In a nutshell:
Now in more detail:
1) Introduction and Definitions
The Surfsight solution is a technology platform and service owned and operated by us, Lytx, Inc. and our wholly-owned subsidiaries (“Company”). You can find our contact details below.
The Surfsight solution helps organizations to protect their staff and vehicles on the road, and to protect their legal interests in claims and disputes. These organizations are our Customers.
The Surfsight solution is a cloud Platform, connected to Dash Camera Devices (which the Customer buys, owns, installs, and operates), and accessible to Customers and their permitted Users through a dedicated Web Portal.
As soon as they’re turned on upon the vehicle’s ignition, Devices record Videos and collect various Location Data and Driving Data, which might include personal information or personally identifiable information (personal data) of the vehicle’s Drivers, Passengers, or Other People, as explained in detail below.
Our Customers decide the purposes for which they use the Surfsight solution, as well as the means for collecting data, including without limitation the configuration of features available in the Platform and Devices. Our Customers control the data processed on their behalf via the Surfsight solution and they are responsible under our End User License Agreement (EULA) for handling any data rights and data requests of their employees and contractors, Users, Drivers, Passengers, and Other People as Data Controllers. We also use the data collected, uploaded or available to the Surfsight solution for the provision of services to our Customers, product improvement, research and development and commercial uses, as described in detail below. With respect to the processing of personal data of Customers, Company is a Data Processor, as further described in the Privacy and Data Processing Agreement sections of the EULA.
To make things clear with an example: if you’re an employee of CorpCo and got a CorpCo company car that has a Surfsight Device installed in it, then you are a Driver, CorpCo is our Customer and has full control over your personal data, and we process your personal data on CorpCo’s behalf and according to its instructions. If CorpCo gave you access to the Surfsight Portal, you’re also a User, and you can access the Platform to view videos, get statistics, and take some actions, all according to your permissions as defined by CorpCo.
If you’re a User, Driver, or Passenger and have any issue regarding your personal information, please contact your employer first! Our Customer’s contact details appear on or around the Device and in the Portal.
In addition, we also operate several Websites – such as Surfsight.com – and collect personal data of Visitors. Some Visitors and other people who communicate with us, become our business Contacts or Customers. We collect and process various personal information regarding our Visitors, Contacts, and Customers, and we are the Data Controllers for such personal data.
If you are a Visitor, Contact or Customer of ours and have any issue regarding your personal information that we control, please contact us (details below).
2) How Do We Collect Personal Data?
If you’re a Contact or Customer of ours, there might be several ways in which we receive your personal data:
If you’re a User or Driver, there are two ways in which we receive personal data about you that we process on behalf of our Customer:
You can usually shut down the Device or unplug it from electricity to stop its operation and collection of information. However, your handling of the Customer’s Devices and vehicles is subject to your relationship with your employer, our Customer. If the Platform does not receive data from the Device, it might not function properly. The data provided by the Surfsight solution to our Customer who controls your account might be incomplete or inaccurate, and that might affect your relationship, work or compensation. Please consult with your employer regarding the potential effect of disabling or tampering with the Device and its operations.
If you’re a Passenger or another person unrelated to the Customer (Other People), we might still process some personal data about you. Such data is received from the Customer’s Device assigned to the Driver that picked up your video footage, location information, or other visible or inferred personal data, inside the Customer’s vehicle or around it. If you have any question or request regarding your data, please approach first the Driver whose vehicle you’ve ridden, or our Customer, the Driver’s employer.
If you’re a Visitor to our Websites or a User using the Surfsight solution, we might receive some personal data through your device, operating system, and browser, and various hosting, tracking, analytics and advertising technologies used on our Websites, such as cookies (see below), Amazon Web Services, WordPress and WordPress plugins, Analytics and Advertising technologies by Google and others, Customer support services by Freshdesk, Social Login APIs by Google, Facebook, Twitter and others, and other technologies. Our Websites do not currently respond to “Do Not Track” signals sent by your browser or device.
3) What Personal Data Do We Process?
If you’re a Contact or Customer of ours, or a Surfsight User, we may collect and process these types of personal data about you:
On the Surfsight Platform, we process mostly data from and about Devices, not people. However, in the process of collecting such information, various types of personal data are also collected. Our Customers decide what data to collect from Devices, whether and to which extent to associate Devices with specific people in their organization, and what personal data of Users and Drivers to store on the Platform.
These are the types of personal data about Drivers, Passengers, and Other People that we may process on Customers’ behalf:
We also collect and process these types of personal data about anyone using the Devices, Surfsight Platform, Portal, or Websites:
4) What About Personal Data of Children?
Surfsight is a technology platform for driving safety and documentation, and is not intended for children. We do not knowingly collect or process information about children, although Passengers and Other People who are children might be captured on Customer videos coincidentally. The Surfsight solution makes no attempt whatsoever to personally identify Children, Passengers, or Other People, who appear on Customer’s videos processed on the Platform.
Occasionally, parents use the Surfsight solution to keep track and sight of their children’s driving, location, and conduct in their cars. Such children usually have a driving license and are older than 16 years old. Even in such cases, the Surfsight solution is intended to be used with significant parental involvement and approval, and with the children/Drivers’ awareness.
Please contact our Customer or the Driver if you have any concern with respect to Children’s personal data on Devices. Please contact us (contact details below) if you have any concern with respect to Children’s personal data on the Platform.
5) What About Cookies?
6) What Are The Purposes For Processing Personal Data? How Is Your Personal Data Used?
The purposes for the processing of personal data with the Surfsight solution are determined by our Customers. Each Customer might use the Surfsight solution for different purposes. Such purposes might include encouraging and monitoring driving safety; protecting Customer assets, such as their vehicles; protecting the Customers, staff, and third parties in case of accidents, legal proceedings, and insurance claims; tracking vehicles and fleet management; determining or corroborating the circumstances of a lawsuit, claim, loss or theft; preventing and detecting fraud; supervising professional drivers; route planning; traffic measurement and documentation; and more.
If you’re a Driver, we collect and use your personal data to provide our services to our Customers, according to their instructions and settings, so they can achieve their respective purposes. We may use your Device and contact details, according to Customer’s instructions and settings on the Portal, to communicate with you and to provide you with support and handle requests and complaints. Such interactions are performed on Customers’ request, and based on the Customer’s settings, or on your own requests or based on your settings in the Device and Portal (if you’re also a User).
Our purpose in processing personal data via the Surfsight solution is to provide our services to the Customers according to our agreements with them and applicable law. An integral part of our services to Customers is the continual improvement of the Device and Surfsight Platform, and therefore we also use the data collected on Surfsight to ensure our products and services are working as intended; to analyze, measure and understand how our services are used; to improve our products and services; to develop new features, products, and services; to protect our company, staff, Customers and Users, as well as Drivers, Passengers, and the general public; and to comply with any applicable law and assist law enforcement agencies where required under any applicable law.
As part of the processing activities undertaken on behalf of Customer, we may create derivative data containing insights from Customer data but which does not itself consist of personal data (such as aggregated, anonymized or de-identified data). We may also use anonymous, statistical or aggregated information collected on the Platform, in a form that does not enable the identification of a specific user, by posting, disseminating, transmitting or otherwise communicating or making available such information to customers, vendors, partners and any other third party. For example, GPS information that we receive from your Device may be provided to municipalities in an aggregated and/or anonymous form to help improve road safety and solve traffic problems.
We also process usage and analytics information, as well as some statistical and aggregate data derived from personal data, for the improvement and further development of the Surfsight solution, Platform, App, Devices, and the Portal, or for research purposes.
Websites, Customers, Contacts and Visitors
If you’re a Customer, Contact, or Visitor on our Websites, we may process your personal data for our own business purposes, including:
7) What Is The Basis For The Processing of Data?
As Data Controllers, our Customers often process personal data via the Surfsight solution (and we process such data as data processor on behalf of our Customers and according to their instructions) for any or some of the following reasons:
As a Data Processor for certain personal data, we process personal data based on the instructions from our Customers.
Websites, Customers, Contacts, and Visitors
As a Data Controller for our Customers, Contacts and Visitors’ personal data, we process personal data based on any or some of the following legal bases:
8) Who Is Your Information Shared With?
Our services sometimes enable our Customers, their Users, or you, to share information, including personal data, based on your consent or other legal bases, as referenced above. Our Customers, Users, or you, decide about the sharing of videos and other data on the Platform, the identity of the recipients, and the distribution of the information. For example, the Customer may use the Platform to transfer Videos or Driving Data captured on its Devices to employees within the organization, insurance companies, law firms, law enforcement agencies, government or municipal authorities, etc.
This section deals with information we share about you with others.
For the delivery of our services, we share all User, Device, and Platform data on the Surfsight Platform (which includes identifiable information of Drivers, Passengers and Other People) with the Customer who is the Data Controller with respect to such data. This means that your employer has access and control over all the information we collect about you. We also share Customer’s representatives’ contact details with all the Customer’s Users and others who might need such details, to comply with any applicable law. Our Customers may select to share the information with some of their staff and other organizations and bodies, as mentioned above. As further described below, we also utilize third party processors in the provision of services, including cloud hosting providers, IT and system administration, payment processing, technical support, research and analytics, telecommunication vendors, and customer support.
Customers, Contacts, and Visitors
We process your details on our servers and computers, cloud CRM services, support systems and services (such as Freshdesk), billing systems (such as Priority), SMS gateways, Email and SMS communication services (such as Twilio and MailChimp), and backup systems. We may share some of your details with our staff, consultants, resellers, affiliates, and other third-party business partners for research and analysis, cooperation opportunities, joint promotions, sales, and events.
We use additional processors around the world for various processing activities needed for the performance of the Surfsight solution, our Websites, our other products and services, our operations, and our business, and share information with such processors on a need basis. Such processors include hosting and backup providers (such as Amazon Web Services), analytics providers (such as Google and Heap), website technology (such as WordPress and WordPress plugins), advertising technology (such as Google), telecommunication services, media transmission services (such as Velia.net), security technology, and more. We limit the information we share with each processor based on the business need in using such processor, to protect your information while still effectively benefiting from the services of such processor.
We may also share non-personally identifiable information and aggregate information for any purpose. Such data is not personal data, and its sharing cannot be used to identify you.
We may need to share your information with law enforcement agencies, courts of law, and other governmental organizations, if ordered to do so by competent bodies and according to applicable law.
Mergers and Acquisitions
If we are involved with a merger, asset sale, financing, liquidation, bankruptcy, or the acquisition of all or part of our business by another company, we may share your information with that company and its advisors before and after the transaction date.
9) How Do We Safeguard Your Personal Data?
We take information security very seriously. We implement industry standard security controls to prevent unauthorized access, maintain data accuracy, and ensure data availability. We also implement appropriate organizational measures to protect your information.
We apply our security controls also when working with business and technology partners. We only select and contract with processors and third parties who use appropriate security measures and provide sufficient guarantees, including technical and organizational measures, to ensure the appropriate protection of the data we entrust to them. Unfortunately, although we make every effort to keep your data safe, we cannot fully ensure or warrant the security of your personal information.
You can take part in securing your personal data. Always lock the vehicle where the Customer’s Device is installed. If you’re a User, prevent unauthorized access to your Surfsight account and personal information by selecting a strong password and protecting your login credentials appropriately. Limit access to your computer and mobile device. If you’re using the Portal, sign off when you finish accessing your account.
10) Do We Transfer Personal Data Internationally?
Most of our information is stored in the cloud on Amazon Web Services in the U.S. and Europe. Amazon takes extreme measures with respect to privacy and data security. Read more about it here. Our R&D and customer support center are located in Israel.
At the same time, our business is international – we serve Customers that keep sight on their vehicles around the world utilizing the Surfsight solution, and we utilize additional processors and service providers in various countries. Therefore, we transfer, store or otherwise process your personal information in other countries. We take appropriate safeguards in the selection of our processing vendors around the world to require that your personal data is well protected. Despite our efforts, it may be the case that a country where your personal data is processed has different, or less protective, data protection and privacy regulation than the country you live in.
11) For How Long Do We Keep Personal Data?
Where permissible, we may de-identify or anonymize in lieu of deleting your personal data. In certain occasions we might not be able to fully delete, de-identify or anonymize your personal data due to technical or operational reasons, for example deleting from backup storage and archives. In such cases, we shall take reasonable measures to secure any information still maintained by us according to our standard data security practices.
12) What Are Your Rights With Respect to Your Personal Data?
If you’re a User or Driver on Surfsight, please approach your employer to exercise any rights you may have, as they are the Data Controllers of your personal data. Otherwise, please contact us (details below).
According to the data protection and privacy regulation where you live, you may have certain rights with respect to your personal information.
If you are a resident of the European Union, your rights may include, under certain terms and conditions set in the EU General Data Protection Regulation (GDPR) or other applicable law:
After deletion or anonymization of your personal data following its retention period, the rights to access, erasure, rectification, and data portability cannot be enforced.
If you are a resident of the state of California:
To exercise your rights, please contact us either by email or mail in accordance with the Contact Us section below. Please note that we must verify any requests pursuant to this section to ensure the individual making such request is authorized to exercise such rights. Therefore, you must submit your name and email address, as well as confirm access to such email address, in order for us to process your request. We will comply with the applicable data protection laws and the exercising of your rights under such laws, however please note that such rights specified above are not absolute, and exemptions may be applicable. We try to respond to all legitimate requests within one month and will contact you if we need additional information from you in order to honor your request. Occasionally it may take us longer than a month, taking into account the complexity and number of requests we receive.
If your personal data has been submitted to us in connection with our provision of services to a Customer, and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the specific Customer directly. Because we may only respond to a request related to our Customer’s data with such Customer’s permission, if you wish to make your request directly to us, please provide the name of the Customer who submitted your information when contacting us. We will refer your request to that Customer, and will support them as needed in responding to your request within a reasonable timeframe. If you are an employee of a Customer, we recommend you contact your company’s system administrator for assistance in correcting or updating your information.
Notice to California Residents: We have not sold any personal data to third parties for a commercial purpose in the preceding twelve months.
14) Who Can You Contact Regarding Your Personal Data?
If you’re a User or Driver, please contact your employer first with any issue, as they are the Data Controllers of your personal information. Your organization’s contact details appear on or around the Device, in the Portal, and in any communications processed via the Platform. If you do not know who your Data Controller is, please contact our customer support and we will attempt to determine who the Data Controller is and forward your request.
15) How to Contact Us?
You can contact us with any question or concern you have at:
Via email: firstname.lastname@example.org
9785 Towne Centre Drive
San Diego, California 92121
General Data Protection Regulation (GDPR) – European Representative
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Lytx has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
– by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
– by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium
UK General Data Protection Regulation (GDPR) – UK Representative
Pursuant to Article 27 of the UK GDPR, Lytx has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
– by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
– by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom