(Version 3 applicable as of 31/03/2021)
The terms below have the following meaning:
- Customer: refers to the purchaser, recipient or licensee of Shayp’s Product(s) and/or Service(s) (including Shayp partners and affiliated insurance companies) and can also refer to the User of those Product(s) and/or Service(s) (where the Customer is also the end user of those Product(s) and/or Service(s)).
- Data Controller: means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- Data Processor: means the party that Processes Personal Data on behalf of the Data Controller.
- Data Protection Law: means the GDPR and the Data Protection Act 2018 and any other laws which may apply to Shayp in relation to the Processing of Personal Data.
- Data Subject: means any individual person who can be identified, directly or indirectly, via a Personal Data identifier (as outlined below in the definition of “Personal Data”).
- Datalogger: refers to the device designed and patented by Shayp which connects to the User’s resource meter (water, electricity, gas or other) for the purpose of monitoring anomalies in consumption and transmitting that data to the User via the Shayp Platform.
- European Economic Area of EEA: means Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.
- GDPR: means the General Data Protection Regulation (No. 2016/679).
- Personal Data: is any information relating to a living individual which allows the identification of that individual. Personal Data can include:
- A name;
- An identification number;
- Details about an individual’s address or contact details;
- Any other information that is specific to that individual.
- Personal Data Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- Processing: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.
- Product(s): the Datalogger and any other associated Shayp and non-Shayp hardware and accessories that may be required for the performance of the Datalogger.
- Service(s): all services offered in relation to the Product(s), including, but not limited to the Shayp Software, the Shayp Platform, and any other accessory services.
- Shayp: refers to Shayp SA, with its registered office located at Rue des Pères Blancs 4, 1040 in Brussels and registered under the number BE0682.631.956.
- Shayp Platform: refers to the secure platform created and designed by Shayp which displays the details of any Dataloggers installed in connection with the Customer and/or User along with details of any detected anomalies in the consumption of resources (water, gas, electricity or other). The platform is accessible by the Customer and/or User either by application installed on a portable device or by visiting https://app.shayp.io.
- Special Categories of Personal Data: are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.
- User: refers to the end user of Shayp’s Product(s) and/or Service(s).
2. Shayp as a Data Controller
The Processing of Personal Data by Shayp is undertaken as a Data Controller primarily but in some cases Shayp may be considered a Data Processor. All Processing activities of Shayp are undertaken in accordance with Data Protection Law.
3. Shayp Processing Activities
3.1 Type of Personal Data Processed: The following are examples of the types of Personal Data that Shayp processes:
- Telephone number;
- Email address;
- Identification documents (driver’s licence, passport etc) (limited to employees);
- IP address;
- Location data (limited to the general location of the Datalogger or IP address);
- Consumption data (water, gas, electricity or other) and associated habits (for example, volume of water consumed over a given period and time of peak consumption);
- Building type and location;
- Information relating to the User’s login activity within the Shayp Platform;
- Any other information as provided to Shayp by the Data Subject or its agents or representatives;
- Shayp may supplement this Personal Data with information that is publicly available from other sources (for example, Crossroads Bank for Enterprises or internet searches);
It is important to note that since Shayp’s Product(s) and Service(s) are changing on a regular basis to better meet the needs of its Customers and Users, we also Process information for research and testing purposes (in order to provide a better experience for the Customer and User and to improve the Product(s) and Service(s) that we offer). The information Processed for research purposes is limited to, for example, the volume of water used along with the size of the building (and not information directly identifying the Customer or User, such as full name, contact details etc).
3.2 Purpose of Processing: The following is a list of the type of activities that Shayp carries out with the Personal Data that it Processes:
- To fulfil an order from a Customer and/or User;
- To provide a Customer and/or User with access to the Shayp Platform;
- To provide customer support to a Customer and/or User;
- To allow the Customer and/or User to view the consumption data in realtime;
- To alert a Customer and/or User to any anomalies detected by the Datalogger;
- To guarantee the proper technical operation of the offered Product(s) and/or Service(s);
- To provide the Customer and/or User with any updates that may affect the quality of the offered Product(s) and/or Service(s);
- To provide the Customer and/or User with any updates to our terms, conditions, policies or practices;
- To provide the Customer and/or User with news updates, new promotions or Product(s) of Shayp (where the Customer or User has subscribed to this);
- To develop, test and improve our Product(s) and/or Service(s) (including, but not limited to, conducting research, testing and troubleshooting new features);
- To comply with any contractual, regulatory/legal, tax, accounting or other obligations as is necessary.
3.3 Legal Basis for Processing: Shayp, as Data Controller, will rely on the various provisions of Data Protection Law as the legal basis to process such Personal Data, including, but not limited to, the following:
- Processing that is necessary for the performance of a contract to which a Data Subject is a party or in order to take steps at the request of a Data Subject prior to entering a contract (for example, where Shayp Processes Personal Data as is necessary for providing the Customer and/or User with an accurate quotation for Product(s) and/or Service(s)).
- Processing that is necessary for compliance with a legal obligation (for example, if ordered by a court or in accordance with additional legislation).
- Processing that is permitted by way of consent from the Data Subject or its agents or representatives (either expressed or implied).
4. Special Categories of Data
Shayp does not ordinarily process any Special Categories of Data other than where such data has been provided directly to it by the Data Subject (or agents or representatives). In this regard, Shayp relies on the fact that the Processing of Special Categories of Data is permitted under several provisions of the GDPR and the Data Protection Act 2018.
5. Data Subject Rights
5.1 Data Protection Law provides certain rights in favour of Data Subjects (“Data Subject Rights”). The rights are as follows:
- The right of a Data Subject to receive detailed information on the Processing of their Personal Data;
- The right of access to Personal Data including knowledge of whether or not the Data Subject’s Personal Data is being Processed and, if so, having access to that Personal Data plus additional ancillary information. This includes information such as the purposes of the Processing, the categories of Personal Data concerned, the recipients or categories of recipient to whom the Personal Data have been or will be disclosed to and the retention periods;
- The right to rectify or erase Personal Data (right to be forgotten);
- The right to restrict Processing;
- The right of data portability; i.e the right to receive Personal Data concerning the Data Subject in a structured, commonly used and machine readable format and have the right to transmit that data to another Data Controller. This right only applies to Personal Data which the Data Subject has provided to Shayp (and not to data which is received from third parties);
- The right of objection; and
- The right to object to automated decision making, including profiling.
5.2 Any Data Subject wishing to exercise their Data Subject Rights should write to Shayp by email to firstname.lastname@example.org or by registered letter to the following address:
Gregoire de Hemptinne
Chief Operating Officer
Rue des Peres Blancs 4
6. Disclosure to Third Parties
6.1 From time to time, Shayp may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process. For example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data.
6.2 Shayp may also share Personal Data with (a) another statutory body where there is a lawful basis or requirement to do so; (b) selected third parties including contractors, sub-contractors, advisors, consultants and investors (as appropriate); (c) Shayp partners and affiliates such as insurance companies; and (d) other parties as is appropriate if we are under a legal obligation to do so.
6.3 Where we enter into agreements with third parties to Process Personal Data on our behalf, we will ensure that the appropriate contractual protections are in place to safeguard such Personal Data and ensure that the Personal Data is only Processed insofar as is necessary and appropriate in accordance with Data Protection Law.
6.4 Examples of third parties to whom Personal Data has been or will be disclosed include:
- Suppliers and subcontractors (for order handling, shipment, payments and operational purposes);
- Partners for installation and support (for the installation and the configuration of our Product(s) and/or Service(s));
- Partners for the purposes of reselling Shayp’s Product(s) and/or Service(s);
- External service providers, professional advisors and consultants to Shayp in order to support and advise Shayp in relation to the compliance of its legal and contractual obligations.
7. Data Security
7.1 Shayp ensures that the appropriate technical and organisational measures are in place to protect the Personal Data that it Processes. All Shayp employees and contractors are bound by a confidentiality clause and must abide by the Shayp internal access practice which restricts access to Personal Data except where it is necessary and required. These measures protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data is held securely using a range of security measures including IT measures such as encryption.
7.2 As an additional measure for the security and confidentiality of the Personal Data held on the Shayp Platform, we advise the Customer and/or User to choose a strong password for accessing their account and to keep this password strictly private and confidential in order to prevent unauthorised access to the data. It is advised that access to the Shayp Platform should not be provided to third parties by the User and/or Customer.
8. Data Retention
Shayp will retain Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data is Processed.
9. Data Transfers outside of the EEA
10. Further Information
By post to:
Gregoire de Hemptinne
Chief Operating Officer
Rue des Peres Blancs 4
By email to: