Skip to main content

General Terms and Conditions of Shelly Integrator API

(in force as of 20 November 2024, last amended 6 June 2026)

I. Introduction

Art.1. (1) Shelly Europe Ltd. provides Shelly Integrator Application Programming Interface (Shelly Integrator API) - a cloud-to-cloud API for integration, control and device status updates collection from Shelly devices under the terms and conditions set forth below.

(2) Shelly Integrator API enables Integrators to manage devices across single or multiple Shelly user accounts. It is designed for large-scale deployments and industrial use cases involving a big number of devices. Upon permission of the Shelly account user, the Service allows centralized streaming of status data from many shelly accounts to a single point for data ingest. Basic control over the devices is also possible.

(3) We also have Privacy Policy and may have other legal statements and conditions applicable to various activities on Shelly Integrator API, including but not limited to terms and conditions that may apply to your use of Shelly Integrator API, (Special documents). All the foregoing is incorporated herein by reference, and shall, together with these General Terms and Conditions of using Shelly Integrator API ("the Terms") govern your access to and use of Shelly Integrator API and are a binding agreement between Shelly Europe Ltd. and the entity you represent ("You" or "Your"). If any of the Special documents are inconsistent with these General Terms and Conditions, those Special documents shall prevail.

Art. 2. Contact data with Shelly Europe Ltd. during business days from 09:00 until 17:00 CET:

tel: +359 2 988 6954

Open a ticket https://support.shelly.cloud/en/support/home

II. Definitions

Art.3. The following words and expressions when commencing with a capital letter (including when used with a definitive article and/or used in plural) shall have the meaning and content stated herein unless the context requires otherwise:

  1. "Service Provider/Us/We/Shelly Europe" - shall mean the company which owns the Shelly Integrator API -- Shelly Europe Ltd., a company registered according to the laws of Republic of Bulgaria, entered in the Bulgarian Commercial Register and the Register of NPLE at the Registry Agency under UIC: 202320104, having its seat of management in the city of Sofia, Lozenets district, 1407, 51 Cherni Vrah Blvd., Building 3, floor 2 and 3.

  2. Integrator - a legal entity/organization who have obtained a license for use of Shelly Integrator API on its behalf and processes data accessed through the Shelly Integrator API exclusively for the pursuit of its legitimate business interests, including the provision of services or functionalities to its customers in relation to its own products or solutions

  3. "Shelly Smart Control" - is a digital service branded Shelly Smart Control, accessible via Shelly Smart Control App (Shelly App) or online via https://control.shelly.cloud/#/login, that allows remote access, control and monitoring of Shelly devices and the appliances to which these are attached.

  4. Shelly Integrator API - a cloud-to-cloud API for integration, control device status updates and data collection from Shelly devices. API is set of defined rules and protocols that allow different software components to communicate with each other by exposing functionality or data from a system to be used by other software, system, etc. via structured requests and responses. Shelly Integrator API is intended for cloud-to-cloud use only, not cloud to app.

  5. "Shelly Devices" shall mean any smart device branded „Shelly", "Loqed" or "Powered by Shelly" in all models and modifications.

  6. Shelly App User - any person (irrespective individual or legal entity) who has registered an Account with Shelly Smart control App and uses the application outside his trade, business, craft or profession.

  7. Personal Data - has the meaning given to the definition in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

  8. Suggestions - means all suggested improvements to the Shelly Integrator API that You provide to us.

III. Subject Matter

Art.4. (1) These Terms govern the relations between Shelly Europe and each Integrator regarding the use of Shelly Integrator API.

(2) The present Terms do not govern the relationship between the Integrator and the Shelly App User. Any agreements, services, or obligations between them are solely their responsibility.

Art. 5. (1) These Terms are mandatory for the Integrator.

(2) By filing and submitting a registration form and accessing the Shelly Integrator API, the Integrator declares that it has read, accepts and is obliged to comply with these Terms unconditionally. The Integrator is further obliged to comply with all other conditions imposed by the law, even if not mentioned in these Terms.

(3) In case the Integrator disagrees with these Terms, it shall not access and use Shelly Integrator API.

Art. 6. (1) Shelly Europe shall not be liable if the Integrator has not read these Terms.

(2) Shelly Europe shall not be liable for any damages and/or losses arising from non-compliance on the part of the Integrator of the provisions of these Terms and the applicable law.

IV. Access to Shelly Integrator API

Art.7. (1) The access to Shelly Integrator API and usage of its functionalities require filing a Shelly Integrator API access request.

(2) By filing the Shelly Integrator API access request the Integrator provides the following data:

  1. Company name.
  2. Company email address.
  3. Country of registration or operation.
  4. Contact person names.
  5. Contact email.
  6. Contact phone number.
  7. Solution type - energy metering, power metering, load shedding, energy generation and usage balancing, industrial automation, other.
  8. Voluntary provided information regarding the Use case.
  9. What kind of API will be used - Integrator API or Cloud Control API.

(3) The API access request is submitted on behalf of, or for the benefit of the Integrator. In this case, the person submitting the request acknowledges that has the legal right and/or authorization to bind the Integrator with these Terms. He/she may be asked to provide additional registration details, such as the official documentation certifying the existence of the legal entity/organization, etc.

Art.8. (1) The Integrator is responsible for ensuring that all details provided to Us are correct, complete and up-to-date.

(2) Shelly Europe shall not be liable for any loss or damage that may occur for the Integrator due to the provision of incorrect, incomplete or false data (for example inability to access and use Shelly Integrator API, to receive customer support etc.).

Art.9. (1) Shelly Europe will notify the Integrator once the request is satisfied by sending an email or if additional information is required. The email contains authentication information about how to obtain valid JSON Web Token (JWT) and token credentials. These credentials serve as identification of the Integrator. The acquired JWT access token will be valid 24 hours and must be used for issuing WSS connection.

(2) Shelly Europe reserves the right to reject access requests at its sole discretion, particularly in cases of incomplete, inaccurate, or unverifiable information.

Art.10. (1) The Integrator is solely responsible for securely storing and protecting its assigned tag and token credentials. It must take all reasonable measures to prevent unauthorized access, disclosure, or use of these credentials, and agrees to notify Us immediately if suspect any compromise or misuse.

(2) To the extent permitted by applicable law the Integrator takes responsibility for all activities that occur under his assigned tag and token credentials. The Integrator should take all necessary steps to ensure that they will be kept confidential and secure and should inform Us immediately if has any reason to believe that his credentials become known to anyone else, or if they are being, or is likely to be used in an unauthorised manner. The Integrator must immediately notify Shelly Europe in case of breach of security or unauthorized use of his-her credentials.

V. Using Shelly Integrator API

Art.11. (1) The Shelly Integrator API is provided to enable the Integrator to enhance the functionality of his services by integrating with Shelly Integrator API. Shelly Integrator API is a cloud-to-cloud API integration that enables the Integrators to request access to the devices of Shelly App Users upon Shelly App User's permission and register them to Integrator's service.

(2) The right to use Shelly Integrator API is provided by Shelly Europe for an indefinite period and is available free of charge. The use of the Shelly Integrator API shall remain in effect unless and until terminated by the Integrator or Shelly Europe as provided herewith.

(3) To share a device each Shelly App user shall be logged in with their existing Shelly account, select which device they want to share with the Integrator and choose what additional access rights to provide the Integrator -- read or read and control.

(4) The Shelly App user has full control over access permissions and can grant, extend, or revoke an Integrator's access at any time through the Shelly App interface without prior written notice то the Integrator or Shelly Europe. If access is revoked, the Integrator will immediately lose the ability to access the device through Shelly Integrator API.

Art.12 (1) To successfully integrate with Shelly Integrator API, each Integrator is required to establish and maintain an open WebSocket connection to our cloud infrastructure. Upon initiating the connection, the Integrator must authenticate using a valid JWT issued by Shelly Europe. Failure to authenticate correctly will result in immediate termination of the connection.

(2) Shelly Europe's systems communicate via structured HTTPS requests and persistent WebSocket connections. As part of the integration, Integrator's system must be capable of both sending and receiving such communications reliably.

(3) Shelly Integrator API sends real-time event notifications over the WebSocket connection. These events may include, but are not limited to: device state changes (e.g., online/offline, status updates), device settings changes (e.g., configuration updates), command execution events (e.g., command sent, acknowledged, executed) or errors, etc.

(4) The Integrator is responsible for implementing appropriate listeners and handlers to process these event messages in real time. The Integrator is responsible to route, manage, store and process the data on his own.

(5) The Integrator must ensure that his systems remain responsive to events and acknowledgments over WebSocket and HTTP interfaces. In case of repeated timeouts, failures, or improper handling of events, we reserve the right to suspend or throttle your access to protect Shelly Integrator API stability and our cloud stability.

Art.13 Shelly Europe is allowed to set and enforce limits on Integrator's use of the Shelly Integrator API (e.g. limiting the number of API requests that the integrator may make or the number of devices that may be accessed) in its sole discretion and without prior notice.

Art.14. Shelly Europe uses reasonable care and skill to keep the Shelly Integrator API operational and provides the Integrator with the experience that is normally expected for this type of service. However, Shelly Integrator API features and their availability may change from time to time such as but not limited:

  1. may experience temporary interruptions due to technical difficulties, maintenance or testing, or necessary updates of the Shelly Integrator API.

  2. To improve Integrator experience and optimize Shelly Integrator API constantly, Shelly Europe reserves the right to provide replacement, modified and updated versions of the Shelly Integrator API to change, suspend or discontinue any of the Shelly Integrator API' functionalities without prior notice to You. After a new version of the Shelly Integrator API is released, Shelly Europe does not guarantee that older versions will continue to be usable. In addition, Shelly Europe may stop (permanently or temporarily) providing any features within the Shelly Integrator API. Shelly Europe shall not be held liable for any loss or damages occurred because of replacement, modification, and updated version, including but not limited to the unavailability or the lack of support to previous version(s) of the Shelly Integrator API.

VI. Rights and Obligations of the Integrator and Shelly Europe

Art.15. (1) The right to use Shelly Integrator API is non-transferable, and non-assignable. The Integrator may not assign sublicense, transfer, or otherwise grant access to their credentials or related privileges to any third party without prior written consent from Shelly Europe. Any unauthorized transfer or sharing of access credentials may result in the suspension or termination of the Integrator's access.

Art. 16. (1) The Integrator is obliged:

  1. not to use in any way that could damage Shelly Integrator API, Shelly App Users, Shelly devices or Shelly Europe's and its affiliates general business.

  2. not to use their access for any unauthorized activities, including but not limited to: accessing, modifying, or using Shelly App User's data beyond the agreed service scope, sharing access credentials with unauthorized third parties, using Shelly App user's data for marketing or personal gain without lawful justification, selling personal data, scrape, build databases or otherwise create copies of any data accessed or obtained using Shelly Integrator API, except as necessary to enable an intended usage scenario for its Use case.

  3. not to use Shelly Integrator API and/or its functionalities for any unlawful purpose or any purpose prohibited under this clause.

  4. not to input, submit, transmit, disclose or otherwise make available any data accessed, received or derived through Shelly Integrator API to any artificial intelligence, machine learning or generative AI system, model, service or tool, nor to use any such data for the purpose of training, developing, fine-tuning, evaluating, prompting or operating (including by way of inference) any such system, model, service or tool [save with Shelly Europe's prior written consent and subject to compliance with applicable data protection laws]

  5. not to use any "deep-link", "robot", or other automatic or manual device, software, program, code, algorithm or methodology, to access, copy or monitor any portion of Shelly Integrator API, its website or in any way reproduce or circumvent the navigational structure or presentation of the Shelly Integrator API.

  6. not to gain or attempt to gain unauthorized access to any portion or features of Shelly Integrator API, Shelly App users devices, or any other system or network connected to them, by hacking, "password-mining" or using any other illegitimate method of accessing data.

  7. not to probe, scan or test the vulnerability of Shelly Integrator API, its website or any network connected to Shelly Integrator API or the website, nor breach the security or authentication measures of Shelly Integrator API or any network connected to it.

  8. not to use any device, technology or method to interfere or attempt to interfere with the proper functioning of Shelly Integrator API and its features or any transactions occurring on Shelly Integrator API, or with any other person's use of Shelly Integrator API, such as computer virus and/or malware/malicious software.

  9. not to take any action that would cause an unreasonably or disproportionately large load on the infrastructure of the Shelly Integrator API, its website or our systems or networks, or any systems, or networks connected to the website, to the Portal or to us or similar attack.

  10. not to use Shelly Integrator API or its website:

    • i. to harass, abuse, or threaten others or otherwise violate any person's legal rights.
    • ii. to violate any of the Shelly Europe's intellectual property rights or any third-party rights.
    • iii. to perpetrate any fraud, including but not limited to engage in or create any unlawful gambling, sweepstakes, or pyramid scheme.

(2) Shelly Europe has the right at its solo discretion to suspend, prohibit or limit access to Shelly Integrator API and/or some of its features temporarily or permanently by a specific Integrator or in general case of an established or assumed abuse by the Integrator or third parties of these Terms, the applicable law or any third party rights, as well as in compliance with an order of a competent authority and/or in fulfillment of a statutory obligation and in cases of unusually high traffic and other technical grounds. Shelly Europe shall not be liable for any eventual or sustained loss or damages to the Integrator that may occur as a result of such actions, nor is Shelly Europe obliged to provide any explanation or enter into any correspondence with the Integrator.

Art. 17 (1) The Integrator is obliged to settle his/her relations with an Internet provider of the local and mobile network and the services and settings of the operator necessary for the operation of the Shelly Integrator API.

(2) Shelly Europe shall not be liable for the improper functioning of Shelly Integrator API when it is due to lack of or low quality of the Internet connection.

Art.18. The Integrator is responsible for establishing, implementing, and maintaining appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of all data accessed, received, or derived using Shelly Integrator API. This includes, but is not limited to:

  1. ensuring secure access to the Shelly Integrator API and associated systems (e.g., use of HTTPS, authentication via secure credentials or tokens).

  2. preventing unauthorized access, disclosure, or alteration of data.

  3. safeguarding stored data, logs, and backups using industry-standard encryption and access controls.

  4. monitoring for and responding to security incidents or breaches in a timely manner.

The Integrator shall promptly notify Shelly Europe of any actual or suspected security breach related to data accessed through Shelly Integrator API and cooperate fully in any related investigation or mitigation efforts.

Art.19 (1) By using Shelly Integrator API, the Integrator acknowledges that acts as independent data controller concerning any personal data they access, collect, or process. The Integrator is solely responsible for determining the purposes and means of the processing of personal data within its own services and shall ensure that all such processing complies with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), where applicable and must be able to demonstrate compliance with applicable data protection laws.

(2) The Integrator further represents and warrants that it has obtained all necessary rights, consents, and legal bases to collect, process, and transfer such data through Shelly Integrator API in connection with the services it provides to its own users or customers.

(3) To the extent required by data protection laws applicable to the parties processing of personal data under these Terms, the parties agree to be bind by Controller-to-Controller data protection terms hereto as Exhibit 1. Nothing in the Agreement shall be construed as creating a joint controller or processor-subprocessor relationship between the Integrator and Shelly Europe.

(4) Any misuse of Shelly Integrator API, including unauthorized access, data breaches, or non-compliance with data protection obligations, may result in immediate suspension or termination of the Integrator's licenses granted herein.

VII. License for use of the Shelly Integrator API

Art.20. Subject to and in consideration of your full compliance with the Terms, Shelly Europe grants to the Integrator for the entire term of Your use of the Shelly Integrator API and throughout the world the non-exclusive, revocable, personal, worldwide, royalty-free, non-assignable non-sublicensable license to use the Shelly Integrator API solely for the purpose of integrating his service with Shelly Integrator API.

Art.21. If the Integrator provides any Suggestions to Us, We will be entitled to use the Suggestions without restriction. The Integrator hereby irrevocably assigns to Us all right, title, and interest in and to the Suggestions and agrees to provide Us any assistance we require to document, perfect, and maintain our rights in the Suggestions.

VIII. Intellectual Property and Confidentiality

Art.22. (1) Shelly Europe has and retains all its rights over the intellectual property on or related in some way to the Shelly Integrator API, including but not limited to its software, design, interface, code, content, functionalities, logos, graphic images or inscriptions, commercial symbols, dynamic symbols, texts and/or multimedia Content, documentation, and any related materials, etc. irrespective of whether these are its own or received by way of contractual licenses or in any other manner.

(2) All Shelly trademarks, service mark, trade names, logos, domain names, and any other features of the Shelly brand (Shelly Brand Features) are sole intellectual property of Shelly Europe or Shelly Europe has all rights on their use. These Terms do not grand the Integrator any rights to use any Shelly or its Brand Features, whether for commercial and non-commercial purposes.

(3) Nothing in these Terms shall be deemed permission on the part of Shelly Europe to the Integrator to reproduce, copy, recompile, disassemble, reverse engineer, create derivative works or modify in any other manner any part of Shelly Integrator API, including by entering any external content thereto.

Art.23. (1) The use of Shelly Integrator API is licensed, not sold or transferred to the Integrator, and Shelly Europe retains ownership of all copies.

(2) You may be given access to certain non-public information, software, and specifications relating to Shelly Integrator API ("Confidential Information"), which is confidential and proprietary to Shelly Europe. You may use Confidential Information only as necessary in exercising your rights granted under these Terms. You may not disclose any Confidential Information to any third party without Shelly Europe's prior written consent. You agree that you will protect any Confidential Information from unauthorized use, access, or disclosure in the same manner that you would use to protect your own confidential and proprietary information.

Art.24. (1) Shelly Integrator API is intended exclusively for commercial use by the Integrator. Each Integrator may only use the Shelly Integrator API to perform legitimate business activities. Any unauthorized use of Shelly Integrator API is strictly prohibited.

(2) To protect the legitimate interests of Shelly Europe, the Integrator shall:

  1. refrain from any actions that could harm the reputation, integrity, or functionality of Shelly Integrator API.

  2. not engage in any competitive activities, including developing or promoting services that directly compete with Shelly Integrator API.

  3. not misuse the Shelly Integrator API in a way that violates applicable laws, regulations, or contractual obligations.

Art. 25. In case of violation of art.24 by Integrator Shelly Europe shall have the right to suspend or terminate access and seek indemnification for the suffered thereof damages and losses.

IX. Limitation of Liability

Art.26. (1) The Integrator is solely responsible for his use of Shelly Integrator API and for any direct, indirect, incidental, special, punitive or consequential loss or damages, including any loss of business or profit, arising out of any use, or inability to use, that may occur to him, or any third party including but not limited Shelly App Users. THE ACCESS AND USE OF SHELLY INTEGRATOR API ARE AT THE INTEGRATOR'S SOLE RISK AND IS PROVIDED "AS IS," "AS AVAILABLE." SHELLY EUROPE MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES ON MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THE SHELLY INTEGRATOR API, INCLUDING REGARDING THE UNINTERRUPTED AVAILABILITY, ERROR-FREE OPERATION, OR FITNESS FOR A PARTICULAR PURPOSE.

(2) The Integrator will exercise and rely solely on his own skill and judgment within the use of Shelly Integrator API. Any access, management or control of Devices maintained by the Integrator are the sole responsibility of the Integrator and for any consequences thereof - for any direct, indirect, incidental, special, punitive or consequential loss or damages, including any loss of business or profit, arising out of any use, or inability to use, that may occur, including the use of those actions by Shelly App User, other users of services, employees, agents, consultants, directors, officers, representatives, consultants, etc. The Integrator shall at his own expenses and risks ensure that his use of Shelly Integrator API complies with all applicable legal requirements.

(3) Shelly Europe shall not be held liable for any loss or damages that may occur for the Integrator or any third party including but not limited Integrator's customers, employees, agents, consultants, directors, officers, representatives, consultants, partners, etc. in case any malfunctions of the Shelly Integrator API occur or the Shelly Integrator API became fully or partially unusable, or Shelly device is damaged due to improper control, maintained by the Integrator causing harmful behavior of the configuration.

(4) Shelly Europe shall not be liable for any damages, losses, or liabilities arising from:

  1. any unauthorized access to a Shelly app User's devices resulting from Integrator's failure to protect their credentials or implement adequate security measures.

  2. any actions, modifications, or data processing activities performed by the Integrator while accessing a Shelly App user's device, as each Integrator is solely responsible for their use of Shelly Integrator API.

  3. any consequences that arise from Shelly App User's granting Integrators with read or read and control access to their devices.

(5) Shelly Europe has no liability to the Integrator, nor any obligation to provide compensation in connection with internet or other service outages or failures that are caused by third parties or events beyond Shelly Europe's control.

(6) Shelly Europe makes no representations, warranties or guarantees, whether express or implied that Shelly Integrator API will operate without defect, interruption or error, and no compensation can be claimed in case of direct or indirect damage of any kind caused by a failure of Shelly Integrator API or arising from use of Shelly Integrator API, including but not limited to indirect, incidental, punitive, exemplary, special or consequential damages, loss or leakage of data, loss of customers, loss of turnover, damage to image or loss of opportunity of any kind.

(7) Shelly Europe shall not be in default in the event of delay or non-performance due to a case of force majeure usually recognized by jurisprudence, for example in the event of a natural or climatic disaster, conflict involving the armed forces, act of terrorism, riot, epidemic, embargo, flood, shortage of energy or raw materials, cut-off or restriction of the Internet networks, etc. The case of force majeure suspends the obligations of Shelly Europe whose performance is thus prevented.

(8) The limitation of liability contained in these Terms shall apply to the fullest extent permitted by the applicable laws.

X. Indemnity

Art.27. The Integrator undertakes to defend, indemnify and hold Us and our affiliates harmless from and against all liabilities, damages, claims, actions, costs and expenses (including without limitation legal fees), in connection with or arising from the use or misuse of Shelly Integrator API, unauthorized access, Your breach of these Terms, or Yours conduct or actions. We may, if necessary, participate in the defence of any claim or action and any negotiations for settlement. No settlement (neither court nor contractual) which may adversely affect our rights or obligations including settlement of any claim that involves any commitment, including payment of money, shall be made without our prior written approval.

XI. Termination

Art.28. (1) The terms of using Shelly Integrator API will continue to apply until terminated by either the Integrator or Shelly Europe in the cases provided for in these Terms.

(2) The Integrator may terminate his agreement with Shelly Europe at any time by sending a notice to support@shelly.cloud The notice shall consist of information regarding the Integrator's credentials and email address. Upon receiving a valid termination request, We will review, respond to, and take the necessary actions to complete the termination within one (1) month from the date of receipt.

(3) Shelly Europe may terminate the agreement with the Integrator at any time for any reason, including, but not limited to: (i) The Integrator has violated these Terms or (ii) The Integrator create risk or possible legal exposure for Shelly Europe or Shelly App users; or (iii) our provision of Shelly Integrator API to the Integrator is no longer commercially viable iv.) misuse of access privileges is detected, data breaches, or non-compliance with data protection obligations v) an Integrator engages in fraudulent activities. vi) at our discretion with immediate effect without prior notice and stating any reasons, such termination shall not give rise to any liability for compensation, damages, or penalties vii) in all cases specified in the current Terms.

(4) Nothing in this section shall affect our rights to change, limit or stop the provision of Shelly Integrator API without prior notice.

(5) In the event of termination of our relationship, Shelly Europe shall permanently suspend all rights of use and access to Shelly Integrator API as of the date of termination and you will immediately stop using Shelly Integrator API. All licenses granted herein immediately expire and You must cease use of Shelly Integrator API.

XII. Personal Data

Art.29. (1) Upon filing an API access request, grounds for collection and processing personal data may arise and personal data might be processed. The purpose of the processing of the provided personal data is providing the use of Shelly Integrator API and the basis for the processing is the fulfilment of our contractual and pre-contractual obligations and our obligations under applicable law. We process your personal data when you access the Website for the purposes of the legitimate interests pursued by Us.

(2) We enable You to get acquainted, in an easy and user-friendly manner, with our Privacy Policy.

XIII. Marketing

Art.30. (1) Shelly Europe may provide Integrators with access to news, offers, and posts for engagement and knowledge-sharing.

(2) You may subscribe to our newsletter, and We will send You commercial messages regarding all commercial activities offered on Shelly Integrator API, including but not limited to new services, new Shelly Integrator API functionalities/features or promotional campaigns. We may also send you marketing information based on our legitimate interest.

(3) You are entitled to subscribe or unsubscribe from receiving such messages at any time by clicking on the unsubscribe link in the message.

(4) Shelly Europe reserves the right to contact the Integrator to request information about their use of Shelly Integrator API, including integration details and business use cases. We may prepare and publish a success story or case study for marketing and promotional purposes.

XIV. Miscellaneous

Art.31. (1) These Terms may be amended or modified unilaterally by Shelly Europe at any time at its sole discretion or if the amendments have been imposed by virtue of legal acts entered into force, and without an explicit prior notification to the Integrator. Such amendments shall be effective and binding upon the Integrator 14 days from the date of their publishing on Shelly Integrator API website.

(2) The Integrator, on his responsibility should read these Terms regularly and familiarize himself with the amendments (if any). Integrator's continued use of Shelly Integrator API and its functionalities following the implementation of amendments will constitute binding acceptance of those amendments.

Art.32. If any provision of these Terms is deemed as abolished, invalid or unenforceable, such provision shall be considered as severable, and shall not affect the validity and enforceability of the other provisions.

Art.33. Shelly Europe has the right to transfer all or part of its rights and obligations for service to its affiliates.

Art.34. All disputes arising out of the implementation of or in connection with these Terms shall be settled by mutual negotiation. In event of failure to reach a mutual agreement by negotiation, all disputes shall be governed and construed in accordance with the laws of Republic of Bulgaria. You agree to submit to the exclusive jurisdiction of the competent Bulgarian court all disputes, controversies or disagreements which may arise, in relation to these Terms.

Exhibit 1 — Controller-to-Controller Data Protection Terms

Shelly Europe and the Integrator have entered into an agreement for the provision of Shelly Integrator API (as amended from time to time, the "Agreement").

These Controller-to-Controller data protection terms ("Controller Terms") are entered into by Shelly Europe and the Integrator and supplement the Agreement. These Controller Terms will be effective and replace any previously applicable terms relating to their subject matter, from the Agreement's effective date.

These Controller Terms reflect the parties' agreement on the processing of Personal data.

I. Definitions

Art.1. In these Controller Terms, the following terms and expressions, when first capital letter (including when used in plural) shall have the meanings assigned to them in this article 1, unless the context otherwise requires no matter if used in plural or in singular:

  1. "Controller Terms" means this Controller-to-Controller data protection terms and all schedules.

  2. "The agreement" -- the General terms and conditions of Shelly Integrator API.

  3. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

  4. "EU Data Protection Laws" means the GDPR and laws implementing or supplementing the GDPR.

  5. "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

  6. "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

  7. "EEA" means the European Economic Area.

  8. "Affiliates" means any entity, any other entity that directly or indirectly controls, is controlled by, or is under common control with such entity. For the purposes of this definition, "control" means the direct or indirect ownership of more than 50% of the voting securities or other ownership interests of an entity, or the ability to direct the management or policies of such entity, whether through ownership, contract, or otherwise.

  9. "Data Incident" means any unauthorized access, acquisition, disclosure, alteration, loss, destruction, or misuse of personal data or other confidential information, whether accidental or intentional, that compromises the security, integrity, or confidentiality of such data. This includes, but is not limited to, data breaches, security vulnerabilities, system intrusions, or any event that may result in the unlawful or unintended processing of data.

The terms, "Commission", "Controller", "Data subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", "Third country" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

II. Purpose and Scope

Art.2. (1) Shelly Europe Ltd. provides Shelly Integrator Application Programming Interface (Shelly Integrator API) - a cloud-to-cloud API for integration, control and device status updates collection from Shelly devices under the terms and conditions of the Agreement.

(2) Shelly Integrator API enables Integrators to manage devices across single or multiple Shelly user accounts. It is designed for large-scale deployments and industrial use cases involving a big number of devices. Upon permission of the Shelly account user, the Service allows centralized streaming of status data from many shelly accounts to a single point for data ingest.

(3) The Integrator, as an independent business entity, will process personal data of Shelly account users.

(4) This Controller Terms governs the sharing of personal data between the Parties as independent controllers under the GDPR. In the event of conflict between the terms of the Agreement and this Controller Terms, the terms of the Controller Terms will take precedence regarding matters specifically related to the processing of personal data.

(5) The Parties acknowledge that they do not process personal data on behalf of each other and act as separate controllers determining their own purposes and means of processing. Each party will comply with the obligations applicable to it under the Data Protection Laws.

III. Processing of Personal Data

Art.3. In connection with the use of the Shelly Integrator API, the following categories of personal data may be shared between the Parties, subject to the permissions granted by the Shelly account user and solely for the purpose of enabling the integration and management of Shelly devices:

  1. Account Identification Data -- Shelly account user's e-mails;

  2. Device-Linked Metadata:

    • Device names or labels assigned by the user (e.g., "Living Room Sensor");
    • Device location data;

  3. Usage and Status Data:

    • Real-time and historical device status (e.g., on/off states, temperature readings, power consumption, etc.);
    • Time-stamped activity logs generated through use of the devices.

  4. Control interaction data:

    • Records of commands or settings initiated by the user or through the Integrator's interface;

(3) The parties shall not use the personal data for purposes other than those specified under these Controller Terms, including, but not limited to, the following profiling End-consumers for targeted advertising, selling or sharing data with third parties, unsolicited direct marketing, automated decision-making, disclosing data for competitor analysis, whether during or after the term of these Controller Terms.

(4) The Parties shall comply with all applicable Data Protection Laws.

Art.4. (1) Each Party shall ensure that it has valid legal ground for processing personal data.

(2) Both Parties shall maintain transparent privacy policies informing Data subjects of the nature and purpose of data processing.

V. Personnel Education

Art.5. (1) Each Party shall take reasonable steps to ensure the reliability of any employee, its Processors or sub-processors which may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Personal data, as strictly necessary for the purposes of these Controller Terms, and to comply with Applicable Laws in the context of that individual's duties to the relevant Party, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

(2) Each Party must ensure that employees and other parties who have access to personal data are authorized to process personal data on behalf of that Party. If such authorization expires or is withdrawn, access to the personal data must cease without undue delay.

(3) Each Party shall only authorize persons who need access to the personal data to fulfil their obligations under the Agreement, these Controller Terms and any other processing that is necessary to fulfil obligations to which the Party is subject.

(4) Each Party must ensure that persons authorized to process personal data on behalf of the Party are subject to obligations of confidentiality either by agreement or applicable law. The obligations of confidentiality shall survive the duration of these Controller Terms and/or employment relationship.

