CANADA - NTI
PRIVACY NOTICE ON PERSONAL DATA PROCESSING
(Version 09/2024)
Data Controllers
Ariston S.p.a. (hereinafter the “Company”), with registered offices in Viale Aristide Merloni, 45, 60044 Fabriano (AN), Italy, in the person of its legal representative,
AND
NTI Boilers Inc. (“hereinafter “NTI”) with registered offices in 30 Stonegate Drive, saint John, NB, Canada, which can be contacted at info@ntiboilers.com in the person of its legal representative,
Provide you with the following information regarding the processing of your personal data in their capacity as independent Data Controllers, for the purposes of the GDPR, to the extent applicable, and otherwise with respect to the collection, use and disclosure of your personal data.
NTI, as it is established in a country located outside the European Union, will process your personal data in accordance with applicable U.S. federal and state law, Canadian provincial and federal privacy law, and the EU Regulation 2016/679 (“GDPR”), as each may be applicable to you. “Personal Data” means data about an identifiable individual.
Data Protection Officer (“DPO”)
The Company has appointed a Data Protection Officer, who can be contacted at the following e-mail address: DPO.AristonGroup@ariston.com.
Categories of personal data
The Company will process your personal data strictly related to the use of the NTI NET App (hereinafter "App") and/or the web App (hereinafter "WebApp") listed below:
the IP address or ID of your device;
the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the computer environment of your device;
information on the interactions carried out by you with the App/WebApp, including commands for the activation of the appliance.
App Required Authorizations
Upon installation of the App, you will be asked for authorization to access to the location (based on GPS and network).
In this moment, some authorizations are also issued to allow the operation of the app in relation to the operating system running on the mobile device.
The details of these authorizations may change depending on system and app updates and are always available, upon download in the section dedicated to the app information in the mobile app store and in the settings area of the device itself.
Further personal data collected from you will be processed, depending on the service provided, by both Data Controllers. Below is an exemplifying and non-exhaustive list of the categories of data that will be processed:
name, surname;
e-mail address, country, telephone number;
gateway serial number and other information related to the product associated with you;
data relating to and/or derived from the operation of the equipment;
characteristics of the inhabited building (size of the house, number of rooms type of heating) and the family unit;
data of your choice transmitted by social platforms in case you make use of the social log-in function.
In particular, some of your personal data processed by both Data Controllers will be collected through the App and/or the web App:
the model and brand of the appliance managed through the App/web App, as well as how the system is managed;
data relative to the physical quantities (for example, temperature) measured by the sensors of the appliance;
consumption data;
data related to the status and parameter settings of the functions performed by the appliance;
e-mail addresses or telephone numbers used to send notifications following events;
geolocation of the device on which the application is installed in case such function is enabled which is further subject to Google Privacy Policy at https://www.google.com/policies/privacy/;
location of the appliance communicated by the Internet connection device in the initial configuration.
Both Data Controllers, in execution of the contract stipulated with the user, will also collect information relating to the installed appliance (including, by way of example, advanced technical details, heating settings and functioning, etc).
Purposes and legal basis of the Data Processing
The Company will process your personal data according to the principles of necessity, fairness, lawfulness and transparency dictated by GDPR, in order to create an account on the App/WebApps.
In relation, in particular, to the specific authorisations required when installing the App, the following processing purposes are specified:
Position
Access to this data is necessary in order to provide the service;
Storage space
This access is necessary for the sole purpose of installing the App on the mobile device;
Other
Access to the described functionalities is only necessary for the proper technical functioning of the App.
These purposes find their legal basis in the execution of the contract to which you are a party.
The purposes listed below are, instead, pursued by both Data Controllers:
Provision of remote control and/or remote diagnosis services and any service whose activation is requested directly by the data subject within the App/WebApp;
If necessary, in order to ascertain, exercise or defend the rights of the Data Controller in judicial and/or extra-judicial proceedings.
The purposes listed in point 1) find their legal basis in the execution of the contract to which you are a party.
Instead, the processing activities described in point 2) are conducted in accordance with a legitimate interest of the Data Controller: in particular, the interest to improve its service and to protect its rights in judicial and/or extrajudicial proceedings.
Direct marketing: sending of promotional and commercial communications relating to the Company's services/products/events (with automated contact methods such as e-mail or sms and with traditional contact methods such as telephone calls with operator and traditional mail), and/or carrying out market surveys, customer satisfaction activities and statistical analysis;
Profiling: Analysis of your preferences, habits, interests, in order to send you personalized commercial offers that suit your needs (by means of tracking tools, e.g. 'pixels').
The processing of your personal data for the abovementioned purposes, listed in points 3) and 4) will be carried out only upon your specific and unambiguous consent, expressed for each purpose.
Data retention
The Company and/or NTI, in relation to the purposes of creation of an account, will process your personal data until your unsubscription request. In any event, the Company and NTI will only retain your personal data for as long as is necessary to fulfil the purpose for which it was collected, or if required by law.
With regard to the processing activities related to the provision of remote control and/or remote diagnosis services, both the Data Controllers will process your personal data (related to equipment operation and personal data derivable on the basis of the equipment operation) until the end of the contract and, thereafter, for two years.
The data processing related to the purposes of direct marketing and profiling activities will be carried out until your withdrawal of consent.
The data related to the direct marketing activities will be retained for 24 months; the data related to the profiling activities, instead, will be retained for 14 months.
These retention periods shall begin to run from the time the personal data are collected.
If the Data Controllers exercise or defend their rights in judicial and/or extra-judicial proceedings, your data will be processed for the entire duration of the dispute, until the terms of the appeal have been exhausted.
Once the abovementioned retention terms have expired, the Data will be destroyed, deleted, or made anonymous, compatibly with the technical procedures for deletion and backup and for the accountability needs of the Data Controllers.
In particular, following your possible withdrawal of consent, the Data Controllers will continue to process your Data in order to be able to have evidence that you will no longer want to receive marketing information and promotional material.
Provision of Data
In order to create an account through the App/WebApp, the provision of your personal data is optional, however within the online registration form you will find fields marked with an asterisk: without this information it will not be possible for the Company to create such account and, therefore, to allow you to access the remote control and/or remote diagnosis services.
In relation to the fields not marked with an asterisk, your refusal to provide the data will in no way affect the creation of the account and the access to the service requested.
Regarding direct marketing and profiling activities, the provision of your data is optional: the Data Controllers will process your personal data only upon your express and unambiguous consent.
You may withdraw the consent given at any time: such withdrawal shall not affect the lawfulness of the processing based on consent before such withdrawal.
Data communication
Your Personal Data may be communicated to external parties operating as independent data controllers, for example: authorities and supervisory bodies and, in general, public or private parties entitled to request and/or access to such Data (e.g. banks, insurance companies).
In addition, your Personal Data may be communicated, subject to your express authorisation, which may also be contextual to the subscription to a further service, to third parties who may provide the aforementioned service also through their own instruments.
These third parties would be considered as independent data controller of your personal data.
If the appliance for which you are activating the remote control and remote diagnosis service has not been directly purchased by you, but is already present in the house because it has been installed by the owner, your personal data may be communicated to this very owner also by means of special digital interfaces (API).
This owner is considered to be an independent data controller and will therefore provide you with his own privacy notice regarding the processing of your personal data, which he will carry out for his own purposes.
Your Data may also be processed by external parties designated as Data Processors (pursuant to art. 28 of the GDPR, if and as applicable), who carry out specific processing activities on behalf of the Data Controller, such as, by way of example:
Technical assistance centres
Database providers;
Call-centre services providers;
Consultancy firms operating at national level;
Companies that provide management and/or maintenance services for the Company's mobile and desktop applications;
Parties that provide services for the management of the information system and telecommunications networks, including e-mail;
Marketing and market research companies;
Public relation companies.
Your personal data will not be disseminated.
Transfer of personal data to countries outside the European Union
Your Data might be processed, on behalf of the Company or NTI, by Data Processors that are based also in non-EU countries, whose level of data protection has been considered adequate by the European Commission pursuant to art. 45 of the GDPR (if and as applicable).
The transfer of your personal data may also be carried out following the signing of Standard Contractual Clauses as provided for by art. 46(2)(c) of the GDPR, if and as applicable.
A copy of the guarantees may be requested by contacting the Data Controller at the e-mail address info.connectivity@ariston.com
Personnel authorized to process personal data
The data may be processed by employees and/or collaborators of the Company, NTI and/or the Data Processors appointed by the latter to pursue the above mentioned purposes, who have been expressly authorised to the processing and have received adequate operating instructions.
Processing Methods
The Processing activities may include, besides data collection, also data registration, storage, amendment, communication, cancellation, circulation, etc. and will be carried out both through hardcopies and through digital, informatic and telematic tools, and with suitable tools in order to guarantee the security and confidentiality of the data.
Within the limits of the abovementioned specific purposes, data processing is carried out through manual, digital and telematic tools.
The Data Controllers adopt organization and technical procedures in accordance with personal data security and confidentiality obligations under applicable data protection and privacy laws.
Rights of the data subjects
Contacting the Privacy Office by ordinary mail sent to the address Viale Aristide Merloni, 45, 60044 Fabriano (AN), Italy or by e-mail at info.connectivity@ntiboilers.com, you can ask the Company, as Data Controller, for access to your data, their rectification, their cancellation, the limitation of the processing in the cases provided for by art. 18 GDPR, as well as the opposition to the processing, for reasons related to their particular situation, in the hypothesis of legitimate interest of the Company.
Furthermore, the data subjects, in the event that the processing is based on consent or contract and is carried out by automated means, have the right to receive the data in a structured, commonly used and machine-readable format and, if technically feasible, to transmit them to another data controller without hindrance.
Data subjects have the right to withdraw at any time the consent given for marketing and/or profiling purposes. This is without prejudice to the possibility for the data subject who prefers to be contacted exclusively through traditional methods, to oppose the processing for marketing purposes only in relation to the receipt of communications through automated means.
Data subjects shall have the right to lodge a complaint with the competent supervisory authority in the Member State where they habitually reside or work or in the State where the alleged breach has occurred.
Data subjects may also modify the consent given through the "user profile" section available within the App/WebApps.
Please note that the user can delete his/her user account autonomously via the App or WebApp, in the 'user profile' section:
- If the user has any associated products the deletion of the user account will be completed after 30 days;
- If the user has no associated products, the deletion will be completed after 1 day;
For further information regarding the details of the service, please refer to the Terms&Conditions. Inquiries for NTI can be directed to info@ntiboilers.com.
USA - NTI
PRIVACY NOTICE ON PERSONAL DATA PROCESSING PURSUANT TO ARTICLES 13 AND 14 OF THE EU REGULATION 2016/679 (“GDPR”) AND/OR APPLICABLE STATE AND FEDERAL LAW
(Version 06/2022)
Data Controllers
Ariston S.p.a. (hereinafter the “Company”), with registered offices in Viale Aristide Merloni, 45, 60044 Fabriano (AN), Italy, in the person of its legal representative,
AND
NTI Boilers Inc (hereinafter “NTI”) with registered offices in 30 Stonegate Drive, Saint John, NB, Canada, E2H 0A4, which can be contacted at info.connectivity@ntiboilers.com in the person of its legal representative,
They provide you with the following information regarding the processing of your personal data in their capacity as independent Data Controllers.
NTI, as it is established in a country located outside the European Union, will process your personal data in accordance with the provisions of the regulations in force at national level.
Data Protection Officer (“DPO”)
The Company has appointed a Data Protection Officer, who can be contacted at the following e-mail address: DPO.AristonGroup@ariston.com
Categories of personal data
The Company will process your personal data strictly related to the use of the NTI NET App, (hereinafter "App") and/or the web App (hereinafter "WebApp") listed below:
the IP address or ID of your device;
the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the computer environment of your device;
information on the interactions carried out by you with the App/webApp, including commands for the activation of the appliance.
App Required Authorizations
Upon installation of the App, you will be asked for authorization to access to the location (based on GPS and network).
In this moment, some authorizations are also issued to allow the operation of the app in relation to the operating system running on the mobile device.
The details of these authorizations may change depending on system and app updates and are always available, upon download in the section dedicated to the app information in the mobile app store and in the settings area of the device itself.
Further personal data referred to you will be processed, depending on the service provided, by both Data Controllers. Below is an exemplifying and non-exhaustive list of the categories of data that will be processed:
name, surname;
e-mail address, country, telephone number;
gateway serial number and other information related to the product associated with you;
data relating to and/or derived from the operation of the equipment;
characteristics of the inhabited building (size of the house, number of rooms type of heating) and the family unit;
data of your choice transmitted by social platforms in case you make use of the social log-in function.
In particular, some of your personal data processed by both Data Controllers will be provided through Apps and/or web Apps:
the model and brand of the appliance managed through the App/web App, as well as how the system is managed;
data relative to the physical quantities (for example, temperature) measured by the sensors of the appliance;
consumption data;
data related to the status and parameter settings of the functions performed by the appliance;
e-mail addresses or telephone numbers used to send notifications following events;
geolocation of the device on which the application is installed in case such function is enabled which is further subject to Google Privacy Policy at https://www.google.com/policies/privacy/;
location of the appliance communicated by the Internet connection device in the initial configuration.
Both Data Controllers, in execution of the contract stipulated with the user, will also collect information relating to the installed appliance (including, by way of example, advanced technical details, heating settings and functioning, etc).
Purposes and legal basis of the Data Processing
The Company will process your personal data according to the principles of necessity, fairness, lawfulness and transparency dictated by GDPR and/or applicable State and Federal law, in order to create an account on the App/WebApp.
In relation, in particular, to the specific authorisations required when installing the App, the following processing purposes are specified:
Position
Access to this data is necessary in order to provide the service;
Storage space
This access is necessary for the sole purpose of installing the App on the mobile device;
Other
Access to the described functionalities is only necessary for the proper technical functioning of the App.
These purposes find their legal basis in the execution of the contract to which you are a party.
The purposes listed below are, instead, pursued by both Data Controllers:
Provision of remote control and/or remote diagnosis services and any service whose activation is requested directly by the data subject within the App/WebApp;
If necessary, in order to ascertain, exercise or defend the rights of the Data Controller in judicial and/or extra-judicial proceedings.
The purposes listed in point 1) find their legal basis in the execution of the contract to which you are a party.
Instead, the processing activities described in point 2) are conducted in accordance with a legitimate interest of the Data Controller: in particular, the interest to improve its service and to protect its rights in judicial and/or extrajudicial proceedings.
Direct marketing: sending of promotional and commercial communications relating to the Company's services/products/events (with automated contact methods such as e-mail or sms and with traditional contact methods such as telephone calls with operator and traditional mail), and/or carrying out market surveys, customer satisfaction activities and statistical analysis;
Profiling: Analysis of your preferences, habits, interests, in order to send you personalized commercial offers that suit your needs (by means of tracking tools, e.g. 'pixels').
The processing of your personal data for the abovementioned purposes, listed in points 3) and 4) will be carried out only upon your specific and unambiguous consent, expressed for each purpose.
Data retention
The Company, in relation to the purposes of creation of an account, will process your personal data until your unsubscription request.
With regard to the processing activities related to the provision of remote control and/or remote diagnosis services, both the Data Controllers will process your personal data (related to equipment operation and personal data derivable on the basis of the equipment operation) until the end of the contract and, thereafter, for two years.
The data processing related to the purposes of direct marketing and profiling activities will be carried out until your withdrawal of consent.
The data related to the direct marketing activities will be retained for 24 months; the data related to the profiling activities, instead, will be retained for 14 months.
These retention periods shall begin to run from the time the personal data are collected.
If the Data Controllers exercise or defend their rights in judicial and/or extra-judicial proceedings, your data will be processed for the entire duration of the dispute, until the terms of the appeal have been exhausted.
Once the abovementioned retention terms have expired, the Data will be destroyed, deleted, or made anonymous, compatibly with the technical procedures for deletion and backup and for the accountability needs of the Data Controllers.
In particular, following your possible withdrawal of consent, the Data Controllers will continue to process your Data in order to be able to have evidence that you will no longer want to receive marketing information and promotional material.
Provision of Data
In order to create an account on the Platform, the provision of your personal data is optional, however within the online registration form you will find fields marked with an asterisk: without this information it will not be possible for the Company to create such account and, therefore, to allow you to access the remote control and/or remote diagnosis services.
In relation to the fields not marked with an asterisk, your refusal to provide the data will in no way affect the creation of the account and the access to the service requested.
