Skip to main content

Privacy Policy of Shelly Integrator API

(in force as of 20 November 2024, last amended 6 June 2026)

I. Introduction

Shelly Integrator Application Programming Interface (API) is a cloud-to-cloud API for integration, control and device status updates collection from Shelly devices. API is set of defined rules and protocols that allow different software components to communicate with each other by exposing functionality or data from a system to be used by other software, system, etc. via structured requests and responses.

This Privacy Policy describes how Shelly Europe Ltd. ("We") processes personal data in the context of using Shelly Integrator API, which as a service is provided exclusively to Integrators - business Partners - legal entities/organizations. It explains the types of personal data we process, how we collect and use it, and the rights of individuals whose data is processed under the applicable data protection laws, including the European Union's General Data Protection Regulation ("GDPR").

For the avoidance of any doubt „Shelly Devices" by the meaning of this Privacy Policy shall mean any smart device branded „Shelly", "Powered by Shelly", "Loqed" in all models and modifications.

II. Controller

The Personal Data related to Shelly Integrator API are processed by Shelly Europe Ltd., UIC: 202320104, having its seat and registered address in Europe, Bulgaria, 1407 Sofia, No 51 "Cherni Vrah" Blvd., Building 3, floor 2 and 3.

III. Personal Data

Personal data means any information relating to an identified or identifiable natural person ("Data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as that term is defined under the General Data Protection Regulation (GDPR).

IV. Data Subject

The Data Subjects to whom this Privacy Notice shall apply is the individual whose personal data we are processing ("the Data Subject"/ "You").

V. Data Protection Officer

You may address all your requests about the processing of your Personal Data to our Data Protection Officer via e-mail at dpo@shelly.com

VI. About Shelly Integrator API

Shelly Integrator API enables Integrators to manage devices across multiple Shelly user accounts. It is designed for large-scale deployments and industrial use cases involving a big number of devices. Upon permission of the Shelly account user, Shelly Integrator API allows centralized streaming of status data from many shelly devices to a single point for data ingest. Basic control over the devices is also possible.

The access to Shelly Integrator API and usage of its functionalities require filing a Shelly Integrator API access request. During this process personal data of Data subjects will be shared with Us by the Integrator.

VII. Types of Personal Data That We Process

1. The Integrator's data (non-personal data):

  • Company name.
  • Company email address.
  • Country of registration or operation.
  • Solution Type -- energy metering, power metering, load shedding, energy generation and usage balancing, industrial automation, other.
  • Voluntary provided information regarding Integrator's use case.
  • What kind of API will be used.

2. Contact person data (personal data):

  • Names.
  • Contact email address.
  • Contact phone number.

We do not collect the personal data of the contact persons directly from themselves. Instead, this information is submitted to us by the Integrator as part of the service registration process.

Since the personal data of the contact persons is not collected directly from the individuals, the Integrator company is solely responsible for ensuring that the personal data it provides is accurate, up to date, and submitted in compliance with applicable data protection laws. The Integrator is responsible for:

  • Ensuring that it has a lawful basis under applicable data protection laws to share the personal data with us.
  • Informing the contact person, before disclosing their data to us, about the nature, purpose, and legal basis of the processing and providing them with all information required under the applicable data protection laws.

By submitting the registration form, the Integrator confirms and represents that it has fulfilled its obligation to inform the relevant contact persons and obtained any required authorizations or consents where necessary.

3. Other data:

  • Certain technical and usage-related to the use of Shelly Integrator API data. This includes, but is not limited to, API requests sent to our Cloud, such as timestamps, request content (e.g., device commands or status queries), authentication tokens, IP addresses, number and frequency of requests, and associated metadata required for security, performance monitoring, rate limiting, and troubleshooting purposes.
  • Data generated during a customer support request - such as e-mails, messages, history of the correspondence, any correspondence content, sender and recipient information.
  • Device Data and Service Usage.

For providing the Integrator with the Shelly Integrator API We are also processing information about the Shelly Devices that are shared with the Integrator, including the information about interaction with Shelly Integrator API.

Based on our legitimate interest in accordance with Art. 6(1)(f) of GDPR we process personal data to:

  • Effectively provide and manage Shelly Integrator API and to ensure its proper functioning.
  • Communicate with the contact person that has been appointed in reference to the Service, as well as providing the necessary customer support when requested.
  • Respond to any claims against us and to protect the rights, privacy, property, or safety of Shelly Europe Ltd. (including its affiliates and subsidiaries), our users, or the public as required or permitted by law.
  • Enforce legal claims, including investigation of potential violations of the applicable terms of Service.
  • Detect, prevent, or otherwise address fraud, abuse, security, or technical issues with the Service, prevent hacking, frauds and other non-compliant use of the Service.
  • Maintain adequate security measures and protect against liability, including complying with industry standards and enforcing our policies, detection of spam, malware, illegal content, and other forms of abuse on our systems in violation of our security policies.
  • Anonymized and statistic data about the usage of our Service for the purposes of operating, evaluating, and improving the Service and our business.
  • Maintain Shelly Integrator API to ensure it is working as intended by performing regular monitoring of our system and activity information to identify and fix problems and avoid interruption.
  • Direct marketing and administration of joint promotions/marketing campaigns/contests etc. with our partners.

