Privacy Policy
This Privacy Policy explains how Allbee processes personal data when users access the Allbee Cloud dashboard. It should be read together with the User Terms. Separate data-processing terms may apply between Allbee and the organisation that uses the Service.
This Privacy Policy explains how Allbee (the "Provider", "we", "us") collects, uses, and protects personal data when you use the Allbee Cloud web application and related services (the "Service"). The Service may include dashboard access, energy reporting, occupancy reporting, alerts, issue tracking, remote access to authorised on-premise gateways, and cloud synchronisation.
We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.
1. Who is responsible
For personal data relating to your Allbee Cloud account, authentication, security, support, and use of the dashboard, Allbee is the controller.
For operational data submitted by connected gateways and devices on behalf of an organisation, the organisation is normally the controller and Allbee acts as a processor. This may include energy data, occupancy data, sensor readings, device status, alerts, issue data, control events, and gateway information. The organisation is responsible for deciding why and how that operational data is processed, who may access it, and how users and building occupants are informed where required.
Contact: support@allbee.eu.
2. Personal data we collect
| Category | Examples |
|---|---|
| Account data | Name, email address, role, organisation, assigned buildings, gateway access, and user permissions. |
| Single sign-on data | When you sign in via Microsoft or Google: the provider's stable subject identifier, verified email address, name, and tenant ID, workspace domain, or similar organisation identifier. We do not receive your provider password. |
| Authentication and session data | Login timestamps, session identifiers, authentication method, token metadata, failed sign-in attempts, and security-related events. |
| Usage and technical data | Actions performed in the dashboard, pages or features used, IP address, browser and device information, timestamps, server logs, and diagnostic data. |
| Operational gateway and device data | Energy measurements, occupancy events, sensor readings, lighting-control events, device status, gateway status, alerts, issues, configuration data, synchronisation status, and related technical data. |
| Support and communication data | Messages you send to us, support requests, troubleshooting information, and related correspondence. |
3. How we use personal data and the legal basis
We use personal data for the purposes below. Under GDPR, we must also identify a lawful basis for each purpose.
- Providing the Service. We use account, authentication, and permission data to let you sign in, maintain your session, apply your access rights, and show the dashboards, reports, alerts, issues, and gateway information available to you. We do this because it is necessary to provide the Service to you or your organisation.
- Operating reports and dashboards. We process operational gateway and device data to generate energy reports, occupancy reports, alerts, issue lists, analytics, exports, and status views. Where we process this data for an organisation, we do so on that organisation's request.
- Security. We use login, session, technical, and log data to protect the Service, detect unauthorised access, investigate suspicious activity, apply rate limits, and maintain audit logs. We do this because we have a legitimate interest in keeping the Service secure.
- Support and troubleshooting. We use support messages, diagnostic data, logs, and gateway or dashboard information to respond to support requests and resolve problems. We do this because it is necessary to support the Service and because we have a legitimate interest in maintaining reliability.
- Legal compliance. We may retain or disclose information where required by law, court order, regulator, or other legal obligation.
4. Single sign-on
If you sign in with a third-party identity provider such as Microsoft or Google, that provider shares a limited profile with us so we can verify who you are and link the sign-in to your existing invited Allbee account. This may include your subject identifier, email address, name, tenant ID, workspace domain, or similar account information.
We use this information only to authenticate you, link your provider identity to your Allbee account, apply your permissions, and protect the Service. We do not receive your Microsoft or Google password.
Your use of the identity provider is also governed by that provider's own terms and privacy policy. For Microsoft accounts, and for any unverified email address, we may first send a verification link to confirm that you control the mailbox before linking the identity to your Allbee account.
5. Operational building, gateway, and device data
Connected gateways and devices may send operational data to the Service. This data may be used to provide energy reporting, occupancy reporting, alerts, issue tracking, device diagnostics, gateway status, remote support, and cloud synchronisation.
Operational data may relate to buildings, rooms, zones, devices, gateways, sensors, lighting behaviour, occupancy events, energy usage, and system status. Depending on the configuration, such data may indirectly relate to individuals, for example when occupancy data is linked to a specific room, time, or workplace.
Where we process this data on behalf of an organisation, the organisation is responsible for ensuring that the processing is lawful, that appropriate notices are provided where required, and that access permissions are correctly assigned.
6. Sharing and sub-processors
We do not sell personal data. We share personal data only where needed to provide, secure, support, or legally operate the Service.
This may include sharing data with:
- identity providers you or your organisation choose to use for sign-in;
- hosting, infrastructure, database, storage, monitoring, and email providers;
- support or technical service providers acting on our behalf;
- your organisation's administrators or authorised users, according to assigned permissions;
- authorities, courts, regulators, or other parties where legally required.
Where we use sub-processors to process personal data on behalf of an organisation, we use appropriate data-processing terms and security measures.
7. International transfers
We aim to use infrastructure and service providers that process data within the European Economic Area where practical. If personal data is transferred outside the European Economic Area, we use appropriate safeguards where required, such as standard contractual clauses or other lawful transfer mechanisms.
8. Retention
We keep personal data only for as long as needed for the purposes described in this Policy, unless a longer retention period is required by law or by a separate agreement with the relevant organisation.
- Account and SSO-link data is kept for as long as your account is active and for a reasonable period after removal where needed for security, audit, or legal purposes.
- Authentication, security, and server logs are kept for a limited period, unless longer retention is needed to investigate security incidents or comply with law.
- Operational gateway and device data is retained according to the organisation's configuration, subscription, agreement, or data-processing terms.
- Support messages are kept for as long as needed to handle the request and maintain service history.
9. Your rights
Subject to applicable law, you may have the right to access, rectify, erase, restrict, or object to the processing of your personal data, and the right to data portability.
For account, authentication, and dashboard-use data controlled by Allbee, you can contact us at support@allbee.eu.
For operational building, gateway, energy, occupancy, alert, or device data processed on behalf of an organisation, we may need to refer your request to that organisation or handle it according to that organisation's instructions.
You may also lodge a complaint with a supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens.
10. Cookies and sessions
The Service uses strictly necessary cookies and similar technologies to maintain your signed-in session, secure authentication, remember security state, and operate the dashboard. These cookies are required for the Service to function and are not used for advertising.
If optional analytics or non-essential cookies are introduced in the future, we will provide additional information and obtain consent where required.
11. Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit, hashed passwords, scoped access permissions, authentication controls, rate limiting, logging, backups, and access restrictions.
No system is perfectly secure. You are responsible for keeping your login credentials secure and for notifying your administrator or Allbee if you suspect unauthorised access or misuse.
12. Changes to this Policy
We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify the organisation or affected users, for example by email, in-app notice, or through an administrator. The updated "Last updated" date on this page shows when the Policy was last changed.
13. Contact
Questions about this Privacy Policy or your personal data can be sent to support@allbee.eu.