Portal IoT

Privacy Policy and Data Processing Addendum of the IoT Portal

Version: 1.0

Effective as of: 6 June 2026

This document is a working draft of the Privacy Policy and Data Processing Addendum for the IoT Portal service. Before publication, we recommend having this document reviewed by a lawyer, especially if the service will be provided for consideration or if users will process personal data of other persons through the service.

1. Who we are

The operator of the IoT Portal service, available at iot.strunc.net, is:

Miloslav Štrunc
IČ: 74397796
Sídlo / adresa: Střimelická 2503/22, 14100 Praha 4
E-mail pro ochranu osobních údajů: gdpr@portal-iot.net

Hereinafter referred to as the “Provider”.

This Privacy Policy describes how the Provider processes personal data of users of the IoT Portal and what rights users have under the GDPR.

2. Basic definition of roles

The Provider acts as the personal data controller in respect of data required for the operation of user accounts, provision of the service, security, communication with users, and compliance with legal obligations.

In relation to data that a user sends to the IoT Portal from their devices, sensors, or via the MQTT/HTTP API, the Provider may also act as a personal data processor if such data contains personal data of third parties or personal data processed by the user. In such case, the user is the controller of such data and is responsible for ensuring that there is a legal basis for its collection, transmission, and processing.

3. What personal data we process

The Provider may process in particular the following data:

  1. User account data
    e-mail address, password stored in a secured form, language, interface theme, date of registration, date of last login, account status.
  2. Operational and security data
    IP address, access time, data concerning server requests, technical logs, information about errors, login attempts, and security events.
  3. Sensor and device data
    sensor name, sensor token, names of measured values, units, user descriptions, dashboard settings, public or shared links, alarm configuration.
  4. Measurement data from devices
    values sent by the user’s devices, such as temperature, humidity, voltage, relay status, pressure, level, or other technical data according to the user’s settings.
  5. Communication data
    content of messages sent to the Provider by e-mail or via a contact form, if used.
  6. Payment and billing data
    only if the service becomes subject to a fee: name, address, Company ID No., VAT ID No., data necessary for issuing accounting documents and recording payments.

4. Purposes and legal bases of processing

We process personal data for the following purposes:

  1. Creation and administration of a user account
    Legal basis: performance of a contract.
  2. Operation of the IoT Portal service
    Legal basis: performance of a contract. This includes sensor registration, data receipt, data storage, display of dashboards, alarms, dashboard sharing, and other service functions.
  3. Security of the service and prevention of misuse
    Legal basis: the Provider’s legitimate interest in protecting the service, users, and data.
  4. Technical support and communication with the user
    Legal basis: performance of a contract or legitimate interest.
  5. Compliance with legal obligations
    Legal basis: legal obligation. This will typically include accounting, tax, or archiving obligations if the service becomes subject to a fee.
  6. Improvement and maintenance of the service
    Legal basis: legitimate interest. The Provider may analyse operational and technical data for the purpose of fixing errors, optimising performance, and improving security.

5. Data sent from the user’s devices

The user acknowledges that the content of data sent by their devices is determined solely by the user.

The user undertakes not to send to the IoT Portal personal data of third parties, sensitive data, health data, precise location data relating to persons, biometric data, camera recordings, or any other data requiring a special protection regime, unless the user has a valid legal basis for doing so and unless doing so does not violate the GDPR or any other legal regulations.

If the user sends data to the IoT Portal that constitutes personal data, the user is responsible for ensuring that:

  1. there is a legal basis for its processing,
  2. data subjects have been informed,
  3. appropriate protection of devices and tokens has been ensured,
  4. data are not provided to the Provider to an extent disproportionate to the purpose,
  5. the IoT Portal is not used for covert surveillance of persons.

6. Public and shared dashboards

The IoT Portal may enable the creation of a public dashboard or a dashboard accessible by invitation or link.

The user is responsible for ensuring that no personal data, confidential data, security-sensitive information, device tokens, or data whose disclosure could harm the user, third parties, or the Provider are published on a public or shared dashboard.

The Provider is not liable for content that the user makes accessible on a public or shared dashboard.

7. Cookies and local storage

The IoT Portal uses technical cookies or similar technical mechanisms necessary for login, session maintenance, form security, and proper operation of the service.

Assumption for this draft: the IoT Portal does not use marketing cookies or advertising tracking. If analytics or marketing tools are added later, this section must be amended and the relevant consent mechanism must be added.

8. To whom data may be disclosed

Personal data may be disclosed only to the extent necessary:

  1. to the Provider and persons involved in the operation of the service,
  2. to the server infrastructure or hosting provider,
  3. to the e-mail service provider,
  4. to payment or accounting service providers, if the service becomes subject to a fee,
  5. to public authorities where required by law.

The Provider does not sell users’ personal data to third parties.

9. Transfers of data outside the EU

Assumption for this draft: the service is operated on servers located in the Czech Republic or in the European Union, and personal data are not transferred outside the European Union or the European Economic Area.

If personal data are to be transferred outside the EU/EEA, the Provider will proceed only in a manner permitted by the GDPR, for example on the basis of an adequacy decision or standard contractual clauses.

10. Data retention period

We retain personal data only for the period necessary for the relevant purpose.

Indicative retention periods:

  1. User account – for the duration of the account’s existence.
  2. Measurement data from sensors – for the period set by the service or by the user; if no special period is set, for the duration of the account’s existence.
  3. Operational and security logs – usually for the period necessary for securing and diagnosing the service.
  4. E-mail communication – for the period necessary to handle the request and protect the Provider’s rights.
  5. Accounting and tax documents – for the period prescribed by legal regulations.

After account termination, certain data may be temporarily retained if necessary for the protection of the Provider’s rights, compliance with legal obligations, or handling of security incidents.

