WEBSITE PRIVACY STATEMENT

Version update date: [1/11/2024]

Version effective date: [1/11/2024]

The entity responsible for the processing of personal data referred to below is O&J Automotive Netherlands B.V. (hereinafter referred to as “O&J”, “we” or “us”), a private company with limited liability established under the laws of the Netherlands, having its statutory seat at Kingsfordweg 151, 1043GR Amsterdam. To ensure compliance with European data protection legislation, O&J is the data controller of this personal data.

We give top priority to the protection of your personal data, and we process your data in accordance with applicable data protection laws. This statement provides comprehensive information about the processing of personal data when you use our website.

This Privacy Statement does not apply to:

  • The processing of personal data when you use our vehicle;
  • Your use of third-party services on our website. The data processing of these services is subject to their individual privacy policies, which we strongly advise you to read carefully;
  • Your use of mobile apps provided by O&J;
  • Our employee personal data or candidate recruiting practices.

In this Privacy Statement, we will explain to you:

  1. What personal data do we collect and how do we use it?
  2. What third-party services do we use?
  3. With whom will we share this data?
  4. How do we transfer your data outside the EU?
  5. What rights do you have in relation to your personal data?
  6. How long do we retain your data?
  7. How do we protect your data?
  8. Privacy of Children
  9. How can you contact us and make a request?
  10. How will we update this Privacy Statement?

1. What personal data do we collect and how do we use it?

We use the personal data collected when you visit our web applications to manage and meet your service and information requests, to make our products and services as effective as possible, and to protect our IT systems from attacks and other illegal activities.

To communicate with you:

| Data Processing Purpose | Type of Personal Data | Legal Basis for Processing |
| --- | --- | --- |
| To fulfill requests or service appointments you make to us, including test drives, service and event appointments | Your contact information, including your name, your phone number, and your email address. (note: we may contact you to confirm your booking or request) | Performance of a contract with you or necessary in order to take steps at your request prior to entering into a contract |
| To respond to any feedback, requests, questions, or complaints you may have regarding our products and services (in person, online, telephone, email, etc.) | Your contact information, including your name, your phone number, and your email address; Communication and interactions information, including your request details | Performance of a contract with you or necessary in order to take steps at your request prior to entering into a contract; Necessary for our legitimate interests: to administer customer inquiries and requests |
| To participate in surveys or our offline event about your experience with our products and services | Account information; Your contact information, including your name; Survey or feedback details | Necessary for our legitimate interests: to understand, analyze and improve customer experience |
| Sign up for marketing communications | Your basic information, including contact information; Order information | Where you have provided your consent |

To realize our product functions and services:

| Data Processing Purpose | Type of Personal Data | Legal Basis for Processing |
| --- | --- | --- |
| To create your account | Your username, password, email, phone number | Where you have provided your consent |
| To fulfill and complete your orders, including reservations, orders and pre-orders, and other transactions entered with us | Your contact information, including your name, your phone number, your email address, and your delivery address; Order information; Financial information | Performance of a contract with you |
| To diagnose and repair your vehicle, and provide assistance with claims, maintenance and parts replaced | Vehicle Identification Number (VIN), engine number; Information generated by the vehicle; Information related to how the vehicle is used and operated; Order information | Necessary for our legitimate interests as well as to fulfil our legal obligations, such as conducting safety-related recalls. |

To ensure information security, and to understand and improve our products and services:

| Data Processing Purpose | Type of Personal Data | Legal Basis for Processing |
| --- | --- | --- |
| To detect and defend against unauthorized access to data, and to enhance information security | Device information; Network activity information | Necessary for our legitimate interests: to protect the confidentiality, integrity, and availability of IT systems |
| To upload crash logs for troubleshooting | Account information; Relevant crash logs | Where you have provided your consent |
| To understand and analyze website UI behavior and usage, so as to improve our services | Analytics data (aggregated data on UI behavior, usage and analytics of website) | Necessary for our legitimate interests: to understand, analyze and improve customer experience; Where you have provided your consent (website cookies) |

Other circumstances

| Data Processing Purpose | Type of Personal Data | Legal Basis for Processing |
| --- | --- | --- |
| To demonstrate compliance with regulatory requirements | Contact information; Order information; Vehicle information | Necessary to comply with a legal obligation |
| To prevent thefts, and to ensure safety in Stores | Video images captured through CCTV | Necessary for our legitimate interests: to monitor the security of store assets and ensure Data Subjects’ safety |

