Effective: November 1, 2019


At Buildings IOT ("BIOT") and its subsidiaries, Operational Technology Integrators ("OTI"), Kodaro, LLC ("Kodaro"), and Controlco ("Controlco"), we believe the privacy of your data is very important to protect and keep secure. This Privacy Policy covers the information we collect about you when you use our products, services, websites, or otherwise interact with us, unless a different policy is displayed. BIOT and its subsidiaries offer a wide range of products and services including, but not limited to, consulting services, building integration and automation services, public and private cloud software, help desk services, operational technology (OT) and informational technology (IT) hardware. In this policy, we refer to all of these products and services, including our websites, as "Service" or "Services".


Information we collect about you

The information we collect about you is information that you provide to us when accessing our Services or otherwise provide it directly to us when you voluntarily fill out forms on our websites or at marketing events such as industry conferences, live demos and webinars.

If you use our public or private Cloud Services, users are asked to supply their name, email address and company name to ensure they are authorized to access these resources. As you navigate our Cloud Services, we track clickstream data about how you interact with and use the features contained in the service. At all levels of access across our Cloud Service, we track usage for statistical purposes (to understand how and where users are finding the most value on the platform to inform future software updates and new designs).

When you contact our Help Desk with a question or to ask for help, we keep that correspondence and all contact information in our enterprise help desk software.

If you use our publicly accessible websites for BIOT or its subsidiaries, we keep track of certain information automatically and obtain such information through Cookies and Google Analytics. This information may include details on your browser type, how often you visit our site and from what country, length of visit and your IP address.

Other information collected through our publicly accessible websites or at industry events may include:

  • contact details, such as your name, title, company/organization name, e-mail address, telephone and fax numbers, and physical address

  • information about your company, and job function

  • your e-mail marketing preferences

  • information used to customize and facilitate your use of our websites, including login and technical information

  • inquiries about and orders for our products and services

  • information that assists us in identifying the products and services that best meet your requirements

  • event registration information

  • feedback from you about our websites and our products and services generally


You are not required to provide any of this information collected through our websites or provided to us at industry events, but if you do not, we may not be able to provide you the requested service or complete your transaction.

How we use the information we collect

How we use the information we collect depends in part on which Services you use, how you use them, and any preference you have communicated to us. Below are the specific purposes for which we use the information we collect about you.

When our private or public Cloud Services are accessed across your organization, we use our collected information to customize welcome messages, verify users against our approved list and allow for unique access to the appropriate levels of the platform.

We use the information collected from our Help Desk to help you resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Services.

For account related services, we use your contact information to send transactional communications via email and within the Services, including reminding you of license expirations, responding to your comments, questions and requests, providing customer support and sending technical notices, updates, security alerts and administrative messages. All payment processing is performed through Netsuite at our enterprise. No payment information is ever requested or processed through our Cloud Services. We also send you communications as you onboard a particular Service to help you become more proficient in using that Service. These communications are part of the Services and in most cases you cannot opt out of them. If an opt out is available, you will find that option within the communication itself or in your account settings.

We use the information collected from our publicly accessible websites to send, by email, promotional communications, newsletters, survey requests and events that may be of specific interest to you. We also communicate with you about new product offers and promotions. You can control whether you continue to receive these communications by using the opt out information that is available within the communication itself or in your account settings.

How we share the information we collect

We’ll never sell any personal info to third parties, and we won’t use names or personnel or companies in external marketing without your permission.

The only times we’ll ever share your info:

  • To provide products or services you've requested, with your permission.

  • To investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, or as otherwise required by law.

  • If BIOT is acquired by or merged with another company — we don’t plan on that, but if it happens — we’ll notify you well before any info about you is transferred and becomes subject to a different privacy policy.​


Your Rights With Respect to Your Information

As a California-based company, we are required under the new California Consumer Privacy Act ("CCPA") to allow users to request that their data be deleted from our records. We are happy to comply to deletion requests sent to us via any contact form on our site.

You may have also heard about the General Data Protection Regulation (“GDPR”) in Europe. GDPR gives people under its protection certain rights with respect to their personal information collected by us on the Service. Accordingly, BIOT recognizes and will comply with GDPR and those rights, except as limited by applicable law.


The rights under GDPR include:

  • Right of Access. This includes your right to access the personal information we gather about you, and your right to obtain information about the sharing, storage, security and processing of that information.

  • Right to Correction. This is your right to request correction of your personal information.

  • Right to Erasure. This is your right to request, subject to certain limitations under applicable law, that your personal information be erased from our possession (also known as the “Right to be forgotten”). However, if applicable law requires us to comply with your request to delete your information, fulfillment of your request may prevent you from using BIOT services and may result in closing your account.

  • Right to Complain. You have the right to make a complaint regarding our handling of your personal information with the appropriate supervisory authority.

  • Right to Restrict Processing. This is your right to request restriction of how and why your personal information is used or processed.

  • Right to Object. This is your right, in certain situations, to object to how or why your personal information is processed.

  • Right to Portability. This is your right to receive the personal information we have about you and the right to transmit it to another party.

  • Right to not be subject to Automated Decision-Making. This is your right to object and prevent any decision that could have a legal, or similarly significant, effect on you from being made solely based on automated processes. This right is limited, however, if the decision is necessary for performance of any contract between you and us, is allowed by applicable European law, or is based on your explicit consent.


Many of these rights can be exercised by signing in and directly updating your account information. If you have questions about exercising these rights or need assistance, please contact us at

Processors we use

As part of the services we provide, and only to the extent necessary, we use third party subprocessors, such as cloud computing providers and customer support software. We choose these third party subprocessors because of their GDPR-compliant safeguards put in place everywhere personal data is processed. The Subprocessors we use are:

  • Amazon Web Services. Cloud hosting and cloud services provider.

  • HubSpot. Service tickets, help desk, and email campaign software.

  • Okta. Identity and access mangament provider.

  • Google. Site analytics (website) and customer interactions (email).

  • Oracle Netsuite. Accounting management and webstore software.

  • Mailgun. Email transmission software.


Law enforcement

In the unlikely event that law enforcement is interested in the level of information we collect in performing our Service, we would never share your data with law enforcement unless a court order mandates such action. We reject requests from local and federal law enforcement when they seek data without a court order. And unless we're legally prevented from it, we’ll always inform you when such requests are made.

Cloud Services Security & Encryption

Physical Security

Our state-of-the-art servers are protected by biometric locks and round-the-clock interior and exterior surveillance monitoring. Only authorized personnel have access to the data center. 24/7/365 onsite staff provides extra protection against unauthorized entry and security breaches.



Over public networks, we send data using strong encryption. We use SSL certificates issued by GoDaddy Inc. The connection uses AES_256_CBC for encryption, with SHA2 for message authentication and ECDHE_RSA as the key exchange mechanism.

Our storage system uses AES-256/ SHA-256 encryption. Files are encrypted with AES-256, sliced, replicated, and geographically dispersed to separate data centers on private, end-to-end encrypted network connections. Device, system and controls data isn’t encrypted at rest — they are active in our database and subject to the same protection and monitoring as the rest of our systems.

Deleted data

All your Cloud Services content will be inaccessible immediately upon cancellation. Within 30 days all content will be permanently deleted from all servers and logs. This information cannot be recovered once it has been permanently deleted.

Location of Site and Data

All Cloud Services are operated in the United States. If you are located outside of the United States, please be aware that any information you provide to us via our platform will be transferred to the United States. By using our cloud services, participating in any of our services and/or providing us with your information, you consent to this transfer.

Third party websites

Users may find advertising or other content on our publicly accessible websites that link to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our site, is subject to that website's own terms and policies.

Children's Online Privacy Protection Act compliance

We are in compliance with the requirements of COPPA (Children's Online Privacy Protection Act), we do not collect any information from anyone under 13 years of age. Our websites, products and services are all directed to people who are at least 13 years old or older.

Changes & questions

BIOT may update this policy on occasion — we’ll notify you about significant changes by emailing the account owner or by placing a prominent notice within our platform. You can access, change or delete your personal information at any time by contacting our support team.

Want to know more?

If your IT teams have specific concerns not addressed here, work through your primary account manager to have more details explained and/or to set up a meeting with your IT leaders. For more information, you can email us at