This page provides general information about your rights under Regulation (EU) 2023/2854 (the EU Data Act) in relation to data generated through the use of Cozify connected products and related services.
This page complements, but does not replace, Cozify’s privacy information under applicable data protection law. The EU Data Act applies to both personal and non-personal data generated through the use of connected products and related services. Where personal data is involved, applicable data protection law, including the General Data Protection Regulation (GDPR), continues to apply (see Privacy Policy).
1. Scope
This page applies to data generated through the use of Cozify connected products and related services, to the extent required by the EU Data Act.
For the purposes of this page:
- Connected products means Cozify products that obtain, generate or collect data concerning their use or environment and that communicate that data via an electronic communications service, physical connection, or on-device access.
- Related services means digital services, including app and cloud-based functions, that are connected with a Cozify product in such a way that the absence of the service would prevent the product from performing one or more of its functions, or that are subsequently connected to the product by the manufacturer or another provider.
- Product data and related service data means data generated by the use of the connected product or related service and that is readily available to Cozify within the meaning of the EU Data Act.
2. Categories of data generated by Cozify products and related services
Depending on the product, configuration, accessories, integrations, and enabled service features, Cozify connected products and related services may generate product data, related service data, and associated metadata such as:
- technical device telemetry, such as device status, state changes, and sensor readings;
- environmental and measurement data, where supported by the product;
- event and automation data, such as triggers, rules, schedules, and execution events;
- connectivity, performance, and diagnostic information;
- service interaction and usage data required to provide, secure, maintain, and improve functionality;
- metadata necessary to interpret, structure, transmit, or manage the data.
The exact categories of data generated, the format of the data, the frequency of generation, the estimated volume of the data, and the applicable storage and retention arrangements may vary by product line, service feature, firmware version, deployment configuration, and subscription plan.
Data may be stored on the device, in the Cozify service environment, or in both locations, depending on the product and related service architecture.
3. Your right to access data
Subject to the conditions and limitations of the EU Data Act and other applicable law, you may request access to product data and related service data that is readily available to Cozify and generated through your use of a Cozify connected product or related service.
Where required by the EU Data Act, Cozify will provide such data, together with relevant metadata needed to understand and use the data, without undue delay and free of charge to the user.
Where applicable and technically feasible, Cozify may provide access in a structured, commonly used, and machine-readable format, such as JSON or CSV, and may enable direct access through the device, application, service interface, or another suitable technical means.
Access may be subject to reasonable authentication, account verification, security checks, and technical procedures designed to protect users, systems, devices, confidential information, and trade secrets, as permitted by law.
You can request access to your data by contacting: support@cozify.fi
4. Your right to instruct Cozify to share data with a third party
Subject to the conditions and limitations of the EU Data Act and other applicable law, you may instruct Cozify to make product data or related service data available to a third party of your choice.
Where Cozify is required to do so under the EU Data Act, Cozify will make the relevant data available to the designated third party in accordance with the applicable legal requirements and appropriate technical and security measures.
Before making data available to a third party, Cozify may require verification of your identity, authority, account control, and the identity of the designated third party.
If you have instructed Cozify to share data with a third party, you may later withdraw that instruction for future sharing through the available service settings or by contacting Cozify. Withdrawal will not affect any processing already carried out before the withdrawal took effect.
Third parties receiving data at your request are responsible for their own use of that data and must comply with the EU Data Act, data protection law where applicable, and any other relevant legal obligations.
5. Format, method, and conditions of access
Cozify aims to provide access and sharing mechanisms that are practical, secure, and interoperable, taking into account the nature of the product, the related service, the relevant data set, and the technical architecture in use.
Depending on the relevant product or service, access or sharing may be provided through one or more of the following means:
- in-app export functionality;
- account-based service interface access;
- device-level access where available;
- secure file export;
- application programming interfaces or other technical transfer mechanisms, where supported.
Cozify may define reasonable technical, operational, and security requirements for requests, including request scope, identity verification, format selection, transfer channel, and safeguards against fraud, abuse, or risks to device and service security.
6. Trade secrets, confidential information, and security
Cozify may apply proportionate measures permitted by law to protect trade secrets, confidential information, cybersecurity, and the security of connected products and related services when providing access to or sharing data.
Such measures may include, where appropriate:
- data minimisation and scoped disclosure;
- authentication and access controls;
- secure transmission methods;
- confidentiality and contractual protection measures;
- technical restrictions necessary to protect the security, integrity, or resilience of devices and services.
Where Cozify considers that a request affects trade secrets or security-sensitive information, Cozify will assess the request in accordance with the EU Data Act and other applicable law. Where permitted by law, Cozify may apply protective measures, suspend sharing, or refuse part of a request where the legal conditions for doing so are met.
7. Personal data and data protection
The EU Data Act does not create an independent legal basis for the processing of personal data. Where requested data includes personal data, Cozify will process and disclose that data only in accordance with applicable data protection law.
Where relevant, this may require Cozify to assess whether the request concerns the requester’s own personal data, another person’s personal data, mixed personal and non-personal data, or data that cannot lawfully be disclosed without an additional legal basis.
8. Public sector access in exceptional circumstances
In certain exceptional cases defined by the EU Data Act, public sector bodies, the European Commission, the European Central Bank, or Union bodies may request access to data from private sector entities.
If Cozify receives such a request, Cozify will assess it in accordance with the applicable legal framework and, where legally required, will disclose only the data that must be provided, subject to appropriate proportionality, confidentiality, and security safeguards.
9. Applicability dates
The EU Data Act has applied since 12 September 2025.
For connected products and related services placed on the market from 12 September 2026, the EU Data Act introduces additional design-related requirements intended to ensure that relevant product data and related service data are, where required, directly accessible by default.