Privacy Policy - smawatec APP

Privacy Policy
-
Effective Date: April 13, 2026

This Privacy Policy explains how smawatec GmbH (“Smawatec”, “we”, “us”, “our”) processes personal data when you use the Smawatec mobile application, connected cloud services, and compatible smart water devices.

1. Controller

The controller responsible for the processing of personal data is:

smawatec GmbH

Arneburger Straße 24 – Haus 2

39576 Stendal

Germany

Tel.: +49 3931 4196970

Email: info@smawatec.com

Registration Number: HRB 35227

Managing Director: Gordon Koch

2. Categories of Personal Data

Depending on how you use the App and Device, we may process the following categories of personal

2.1 Account and Profile Data

– Name

– Email address

– Language

– Region / country

– Account identifiers

2.2 Device and Technical Data

– Device ID

– Firmware version

– App version

– Operating system version

– Push token / notification token

– Authentication and session-related tokens

– Pairing and connectivity status

– Configuration settings

– Timestamps of certain account and token-related activities

2.3 Water Usage and Device Event Data

– Flow rate data

– Volume data

– Water usage patterns

– Leak alerts and leak-related event data

– Valve state and commands

– Temperature, pressure, or comparable sensor values

– Automation settings and user-defined thresholds

– Timestamps for events and actions

2.4 Support and Communication Data

– Support requests

– Messages you send us

– Records of communications relating to support or troubleshooting

2.5 Log and Security Data

– Security-related events

– API requests and timestamps

– Technical server logs where required for secure and stable operation

3. Purposes and Legal Bases

We process personal data for the following purposes and legal bases under Article 6 GDPR:

3.1 Contract Performance, Article 6(1)(b) GDPR

We process data necessary to create and manage your account, pair and operate your Device, provide leak detection and valve-control functionality, deliver notifications, display water usage information, synchronize settings, and provide customer support.

3.2 Legal Obligations, Article 6(1)(c) GDPR

We may process data where necessary to comply with legal obligations.

3.3 Legitimate Interests, Article 6(1)(f) GDPR

We process data where necessary for:

– IT security and fraud prevention;

– service stability, diagnostics, troubleshooting, and error analysis;

– improving reliability and technical performance; and

– defending or establishing legal claims.

Our legitimate interests consist in operating a secure, reliable, and economically viable connected-device service.

3.4 Consent, Article 6(1)(a) GDPR

Where we request your consent for optional processing, we will rely on your consent. You may withdraw consent at any time with effect for the future.

4. App Permissions

4.1 Bluetooth

The App may request Bluetooth access to discover and pair your Device during setup and onboarding.

4.2 Local Network / Nearby Device Access

The App may require local network or nearby-device permissions to connect the Device to your network and complete setup.

4.3 Location Permissions

On some operating systems, location-related permission may be technically required for Bluetooth or Wi‑Fi pairing. We do not use this permission to track your physical movements for marketing purposes.

4.4 Push Notifications

The App may request permission to send alerts and operational notifications, such as leak alerts, device warnings, and service notices.

4.5 Biometric Authentication

If you enable biometric login on your device, authentication is processed locally by your operating system or device provider. We do not receive or store your raw biometric data.

5. Recipients and Processors

We disclose personal data only where necessary for the purposes described above and in accordance with applicable law.

Recipients or categories of recipients may include:

– hosting and infrastructure providers;

– notification delivery providers;

– customer support providers;

– IT security and maintenance providers;

– professional advisers where necessary; and

– authorities or courts where legally required.

Our current main service providers include:

– Hetzner Cloud for hosting and server infrastructure in Germany; and

– Google Firebase for push notification delivery.

We also send transactional emails such as password-reset emails and one-time code emails where necessary to operate the account and authentication functions.

6. International Data Transfers

Our primary hosting infrastructure is located in Germany.

If personal data is transferred to recipients outside the European Economic Area in the future, we will do so only in accordance with applicable law and only where an appropriate safeguard exists, such as an adequacy decision or the European Commission’s Standard Contractual Clauses.

7. Storage, Retention, and Deletion

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account-related and device-related data are generally retained for as long as your account remains active and as long as they are needed to provide the App and connected services.

Users may request deletion of their account either directly within the App or externally through our web page (https://smawatec.com/account-deletion/).

If you delete your account, the backend triggers an anonymization process so that the data can no longer be attributed to you as an identifiable person. Once this process is completed, the account cannot be restored and remote functionality may cease.

Technical server logs are retained for a limited period and are deleted automatically after 14 days.

We do not currently operate a separate automatic deletion or deactivation process solely on the basis of account inactivity.

Aggregated or anonymized information may remain stored for statistical, technical, or product-related purposes where it can no longer be linked to an identifiable individual.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

Data transmission is protected using SSL/TLS encryption. Passwords are not stored in plain text; instead, they are stored in hashed form.

9. Your Rights

Subject to the conditions of applicable data protection law, you have the following rights:

– right of access;

– right to rectification;

– right to erasure;

– right to restriction of processing;

– right to data portability;

– right to object to processing based on legitimate interests;

– right to withdraw consent at any time, where processing is based on consent; and

– right to lodge a complaint with a supervisory authority.

You may contact us at info@smawatec.com to exercise your rights.

You may also use our external account-deletion page at https://smawatec.com/account-deletion/ to request deletion of your account and associated personal data.

10. Provision of Data

Certain data is necessary to provide the App, pair the Device, authenticate your account, and deliver core connected functions. If you do not provide such data, some features may not function or may function only partially.

11. Automated Decision-Making

We do not use automated decision-making within the meaning of Article 22 GDPR that produces legal effects or similarly significant effects on you.

12. Children

The App is not directed to persons under 18 years of age.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. The current version will be made available through the App or on our website.

14. Contact

If you have questions about this Privacy Policy or the processing of your personal data, contact: