XPENG takes privacy issues very seriously and we are fully committed to protecting your privacy. In this Privacy Notice we describe who we are, how and for which purposes and on what legal basis we process your personal data through XPENG website and App, as well as your experience at stores, or contact us via phone or email, etc., how you can exercise your privacy rights and all other information that may be relevant to you. A reference to “XPENG,” “we,” “us” is a reference to XPENG European Holding B.V. and its relevant affiliates involved in the collection, use, sharing, or other processing of Personal Data.
We did our best to provide you with all information in a clear and readable format. However, if you have any questions about our use of your personal data after reading this Privacy Notice, you can of course always contact us through the contact details provided at the end of this Privacy Notice.
This Privacy Notice may be changed over time. The last modifications to this Privacy Notice have been made on 14/08/2024.
1. WHEN DOES THIS PRIVACY NOTICE APPLY?
This Privacy Notice is applicable to the processing of personal data in relation to the use of XPENG App, website, or the experience in XPENG stores. This Privacy Policy does not address the processing of personal data of applicants or employees in the context of their employment relationship with XPENG.
2. WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA?
This Privacy Notice applies to the processing of personal data where XPENG acts as a controller in the sense of applicable data protection laws. . This Privacy Notice indicates what personal data are collected and used (processed) by XPENG and for what purpose, and to which persons or entities the data may be provided.
3. WHAT PERSONAL DATA DO WE COLLECT?
When we provide our services, we have a need to process personal data. We typically process the following personal data when you use our APP or website, visit our stores, or contact us via phone or email, etc.:
· Your basic information: your first name, last name, ID number, preferred salutation, and contact information such as your address, zip code, city, region, country, phone number, email address.
· Your XPENG account information: your user ID, username, Google/Facebook account (if you use Google/Facebook account to sign in), phone number and email address associated with the account, password. Your phone’s camera permission is required to enable you to scan the QR code on your vehicle display screen to log in XPeng vehicle account.
· Device information: device name, device type, OS version, screen resolutions, system language, device ID, MAC address, IP address, cookie ID, Bluetooth ID, device motion status (if you use XPENG APP Polling through an Android device, the device motion status is verified in real-time in your device to ensure the effectiveness of the function), and other information related to your device.
· Vehicle information: Vehicle Identification Number (VIN), vehicle model, registration number, vehicle conditions, Bluetooth ID, ICCID, other unique device identifiers.
· Vehicle telematics data: telematics data regarding the performance, usage, operation, and condition of your XPENG vehicle, including A/C and temperature, speed, status of doors, windows, and ports, charging and battery status, mileage, Bluetooth connectivity status.
· Location information, such as the location of your XPENG vehicle, and your location for finding the nearest stores or charging station, as well as locations you have saved on the app. We may use third party map applications (such as Google Maps) to help you verify your location.
· Appointment or service history: including reservations, test drive appointments, vehicle repair history, warranty claims, service records, and any other information related to your service appointments or requests.
· Order information: your purchase information, order agreement, and other documents related to your delivery, such as government-issued ID.
· Communication and interactions information, such as customer service records, satisfaction surveys, customer feedback, your request details, and images you uploaded (if you choose to)
· Financial information, including payment method, bank card information payment status, amount, VAT number, invoice, information about financing, leasing or credit application.
· Insurance information: If you want us or our authorized dealers to provide insurance brokerage, we or our dealers will need to collect your name, your government-issued ID, contract information, vehicle identification number (VIN), and any other information related to your insurance to fulfill your request.
· Job application data: including employment and education information, date of birth, nationality, background check information, resume details, cover letters or work samples.
· Analytics data: aggregated data regarding app and website users' UI behaviour, usage and performance. We may use third party applications (such as Google Analytics) to realize this function.
4. HOW DO WE USE YOUR PERSONAL DATA?
We use personal data to manage our service and meet your information requests, to understand the use of our XPENG APP and website use, and to make our products and services as effective as possible.
To realize our product functions and services:
Data Processing Purposes | Type of Personal Data | Legal Basis for Processing |
To create and activate your XPENG account | · Your username, password, email, phone number, or Google/Facebook account relate to your XPENG account · Vehicle information | · Performance of a contract with you |
To fulfill and complete your orders, including reservations, orders and pre-orders, leasing, fleet sales, and other transactions entered with us | · Your basic information, including contact information · Order information · Financial information | · Performance of a contract with you |
To provide connected-vehicle service through XPENG APP | · VIN and User ID · Vehicle telematics data (such as mileage, battery, speed) · Bluetooth information (such as MAC address, Bluetooth ID, connectivity status) · Location data · Device motion status (if applicable) | · Performance of a contract with you |
Vehicle authorization (authorize others to remote control your XPENG vehicle via XPENG App) | · User ID · VIN · Contact information of your authorized person · Virtual identification and authentication · Authorization status | · Performance of a contract with you |
To provide you with charging service | · Location data · Vehicle telematics data (such as battery and charging status) · Order information | · Performance of a contract with you |
To handle bills, invoices, and taxation | · Your basic information, including contact information · Order information · Financial information | · Performance of a contract with you · Necessary to comply with a legal obligation |
To provide you with XPENG Trade-in service | · Your vehicle information, including VIN, vehicle model, registration number, vehicle conditions · Your contact information | · Performance of a contract with you |
To provide insurance or finance solutions for you (upon your request) | · Your basic information, including contact information · Insurance contract information · Financial information · Vehicle and device information | · Necessary in order to take steps at your request prior to entering into a contract |
Note: If you choose a direct payment gateway to complete your purchase, then our authorized payment provider collects and stores your bank card data. Adyen's Privacy Policy.
To communicate with you:
Data Processing Purposes | Type of Personal Data | Legal Basis for Processing |
To fulfill requests or service appointments you make to us, including test drives, service and event appointments, partnership requests. | · Your basic information, including contact information (note: we may contact you to confirm your booking or request) · Order information · Appointment or service history (such as appointment details, customer service history) | · Performance of a contract with you or necessary in order to take steps at your request prior to entering into a contract · Necessary for our legitimate interests: to administer customers inquiries and requests |
To respond to any feedback, requests, questions, or complaints you may have regarding our products and services (in person, online, telephone, email, etc.) | · Your basic information, including contact information · Order information · Communication and interactions information, including your request details, and images/files you uploaded (if you choose to). | · Performance of a contract with you or necessary in order to take steps at your request prior to entering into a contract · Necessary for our legitimate interests: to administer customers inquiries and requests |
Sign up for XPENG marketing communications | · Account information · Order information | · Where you have provided your consent |
Advertising and marketing purposes, including displaying online ads based on your online profile and analysing the effect of such online marketing campaigns. We may use cookies and similar technologies ("cookies") for this. Some cookies create unique identifiers and may collect data while you are using our websites or applications or other content, which help us to personalise content or advertisements. Read our Cookie Policy for more information about cookies. | · Online identifiers · Device-related information · Cookies | · Where you have provided your consent, to the extent that the processing is not permitted on a legitimate interest basis |
To participate in surveys about your experience with our products and services | · Account information · Contact information · Survey or feedback details | Necessary for our legitimate interests: to understand, analyze and improve customer experience |
Process job candidates’ personal data to evaluate applications for employment | Job application data (including name, contact details, employment and education information, CV) | Necessary to take steps at your request prior to entering into a contract |
To understand and improve our products and services, or to ensure information security.
Data Processing Purposes | Type of Personal Data | Legal Basis for Processing |
To detect and defend against unauthorized access to data, and to enhance information security | · Device information · Network activity information | Necessary for our legitimate interests: to protect the confidentiality, integrity, and availability of IT systems |
To upload crash logs for troubleshooting | · Account information · Relevant crash logs | Where you have provided your consent |
To understand and analyze app and website UI behaviour and usage, so as to improve our services. We also use cookies like Google Analytics to collect usage data of our app and website; we only use this kind of analytics tools to understand usage and effectiveness of our online services. To know more about how Google Analytics process data, please see: https://policies.google.com/privacy?hl=en-US | · Analytics data (aggregated data on UI behaviour, usage and analytics of app and website. Some of this data is shared with Google Analytics) | Necessary for our legitimate interests: to understand, analyze and improve customer experience Where you have provided your consent (website cookies) |
Other circumstances
Data Processing Purposes | Type of Personal Data | Legal Basis for Processing |
To demonstrate compliance with regulatory requirements | · Contact information · Order information · Vehicle information | Necessary to comply with a legal obligation |
To prevent thefts, and to ensure safety in Stores | · Video images captured through CCTV | Necessary for our legitimate interests: to monitor the security of store assets and ensure Data Subjects' safety |
5. HOW DO WE STORE AND PROTECT YOUR PERSONAL DATA?
We retain the information we collect from or about you for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law. When the information is no longer necessary for these purposes, we delete it or keep it in a form that does not identify you. When determining this retention period, we take into account various criteria, including the type of services requested by or provided to you, the nature of our relationship with you, the impact on the services we provide to you if we delete some information from or about you, and retention periods required by law.
We will take reasonable and appropriate measures to protect your Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction. However, please note that no security measures can be 100% secure and perfect, and in the unfortunate event that a Personal Data security incident occurs, we will report it promptly and take remedial measures in accordance with the requirements of the law and regulatory authorities.
If you sell or transfer your vehicle to another person, please inform us promptly so that we can determine whether additional steps are needed to be taken to avoid disclosing Personal Data from or about you to the purchaser or transferee of the vehicle.
6. DATA CROSS-BORDER TRANSFER
XPENG is a global company. Your personal data is stored within the European Economic Area (EEA), but your personal data might be accessed from XPENG's affiliates outside of the EEA for the provision of services, such as IT system operations and maintenance. With respect to personal data transferred outside the EEA, we comply with applicable data protection laws providing adequate safeguards for the transfer of personal data to countries outside of the EEA. Before each transmission, we analyze the transmission scenarios and the risks they may pose before deciding whether to transmit. We use Standard Contractual Clauses as transfer tool to implement the cross-border transfer of your personal data; we also implement technical, organizational, and contractual measures to ensure lawful data international transfer.
If you want to know more information about the international transfers of personal data, you may contact us according to the instructions in "How to Contact us" section below.
7. HOW DO WE SHARE YOUR INFORMATION?
We will not sell your Personal Data to anyone at any time for any purpose. We will only share your Personal Data in the following ways:
a) Share with XPENG’ s affiliates. We may share information with XPENG’s relevant affiliates. Your information may be shared within XPENG’s affiliates only for explicit, and legitimate purposes, and the sharing is limited only to information required by services.
b) Share with our service providers or business partners: We may share your personal data with our service providers and business partners when it is required to perform services on our behalf, for instance, our authorized dealers, customer service providers, roadside assistance providers, payment processors, leasing service partner, recruitment service provider, event/campaign organiser, analytics service provider, third parties you authorized, and other professional service providers. We will sign strict data processing agreements based on applicable data protection laws with third-party entities receiving your personal data, requiring them to take necessary security measures and properly handle your personal data.
c) Share with persons you've authorized: If you authorize someone else to use your vehicle or authorize someone else's account to be bound to your vehicle, your personal data may be accessed by third parties that you authorize, and you should exercise caution when making such authorizations.
d) Share with other third parties as required by law or otherwise: We may, in our sole discretion, transfer or disclose information, including information that does or does not identify you, to a third party when:
· It is required by European law;
· It is required by government departments and the judiciary authorities for European law enforcement purposes;
· It is required to handle emergencies;
· It is required to prevent or stop possible illegal, unethical practices.
· It is required to protect our products and services, and the personal and property safety of third parties or the public.
8. WHAT ARE YOUR RIGHTS IN RELATION TO THE DATA PROCESSING WE PERFORM?
As a data subject, you have specific legal rights granted by the General Data Protection Regulation (GDPR) relating to the personal data we process about you. We enable you to access and control the data that we collect, use and share from or about you, or your use of services.
a) Electronic or text communications: If you no longer want to receive marketing-related communications, you may opt out of receiving them by clicking the unsubscribe button in the emails, or to adjust your preference on XPENG APP. Please note that we may still send you important safety messages/calls or product service issues even if you opt out of receiving marketing messages.
e) Data subject rights: You have the right to request access to and receive information about your certain data we maintain, to update and correct inaccuracies in that information, to restrict or delete the information, to object to or withdraw your authorization to use the information in a certain way. You may also have data portability right with respect to the data you voluntarily provide to us. If you want to exercise the aforementioned rights, you may contact us according to the instructions in "How to Contact us " section below.
(f) You can also lodge a complaint to your local data protection authority in the EEA. However, we will appreciate if you first contact us to try and solve your problem – you can find our contact details below.
9. PRIVACY OF CHILDREN
We do not knowingly collect or use any Personal Data from children (we define ‘children’ as minors younger than 16) without prior, verifiable consent which is given or authorized by the holder of parental responsibility over the child. We do not knowingly allow children to order our vehicles, communicate with us, or use any of our online services.
If you become aware that a child has provided us with Personal Data, please contact us as indicated in the “How to contact us” section below. We will take all reasonable measures to delete the information as soon as possible and to not use such information for any purpose, except where necessary to protect the safety of the child or others as required by law.
10. HOW TO CONTACT US?
For questions or comments, or to submit a data subject request, please contact us.
Contact our EU Legal department by email: data-privacy@xiaopeng.com;
Or contact XPENG European Holding B.V. at Hoogoorddreef 11, 1101BA, Amsterdam, the Netherlands.
11. HOW WILL WE UPDATE THIS NOTICE?
We may update this Privacy Notice according to changes in our business functions and measures concerning the protection of personal data. If we make changes to this Privacy Notice, we will update it through our website or App. Where changes to this Privacy Notice will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient advance notice to ensure you have the opportunity to exercise any data subject rights.