Aston Martin Connected Cars Privacy Notice
Last revised: August 02, 2024
Aston Martin Lagonda of North America, Inc (“AML”) is the controller of the personal data collected from or about individuals (“you,” “your”), in some cases along with other entities within AML’s group of companies (collectively “we,” “us,” “our”), as further described in this Privacy Notice.
See also our U.S. State Privacy Notice, which is a supplement to this privacy notice and includes information required by U.S. Privacy Laws (including in California) and information about privacy rights.
Changes to this Privacy Notice
We may modify or update this Privacy Notice from time to time.
If we make any material changes to the terms of this Privacy Notice then we will notify you of this through appropriate means and will provide a revised version, generally by posting an updated version and changing the date of last revision. The date of last revision is included at the top of the Privacy Notice.
Scope of this Privacy Notice
When you purchase and/or operate a connected vehicle and as part of the related services we offer to you, we will process personal data about you. “Personal data” includes any information that relates to you as an identified or identifiable individual.
This privacy notice covers the collection of personal data through our connected vehicles and the Aston Martin connected vehicle mobile application (the "App") (together the "Services"), as well as the subsequent processing of that data and your rights in connection with that processing.
Please read this Privacy Notice in conjunction with any other privacy notices or policies that we provide to you from time to time for specific purposes in relation to specific processing activities so that you’re fully informed of how your personal data is collected and used. For further information regarding AML’s privacy practices generally, please refer to our general privacy policy available at ASTON MARTIN PRIVACY NOTICE.
What personal data do we process about you and why?
The table in Annex A provides a breakdown of the categories of personal data processed, as well as the purposes of processing and the lawful bases relied upon (where such lawful bases are applicable and/or required under UK/EU GDPR or other international data privacy laws) for the purposes of applicable data privacy law.
We will generally process your personal data for the following purposes, including where such purposes form part of our legitimate interests or those pursued by a third party:
- performance of the terms of our agreement with you or to take steps at your request prior to entering into our agreement
- ensuring the quality and delivery of our products and services and developing new products and services
- enabling and improving the functionality and capabilities of the App, including by allowing data to be shared across devices
- fulfilment of our sales, service, and administrative processes
- customer support, including providing updates in relation to the progress of your vehicle throughout the manufacturing process and enabling you to easily communicate with your preferred Aston Martin dealer
- marketing communications and market research
- fulfillment of our legal obligations.
- enabling recovery in the event of a breakdown or theft of your vehicle
- ·operating and managing our global connected vehicle and driver IT support systems and services
Please note that in cases where we request certain information in order to enter into or perform the terms of our agreement with you, or to comply with applicable statutory requirements, if you decide not to provide us with the relevant information when requested, this could mean that we are unable to enter into an agreement with you or to comply with our obligations.
Your vehicle also has a ‘Privacy Mode’ feature to provide you with an enhanced level of personal privacy. When Privacy Mode is switched on, certain information about you will not be shared with AML or other third parties and certain connected vehicle features will not be available. You can find out more about Privacy Mode and the features it disables in the user manual and in-car settings.
How do we collect your personal data?
We collect your personal data in the following ways:
- by interacting directly with you, including collecting information that you provide in connection with your use of the vehicle by making selections through the use of in-car buttons, displays, or other systems (such as the infotainment system integrated within the vehicle) or by use of the App
- by indirectly collecting technical data in relation to your use of the vehicle, including where such information is automatically collected by systems or program integrated within the vehicle (such as periodically refreshing data in order to enable remote vehicle status functionality and sending location data automatically to our call centers through our Stolen Vehicle Tracking system when a theft alert is triggered by the vehicle)
- by indirectly collecting your data from the dealer where you purchased the vehicle, including for example any specific issues or preferences relating to the vehicle that you identify to the dealer and any other information that you provide in order to enable use of the App.
Who do we share your personal data with?
We may share your personal data with members of our group of companies and selected third parties, as discussed in more detail below.
Group affiliates
We may share your personal data with other members of our group of companies for the purposes of providing customer support, ongoing maintenance, marketing communications, and business administration. Depending on the purposes of processing, this could involve other members of our group also acting as controllers of your personal data, including the following AML group affiliates:
- Aston Martin Lagonda Limited
- Aston Martin Lagonda of Europe GmbH
- Aston Martin Japan Ltd.
- Aston Martin Lagonda (China) Distribution Co. Ltd.
Third-party service providers
We may use third party service providers (“Vendors”) to process your personal data on our behalf in specific circumstances or for specific purposes, including in relation to:
- IT and technology-based services, including in connection with data storage arrangements, the provision of App functionality, and in-vehicle telecommunications and connectivity services and enhanced functionality features
- diagnostics and data analytics
- breakdown recovery and roadside assistance services
- stolen vehicle tracking
- image and video content
- marketing, communications, and customer relationship management
- business administration and resource planning.
Other third parties
We may also share your personal data with other third parties, including:
- professional advisors, such as lawyers, accountants, and auditors that we interact with in the ordinary course of business and, to the extent necessary, to bring and defend legal claims
- third parties directly involved in, or reasonably related to, an acquisition or disposal of all or part of our business or assets
- ·other public authorities such as law enforcement agencies, emergency services, governmental authorities, courts, and tribunals.
Preferred dealers (e.g., your preferred dealer and/or dealer from which you purchased your vehicle)
We may share your personal data with the relevant dealership from which you purchased the vehicle, to the extent necessary in order to resolve any issues or complaints relating to your purchase and use of the vehicle, or a dealer that you have otherwise listed as your preferred dealer.
The vehicle owner and other App users
If a non-owner operates the vehicle, we will collect the personal data described in this privacy notice, and some of such personal data may be shared with the owner of the vehicle as described in Annex A. In addition, if the owner allows another user (e.g., in their family or household) to use their App, each person who uses the App will have access to certain data about the vehicle and its use. For example, the owner may have access to information through the App regarding the secondary user’s use of the vehicle, and the secondary user with App access may be able to view certain information through the App about the owner’s and others’ use of the vehicle.
How long do we keep your personal data?
Your personal data is retained for only as long as the specific purposes we set out in this Privacy Notice, including in the table in Annex A.
In some cases we may however anonymize data so that it is no longer personal data, for example where data is used for statistical purposes. In such cases, the anonymized data may be retained for a longer period, but the underlying personal data will be automatically deleted.
Security measures
We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this privacy notice.
Your personal data is protected by technical security systems and additional authorization procedures, both during data transfer and when your data is filed and stored on our secure servers.
In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
However, please note that no data transmission over the Internet, mobile networks, wireless transmission, or electronic storage of information can be guaranteed to be 100% secure. As a result, we cannot fully guarantee the security or integrity of any personal data.
Your rights
Please see our U.S. State Privacy Notice below for information on what rights you may have and how to exercise them.
Under data privacy laws, depending on your country, or state or territory, of which you are a resident or data subject (as applicable) you may have the following rights regarding your personal data.
- Access: You may have the right to obtain from us confirmation if your personal data is being processed by us in addition to certain related information, as well as the right to obtain a copy of your personal data undergoing the processing.
- Rectification: You may have the right to request the rectification of inaccurate personal data and to have incomplete data completed.
- Objection: Where we process your personal data on the basis of our legitimate interests, you may have the right to object to this processing for reasons relating to your particular situation. If this is the case, we will stop this processing of your personal data unless we can demonstrate compelling reasons why we need to process it which override your rights and freedoms, or where we need to process it for the purposes of legal claims. Where we process your personal data for direct marketing purposes, you may have the right to object to our processing of your personal data for this at any time.
- Portability: You may have the right to receive your personal data that you have provided to us, in a structured, commonly used, and machine-readable format and to transmit it to other data controllers. This right only exists if the processing is based on your consent or a contract and the processing is carried out by automated means.
- Restriction: You may request that we restrict the processing of your personal data in certain cases (so that we must suspend the processing, except for storage, with your consent or for legal claims) including for example where you object to us processing your personal data on the basis of our legitimate interests or where you want to establish the accuracy or the reason we are processing your personal data.
- Erasure: You may request to erase your personal data if (i) it is no longer necessary for the purposes for which we have collected it; (ii) you have withdrawn your consent and no other legal ground for the processing exists; (iii) you objected and no overriding legitimate grounds for the processing exist; or (iv) the processing is unlawful, or erasure is required to comply with a legal obligation.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. For example, this is the Information Commissioner’s Office in the UK (“ICO”). While we would ask that you please get in touch with us in the first instance so that we can try to resolve your issue, you can contact the ICO through the live chat feature on their website (Contact us - public | ICO) or by telephone at 0303 123 1113.
- Right to refuse or withdraw consent: in cases where we ask for your consent to processing, you are free to refuse to give consent, and you can withdraw your consent either in full or in part, at any time and we will cease such processing; however, such a withdrawal of consent may mean that we are no longer able to provide you with services that require such processing. The lawfulness of any processing of your personal data that occurred prior to the withdrawal of your consent will not be affected.
Please be aware that not all of these rights are absolute and that there may be situations in which you cannot exercise them or where they are not relevant in the circumstances or applicable in your jurisdiction.
Automated decision-making
We do not conduct any automated decision-making using your personal data that has a legal or significantly similar effect.
International Transfers
Some of the third parties with whom we share personal data are located outside of your jurisdiction, in third countries which may not be considered by the originating jurisdiction to provide an adequate level of protection for your personal data.
However, transfers made to third parties located in countries that have not been deemed to provide an adequate level of protection only take place using a lawful data transfer mechanism or, where appropriate, on the basis of permissible statutory derogations. Examples of the mechanisms that we may rely on in this context include: (i) the UK International Data Transfer Agreement and the UK Data Transfer Addendum to the EU Standard Contractual Clauses; (ii) the EU Commission’s Standard Contractual Clauses; and (iii) other enforceable overseas data transfer agreements and/or mechanisms permitted under applicable data privacy laws. We may however adjust the type of mechanism used in order to address changing legal requirements and/or lawful transfer instruments.
Please contact us using the contact details in the Contact Us section below if you’d like to receive further information in relation to how we approach international transfers of your personal data.
Contact us
If you have any questions about this Privacy Notice, including any requests to exercise your data protection rights, please contact us by letter or email using the details below:
The Data Protection Officer
Aston Martin Lagonda, Banbury Road,
Gaydon, CV35 0DB,
United Kingdom
Email: data.officer@astonmartin.com
ANNEX A
DETAILS OF OUR DATA PROCESSING
Purpose |
Types of Personal Data |
Lawful Basis for Processing (under UK/EU GDPR or other international data privacy laws to the extent applicable) |
Core enablers |
||
Enrollment/User Onboarding |
|
Performance of contract |
Subscription Management |
|
Performance of contract |
Unit Preferences |
|
Legitimate interests |
Change of Country |
|
Performance of contract |
Infotainment |
||
Online Navigation |
|
Performance of contract (for vehicle owners)
Consent (for other vehicle operators) |
Connected Vehicle |
||
Geo-Fence and Speed-Fence |
|
Performance of contract (for vehicle owners)
Consent (for other vehicle operators) |
Over The Air Software Update (OTASW) |
|
Legitimate interests |
Remote Vehicle Status including Car Finder & Feel Good |
|
Performance of contract (for vehicle owners)
Consent (for other vehicle operators) |
|
Performance of contract (for vehicle owners)
Legitimate interests (for other vehicle operators) |
|
Remote Trip Statistics and Journey Log |
|
Performance of contract (for vehicle owners)
Consent (for other vehicle operators) |
Remote Diagnostics |
|
Legitimate interests |
Protect Mode |
|
Performance of contract (for vehicle owners)
Legitimate interests (for other vehicle operators) |
Private eCall |
|
Performance of contract and/or vital interests |
Breakdown Call |
|
Legitimate interests and/or legal obligation |
Stolen Vehicle Tracking |
|
Performance of contract (for vehicle owners)
Legitimate interests (for other vehicle operators) |
Anti-Theft Push Notification |
|
Performance of contract (for vehicle owners)
Legitimate interests (for other vehicle operators) |
Remote Lock / Unlock / Window Open / Close / Window Vent |
|
Performance of contract (for vehicle owners) |
Connected Customer |
||
Account Management (Profile) |
|
Performance of contract |
|
Legitimate interests |
|
Order Updates |
|
Legitimate interests |
Pro-Active Communication on Vehicle Status |
|
Performance of contract (for vehicle owners)
Consent (for other vehicle operators) |
|
Performance of contract (for vehicle owners)
Legitimate interests (for other vehicle operators) |
|
Recall Campaigns |
|
Legal obligation and/or legitimate interests |
Contact Dealer |
|
Legitimate interests |
Preferred Dealer |
|
Legitimate interests |
App Analytics |
Google Analytics:
|
Legitimate interests |
FullStory
|
Legitimate interests |
|
Caching |
|
Legitimate interests |
Compliance |
||
Accountability and Record-Keeping |
|
Legitimate interests and/or legal obligation |
ASTON MARTIN CONNECTED CARS U.S. STATE Privacy Notice
(“U.S. STATE PRIVACY NOTICE”)
U.S. State Privacy Notice Effective Date: AUGUST 02, 2024
This U.S. State Privacy Notice applies to “Consumers” as defined under state privacy laws in California (“U.S. Privacy Laws”). This U.S. State Privacy Notice is a supplement to our other privacy policies or notices applicable to the Services, including the above Privacy Policy. In the event of a conflict between any other AML policy, statement, or notice and this U.S. State Privacy Notice, this U.S. State Privacy Notice will prevail as to Consumers and their rights under the applicable state privacy law. Capitalized terms used but not defined herein will have the meanings given to them in the Privacy Policy.
This U.S. State Privacy Notice is designed to provide you with notice of our recent, historical data practices over the prior 12 months (from the Effective Date listed at the top of this U.S. State Privacy Notice), including through the Services and anywhere this U.S. State Privacy Notice is posted. This U.S. State Privacy Notice also applies to our current data practices such that it is also meant to provide you with “notice at collection,” which is notice of personal information we collect, and the purposes for which we process personal information, among other things required by the U.S. Privacy Laws.
Section A of this U.S. State Privacy Notice covers our collection, use, and disclosure of Consumers’ personal information or personal data (referred to herein as “personal information” or “PI”) as defined under applicable law. Section B [of this U.S. State Privacy Notice describes your rights under U.S. Privacy Laws and explains how to exercise those rights. Sections C and D describe your rights under other state laws (which are different from the rights discussed in Sections A and B), and Section E provides information on how to contact us in relation to our privacy practices.
Notably, this U.S. State Privacy Notice does not apply to data that is not treated as PI under the applicable laws or to the extent the data is subject to an exemption under the applicable laws. This U.S. State Privacy Notice also does not apply to information collected by third-party content, websites, applications, platform, code (e.g., plug-ins, application programming interfaces, and software development kits), and certain cookies and other tracking technologies (“Third-Party Services”).
A. PI COLLECTION, USE, AND DISCLOSURES
Generally, we collect, retain, use, and disclose your PI for our business and commercial purposes in relation to your purchase and use of a connected vehicle and the Services.
These include purposes such as:
- The purposes listed in our Privacy Policy
- The purposes explained at the time of collection
- Other purposes that are related to or compatible with the context in which we collected your PI, or that are required or permitted by applicable law.
Our business and commercial purposes also include the disclosure of PI (which may include all the categories of PI in the table below) to the recipients listed above in “Who do we share your personal data with?”
Our Privacy Policy above, including the “What personal data do we process about you and why?” section and the table in Annex A provide details on processing purposes and personal data processed for such purposes. As required by some of the state privacy laws, the table immediately below describes the categories of PI we collect as well as examples of types of data that fit within such categories, in the left column. The right column states the categories of recipients that receive such PI from us.
Category of PI |
Categories of Recipients (for business purposes) |
1. Identifiers and contact information (such as name, phone number, address, email address, mobile identification number, IP address, cookie ID, AML ID, vehicle identification number, vehicle license plate number) |
Group affiliates Vendors Third parties for legal or similar reasons Preferred dealer(s) The vehicle owner and permitted App users |
2. Personal records (such as name, signature, address, telephone number, education, employment, employment history, bank account number, credit card number, debit card number) |
Group affiliates Vendors Third parties for legal or similar reasons Preferred dealer(s) The vehicle owner and permitted App users |
3. Personal characteristics or traits (such as age and gender) |
Group affiliates Vendors Third parties for legal or similar reasons Preferred dealer(s) The vehicle owner and permitted App users |
4. Transaction / Commercial Information (such as preferred language, identity check information, proof of ownership information, status of acceptance of terms and conditions (including date and time of acceptance), status of consent to App analytics (including date and time of consent), current software versions installed on relevant electronic control units, current status of download/update of new software, payment status for service packages, details of vehicles owned (including registration numbers and nicknames), and preferred dealer information. |
Group affiliates Vendors Third parties for legal or similar reasons Preferred dealer(s) The vehicle owner and permitted App users |
5. Service Usage Information (such as the types of data listed above in the “Infotainment,” “Connected Vehicle,” and “Connected Customer” sections of Details of Our Data Processing in Annex A.) |
Group affiliates Vendors Third parties for legal or similar reasons Preferred dealer(s) The vehicle owner and permitted App users |
6. Location Data |
Group affiliates Vendors Third parties for legal or similar reasons The vehicle owner and permitted App users |
7. Professional or employment information (such as your title, affiliated organization, professional expertise and experience, and education-related information) |
Group affiliates Vendors Third parties for legal or similar reasons Preferred dealer(s) |
8. Inferences from PI collected |
Group affiliates Vendors Third parties for legal or similar reasons Preferred dealer(s) |
Sensitive PI
|
|
Account information and password (we may store your account login in combination with a password in our systems) |
Group affiliates Vendors Third parties for legal or similar reasons
|
Precise geolocation data |
Group affiliates Vendors Third parties for legal or similar reasons The vehicle owner and permitted App users
|
We do not sell or share personal information that we collect in connection with our provision of the Services.
We also may disclose each category of PI and Sensitive PI in the table to the following categories of recipients in a manner that does not constitute sale or sharing as defined in the U.S. Privacy Laws:
- other parties at your direction or through your intentional action;
- the government or private parties to comply with law or legal process; or
- in addition, our Vendors and the other recipients listed in the above table may, subject to contractual restrictions imposed by us and/or legal obligations, also use and disclose your PI for business purposes. For example, our Vendors and the other categories of recipients listed in the table below may engage subcontractors to enable them to perform services for us or process for our business purposes.
DE-IDENTIFIED PI
Personal information that we de-identify for the purposes of anonymizing it or receive in a de-identified format will be maintained as such and we will not attempt to re-identify it.
SOURCES OF PI
See our Privacy Policy above under “How do we collect your personal data?” for sources of PI collection.
DATA RETENTION
Because there are so many different types of PI in certain categories, and so many purposes and use cases for different data, we are unable to provide retention ranges based on the categories of PI in a way that would be meaningful and transparent to you. Actual retention periods will depend upon how long we have a legitimate purpose for the retention consistent with the collection purposes and applicable law. For instance, we may maintain business records for as long as relevant to our business, and may have a legal obligation to hold PI for as long as potentially relevant to prospective or actual litigation or government investigation. We apply the same criteria for determining if we have a legitimate purpose for retaining your PI that you ask us to delete. If you make a deletion request, we will conduct a review of your PI to confirm if legitimate ongoing retention purposes exist, will limit the retention to such purposes for as long as the purpose continues, and will respond to you with information on any retention purposes on which we rely for not deleting your PI. For more information on deletion requests, see the Right to Delete section.
As described in further detail below, subject to meeting the requirements for a Verifiable Consumer Request (defined below), we provide Consumers—which are, for clarity, residents of certain states—the privacy rights described in this section. For residents of states without Consumer privacy rights, we will consider requests but will apply our discretion in how we process such requests. For states that have passed Consumer privacy laws, but are not yet in effect as of the Effective Date, we will also consider applying state law rights prior to the effective date of such laws, but will do so in our discretion.
Making a Request and Scope of Requests
As permitted by U.S. State Privacy Laws, any request you submit to us is subject to an identity verification process (“Verifiable Consumer Request”) as described in the Verifying Your Request section below. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify that you are the Consumer about whom we collected PI.
To make a request, please submit your request to us by one of the methods below.
- Calling us at (866) 278-6661
- Email: data.officer@astonmartin.com
- Visit our webform at https://www.astonmartin.com/en-us/contact-us#enquire
Verifying Your Request
When you make a request, we will verify that you are the person you say you are, or, if you are seeking information on behalf of another person, that you are authorized to make the request on their behalf (see our “Authorizing an Agent” section immediately below). In addition, we will compare the information you have provided to us to ensure that we maintain personal information about you in our systems. As an initial matter, we will ask that you provide us with, at a minimum, your name, email address and driving license or passport (to confirm name and address). Depending on the nature of the request and whether we have the email address you have provided in our systems, we may request further information from you to verify that you are the Consumer making the request. We will review the information provided as part of your request and may ask you to provide additional information via email or other means to complete the verification process. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify that you are the Consumer that is the subject of the request. The same verification process does not apply to opt-outs of Sale or Sharing, or limitation of Sensitive PI requests, but we may apply authentication measures if we suspect fraud (such as verifying access to the email provided when making the request).
The verification standards we are required to apply for each type of request vary. We verify your categories requests, certain deletion, and correction requests (e.g., those that are less sensitive in nature) to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. For certain deletion and correction requests (such as those that relate to personal information that is more sensitive in nature) and for specific pieces requests, we apply a verification standard of a reasonably high degree of certainty. This standard includes matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you, and may include obtaining a signed declaration from you, under penalty of perjury, that you are the individual whose personal information is the subject of the request.
If we cannot verify you in respect of certain requests, such as if you do not provide the requested information, we will still take certain actions as required by certain U.S. State Privacy Laws. For example, if you are a California Consumer:
- If we cannot verify your deletion request, we will refer you to this U.S. State Privacy Notice for a general description of our data practices.
- If we cannot verify your specific pieces request, we will treat it as a categories request.
Authorizing an Agent
You may designate an authorized agent to submit a request on your behalf by submitting a request in the manner described above. If you are an authorized agent who would like to make a request, the U.S. State Privacy Laws require that we ensure that a request made by an agent is a Verifiable Consumer Request and allow us to request further information to ensure that the Consumer has authorized the agent to make the request on their behalf. Generally, we will request that an agent provide proof that the Consumer gave the agent signed permission to submit the request, and, as permitted under the U.S. State Privacy Laws, we also may require the Consumer to either verify their own identity or directly confirm with us that they provided the agent permission to submit the request.
Your Consumer Privacy Rights
Appeal Rights
Residents of certain states have the right to appeal a decision regarding a privacy request. You can exercise this right by responding to the email we send containing our response to your request, and following the instructions in this email.
Right to Limit Sensitive PI Processing
Certain personal information qualifies as sensitive data or Sensitive PI under the U.S. State Privacy Laws, which we refer to in this U.S. State Privacy Notice as “Sensitive PI.” If you are a California resident, you have the right to direct businesses to limit their use and disclosure of Sensitive PI if it is used or disclosed beyond certain internal business purposes. Where applicable, we will treat such a request as a revocation of any consent that you may have provided to your processing of Sensitive PI.
