Privacy policy

Below you will find the information to be provided in accordance with Articles 13 and 14 of the General Data Protection Regulation ("GDPR") on the processing of your personal data by KOSTAL Solar Electric GmbH (hereinafter "we" or "us") when you use the KOSTAL Solar App "Solar4me" ("App").

 

A. Controller and data protection officer under data protection law

KOSTAL Solar Electric GmbH, Hanferstr. 6, 79108 Freiburg i. Br., info-solar@kostal.com,
Phone +49 (0) 761 47744-100.

Data Protection Officer of the KOSTAL Group, An der Bellmerei 10, 58513 Lüdenscheid,
datenschutz@kostal.com.

 

B. Information on the processing of personal data

Below you will find information about the processing of your personal data for the purposes listed in more detail and, among other things, about the legal basis for this processing. If the legal basis for the processing is stated there as the balancing of interests, you can request further information on the balancing of interests from us using the contact details given in section A.

I. Registration of a user account for the Solar Portal and display of performance data in the app

The app is used to display the performance data of the inverters that have been linked to your Solar Portal user account. To be able to use the app, you therefore need a user account for our Solar Portal. Registration for digital business processes takes place via the Kostal Solar Terminal, as a single sign-on solution.

To do this, you must register at terminal.kostal-solar-electric.com/registration. You can access this directly via a button in the app.

When registering a user account, we collect your master data such as e-mail address, password, first name, surname, country and language. For further details on data processing in connection with your use of the Solar Portal and the display of the performance data of the linked inverters via the app, please refer to the KOSTAL Solar Portal privacy policy, which also applies when using the app. You can view it here.

 

II. Analysis data

1. "Firebase Crashlytics"

The Solar4me app uses "Firebase Crashlytics", a tool offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for people from Europe, the Middle East and Africa (EMEA) and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") for all other people. The personal data described below will be transmitted to Google as our processor and thus possibly also to the USA in the event of the app crashing; we have concluded standard contractual clauses for this case:

• Universally Unique Identifier (UUID) of your smartphone or tablet and
• Background information that led to the app crashing, such as the function used, the version of the app, etc.
• IP address of the device.
• Firebase installations ID
• Crash traces
• Breakpad minidump formatted data
• (NDK crashes only)

We would like to point out that US companies may be obliged to disclose personal data to security authorities without you as the data subject being able to take legal action against this.

We have no influence on this processing activity and it cannot be ruled out that US authorities (e.g. secret services) may process, analyse and permanently store your data on US servers for monitoring purposes.

Crash reports are only sent with your express consent. When using iOS apps, you can give your consent in the app settings or after a crash. With Android apps, you have the option of generally consenting to the transmission of crash notifications to Google and app developers when setting up the mobile device. You can revoke your consent for this processing at any time by deactivating the "Crash reports" function in the settings of the iOS apps (in the magazine apps, the entry can be found in the "Communication" menu item).

For the Android apps, the deactivation is basically done in the Android settings. To do this, open the Settings app, select the "Google" item and then the "Usage & Diagnostics" menu item in the three-dot menu at the top right. Here you can deactivate the sending of the corresponding data. Further information can be found in the help for your Google account.

The legal basis for data transmission is consent pursuant to Art. 6 para. 1 lit. a GDPR. Your consent is given in the cookie banner, which you give via the consent banner or in the respective tool itself by individually authorising its use via a banner (overlay) placed above it. The access to and storage of information in the end device then takes place on the basis of the implementation laws of the e-Privacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. You can revoke your consent to use the tools at any time. To do so, click on "Data protection" in the app settings, which will call up the cookie banner again. Within the banner, you will find the individual tools under "More information" > "Services" and can select or deactivate them.

The data is stored for ninety (90) days.

Further information on data protection can be found in Firebase Crashlytics' privacy policy at firebase.google.com/support/privacy and https://docs.fabric.io/apple/fabric/data-privacy.html#data-collection-policies

2. Localise

Solar4me uses "Localise", a tool from Localise Inc. 3500 South DuPont Highway, Suite BZ-101, Dover, DE 19901, USA ("Localise"), which acts for us as a processor. The personal data described below is used when the app is called up in order to load translations via an OTA (Over the Air) update and to make the app available to the user in multiple languages,

• Universally Unique Identifier (UUID) of your smartphone or tablet
• Device model and manufacturer and
• IP address of the device.

The legal basis for this processing - including the setting and reading of cookies - is a consent to be given separately by you (Art. 6 para. 1 sentence 1 lit. a GDPR). Your consent is given in the cookie banner, which you give via the consent banner or in the respective tool itself by individually authorising its use via a banner (overlay) placed above it. The access to and storage of information in the end device then takes place on the basis of the implementation laws of the e-Privacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. You can revoke your consent to use the tools at any time. To do so, click on "Data protection" in the app settings, which will call up the cookie banner again. Within the banner, you will find the individual tools under "More information" > "Services" and can select or deactivate them.

