Legal basis for data processing under section 3 are our legitimate interests in accordance with Art 6 para 1 lit f) GDPR. Our legitimate interests lie in the secure provision of our app content.

4 Passing on data to the respective CWS-Customer

The respective CWS-Customer does not receive any personal data about you as an app user.

5 Disclosure of data to other third parties

5.1 Service providers bound by instructions

We pass on your personal data in particular to the service providers listed below who are bound by instructions and who support us (e.g. in the maintenance and administration of the app or the design of administrative processes) or the provision of functions within the framework of the app:

5.1.1 Hagleitner Hygiene International GmbH ("Hagleitner")

Hagleitner processes the aforementioned personal data in connection with app maintenance for us and uses the Google Firebase services described below.

Since Hagleitner provides these services for us in accordance with instructions as a so-called data processor, a separate legal basis for data processing by Hagleitner is not required.

5.1.2 Google Firebase

Hagleitner uses the Google Firebase services of the provider Google Cloud EMEA Limited ("Google") described below:

Remote Config: To be able to adjust the appearance or content of the app without updating the app;
Crashlytics: For tracking and fixing stability problems.

Your personal data will be stored for this purpose for a maximum period of 90 days. After this period, the data is automatically erased.

According to the agreement with Google, a transfer of your personal data to third countries outside the EU or EEA takes place on the basis of standard data protection clauses pursuant to Art 46 para 2 lit c) GDPR (cf. https://firebase.google.com/terms/data-processing-terms as well as https://firebase.google.com/terms/crashlytics and https://firebase.google.com/terms/crashlytics-app-distribution-data-processing-terms). Your customer data may be processed in any country from which Google or the respective sub-processors provide the data processing. In some cases, the third countries in which the data centres are located or from which processing is carried out do not have an adequate level of data protection on the basis of a decision by the European Commission (a list of so-called safe third countries can be found at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de). The transfer to unsafe third countries is associated with risks for your personal data, in particular insofar as access by the respective state authorities cannot be excluded. These risks cannot be excluded solely by concluding standard contractual clauses between the data exporter (Hagleitner) and the respective party in the third country (Google). Nevertheless, the provisions of Hagleitner's agreement with Google contain a large number of technical and organisational measures designed to ensure the security of your personal data.

Basic information on the processing of your personal data by Google can be found here: https://firebase.google.com/support/privacy#data_protection and https://firebase.google.com/support/privacy.

Since Google provides this service for Hagleitner as a so-called order processor bound by instructions, a separate legal basis for data processing by Google is not required.

5.2 Responsible third parties and state institutions

In addition, we also transmit personal data to third parties in individual cases, such as management consultants, tax advisors and lawyers. These recipients then process the data under their own responsibility. The legal basis for this processing is Art 6 para 1 lit f) GDPR; we have a legitimate interest in making our business processes more effective by using external service providers and in safeguarding our rights and interests through professional advisors.

Within the scope of our legal obligations, personal data may also be transferred to public authorities entitled to receive information, such as authorities or courts. The legal basis for the transfer is Art 6 para 1 lit c) GDPR in conjunction with the respective legal basis of our legal obligation.

6 Automated individual decisions or profiling measures

We do not use automated processing to make an individual decision or profiling.

7 Local storage

The app transmits all the information listed in section 3 to us. In addition, the app stores this data locally on your end device to enable offline use of the app. This locally stored data is erased when the app is uninstalled.

8 Cookies and similar technologies

In order to make visiting our app attractive and to enable the use of certain functions, we and certain third parties use cookies in our app. These are small text files that are stored on your terminal device. Some of the cookies we use are deleted again after the end of the app use (so-called session cookies). Other cookies remain on your end device and enable us or our partner companies to recognise you for the next time you use the app (so-called persistent cookies).

8.1 Technically necessary cookies

In our app, we use the following technically necessary cookies for the operation of our app:

