Dalux Privacy Notice

Last updated: February 7, 2023

This Privacy Notice (“Notice”) explains how Dalux ApS, company reg. no. 28509839 with headquarters at Lyngbyvej 2, 2100 København Ø, Denmark (hereinafter referred to as “DALUX”, “we” “us” and “our”) and all subisdiaries in the Dalux group of companies:

Dalux ApS (Denmark)
Dalux Austria GmbH
Dalux Belgium BV
Dalux Germany GmbH
Dalux Finland Oy
Dalux Italia Srl
Dalux Limited (UK)
Dalux Lithuania UAB
Dalux Netherlands BV
Dalux Norway AS
Dalux Software Spain
Dalux Sweden AB
Dalux Switzerland GmbH
Dalux US Inc.
SAS Dalux France

with respect to data protection, collect, share, and process personal data as data controllers, in circumstances such as when you: · Visit our website at https://www.dalux.com (“Website”)

• Register to use our services, including the services available through our Website, our mobile and desktop applications (collectively referred to as “Services”)
• Register and/or attend our webinars, events, and Summits (“Events”)
• Contact us for Sales or Support by email or web form

DALUX undertakes to ensure that all legal requirements and obligations to protect personal data subject to the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) are met. The references to “personal data” and “personal information” have the same meaning under this Notice and refer to any information that directly or indirectly can be linked to an identifiable natural person (“you”).

This Notice further describes your privacy rights. If you have agreed to any of our applicable terms and conditions that govern the use of any of our Services, those terms and conditions are thus incorporated to this Notice accordingly with reservations to any individually agreed terms and conditions between us and you. We encourage that you read this Notice and our terms and conditions thoroughly before using our Website and Services to ensure that you fully understand our views and practices on handling and processing your personal data and on what terms and conditions, we provide you our Services.

We strive to protect and respect your personal data to the best of our ability. Please be aware, that when you access or agree to use our Website and/or Services, you unconditionally acknowledge, agree, and accept the terms in this Notice.

1. When this Notice does not apply

a. Third Parties/links

Our Website and Services may contain links or integrate with other websites and online services. DALUX is not responsible or liable for any damage or loss related to your use of any third-party websites or online services. DALUX strongly recommends that you read the terms and privacy policy of the relevant third-party websites and online services before using them, whether directly or in connection with your use of the Website and/or Services.

b. Customer data

Except for the account information (as described below), this Notice does not apply to our privacy practices in relation to Customer owned materials such as the drawings, files, messages, and any other electronic data uploaded and stored in our Services by you, as an end user (“Customer Data”). DALUX processing in regard to Customer Data are instead governed by our Master Agreement and Data Processing Agreement, which regulates the agreement between you and DALUX regarding access and use of our Services.

DALUX is only responsible for ensuring compliance with all applicable laws and regulations, as well as any other privacy policies, agreements, and obligations, related to the collection, use, and storage of personal information in connection with our Services, for which DALUX collects directly.

2. How DALUX collects your personal data

DALUX collects your personal data in different ways. It can be collected either directly from you, by the use of cookies and other tracking technologies, automatically collected or generated when you interact with and use our Website and/or Services or collected when provided by other parties.

a. From you

We collect and process your personal data from you directly when you sign up to create an account to use our Services, register for any of our webinars and events, interact with us on social media, and/or when you provide us with personal information by contacting us directly via email or web form.

We may collect the following categories of information directly from you:

• Identification information. We may collect data such as name, last name, telephone number, email, and company.
• Account information. When you sign up for an account, we collect name, last name, phone number, email address, preferred language, and company.
• Support data. We may also collect information in connection with a support activity when you submit a help ticket or email to us.
• Attendee information. When you register and/or attend a webinar or event hosted by DALUX, we may collect personal information such as name, phone number, email address, and company.
• Billing information. When you purchase our Services, Dalux collects financial information to send you invoices and financial follow-ups.

b. Obtained automatically when you use our Website and Services

When visiting our Website and using our Services we use different technology to collect information about you that helps us improve your user experience and to provide our Services. This technology is collectively referred to as “cookies”. Cookies are text files that contain small amounts of information that is being stored on your web browser or device when visiting a website and can be traced back to the original website for each following visit or directed to another website that recognizes the stored cookie. Similarly, web beacons may be used to collect information such about your interaction with our HTML marketing emails that you subscribe to, as whether you have opened or clicked on a link. You can read more about our use of cookies and web beacons in our Cookie Policy.

In addition, when using our Services, we may collect the following:

• Device information. We also collect information from you about the devices you use to access our Services including IP addresses, browser used, and device. We may also collect GPS based location information when you use our Services.
• Usage information. We may also collect information about your behavioural pattern when using our Website and/or Services

c. Through integrated services

If you are given the option to access the Services through the use of username and passwords provided by third parties or Integrated Services, e.g. Microsoft Azure, you authorize the Integrated Service to provide personal information to DALUX. You are responsible to review the privacy notices and terms of use for each Integrated Service that you engage with prior to connecting to our Services. You are responsible for reviewing the privacy policies of the Integrated Services you engage with.

d. Provided by third parties

We may store and collect personal information about you from third-party sources. These third parties can be affiliates, external recruiting firms, business partners, publicly available sources and registers, and social networking platforms e.g. LinkedIn and Facebook.

The categories of personal data we may collect about you from third-party sources include:

•  Professional information, such as your occupation, field of industry, employment history, work experience, educational background, and other qualifications
• Identification information. We may collect data such as name, last name, telephone number, email, and company.

We may combine the personal information we receive directly from you, collected by us, or received by third parties when allowed to do so in accordance with applicable laws, for the purpose of providing you with relevant content, experiences, and other offerings as well as to keep our databases updated with current and accurate information about you.

3. How DALUX uses your personal data

We use the personal data we have collected about you for different purposes, if we can secure a lawful ground for processing. We process your personal data for the following purposes:

a. When contractually necessary

• To process and complete your registrations via our Website or when using our Services.
• To perform our obligations and deliveries subject to a contract with you or your employer or to validate your identity when entering a contract with you.
• To provide you with our Services, including support and communication
• To send information to you within the scope of our contract for example, to send you service messages, inform you of new updates, releases, errors, and other relevant information relating to the use of our Services such as changes to our Terms and Conditions.
• To perform any financial activity, including invoicing and other financial follow-ups.
• To send information you have requested.

b. Based on a legitimate interest of ours or a third party*

• To provide information about upcoming events (including webinars) related to the support or use of our products or to follow up on completed Dalux events (including webinars).
• To improve the quality, functionality and user experience of our products and services, including analyzing how they are being used. Automated analytic
• systems and other tracking techniques may be used to fulfil this purpose (if not subject to your consent).
• To uphold and maintain the security on our Website and Services by detecting, mitigating, and preventing security threats, perform maintenance, and debugging.
• To enforce our terms and conditions when using our Services.
• Other activities relating to the protection of your, our or any third-party rights, property, and safety.
• To anonymize, aggregate, or perform other non-identifying purposes in relation to your personal data.
• To manage existing and potential customer relationships.

* You have the right to object to our processing of your personal data when we rely on a legitimate interest for the processing. Read more about your rights and options under “Your Rights” below.

c. Your consent**

• When you have given us your consent to send you relevant marketing materials such as promotional offers and advertising.
• When you have given us your consent to share information about you with third parties, for example sub-processors.
• When you have given your consent for cookies or similar technologies.
• When you have given your consent to send push notifications to your mobile device.
• When you have given us your consent to a certain processing activity in connection with other occurrences.

**Where we have obtained your consent for processing, you are entitled to withdraw your consent at any time. Please contact us on the contact details provided below if you wish to withdraw your consent.

d. To fulfil a legal obligation

• When we are under a legal obligation to respond, disclose, or share your personal data with official authorities.

4. Who does DALUX share your personal data with?

We share the collected information about you with the following parties when relevant:

• Our service providers, who perform services or certain functions on our behalf, for example companies supporting us with invoicing, licenses, software maintenance, hosting, user verification and localization, marketing, security, support, analytics, social media etc. Please note that all service providers who we may share your personal information with are subject to a contract that either restricts or limits their ability to process and use your personal information.
• Other third parties in connection with a business transaction, hereunder a transfer, outsourcing, merger, sale, acquisition, consolidation, change in control, reorganization, or liquidation of DALUX, or parts hereof.
• Legal circumstances, when we are required to do so by law e.g. pursuant to a court order or when we otherwise in good faith believe, that it is required by law or with the law enforcement or other reasonable persons e.g. a legal counsel or external lawyer when we believe that a submission of the personal information is necessary to identify, contact and prevent, or respond to fraud and/or an intellectual property right infringement caused knowingly or unknowingly for the purpose of protecting DALUX’s property rights and safety.
• Administrators and other end users in your organization, who may gain access to your personal information when you accept an invitation to join a project or building on behalf of your organization or enterprise.
• Any other person with your consent to the disclosure.

5. Location of personal data and cross border transfers

DALUX transfers personal data to some of our third parties described above in the section: “Who does DALUX share your personal data with?” to help fulfil our obligations towards you, for example to provide a secure storage of your data, hosting and support. As an underlying basis, DALUX aims to only engage sub-processors or third parties where the processing and storage of personal data remains within the EEA. When it is not possible, DALUX relies on the following legal mechanisms to ensure the same level of protection as guaranteed by the GDPR when transferring personal data to third parties outside of the EEA: Third countries deemed adequate by the European Commission, appropriate safeguards e.g. Standard contractual clauses (SCC) adopted by the European Commission, approved binding corporate rules (BCR) or any other current or future appropriate safeguards pursuant to Article 46 of the GDPR, or your explicit consent.