Regarding direct marketing and profiling activities, the provision of your data is entirely optional: the Data Controllers will process your personal data only upon your express and unambiguous consent.
You may withdraw the consent given at any time: such withdrawal shall not affect the lawfulness of the processing based on consent before such withdrawal.
Data communication
Your Personal Data may be communicated to external parties operating as independent data controllers, for example: authorities and supervisory bodies and, in general, public or private parties entitled to request and/or access to such Data (e.g. banks, insurance companies).
In addition, your Personal Data may be communicated, subject to your express authorisation, which may also be contextual to the subscription to a further service, to third parties who may provide the aforementioned service also through their own instruments.
These third parties would be considered as independent data controller of your personal data.
If the appliance for which you are activating the remote control and remote diagnosis service has not been directly purchased by you, but is already present in the house because it has been installed by the owner, your personal data may be communicated to this very owner also by means of special digital interfaces (API).
This owner is considered to be an independent data controller and will therefore provide you with his own privacy notice regarding the processing of your personal data, which he will carry out for his own purposes.
Your Data may also be processed by external parties designated as Data Processors (pursuant to art. 28 of the GDPR and/or applicable State and Federal law), who carry out specific processing activities on behalf of the Data Controller, such as, by way of example:
Technical assistance centres
Database providers;
Call-centre services providers;
Consultancy firms operating at national level;
Companies that provide management and/or maintenance services for the Company's mobile and desktop applications;
Parties that provide services for the management of the information system and telecommunications networks, including e-mail;
Marketing and market research companies;
Public relation companies.
Your personal data will not be disseminated.
Transfer of personal data to countries outside the European Union
Your Data might be processed, on behalf of the Company, by Data Processors that are based also in non-EU countries, whose level of data protection has been considered adequate by the European Commission pursuant to art. 45 of the GDPR and/or applicable State and Federal law.
The transfer of your personal data may also be carried out following the signing of Standard Contractual Clauses as provided for by art. 46(2)(c) of the GDPR and/or applicable State and Federal law.
A copy of the guarantees may be requested by contacting the Data Controller at the e-mail address info.connectivity@ariston.com
Personnel authorized to process personal data
The data may be processed by employees and/or collaborators of the Company and/or the Data Processors appointed by the latter to pursue the above mentioned purposes, who have been expressly authorised to the processing and have received adequate operating instructions.
Processing Methods
The Processing activities may include, besides data collection, also data registration, storage, amendment, communication, cancellation, circulation, etc. and will be carried out both through hardcopies and through digital, informatic and telematic tools, and with suitable tools in order to guarantee the security and confidentiality of the data.
Within the limits of the abovementioned specific purposes, data processing is carried out through manual, digital and telematic tools.
The Data Controllers adopt organization and technical procedures to guarantee personal data security and confidentiality.
Rights of the data subjects
Contacting the Privacy Office by ordinary mail sent to the address Viale Aristide Merloni, 45, 60044 Fabriano (AN), Italy or by e-mail at info.connectivity@ntiboilers.com, you can ask the Company, as Data Controller, for access to your data, their rectification, their cancellation, the limitation of the processing in the cases provided for by art. 18 GDPR and/or applicable State and Federal law, as well as the opposition to the processing, for reasons related to their particular situation, in the hypothesis of legitimate interest of the Company.
Furthermore, the data subjects, in the event that the processing is based on consent or contract and is carried out by automated means, have the right to receive the data in a structured, commonly used and machine-readable format and, if technically feasible, to transmit them to another data controller without hindrance.
Data subjects have the right to withdraw at any time the consent given for marketing and/or profiling purposes. This is without prejudice to the possibility for the data subject who prefers to be contacted exclusively through traditional methods, to oppose the processing for marketing purposes only in relation to the receipt of communications through automated means.
Data subjects shall have the right to lodge a complaint with the competent supervisory authority in the Member State where they habitually reside or work or in the State where the alleged breach has occurred.
Data subjects may also modify the consent given through the "user profile" section available within the App/WebApp.
Please note that the user can delete his/her user account autonomously via the App or WebApp, in the 'user profile' section:
- If the user has any associated products the deletion of the user account will be completed after 30 days;
- If the user has no associated products, the deletion will be completed after 1 day;
For further information regarding the details of the service, please refer to the Terms&Conditions.