Privacy policy

Zennio User Registration Services

  1. Data controller. Zennio Avance y Tecnología, S.L. (“Zennio”), with tax identification number B45586724 and registered office at Río Jarama, 132, Nave P-8.11, 45007 Toledo, Spain, is the data controller for personal data processed via Zennio Remote/Zenprog Remote in accordance with the terms set out in this Policy, except in cases where it is expressly stated that Zennio is acting on behalf of a third party or where the roles of the parties depend on the contractual and operational configuration of the service. For any queries regarding this Policy, the User may contact Zennio at:info@zennio.com
  2. Purpose and scope of application. This Privacy Policy governs the processing of personal data arising from the access, use and operation of Zennio Remote / Zenprog Remote and, where applicable, Zennio Remote Manager (the “Service”), including, where applicable: 1) user account management; 2) remote access to facilities, devices, screens or projects; 3) the management of roles, permissions, pairings and guest users; 4) remote technical support; 5) the generation and retention of logs, security and activity records, as well as technical debugging traces; 6) the technical diagnosis, maintenance and security of the Service; and 7) the communications necessary for the provision, security, improvement and legal defence of the Service. This Policy shall apply to users who access or use the Service, as well as to those persons whose data may be processed in the course of the Service’s operation.
  3. Relationship with other documents. This Policy shall be interpreted in conjunction with: 1) the User Account Terms of Service; 2) the Remote Service Terms of Use (EULA); 3) the General Terms and Conditions of Contract and Licence; and 4) where applicable, the specific contractual documentation entered into with customers, distributors, integrators, hotels, companies or other business partners. In the event of any conflict, the applicable mandatory regulations shall prevail and, where applicable, the specific contractual documentation governing a particular processing relationship in greater detail.
  4. Categories of data processed. Zennio may process, depending on the functionality used and the context of the Service, the following categories of personal data:

 

4.1. Account and registration data: 1) email address; 2) account identifier; 3) authentication credentials and metadata; and 4) any other information necessary for the registration, maintenance and security of the account.

4.2. Service access and usage data: 1) user and role identifiers; 2) date and time of access; 3) associated installation, project, device or screen; 4) source of access, where provided and necessary for security purposes; and 5) technical metadata associated with the session or remote access.

4.3. User management and permissions data: 1) information relating to pairings; 2) assignment, modification and revocation of permissions; 3) user invitations and removals; and 4) relationships between admin users and guest users.

4.4. Support and diagnostic data: 1) support requests; 2) incidents; 3) technical diagnostic information; 4) technical data associated with authorised remote sessions, maintenance tasks, debugging and incident analysis; and 5) technical data necessary to analyse, resolve or prevent incidents affecting the Service.

4.5. Security and activity logs: 1) access events; 2) changes to permissions; 3) user registrations and deactivations; 4) pairings; 5) significant configuration changes; and 6) other structural or critical actions relating to the security, integrity and traceability of the Service. As a general rule, the Service is not designed to record the content viewed or processed during each session; rather, logs will be limited to accesses and actions relevant for security, support and legal defence purposes.

4.6. Technical debugging traces: 1) technical system and application events; 2) error, stability and diagnostic logs; 3) technical metadata necessary for debugging and security; and 4) where applicable, user information that may occasionally appear incidentally in such traces.

  1. Purposes of processing. Zennio will process personal data for the following purposes:

 

5.1. Provision of the Service: 1) to enable user registration and authentication; 2) to enable access to the Service’s features; 3) to manage installations, projects, roles, permissions and pairings; and 4) to provide the contracted or enabled features.

5.2. Technical support, maintenance and diagnostics: 1) to deal with incidents; 2) to provide remote support; 3) to diagnose errors or technical problems; 4) to apply corrective measures; 5) to debug technical errors; and 6) to improve the stability, security and compatibility of the Service.

5.3. Security, traceability and access control: 1) recording access and critical actions; 2) preventing, detecting and investigating misuse, unauthorised access or security incidents; 3) verify requests for the revocation, recovery or transfer of access; and 4) protect the integrity, availability and security of the Service, including the limited retention of technical logs where necessary for debugging, stability or security purposes.

