Privacy Policy for Geberit Mobile Apps and IoT Services
Changes from the previous version of this document are listed at the end of the document.
1 Scope
This Privacy Policy applies to the use of the Geberit mobile apps (“Mobile App(s)”) and Internet of Things services (“IoT Services”), and the services they provide. Use of Mobile Apps and IoT Services requires us to process your personal data when you access certain services. By personal data, we mean any information relating to an identified or identifiable natural person.
2 Controller and Data Protection Officer
2.1 The operator of Mobile Apps and IoT Services and the controller responsible for processing your personal data is Geberit International AG, Schachenstrasse 77, 8645 Rapperswil-Jona, Switzerland (“Geberit”).
2.2 Our data protection officer can be reached by email at dataprotection@geberit.com or at the postal address above for the attention of “The data protection officer”. To contact our data protection officer in confidence, please use DPO@geberit.com.
3 Legal basis for processing your data
3.1 In each section, you will be informed of the legal basis for processing your data. The applicable data protection law depends on the country in which you use Mobile Apps and IoT Services. For the European Union and the European Economic Area, the General Data Protection Regulation (“GDPR”) applies. The General Data Protection Regulation UK (“GDPR UK”) applies to the United Kingdom, and the Swiss Data Protection Act (“DSG”) applies to Switzerland.
3.2 In cases where we rely on your consent, the legal basis is Article 6(1)(a) of the GDPR or GDPR UK, or Articles 30 and 31(1) of the DSG. If the data processing is based on a contract between you and us or involves pre-contractual services, the legal basis is Article 6(1)(b) of the GDPR or GDPR UK or Articles 30 and 31(1)(2)(a) of the DSG. In the case of our overriding legitimate interest in data processing, the legal basis is Article 6(1)(f) of the GDPR or GDPR UK or Articles 30 and 31(1)(2) of the DSG. We will inform you of our overriding legitimate interest separately for each section. If you require further information in this regard, please contact us using the contact details provided in Section 2. You have the right to object to the processing of your personal data at any time, for reasons related to your particular situation.
4 Information about the processing of your data
This section provides further information about what personal data we collect from you and how we process it.
4.1 Download of Mobile Apps
When downloading Mobile Apps, certain information is passed on to your chosen online store for mobile applications (so-called apps). As this data is processed exclusively through the respective online store, the handling of this data is beyond our control. For more information, please refer to the terms of use and privacy policy of the respective online store provider.
4.2 Use of Mobile Apps and IoT Services
4.2.1 When you open Mobile Apps for the first time, we ask you to specify the country in which you intend to use them so that we can offer you services in the appropriate language and with the intended functionality. The legal basis for this is our contractual relationship with you pursuant to the “Terms of Use for Geberit Mobile Apps and IoT Services” and Article 6(1)(b) of the GDPR.
4.2.2 When using Mobile Apps and IoT Services, the backend servers used to provide, for example, user manuals of Geberit products or remote support connectivity, automatically and temporarily collect information transmitted by your mobile end device in server log files. This data is as follows:
- IP address of the mobile end device sending the request
- Request path and arguments
- Request time
- Operating system of the mobile end device sending the request
The data in these server log files is not analysed in a way that allows conclusions to be drawn about specific individuals. In cases where the information listed above contains personal data (in particular the IP address), the legal basis for the collection of this data is our legitimate interest in the proper functioning of our Mobile Apps and IoT Services. Logging and analysing the data also helps us to ensure the security of our IT systems. Your personal data will not be processed further. As soon as your personal data is no longer required for the purpose for which it was processed, it will be deleted within 30 days at the latest. If the data is stored for other, similar reasons, your personal data will be anonymised so that it cannot be connected or traced back to you.
4.2.3 If the Geberit ID is used for user authentication in the mobile apps, the following information is stored locally on your mobile device: Unique identifier (“UID”) of the Geberit ID, your name, your email address, your telephone number and your country. This information is required to authenticate the user. The processing takes place on the basis of the contract that you concluded with us when the Geberit ID was created.
4.2.4 When using Mobile Apps, you have the option to voluntarily submit personal data, e.g. by registering your Geberit product, contacting us via email or contact form. This data is used by us to provide our services and handle your requests. This data will be solely collected by the responsible Geberit sales company. The data collection is subject to a separate privacy policy that is accessible on the corresponding Geberit website.
4.2.5 Service technicians commissioned by Geberit companies or representatives of Geberit companies’ customer service can retrieve technical data from your Geberit product via Mobile Apps and IoT Services in the course of service work and transmit the data to Geberit. This technical data comprises device data, statistical and diagnostic data such as model, article number, serial number (only in case of IoT Services), manufacturing date, installation date, firmware version, device settings, profile settings, meter readings from the device components, error codes, and event logs (e.g., errors, descaling events, flush events). This can be done on site by a service technician via Mobile Apps or, if initiated by you, remotely by a customer service representative via IoT Services. We need this data to provide you with our services on the basis of our contractual relationship and to improve our range of products and services as well as their functions and performance features through anonymised data analyses based on our legitimate interests. In the case of IoT services, the data is either deleted or completely anonymised as soon as it is no longer required for the purpose for which it was processed, usually after two years.
4.2.6 When using IoT Services, personal data associated with you or your Geberit ID is also collected for the purpose of the efficient handling of a service request and subsequent provision of service and support of compatible Geberit Connect and Geberit AquaClean products (e.g., remote configuration, maintenance, troubleshooting and fault clearance). This data will be solely collected by the responsible Geberit sales company.
4.2.7 If you configure the Geberit Gateway via Mobile Apps and the Geberit Gateway is permanently connected to the internet (e.g. via Ethernet or WLAN), you have the option of activating and using Geberit Cloud Services. This involves the regular transmission of the technical data listed in Section 4.2.5 to Geberit for the purpose of improving our range of products and services, as well as their functions and performance features, through anonymised data analyses. Activation of Geberit Cloud Services is voluntary and must be initiated by you via Mobile Apps (opt-in). The legal basis for this is your consent. You can revoke your consent at any time with effect for the future by deactivating Geberit Cloud Services in Mobile Apps. The data is then either deleted or completely anonymised as soon as it is no longer required for the purpose for which it was processed, usually after two years.
4.2.8 If Geberit Cloud Services are activated according to 4.2.7, you also have the option of activating notifications to be notified of important events related to the Geberit Gateway. For this purpose, your Geberit ID is linked to the serial number of the Geberit Gateway so that email notifications can be sent to the email address stored under the corresponding Geberit ID. The notifications are optional and must be activated by you via Mobile Apps (opt-in). The legal basis for this is your consent. You can revoke your consent at any time with effect for the future by deactivating notifications in Mobile Apps. The link will then be removed again and you will no longer receive notifications.
4.2.9 When you connect a Geberit product to Mobile Apps, we may ask you for permission to use device data from your Geberit product (opt-in). This device data is the technical data listed in Section 4.2.5 in completely anonymised form. The purpose of collecting this data is to improve our range of products and services, as well as their functions and performance features, through data analyses. The legal basis for this is your consent. The consent applies separately for each device and, in the case of the Geberit Gateway, also for the Geberit products connected to the gateway. You can revoke your consent at any time with effect for the future by deactivating the ‘Send device data’ setting in Mobile Apps. The collected data will be deleted as soon as it is no longer required for the purpose for which it was processed.
4.3 Analytic data
4.3.1 When using Mobile Apps, your chosen online store for apps and/or operating system provider may collect usage and diagnostics data, such as frequency of Mobile Apps usage and information on Mobile Apps crashes, and provide it to us in aggregated and anonymised form. The collection of such data is governed by the terms of use and privacy policy of the online store and/or operating system provider and is thus beyond our control. The legal basis for viewing and evaluating this data on our side is a legitimate interest in the analysis, optimisation and economic operation of Mobile Apps.
4.3.2 When using Mobile Apps, we may ask you for permission to collect app usage data (opt-in). This includes information such as the type of your mobile device, the version and language of your operating system, the screen resolution, the time of access, and various usage data, such as data on the use of specific features of Mobile Apps and the type and condition of the connected Geberit products. We do not collect any personal data; instead, we only gather anonymised information that cannot be traced back to the user. We use this data to improve the functions and performance features of Mobile Apps and our products, as well as to resolve any malfunctions. The legal basis for processing this data is your consent. You can revoke your consent at any time with effect for the future by deactivating the ‘Send app usage data’ setting in Mobile Apps. The collected data will be deleted as soon as it is no longer required for the purpose for which it was processed, usually after two years.
4.4 Mobile Apps also use or link to one or more of the following tools and technologies
4.4.1 movingimage video hosting for functional movies
Functional movies for selected Geberit products are provided in Mobile Apps. These functional movies can assist you in the maintenance and care of your Geberit product. The video files are hosted on servers of a third-party service called movingimage (movingimage EVP GmbH, Tempelhofer Ufer 1, 10961 Berlin, Germany) and from there they are downloaded to your mobile end device when you open the videos in Mobile Apps. During this process, certain information such as your IP address may be stored in the server log files of movingimage, which is beyond our control. More information can be found in the privacy policy of movingimage (please refer to https://www.movingimage.com/gtc/privacy-policy-of-movingimage-evp-gmbh/).
4.4.2 Geberit tools and web calculators in the Geberit Pro Mobile App
The Geberit Pro Mobile App embeds Geberit tools and web calculators such as the SilentPanel Assistant and a tool for the determination of pipe diameters. The usage of these tools is governed by a separate privacy policy. More information can be found in the cookie settings banner that appears automatically when launching one of the tools in the Geberit Pro Mobile App.
5 Sharing your data with third parties
Your personal data will never be shared with third parties without your express prior consent. The only exceptions to this apply in the following cases, which are based on our legitimate interests.
5.1 For prosecution reasons
Where required in order to investigate the unlawful use of our services or for the purposes of prosecution, personal data will be disclosed to the relevant law enforcement authorities and, where applicable, to any third-party claimants. However, such a course of action will only take place if there is concrete evidence of unlawful conduct or misuse. In such cases, your data may also be shared if this is required for the fulfilment of terms and conditions of use or other agreements. If requested, we are also legally obliged to disclose such data to certain public authorities, such as law enforcement bodies, authorities that penalise offences, and financial authorities.
In these cases, data is disclosed based on our legitimate interest in combating misuse, aiding the prosecution of criminal offences, and aiding the establishment, assertion and enforcement of claims.
5.2 Associated companies within the Geberit Group
Personal data is disclosed to the respective local sales companies associated with the Group to ensure that we can provide optimal sales support to Geberit customers in each respective country. In these cases, data is disclosed based on our legitimate interest in ensuring effective customer support.
5.3 Contract data processors
We rely on contractually bound third-party companies and external service providers (referred to as “Processors”) in order to provide our services. In such cases, personal data will be shared with these Processors in order to allow them to provide their services. The Processors have been carefully selected by us. The Processors are permitted to use the data only for the purposes specified by us. Furthermore, they are contractually obligated to handle your data exclusively in accordance with this privacy policy and in line with the applicable data protection laws.
In particular, we use the services of the following Processors:
1. other Geberit companies for the purposes of centralised customer administration and order processing
2. other Geberit companies for the purposes of providing centralised IT services for the other companies in the Group
3. cloud computing providers who process the selected usage and device data from your Geberit product within Europe
4. logistics service providers, for the purpose of sending you products, marketing materials or other items that you have ordered from us
5. payment service providers for the purpose of processing all payments from you to us or vice versa
6. service providers for installation work or after-sales services
7. service providers for the distribution of newsletters or the execution of customer surveys
8. IT service providers for hosting, operation and support for IoT Services
The transfer of data to data processors takes place on the basis of Article 28(1) of the GDPR or GDPR UK or Article 9(1) of the DSG.
Personal data will not be transferred outside the European Economic Area (EEA), Switzerland or the United Kingdom (UK). Data is only transferred from the EEA and UK to Switzerland to Geberit companies or IT service providers.
6 Your rights
As a data subject you are entitled to the rights outlined below. If you would like to exercise any of these rights, please send us a written request using the contact details specified above or send an email to the following address: dataprotection@geberit.com.
6.1 Right to access
You have the right to request information from us about the personal data concerning you that we have processed. You can exercise this right at any time within the scope of Article 15 of the GDPR or GDPR UK or Article 25 of the DSG.
6.2 Right to rectification or erasure
Subject to the requirements of Articles 16 and 17 of the GDPR or GDPR UK or Article 32(1)(2) of the DSG, you have the right to request that we rectify inaccurate data or erase personal data concerning you. The prerequisites notably provide for a right to erasure where the personal data is no longer required for the purposes for which it was collected or otherwise processed. The ability to exercise this right may be limited, particularly in cases where we need your data to fulfil a legal obligation or to process legal claims.
6.3 Right to restriction of processing
You have the right to request that we restrict processing under the conditions specified in Article 18 of the GDPR or GDPR UK or Article 32(2) of the DSG.
6.4 Right to object
According to Article 21 of the GDPR or GDPR UK or Article 32(2) of the DSG, you have the right to object to the processing of your personal data at any time, for reasons related to your particular situation. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, unless the circumstances involve asserting, exercising or defending legal claims, or unless you successfully challenge the processing of your data.
6.5 Right to data portability
In accordance with Article 20 of the GDPR or GDPR UK or Article 21 of the DSG, you have the right to request the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format.
6.6 Right to lodge a complaint with the relevant data protection supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the country of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the applicable data protection regulations.
7 Erasure of your data
If you would like to request the erasure of your data, simply email us at dataprotection@geberit.com. Generally speaking, we erase or anonymise your personal data as soon as it is no longer needed for the purposes for which we collected or used it in accordance with the sections above. If data needs to be retained for legal reasons, it will be blocked. This means that it will no longer be available for further processing. If you require further information regarding our erasure and retention periods, please contact us using the details provided above.
8 Changes of purpose
Your personal data will only be processed for purposes other than those described if a legal provision requires this course of action or if you have given your consent to the changed purpose of the data processing. In cases of further processing for purposes other than those for which we originally collected the data, we will notify you of these other purposes prior to the data being processed further, and will provide you with all other information that relates to this.
9 Automated individual decision-making or profiling
We do not use any automated processing systems for coming to specific decisions – including profiling.
10 Changes to this privacy policy
The current version of this privacy policy is always available in Mobile Apps (typically under the “Information” or “More” menu items).
Version: June 2025
Changes compared with the previous version of this document (April 2024):
- General updates to the wording regarding the legal basis
- Section 4.2.3: Update regarding the UID of the Geberit ID
- Sections 4.2.7 and 4.2.8: Added clarification on Geberit Cloud Services
- Section 4.2.9: New section for collecting device data
- Section 4.3.2: Change to the legal basis for the collection of app usage data