CHANGAN CONNECT Privacy Policy
Effective Date:February 21, 2025
Updated Date:February 21, 2025
Version number:VQ-G.M-250221
Welcome to driving CHANGAN Auto! With this Privacy Policy ("Policy") we are informing you about how we process, and protect certain personal data ("Data") when you use CHANGAN CONNECT(the "APP") is an application developed by Changan Automobile (hereinafter referred to as “we”, “us”, “our”) that enables you to connect to your vehicle and provides related services.
Data Controller and Data Protection Officer
Your Data Controller(or the equivalent of other jurisdictions) according to different regions for the purposes of this Policy is:
·South America Region
CHANGAN AUTO MEXICO S. de R.L. de C.V.
Boulevard Manuel Ávila Camacho 138 piso 5 Lomas de Chapultepec III Sección, Miguel Hidalgo, 11000
·CIS Region
Changan Motors Rus" Limited Liability Company.
·Middle East and Africa Region
CHANGAN INTERNATIONAL CORPORATION (DMCC BRANCH)
1003&1004&1005 Fortune Tower, Jumeira Lake Towers, Al Sarayat Street
(referred to as "CHANGAN", "we", "us", "our")
Further, please see Section 9 with contact information to our Data Protection Officer ("DPO"), and, where applicable.
1. User Setup
1.1 User Account
We may collect and process your Data after you log in and acknowledge this Policy in regard to the different Services that we provide, depending on whether you have registered an account with us ("User Account") as the owner of a Vehicle, as a driver with a driver account, or as a user of a shared Vehicle.
1.2 Other Users
We understand that related persons or independent entities other than yourself (including, but not limited to, your relatives, friends, colleagues, collectively referred to as "Other Users") may also access and use our Services when they use your Vehicle. Please note that Other Users must obtain authorization from the primary account holder before they can link the Vehicle to their account. We recommend that they create their own account in the In-Vehicle Terminal or the Vehicle control app ("APP") so that we can provide the Services appropriately and safeguard their data protection rights.
In the absence of a dedicated registration of such Other Users, we will consider that such Other Users have access to the Services with your authorization when they use your User Account or use your physical key to access and use your CHANGAN Auto. We will further assume that you may exercise the rights described in this Policy in your name on behalf of such Other Users.
1.3 Connected Service Mode, Full Privacy Mode
Depending on your privacy and consent preferences, we will process your Data in different modes:
After you log in to the In-Vehicle Terminal with, we will enable the "Connected Service Mode" and the "Full Privacy Mode". You can freely switch between these two modes at any time.
If You turn on the “Connected Service Mode” , we will process Your Data and store it on our cloud server; You can use the normal remote Vehicle control function and other related Services accessed through this APP. By contrast, in and “Full Privacy Mode”, any residual Data that we collect will be stored in the In-Vehicle Terminal only. You will not be able to use our Services, e.g. remote control of vehicles.
In “Fully Privacy Mode”, any residual Data that we collect will be stored in the In-Vehicle Terminal. At the same time, you will not be able to use the functionalities of the Vehicle network, such as remote Vehicle control.
1.4 Minors
Our Services are primarily addressing the use of the Vehicle and the Services by adults. Minors may not create and own User Accounts without the consent of a parent or other guardian. We do not knowingly collect Data from minors without the prior consent of a parent or other guardian.
We will implement available technology and make reasonable efforts to verify the consent or authorization of the holder of parental responsibility before processing the Data of a minor.
If we become aware that any Data of any minor has been inadvertently collected, we will immediately delete the data or process the minor's Data only if we can rely on a legal basis other than consent.
We will strictly comply with national and regional legal requirements regarding the Data of minors and comply strictly with any lower age thresholds required by law. Diversified age specifications regarding minors are observed across various countries and regions.
2. Data categories and purposes of processing
2.1 Categories of data, purposes of processing and legal bases
We process your Data for the purposes described in the table below, relying on the following legal bases:
· Your consent to processing your Data, which you provide through a separate consent declaration in the In-Vehicle Terminal or otherwise. We rely on consent in particular relating to Location, image recognition, voice recognition and video recording Data;
· Performing our contractual obligations under the TSA and other relevant agreements including, but not limited to, applicable service agreements, subscription terms, and ancillary agreements you have entered into with us;
· Fulfilling legal obligations to process your Data for the EDR, eCall function;
· Protecting the vital interests of yours or of another natural person;
· Our Legitimate interest, in particular where we are providing the Services to Other Users.
You can withdraw your consent at any time in the settings of the In-Vehicle Terminal. This does not affect the lawfulness of processing your Data before the withdrawal. After you withdraw your consent, some functions may not be available. Please proceed with caution.
2.2 Data you provide to CHANGAN
|
Services |
Categories of Data |
Purposes |
Legal bases |
Source of collection |
Nature of collection (Obligatory / voluntary) |
Effect of non-provision or providing incorrect or inaccurate data |
|
Register / Login account |
Email address, email verification code, telephone number, mobile verification code, login password, traceid, userid, VIN code, vehicle model, vehicle registration number, vehicle nickname, vehicle parameters, camera data |
We process email address, email verification code, telephone number, mobile verification code, login password to register You for the Deepal account and to enable You to login.
If You have bound a vehicle, we process traceId, userId, VIN, vehicle model, license plate number, vehicle nickname, vehicle parameters to synchronize Your data and display it in the APP
|
Users consent, the necessity for contract performance, and legitimate interests (subject to the legally recognized grounds and the practically defensible legal grounds in your jurisdiction). |
Collected directly from you |
Voluntary |
May affect your use of this specific service and its associated services or functions but will not impact other unrelated services. |
2.3 Data we process when you use the Services
|
Services |
Categories of Data |
Purposes |
Legal bases |
Source of Collection |
Obligatory or voluntary collection |
Effect of non-provision or providing incorrect or inaccurate data |
|
Account and Security Management |
Email address, telephone number, login password, mobile phone network status, device model, device type, device version, operation log, service log, IP address |
We process email addresses, telephone numbers, and login passwords to assign Your account to You. We process mobile phone network status to ensure the functionality and quality of the service. We process device model, device type, device version, operation logs, service logs, and IP addresses to identify anomalies in Your account status and in APP functionalities, and ensure safe and stable operation of the services provided to You
|
Users consent, the necessity for contract performance, and legitimate interests (subject to the legally recognized grounds and the practically defensible legal grounds in your jurisdiction). |
Collected directly from you/your vehicle |
Voluntary |
May affect your use of this specific service and its associated services or functions but will not impact other unrelated services. |
|
Bluetooth key |
Bluetooth data, device identification information, location information |
We process Bluetooth data to identify nearby devices for connection and control the vehicle through Bluetooth keys. For this purpose we need to turn on the Bluetooth function on the phone and issue Bluetooth positioning calibration data.
We may need to process Your location data to identify Your vehicle and unlock Your vehicle via the Bluetooth key.
|
Users consent, the necessity for contract performance, and legitimate interests (subject to the legally recognized grounds and the practically defensible legal grounds in your jurisdiction). |
Collected directly from you/your vehicle |
Voluntary |
May affect your use of this specific service and its associated services or functions but will not impact other unrelated services. |
|
Language and country settings |
System language, country code, device model, VIN |
We process system language, country code, and device model data for switching language versions for Your convenience. We process VIN in order to find information about the vehicle You are binding to synchronise language switching. |
Users consent, the necessity for contract performance, and legitimate interests (subject to the legally recognized grounds and the practically defensible legal grounds in your jurisdiction). |
Collected directly from you/your vehicle |
Voluntary |
May affect your use of this specific service and its associated services or functions but will not impact other unrelated services. |
|
Remote control of vehicles |
Vehicle Id, vehicle air conditioning status, tyre status, charging status, travel plan, seat status, lamp status, vehicle cycle status, vehicle position, window information, door status, vehicle status data; steering wheel heating status, remote seat heating status, battery heating status, seat ventilation status, vehicle control code, flashing siren, flashing lights |
We process these data to provide You with relevant vehicle related information, such as battery level and mileage, in the APP when You bind the vehicle with our APP and turn on the relevant functions of the vehicle. Additionally, we will provide You with the remote control of vehicle-related functions, such as window control, car search, interior air conditioning on and temperature setting, seat ventilation, steering wheel heating, remote seat heating, and travelling reservation. |
Users consent, the necessity for contract performance, and legitimate interests (subject to the legally recognized grounds and the practically defensible legal grounds in your jurisdiction). |
