Version: July 1, 2020
In a nutshell:
- The Surfsight™ platform enables customers to collect and process videos, location data, and driving events from dashcam devices installed in an organization’s vehicles (cars or trucks), and lets such organizations – our customers – keep sight of the driving safety of their staff and the operation of their vehicles, and protect their interests in case of accidents or insurance claims. In the process, personal data is also collected on the platform.
- Our customers manage their Surfsight data independently on our cloud platform. They decide what information to collect through their dashcam devices and for what purposes to use it. If you’re an employee or Surfsight user and have any question regarding your data on the Surfsight Platform – please first approach your employer, who can assist you with any question and right you might have with respect to such data.
- Like most businesses, we also collect and process personal information of our website visitors, business contacts, and customers.
- We respect your rights regarding your personal data.
- Have a question and can’t find an answer? Contact us, we’re here to help: [email protected]
Now in more detail:
Introduction and Definitions
The Surfsight solution is a technology platform and service owned and operated by us, Lytx, Inc. and our wholly-owned subsidiaries (“Company”). You can find our contact details below.
The Surfsight solution helps organizations to protect their staff and vehicles on the road, and to protect their legal interests in claims and disputes. These organizations are our Customers.
The Surfsight solution is a cloud Platform, connected to Dash Camera Devices (which the Customer buys, owns, installs, and operates), and accessible to Customers and their permitted Users through a dedicated Web Portal.
As soon as they’re turned on upon the vehicle’s ignition, Devices record Videos and collect various Location Data and Driving Data, which might include personal information or personally identifiable information (personal data) of the vehicle’s Drivers, Passengers, or Other People, as explained in detail below.
Our Customers decide the purposes for which they use the Surfsight solution, as well as the means for collecting data, including without limitation the configuration of features available in the Platform and Devices. Our Customers control the data processed on their behalf via the Surfsight solution and they are responsible under our End User License Agreement (EULA) for handling any data rights and data requests of their employees and contractors, Users, Drivers, Passengers, and Other People as Data Controllers. We also use the data collected, uploaded or available to the Surfsight solution for the provision of services to our Customers, product improvement, research and development and commercial uses, as described in detail below. With respect to the processing of personal data of Customers, Company is a Data Processor, as further described in the Privacy and Data Processing Agreement sections of the EULA.
To make things clear with an example: if you’re an employee of CorpCo and got a CorpCo company car that has a Surfsight Device installed in it, then you are a Driver, CorpCo is our Customer and has full control over your personal data, and we process your personal data on CorpCo’s behalf and according to its instructions. If CorpCo gave you access to the Surfsight Portal, you’re also a User, and you can access the Platform to view videos, get statistics, and take some actions, all according to your permissions as defined by CorpCo.
If you’re a User, Driver, or Passenger and have any issue regarding your personal information, please contact your employer first! Our Customer’s contact details appear on or around the Device and in the Portal.
In addition, we also operate several Websites – such as Surfsight.com – and collect personal data of Visitors. Some Visitors and other people who communicate with us, become our business Contacts or Customers. We collect and process various personal information regarding our Visitors, Contacts, and Customers, and we are the Data Controllers for such personal data.
If you are a Visitor, Contact or Customer of ours and have any issue regarding your personal information that we control, please contact us (details below).
How Do We Collect Personal Data?
If you’re a Contact or Customer of ours, there might be several ways in which we receive your personal data:
- When you share it with us directly, through your communication with us on the Websites’ contact forms, by email, phone, or facsimile, in conferences, meetings, or via any other communication channel.
- We might augment the personal data we have about you with information you provided us directly, information others have provided us about you, and data we’ve collected about you from your use of the Surfsight solution or Websites (see below).
If you’re a User or Driver, there are two ways in which we receive personal data about you that we process on behalf of our Customer:
- Our Customer provides us with your personal data through the Surfsight solution, the Portal, Devices owned and operated by the Customer, Customer’s use of the Platform, or otherwise.
- You provide us personal data directly through your use of a Device in a vehicle you’re driving, which sends the Platform videos and data, or through your use of the Portal, Websites, customer support channels, or otherwise.