Based on the law when it is necessary or appropriate, we can process Personal data in accordance with Art. 6(1)(с) of GDPR to:

  • Comply with applicable laws, regulations, and procedures.
  • Respond to requests or orders from public, government and judicial authorities.

IX. Sharing Information with Third Parties

The following categories of Third-Parties may process your Personal Data as part of our operations:

  • Affiliates - other companies within the group of Shelly Group SE to which Shelly Europe Ltd. belongs to carry out business activities on a regular basis and or authorized employees within the group of Shelly Group SE involved in service delivery, administration, or support.
  • Service providers - carefully selected companies that provide services for or on our behalf, such as providers of cloud services, customer support services, e-mail and messaging services, including direct marketing services, infrastructure supply and IT services.
  • Professionals in various fields (such as but not limited to external marketing, product and service consultants, auditors, legal, finance and accountancy advisors) for maintenance and improvement the quality of Shelly Integrator API, ensuring compliance with regulatory requirements, protection of our legitimate rights and interests in court and administrative proceedings.
  • State bodies and public authorities to which we might be obliged to disclose personal data when this is required by law, legal process, administrative or court order to disclose your information.
  • Other parties in connection with corporate transactions as part of a merger or transfer, acquisition or sale, or in the event of bankruptcy; In this case, Data subjects will receive a clear notification via email and/or our website regarding the change of ownership, the incompatibility of new use of personal information, and the choice of personal information.

We require and pay attention that the above stated third parties apply all required technical and organizational measures for the protection of the Personal Data shared with them.

X. Cross-Border Data Transfers

Personal Data you entrust to us will primarily be processed by us in European Union. However, some of our Third-Party Service Providers and specifically our providers of support, e-mail messaging services for direct marketing, are not located in the European Union. The main country outside the European Union where your Personal Data can be processed by such service providers, is the United States. All these international data transfers are subject to legal requirements to ensure that your personal information is processed safely and as you would expect, which means your Personal Data is likely to end up in other countries, including outside the European Union. We will process your Personal Data for marketing purposes including by sharing these with these service providers only upon your explicit consent.

XI. Retention of Data

The retention period of the Data depends on the legal basis relied upon to process your Data.

We retain personal data for no longer than necessary to fulfill the purposes for which it was collected. Specifically Contact person data is retained for as long as the Integrator uses Shelly Integrator API, until the Integrator designates a new contact person or if required under our legal obligations in the respective countries we operate.

Following the expiration of the above-stated time limits, the Data is deleted and may not be retrieved and used any longer.

The data shall not be deleted but shall continue to be processed only for protection of our legitimate rights and interests or in compliance with our legitimate obligations, in the event that as of the date of expiration of the above stated time limit there is pending court, administrative and pre-court proceedings -- until its closing.

XII. Data Subject Rights

Individuals whose personal data we process have the following rights under the data protection law:

  • Right of access -- to obtain information about the processing and a copy of the data free of charge. If we are unable to provide the Data subject with access to his Personal Data because disclosure would violate the rights and freedoms of third parties, we will notify him of this decision.
  • Right to rectification -- to correct inaccurate or incomplete data.
  • Right to erasure -- to request deletion of their data in certain circumstances. The right to be forgotten is not an absolute right and might not be respected in cases provided for by the law or because of a lack of reliable verification of Data Subject's identity. Deleted data cannot be recovered by Shelly Europe Ltd.
  • Right to restriction of processing -- to limit processing in specific cases: (i) The accuracy of Your data is challenged or (ii) an objection to the use of Your Data or (iii) in case of unlawful processing of Data but you do not want it to be deleted, or (iv) Data are no longer needs your data but you want the organisation to keep it to create, exercise or defend legal claims.
  • Right to object -- to object to processing based on legitimate interests (i) for legitimate interests; (ii) for statistical purposes; or (iii) for direct marketing purposes.
  • Right to lodge a complaint -- with the supervisory authority in the Member State of your residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to You infringes the GDPR. Data subjects have the right to submit complaints or signals to the supervisory authority at any time, in case they believe the processing of their personal data violates the legislation on personal data protection.

Without prejudice to your right of complaint to the supervisory authority at any time, please contact us in advance and we promise to make everything possible to settle any disputes amicably.

Only a person who can be identified by us as a Data Subject has the opportunity to exercise his/her rights under this section. He/she may contact us at: dpo@shelly.com and after submitting a written request and verifying his/her identity the requested information will be provided.

If We have legitimate concerns regarding Data Subject's identity, we may request the provision of additional information necessary to verify his/her identity. We reserve the right to refuse access to the required information if we are not in a position to identify the individual submitting a request.

XIII. Information Security Measures

The security, integrity, and confidentiality of your Personal Data are extremely important to us. We have implemented technical, contractual, organisational, and physical security measures that are designed to protect our Data Subjects' Personal Data from unauthorised access, disclosure, use, and modification. We regularly review our security procedures and practices to consider appropriate new technology and methods. Please be aware that, despite our best efforts, no security measures are perfect or impenetrable.

XIV. Privacy Policy Updates

We may update this Privacy Policy from time to time due to changes in Shelly Integrator API, the applicable laws and our legitimate interest. You can determine when the Privacy Policy was last revised by the date provided at the beginning of this page.

Any changes will become effective 14 days upon publishing in the application or making them available to the User in other way.

XV. Further Information

If you have any additional questions, please do not hesitate to contact us at: dpo@shelly.com