The data described in this section may be transferred to Localise in the USA. However, Localise has certified itself under the Data Privacy Framework. The European Commission has determined in an adequacy decision pursuant to Art. 45 GDPR (see Commission Implementing Decision (EU) 2023/1795 of 10 July 2023, published under file number C(2023) 4745) that the United States ensures an adequate level of protection for personal data transferred from the European Union to organisations in the United States under the EU-US Privacy Shield

You can find more information on this in Localise's privacy policy (https://lokalise.com/privacy-policy)

We store the usage profiles for 5 minutes after the app is called up.

You can exercise the right to object to this processing mentioned in section C.

3. Microsoft

We use Microsoft Azure Active Directory B2C for user identification and to enable login to the app. To enable login via the device, the following personal data is collected

• Device model and manufacturer.

The legal basis for this processing - including the setting and reading of cookies - is the higher-value interest in providing the technical possibility to log in to the Solar App and to enable a link to the data of the Solar Portal (Art. 6 para. 1 lit f GDPR). Without login and linking, we cannot provide the Solar App service.

The recipient of this data is our hosting provider Microsoft Azure, which acts as a processor for us; where necessary, we will also agree standard contractual clauses with the hosting provider.

We would like to point out that US companies are obliged to hand over personal data to security authorities without you as the data subject being able to take legal action against this.

We have no influence on this processing activity and it cannot be ruled out that US authorities (e.g. secret services) may process, analyse and permanently store your data on US servers for monitoring purposes.

You can find more information at https://learn.microsoft.com/de-ch/compliance/regulatory/gdpr-arc-azure-dynamics.

4. Accuweather

Solar4me also uses the API of the "Accuweather" weather service to calculate the expected system yields. For this purpose, the city + country and the postcode of the system, if specified, are transmitted to the service. This sends back the weather data available for the location, on the basis of which the expected system yields are calculated.

We use a weather API to provide our users with up-to-date weather information. When using the weather API, the location data of the system is transmitted to Accuweather.

The legal basis for this processing is the overriding interest of the user to enable the service requested by him to monitor, control and optimise his system (Art. 6 para. 1 lit f GDPR).

The data is retrieved from the provider's website in the USA. We would like to point out that US companies are obliged to disclose personal data to security authorities without you as the data subject being able to take legal action against this.

We have no influence on this processing activity and it cannot be ruled out that US authorities (e.g. secret services) may process, analyse and permanently store your data on US servers for monitoring purposes. The data is transferred in compliance with the necessary security rules.

The data will be deleted by Accuweather immediately after retransmission.

5. Microsoft Clarity

We record your user behaviour when using the app in order to compile usage statistics and improve the user interface. The data is anonymised. The legal basis for processing: Your consent in accordance with Art. 6 para. 1 lit a GDPR. Your consent is given for the cookie banner. The access to and storage of information in the end device then takes place on the basis of the implementation laws of the e-Privacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. You can revoke your consent to use the tools at any time. To do so, click on "Data protection" in the app settings, which will call up the cookie banner again. Within the banner, you will find the individual tools under "More information" > "Services" and can select or deactivate them.

We use the web analysis software Microsoft Clarity for this purpose. The service provider is Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. The legal basis for the transfer of data to Microsoft Ireland Operations Ltd is your consent in accordance with Art. 6 para. 1 lit a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the e-Privacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. You can revoke your consent to use the tools at any time. To do so, click on "Data protection" in the app settings, which will call up the cookie banner again. Within the banner, you will find the individual tools under "More information" > "Services" and can select or deactivate them. This may also involve the transfer of personal data to a country outside the European Union.

The transfer of data to the USA is based on Art. 45 GDPR in conjunction with the European Commission's adequacy decision C(2023) 4745, as the data recipient has undertaken to comply with the data processing principles of the Data Pricacy Framework (DPF). We would like to point out that US companies are obliged to hand over personal data to security authorities without you as the data subject being able to take legal action against this. For an e-mail contact to the Data Protection Officer of Microsoft Ireland Operations Ltd: www.microsoft.com/de-at/concern/privacy. The privacy policy of Microsoft Ireland Operations Ltd: https: //privacy.microsoft.com/de-de/privacystatement.

Microsoft also uses standard contractual clauses (Art. 42 para. 2 and para. 3 GDPR). Standard contractual clauses are model contractual clauses provided by the European Union to ensure that personal data is also processed in accordance with European data protection standards in third countries (such as the USA). Microsoft undertakes to maintain the European level of data protection.

In Microsoft Clarity, click data and data from marked or favoured user sessions are automatically deleted after 13 months. Playback data (session recordings) are automatically deleted after 30 days

6. Google Analytics

If you have given your consent, we use the web analysis technology "Google Analytics" to record and analyse user behaviour in the Solar4me app using cookies. Google Analytics is a service provided by Google LLC ("Google") based in the USA. The personal data collected with the help of cookies includes your IP address. If the data is not provided, we will not be able to measure the web audience.

The processing serves to optimise the app by evaluating your user behaviour when using Solar4me. For example, we can use the frequency with which subpages are accessed to identify which content is of particular interest to visitors to the app and which content should be placed differently, for example.

It is technically necessary for your full IP address to be transmitted to Google. However, we have used so-called IP anonymisation. This means that your address is truncated immediately after transmission to Google as our processor and is not stored by Google. It is then no longer possible to identify the user of the end device. In the event that personal data is transferred to the USA, we have concluded standard contractual clauses with Google.

On the basis of this truncated IP address and the information in the cookies, Google creates the above-mentioned analysis of user behaviour on our website for us. As a rule, it is not possible for us to draw any conclusions about you as an individual person from these user profiles. We do not know which pseudonym has been assigned to you. Therefore, we are generally unable to recognise which specific actions you have taken on the website based on the Google Analytics usage profiles.

The legal basis for this processing - including the setting and reading of cookies - is a separate consent to be given by you (Art. 6 para. 1 sentence 1 lit. a GDPR). Your consent via the cookie banner. The access to and storage of information in the end device then takes place on the basis of the implementation laws of the e-Privacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. You can revoke your consent to use the tools at any time. To do so, click on "Data protection" in the app settings, which will call up the cookie banner again. Within the banner, you will find the individual tools under "More information" > "Services" and can select or deactivate them.

The data described in this section may be transmitted to Google in the USA. The transfer of data to the USA is based on Art. 45 GDPR in conjunction with the European Commission's adequacy decision C(2023) 4745, as the data recipient has undertaken to comply with the data processing principles of the Data Pricacy Framework (DPF). We would like to point out that US companies are obliged to hand over personal data to security authorities without you as the data subject being able to take legal action against this.

Furthermore, we have concluded standard contractual clauses with Google.

We have no influence on this processing activity and it cannot be ruled out that US authorities (e.g. secret services) may process, analyse and permanently store your data on US servers for surveillance purposes.

You can find more information on this in the Google Analytics privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

 

III. transmission of system data from an inverter

You have the option of sending the system data displayed in the app by email or sharing it via other services. You can determine the content of the transmitted information yourself. If you forward such information to us, we will process the data transmitted to us in this way to process your request. You are not obliged to provide this data. However, we cannot process your request properly without this data.

The legal basis for the processing of personal data is the balancing of interests pursuant to Art. 6 (1) (1) (f) GDPR. In this case, our legitimate interest is to process the request communicated by you.

We store this data for the duration of the processing of your request and thereafter for the duration of the statutory retention obligations (Section 257 HGB and Section 147 AO). For commercial letters, this is currently 6 years from the end of the calendar year in which the commercial letter was received or sent. The legal basis for this further storage is compliance with our legal obligation (Art. 6 para. 1 sentence 1 lit. (c) GDPR).

 

IV. Advertising partners

We work with advertising partners to provide advertising and personalised content on websites and services that are not operated by us and on other devices. There is no automatic redirection to these websites or services.

The partners may use cookies or other data collection technologies to collect data directly from a browser or device when a person visits their services and requests more detailed information on advertising. We do not pass on this data. For data collection on the part of advertising partners, please refer to the privacy policy on their websites.

 

C. Information on the rights of data subjects

As a data subject, you have the following rights in relation to the processing of your personal data, which you can exercise by contacting us using the contact information provided in section A:

• A right to information (Art. 15 GDPR) about which of your personal data we process. This includes further information about the data processing, such as the purpose and legal basis as well as the recipients of this data. You also have the right to request a copy of this data.
• A right to request that we rectify inaccurate personal data concerning you and complete incomplete personal data (Art. 16 GDPR).
• A right to request the deletion of personal data concerning you in the cases provided for by law (Art. 17 GDPR), for example if the data is no longer required for the purposes for which it was collected or if it has been processed unlawfully.
• A right to request the restriction of processing in the cases prescribed by law (Art. 18 GDPR)
• A right to receive the personal data concerning you in a structured, commonly used and machine-readable format, which we process on the basis of your consent or for the performance of a contract (see Section B)(right to data portability, Art. 20 GDPR).
• The right to withdraw consent given to us at any time. This does not affect the lawfulness of the processing carried out until the revocation.
• A right to lodge a complaint with a supervisory authority (Art. 77 GDPR). A list of data protection supervisory authorities and their addresses can be found here.