Name	Provider	Duration	Function	Category
CookieConsentPolicy	Salesforce Lab	Validity 1 day	Used to apply end-user cookie consent preferences set by our client-side utility.	Necessary
LSKey-c$CookieConsentPolicy	Salesforce Lab	Validity 1 day	Implements several technical functions, such as forwarding server requests within the Salesforce infrastructure, capturing the consent status for the current domain in relation to the cookie dialogue and storing the language selection.	Necessary
PicassoLanguageb3183ac3-34b5-44b7-ab58-8220173574baPublished	Salesforce Lab	Validity unlimited	Used to store a user’s language selection for this Experience Builder site. The site doesn’t load without this cookie if the user changes the site’s language.	Necessary
force-proxy-stream	Salesforce Lab	Validity 3 hours	Ensures that client requests hit the same proxy hosts and are more likely to retrieve content from cache.	Necessary
force-stream	Salesforce Lab	Validity 3 hours	Used to redirect server requests for sticky sessions.	Necessary
oid	Salesforce Lab	Validity 1 year	Stores the last logged in org for redirecting requests. Used for logging whether the cookie is present in site and community guest-user requests.	Necessary
pctrk	Salesforce Lab	Validity 1 year	Used to track unique page visitors in Experiences.	Necessary
renderCtx	Salesforce Lab	Validity unlimited	Used to store site parameters in the session for reuse across requests by a single client for functionality and performance reasons.	Necessary
sfdc-stream	Salesforce Lab	Validity 3 hours	Used to properly route server requests within Salesforce infrastructure for sticky sessions.	Necessary
BrowserId	Salesforce Lab	Validity 1 year	Used for IT-security protection reasons.	Necessary
BrowserId_sec	Salesforce Lab	Validity 1 year	Used for IT-security protection reasons.	Necessary
autocomplete	Salesforce Lab	Validity 2 months	Determines if the login page remembers the user's username.	Necessary
oinfo	Salesforce Lab	Validity 2 months	Tracks the last logged in person.	Necessary

8.2 Other cookie categories

In addition, if you provide us with your consent, we will use the following cookies from other cookie. Your consent includes all cookies selected by you and the associated storage of information on your terminal device as well as their subsequent reading out and the processing of personal data. The legal basis for your consent with regard to the storage and reading of information is Sec 25 para 1 of the Telecommunications Telemedia Data Protection Act (TTDSG) and, with regard to the processing of personal data, Art 6 para 1 lit a) GDPR.

9 Contact

If you send us enquiries (e.g. by telephone or e-mail), we process the information you provide about the enquiry, including your contact details (in particular your name and, if applicable, your e-mail address or telephone number), for the purpose of processing the enquiry and any follow-up questions.

The processing is based on Art 6 para 1 lit f) GDPR. We have a legitimate interest in effectively processing your request. The data you transmit to us by way of contacting us will remain with us until the purpose for the data processing no longer applies (e.g. after the processing of your enquiry has been completed).

10 Erasure of your data

Unless otherwise stated in this privacy notice, we will erase your data as soon as it is no longer required for the purposes for which we have collected or used it in accordance with the above paragraphs. Further storage will only take place if this is necessary for legal reasons, in particular for the assertion, safeguarding or defence of claims.

The storage is based on our legitimate interest, the proper documentation of our business operations and the protection of our legal positions (Art 6 para 1 lit f) GDPR).

11 Your data subject rights

The EU General Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG") grant you a number of data subject rights. You can exercise these rights by contacting us via our previously mentioned contact details (see section 1). Depending on the reason and type of processing of your personal data, you have the following rights:

11.1 Your right to information

Pursuant to Art 15 GDPR and Sec 34 BDSG, you have the right to receive from us, upon request, information about the personal data processed by us that concerns you, to the extent and under the conditions specified therein.

11.2 Your right to rectification

In accordance with Art 16 GDPR, you have the right to demand that we correct personal data relating to you that you consider to be inaccurate without delay. You also have the right to request us to complete such personal data that you consider incomplete.

11.3 Your right to erasure

According to Art 17 GDPR and Sec 35 BDSG, you have the right under certain conditions to demand that we erase your personal data.

11.4 Your right to restriction of processing

According to Art 18 GDPR, you have the right under certain conditions to demand that we restrict the processing of your personal data.

11.5 Your right to data portability

Pursuant to Art 20 GDPR, you have the right to receive from us the personal data concerning you that you have provided to us in a structured, common, machine-readable format.

11.6 Right to withdraw consent

If we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time in accordance with Art 7 para 3 GDPR. Your withdrawal of consent does not affect the lawfulness of processing based on your consent before its withdrawal.

11.7 Right to object

If the processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority pursuant to Art 6 para 1 lit e) GDPR or if we process your data on the basis of our legitimate interest pursuant to Art 6 para 1 lit f) GDPR, you have the right to object to the processing in accordance with Art 21 GDPR.

11.8 Data processing when exercising your rights

We process the personal data provided by you when exercising your data subject rights, together with your personal data already stored by us, for the purpose of implementing your data subject rights and providing evidence thereof. This data processing is based on the legal basis of Art 6 para 1 lit c) GDPR in conjunction with the previously listed legal basis for the respective asserted data subject right. Insofar as we process the personal data for the purpose of legal defence, this is also our legitimate interest according to Art 6 para 1 lit f) GDPR.

We store your personal data in connection with the exercise of your data subject rights to fulfil the legal documentation obligations under the GDPR, in particular to prove our timely compliance with your rights, for the duration of the regular statute of limitation period of three years, starting with the end of the year in which we finalised the processing of your request.

You are neither contractually nor legally obliged to provide personal data; however, we may refuse to implement your data subject rights pursuant to Art 12 para 2 sen 2 GDPR if you do not provide us with the data required for your clear identification, if necessary after a request to do so.

11.9 Right of appeal to a data protection supervisory authority

In accordance with Art 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority of your choice if you believe that the processing of your personal data violates data protection law.

12 Changes to the privacy notice

CWS regularly adapts this privacy notice to provide all necessary information concerning the data processing carried out and to comply with legal changes. The current version of the privacy notice is always available under the "Data protection" section within the app.

SmartMate Webportal

This privacy notice explains how we process your personal data when you use our SmartMate web portal (“web portal”). Personal data means any information relating to an identified or identifiable natural person.

1 Name and contact details of the controller

Unless otherwise stated, CWS International GmbH ("CWS") is the controller of the processing of your personal data described in this privacy notice.

Address:	Franz-Haniel-Platz 1b, 47119 Duisburg
Phone:	+49 6103 309-0
E-mail:	info@cws.com

2 Contact details of the data protection officer

You can reach our data protection officer at the following e-mail address: datenschutzbeauftragter@cws.com.

In addition, you can reach our data protection officer via our aforementioned postal address. In this case, please mark the envelope "To the Data Protection Officer".

3 Nature, scope, purpose, and legal basis of the processing of personal data in connection with the use of the web portal

Your employer or your client ("CWS customer") has a contractual relationship with us regarding our services in the area of integrated hygiene and washroom solutions. By means of the web portal provided by us, you can access various contents of the CWS customer. For example, you can access the location of the devices you are maintaining, the device and connection status, or the current consumption of the devices.

For this purpose, the following steps - and associated data processing - are necessary.

3.1 Visiting the web portal

When visiting our web portal, but without registering and without otherwise providing us with information, we process the following personal data that your browser submits to our server:

IP address of the accessing end device.
Date and time of the request.
Content of the request.
Access status/http status code.
Browser type.
Operating system.

The data is technically necessary for us to display our web portal and to ensure its stability and security. The legal basis for the collection and processing in this respect is Art 6 para 1 lit f) GDPR. Our legitimate interest is ensuring the proper functioning of our web portal.

3.2 Initiation of the registration process

Our web portal is available to you as a user free of charge. Within the framework of concluding the contract with us, the CWS customer defines which of his employees or contractors shall be granted access to the web portal. To initiate your registration process for the web portal, the respective CWS customer must provide us with your following personal data:

First name, last name.
Email address.
User role within the web portal:
- Employee
  - Access to data analysis.
  - Device and connection status.
  - Device-by-location.
- Building maintenance
  - Access to data analysis.
  - Device and connection status.
  - Device-by-location.
Preferred language.

The submission of this data is necessary for us to send you an email to complete your registration. After you click on the link in this email, you can complete your registration by selecting a password. Your username is automatically generated by us and cannot be changed freely by you. The username derives from your email address (the email address first name.last name@company.com results in the following username: first name.last name@company.smart). After logging in, you can access the content of the respective CWS customer within the web portal. The legal basis for the collection and processing of the data is Art 6 para 1 lit f) GDPR. Our legitimate interest lies in the secure provision of our web portal content.

3.3 Registration of an account

After completing your registration, we process your following data:

First name, last name.
Username.
Email address.
Language, time zone.
User role in the system.
Organisational assignment to the respective CWS customer.
Password.
Date and time at time of log-in.
Date and time of last activity.
IP address.

The legal basis for processing your data is Art 6 para 1 lit f) GDPR. Our legitimate interest lies in the secure provision of our web portal content.

We store this personal data at least for the duration of your access to the web portal. After the respective CWS customer has informed us that your authorisation has lapsed, access will initially be deactivated by us to enable rapid reactivation if necessary. At the latest, one (1) year after deactivation of your user account we delete your user data.

4 Passing on data to the respective CWS-Customer

The respective CWS customer does not receive any personal data about you as a web portal user.

5 Disclosure of data to other third parties

5.1 Service providers bound by instructions

In particular, we pass your personal data on to the service providers listed below who are bound by instructions and who support us (e.g., with the maintenance and administration of the web portal or the design of administrative processes) or the provision of functions within the framework of the web portal:

5.1.1 Hagleitner Hygiene International GmbH („Hagleitner“)

Hagleitner processes the aforementioned personal data in connection with the web portal maintenance for us.

5.1.2 Microsoft Azure

The web portal is hosted via Microsoft Azure. As part of the support in the event of software errors in the backend system or for updating the backend software, our development partner Hagleitner gains access to MS Azure to perform the corresponding tasks.

According to the agreement with Microsoft, a transfer of telemetry and diagnostic data to third countries outside the EU or EEA takes place on the basis of standard data protection clauses according to Art 46 para 2 lit c) GDPR (https://learn.microsoft.com/de-de/compliance/regulatory/offering-eu-model-clauses). In this context, your customer data may be processed in any country from which Microsoft or the respective sub-processors provide the data processing services. In some cases, the third countries in which the data centers are located or from which processing is carried out do not have an adequate level of data protection based on a decision by the European Commission (a list of so-called safe third countries can be found at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de). The transfer to unsafe third countries is associated with risks for your personal data, in particular insofar as access by the respective government authorities cannot be excluded. These risks cannot be excluded solely by concluding standard contractual clauses. Nevertheless, the agreement with Microsoft contains a large number of technical and organizational measures designed to ensure the security of your personal data.

Basic information on the processing of your personal data by Microsoft can be found here: https://privacy.microsoft.com/de-de/privacystatement.

5.2 Responsible third parties and state institution

6 Automated individual decisions or profiling measures

We do not use automated processing to make an individual decision or profiling.

7 Cookies and other technologies

To make the visit to our web portal attractive and to enable the use of certain functions, we use cookies. These are small text files that are stored on your end device. Some of the cookies we use are deleted after the end of the web portal use (so-called session cookies). Other cookies remain on your end device and enable us or our partner companies to recognise you for the next time you use the web portal (so-called persistent cookies).

7.1 Technically necessary cookies

In our web portal, we use technically necessary cookies presented below for the operation of our web portal:

Name	Provider	Storage period	Function
ARRAffinity	Microsoft Azure	This cookie is deleted when you close your browser.	This cookie forwards the request made via web browser to the same machine in the DXC Cloud environment.
ARRAffinitySameSite	Microsoft Azure	This cookie is deleted when you close your browser.	This cookie supports load balancing and ensures that requests are always sent to the same server.
CookieConsentPolicy	Salesforce Lab	1 day	Used to apply end-user cookie consent preferences set by our client-side utility.
LSKey-c$CookieConsentPolicy	Salesforce Lab	1 day	Implements several technical functions, such as forwarding server requests within the Salesforce infrastructure, capturing the consent status for the current domain in relation to the cookie dialogue and storing the language selection.
PicassoLanguageb3183ac3-34b5-44b7-ab58-8220173574baPublished	Salesforce Lab	Unlimited	Used to store a user’s language selection for this Experience Builder site. The site doesn’t load without this cookie if the user changes the site’s language.
force-proxy-stream	Salesforce Lab	3 hours	Ensures that client requests hit the same proxy hosts and are more likely to retrieve content from cache.
force-stream	Salesforce Lab	3 hours	Used to redirect server requests for sticky sessions.
oid	Salesforce Lab	1 year	Stores the last logged in org for redirecting requests. Used for logging whether the cookie is present in site and community guest-user requests.
pctrk	Salesforce Lab	1 year	Used to track unique page visitors in Experiences.
renderCtx	Salesforce Lab	Unlimited	Used to store site parameters in the session for reuse across requests by a single client for functionality and performance reasons.
sfdc-stream	Salesforce Lab	3 hours	Used to properly route server requests within Salesforce infrastructure for sticky sessions.
BrowserId	Salesforce Lab	1 year	Used for IT-security protection reasons.
BrowserId_sec	Salesforce Lab	1 year	Used for IT-security protection reasons.
autocomplete	Salesforce Lab	2 months	Determines if the login page remembers the user's username.
oinfo	Salesforce Lab	2 months	Tracks the last logged in person.

Pursuant to Sec 25 para 2 No 2 of the Telecommunications and Media Data Protection Act ("TTDSG"), consent is not required for storage and reading out these strictly necessary cookies. The legal basis for the processing of your personal data, which is also included here, is our legitimate interest (Art 6 para 1 lit f) GDPR). We have an interest in keeping our website technically accessible, secure, and usable.

7.2 Technically not necessary cookies

In addition, the following cookies are set if you give us your consent. The consent includes all cookies selected by you and the associated storage of information on your end device as well as their subsequent reading and the following processing of personal data.

Name

Provider

Storage period

Privacy Policy PureLine SmartMate

SmartMate app

SmartMate Webportal