XPENG WEBSITE and APP PRIVACY POLICY


XPENG takes privacy issues very seriously and we are fully committed to protecting your privacy. In this Privacy Policy we describe who we are, how and for which purposes and on what legal basis we process your Personal Data through XPENG website and App, how you can exercise your privacy rights and all other information that may be relevant to you. A reference to “XPENG,” “we,” “us” is a reference to XPENG European Holding B.V. and its relevant affiliates involved in the collection, use, sharing, or other processing of Personal Data.

We did our best to provide you with all information in a clear and readable format. However, if you have any questions about our use of your Personal Data after reading this Privacy Policy, you can of course always contact us through the contact details provided at the end of this Privacy Policy. 

This Privacy Policy may be changed over time. The last modifications to this Privacy Policy have been made on 06/01/2022.


1. WHEN DOES THIS PRIVACY POLICY APPLY?

This Privacy Policy is applicable to the processing by XPENG of all Personal Data of its suppliers and business partners and clients in the EU. This Privacy Policy does not address the processing of Personal Data of applicants or employees in the context of their employment relationship with XPENG.


2. WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA?

This Privacy Policy applies to the processing of Personal Data where XPENG acts as a controller in the sense of the General Data Protection Regulation (GDPR). This Privacy Policy indicates what Personal Data are collected and used (processed) by XPENG and for what purpose, and to which persons or entities the data may be provided.


3. WHAT PERSONAL DATA DO WE COLLECT?

When we provide our services, we have a need to process Personal Data. We typically process the following Personal Data when you use XPENG APP or website:

Your basic information: your first name, last name, preferred title, and contact information such as your address, zip code, city and country, phone number, email address.

Your XPENG account information: your user ID, username, Google/Facebook account (if you use Google/Facebook account to sign in), phone number, email address, password associated with the account.  

Purchase information: your orders, wish-list, vehicle configurations, purchase history, billing status, deposit information, and other related data regarding your order and purchase. 

Device identifiers: IMEI, MAC address, Bluetooth ID, IP, and other unique device identifiers. 

Vehicle information: Vehicle Identification Number (VIN), vehicle model, and other unique device identifiers. 

Vehicle telematics data: telematics data regarding the performance, usage, operation, and condition of your XPENG vehicle, including A/C and temperature, speed, status of doors, windows, and ports, charging and battery status, mileage, cellular usage. 

Usage data:  data regarding app and website usage and performance. 

Service history: test drive appointment, vehicle repair history, warranty claims, customer complaints, service records, and any other information related to your service appointment or requests.

Certain information is collected by most browsers or automatically through your device, such as your IP address and cookie. A “cookie” is a string of information which assigns you a unique identifier that we store on your computer. Your browser then provides that unique identifier to use each time you submit a query to our website. We use necessary cookies to make our website work. We would also like to set optional “performance” cookies to gather anonymous site visitation data and “targeting” cookies to help us understand which content visitors value most. By enabling these cookies, you can help us provide a better website for users like yourself. For more information about XPENG’s cookies and third-party cookies, see the Cookie Policy on our website.

We also use Google Analytics to collect aggregated and anonymized data on visitors’ UI behaviours and usage of our website; we only use this kind of analytics tool to understand the usage and effectiveness of our online services. To learn more about how Google Analytics processes data, please see: https://policies.google.com/privacy?hl=en-US


4. HOW DO WE USE YOUR PERSONAL DATA?

We use Personal Data to manage and meet service and information requests, to understand XPENG App and website use, and to make our products and services as effective as possible. 

Data Processing Purpose: To create and activate your XPENG account
Type of Data:
· Your username, password, email, phone, or Google/Facebook account associated with your XPENG account
Legal Basis for Processing:
· Performance of a contract with you

Data Processing Purpose: To perform a contract with you and to fulfil and complete your orders, purchases and other transactions entered with us
Type of Data:
· Your basic information and contact information
· Purchase information, such as your orders and configurations
Legal Basis for Processing:
· Performance of a contract with you

Data Processing Purpose: To fulfil requests you make, including test drives, service requests, call back requests for events or vehicles, brochure requests or information about specific vehicles
Type of Data:
· Contact information
· Purchase information
· Service history
· VIN
Legal Basis for Processing:
· Performance of a contract with you or necessary to take steps at your request prior to entering into a contract

Data Processing Purpose: To provide connected-vehicle service on XPENG APP
Type of Data:
· VIN and User ID
· Vehicle telematics data (such as mileage, battery, A/C, doors and windows, charging port status)
· Bluetooth information (such as MAC address, Bluetooth ID, RSSI, connectivity status)
· Location of your phone and your vehicle
· (Note: when you use Polling function, your phone’s location and motion status is processed in real-time to realize this function)
Legal Basis for Processing:
· Performance of a contract with you
· Where you have provided your consent

Data Processing Purpose: To troubleshoot, analyze and improve our services
Type of Data:
· User ID
· Device information (such as device type, device ID)
· Crash logs
Legal Basis for Processing:
· Where you have provided your consent
· Necessary for our legitimate interests to improve our products and services, business analysis

Data Processing Purpose: To provide after-sales service for you, such as roadside assistance, repair and maintenance
Type of Data:
· VIN
· Vehicle telematics data
· Contact information
· Purchase information
· Service history
Legal Basis for Processing:
· Performance of a contract with you

Data Processing Purpose: To analyze app and website usage and to improve our services
Type of Data:
· Usage and analytics data (non-personally identifiable). Some of this data is shared with Google Analytics.
Legal Basis for Processing:
· Necessary for our legitimate interests: to analyze and improve customer experience
· Where you have provided your consent (website cookies)

Data Processing Purpose: To detect and defend against unauthorized access to data, and to enhance information security
Type of Data:
· User IPs and logs
Legal Basis for Processing:
· Necessary for our legitimate interests: to protect the confidentiality, integrity, and availability of IT systems

Data Processing Purpose: To respond to any requests, questions, or complaints you may have regarding our products and services (in person, online, telephone, email, etc.)
Type of Data:
· Contact information
· Purchase information
· Your requests, including phone conversation recordings (if applicable)
Legal Basis for Processing:
· Performance of a contract with you
· Where you have provided your consent
· Necessary for our legitimate interests: to administer customer inquiries and requests

Data Processing Purpose: To provide insurance brokerage for you (when you request)
Type of Data:
· Your basic information: name, ID
· Insurance contract information
· VIN
Legal Basis for Processing:
· Performance of a contract with you

Data Processing Purpose: To provide charging service or to install domestic charging ports for you
Type of Data:
· Vehicle telematics data (such as battery and charging status data)
· Contact information
· Planned locations of your domestic charging ports
Legal Basis for Processing:
· Where you have provided your consent
· Performance of a contract with you

Data Processing Purpose: Sign up for XPENG marketing materials or newsletters
Type of Data:
· Contact information
Legal Basis for Processing:
· Where you have provided your consent

Data Processing Purpose: To participate in surveys about your experience with our products and services
Type of Data:
· Contact information
Legal Basis for Processing:
· Where you have provided your consent

Data Processing Purpose: To demonstrate compliance with regulatory requirements
Type of Data:
· Contact information
· Purchase information
· Vehicle information
Legal Basis for Processing:
· Necessary to comply with a legal obligation


5. HOW DO WE STORE AND PROTECT YOUR PERSONAL DATA?

We retain the Personal Data we collect from or about you for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. When the Personal Data is no longer necessary for these purposes, we delete it or keep it in a form that does not identify you. When determining this retention period, we take into account various criteria, including the type of services requested by or provided to you, the nature of our relationship with you, the impact on the services we provide to you if we delete some Personal Data from or about you, and retention periods required by law. 

We will take reasonable and appropriate measures to protect your Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction. However, please note that no security measures can be 100% secure and perfect, and in the unfortunate event that a Personal Data security incident occurs, we will report it promptly and take remedial measures in accordance with the requirements of the law and regulatory authorities.

If you sell or transfer your vehicle to another person, please inform us promptly so that we can determine whether additional steps need to be taken to avoid disclosing Personal Data from or about you to the purchaser or transferee of the vehicle.


6. DATA CROSS-BORDER TRANSFER

XPENG is a global company. Your Personal Data is stored within the European Economic Area (EEA), but your Personal Data might be accessed from XPENG's affiliates outside of the EEA for the provision of services, such as IT systems maintenance. With respect to Personal Data transferred outside the EEA, we comply with applicable data protection laws providing adequate safeguards for the transfer of Personal Data to countries outside of the EEA. Before each transmission, we analyze the transmission scenarios and the risks they may pose before deciding whether to transmit. We use Standard Contractual Clauses as the transfer tool to implement the cross-border transfer of your Personal Data; we also implement technical, organizational, and contractual measures to ensure lawful international data transfer.

If you want more information about the international transfers of Personal Data, you may contact us according to the instructions in the "How to Contact Us" section below.


7. HOW DO WE SHARE YOUR INFORMATION?

We will not sell your personal information to anyone at any time for any purpose. We will only share your personal information in the following ways:

(a) Share with XPENG’s relevant affiliates: Your information may be shared within XPENG’s relevant affiliates only for explicit and legitimate purposes, and the sharing is limited only to information required by services.

(b) Share with our service providers or business partners: We may share your Personal Data with our service providers and business partners when it is required to perform services on our behalf, for instance, authorized dealers, customer service providers, roadside assistance providers, repair service providers, payment processors, leasing service partners, recruitment service providers, analytics service providers, third parties you authorized and other professional service providers. We will sign strict data processing agreements based on applicable data protection laws with third-party entities receiving your Personal Data, requiring them to take necessary security measures and properly handle your Personal Data.

(c) Share with third parties you've authorized: If you authorize someone else to use your vehicle or authorize someone else's account to be bound to your vehicle, your Personal Data may be accessed by third parties that you authorize, and you should exercise caution when making such authorizations.

(d) Share with other third parties as required by law or otherwise: We may, in our sole discretion, transfer or disclose information, including information that does or does not identify you, to a third party when:

It is required by European law; 

It is required by government departments and the judiciary authorities for European law enforcement purposes; 

It is required to handle emergencies; 

It is required to prevent or stop possible illegal, unethical practices;

It is required to protect our products and services, and the personal and property safety of third parties or the public.


8. WHAT ARE YOUR RIGHTS IN RELATION TO THE DATA PROCESSING WE PERFORM?

As a data subject, you have specific legal rights granted by the General Data Protection Regulation (GDPR) relating to the personal data we process about you. We enable you to access and control the data that we collect, use and share from or about you, or your use of services.

Electronic or text communications: If you no longer want to receive promotional emails that you have subscribed to, you may opt out of receiving them by clicking the unsubscribe button in the emails. Please note that we may still send you important safety messages/calls or product service issues even if you opt out of receiving marketing messages.

Data subject rights: You have the right to request access to and receive information about certain data we maintain about you, to update and correct inaccuracies in that information, to restrict or delete the information, and to object to or withdraw your authorization to use the information in a certain way. You may also have a data portability right with respect to the data you voluntarily provide to us. If you want to exercise the aforementioned rights, you may contact us according to the instructions in the "How to Contact Us" section below.

You can also lodge a complaint with your local data protection authority in the EEA. However, we would appreciate it if you first contact us to try and solve your problem – you can find our contact details below.


9. PRIVACY OF CHILDREN

We do not knowingly collect or use any personal information from children (we define ‘children’ as minors younger than 16) without prior, verifiable parental consent. We do not knowingly allow children to order our vehicles, communicate with us, or use any of our online services.

If you become aware that a child has provided us with personal information, please contact us as indicated in the “How to contact us” section below. We will take all reasonable measures to delete the information as soon as possible and to not use such information for any purpose, except where necessary to protect the safety of the child or others as required by law.


10. HOW TO CONTACT US?

You can exercise your data subject rights in relation to us by filling out this form, which will help us to deal with your request properly.

For questions or comments, please contact us.

Contact our Data Privacy department by email:  data-privacy@xiaopeng.com

Or contact XPENG European Holding B.V. at Herikerbergweg 292, D1.05, D1.06, D1.07, 1101CT Amsterdam.


11. HOW WILL WE UPDATE THIS POLICY?

We may update this Privacy Policy according to changes in our business functions and measures concerning the protection of Personal Data. If we make changes to this Privacy Policy, we will update it through our website or App. Where changes to this Privacy Policy will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient advance notice to ensure you have the opportunity to exercise any data subject rights.