VI. Security and Data Breaches

Art.6. (1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data subjects, each Party shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk and to protect personal data against unauthorized access, loss, alteration, or disclosure.

(2) In assessing the appropriate level of security, each Party shall take account of the risks that are presented by processing, in particular from a Personal data breach. Security measures shall include but are not limited to: encryption of personal data in transit and at rest, access control and authentication mechanisms, regular security assessments and audits, incident response and breach notification procedures.

(3) Each Party shall carry out risk assessments to ensure that an appropriate security level is maintained at all times. The Party must ensure regular testing, analysis and assessment of the security measures, in particular with regard to ensuring sustained confidentiality, integrity, availability and robustness in processing systems and services, and the ability to quickly restore the availability of personal data in the event of an incident.

Art.7. (1) The Parties shall notify each other immediately and without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data or any Security incident, providing each other with sufficient information to allow themselves to meet any obligations to report or inform Data Subjects and/or the competent Supervisory Authority of the Personal data breach under the Data protection laws.

(2) The Parties shall cooperate and take reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach/Privacy incident.

(2.i) In the event of a Personal Data Breach or Security Incident if the Party has reasons to believe that such have occurred, the relevant Party shall notify the other Party immediately after becoming aware of the Security Incident/Personal Data Breach.

(2.ii) Such notification must be sent by email to the contact data of each party with the subject: "Service Provider's name/ Security Incident". This notification must include:

  • A description of the nature of the Security Incident/ Personal Data Breach, including to the extent possible, the categories and numbers of Data Subjects affected, and the categories and numbers of Personal Data records concerned.
  • The contact details of the appointed responsible persons or other relevant contact from whom information may be obtained;
  • A description of the likely consequences of the Security Incident/Personal Data Breach and
  • A description of the measures taken or proposed by the Party to address the Security Incident/Personal Data Breach, including, where appropriate, the actions taken to mitigate any adverse consequences.

(2.iii) The Parties agree and warrant that they will cooperate with each other so that each of them will be able to meet its obligation to notify Supervisory Authorities and/or the Data subjects of a Security Incident as required by the Data protection laws.

(2.iv) Each Party shall bear the full cost of the remedial actions taken in response to the Security Incident/Personal Data Breach.

(2.v) The Parties undertake and ensure that they regularly monitor the state of data protection and the relevant best practices and technologies for the maintenance of implemented technical and organizational measures in order to ensure a level of protection corresponding to the risks presented throughout the duration of these Controller Terms.

VII. Data Subject Rights

Art.8. (1) Each Party is responsible for responding to data subject requests related to the data it controls, including: right of access (Art. 15 GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction of processing (Art.18), right to data portability (Art. 20 GDPR), right to object and automated individual decision-making (Art. 21 GDPR).

(2) If a Party receives a data subject request concerning data controlled by the other Party, it shall forward the request within 5 days as of receipt.

(3) The Parties shall provide reasonable assistance to each other in ensuring compliance with data subject rights.

VIII. Data Protection Impact Assessment and Prior Consultation

Art.9. If requested the Parties shall provide reasonable assistance to each other with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which a Party reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to processing of personal data by, and taking into account the nature of the processing and information available to.

IX. Deletion of Personal Data

Art.10. (1) Each Party shall retain the shared personal data only for as long as necessary for the specified purposes in accordance with their own Privacy policies.

(2) Upon termination of these Controller Terms, both Parties shall securely delete any remaining shared data unless legal obligations require further retention.

X. Cooperation and Audit Rights

Art.11. (1) The Parties shall cooperate in good faith to ensure GDPR compliance, including providing necessary information upon request. This includes providing reasonable assistance in responding to inquiries, requests, audits or investigations from supervisory authorities, and to data subject requests where appropriate.

(2) If an audit reveals a breach in the obligations in the applicable Data Protection Law or these Controller Terms, the Party must rectify the breach as soon as possible. The other Party may require this Party to temporarily stop all or part of the processing activities until the breach has been rectified.

(4) Each Party shall pay its own costs associated with the audit. If an audit reveals significant breaches of the obligations under applicable Data Protection Law or these Controller Terms, this Party shall pay for the other's Party reasonable costs accrued from the audit.

(5) Both Parties shall assist each other in responding to regulatory investigations and data protection impact assessments. The Parties shall notify each other immediately and without undue delay upon receiving a request, starting a regulatory investigation, etc. from a competent supervisory authority regarding the processing of personal data under the Agreement and these Controller Terms. Such notification shall include sufficient information to enable both Parties to coordinate their response, fulfill any reporting obligations, and, where necessary, inform Data Subjects and/or the competent supervisory authority.

XI. Data Transfers Outside the EEA

Art.12. (1) The Parties acknowledge that Personal Data may be transferred between them in their respective capacities as independent Data Controllers, including transfers to or from jurisdictions within and outside the European Economic Area ("EEA"). Each Party shall ensure that any such transfer of Personal Data complies with applicable data protection laws, including the GDPR, and shall not cause the other Party to be in breach of its obligations under those laws.