Collected directly from you/your vehicle |
Voluntary |
May affect your use of this specific service and its associated services or functions but will not impact other unrelated services. |
|
Vehicle diagnostics |
Tire pressure data, airbag data, battery current and charging status data, powertrain data, vehicle stability system data, steering data, ABS data and further technical data |
We process this data for You to check the current health of Your vehicle and to see if the vehicle's major modules are in proper condition. |
Users consent, the necessity for contract performance, and legitimate interests (subject to the legally recognized grounds and the practically defensible legal grounds in your jurisdiction). |
Collected directly from you/your vehicle |
Voluntary |
May affect your use of this specific service and its associated services or functions but will not impact other unrelated services. |
|
Vehicle management |
Vehicle nickname, license plate number, vehicle model, VIN, purchase record, device model, vehicleID |
We process such data to systematically identify and mark the vehicles You wish to manage, so that we can accurately identify and provide You with services such as binding and unbinding vehicles. |
Users consent, the necessity for contract performance, and legitimate interests (subject to the legally recognized grounds and the practically defensible legal grounds in your jurisdiction). |
Collected directly from you/your vehicle |
Voluntary |
May affect your use of this specific service and its associated services or functions but will not impact other unrelated services. |
|
Vehicle sharing |
Email address, CAPTCHA, expiry time data, email address of the person being shared |
We process email addresses and verification codes for authentication when You share Your vehicle with other users on the app. Other users can merely see Your name/nickname, but none of Your account data. We process valid time data to set the expiry date of sharing. We process the email address of the person sharing the vehicle in the APP for record-keeping purposes and for ensuring the functionality of the service. |
Users consent, the necessity for contract performance, and legitimate interests (subject to the legally recognized grounds and the practically defensible legal grounds in your jurisdiction). |
Collected directly from you/your vehicle |
Voluntary |
/ |
|
Vehicle upgrades |
VIN, software version number, vehicle model, vehicleID, traceID |
We process such data to identif if the vehicle software must be updated |
Users consent, the necessity for contract performance, and legitimate interests (subject to the legally recognized grounds and the practically defensible legal grounds in your jurisdiction). |
Collected directly from you/your vehicle |
Voluntary |
May affect your use of this specific service and its associated services or functions but will not impact other unrelated services. |
|
App remote vehicle condition control |
All-privacy mode status and vehicle network status; Vehicle status data such as door lock, window, lamp, air conditioner, seat, charging port cover, front compartment cover status, rear dome, rear window, mileage, total mileage, percentage of remaining power, partition glass status, tire pressure value, etc.; Technical data of vehicle running motion such as tire pressure, battery charge and discharge, parking state, etc. |
When you remotely manage and control your vehicle through the APP, we process such data, including vehicle condition data, motion operation technical data, full privacy mode status values, etc. (Details are subject to the functionality displayed by the APP). We work with your data according to your specific functionality. |
User's consent, need to perform the contract and legal rights and interests (subject to the legal reasons recognized by law and the practical legal reasons in your jurisdiction). |
Collect directly from you/your vehicle |
Voluntary |
May affect your use of this particular service and its associated services or features, but not other unrelated services. |
|
Sentry tower mode |
VIN, sentry tower mode function switch status, outside camera data and radar data; Such as suspicious event alarm signals such as close to the side of vehicle, severe vibration of vehicle, anti-theft status activation; |
We
will process VIN, external camera data, radar data, etc. to realize accurate
identification of threat events close to the vehicle body (stamping, collision,
theft, etc.), and notify the vehicle owner of the alarm signal through the
mobile phone APP, so as to help the vehicle owner to pay attention to the
vehicle safety at any time. |
User's consent, need to perform the contract and legal rights and interests (subject to the legal reasons recognized by law and the practical legal reasons in your jurisdiction). |
Collect directly from you/your vehicle |
Voluntary |
May affect your use of this particular service and its associated services or features, but not other unrelated services. |
Please note: Depending on the car model, its technical capabilities, and market regulations, the availability and details of Services may vary. Consequently, the information we collect about you may also differ.