11. Data security

The Provider implements appropriate technical and organisational measures to protect personal data, in particular:

  1. password-protected account access,
  2. storage of passwords in a secured form,
  3. separation of user data by accounts,
  4. authorisation checks when accessing sensors and dashboards,
  5. use of device tokens,
  6. CSRF protection for forms,
  7. parameterised database queries,
  8. operational logging,
  9. regular updates of the server environment,
  10. restricted access to production data.

The user is responsible for securing their devices, e-mail mailbox, passwords, sensor tokens, and end systems that send data to the IoT Portal.

12. User rights

Under the GDPR, the user has in particular the right to:

  1. request information as to whether their personal data are being processed,
  2. request access to their personal data,
  3. request rectification of inaccurate data,
  4. request erasure of data,
  5. request restriction of processing,
  6. object to processing based on legitimate interest,
  7. request data portability, where technically possible and legally applicable,
  8. lodge a complaint with the Office for Personal Data Protection.

Requests may be sent to the following e-mail address: gdpr@portal-iot.net.

Before handling a request, the Provider may verify the identity of the applicant in order to prevent unauthorised disclosure of data.

13. Account deletion

The user may request cancellation of the account and erasure of personal data.

After account cancellation, data that the Provider no longer needs will be deleted or anonymised. Certain data may continue to be retained if necessary for compliance with legal obligations, protection of the Provider’s rights, or handling of security incidents.

14. Security incidents

If a personal data breach occurs, the Provider will assess the risk to the rights and freedoms of individuals and will take appropriate measures.

Where required by the GDPR, the Provider will notify the incident to the competent supervisory authority and/or to the affected persons. In relation to processing where the Provider acts as a processor, the Provider will notify the incident to the user as controller without undue delay.

15. Data Processing Addendum pursuant to Article 28 GDPR

This section applies where the user processes personal data through the IoT Portal and the Provider acts as processor in relation to such data.

15.1 Controller and processor

The user is the controller of personal data that the user enters, sends, or causes to be sent to the IoT Portal by their devices, provided that such data are personal data.

The Provider is the processor of such data and processes them solely for the purpose of operating the IoT Portal service.

15.2 Subject matter of processing

The subject matter of processing is the receipt, storage, display, administration, sharing, and, where applicable, deletion of data sent by the user or their devices to the IoT Portal.

15.3 Duration of processing

Processing continues for the duration of the user account or for the period during which the user uses the relevant service function.

15.4 Nature and purpose of processing

The nature of the processing is automated technical processing of data in a cloud/web application.

The purpose of the processing is to enable the user to register devices, receive data, display values, create dashboards, share dashboards, configure alarms, and use other related functions of the IoT Portal.

15.5 Type of personal data

The processed data may include in particular:

  1. technical data from devices,
  2. descriptions of measured values,
  3. measurement time series,
  4. device identifiers,
  5. any data entered by the user into sensor, value, or dashboard names.

The Provider does not assume that the service will be used to process special categories of personal data under the GDPR.

15.6 Categories of data subjects

Depending on the nature of the use of the service, these may include in particular:

  1. users of the IoT Portal,
  2. persons whose data the user has entered into the service,
  3. persons who may be indirectly identified from data sent by the user’s devices.

15.7 Instructions of the controller

The Provider processes personal data only in accordance with the user’s instructions, which are expressed through the use of the service and its settings.

The Provider is not obliged to comply with any instruction that is manifestly unlawful or technically disproportionate.

15.8 Confidentiality

The Provider will ensure that persons who have access to personal data are bound by confidentiality or by a similar statutory duty of confidentiality.

15.9 Sub-processors

The user agrees that the Provider may engage sub-processors necessary for the operation of the service, in particular providers of hosting, server infrastructure, e-mail services, or backup services.

Current list of sub-processors:

  1. WEDOS Internet a.s., Masarykova 1230, 373 41 Hluboká nad Vltavou, IČ: 28115708

The Provider is responsible for ensuring that sub-processors are bound by personal data protection obligations corresponding to the GDPR.

15.10 Assistance to the controller

The Provider will provide the user with reasonable assistance in handling data subject requests, resolving security incidents, and fulfilling other obligations under the GDPR, where such assistance is possible having regard to the nature of the service.

If the requested assistance exceeds the ordinary operation of the service, it may be provided for reasonable remuneration, if agreed in advance.

15.11 Erasure or return of data

After termination of the service provision, the Provider will delete or anonymise personal data unless further retention is required by legal regulations or by a legitimate interest in protecting the Provider’s rights.

15.12 Inspection and audit

The Provider will provide the user with information necessary to demonstrate compliance with the obligations under this Data Processing Addendum.

An on-site audit is possible only by prior written agreement, to a reasonable extent, without compromising the security of the service, the rights of other users, or the Provider’s trade secrets.

16. User obligations

The user undertakes to:

  1. provide truthful registration data,
  2. protect their login credentials,
  3. protect their sensor tokens,
  4. not grant access to unauthorised persons,
  5. not send unlawful content to the service,
  6. not send personal data to the service without a legal basis,
  7. not use the service to monitor persons without their knowledge or without another legal basis,
  8. configure public and shared dashboards so that unauthorised disclosure of data does not occur.

17. Children

The IoT Portal is not intended for children. The user confirms that they are a person authorised to enter into an agreement for the use of the service.

18. Changes to this Privacy Policy

The Provider may amend this Privacy Policy, in particular in the event of changes to the service, legal regulations, or the method of data processing.

The current wording will always be available on the IoT Portal website. In the event of material changes, the Provider may also inform users by e-mail or by notice in the user interface.

19. Contact

Questions concerning personal data protection may be sent to:

gdpr@portal-iot.net

The supervisory authority is:

Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Website: uoou.gov.cz