(2) Transfer to Third countries or international organizations may only take place if there are the necessary guarantees of an adequate level of data protection in accordance with the applicable Data Protection Laws. Such transfers shall be made on the basis of:

  1. A valid adequacy decision by the European Commission pursuant to Article 45 GDPR, confirming that the recipient country ensures an adequate level of data protection; or

  2. In the absence of such a decision, appropriate safeguards in accordance with Article 46 GDPR, including the use of the European Standard Contractual Clauses adopted by the European Commission, as updated or replaced from time to time (Appendix № 1). For the purposes of the EU SCCs, Shelly Europe is the data exporter, and the Integrator is the data importer.

(3) Each Party agrees to provide reasonable cooperation, upon request, to enable the lawful transfer of Personal Data, including the execution of additional safeguards or documentation as required. Transfers shall be suspended or adjusted as necessary when the legal basis for the transfer is no longer valid or adequate safeguards cannot be ensured.

(4) If the Integrator transfers data without complying with the applicable Data Protection Laws, the Integrator shall be fully liable for the transfer and any resulting adverse consequences. This includes, but is not limited to, regulatory fines, penalties, claims, or any other legal or financial liabilities imposed due to non-compliance. The Integrator shall indemnify and hold Shelly Europe Ltd. and/or its affiliates, its and/or subsidiaries and/or their representatives harmless from any damage arising from such unauthorized data transfer.

XII. Liability and Indemnification

Art.13. (1) Each Party shall be responsible for its own compliance with GDPR and Data protection laws.

(2) If a Party reasonably believes that the other Party or its Processors/Sub-processors do not comply with its obligations under the Agreement and/or the Controller Terms, the Party shall have the right to suspend or terminate all or any part of these Controller Terms, effective on the date on which the Processor is so notified by the Controller, which notification shall be sent by registered mail, return receipt requested.

(3) The Integrator shall be liable in full for any and all damage suffered by Shelly Europe and/or its affiliates, its and/or subsidiaries and/or their representatives as a result of personal data breaches due to reasons related to the Integrator or its Processors/Sub-processors' data processing activities. In the event that administrative sanctions are imposed and/or damages are paid to Data Subjects due to a failure by the Integrator to comply with its obligations under these Controller Terms and/or its obligations under the Data Protection Laws, the Integrator shall be liable to reimburse Shelly Europe and/or its subsidiaries and/or their representatives in full for the administrative sanctions and damages paid by them.

(4) The Integrator shall indemnify and hold harmless Shelly Europe, its affiliates, subsidiaries and their representatives from and against any and all actions or claims by third parties -- including Data Subjects, and from and against any administrative fines imposed on Shelly Europe by a supervisory authority for an alleged breach of Applicable Data Protection Law caused by the failure of the Integrator or any of its Sub-Processors to comply with the data processing obligations under these Controller Terms or the applicable law.

XIII. Term and Termination

Art.14. (1) These Controller Terms may be terminated:

  1. Upon termination of the Agreement.

  2. By mutual consent of the Parties.

  3. Unilaterally by a Party upon written notification with immediate effect, if that Party reasonably believes that the other Party or its Processors/Sub-processors do not comply with obligations under these Controller Terms.

  4. Shelly Europe may terminate these Controller Terms upon written notice if the Integrator: (i) fails to correct a material breach of its obligations under these Controller Terms within fifteen (15) days after receipt of written notification of such material breach; (ii) ceases to carry on business as a going concern; or (iii) initiates a bankruptcy, reorganization or insolvency proceeding, or has such a proceeding initiated against it, makes an assignment for the benefit of creditors, or consents to the appointment of a trustee.

(2) Upon termination of these Controller Terms for any reason or cause whatsoever, each Party shall securely delete or return shared data unless legally required to retain it.

XIV. Miscellaneous

Art.15. All disputes arising out of the implementation of or in connection with these Controller Terms shall be settled through negotiations between the parties. When the Parties fail to achieve an agreement through negotiations, all disputes related to the present contract (agreement) shall be settled in accordance with the Bulgarian Law by the jurisdiction of the competent Bulgarian court.

Art.16. (1) These Terms may be amended or modified unilaterally by Shelly Europe at any time at its sole discretion or if the amendments have been imposed by virtue of legal acts entered into force, and without an explicit prior notification to the Integrator. Such amendments shall be effective immediately and shall be binding upon the Integrator 14 days from the date of their publishing on Shelly Integrator API website. Amendments may have retroactive effect.

(2) The Integrator, on his responsibility should read these Controller Terms regularly and familiarize himself with the amendments (if any). Integrator's continued use of Shelly Integrator API and its functionalities following the implementation of amendments will constitute binding acceptance of those amendments.

Art.17. If any provision of these Controller Terms is deemed as abolished, invalid or unenforceable, such provision shall be considered as severable, and shall not affect the validity and enforceability of the other provisions.

Art.18. Shelly Europe has the right to transfer all or part of its rights and obligations for service to its affiliates.

Appendix 1 — Standard Contractual Clauses

The Standard Contractual Clauses referenced in Exhibit 1, Article 12(2) are the EU Standard Contractual Clauses (Module One: Controller to Controller) as adopted by the European Commission and available at https://ec.europa.eu/info/law/law-topic/data-protection_en. For the purposes of these Clauses, Shelly Europe is the data exporter, and the Integrator is the data importer. The parties shall complete the Annexes to the Standard Contractual Clauses in accordance with the actual data processing relationship and applicable legal requirements.