You can usually shut down the Device or unplug it from electricity to stop its operation and collection of information. However, your handling of the Customer’s Devices and vehicles is subject to your relationship with your employer, our Customer. If the Platform does not receive data from the Device, it might not function properly. The data provided by the Surfsight solution to our Customer who controls your account might be incomplete or inaccurate, and that might affect your relationship, work or compensation. Please consult with your employer regarding the potential effect of disabling or tampering with the Device and its operations.
If you’re a Passenger or another person unrelated to the Customer (Other People), we might still process some personal data about you. Such data is received from the Customer’s Device assigned to the Driver that picked your video footage, location information, or other visible or inferred personal data, inside the Customer’s vehicle or around it. If you have any question or request regarding your data, please approach first the Driver whose vehicle you’ve ridden, or our Customer, the Driver’s employer.
If you’re a Visitor to our Websites or a User using the Surfsight solution, we might receive some personal data through your device, operating system, and browser, and various hosting, tracking, analytics and advertising technologies used on our Websites, such as cookies (see below), Amazon Web Services, WordPress and WordPress plugins, Analytics and Advertising technologies by Google and others, Customer support services by Freshdesk, Social Login APIs by Google, Facebook, Twitter and others, and other technologies. Our Websites do not currently respond to “Do Not Track” signals sent by your browser or device.
What Personal Data Do We Process?
If you’re a Contact or Customer of ours, or a Surfsight User, we may collect and process these types of personal data about you:
- Identification and Account information, such as full name, identification number (e.g. Employee ID, ID number, car plate number, gender, profile photo, username and password
- Contact details, such as country/time zone, work and home addresses, phone numbers, and email address
- Social networking information you’ve shared with us
- Work-related information, such as company, division, department, role, and title information
- Payment information, such as bank account number, credit card details, PayPal account, or other billing information
- Any personal data contained in any photos, media, and other files sent to us or uploaded to the Platform
- Any other personal data you provide us on any communication channel, such as email correspondence, customer support, and product feedback.
On the Surfsight Platform, we process mostly data from and about Devices, not people. However, in the process of collecting such information, various types of personal data are also collected. Our Customers decide what data to collect from Devices, whether and to which extent to associate Devices with specific people in their organization, and what personal data of Users and Drivers to store on the Platform.
These are the types of personal data about Drivers, Passengers, and Other People that we may process on Customers’ behalf:
- Identification information and contact details of Drivers and recipients of data shared via the Platform, as entered by the Customer or its Users on the Platform, such as name, identification number, car plate number, gender, profile photo, phone numbers, and email addresses
- Videos from Devices might be used to identify:
- The vehicle
- The vehicle’s surroundings, which might include videos of unidentified Other People in the public domain, such as pedestrians and cyclists. Our Customer’s ultimately determine the location of the Devices and are therefore responsible for complying with applicable laws. If you’re a Customer, User or Driver, please do not place Devices in the interior of private residences or any other publicly inaccessible locations or no photo zones. Videos from other private locations should also be avoided, unless you’ve attained the owner’s consent.
- The vehicle’s interior, which might include face and body videos, expressions, behaviors and activity within the vehicle of the Driver and Passengers. Gender and approximate age can also be inferred from the videos.
- Please be aware that the Device and Platform automatically record and process videos taken outside and inside the vehicle if the Customer has configured it to do so. Any conduct within the vehicle, whether appropriate or not, legitimate or illegal (such as texting and driving or use of alcohol and drugs), might be recorded by the Device, stored on the Platform, and become available to the Customer, its permitted Users, and others at the Customer’s discretion (See “Who is Your Information Shared With?” below). If you’re a Customer, User or Driver, make Passengers in the vehicle aware of the Device, about the Surfsight solution, and their processing of personal data. Please don’t record, process, transfer, or publish photos or videos in which people are identifiable without their permission, or if you have another legally justifiable reason to do so. You have control over data within the Surfsight solution, along with this control comes responsibility. Consider your use of the data in your control carefully, and consult with your managers, lawyers, or privacy professionals when in doubt.
- Detailed location, travel and route information, for example GPS signals (combined with a time-stamp) and other information from the Device, which can indicate, especially in combination with the videos or other data, the location of the vehicle, its Driver and Passengers, and Other People around the vehicle.
- Driving Data, such as speed, acceleration, deceleration (breaks), turns, stops, and crashes – which can document and indicate, especially in combination with Location Data and Videos, the occurrence of traffic violations such as speeding, illegal parking, reckless driving, and more. We collect, and may use a third party to collect, sensory and motion data from Devices, including information from its gyroscope, accelerometer, and compass, in order to calculate and detect various driving events and behaviors.
- Any personal data contained in any videos, media, and other files uploaded by Devices, Customers, or Users
- Any other personal data our Customers or Users enter or share on the Surfsight Platform
- Important notice: Not all videos and data from Customer’s Devices are processed on the Surfsight Platform. Customers define on the Platform the means and triggers for data collection for each Device. Still, Device data might contain the personal data such as mentioned above, which is stored locally on the Device memory card. Devices are owned, installed, and operated by the Customers, under the Customers’ sole and complete control. We take no responsibility over videos and data on the Devices that are not processed on the Platform. Please contact your employer for any question regarding the use of Devices in Customer vehicles.
We also collect and process these types of personal data about anyone using the Devices, Surfsight Platform, Portal, or Websites:
- Usage, logs, analytics, and other device and technical data collected when you use our Websites or the Surfsight Platform, including device information and identification numbers, operating system information, IP address, browser and session information, browsing history and referrals, cookies information, advertising identification numbers, language information, connectivity information, configuration information, metadata of files, and usage information (such as screen views, clicks, and usage time).
What About Personal Data of Children?
Surfsight is a technology platform for driving safety and documentation, and is not intended for children. We do not knowingly collect or process information about children, although Passengers and Other People who are children might be captured on Customer videos coincidentally. The Surfsight solution makes no attempt whatsoever to personally identify Children, Passengers, or Other People, who appear on Customer’s videos processed on the Platform.
Occasionally, parents use the Surfsight solution to keep track and sight of their children’s driving, location, and conduct in their cars. Such children usually have a driving license and are older than 16 years old. Even in such cases, the Surfsight solution is intended to be used with significant parental involvement and approval, and with the children/Drivers’ awareness.
Please contact our Customer or the Driver if you have any concern with respect to Children’s personal data on Devices. Please contact us (contact details below) if you have any concern with respect to Children’s personal data on the Platform.
What About Cookies?
What Are The Purposes For Processing Personal Data? How Is Your Personal Data Used?
The purposes for the processing of personal data with the Surfsight solution are determined by our Customers. Each Customer might use the Surfsight solution for different purposes. Such purposes might include encouraging and monitoring driving safety; protecting Customer assets, such as their vehicles; protecting the Customers, staff, and third parties in case of accidents, legal proceedings, and insurance claims; tracking vehicles and fleet management; determining or corroborating the circumstances of a lawsuit, claim, loss or theft; preventing and detecting fraud; supervising professional drivers; route planning; traffic measurement and documentation; and more.
If you’re a Driver, we collect and use your personal data to provide our services to our Customers, according to their instructions and settings, so they can achieve their respective purposes. We may use your Device and contact details, according to Customer’s instructions and settings on the Portal, to communicate with you and to provide you with support and handle requests and complaints. Such interactions are performed on Customers’ request, and based on the Customer’s settings, or on your own requests or based on your settings in the Device and Portal (if you’re also a User).
Our purpose in processing personal data via the Surfsight solution is to provide our services to the Customers according to our agreements with them and applicable law. An integral part of our services to Customers is the continual improvement of the Device and Surfsight Platform, and therefore we also use of the data collected on Surfsight to ensure our products and services are working as intended; to analyze, measure and understand how our services are used; to improve our products and services; to develop new features, products, and services; to protect our company, staff, Customers and Users, as well as Drivers, Passengers, and the general public; and to comply with any applicable law and assist law enforcement agencies where required under any applicable law.