5.4. Contractual compliance and legal defence: 1) to demonstrate compliance with contractual obligations; 2) to manage complaints, incidents, audits or requests; 3) to formulate, exercise or defend claims; and 4) to comply with legal obligations or requests from competent authorities.

5.5. Service improvement: 1) to carry out technical, statistical or functional analyses; 2) to develop new features; and 3) to improve the performance, usability and security of the Service.

Where possible, these analyses will be carried out in an aggregated, minimised or anonymised form.

  1. Legal basis for processing. Zennio will process personal data on the basis of one or more of the following legal bases, depending on the nature of the functionality used and the existing relationship:

 

6.1. Performance of the contract. Where processing is necessary to: 1) create and manage the user’s account; 2) provide the Service; 3) enable authorised remote access; 4) manage licences, roles and permissions; or 5) respond to support requests relating to the Service.

6.2. Legitimate interest. Where processing is necessary for the legitimate interests of Zennio or third parties, in particular to: 1) ensure the security of the Service; 2) maintain traceability and access control; 3) investigate incidents; 4) prevent misuse; 5) technically improve the Service; and 6) defend against claims.  Zennio shall, where appropriate, carry out the necessary balancing of these interests against the rights and freedoms of data subjects.

6.3. Compliance with legal obligations. Where processing is necessary to comply with legal, regulatory, tax, accounting, security or cooperation obligations with authorities.

6.4. Consent. Where a specific function or processing operation requires consent in accordance with applicable regulations, Zennio will seek such consent specifically.

  1. Privacy roles and context of processing. Depending on the context of the Service, Zennio may act as: 1) the data controller, in respect of the data necessary for the management of accounts, licences, security, support, the Service’s own logs and other specific purposes described in this Policy; or 2) a data processor or technology provider on behalf of a client or third party, where the Service is used in environments in which the client determines the purposes and means of processing certain data relating to the installation or its end users. Where the Service is used by hotels, businesses, integrators, facility managers or other professional clients, the specific role of the parties may depend on the actual design of the service and the applicable contractual documentation.
  2. Admin and guest users. Where the Service enables an admin role, Zennio may process the necessary data to: 1) assign, verify, modify or revoke said role; 2) manage invitations, registrations and de-registrations of guest users; 3) record critical actions carried out under the admin role; and 4) where applicable, manage exceptional revocation or transfer procedures, subject to verification of the legitimate data subject. When guest users access the Service under the admin’s authorisation, account, pairing or permissions framework, Zennio may process the information necessary to: 1) manage such access; 2) document the corresponding internal traceability; and 3) where technically feasible, identify the guest user in logs using an internal identifier, alias or other reasonable identifier, without prejudice to the fact that, where this is not technically possible, certain actions may be recorded under the admin’s account, pairing or authorisation framework.
  3. Technical debugging traces. The Service may generate technical debugging traces for the purposes of stability, maintenance, error analysis and security. These traces will be predominantly technical in nature, although they may occasionally contain user information where this is incidental to the operation or diagnosis of the Service. Such traces will not be used for purposes other than those strictly technical, security-related or for legitimate legal defence.
  4. Recipients of the data. Zennio will not disclose personal data to third parties except: 1) where necessary for the provision of the Service; 2) where processors or data processors acting on behalf of Zennio are involved; 3) where there is a legal obligation; 4) where necessary to comply with requests from competent authorities; or 5) where necessary in the context of corporate transactions, audits or restructuring, with appropriate safeguards. Suppliers accessing data on behalf of Zennio shall do so under the relevant data processing agreement and solely in accordance with Zennio’s instructions.
  1. International transfers. Where, for the provision of the Service, Zennio uses suppliers located outside the European Economic Area or involving access from third countries, Zennio shall adopt the safeguards required under applicable regulations, including, where applicable: 1) adequacy decisions; 2) standard contractual clauses; 3) or any other valid mechanisms recognised by data protection regulations. Up-to-date information on such transfers may be requested via the contact channels indicated in this Policy.
  2. Retention period. Personal data will be retained for as long as necessary to fulfil the purposes described in this Policy and, subsequently, for the periods required or permitted by applicable regulations. In general:

