Personal data privacy policy

This Privacy Policy describes how we collect, use, store and protect your data when you:

use the ondilo.com website, browse, create a customer account, place an order in our shop
Use the ICO mobile app and the associated connected water analyser.

The protection of your personal data is a priority for Ondilo.

As part of our commitment to protect your personal data in a transparent manner, we want to inform you :

– how and why Ondilo uses and stores your personal data through the Application it offers,

– the legal basis on which your personal data is processed,

– and your rights and our obligations in relation to such processing.

Data controller

The data controller is:

ONDILO SAS
162 Avenue Robert Schuman

ZA la Pile

13760 Saint-Cannat

FRANCE

If you have any questions regarding data protection, you can contact us at contact@ondilo.com.

2. In what context do we collect personal data?

As part of its business, ONDILO uses your personal data primarily for the following purposes:

order management on the ondilo.com website
customer relationship management
the personalisation of recommendations made on the ICO application
analysis of website statistics

3. What personal data do we process and for what purposes?

In the context of personal data processing, Ondilo collects and processes the following data for the purposes detailed below. Your data is only collected and processed for specific and legitimate purposes.

When shopping in our store:
• Transactions are secure
• Payments are processed via a certified payment provider (e.g. Stripe, PayPal, etc.).
• Ondilo never has access to your credit card details.

These data are grouped into two categories:

Personal data: data that allows a person to be identified, directly or indirectly, collected when downloading and configuring the ICO Application, when creating an account and/or placing an order on the ondilo.com website.
Data collected through ICO and its application: data relating to water quality (temperature, pH, ORP-redox, conductivity), data on the pool/spa.

Purpose of the treatment	Categories of Personal Data	Legal basis of the processing operation
Customer Relationship Management	Contact details: surname, first name, email address, postal address, telephone number Account details: login credentials Transaction data: products ordered, payment methods (via secure service provider)	Performance of the contract
Customer support	Name, first name, email, phone number, country, place of purchase of the product, UUID of the product, status of private or professional, details of the request, type of request, OS used, history of requests.	Performance of the contract
Use of ICO and its application: Water quality analysis and recommendations	Pool/spa data: Pool/spa characteristics: type, volume, Treatment and maintenance products with their packaging Pool/spa equipment: ozonator, UV lamp Location of the swimming pool, Measurements (average and real-time): Temperature, pH, ORP-Redox, conductivity, salt content	Performance of the contract
	ICO data and mobile device: Smartphone operating system UUID number, IP addresses location data (depending on the permissions you have granted us)	Performance of the contract
Website performance analysis	Technical browsing data: IP address, logs, browser type, pages viewed Cookies	Consent

4. Recipients of your data

Your data may be transmitted to service providers acting on our behalf, in particular for:

hosting (cloud/web),
payment and invoicing,
delivery,
customer support,
statistical analysis.

These service providers are contractually bound to respect data confidentiality and security.

Ondilo never claim your data to third parties.

OndiloThe personal data we collect directly or through ICOs is intended for our use and enables access to services and monitoring of the use of these services. In this context, we may use your personal data and the data collected in connection with the provision of the service to provide you with personalised analyses and advice.

Retailers. In the context of certain partnerships, particularly OEM partnerships, Ondilo may share your data with the retailer or distributor from whom the Connected Device was purchased, or, in the case of a Connected Device purchased on our website, Ondilo may transfer your data to certain distributors and retailers for the purposes of providing and monitoring the service. The distributor and/or retailer undertakes not to use your data for commercial purposes. Furthermore, under no circumstances may the distributor or retailer resell your data.

Providers. We ensure that only authorised persons have access to this data. Our service providers may receive this data in order to perform the services we entrust to them. Some personal data may be forwarded to third parties or legally authorised authorities in order to fulfil our legal, regulatory or contractual obligations.

They may be communicated to these entities for the purposes set out in this privacy policy. These operations are carried out on the basis of instruments that comply with the applicable regulations and are capable of ensuring the protection and respect of your rights.

Partners. In addition, data collected through Connected Items may be shared with a smart assistant in your home, such as Alexa, Google Home, or others, if you choose to do so.

In this context, data may then be shared with these partners, subject to your consent and within the framework of the privacy policy issued by each of the intelligent assistants with which you will interface the Connected Object. We invite you to read the privacy policy governing the collection of personal data from these intelligent assistants to which you agree to submit by interfacing the Connected Object.

Buyer. Finally, in the event that Ondilo is purchased by a buyer, your data will be transferred to the buyer. The Acquirer shall in turn be bound by the same obligations to store and modify data with respect to the user of the Application and its linked sites as those set out in this Privacy Policy.

5. Retention period for personal data

The retention periods we apply to your personal data are proportionate to the purposes for which they were collected.

The length of time we retain personal data is variable and determined by various criteria, including :

– the purpose for which we use them: Ondilo must keep the data for the period necessary to fulfill the purpose of the processing ;

and

– legal obligations: legislation or regulations may set a minimum length of time for which we must retain personal data.

We organise our data retention policy according to these criteria and make it available to you.

In the event of a deletion request, all your data will be permanently deleted within 30 days of your request. However, if your account is deleted, Ondilo will retain anonymised data for service improvement and statistical purposes. If you have deleted your Ondilo account and wish to use our Products and Services again, simply create a new account.

At a glance you have all parameters of your pool or spa water in easy-to-read views.

6. Ondilo's commitments regarding personal data protection

In providing the service, Ondilo, acting as a service provider on behalf of its client, undertakes to:

Process data solely for the purpose(s) for which it is collected.
Process data in accordance with the customer's instructions

Ensuring the confidentiality of processed data

Ensure that staff involved in the processing of personal data:
- Undertakes to respect the confidentiality of data processed by contractual means.
- Receives the necessary training in the protection of personal data
- Undertakes to take commercially reasonable measures to ensure the reliability of any member of staff involved in the processing of personal data.