Right to Know/Access
Right to Know – Categories/Confirmation of Processing
If you are a California resident, you have the right to request that we provide you with certain information about our collection, use, and disclosure of your PI over the 12-month period prior to the request date, related to categories of PI. You can request that we confirm whether we are processing your personal information, and disclose to you: (1) the categories of PI we collected about you; (2) the categories of sources for the PI; (3) our business or commercial purpose for collecting or selling that PI; (4) a list of the categories of PI disclosed for a business purpose in the prior 12 months and, for each category of PI, the categories of recipients; and (5) a list of the categories of PI sold or shared about you in the prior 12 months and, for each, the categories of recipients.
Right to Know – Specific Pieces
You have the right to request a transportable copy of the specific pieces of PI we collected about you. In some states, such as California, this includes the right to PI collected in the 12-month period preceding your request. Please note that PI is retained by us for various time periods, so there may be certain information that we have collected about you that we do not even retain for 12 months (and thus it would not be able to be included in our response to you). Based on your state of residence, we may apply a limit on the number of “Right to Know” requests you make over a particular time period, as permitted under U.S. State Privacy Laws.
Right to Delete
You have the right to request that we delete any of your PI that we have collected directly from you, subject to certain exceptions which we will explain if they apply. After we confirm that your deletion request is a Verifiable Consumer Request, subject to permitted retention exceptions, we will carry out one or more of the following: (i) permanently erase your PI on our existing systems with the exception of archived or back-up systems; (ii) deidentify your PI; or (iii) aggregate your PI with other information. In our response to your request to delete, we will tell you the method for deleting your PI. Where legal exceptions will apply to your request for deletion, we will tell you which one(s) and will limit retention to the permitted purpose(s).
Right to Correct
You have the right to request that we correct inaccuracies that you find in your personal information maintained by us. Your request to correct is subject to our verification (discussed above) and the response standards in the applicable U.S. State Privacy Laws.
Do Not Sell/Share/Target
Under the various U.S. State Privacy Laws, Consumers have the right to opt out of certain processing activities. California and certain other states have opt-outs specific to Targeted Advertising activities—which California’s law refers to as “cross-context behavioral advertising,” and others simply as Targeted Advertising—which involve the use of PI from different businesses or services to target advertisements to you. California provides Consumers the right to opt out of sharing, which includes providing or making available PI to third parties for such Targeted Advertising activities, while other states provide Consumers the right to opt out from PI processing for Targeted Advertising more broadly. There are broad and differing concepts of the sale of PI under the various U.S. State Privacy Laws, all of which at a minimum require providing or otherwise making PI available to a third party. However, as stated above, we do not believe we sell or share PI, nor do we believe we process PI for the purposes of Targeted Advertising.
Some of the U.S. Privacy Laws also require us to state that we do not knowingly sell or share the PI of Consumers under the age of 16.
We may disclose your PI for the following purposes, which do not constitute a sale or sharing: (i) if you direct us to share your PI; (ii) to comply with your requests under the U.S. Privacy Laws; (iii) disclosures among the entities that constitute Company as defined above, to Company’s service providers, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.
OPT-OUT PREFERENCE SIGNALS (ALSO KNOWN AS GLOBAL PRIVACY CONTROL OR GPC)
Some of the U.S. Privacy Laws require businesses to process GPC signals, which are referred to in California as opt-out preference signals (“OOPS”). These are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt out of the Sale and Sharing of personal information. To use an OOPS/UOOM/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/UOOM/GPC. Because we do not believe we sell or share PI as defined under U.S. Privacy Laws, we do not process OOPS/UOOM/GPC signals.
AUTOMATED DECISION-MAKING AND PROFILING
We may, but do not believe that we, engage in processing that constitutes automated decision-making or profiling under the CCPA. However, as of the Effective Date, the definitions of these concepts, and any associated opt-out and access rights, have not been added to the updated regulations of the CCPA.
We do not believe we carry out profiling in furtherance of decisions that produce legal or similarly significant effects. If we change our practices, we will change this policy and provide you with the right to opt out of such activities as required by U.S. Privacy Laws, subject to any applicable exceptions.
RIGHT TO NON-DISCRIMINATION
You have the right not to receive discriminatory treatment for the exercise of your privacy rights.
OUR AND OTHERS' RIGHTS
Notwithstanding anything to the contrary, we may collect, use, and disclose your PI as required or permitted by applicable law and this may override your rights under U.S. Privacy Laws. In addition, we need not honor any of your requests to the extent that doing so would infringe upon our or any other person’s or party’s rights or conflict with applicable law.
In addition to CCPA rights, certain Californians are entitled to certain other notices, including:
1. Third-Party Marketing and Your California Privacy Rights:
California’s “Shine the Light” law permits California residents to request certain information regarding our disclosure of PI to third parties for their own direct marketing purposes. Separate from your CCPA rights set forth above, you have the following additional rights regarding disclosure of your information to third parties for their own direct marketing purposes: We may from time to time elect to share certain “personal information” (as defined by California’s “Shine the Light” law) about you with third parties for those third parties’ direct marketing purposes. California Civil Code § 1798.83 permits California residents who have supplied personal information, as defined in the statute, for us to, under certain circumstances, request and obtain certain information regarding our disclosure, if any, of personal information to third parties for their direct marketing purposes. If this applies, you may obtain the categories of personal information shared and the names and addresses of all third parties that received personal information for their direct marketing purposes during the immediately prior calendar year (e.g., requests made in 2023 will receive information about 2022 sharing activities). To make such a request, please provide sufficient information for us to determine if this applies to you, attest to the fact that you are a California resident, and provide a current California address for our response. You may make this request by contacting us at data.officer@astonmartin.com . Any such request must include “Shine the Light California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are only required to respond to one request per customer each year.
As these rights and your CCPA rights are not the same and exist under different laws, you must exercise your rights under each law separately.
2. California Minors:
Though our online service(s) are intended for an audience over the age of eighteen (18), any California residents under the age of eighteen (18) who have registered to use our online services, and who posted content or information on the service, can request removal by contacting us at data.officer@astonmartin.com, detailing where the content or information is posted, and attesting that they posted it. We will then make reasonably good faith efforts to remove the post from prospective public view or anonymize it so that the minor cannot be individually identified to the extent required by applicable law. This removal process cannot ensure complete or comprehensive removal. For instance, third parties may have republished or archived content by search engines and others that we do not control.
D. NOTICE FOR NEVADA RESIDENTS
Users of the Services who are Nevada consumers have the right to submit a verified request that the Services do not sell such Nevada consumer’s covered information. Such right is further described, and the terms are defined, in the Nevada Revised Statutes 603A (the “Nevada Internet Privacy Law”). The Services do not currently sell any covered information as defined in the Nevada Internet Privacy Law. Nevada consumers may register an email address to which identity verification instructions will be delivered if the Services begin selling covered information, as defined by the Nevada Internet Privacy Law, in the future. Any Nevada consumer who wishes to register should send their email address and a request to register to data.officer@astonmartin.com with “Nevada Do Not Sell Request” in the subject line and the message of the email. Should a Nevada consumer’s registered email address subsequently change, the Nevada consumer must contact data.officer@astonmartin.com to inform the Services of such change (specifying the Nevada consumer’s old and new email addresses), as the Services will not search any other records in the event a registered email address is no longer valid.
E. CONTACT US
If you have any questions about the Privacy Policy, the U.S. State Privacy Notice, or practices described in it, you may contact us at:
The Data Protection Officer
Aston Martin Lagonda, Banbury Road,
Gaydon, CV35 0DB,
United Kingdom