2. What third-party services do we use?

On our websites, we incorporate social plugins from popular social networks like Instagram, Facebook, Twitter, TikTok, and YouTube. Here’s how they work:

  • When you visit our websites, social media plugins are initially deactivated. This means no information is transmitted to the network operators. If you want to use any of these networks, simply click on the respective plugin to establish a direct connection to their servers.
  • If you’re logged into your user account on a social network when you activate the plugin, the network can recognize your visit to our websites and associate it with your account. To prevent this, please log out of the network before activating the social plugin. The social network cannot detect your visits to other websites of ours unless you activate its social plugin on those sites too.
  • When you activate a social plugin, the network directly transfers the available content to your browser, which integrates it into our websites. During this process, data transfers controlled by the respective social network may occur. Your connection to a social network, the data transfers between the network and your system, and your interactions on the platform are governed solely by the network’s data protection provisions.
  • The social plugin remains active until you deactivate it or delete your cookies. For more information about cookie settings, please read our Cookie Policy.

Please note that our website may feature links to external websites beyond our control, and this Privacy Policy does not apply to them. If you access these websites through the provided links, the operators of those websites may collect information from you according to their own privacy policies, which may differ from ours.

3. With whom will we share this data?

3.1 Affiliates and subsidiaries

To assist, operate, enhance, and fulfil services on our behalf based on our legitimate interests to outsource certain operations, we share personal data with our affiliates and subsidiaries.

3.2 Service providers and business partners as data processors:

We share data with our service providers and partners to maintain our business operations, our relationship with you, and provide you with our services:

| Categories of providers | Reason for Sharing |
| --- | --- |
| IT-providers and their sub-processors | Personal data is transferred to IT-providers who supply general business support systems to us, such as software and data storage providers. |
| Authorized retailer(s) (and its sub-processors) | Personal data is transferred to authorized retailer(s) for the purpose of communication and administration of the handover of cars (if applicable). |
| Marketing and advertising suppliers | To assist, operate and fulfil services with marketing services or with digital advertising. |
| Cloud service providers | To enhance vehicle function and provide cloud service. |

3.3 Law enforcement and government authorities

To fulfil our legal obligations, we may be required to disclose information in response to subpoenas, court orders, or lawful requests from government authorities conducting investigations. This includes compliance with law enforcement requirements, regulatory inquiries, and the verification or enforcement of our policies and procedures. We may also disclose information in emergency situations to prevent or halt potentially illegal, unethical, or legally actionable activities. When we receive a request for personal data from a law enforcement authority, we assess the necessity and proportionality of the requested information.

4. How do we transfer your data outside the EU?

In principle, the personal data we collect is stored in the countries of your place of residence or within the European Economic Area and UK; your data will be stored at our data center located in Germany.

We, as an international company, share your personal data with group companies, subcontractors, and business partners worldwide. Specifically, we transfer personal data for IT-support, hosting services, maintenance, and customer service. This means that your personal data may be processed by other companies or subcontractors located outside the European Economic Area or UK, which may have a data protection standard differing from the country in which we are located. Regardless of where your personal data is processed, we apply the same protections as described in this Statement. We transfer your personal data in accordance with the legal frameworks required by different jurisdictions. Recipients of your personal data are required to adhere to the same level of privacy safeguards as mandated by applicable data protection laws. These include, but are not limited to:

5. What rights do you have in relation to your personal data?

5.1 Right to withdraw consent

Where you have given consent for the processing of your personal data, you may withdraw your consent at any moment with effect for the future.

5.2 Right to access your personal data

You have the right to request information about the personal data we hold regarding you. Upon request, we will provide you with a copy of your personal data.

5.3 Right to rectification

You may request from us the rectification of incorrect or incomplete personal data concerning you. We make reasonable efforts to keep personal data in our possession or control, which are used on an ongoing basis, accurate, complete, current and relevant, based on the most recent information available to us.

5.4 Right to restriction

You may request from us the restriction of processing of your personal data, if:

  • You contest the accuracy of your personal data, for the period we need to verify the accuracy;
  • The processing is unlawful and you request the restriction of processing rather than erasure of your personal data;
  • We no longer need your personal data for the processing purpose, but you require them for the establishment, exercise, or defense of legal claims; or
  • You object to the processing while we verify whether our legitimate grounds override yours.

