Privacy Statement for IKEA Home smart System and Application
Thank you for trusting us at IKEA of Sweden AB (“IKEA”, “we”, “us” or “our”) with your personal data. The IKEA vision is to create a better everyday life for the many people. That’s a big job and one that we at IKEA take seriously.
When you use your IKEA Home smart System (the “System”) and control your connected smart products within the System, such as a lamp, via the IKEA Home smart Application (the “Application”), we will process your personal data. We will collect most of your personal data by using cookies and similar technologies. How we do this is described in our text about cookies which you find here.
We commit ourselves to be transparent with you by providing clear information about what personal data we collect; what we do with it and why; who we disclose it to; how we protect personal data and what choices you have regarding the use of your personal data by us and third parties.
In short: Your personal data – for what purposes do we use it?
Of course, you are not required to provide your personal data to us. But if you want to use certain functionalities, as further set out below, in the System and the Application, we will need certain personal data about you to make the System and the Application function in a secure and satisfactory manner. To protect your privacy, we have taken measures to avoid identifying you directly when you use the System and the Application.
Do not hesitate to contact us with any questions you have regarding this Privacy Statement!
Your rights
Residents of some countries have specific rights with respect to the processing of their personal data. Below, we provide a detailed description of data subject rights under the GDPR and information about how to exercise them. In summary, you have the following rights:
Please note that residents of some U.S. states have similar data subject rights under state data protection laws. For more information, please see our U.S. State Supplemental Privacy Notice, available here.
Below you can read more about:
By pressing the selected heading, you will be transferred to the
relevant paragraph.
The company responsible for the processing of your personal data and how to contact us
Who do we disclose your personal data to?
Where is your personal data processed?
What are your rights when we process your personal data? Detailed description
A detailed description of how we process your personal data
U.S. State Supplemental Notice
We, IKEA of Sweden AB, with company registration no. 556074-7551, Tulpanvägen 1, 343 34 Älmhult, Sweden are responsible for the processing activities when you use the System and the Application.
If you have questions about our Privacy Statement or practices, please feel free to get in touch. You can contact us at Data.Protection@inter.ikea.com
Your personal data is initially collected and processed by us.
Nevertheless, to conduct our business, we need to work with service providers and business partners who will process your personal data. We comply with applicable law with respect to disclosure of your personal data and we take measures make sure your personal data is safe when disclosed to such entities as set out below.
We disclose your personal data to our service providers who process the personal data on our behalf, which means that we remain responsible for the data they are processing. Currently, we disclose your personal data to the following categories of service providers:
We also disclose your data to other business partners, who will be responsible for certain processing of your personal data. These business partners are:
If you have any questions regarding how we disclose your personal data or want to know more about who we disclose your personal data to, please feel free to contact us.
Your personal data will in most cases be processed outside of the EU/EEA if the service providers we use are based outside of the EU/EEA.
our personal data will be transferred outside the EU/EEA in the following cases:
In the above situations, the transfers only take place in accordance with applicable data protection legislation, meaning that we will transfer your personal data outside the EU/EEA when we can ensure an appropriate level of protection of your personal data. We will transfer your personal data under the Standard Contractual Clauses (article 46.2 (c) GDPR), Module 1 (controller to controller) and Module 2 (controller to processor) respectively, together with supplementary measures. You can find the Standard Contractual Clauses here.
If you want to know more about what safeguards we implement for transfers of personal data or receive a copy of the safeguards you are always very welcome to contact us.
You have certain rights that you can exercise to affect how we process your personal data. Below, we provide a more detailed description about those rights below.
If you want to know more about your rights or if you want to exercise any of your rights, please contact us and we will help you.
Please note that residents of some U.S. states have similar data subject rights under state data protection laws. For more information, please see our U.S. State Supplemental Privacy Notice, available here.
You have the right to lodge a complaint with a supervisory authority.
In detail. Your right to complain exists without prejudice to any other administrative or judicial remedy. You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place where the alleged infringement of applicable data protection laws has allegedly occurred.
You have the right to withdraw your consent at any time. This can easily be done in the Application under privacy settings. When you withdraw your consent, it will be done on behalf of all others using the same System as you.
In detail. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
You have the right to obtain confirmation as to whether we are processing personal data concerning you or not. You can make a request by contacting us. If we do process your personal data, you also have a right to obtain a copy of the personal data processed by us as well as information about our processing of your personal data.
In detail. The information we provide includes the following:
For any further copies of the personal data undergoing processing requested by you, we may charge a reasonable fee based on administrative costs. If you have made the request by electronic means the information will be provided to you in a commonly used electronic form, unless otherwise requested by you.
You have a right to obtain, without undue delay, the rectification of inaccurate personal data concerning you.
In detail. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including the means of providing a supplementary statement.
We will notify each recipient to whom the personal data has been provided of any correction that has been made unless this turns out to be impossible or entails a disproportionate effort. If you want information about these recipients, you are welcome to contact us.
You can at any time ask us to delete some or all of your personal data.
In detail. You have the right to obtain from us the erasure of your personal data and we have the obligation to erase your personal data without undue delay where one of the following grounds applies:
We will notify each recipient to whom the personal data has been provided about any erasure of personal data according to the above unless this turns out to be impossible or entails a disproportionate effort. If you want more information about these recipients, you are welcome to contact us.
Note that our obligation to erase and inform according to the above shall not apply to the extent that processing is necessary according to the following reasons:
You have the right to demand restriction on the processing of your personal data.
In detail. The right applies if:
Where the processing has been restricted according to the above, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise, or defence of legal claims or the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. We will notify you before the restriction of processing is lifted.
We will notify each recipient to whom the personal data has been provided about any restriction of processing according to the above unless this turns out to be impossible or entails a disproportionate effort. If you want more information about these recipients, you are welcome to contact us.
You have the right to receive your personal data from us in a structured, commonly used and machine-readable format and, where technically feasible, have your personal data transferred to another data controller (“data portability”).
In detail. The right applies to our processing of your personal data when it is based on the lawful basis of consent (Article 6.1 (a) GDPR or contract (Article 6.1 (b) GDPR) and the processing is carried out by automated means.
The exercise of the right to data portability shall be without prejudice to the right to be forgotten, Article 17 GDPR.
Your right to data portability shall not adversely affect the rights and freedoms of others.
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data that is based on the lawful basis legitimate interest (Article 6.1 (f) GDPR), including profiling.
In detail. If you object, we shall then no longer process the personal data in question, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of you, or for the establishment, exercise, or defence of legal claims.
As we state in the tables below, for some purposes, we process your personal data based on our “legitimate interest”. By carrying out a balancing of interests’ assessment concerning our processing of your personal data, we have concluded that our legitimate interest for the processing outweighs your interests or rights which require the protection of your personal data.
If you want more information in relation to our balancing of interests’ assessments, please do not hesitate to contact us.
We are happy that you share your personal data with us! We want to make your experience with us as joyful, meaningful, and simple as possible. To achieve this, we collect some information about you. This section tells you what personal data we collect and process, why we process it, and the lawful basis and storage period for the personal data in question.
For the functionality of the System and the Application |
||
What processing we perform |
What personal data we process |
Our lawful basis for the processing |
To enable you to use the System and the Application and to make sure that the System and the Application work in a satisfying and secure manner we process your personal data to:
The majority of these technical attributes that we collect are best described as codes and do not reveal your name or other personal data that directly can identify you. However, to be as transparent as possible, we inform you of our processing of these technical attributes since they, if connected with other personal data, could constitute personal data. |
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for you to be able to use the System and the Application, including the different functionalities. You need to provide the personal data to us, otherwise, you will not be able to use the System and the Application, including the different functionalities. |
Gather information to detect problems in the System’s and the Application’s functionality. This information is essential for us to be able to fix problems we detect in the System’s and the Application’s functionality. |
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for us to detect and fix problems in the System’s and the Application’s functionality. You need to provide the personal data to us, otherwise, we will not be able to ensure that the System and the Application, including the different functionalities, will function in a satisfying manner. |
Analyse information regarding detected problems in the System’s and the Application’s functionality in order to make improvements. To do this we use services from Google (Google Firebase). You can find more information on how Google processes your personal data on Google’s website. This information is essential for us to be able to improve the System’s and the Application’s functionality based on the analyses of detected problems and how the System and the Application are used. To best ensure your privacy while doing so, we mostly process personal data on an aggregate level. This means that we are able to see a certain pattern of use connected to a certain user of the System and the Application, but not who the user is. |
|
Legitimate interest (Article 6.1 (f) GDPR). The processing is necessary for purposes of our legitimate interest to be able to detect problems in the System and the Application’s functionality. |
Storage period: We will store your personal data for as long as you use the System and the Application, including specific connected smart products. We will however regularly delete such personal data that we no longer need for the functionality of the System and the Application. For example, we delete the IP address after thirty (30) days. |
To enable you to control the System via the Application outside your home |
||
What processing we perform |
What personal data we process |
Our lawful basis for the processing |
Enable you to control the System via the Application from outside of your home, e.g. when not connected to the same Wi-Fi as the System, we process your personal data to identify your device to ensure that it is a part of the System and to enable you to control the System via the Application from outside your home. Most of these technical attributes that we collect are best described as codes and do not reveal your name or other personal data that directly can identify you. However, to be as transparent as possible, we inform you of our processing of all technical attributes since they, if connected with other personal data, could constitute personal data. |
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for you to be able to control the System via the Application from outside your home. You need to provide the personal data to us, otherwise, you will not be able to control the System via the Application from outside your home. |
Storage period: We will store your personal data for as long as you use this feature “control the System via the Application outside of your home”. |
To enable you to use and control the System via the Application on multiple devices |
||
What processing we perform |
What personal data we process |
Our lawful basis for the processing |
Enable you to use and control the System via the Application on multiple devices and to remember your trusted devices connected to System. These technical attributes that we collect are best described as codes and do not reveal your name or other personal data that directly can identify you. However, to be as transparent as possible, we inform you of our processing of these technical attributes since they, if connected with other personal data, could constitute personal data. |
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for you to be able to control the System via the Application on multiple devices. You need to provide the personal data to us, otherwise, you will not be able to control the System via the Application on multiple devices. |
Storage period: Your personal data will be stored for as long as the Application is installed on your device. |
To enable you to save and adjust your favourite scenes |
||
What processing we perform |
What personal data we process |
Our lawful basis for the processing |
Enable you to create and save a scene, for instance when it comes to connected lamps - to turn on the lights in the bedroom at seven o’clock as per your chosen scene. These technical attributes that we collect are best described as codes and do not reveal your name or other personal data that directly can identify you. However, to be as transparent as possible, we inform you of our processing of these technical attributes since they, if connected with other personal data, could constitute personal data. |
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for you to be able to create and save a scene. You need to provide the personal data to us, otherwise, you will not be able to create and save such a scene. |
Enable you to create and save a scene that will be initiated at sunrise and/or sunset, for instance when it comes to connected lamps - to turn on the lights in the bedroom at sunrise as per your chosen scene. The majority of these technical attributes that we collect are best described as codes and do not reveal your name or other personal data that directly can identify you. However, to be as transparent as possible, we inform you of our processing of these technical attributes since they, if connected with other personal data, could constitute personal data. |
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for you to be able to create and save a scene. You need to provide the personal data to us, otherwise, you will not be able to create and save such a scene. |
Storage period: Your personal data for as long as you have such scene saved in the System. |
To give you support regarding the System and the Application |
||
What processing we perform |
What personal data we process |
Our lawful basis for the processing |
Communicate with you when you contact us related to your usage of the System and the Application, e.g. for support matters. |
|
Legitimate interest (Article 6.1 (f) GDPR). The processing is necessary for the purposes of our legitimate interest to provide customer service, i.e. support. |
Storage period: We will store your personal data for as long as necessary to perform our support in relation to the System and the Application, however no longer than one (1) year after your support matter has been solved. |
To improve the System and the Application, including different functionalities |
||
What processing we perform |
What personal data we process |
Our lawful basis for the processing |
Collect information that is necessary in order to improve the System and different functionalities. We will collect information about you to acknowledge patterns in how the System and the different functions are used. To best ensure your privacy while doing so, we only process personal data on an aggregate level. |
|
Consent (Article 6.1 (a) GDPR). The personal data will be processed based on your consent. When you consent, it will be done on behalf of all others using the same System as you. You can withdraw such consent at any time in the Application under privacy settings. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal. |
Collect information that is necessary in order to improve the Application and different functionalities. To do this we use the analytic service from Google (i.e. Google Firebase Analytics including Google Analytics). You can find more information on how Google processes your personal data on Google’s website. This analytics service from Google will collect information about you to acknowledge patterns in how the Application and the different functions are used. To best ensure your privacy while doing so, we only process personal data on an aggregate level. |
|
Consent (Article 6.1 (a) GDPR) The personal data will be processed based on your consent. When you consent, it will be done on behalf of all others using the same System as you. You can withdraw such consent at any time in the Application under privacy settings. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal. |
Storage period: We will store your personal data for as long as necessary to perform our analysis and further improve the System and the Application and no longer than one (1) year. Google will continue to store your personal data for its own purposes and Google will inform you separately about such storing. |
To notify you about the information that you have required in relation to the System by push notifications |
||
What processing we perform |
What personal data we process |
Our lawful basis for the processing |
Send you push notifications regarding events in the System that you have chosen to get notifications about. In order to send you such push notifications, we use services from Google (Google Firebase). You can find more information on how Google processes your personal data on Google’s website. The information is used to send you push notifications about such events that you have chosen to get notifications about. |
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for you to be able to receive push notifications essential for the functionality of the connected smart products. You need to provide the personal data to us, otherwise, you are unable to receive notifications from the System. |
Send you push notifications in relation to the maintenance of the System, e.g. low battery in a connected smart product, or when a product is not working. In order to send you such push notifications, we use services from Google (Google Firebase). You can find more information on how Google processes your personal data on Google’s website. The information is used to help you detect and solve a problem in the System when it is needed, in order to make the System and the different functionalities work in a satisfying manner. |
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for you to be able to receive push notifications essential for the functionality of the connected smart products. You need to provide the personal data to us, otherwise, you are unable to receive notifications from the System. |
Storage period: We will store your personal data for as long as you have chosen to receive push notifications regarding the System. |
To connect and control the System via your smart products from third parties |
||
What processing we perform |
What personal data we process |
Our lawful basis for the processing |
Enable you to connect to and control the System via smart products from Google (i.e. Google Home). We and Google (i.e. the third party provider of such smart product) will process your personal data to authenticate the user and make the integration between the System and the smart product in question function, i.e. perform the actions made by you via such smart product. These technical attributes that we collect are best described as codes and do not reveal your name or other personal data that directly can identify you. However, to be as transparent as possible, we inform you of our processing of these technical attributes since they, if connected with other personal data, could constitute personal data. You can find more information on how Google processes your personal data on Google´s website. |
When using the “Remote login”:
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for you to be able to connect and control the System via such smart product from Google. You need to provide the personal data to us, otherwise, you are unable to connect and control the System via such a smart product from Google. |
Enable you to connect to and control the System via smart products from Amazon (i.e. Alexa). We and Amazon (i.e. the third party provider of such smart product) will process your personal data to authenticate the user and make the integration between the System and the smart product in question function, i.e. perform the actions made by you via such smart product. These technical attributes that we collect are best described as codes and do not reveal your name or other personal data that directly can identify you. However, to be as transparent as possible, we inform you of our processing of these technical attributes since they, if connected with other personal data, could constitute personal data. You can find more information on how Amazon processes your personal data on Amazon´s website. |