2.4 Direct Marketing
In the future, we may use your Personal Data for direct marketing purposes. At that time, we will provide detailed information regarding the types of Personal Data to be used, the methods of direct marketing, and the specific purposes of such activities. You will also be provided with clear options to opt-out or refuse such uses of your Personal Data at any time.
3. Data Protection Measures
We implement appropriate technical and organizational measures to safeguard your information from unauthorized access, ensure data accuracy, and maintain ensure proper use. These measures include, but are not limited to, encryption, anonymization, access controls, regular system audits, and employee training to ensure compliance with data protection standards.
Access to our data collection system is strictly limited to authorized system administrators, and users’ information is stored in secure system database. Queries or modifications of this data are restricted to administrators with the necessary permissions and are logged for audit purposes.
When disclosing or entrusting data processing to third parties, we require such parties to enter into a Data Processing Agreement (DPA) with us. Under this agreement, the receiving party must demonstrate technical capability and robust institutional processes to process Personal Data exclusively for the purposes specified in the business contract. They are required to respond promptly to requests from data subjects exercising their rights, as well as to data breach incidents. Upon contract termination, the receiving party must either return or securely destroy the data, as specified in the agreement.
Our corporate policies, ethical standards, and business practices are designed to limit the use and disclosure of information to authorized individuals, processes, and transactions. We also conduct regular assessments of our data protection practices to identify and mitigate potential risks.
Additionally, our corporate policies, ethical standards, and business practices are designed to limit the use and disclosure of information to authorized individuals, processes, and transactions. We also conduct regular assessments of our data protection practices to identify and mitigate potential risks.
Despite these measures, no data transmission over the internet or any wireless network can be guaranteed to be perfectly secure. While we strive to implement state-of-the-art measures to protect your data, we cannot guarantee absolute security against all risks. In the event of a data breach, we will notify affected users and the regulatory authorities in compliance with applicable legal requirements and within the required timeframes.
4. Third party recipients
We do not transmit your Data to third parties other than as set out below, in order to fulfil our contractual obligations with you under the TSA and other relevant agreements, comply with legal requirements, or where we have obtained your consent, or based such transmission on legitimate interest in regard to Other Users:
4.1 CHANGAN affiliates
We may transmit your Data to affiliated companies of CHANGAN ("CHANGAN Affiliates") for the purposes set out above under Section 3. We will be pleased to provide further information on the respective CHANGAN Affiliates, if you contact us as indicated under Section 9.
4.2 Data processors instructed by CHANGAN
In accordance with applicable laws, we may transmit your Data to third-party entities or recipients acting under our instructions pursuant to relevant legal agreements. Such data processors include in particular without limitation:
· IT service providers;
· Logistics and freight service providers;
· Data storage and cloud service providers;
· Event management service providers;
· Call center service providers;
5. Data transfers around the world
We may process your Data globally based on business needs. Your data may be transferred across borders to different countries or regions. We will take appropriate cross-border protection measures in accordance with the data cross-border requirements of different countries or regions, such as based on adequacy protection levels, cross-border transfer standard contracts, user consent, ensuring vehicle safety, complying with legal obligations, etc.. Recipients of personal data are located in [Mexico].
Please contact us using the contact details under Section 9 provided in this Policy in case you would like more information about how we cross-border transfer your data and how we protect your Data in a third country.
6. Retention
Your Personal Data is stored securely in our data centers around the world, including but not limited to those located in [ Mexico]. In regions subject to data localization, processing, or residency requirements, we establish data centers or deploy servers in accordance with local regulations, ensuring compliance with legal mandates in each jurisdiction.
We store your Data for the duration necessary to fulfill the processing purposes outlined in Section 3, or as mandated by applicable legal retention requirements. The retention period may vary depending on the purpose of processing and could be subject to further statutory data retention obligations. Upon the expiry of these retention periods, we will delete such Data using appropriate data deletion techniques to ensure that it cannot be accessed or retrieved. Where appropriate, we may anonymize your Data by irrevocably removing all personal identifiers, thereby ensuring that re-identification of you as a natural person is impossible.
For interactions with our virtual voice assistant, we regularly delete your Data immediately after the voice assistant has responded to your request. In exceptional cases, we may process your Data for up to 30 calendar days, after which any in-vehicle audio Data is permanently deleted from the cloud server. When using the Voice Assistant to control other functions or applications, we may synchronize relevant information in these functions or application scenarios to facilitate the completion of the requested actions. Please contact us for further information.