Notify the customer of any personal data breach as soon as possible after becoming aware of it.

Assist the client, to the extent possible, in fulfilling their obligation to respond to requests from data subjects to exercise their rights and forward to the client, upon receipt, any request from a data subject to exercise their rights.

Provide the customer with the necessary documentation to demonstrate compliance with its obligations under applicable regulations. Furthermore, Ondilo undertakes to implement technical and organisational measures to ensure a level of security appropriate to the risk, in particular:
- Means of ensuring the confidentiality, integrity, availability and constant resilience of processing systems and services.
- Les moyens permettant de rétablir la disponibilité des données à caractère personnel et l’accès à celles-ci dans des délais appropriés en cas d’incident physique ou technique.
- A procedure for regularly testing, analysing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.
- Depending on the customer's choice, once the service has been terminated, all personal data shall be deleted or returned to the customer; existing copies shall be destroyed, unless Union or Member State law requires the retention of personal data.

7. Rights regarding the use of personal data

Under Law No. 78-17 of 6 January 1978 known as the ‘Data Protection Act’ and the General Data Protection Regulation (GDPR), which came into force in May 2018, you have all the rights (access, rectification, erasure of data, restriction of processing of such data, objection to the use of such data, portability of such data, instructions regarding the fate of such data after your death).

7.1. Your right to information

You acknowledge that this Privacy Policy informs you of the purposes, legal framework, interests, and recipients or categories of recipients with whom your personal data is shared.

If we decide to process data for purposes other than those indicated, you will be informed of these new purposes.

7.2. Your right to access and rectify your data

You have the right to access and correct your personal data.

In this respect, you have confirmation whether or not your personal data are processed, and when they are processed, you have access to your data as well as to information concerning :

the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients as well as the international organisations to whom the personal data have been or will be communicated, in particular recipients who are established in third countries ;
where possible, the envisaged period of retention of the personal data or, where this is not possible, the criteria used to determine that period;
the existence of the right to ask the data controller for the rectification or deletion of your personal data, the right to request a restriction on the processing of your personal data, the right to object to such processing ;
the right to lodge a complaint with a supervisory authority;
information on the source of the data when they are not collected directly from the data subjects;
the existence of automated decision making, including profiling, and in the latter case, useful information concerning the underlying logic, as well as the importance and intended consequences of such processing for the data subjects.

You may request that your personal data be, as the case may be, rectified or completed if they are inaccurate, incomplete, equivocal or out of date.

7.3. Your right to have your data deleted

You may request us to delete your personal data when one of the following reasons applies:

the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
you withdraw the consent previously given;
you object to the processing of your personal data where there is no legal ground for such processing;
the processing of personal data does not comply with the provisions of the applicable laws and regulations;
your personal data has been collected in the context of providing Information Society services to children under the age of 16.

Nevertheless, the exercise of this right will not be possible when the retention of your personal data is necessary under the terms of legislation or regulations and in particular for example for the establishment, exercise or defence of legal rights.

7.4. Your right to limit data processing

You may request the limitation of the processing of your personal data in the cases provided for by laws and regulations.

7.5. Your right to object to data processing

You have the right to object to the processing of personal data concerning you when the processing is based on the legitimate interest of the controller.

7.6. Your right to the portability of your data

You have the right to the portability of your personal data

The data on which this right can be exercised are :

only your personal data, which excludes anonymized personal data or data that does not concern you;
the declarative personal data as well as the personal operating data mentioned above;
personal data that does not infringe on the rights and freedoms of third parties, such as those protected by business secrecy.

This right is limited to processing based on consent or a contract as well as to personal data that you have personally generated.

This right does not include neither derived data nor inferred data, which are personal data created by Ondilo.

7.7. Your right to withdraw your consent

Where the data processing we carry out is based on your consent, you may withdraw it at any time. We will then stop processing your personal data without jeopardizing the previous operations for which you consented.

7.8. Your right to appeal

You have the right to file a complaint with the CNIL on French territory, without prejudice to any other administrative or jurisdictional recourse.

7.9. Your right to define post-mortem directives

You have the option to set guidelines for the storage, deletion and disclosure of your personal data after your death to a trusted, certified third party who is responsible for enforcing the wishes of the deceased in accordance with the requirements of the applicable legal framework.

7.10. How to exercise your rights

All the rights listed above can be exercised at the following email address rgpd@ondilo.com or by mail with a copy of an identity document to the following address Ondilo: 162 Avenue Robert Schuman ZA la Pile, 13 760 Saint-Cannat – France.

Nevertheless, with regard to the exercise of the right to information, we may not be obliged to act on it if :

you already have this information;
the registration or communication of your personal data is expressly provided for by law ;
the communication of information proves impossible;
the provision of information would require disproportionate efforts.

8. How do we protect your personal data?

All useful precautions are taken to ensure the security and confidentiality of your personal data, in particular to prevent their loss, alteration, destruction or use by unauthorised third parties.

In addition, we require service providers and subcontractors who may have access to personal data to implement appropriate technical and organisational security measures with regard to such personal data.

At a glance you have all parameters of your pool or spa water in easy-to-read views.

9. Update

We reserve the right to amend this policy to reflect changes in various regulations and practices.

The changes we make to our policy will be directly accessible through the Application under Settings / Legal notices / Privacy policy.

In order to ensure that you always have the latest version, we invite you to consult this section regularly.

Date de la dernière mise à jour : 20 01 2026