Privacy policy
What personal data we collect
As part of using VitoNode, we collect the following personal and device-related data:
User information: First name, last name, email address, password (encrypted), system role
Device information: Serial number, device type, location assignment (building section, floor, room)
Good to know – Data protection through free-form location labeling: Location assignment (e.g. building section, floor, room) is not selected via fixed dropdown menus, but can be freely written. This means you may choose symbolic or internal labels (e.g. “HQ-1” or “Office X”) that are only meaningful to you. This helps obfuscate the real location and adds an extra layer of privacy and security, especially when the system is used by multiple roles or shared with others.
Usage data: Logins, interactions within the dashboard, timestamps of actions
Environmental data: Sensor measurements (e.g. temperature, CO₂, VOCs, PM, light, noise) that may be linked to a location and a user
Payment and subscription data: Subscription type, payment status, and payment information processed via Stripe (excluding full credit card data)
How and why we collect this data
We collect data for the following purposes:
Service provision: To activate the software via the device’s unique serial number and enable all dashboard features (visualization, alerts, analytics, recommendations)
Personalization & access control: To manage user-specific roles, notifications, and permissions
Smart device integration: To enable automated control of connected smart home or building devices
Security and system performance: To prevent misuse, monitor logins, and analyze system performance
Contractual processing: To manage subscriptions, billing, and payments
Data collection occurs through:
• Direct input (e.g. during registration, location setup, or subscription activation)
• Automated processes (e.g. continuous sensor data transmission)
• User interaction (e.g. button clicks, settings within the dashboard)
Third-party services
To provide and improve our services, we use trusted third-party providers:
• Stripe: For secure payment processing (credit card, PayPal)
➝ Privacy policy: https://stripe.com/privacy
• Firebase Cloud Messaging (Google): For push notifications when thresholds are exceeded
➝ Privacy policy: https://firebase.google.com/support/privacy
• Google Analytics (optional, with user consent): For anonymized usage analytics
• EMQX MQTT Broker: For secure, encrypted data transmission between devices and the platform
• Home Assistant (self-hosted): For optional integration with third-party smart devices via the VitoNode platform
We ensure all third-party services are GDPR-compliant or implement appropriate safeguards (e.g. Standard Contractual Clauses for data transfers to non-EU countries).
User rights: Access, correction, deletion
In accordance with the GDPR and other privacy laws, you have the right to:
• Request access to the personal data we store about you
• Request correction of incomplete or inaccurate data
• Request deletion of your data, provided no legal retention obligations exist
• Request restriction of data processing or object to certain types of processing
Please contact us via:
• Email: contact@vitonode.com
• Subject line suggestion: Data Access / Deletion / Correction
We respond to all requests within 10 days.
Legal basis & data protection compliance
VitoNode complies with the following regulations:
• EU General Data Protection Regulation (GDPR)
• ePrivacy Directive (for cookies and tracking technologies)
• California Consumer Privacy Act (CCPA) – where applicable to users from California
Our data processing is based on:
• Art. 6(1)(b) GDPR: Contractual performance (e.g. use of the software, subscription management)
• Art. 6(1)(f) GDPR: Legitimate interests (e.g. IT security, system optimization)
• Art. 6(1)(a) GDPR: Consent (e.g. for optional cookies, Google Analytics)
All data is stored on servers located within the EU. We implement technical and organizational measures to ensure the highest level of data security – including TLS encryption, role-based access control, and two-factor authentication.