This Privacy Notice explains how Sika processes your personal data when you use Sika Digital Applications.
Sika is committed to ensuring the security and protection of your personal information and adheres to applicable data privacy regulations. Please be aware that depending on your country of origin, different privacy requirements may be applicable to you. For more information about your local data privacy requirements, please consult your local Sika legal entity via the Sika Data Privacy Portal.
Purpose of Sika Roof Monitoring System
The Sika Roof Monitoring System is used to create and manage user accounts, roles and permissions, projects/objects, and attached sensors. It records and visualizes sensor telemetry and metadata, triggers alerts/system emails, and maintains security/audit logs. Access is via authenticated login with optional 2-factor authentication (2FA). The portal is used for operational monitoring, maintenance, and support.
Data Capture
Depending on the implemented scope, the following personal data of users (e.g., employees of customers/partners) may be stored and processed in the Sika Roof Monitoring System:
- First name, last name
- Email address
- Company (optional), company address (optional)
- Country, language
- User ID, user role
- Audit logs (user agent / login / logout / settings changes with timestamp)
- Associated objects with object ID
- Associated sensors with sensor ID
Why we need this data:
- Account creation & login (identification, authentication, authorisation)
- Role/permission management (access control, least-privilege)
- Object/sensor assignment & editing (operational use of the portal)
- Recording & visualisation of telemetry/metadata (service delivery)
- Alert/system emails (incident/threshold notifications, service communications)
- Security/error logs (security, availability, troubleshooting, fraud/abuse prevention)
We process your personal data on the following legal bases: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures) for account provisioning, authentication (incl. 2FA), role and permission management, object/sensor management, service communications, telemetry processing and product and customer support; and Art. 6(1)(f) GDPR (legitimate interests) for product and system improvement, platform operation, IT security, incident handling, error analysis, abuse prevention and auditability. Our legitimate interests are the secure and reliable operation of the platform, safeguarding of systems and data, troubleshooting and service quality, traceability of administrative actions, and the provision of product and system improvements.
Data Access
Access to the Sika Roof Monitoring System is strictly role-based and follows the need-to-know principle. Permissions are granted according to defined roles; content access is limited to what is required for the respective task.
Internal access (Priot AG / Sika)
- Platform operations: Priot AG administrators and authorised support staff may access system configurations and operational dashboards to ensure availability, security, incident handling, and troubleshooting. No access to customer content beyond what is necessary for these purposes.
- Project/object ownership: Designated project/object owners and assigned users can view and edit data within their scope, as determined by their roles and permissions.
- Sika Switzerland (User Management): Sika Services AG manages identity and access management tasks (provisioning/deprovisioning of user accounts, role assignments, periodic access reviews). Access is limited to user administration metadata; no access to customer content beyond role administration.
- Product support and improvements: Sika Services AG, Sika affiliated entities and Priot AG may access customer data, as determined by their roles and permissions, to provide product support on a case-by-case basis. Sika shall use customer sensor measurement data for product and system improvement.
External recipients / processors
- Cloud hosting (processor): Google Cloud Platform (operated by Google Cloud EMEA Limited) provides compute, storage, and network services. Primary data location: Zurich, Switzerland.
- Platform software & case-by-case support (processor): ThingsBoard, Inc. provides and maintains the platform software. If support is required, temporary, encrypted access to system data may occur on request, based on EU Standard Contractual Clauses (Art. 46 GDPR). Primary data location remains Zurich, Switzerland.
- Monitoring and logging (internal processing): Priot AG performs system performance monitoring, audit logging, and traceability of administrative actions for security and operational purposes.
- Support communication (processor): Microsoft (email services within EU/EFTA) is used for handling support requests and retaining correspondence for case tracking.
We do not disclose personal data to third parties unless you consent, we are legally required or entitled to do so, or we have a legitimate interest (e.g., maintenance and support). In such cases, appropriate technical and organizational measures (e.g., encryption, access controls) protect your data in transit and at rest. International transfers, where applicable, are safeguarded by appropriate measures such as the European Commission’s Standard Contractual Clauses.
Retention period
| Data category | Retention |
| --- | --- |
| Customer & user accounts (active) | For the duration of the customer contract |
| Customer & user accounts (inactive) | 12 months after contract end or deletion request |
| Audit/system logs (monitoring & security) | 12 months |
| Support tickets / communications | 3 years after case closure |
| Device & telemetry data | 12 months after contract end or deletion request |
| Backups | 12 months |
Requirement to Provide Data / Consequences
Provision of core account data (e.g., name, business email, authentication factors) is necessary to enter into and perform the service. Without such data, we cannot create an account or grant access. Without device telemetry, core service features (monitoring/visualisation/alerts) cannot be provided.
Automated Decision-Making
We do not carry out automated decision-making, including profiling, within the meaning of Art. 22 GDPR.
Contact information and responsible legal entity:
For more information on the responsible legal entity in your country of origin and how to contact us, please visit our Sika Data Privacy Portal.
YOUR RIGHTS:
(a) Right of access:
You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to your personal data. This access information includes – inter alia – provision of the information about the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.
However, this is not an absolute right, and the interests of other individuals may restrict your right of access.
You may have the right to obtain a copy of the personal data undergoing processing.
Your requests are generally free of charge. We may charge a reasonable fee based on administrative costs in case your request is manifestly unfounded or excessive, in particular because of its repetitive character.
(b) Right to rectification:
You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(c) Right to erasure ("right to be forgotten"):
Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data.
(d) Right to restriction of processing:
Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.
(e) Right to data portability:
Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.
(f) Right to object:
Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, to the processing of your personal data by us and we can be required to no longer process your personal data.
Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes by us.