This Privacy Statement provides an overview of the data processing principles of Auve Tech OÜ (hereinafter us/we or Auve Tech). Here you will find how we process the personal data of our partners, customers and visitors to our website and other marketing channels. Our goal is to be reliable and transparent when processing personal data.

1. Definitions

1.1 Data Subject / you means a natural person about whom we have information or information that can be used to identify a natural person.

1.2 Privacy Statement means this text, which sets out Auve Tech’s principles of personal data processing.

1.3 Client means any natural or legal person who has purchased or expressed their desire to purchase our products and/or services.

1.4 Please note! If a person is simply a passenger in a self-driving vehicle, then he or she is not our Client and the owner or user of the respective vehicle is usually the controller for the processing of the passenger’s personal data.

1.5 Contract means a service/sales or other agreement entered into between us and the Client, incl. standard terms and conditions and other applicable procedures and policies.

1.6 Website means primarily our website https://auve.tech/, as well as our social media pages.

1.7 Visitor means a person who uses the Website.

1.8 Services are the services and products we offer in connection to self-driving vehicles and related systems.

1.9 Cookies are data files that are stored on the Website Visitor’s device and which enable the operation of the Website and various other functions.
Definitions in the field of personal data are used in the Privacy Statement as defined in the EU General Data Protection Regulation (2016/679).

2. General terms and contact

2.1 Auve Tech OÜ is a legal person in Estonia, registry code 14635771, located in Harjumaa, Tallinn, Haabersti district, Vabaõhumuuseumi tee 1-304, 13522. We process your personal data as a controller, e.g. if you visit our Website or are an employee of ours. We belong to the same group with AS Silberauto and Auve Production OÜ.

2.2 In terms of our Services different controller-processor or controller-controller relationships can be used, depending on the setup of the Services. For example, we are processors of personal data when providing support and maintenance for our Clients; we can be a processor, separate controllers or joint controllers with our Clients when we, operate the self-driving system and data from the vehicle’s cameras and other systems. Generally we are controllers when we operate the self-driving system. More precises information about controller-processor statuses is given to the Data Subjects by our Clients and/or in the self-driving vehicle. We do not control how our Clients and other operators use gathered data outside of operating the self-driving vehicle and connected systems. For that please ask or read relevant privacy policies of self-driving vehicle owner/ operator.
We are the controllers of personal data when we independently develop our Services (however, in general, personal data is not used for said purpose).

2.3 The Privacy Statement Applies to Data Subjects and all our employees and cooperation partners who have contact with the personal data in our possession are guided by the rights and obligations specified in the Privacy Statement.

2.4 We do not knowingly process children’s personal data.

2.5 If you have any questions regarding the processing of personal data, you can contact us by writing to us at: gdpr@auve.tech. In order to exercise your rights in relation to your personal data, we may ask for a digitally signed application (or otherwise verify your identity). We will respond to requests related to personal data within 30 days of receiving them.
Please note that the links shared on the Website are governed by the privacy terms and conditions of their respective service providers/persons. As regards the processing of personal data published by the Data Subject on our social media (e.g. Facebook, Instagram), both the Privacy Statement (for our Processing) and the terms and conditions of the respective social media platform apply.

3. Principles

3.1 Our goal is to process personal data responsibly and transparently, and to be ready to demonstrate the compliance of the processing of personal data with the stated objectives and applicable data protection regulation.

3.2 All our processes, guidelines and processing activities related to the processing of personal data are based on the following principles: lawfulness, fairness, transparency, purposefulness, minimisation, accuracy, storage limitation, integrity, confidentiality, and data protection by default and by design.

4. Categories of personal data and collection of personal data

4.1 As a general rule, we collect and process the following types of personal data:

  1. Personal data disclosed to us by the Data Subject (e.g. if you contact Us);
  2. Personal data arising from regular communication with the Data Subject;
  3. Personal data clearly disclosed by the Data Subject (e.g. if you comment on our social media);
  4. Personal data deriving from the use of Services;
  5. Personal data resulting from visiting and using the Website;
  6. Personal data received from third parties;
  7. Personal data created and combined by us (e.g. e-mail correspondence within the framework of a Client relationship or a list of order history);
  8. Personal data of our employees and candidates to our job vacancies (see about processing of candidate’s personal data from: Privacy Statement for Job Applicants

5. PURPOSES, GROUNDS FOR, AND ACTIVITIES OF PROCESSING

We process personal data in accordance with data protection regulations and only if we have a basis for processing. The processing grounds we use are:

5.1 Consent. Based on consent, we process personal data precisely within the limits, to the extent and for the purposes for which the Data Subject has given us their consent. The Data Subject’s consent to us shall be freely given, specific, informed, and unambiguous, for example, by ticking the box on the Website. For example, we may send marketing messages based on consent. Consent may also be expressed by a clear act, for example, the Data Subject can, at their own discretion, send inquiries through the inquiry forms on our Website, in which case we process their data to respond to them and offer them Services.

5.2 When concluding and performing the Contract, we may process personal data for the following purposes:

  1. to take measures prior to the conclusion of the Contract at the request of the Data Subject;
  2. identification of the Client to the extent required by due diligence;
  3. performing the obligations assumed to the Client with regard to the provision of our Services, incl. product information, delivery information if necessary, etc.;
  4. communicating with the Client;
  5. ensuring compliance with the payment obligation;
  6. the submission, realisation and protection of claims.

5.3 Legitimate interest. Legitimate interest means our interest in managing and directing our company and enabling us to offer the best possible Services on the market. In case we are using legitimate interest, we have previously assessed your interests and ours. We may process your personal data on the basis of legitimate interest for the following purposes:

  1. Independent development of our Services to further improve our Services and make our Services safe and efficient;
  2. managing and analysing Client (also potential clients) database and for marketing activities in order to improve the availability, selection and quality of Services;
  3. ensuring a better user experience, higher quality services, and operation of various channels; we may analyse identifiers and personal data collected when our Website, our social media pages and other sales channels and Services are used, and we may collect statistics about Visitors and Clients;
  4. organising campaigns, incl. organising personalised and targeted campaigns. The terms and conditions of campaigns are set out separately;
  5. sending marketing offers to the Clients or potential customer if the respective person has previously purchased a similar product. In this case, the person is always guaranteed to have a simple opportunity to resign from the communication, and we have considered our and the Client’s interests;
  6. conducting satisfaction, incl. customer satisfaction surveys and measuring the effectiveness of marketing activities performed;
  7. making recordings; we may record messages and orders given both in our premises and using means of communication (e-mail, phone, etc.) as well as information and other activities we have performed, inter alia, calls to landline numbers. If necessary, we use these recordings to prove orders or other activities;
  8. network, information and cyber security reasons, for example measures for combating piracy and ensuring the security of the Website as well as for making and storing back-up copies;
  9. processing for organisational purposes, foremost for financial management and transfer of personal data within the group for internal management purposes (but also audits and other potential supervision), including for processing the personal data of Clients or employees;
  10. establishing, exercising or defending legal claims, incl. assigning claims to, for example, collection service providers, or obtaining information from institutions assessing creditworthiness;
  11. protecting health and property of us, our employees and Clients, for example, we may use cameras that may also record sound to ensure safety and security on our territory and our self-driving vehicles are equipped with cameras.

5.4 In order to fulfil our legal obligations, we process personal data in order to fulfil obligations deriving from law. For example, legal obligations arise in accounting or compliance with money laundering rules.

5.5 We generally process personal data to offer our Services, incl. to operate self-driving vehicles, assist, maintain, setup etc. self-driving vehicles and connected systems.

5.6 New purpose. Where personal data is processed for a new purpose other than that for which the personal data are originally collected or it is not based on the Data Subject’s consent, we carefully assess the permissibility of such new processing. We will, in order to ascertain whether processing for a new purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

  1. any link between the purposes for which the personal data are collected and the purposes of the intended further processing;
  2. the context in which the personal data are collected, in particular regarding the relationship between the Data Subject and us;
  3. the nature of the personal data, in particular whether special categories of personal data are processed or whether personal data related to criminal convictions and offences are processed;
  4. the possible consequences of the intended further processing for Data Subjects;
  5. the existence of appropriate safeguards, which may include encryption or pseudonymisation.

6. TRANSFER AND AUTHORISED PROCESSING OF PERSONAL DATA

6.1 We cooperate with persons to whom we may transmit data, including personal data, concerning the Data Subjects within the context and for the purpose of cooperation. When transferring personal data to third parties (generally our cooperation partners), we comply with the applicable data protection requirements.

6.2 Such third parties may include, among other, persons in the same group as us, distributors of our Services, supply partners, advertising and marketing partners, payment service providers, advisers, ICT partners, i.e. service providers for various technical services, provided that:

  1. the respective purpose and processing are lawful;
  2. personal data is processed pursuant to the instructions of the controller and on the basis of a valid contract.

6.3 In other cases, we transmit your personal data to third parties provided that we have your consent, a legal obligation, or there is an exception in the event that the transfer is necessary to protect your vital interests.

6.4 As a general rule, we do not transmit personal data outside the European Economic Area. Where we transfer personal data outside the European Economic Area, we do so in compliance with the requirements of data protection regulations, e.g. where the European Commission has decided that there is an adequate level of protection in the respective country or, in the absence of such a decision, we have adopted appropriate safeguards (standard data protection clauses).

7. STORAGE AND SECURITY OF PROCESSING PERSONAL DATA

7.1 Storage. We store personal data only for the period necessary for the purpose of processing. As a rule, for the duration of the period of validity of the Contract + three years to protect against any potential claims. In some cases, we have to store certain personal data as prescribed by law e.g. data connected to accounting 7 years. Personal data for which the storage period has expired are destroyed or made anonymous. When storing personal data, we comply with the purpose of processing, limitation periods for potential claims in the event of filing claims, and storage periods provided for in the law.
We may anonymize camera recordings by blurring all data referring to the Data Subject.

7.2 Security measures. We have established guidelines and rules of procedure on how to ensure the security of personal data through the use of both organisational and technical measures. Among others, we do the following to ensure security and confidentiality:

  • we provide our employees with access to personal data only where this is necessary for the performance of their duties and where the respective permission has been requested and rights have been granted;
  • a processor may process the personal data transferred to them only for the purpose and to the extent necessary for providing the services set out in the contract;
  • we use software solutions that help ensure a level of security that meets the market standard.

7.3 In the event of any incident involving personal data, we do our best to mitigate the consequences and alleviate the relevant risks in the future. Among other things, we register all incidents and, if necessary, notify the Data Protection Inspectorate and the Data Subject directly (e.g. by e-mail) or publicly (e.g. through the national media).

8. RIGHTS OF THE DATA SUBJECT AND EXERCISE OF THOSE RIGHTS

8.1 Rights concerning consent:

  1. The Data Subject has the right to notify us at any time of their intention to withdraw their consent to the processing of their personal data. Withdrawal of the consent does not affect the lawfulness of prior processing.
  2. You can exercise your rights concerning consent, for example by unsubscribing from messages in the footer of the respective e-mail or by contacting us at the address gdpr@auve.tech.

8.2 In the event of processing personal data, the Data Subject has the following rights, provided that the prerequisites set out in the EU General Data Protection Regulation are met:

  1. Right to receive information, i.e. the Data Subject has the right to receive information with regard to the personal data collected about them.
  2. Right to access data, which includes, inter alia, the right of the Data Subject to a copy of the personal data processed.
  3. Right to rectification of inaccurate personal data. The Data Subject can rectify incorrect data by contacting us using the contact details provided above.
  4. Right to erasure, i.e. in certain cases, the Data Subject has the right to obtain the erasure of personal data, for example where data is processed solely on the basis of consent.
  5. Right to restriction of processing personal data. This right arises, inter alia, where the processing of personal data is not permitted by law or temporarily when the Data Subject contests the accuracy of personal data.
  6. Right to data portability, i.e. in certain circumstances, the Data Subject acquires the right to receive their data in a machine-readable format or to require the transmission of the data to another controller in a machine-readable format.
  7. Rights related to automated processing and profiling mean that the Data Subject, on grounds relating to their particular situation, has the right to object at any time to the processing of personal data concerning them based on automated decisions/profiling and to require human intervention. The Data Subject may also require an explanation regarding the logic of making an automated decision. Automated processing/profiling may also be partially based on data collected from public sources. We do not use automated processing or profiling that has a significant effect on the Data Subject or their rights.
  8. Right to an assessment by a supervisory authority as to whether the processing of the personal data of the Data Subject is lawful.
  9. Right to compensation for damages where the processing of personal data has caused damages to the Data Subject.

8.3 Exercise of rights. In the event of a question, request, or complaint regarding the processing of personal data, the Data Subject has the right to contact us using the contact details provided in clause 2.

8.4 Filing complaints:

  1. The Data Subject has the right to file their complaint with us, the Data Protection Inspectorate, or the court.
  2. Contact details of the Data Protection Inspectorate (DPI) can be found on the DPI’s website at https://www.aki.ee/et/inspektsioon-kontaktid/tootajate-kontaktid.

Please note that no right is absolute – there are preconditions for exercising personal data rights as well.

9. COOKIES AND OTHER WEB TECHNOLOGIES

9.1 We may collect data about the Visitors of the Website and other information society services as well as the Clients by using Cookies (i.e. small fragments of information stored in the hard drive of the Visitor’s computer or another device by the Visitor’s browser) or other similar technologies and process such data (e.g. IP address, device information, location information).

9.2 We use the collected data to enable the consumption of Services in accordance with the habits of the Data Subject, to ensure the best quality of Services, to inform the Visitor and Customer of the content and give recommendations, to make the advertisements more relevant and our marketing efforts more effective, to simplify logging in and protecting data. Collected data is also used to count Data Subjects and record their usage habits.

9.3 We use session and persistent Cookies. Session Cookies are deleted automatically after each visit, while persistent Cookies are retained when the Website is used repeatedly.

9.4 Our Website may contain third party Cookies regarding which our cooperation partners are the controllers, in certain cases joint controllership may apply.

9.5 We use the following types of Cookies:

  1. Necessary Cookies are required to use the Website – to navigate the page and use its functions and for example necessary Cookies enable logging into the Website, shopping basket functions, distinguishing bots from people, and ensuring other security functions. Without these Cookies, the Website cannot function properly and the provision of service may be hindered. Because necessary Cookies are essential for the operation of the Website and for the provision of our Services, these Cookies are always enabled.
  2. Preference Cookies – these Cookies store the Data Subject’s selections (such as font size, other personalised website display features) and attributes (such as user name, language, or country of location of the Visitor) in order to offer a more personalised and convenient use of the Website. Preference Cookies, although separate from necessary Cookies, are necessary for the Visitor to ensure that an appropriate personalised solution is displayed. The data stored depends on a specific Cookie. In general, we collect technical data about the device and store the selections made by the Data Subject (e.g. font size, other editable properties of the Website) and their attributes (e.g. user name, language, country of location).
  3. Functional/statistics/analytics Cookies are Cookies that collect information about how Data Subjects use the Website, for example which subpages are visited most frequently and which error messages occurred. These Cookies generally do not collect information that can identify the person. These are used to improve the operation of the Website and Service offers.
  4. Marketing and personalised analytics Cookies are Cookies used for optimising marketing activities and/or for displaying personalised advertising. These Cookies may be third party Cookies.

9.6 With regard to Cookies, Visitors consent to their use on the Website or in the web browser. The processing is generally based on consent. The majority of web browsers allow Cookies. Without Cookies, not all functions of the Website may be available to the Visitor. Enabling or disabling Cookies and other similar technologies is up to the Visitor through the settings of their own web browser.

If you prefer your personal data not be processed on our Website, you can activate the private browsing feature of your web browser.

9.7 Cookie table. The Cookies we use are as follows:

NAMETYPEWHAT & WHYEXPIRATIONOWNER
Cookie Consentnecessaryto choose whether to show the cookie popup or not1 year
LinkedIn Insighttrackingto track conversions, retarget website visitors, and unlock additional insights about members interacting with your adsup to 2 yearsLinkedIn
Bing Adstrackingenables online conversion tracking, remarketing, product audiences, automated bidding, and improves ad, broad match, and syndication performancesessionBing
Google Analyticsperformanceto track website activity such as session duration, pages per session, bounce rate etc. of individuals using the site, along with the information on the source of the trafficsessionGoogle
Google Adstrackingto show what happens after a customer interacts with our adssessionGoogle
Hotjarnecessaryto gain a better understanding of how users interact with the website and to identify issues that  users are running into when browsing the website. This is essentially necessary to be able to identify whether  a Website or Service design is functioning or has run into error. up to 8 yearsHotjar

9.8 Our Website and Services are always improving and thus the use of Cookies may also change.

10. SPECIAL PROVISIONS FOR OUR SERVICES

10.1 With regard to our direct Clients, employees and Visitors to our Website, we are generally the controller. Regarding our Services, e.g. when data is collected about passengers of a self-driving vehicle, different processing statuses can apply. Generally, we are controllers when we operate the self-driving system. Information on the processing statuses is provided to the data subjects in the self-driving vehicle and/ or by our Clients. For example, we may be joint controllers with our Clients and/ or other self-driving vehicle operator service providers. In case of a joint controllership, you can find data about how other operators/ owners process personal data from their privacy policies.

10.2 Our self-driving vehicles are equipped with different sensors and cameras. Most of the data gathered by this equipment is not personal data and is needed to operate the vehicles. However, cameras are recording passengers (cameras inside the vehicle) and traffic (outer cameras). Cameras are used to ensure functioning of self-driving vehicle, ensure safety of passengers, us and Clients, incl. safety of property. Our vehicles have notices about usage of cameras. Generally, camera recordings are retained: 5 years internal cameras; 5 years external cameras; unless different information is provided in the camera notices. We may also anonymize the camera recordings.