5.5 Right to portability

You have the right to receive your personal data provided to us and, where technically feasible, request its transfer to another organization. This right applies if we process your personal data through automated means, based on your consent or for the performance of a contract you are a party to. Your personal data must have been provided by you, and this right should not adversely affect the rights and freedoms of others. You can receive your personal data in a structured, commonly used, and machine-readable format. The transmission of your personal data to another organization is subject to technical feasibility.

5.6 Right to erasure

You have the right to request that we delete the personal data we process about you. We must comply with this request unless the processing of your personal data is necessary for:

  • Compliance with a legal obligation requiring processing by laws to which we are subject;
  • Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes; or
  • The establishment, exercise, or defense of legal claims.

5.7 Right to object

You have the right to object, at any time, to the processing of your personal data based on our legitimate interests or the legitimate interests of a third party, provided that the processing is not based on your consent. If you exercise this right, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or if the processing is necessary for legal claims. If you object to the processing, please let us know if you also wish for your personal data to be erased.

5.8 Right to be informed

You have the right to be informed about the collection and use of your personal data. We have prepared this Statement for this purpose, and you will be informed of any changes to this Statement.

5.9 Right to lodge a complaint

You have the right to lodge a complaint with your local data protection supervisory authority or with any other data protection authority in the EU. However, we would appreciate it if you first contact us to try to solve your issue – you can find our contact details in Section 8.

6. How long do we retain your data?

We retain data related to our provided services in accordance with legal obligations. If you are a customer, we will keep your data for the duration of any contractual relationship you have with us, and, where permitted, beyond the end of that relationship for as long as necessary to fulfil the purposes set out in this Privacy Statement.

We retain the data we collect from or about you for the period necessary to fulfil the purposes outlined in this Privacy Statement, unless a longer retention period is required or permitted by law. Once the data is no longer necessary for these purposes, we either delete it or retain it in an anonymized form. In determining the appropriate retention period, we take into account various criteria, including the type of services requested by or provided to you, the nature of our relationship with you, the potential impact on the services we provide to you if we delete certain data about you, and the retention periods mandated by law.

7. How do we protect your data?

We strive to maintain high security standards and have implemented robust technical and organizational measures to protect your data, in accordance with the current, general state of technology. We ensure that your personal data is adequately secured against loss, falsification or unauthorized access. However, please note that the transmission of information via the internet is not completely secure. While we do our best to protect your personal data, we cannot guarantee 100% security of your data transmitted to us.

Once we have received your personal data, we use strict procedures and security features to prevent unauthorized access. In the unfortunate event of a personal data incident, we will report it and take remedial measures in accordance with the requirements of the law and regulatory authorities.

We take the security and privacy of your data seriously. To ensure the highest standards of data protection, all personal data collected through our services is stored in a secure data storage centre located in Frankfurt, Germany (Zone A), owned by Alicloud (Germany) GmbH, located at Neue Rothofstraße 13-19, 60313 Frankfurt am Main, Germany. This location adheres to the stringent data protection regulations set by the European Union under the General Data Protection Regulation (GDPR).

8. Privacy of children

We do not knowingly collect or use any personal data from children (we define children as minors younger than 16) without prior, verifiable consent which is given or authorized by the holder of parental responsibility over the child. We do not knowingly allow children to order our vehicles, communicate with us, or use any of our online services.

If you become aware that a child has provided us with personal data, please contact us: Privacy@mychery.com. We will take all reasonable measures to delete the information as soon as possible and to not use such information for any purpose, except where necessary to protect the safety of the child or others as required by law.

9. How can you contact us and make a request?

If you have any questions about the processing of your personal data, we recommend reading through this Privacy Statement first.

To make a query, raise a concern, or exercise your data subject rights, please feel free to contact us via:

E-mail Address: Privacy@mychery.com

We take your privacy seriously and aim to respond to you within one month or within the timeline specified by the relevant local privacy protection law, after confirming your identity. If you believe that we have not adequately addressed your complaints or concerns, you have the right to lodge a complaint with a competent data protection authority.

10. How will we update this Privacy Statement?

We may update this Privacy Statement, for example, to reflect changes in our business operations and measures for protecting personal information. If we make changes to this Privacy Statement, we will notify you. Where changes to this Privacy Statement significantly impact the nature of our data processing or have a substantial effect on you, we will provide sufficient advance notice, allowing you the opportunity to exercise any applicable rights