When using the “Remote Login”:
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for you to be able to connect and control the System via such smart product from Amazon. You need to provide the personal data to us, otherwise, you are unable to connect and control the System via such a smart product from Amazon. |
Enable you to connect to and control the System via smart products from Apple (i.e. Apple HomeKit). We and Apple (i.e. the third party provider of such smart product) will process your personal data to authenticate the user and make the integration between the System and the smart product in question function, i.e. perform the actions made by you via such smart product. These technical attributes that we collect are best described as codes and do not reveal your name or other personal data that directly can identify you. However, to be as transparent as possible, we inform you of our processing of these technical attributes since they, if connected with other personal data, could constitute personal data. You can find more information on how Apple processes your personal data on Apple´s website. |
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for you to be able to connect and control the System via such smart product from Apple. You need to provide the personal data to us, otherwise, you are unable to connect and control the System via such a smart product from Apple. |
Storage period: We will store your personal data for as long as such smart product from third parties connected to the System. |
To connect the System with your speakers from Sonos |
||
What processing we perform |
What personal data we process |
Our lawful basis for the processing |
Enable you to connect your Sonos speakers to the System and control your Sonos speakers via the Application. We and Sonos (the provider) will process your personal data in order to make the integration between the System and the Sonos Speakers function, i.e. perform the actions made by your device when you use the Application to control the Sonos speaker. These technical attributes that we collect are best described as codes and do not reveal your name or other personal data that directly can identify you. However, to be as transparent as possible, we inform you of our processing of these technical attributes since they, if connected with other personal data, could constitute personal data. You can find more information on how Sonos processes your personal data on Sonos’ website. |
|
Performance of the contract (Article 6.1 (b) GDPR). The processing is necessary for you to be able to connect and control your Sonos speakers via the Application. You need to provide the personal data to us, otherwise, you are unable to connect and control your Sonos speakers via the Application. |
Storage period: We will store your personal data for as long as such speaker from Sonos is connected to the System. |
Last Updated: October 1st 2022
Thank you for trusting us at IKEA of Sweden AB (“IKEA”, “we”, “us” or “our”) with your personal data. The IKEA vision is to create a better everyday life for the many people. That’s a big job and one that we at IKEA take seriously.
This notice supplements our Privacy Statement for IKEA Home smart System and Application by providing specific disclosures applicable to residents of certain U.S. states.
A. Residents of Colorado, Connecticut, Utah, and Virginia
In conjunction with our Privacy Statement for IKEA Home smart System, this notice provides information about the categories of personal data we collect and process, our purposes for processing such personal data, the categories of personal data we disclose to third parties, and the categories of third parties to whom we disclose personal data, in relation to the IKEA Home smart System and Application.
We do not sell or share Personal Information to Third Parties or process Personal Information for purposes of targeted advertising, as the terms “sell,” “process,” and “targeted advertising” are defined in Colorado’s, Connecticut’s, Utah’s, and Virginia’s data protection statutes.
Residents of Colorado, Connecticut, Utah, and Virginia have certain rights with respect to the processing of their personal data. To exercise your data subject rights or (for residents of certain states) to appeal our decision regarding your data subject rights, you may contact us at IKEA.RangeSupply.Privacy@inter.ikea.com.
B. Residents of California
This Notice is intended to provide California consumers with meaningful insight into how we may collect and use your personal information, in accordance with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”).
IKEA does not sell your personal information, share your personal information for cross-context behavioural advertising, or use your sensitive personal information for purposes beyond those authorized by the CPRA.
Collection and Use of Personal Information
CATEGORIES OF PERSONAL INFORMATION |
COLLECTION PURPOSES |
---|---|
Identifiers. Such as a unique personal identifier, online identifier, Internet Protocol address, email address, or other similar identifiers. |
|
Personal Information Contained in Customer Records Contact data, such as phone number and email address. |
|
Commercial Information Such as records in relation to the Application and the System, including connected smart products from IKEA. |
|
Internet or other electronic network activity information Such as usage history, product settings you utilize, and other interactions with our products. |
|
Geolocation Data Such as device location. |
|
Audio, Electronic, Visual, and Similar Information Such as information about your use of the System and the Application, diagnostic data regarding your System if an error occurs, information regarding your System’s software, and information you provide when you contact us for technical support. |
|
Retention Period: We will store your personal information for the storage periods detailed in our Privacy Statement for IKEA Home smart System and Application. The duration for which we retain a specific piece of personal information may depend on the purpose for which we collected it. In general, we will store your personal data for as long as you use the System and the Application, including specific connected smart products. We will however regularly delete such personal data that we no longer need for the functionality of the System and the Application.
Contact Us: If you have questions about our Privacy Statement, U.S. State Supplemental Notice, or our privacy practices, please feel free to get in touch. You can contact us at IKEA.RangeSupply.Privacy@inter.ikea.com