 

12.1. Account data. This will be retained whilst the Account remains active or for as long as it is necessary for managing the relationship with the user and, once this relationship has ended, for the periods required by law. When the user requests the closure of their account, ordinary account or profile data will be deleted or anonymised when no longer necessary for managing the relationship, without prejudice to data that must be retained in a blocked format in accordance with this Policy and applicable regulations.

12.2. Support and incident data. This data will be retained for the time necessary to respond to the request, manage the incident and record the action taken, and thereafter for the periods necessary to address any potential liabilities.

12.3. Security and activity logs and records. Logs will be retained for an operational period of up to 1 year for support, security, incident investigation and access control purposes. Once this period has elapsed, they may be kept in a blocked state, in an immutable environment, outside the ordinary circuit and with very restricted access, exclusively by IT, for the formulation, exercise or defence of claims, the handling of requests or the fulfilment of legal obligations.

12.4. Technical debugging traces. Technical debugging traces will be retained for a maximum period of 3 months, with restricted access and exclusively for technical, debugging, stability and security purposes. Where the selective deletion of information associated with a specific user is not technically feasible, this circumstance shall not prevent its retention for that limited period, provided it is not used for other purposes.

12.5. Once the applicable limitation periods have expired, the data will be securely deleted or anonymised.

  1. Data blocking. Where the rectification or erasure of personal data is required and there are potential liabilities arising from the processing, Zennio may retain certain data, particularly logs and security records, including those associated with deactivated or deleted accounts, in a blocked state, which entails: 1) their identification and retention; 2) the adoption of technical and organisational measures to prevent their ordinary processing, including their operational viewing; 3) restricted access exclusively for judges and courts, the Public Prosecutor’s Office, competent public authorities, data protection authorities, or for the formulation, exercise or defence of claims; and 4) their subsequent destruction once the relevant limitation period has expired.
  2. Rights of data subjects. Data subjects may exercise, in accordance with the terms set out in the applicable regulations, their rights to: 1) access; 2) rectification; 3) erasure; 4) objection; 5) restriction of processing; 6) data portability; and 7) where processing is based on consent, withdrawal of consent. Furthermore, they may object to processing based on legitimate interest where there are grounds relating to their particular situation, unless there are compelling legitimate grounds or the processing is necessary for the establishment, exercise or defence of legal claims. To exercise their rights, they may contact: dpo@zennio.com. Where the processing of certain data is carried out on behalf of and for the account of a client or third party, Zennio may forward the request to the relevant data controller or coordinate its handling with them. The exercise of the right to erasure shall not entail the immediate deletion of logs, records or traces that must be retained in a blocked form or for the strictly necessary technical period in accordance with this Policy and applicable regulations. 
  1. Complaints. Data subjects may lodge a complaint with the Spanish Data Protection Agency (AEPD) if they consider that the processing of their data does not comply with applicable regulations, without prejudice to the fact that they may first contact Zennio to attempt to resolve the matter directly. 
  1. Security measures. Zennio implements appropriate technical and organisational measures to protect personal data against destruction, loss, alteration, unauthorised disclosure or unauthorised access, taking into account the nature of the data, the risks involved in processing and the state of the art. These measures may include, where appropriate: 1) access control; 2) strong authentication; 3) segregation of environments; 4) traceability of access logs; 5) internal security policies; and 6) incident management procedures.
  1. Amendments to the Policy. Zennio may amend this Privacy Policy where necessary for legal, regulatory, technical or operational reasons, or due to changes to the Service. Where the amendments are significant, Zennio may communicate them by reasonable means, including the Service interface itself, email or any other appropriate means.
  2. Contact. For any queries regarding this Privacy Policy or the processing of personal data, please contact: Zennio Avance y Tecnología, S.L.;info@zennio.com