Deco Privacy Policy

Last Updated: Jan, 18, 2024

General rules and definitions

TP-Link Global Inc. (collectively, “TP-Link” “we” “us” or “our”) takes your privacy seriously. We abide by applicable privacy laws and regulations to protect your personal data. Accordingly, we developed this privacy policy ("Policy”) in order for you to understand what types of personal data we collected, how we use it, for what reason do we need to process your personal data, who we share it with, when and how we delete it, what rights do you have concerning your personal data and what measures we take to protect it.

TP-Link provides:

(1) software that may be downloaded to your smartphone or tablet to access services (“Mobile Apps” such as Tether, Deco, Tapo etc.), 

(2) services, including technical support and services accessible through the Site(s) (“Support”),

(3) subscription services, including services that can be accessed using the Support and Mobile Apps (“Subscription Services”, such as Homeshield). The term “Services” means the Sites, Support, Mobile Apps, and Subscription Services, which may be used in conjunction with hardware products provided by TP-Link affiliates and in other ways provided by TP-Link. Some Services of TP-Link can be used together or in ways that integrate with products and services from third parties.

The Sites mentioned in (2) do not include pages linked from the Websites which are operated by local partners, such as https://www.tp-link.com/us. Supplemental data protection information is available where our partners (including affiliates) operate or provide TP-Link branded web pages or products. 

You accept and consent to the practices and policies outlined in this Privacy Policy. This Privacy Policy incorporates herein the Terms of Use; both statements should be read in conjunction with each other. This Privacy Policy may change from time to time. Your continued engagement with our Services after such revisions indicates that you accept and consent to them, so please check the Privacy Policy periodically for updates. Your use of the Products is governed by the applicable privacy policy made available to you when you download or access such Products, including on any page where you log in to a cloud account which may be linked from the Websites. For further information regarding our partners’ data protection practices in a specific country and/or region, please refer to the privacy policy tailored for that specific country and/or region via https://www.tp-link.com/en/choose-your-location/. You may consult the respective privacy policy for your country/region of residence or check the policy posted on the page you are viewing to read the data protection practices that apply.

1. Changes to our privacy noticed

This Policy may change at any time as we improve and change our Services. We may notify you by placing a prominent notice on our Services . You should check the Services frequently for updates. If you do not agree with the terms of the updated Policy, you must stop using the Services.

2. Sources and categories of personal data we collect

We collect personal data to the minimum scope which is necessary for the provision of our Services. The personal data we collect may be freely provided by you, received from third parties under your authorization, or, in case of usage data, collected automatically when using our Services.

2.1 Personal Data You Knowingly Provide to Us

When you register or update your TP-Link account(TP-Link ID), we collect or process your account data(email, location, user avatar, user nickname, user country code, user mobile phone identifier, etc.) to send you e-mail for authentication purpose (activating account, password reset etc.).

When you enable device binding, we collect or process your TP-Link ID, device identifier and credentials, user personalized settings (such as device avatar, device family management, etc.) to establish device management relation in the database.

When you subscribe HomeShield through in-app purchase we collect or process your order data (including third-party platform transaction ID, third-party platform subscription ID, third-party purchase certificate, etc.). Our third-party partners (NortonLifeLock Inc. and F‑Secure Corporation) provide SDK in the devices, they vary depending on the models and software version.

2.2 Personal Data We Receive from Third Parties

Some third-party services(Alexa, Google Assistant, etc.) that you choose to integrate with may transmit personal data into your account with us. You authorize that such “Third Party Information” is covered under this Policy and we may use it just as we use your personal data. This information may include but is not limited to, for example, account credentials, names, avatars, profile information, configuration information, images, and linked users (e.g., friends).

You may also voluntarily provide your personal data to us via third-party service providers that help us operate our Services. 

2.3 Personal Data We Collect Automatically

For models with embedded Homeshield SDK: 

Only after you activate Homeshield-Network Security with NortonLifeLock (“Avira”) service on a device, the device active the related SDK that collect or process anonymized data (including randomized user ID, hardware ID, integrator ID etc.), network traffic data(including DNS/HTTP header/DHCP etc.) to protect network from DDoS, IoT Client Intrusion and generate daily/weekly/monthly comprehensive reports. 

Only after you activate Homeshield-Parental Controls with NortonLifeLock (“Avira”) service on a device, the device active the related SDK that collect or process anonymized data (including randomized user ID, hardware ID, integrator ID etc.), network traffic data(including DNS/HTTP header/DHCP etc.) to clients websites browsing management and generate daily/weekly/monthly comprehensive reports. 

Only after you activate Homeshield-Network Security with F-Secure Homeshield service on a device, the device active the related SDK that collect or process anonymized data (including randomized user ID, hardware ID, integrator ID etc.), network traffic data(including DNS/HTTP header/DHCP etc.) to to protect network from DDoS, IoT Client Intrusion and generate daily/weekly/monthly comprehensive reports.

Only after you activate Homeshield-Parental Controls with IPOQUE service on a device, the device active the related SDK that collect or process mobile clients application category data locally inside the gateway and upload network traffic data(including DNS/HTTP header/DHCP etc.) to TP-Link Cloud to generate daily/weekly/monthly comprehensive reports. 

Only after you activate Gaming Boost with IPOQUE service on a device, the device active the related SDK that collect or process mobile clients application category data locally inside the gateway and upload network traffic data(including DNS/HTTP header/DHCP etc.) to TP-Link Cloud to generate daily/weekly/monthly comprehensive reports. 

For models with embedded HomeCare SDK:

When you enable Parental Control-Application management or Antivirus-Malicious Content Filter/Infected Device Quarantine, the related SDK will collect and process the client application info(IP address, requesting URL, File name, File path) to detect malicious URLs and C&C servers.

When you enable Antivirus-Intrusion Prevention System, the related SDK will collect and process Source IP address and Destination IP address to provides network-based intrusion protection for connected clients by detecting and blocking intrusions from network traffic.

When you enable clients recognition, the device active the related SDK that collect or process particular network data(including  MAC addresses and hostname field in DHCP/NetBIOS/MDNS/HTTP) to match accessing clients with a corresponding device type, brand, and model.

When you join our User Experience Improvement Program, we collect and process your general information of the mobile phone, including IMEI number (MEID number), system version number, SDK version number, system information, etc. and the usage status of the product functions based on your consent. If you wish to withdraw your consent, please go to 7. Your Choices. You can also disable the function in “Settings-About-User Experience Improvement Program”, disabling the function means you opt out of the program.

When you report abnormal problems through the feedback function for the purpose of customer support, we collect your email address, user country code, user collection data (including mobile platform, platform version, etc.), device data (including device name, device logs, etc.).

For the purpose of marketing push, we based on your consent collect your associated device, App activity data, App function usage, device usage behavior data, etc. If you wish to withdraw your consent or object to the personalization of adverts and content, please go to 7. Your Choices.

In addition, we may also request related access permissions for the execution of related functions and services in the case where you use our Services, especially where you install and launch our Services.

 

Access

Purposes

Local Network (iOS only)

Local device administration

Notifications

Receiving system notifications

Account Deletion

TP-Link ID deletion and related information

Data Collection and Utilization

User experience improvement

Location

Obtaining SSID information when you onboard a Deco device

Obtaining SSID information when you use Deco Lab

Storage

Wi-Fi Sharing, VPN Server export config file

Camera

Photo taking for TP-Link Account custom avatar function

Detecting infrared cameras when you use Deco Lab

VPN Settings through QR Code Scan

Photos

TP-Link Account custom avatar function

Parental Controls profile avatar

Support center feedback

Bluetooth

Some Deco models and IoT Devices Onboarding

Face ID/Touch ID (iOS only)

TP-Link ID Login with Face ID/Touch ID

Biometric (Android only)

TP-Link ID Login with Fingerprint/Face

3. How we share personal data

We may share your personal information internally and externally with suppliers, advisors, or partners for our legitimate business purposes, and only on a need-to-know basis. When sharing personal information, we implement appropriate checks and controls to confirm that the information can be shared in accordance with applicable laws. Here’s more detail about who we may share your information with and in what kinds of situations:

(1) With Our Authorized Partners: We may share your information with our authorized partners, including affiliates. We share information with our authorized partners to:

  • promote safety, security, and integrity and comply with applicable laws;
  • develop and provide features and integrations;
  • provide customer service and technical support; 
  • understand how customers use and interact with our Services.

(2) Service Providers: To assist in our business operations and better provide our Services (e.g., for software maintenance services, advertising technologies, e-mail services, delivery services, database management services, web analytics, and other services), we may share your information with service providers.

(3) Other Entities with Your Consent: You may choose to integrate certain third-party services with our Services. By doing so, you authorize us to transmit your personal information to third parties when you choose to integrate their services with our Services. Information collected by such third-party services is subject to their own terms and policies, all of which you should carefully and diligently review.

The Services may include links to third-party websites whose privacy practices may differ from ours. Your usage of any such websites is governed by the privacy policies of those websites and not this Privacy Policy. You should carefully review the privacy policy of any website you visit. We will consider your decision to use those third-party products and services with the Products or our Services to be a representation to us that you have consented to the third parties' terms and practices.

We have engaged:

  • Google Assistant and Alexa, virtual assistant technology service providers, to provide device discovery, device management, device control, and live view services for platform users. We provide account credentials, device list, device alias, and the camera's live broadcast data which can be viewed via third-party players with such third parties based on your consent. If you wish to withdraw your consent, please go to 7. Your Choices. We suggest you check the privacy policy of Google Assistant and Alexa.
  • Ookla and Samknows, the related SDK in the device will report IP and network speed data to their server based on your consent. If you wish to withdraw your consent. We suggest you check the privacy policy of Ookla and SamKnows.
  • Google Play and App Store, application distribution platforms and payment channels, to provide payment services and distribute applications to platform users.
  • AWS as our cloud storage and computing service provider. We suggest you check the privacy policy of AWS.
  • Other embedded third-party SDKs, you can check for 2. Sources and categories of personal data we collect. We suggest you check the privacy policy of related SDK of FingHomeShield-AviraHomeShield-F-secure and HomeCare.

We will not provide your personal data to the third party without your clear consent unless such provision approved by relevant laws.

(4) Marketing and Advertising: We may provide user information to our third-party marketing service providers for our promotional and/or marketing practices. We may also disclose information that does not directly identify you to advertising and analytics providers to serve personalized ads for the Services and to better understand your use of the Services.

(5) Change of Control: We may be required to share your information as part of a merger, acquisition, asset sale, asset purchase, financing, bankruptcy, or other change of control.

(6) Responding to Legal Requests: We may share information where we have a good faith belief that such disclosure is necessary to (a) comply with an applicable law or legal process or (b) respond to actual or potential complaints or legal claims, like search warrants, court orders, production orders, or subpoenas. These requests come from third parties such as civil litigants, law enforcement, and other government authorities. Or (c) where otherwise necessary to protect our rights, interests, and/or property (including, without limitation, to enforce our agreements), or the rights, interests, and/or property of our agents, independent contractors, customers, and others.

4. Security of personal data

When you browse community or other websites, you may need to register a TP-Link ID to get all features.

We have implemented measures, including encryption and TLS technology, designed to secure your personal data from accidental loss and from unauthorized access, use, alteration, and disclosure. In addition, we restrict the number of staff in charge with access to your personal data to the minimum level and frequently conduct training and education so that they comply with the confidentiality obligations with respect to your personal data.

Your account’s privacy and security are protected by your password. In order to prevent unauthorized access to your account and personal data, you should select a strong password and protect it by limiting access to your computer, device, browser, or application and by signing off after you have finished accessing your account. If you use a third-party service to sign into your account, you should protect that account accordingly as well.

While we strive to always protect the privacy of your account and personal data in our records, we cannot always guarantee it will be completely secure. The security of your personal data may be compromised by unauthorized entry, unauthorized use, hardware failure, software failure, and other factors at any time.

Here are some best practices to protect your TP-Link ID account:

  • Use complex passwords (a mixture of upper and lower letters, numbers, and symbols) when signing up.
  • Use a unique password different from other website accounts to avoid being involved in their accidental data breaches.
  • Change your passwords regularly.
  • Use 2 Factor Authentication (2FA) if possible.

5. How we store and process your personal data

Your personal data will be transferred or transmitted to, or stored and processed in the following circumstances in accordance with the purposes stated within this Privacy Policy:

  • Places we have infrastructure or data centers, including the United States, Ireland, and Singapore, among other countries where our Services are available. Typically, the primary storage region is the region that is closest to the customer’s region, often with backups to data centers in another region. The storage location(s) are chosen in order to operate efficiently, to improve performance, and to create redundancies in order to protect the data in the event of an outage or other problem.
  • Other countries where our partners, vendors, service providers and third parties are located outside of the country where you live, for purposes as described in this Privacy Policy.

These countries may have different privacy standards that differ from those where you are. Please note that data processed in another country may be subject to different laws and may be accessible to government, judicial, law enforcement, and regulatory agencies in those countries. However, we will take measures to protect your personal data if it is transferred to these countries.

6. Retention of your personal data

We retain personal data for different periods of time depending on the purposes for which we collect and use it, as described in this Privacy Policy. We will delete or de-identify personal data when it is no longer needed to fulfill these purposes unless a longer retention period is required to comply with applicable laws. There may be technical or other operational reasons where we are unable to fully delete or de-identify your personal data. Where this is the case, we will take reasonable measures to prevent further processing your personal data.

7. Your Choices

Depending on where you reside, you may have legal rights to request the following by contacting us as detailed in the “Contact Us” section:

  • Access to, or a copy of, your personal data
  • Confirmation that we are processing your personal data
  • Correction or amendment of your personal data
  • Deletion of your personal data
  • Transfer of your personal data to a third party
  • Restriction or objection to certain uses of your personal data

You can also opt out of our processing or sharing of your personal data for online targeted advertising purposes by following the instructions here

You also have other choices to manage your personal data. For example, you can:

  • Opt-out of our email marketing messages by clicking the “unsubscribe” link at the bottom of our emails.
  • You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.
  • Opt out of the use of data by Google Analytics in supporting browsers here.
  • Opt out of interest-based advertising by companies participating in the National Advertising Initiative and/or the Digital Advertising Alliance opt-out mechanisms here and here. Participating companies will place opt-out cookies on your browser to recognize your choice. Note that your choice may not be recognized if you block or clear cookies. If you use different computers or browsers, you may need to replicate your choices across those computers and browsers.

You may also send us an email to privacy@tp-link.com to request to exercise your rights described above regarding personal data. However, note that we cannot delete the email address used for administrative emails to you (e.g., emails about your transactions, policy changes, forgotten password, and confirmation emails) except by also deleting your user account. 

We may ask you to provide us with information necessary to reasonably verify your identity before responding to your request. Certain information may be exempt from such requests. For example, we may not accommodate a request to exercise certain rights if we believe doing so would violate any law or legal requirement or negatively impact the information's accuracy. If we deny your request in whole or in part, you may have the right to appeal the decision. In such circumstances, we will provide you with information regarding the appeal process.

8. Children's Privacy

Our websites are not directed to, or intended for, children as defined by local legal requirements, and we do not knowingly collect personal data from children. If you believe that we have any such data, please notify us immediately using the contact information provided in the “Contact Us” section and we will delete it as quickly as possible.

9. California Consumer Privacy Act

Click here to read additional disclosures required under the California Consumer Privacy Act.

10. Notice Concerning Do Not Track 

“Do Not Track” is a privacy preference that users can set in certain web browsers. We do not currently recognize or respond to browser-initiated Do Not Track signals. Learn more about Do Not Track

11. Updates To Our Privacy Policy

This Privacy Policy may change from time to time, and we may notify you by updating the Privacy Policy’s effective date above. If there are material changes, we will place a prominent notice on this website or provide notice through other means. We encourage all users to occasionally refer to this Privacy Policy so that they can remain aware of our current practices. If you do not agree with the terms of the updated Privacy Policy, you must stop using the Services. Your continued use of the Services after any Privacy Policy changes means that you agree to the updated Privacy Policy.

12. Contact Us

If you have any questions or need further assistance, please email us at privacy@tp-link.com 

TP-Link Global Inc.

36 Technology, Suite 200, Irvine, CA 92618