6. How does DALUX protect your personal data?

The protection and security of your personal data is of vital importance to DALUX, and we go far to sustain all reasonably necessary technological, administrative, and physical measures to protect your personal data from unauthorized surveillance and access and malicious actions. We also take reasonable steps to limit the sharing and access of your personal data to only concern employees and contractors who need access to your data to perform a contract or other relevant function.

7. Your rights

You have the right to access the personal data we process about you, with the exceptions set out in the GDPR and other applicable laws. You further have the right to object to our processing, our use of your personal data, rectify your personal data, and require us to limit the processing of your personal data.

If we process personal data based on your consent, you have the right to withdraw your consent at any time. If you withdraw your consent, we will stop to process your personal data, unless continuation of processing is necessary to comply with our legal obligations as required or permitted by law. If you wish to withdraw your consent, please contact us.

If you request us to delete the personal data we have registered about you, we will do so without undue delay unless we can continue the processing pursuant to a different legal basis, such as a legal obligation to store and keep your personal data.

Under some circumstances, you may ask us to provide you with a copy of your personal data in a structured, commonly used and machine-readable format and ask us to transmit your data to a third party (data portability).

If you wish to exercise any of your applicable rights as described above, please contact us.

If you are an individual being subject to a contractual arrangement with any of our customers, which includes the processing of your personal data on behalf of such customer, we may refer any enquiry by you to the customer and cooperate with their handling of your enquiry, in order to comply with our contractual obligations towards the customer.

We will respond to your enquiry as soon as possible.

8. Notice to end users regarding products provided by your organization

Our Services are intended for use by organizations and enterprises. When our Services are made available to you through an enterprise customer of ours, that organization or enterprise is the data controller of your personal information within our Services, upon that for which DALUX collects to create an account with us. Please note that DALUX is not responsible for the privacy or security practices of that organization, which may be different than the practices that appear in this Notice.

As an end user, you may be using our Services on behalf of an organization you are affiliated with, such as your work or school organization. Please note that through project administrators, your organization can:

• Control and administer your use of our Services
• Access and process your personal data, including the interaction data and contents of the files you have uploaded to a project via our Services

9. Data retention

In cases where DALUX is the data controller of personal information, in cases described above, we will keep your personal data for as long as we need it to fulfil any of the purposes described under the section: “How DALUX uses your personal data”, to the extent we can do so lawfully. This includes our right to store your personal data longer, if we must do so in order to comply with a legal obligation, even if the original purpose for processing your personal data can no longer be justified. When we no longer have any justified legitimate needs to retain your data, your data will be anonymized or deleted.

When we use your personal data in connection with marketing purposes by your consent, we will use your personal information until you withdraw your consent. Please be aware that it will be necessary for us to store the registered information about you not wanting to receive marketing materials from us if you have decided to withdraw your consent.

For personal information processed as part of Service Data, we will process the personal information for as long as we are instructed to do so by the customer.

10. Data protection responsibilities

DALUX is responsible for the processing activities of personal data collected for our own purposes as described under this Notice. DALUX also process personal data on behalf of our enterprise customers subject always to a data processing agreement. If you process or provide us with personal data when using our Services, you will be the controller of the personal data and DALUX is the data processor. When you are the data controller, you are responsible for protecting the personal data you process, this includes your compliance with the GDPR and other privacy laws. When we process personal data on behalf of you as data controller, it is required that we enter into a written data processing agreement, to govern the details of the processing. If not included in a separate agreement entered with you, you can find our standard Data Processing Agreement here. If you for some reason cannot find the Data Processing Agreement or have any other questions, contact us.

To avoid any misconceptions, you should be aware that DALUX does not control nor is responsible for the personal data collected by our enterprise customers. Therefore, the legal basis for processing personal data, as well as the level of security may differ from the standards set out in this Notice.

11. Children’s privacy

Our Website and Services and their contents are not directed towards children who are under the age of 16, and if we happen to collect personal data from children or minors, we do so unknowingly. Any information provided by a child or minor to DALUX or its service providers without parental consent, will be deleted when discovered. If you have questions about personal data that may have been submitted by a child, please contact us.

12. Contact information

If you have any questions, requests or concerns relating to this Notice or our privacy practices in general, or if you wish to exercise any of your rights described above, including accessing, rectifying, or erasing your personal data, please contact us by sending an email to: privacy@dalux.com. When contacting us, please inform us of which DALUX Service your enquiry concerns as well as your full name and email-address, so that we can identify you and process your enquiry. We may ask for additional forms of verification depending on the nature of the inquiry and personal information requested.

If you have any complaints regarding the processing of your personal data or this Notice, we will cooperate with you to find a satisfactory resolution to your matter. If you believe that we have not assisted you sufficiently, you have the right to file a complaint to the Danish Supervisory Authority, Borgergade 28, 5, 1300 Copenhagen, Denmark or to another competent European Supervisory Authority or equivalent subject to your location.

13. Updates to DALUX Notice

We may change, update, and adjust this Notice from time to time when necessary. We will announce any contingent changes by updating the date, as stated on the top

of this Notice. We encourage you to read and return to this Notice regularly to make sure you are up to date with the latest version published.