7. Data Subject Rights
You have a number of rights in relation to your personal information under data protection law. In relation to most rights, we will ask you for information to confirm your identity and, where applicable, to assist us search for your personal information. Other than in exceptional cases, we will respond to you within one month or within the time limit prescribed by laws and regulations after we have received your request (including any identification documents requested).
You have the right to:
· Access your Data that is being processed by us. In particular, you may request information on the purposes of the processing, the categories of personal information concerned, the categories of recipients to whom the personal information have been or will be disclosed, the envisaged period for which the personal information will be stored, the existence of the right to request rectification or erasure of personal information or restriction of processing of personal information or to object to such processing, the right to lodge a complaint with a supervisory authority, any available information as to the personal information’s source (where they are not collected from you), the existence of automated decision-making, including profiling and, where appropriate, meaningful information on its details. Your right to access may be limited by the laws of the relevant country or region;
· Rectify inaccurate or incomplete Data processed about you;
· Restrict the processing of your Data for example where you think that we no longer need to use your personal data or where you think that the personal data we hold about you may be inaccurate;
· Ask us to erase your Data in certain circumstances, for example where you withdraw your consent or where the personal data we obtained is no longer necessary for the original purpose; this right, will, however, need to be balanced against other factors (for example, we may have legal obligations which mean we cannot comply with your request). We may anonymize your data or retain it solely for the purpose of fulfilling legal obligations;
· object to processing of your Data where we process your personal data based on our legitimate business interests (indicated in this Privacy Policy), you can object to our processing. We will consider your objection and determine whether or not our legitimate business interests prejudice your privacy rights; Data Portability: Request that your Data are delivered in a structured, commonly used and machine readable format either to you or directly to a third party if technically feasible;
· Withdraw consent: we may ask for your consent for certain uses of your Data – we have indicated in this Privacy Policy where we do need your consent. You have the right to withdraw your consent at any time; As a result, we may no longer process your personal information based on this consent in the future. The withdrawal of consent has no effect on the lawfulness of processing based on consent before its withdrawal;
· Refuse being subject to purely automated decisions (including profiling) where this has a significant effect on you (if applicable). We do not envisage that any decisions will be taken about you in this way, however we will update this statement if this changes.
· The right to refuse receiving marketing or political promotions (if applicable).
· The right to prohibit or restrict us from transferring your Data made publicly available to an unlimited number of persons (if applicable).
You can exercise the above rights and/or manage your information by contacting us as set out under Section 9. Please note that not all the above rights will be absolute; this means that there may be some circumstances where we may not be able to comply with your request (such as where this would conflict with our obligation to comply with other regulatory and/or legal requirements). However, if we cannot comply with your request, we will tell you the reason.
We reserve to amend and update this Policy from time to time, in order to adapt it to new legal developments and/or changes in the way we process your Data.
We will inform you about changes to this Policy with pop-up banners or any other appropriate measures in the In-Vehicle Terminal (including a link leading to the full text and showing the latest changes) and will post any changes to this Policy there. We will archive older versions of this Policy, which you can review through Home – Vehicle Settings – Privacy Authorization – User Agreement and Privacy Policy.
If you have any questions, comments or suggestions about this Policy or matters relating to your Data, or if you would like to exercise any of your rights, please contact us as follows:
South America Region
Data Protection Officer for CHANGAN
Email address: [fernando.correa@changan.mx]
CIS Region
Data Protection Officer for CHANGAN
Email address: [info@changanauto.ru]
Middle East and Africa Region
Data Protection Officer for CHANGAN
Email address: [ yara11@changan.com.cn]
We will respond to your request within one month or within the time limit prescribed by laws and regulations. We will inform you in case we need to extend this timeline in light of the complexity of your request and/or for other reasons permitted under law.
10. Your right to lodge a complaint
If you are of the opinion that the processing of your personal information by us is not in compliance with this Policy or the applicable data protection regulations, you have the right to make a complaint to a regulatory authority.
You can also make a complaint to us via the contact details above. We will then check the matter and inform you about the outcome of the investigation.
***