Privacy Policy for the DIALux Software

The privacy policy for the online offering at www.dialux.com can be found here: Data protection policy.

1. Name and contact details of the controller

The responsible party according to Art. 4, para. 7 of the EU General Data Protection Regulation (GDPR) is:
DIAL GmbH
Bahnhofsallee 18
58507 Lüdenscheid, Germany
Tel. +49 (0) 2351 5674 0
E-Mail dialog(at)dial.de
Website www.dial.de

2. Contact details of the Data Protection Officer

Contact details of the Data Protection Officer
progressorg GmbH
Höveler Weg 2
58553 Halver, Germany
Tel. + 49 (0) 2353 9096 31
Fax: + 49 (0) 2353 9096 49
E-Mail: datenschutz(at)progressorg.de
Website: www.progressorg.de

3. Description and scope

DIALux is the world’s leading software for professional lighting design and a marketing tool for luminaire manufacturers.

These privacy notices inform you about which personal data we process when you register for DIALux and use our software, for which purposes we do so, on which legal basis this takes place, and which rights you have as a data subject.

Personal data means any information relating to an identified or identifiable natural person. Protecting your privacy when using DIALux is important to us.

4. Information on the processing of your data

Certain information is already processed automatically as soon as you register for DIALux or use the software. Below, we describe the individual processing operations.

4.1 Data processing when registering for DIALux

Purposes of processing

• Setting up and managing your DIALux user account
• Authentication and provision of licensed and/or personalized features (e.g. DIALux Pro)
• Communication with you in connection with the use of DIALux (e.g. technical notices, contractual information) 

Categories of data processed

• First name, last name
• E-mail address
• Password (encrypted)
• Date and time of registration
• Where applicable, information about your company (company, position, industry)
• Technical metadata during the registration/login process (IP address, date/time, device/operating system used) 

Legal bases

• Art. 6(1)(b) GDPR (performance of a contract or implementation of pre-contractual measures)
• Art. 6(1)(f) GDPR (legitimate interest in ensuring the functionality and security of our systems, e.g. logging login attempts) 

Recipients / categories of recipients

• Internal departments (e.g. support, development, sales)
• Payment service providers when purchasing paid licenses (only for payment processing)

Data transfers to third countries

If service providers in third countries are used for hosting or support, the transfer takes place only in compliance with the requirements of Art. 44 et seq. GDPR (e.g. on the basis of an adequacy decision or EU Standard Contractual Clauses, see Section 6).

Retention period

We store your registration data for the duration of your user account. After deletion of the account, the data will be deleted unless they are still required for compliance with statutory retention obligations or for the establishment, exercise, or defense of legal claims.

Obligation to provide data / consequences of non-provision

The provision of the above-mentioned data is required for registration and use of DIALux. Without these data, we cannot grant you access to the software and the corresponding features. 

4.2 Data processing during installation (setup information)

Purposes of processing

• Carrying out and evaluating the installation process
• Ensuring that DIALux was installed correctly and can run on your system
• Error analysis and improvement of the installation routine 

Categories of data processed

• Carrying out and evaluating the installation process
• •Random instance ID
• DIALux and setup version
• Operating system (version, language), screen resolution and color depth
• Available and occupied working memory
• Results of system checks (e.g. OS, hardware, SSE2, GPU)
• Results of the OpenGL check (graphics card, driver version)
• Results of the installation of components (e.g. DCF, DDD, LDK, RMS)
• Information on whether a system restart is required

Legal bases

• Art. 6(1)(b) GDPR (performance of the user contract for DIALux, insofar as these data are necessary to provide the software)
• Art. 6(1)(f) GDPR (legitimate interest in a stable and error-free installation as well as product improvement) 

Recipients / categories of recipients

• Internal development / support

Retention period

As a rule, we store setup information for a limited period of time (e.g. until evaluation of the installation process and correction of any errors). If longer retention is required to correct recurring errors, storage takes place only in pseudonymized form.

4.3 System information when starting DIALux

Purposes of processing

• Checking the compatibility of DIALux with your hardware and software environment
• Optimizing the software for the hardware used in each case
• Error diagnosis in the event of crashes or performance problems

Data categories (examples)

• Date and time
• Instance ID, user ID
• Type and clock frequency of the CPU
• Type and memory configuration of the graphics card(s)
• Size of the installed working memory
• Number and resolution of the monitors
• Installed .NET Framework versions
• Installed DIALux version(s), selected language and renderer
• Available DirectX version and graphics card features
• Installed DIALux plugins including manufacturer name
• Information on installed web browsers

Legal bases

• Art. 6(1)(b) GDPR (performance of a contract, insofar as necessary for the provision of functioning software)
• Art. 6(1)(f) GDPR (legitimate interest in product optimization and error diagnosis) 

Recipients

• Internal development / support

Retention period

System information is stored for the duration of the analysis of technical problems and for product improvement, and is then anonymized. Insofar as the data are contained in log files, the periods stated in Section 4.6 apply.

4.4 Graphics card information

Purposes of processing

• Ensuring the compatibility of DIALux with your graphics card
• Error diagnosis in the event of graphics problems (e.g. crashes, display errors)

Data categories (examples)

• Date and time
• Program version number
• Instance ID, user ID
• Process ID and bit width (32/64 bit)
• Time the log was created
• Information on whether an internet connection existed at the time of startup
• Graphics card initialization information
• Retrieved OpenGL information including manufacturer, type, driver version, supported OpenGL version 

Legal bases

• Art. 6(1)(b) GDPR
• Art. 6(1)(f) GDPR (legitimate interest in error diagnosis and performance optimization) 

Recipients / retention period

As with the system information (4.3). The logs are deleted after completion of the error analysis or after a defined period.

4.5 DIALux Product Tracking

Purposes of processing

• Statistical evaluation of the use of DIALux features
• Analysis of which luminaires, manufacturers, and formats are used in projects
• Further development of DIALux on the basis of real usage
• Provision of analyses to DIALux members (luminaire manufacturers) in anonymized form

Data categories (examples)

• Date and time
• DIALux version
• Instance ID, user ID, project ID
• Region/country
• Imported and used luminaires (brand, article number, article name)
• Source of the luminaires (online, file, etc.)
• Format of the imported luminaire files
• Type of planning and use (road, site, area, standard profile, arrangement information, mounting type)

Legal bases

• Art. 6(1)(b) GDPR (insofar as required for the provision of certain features or project management)
• Art. 6(1)(f) GDPR (legitimate interest in the further development and needs-based design of our software and services). Our legitimate interests are:
  • Improvement and further development of DIALux
  • Optimization of offerings for luminaire manufacturers and users
  • Ensuring market-appropriate and high-performance software 

Recipients / categories of recipients

• Internal departments (product management, development, sales)
• DIALux members (luminaire manufacturers) in anonymized or aggregated form (no direct conclusions about individual users) 

Retention period

Product tracking data are generally stored only as long as this is necessary for the stated purposes (product analysis, reporting, planning of future software versions). They are then anonymized or deleted. Insofar as data are stored on a project-related basis, they may be retained until the project or the user is deleted.

4.6 DIALux log files

Purposes of processing

• Ensuring the operation and security of DIALux (error diagnosis, defense against attacks)
• Traceability of errors and crashes
• Abuse prevention and ensuring the integrity of our systems

Data categories

• Date and time
• Program version number
• Instance ID, user ID, where applicable project IDs
• Process ID and bit width (32/64 bit)
• Time the log was created
• Status of the internet connection at program start
• User actions (modes used, tools, function calls) including timestamp
• Errors and exceptions that occurred, including stack trace
• Where applicable, login information (tokens), information on licenses, program language used, country of the user, product tracking status (active/inactive)

Legal bases

• Art. 6(1)(b) GDPR (insofar as required for contract performance, e.g. to remedy reported errors)
• Art. 6(1)(f) GDPR (legitimate interest in security, stability, and abuse detection) 

Recipients / retention period

• Recipients: internal IT/support
• Retention period: Log files are deleted after a defined period (e.g. 90 days, insofar as technically required), unless longer storage is necessary in individual cases to investigate security incidents or to establish legal claims.

4.7 Server log files

Purposes of processing

• Ensuring the operation and security of our server infrastructure (error diagnosis, defense against attacks)
• Traceability of errors and crashes
• Abuse prevention and ensuring the integrity of our systems

Data categories

• Full IP address
• Email address
• Time of the request
• Country
• URL accessed and action

Legal bases

• Art. 6(1)(b) GDPR (insofar as required for contract performance, e.g. to remedy reported errors)
• Art. 6(1)(f) GDPR (legitimate interest in security, stability, and abuse detection) 

Recipients / retention period

• Internal development / support
• Retention period: Log files are deleted or anonymized after a defined period (no later than after 28 days, insofar as technically required), unless longer storage is necessary in individual cases to investigate security incidents or to establish legal claims.

4.8 Use of Microsoft Defender SmartScreen

From version 13.2 onward, DIALux evo uses the security feature “Microsoft Defender SmartScreen,” a service provided by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA) or the respective competent European group company. Microsoft Defender SmartScreen serves to protect you from visiting potentially dangerous websites, from phishing attacks, and from downloading or executing potentially harmful files.

In the context of using DIALux evo, Microsoft Defender SmartScreen may in particular process the following data: 

• Information about websites and downloads initiated or displayed by DIALux evo (e.g. URL, file name, hash values, and digital signatures of files)
• Technical information about your device and operating system (e.g. operating system version, browser or runtime environment, language settings)
• Your IP address as well as a service-specific identifier
• Usage information regarding displayed SmartScreen warnings and how you handle them (e.g. “warning confirmed” or “warning ignored”). 

In this context, Microsoft acts as an independent controller processing telemetry and security data (URLs, file information, telemetry data, etc.) in order to maintain its security database and provide protective functions. The use of Microsoft Defender SmartScreen serves to increase the security of our software, to defend against malware, and to prevent phishing and other attacks on our users.

Microsoft processes the above-mentioned data under its own responsibility under data protection law in accordance with Microsoft’s privacy policy (available at aka.ms/privacy) and the specific privacy notices in Microsoft Edge or regarding Microsoft Defender SmartScreen (https://learn.microsoft.com/de-de/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen as well as learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper. Insofar as data are transferred to countries outside the EU/EEA, in particular to the USA, this is done on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR (e.g. adequacy decision of the European Commission or EU Standard Contractual Clauses).

The provision of the above-mentioned data is necessary for the use of the protective function of Microsoft Defender SmartScreen. You can deactivate Microsoft Defender SmartScreen in the DIALux settings (File->Settings->General Settings->Internet). In this case, the corresponding protection will not be available to you, or will only be available to a limited extent. The remaining use of DIALux evo is generally not affected by this.

5. Data transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this takes place in the context of using third-party services or disclosing or transferring data to third parties, this occurs only:

• if it is necessary for the performance of our contractual or pre-contractual obligations (Art. 6(1)(b) GDPR),
• on the basis of your consent (Art. 6(1)(a) GDPR),
• due to a legal obligation (Art. 6(1)(c) GDPR), or
• on the basis of our legitimate interests (Art. 6(1)(f) GDPR).

Subject to statutory or contractual permissions, we process or have data processed in a third country only if the special requirements of Art. 44 et seq. GDPR are met. This means that processing takes place, for example, on the basis of an adequacy decision of the European Commission or Standard Contractual Clauses, or that other appropriate safeguards are ensured.

6. Deletion of data / retention period

The personal data processed by us are deleted or their processing is restricted in accordance with Art. 17 and 18 GDPR as soon as they are no longer required for their intended purpose and no statutory retention obligations prevent this. Insofar as data are not deleted because they are required for other lawful purposes, their processing is restricted (blocking).

Under German statutory requirements, retention takes place in particular for:

• 6 years pursuant to Section 257(1) German Commercial Code (HGB) (e.g. commercial letters, accounting documents)
• 10 years pursuant to Section 147(1) German Fiscal Code (AO) (e.g. tax-relevant records). 

7. Obligation to provide data

In the context of registering for and using DIALux, certain personal data are required in order to conclude a contract with you or to provide the contractually owed services (see in particular Section 4.1). Without these data, we cannot provide DIALux to you, or can provide it only to a limited extent.

Insofar as data processing is based on your consent (e.g. for certain tracking functions or marketing communications), the provision of these data is voluntary. Failure to grant consent or withdrawal of consent has no effect on the use of DIALux, but may result in certain additional features not being available.

8. Your rights as a data subject

You have the following rights vis-à-vis us with regard to the personal data concerning you:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)

Insofar as processing is based on consent, you have the right to withdraw this consent at any time with effect for the future, without affecting the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

To exercise your rights, you may contact us at any time using the contact details stated in Sections 1 and 2.

9. Right to object under Art. 21 GDPR

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that we carry out on the basis of Art. 6(1)(f) GDPR (legitimate interest). We will then stop the processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

You may object to the processing of your personal data for direct marketing purposes at any time without giving reasons. In this case, we will no longer process your data for these purposes.

Please address your objection to: DIAL GmbH, Bahnhofsallee 18, 58507 Lüdenscheid, Germany, Tel. +49 (0) 2351 5674 0, Email: dialog@dial.de.

10. Right to lodge a complaint with a supervisory authority

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data is unlawful. The authority responsible for us is: State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia, Kavalleriestraße 2–4, 40213 Düsseldorf, Germany, Email: poststelle@ldi.nrw.de, Website: www.ldi.nrw.de. You may also contact the supervisory authority at your usual place of residence.