Welcome
Thingsty ("we", "us", "our") respects your privacy and is committed to protecting your Personal Data in compliance with applicable data protection laws.
This Privacy Policy explains how we collect, use, store, and protect your information when you use our Internet of Things (IoT) platform and related services ("Services").
1. Definitions
"Personal Data" means any data from which a natural person can be identified, directly or indirectly."Sensitive Personal Data" means Personal Data relating to financial information, health data, biometric data, genetic data, religious beliefs, or political opinions.
"Data Subject" means the natural person to whom the Personal Data relates.
"Processing" means any operation performed on Personal Data, including collection, storage, use, modification, transfer, or deletion.
"Anonymized Data" means data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person.
2. Data We Collect
We collect different categories of data depending on the deployment type:2.1 Public Deployments
In public deployments (for government utilities and other government service providers), all user-related data is anonymized at collection. We process only operational telemetry data from IoT devices (consumption readings, device status, timestamps) without any linkage to identifiable individuals.
Anonymized data cannot be used to identify any individual and is not considered Personal Data.
Anonymized data cannot be used to identify any individual and is not considered Personal Data.
2.2 Private Commercial Deployments
For private commercial customers, we collect minimal Personal Data necessary for service delivery:
| Category | Data Elements | Purpose | Consent Type |
|---|---|---|---|
| Email address | Authentication, notifications, account recovery | Required for service | |
| Name | Full name | Account identification, communication | User input (opt-in) |
| Contact | Phone number (optional) | SMS alert notifications | User input (opt-in) |
| Address | User address (optional) | Service delivery, billing correspondence | User input (opt-in) |
| Geolocation | IP-based city/country | Security monitoring, regional compliance | Legitimate interest |
| Usage | Feature usage patterns | Service improvement | Anonymized/aggregated |
2.3 Public Deployment Upgrade
Users in public utility deployments may choose to upgrade their service by opting in to provide additional account information (name, email, phone, address). Upon opt-in, their data will be treated under the same privacy protections as private commercial deployments, with full data subject rights and explicit consent requirements.
2.4 Data We Do NOT Collect
We do not collect any Sensitive Personal Data:
- No national identification numbers
- No biometric or genetic data
- No health or medical records
- No data revealing religious beliefs, political opinions, or ethnic origin
- No data concerning children
3. Legal Basis for Processing
We process Personal Data based on the following legal grounds:- Contractual Necessity: Processing required to provide our Services (account management, service delivery)
- Explicit Consent: For optional data collection (phone number, device location) obtained through opt-in mechanisms
- Legitimate Interest: For security monitoring and service improvement, where such interests do not override your fundamental rights
4. Consent Framework
4.1 How We Obtain Consent- Informed: Clear disclosure of data collected, purposes, and recipients at registration
- Freely Given: Optional fields clearly marked; service access not conditional on optional data
- Specific: Separate consent for each processing purpose
- Recorded: Consent recorded with timestamp for audit purposes
4.2 Withdrawal of Consent
You may withdraw consent at any time by:
- Disabling optional features in account settings
- Deleting optional data fields from your profile
- Requesting account termination
- Contacting us at support@thingsty.com
5. Data Storage and Transfer
Our Services utilize cloud infrastructure hosted on Amazon Web Services (AWS) in the United States (Oregon region).
Public Utility Deployments: Since user-related data is anonymized, it cannot identify individuals and poses no privacy risk during storage or transfer.
Private Commercial Deployments: Personal Data is transferred and stored with your explicit consent obtained at registration.
Data Protection Safeguards:
- AWS maintains ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II certifications
- AWS Data Processing Agreement (DPA) with Standard Contractual Clauses in place
- All data encrypted at rest using AES-256 encryption
- All data encrypted in transit using TLS 1.2
- Encryption keys managed through AWS KMS (FIPS 140-2 Level 3 certified HSMs)
- Access restricted to authorized administrators only
6. Your Rights
As a Data Subject, you have the following rights:| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain confirmation of processing and access to your Personal Data | Account dashboard or email request |
| Correction | Rectify inaccurate or incomplete Personal Data | Self-service profile editing |
| Erasure | Request deletion of your Personal Data | Account deletion request |
| Data Portability | Receive your data in a structured, machine-readable format | Email request |
| Restriction | Restrict processing in certain circumstances | Email request |
| Objection | Object to processing based on legitimate interest | Email request |
To exercise your rights, contact: support@thingsty.com
We will respond within 30 days of receiving your request.
7. Data Security
We implement robust technical and organizational measures to protect your Personal Data:Encryption:
- At Rest: AES-256 encryption for all stored data
- In Transit: TLS 1.2 encryption for all data transfers
- Key Management: Key management system with FIPS 140-2 Level 3 certified hardware security modules (HSMs)
Access Control:
- Role-based access control (RBAC)
- Principle of least privilege
- Secure password hashing
Infrastructure Security:
- Network ACLs
- DDoS protection
- CDN with edge security
- Access logging and security event monitoring
Certifications:
- ISO 27001 (Information Security Management)
- ISO 27017 (Cloud Security)
- ISO 27018 (Cloud Privacy)
- SOC 2 Type II (Security, Availability, Confidentiality)
8. Data Retention
We retain Personal Data only as long as necessary for the purposes for which it was collected:- Account Data: Duration of account + 30 days after termination
- IP/Access Logs: 90 days (auto-deleted)
- Usage Analytics: Anonymized and aggregated; no retention of identifiable data
- IoT Telemetry: Per customer retention policy (configurable)
9. Data Breach Notification
In the event of a Personal Data breach that poses risk to your rights and freedoms:- We will notify the relevant authority within 72 hours of becoming aware
- We will notify affected Data Subjects without undue delay where the breach is likely to result in high risk
- Notification will include: nature of breach, categories of data affected, likely consequences, and measures taken
10. Third-Party Disclosure
We do not sell, rent, or trade your Personal Data. We may share data only with:- Service Providers: AWS (infrastructure), under Data Processing Agreements
- Legal Requirements: When required by law, court order, or government authority
- Business Transfer: In the event of merger or acquisition, with prior notice
11. Children's Privacy
Our Services are not intended for individuals under 18 years of age. We do not knowingly collect Personal Data from children. If we become aware of such collection, we will delete the data immediately.12. Cookies and Tracking
We use essential cookies for:- Session management and authentication
- Security and fraud prevention
- User preferences
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or prominent notice on our website. Continued use of Services after changes constitutes acceptance of the updated policy.14. Contact Us
For privacy-related inquiries, requests, or complaints:Data Protection Contact:
Email: support@thingsty.com
We will acknowledge your request within 7 days and provide a substantive response within 30 days.