As part of the processing activities undertaken on behalf of Customer, we may create derivative data containing insights from Customer data but which does not itself consist of personal data (such as aggregated, anonymized or de-identified data). We may also use anonymous, statistical or aggregated information collected on the Platform, in a form that does not enable the identification of a specific user, by posting, disseminating, transmitting or
otherwise communicating or making available such information to customers, vendors, partners and any other third party. For example, GPS information that we receive from your Device may be provided to municipalities in an aggregated and/or anonymous form to help improve road safety and solve traffic problems.
We also process usage and analytics information, as well as some statistical and aggregate data derived from personal data, for the improvement and further development of the Surfsight solution, Platform, App, Devices, and
the Portal, or for research purposes.
Websites, Customers, Contacts and Visitors
If you’re a Customer, Contact, or Visitor on our Websites, we may process your personal data for our own business purposes, including:
- Delivering our products and services, improving them, and developing new features, products, and services
- Providing information about our company, products, and services
- Providing customer support, billing and invoicing
- Contacting you via any communication channel, including email, phone, SMS, and other messaging platforms
- Analyzing and optimizing Websites and Surfsight solution traffic and usage
- Protecting of our company, staff, Customers, and systems
- Online advertising in all forms and channels, including targeting you and others who share similar characteristics as you (lookalikes) online on search engines, websites, apps, messaging platforms, social networking platforms, and offline
- Direct Marketing in all forms and channels, including email, SMS, messaging, postal service, and more; you can always opt-out from Direct Marketing by unsubscribing yourself through links on any communication or by contacting us and notifying us accordingly.
What Is The Basis For The Processing of Data?
As Data Controllers, our Customers often process personal data via the Surfsight solution (and we process such data as data processor on behalf of our Customers and according to their instructions) for any or some of the following reasons:
- Processing is necessary for compliance with a legal obligation to which the Customer is subject, for example regulation regarding companies with large vehicle fleets;
- Processing is necessary for the performance of a contract to which the data subject is party (for example, an employment and contractor agreement with our Customer) or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary in order to protect the vital interests of the data subject (such as Drivers and Passengers) or of another natural person (such as Other People), for example the right to personal safety when
driving or walking next to traffic, and the right to defend themselves in legal proceedings with relevant evidence;
- Processing is necessary for the performance of a task carried out in the public interest, such as increasing personal and public safety on the roads, or protecting law enforcement officers and others in the performance of
- Processing is necessary for the purposes of the legitimate interests pursued by our Customer or by a third party, for example: conducting their business; providing their products and services; protecting the security of its workforce, vehicles, and other property; protecting themselves, their staff, and third parties in case of accidents, legal proceedings, and insurance claims; tracking their vehicles and managing their fleets; assigning projects and tasks to remote workforce in transit based on employees’ location; validating attendance for work; supervising professional drivers; planning routes; measuring and documenting traffic; etc.
- In certain cases, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in our Customer as Data Controller;
As a Data Processor for certain personal data, we process personal data based on the instructions from our Customers.
Websites, Customers, Contacts, and Visitors
As a Data Controller for our Customers, Contacts and Visitors’ personal data, we process personal data based on any or some of the following legal bases:
- The data subject has given us consent to the processing of his or her personal data for specific purposes communicated in this policy;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person, for example protecting our Customers and our staff;
- Processing is necessary for compliance with a legal obligation to which we are subject, for example the need to maintain billing records for transactions;
- Processing is necessary for the purposes of the legitimate interests pursued by us, or our Customers, for example the conduct of our business, the development and delivery of our products and services, and the promotion and sales of such products and services.
Who Is Your Information Shared With?
Our services sometime enable our Customers, their Users, or you, to share information, including personal data, based on your consent or other legal bases, as referenced above. Our Customers, Users, or you, decide about the sharing of videos and other data on the Platform, the identity of the recipients, and the distribution of the information. For example, the Customer may use the Platform to transfer Videos or Driving Data captured on its Devices to employees within the organization, insurance companies, law firms, law enforcement agencies, government or municipal authorities, etc.
This section deals with information we share about you with others.
For the delivery of our services, we share all User, Device, and Platform data on the Surfsight Platform (which includes identifiable information of Drivers, Passengers and Other People) with the Customer who is the Data Controller with respect to such data. This means that your employer has access and control over all the information we collect about you. We also share Customer’s representatives contact details to all the Customer’s Users and others who might need such details, to comply with any applicable law. Our Customers may select to share the information with some of their staff and other organizations and bodies, as mentioned above. As further described below, we also utilizes third party processors in the provision of services, including cloud hosting providers, IT and system administration, payment processing, technical support, research and analytics, telecommunication vendors, and customer support.
Customers, Contacts, and Visitors
We process your details on our servers and computers, cloud CRM services, support systems and services (such as Freshdesk), billing systems (such as Priority), SMS gateways, Email and SMS communication services (such as Twilio and MailChimp), and backup systems. We may share some of your details with our staff, consultants, resellers, affiliates, and other third-party business partners for research and analysis, cooperation opportunities, joint
promotions, sales, and events.
We use additional processors around the world for various processing activities needed for the performance of the Surfsight solution, our Websites, our other products and services, our operations, and our business, and share information with such processors on a need basis. Such processors include hosting and backup providers (such as Amazon Web Services), analytics providers (such as Google and Heap), website technology (such as WordPress and WordPress plugins), advertising technology (such as Google), telecommunication services, media transmission services (such as Velia.net), security technology, and more. We limit the information we share with each processor based on the business need in using such processor, to protect your information while still effectively benefiting from the services of such processor.
We may also share non-personally identifiable information and aggregate information for any purpose. Such data is not personal data, and its sharing cannot be used to identify you.
We may need to share your information with law enforcement agencies, courts of law, and other governmental organizations, if ordered to do so by competent bodies and according to applicable law.
Mergers and Acquisitions
If we are involved with a merger, asset sale, financing, liquidation, bankruptcy, or the acquisition of all or part of our business to another company, we may share your information with that company and its advisors before and after the transaction date.
How Do We Safeguard Your Personal Data?
We take information security very seriously. We implement industry standard security controls to prevent unauthorized access, maintain data accuracy, and ensure data availability. We also implement appropriate organizational measures to protect your information.
We apply our security controls also when working with business and technology partners. We only select and contract with processors and third parties who use appropriate security measures and provide sufficient guarantees, including technical and organizational measures, to ensure the appropriate protection of the data we entrust with them. Unfortunately, although we make every effort to keep your data safe, we cannot fully ensure or warrant the security of your personal information.
You can take part in securing your personal data. Always lock the vehicle where the Customer’s Device is installed. If you’re a User, prevent unauthorized access to your Surfsight account and personal information by selecting a strong password and protecting your login credentials appropriately. Limit access to your computer and mobile device. If you’re using the Portal, sign off when you finish accessing your account.
Do We Transfer Personal Data Internationally?
Most of our information is stored in the cloud on Amazon Web Services in the U.S. and Europe. Amazon takes extreme measures with respect to privacy and data security. Read more about it here. Our R&D and customer support center are located in Israel.
At the same time, our business is international – we serve Customers that keep sight on their vehicles around the world utilizing the Surfsight solution, and we utilize additional processors and service providers in various countries. Therefore, we transfer, store or otherwise process your personal information in other countries. We take appropriate safeguards in the selection of our processing vendors around the world to require that your personal data is well protected. Despite our efforts, it may be the case that a country where your personal data is processed has different, or less protective, data protection and privacy regulation than the country you live in.
For How Long Do We Keep Personal Data?
Where permissible, we may de-identify or anonymize in lieu of deleting your personal data. In certain occasions we might not be able to fully delete, de-identify or anonymize your personal data due to technical or operational reasons, for example deleting from backup storage and archives. In such cases, we shall take reasonable measures to secure any information still maintained by us according to our standard data security practices.
What Are Your Rights With Respect to Your Personal Data?
If you’re an User or Driver on Surfsight, please approach your employer to exercise any rights you may have, as they are the Data Controllers of your personal data. Otherwise, please contact us (details below).
According to the data protection and privacy regulation where you live, you may have certain rights with respect to your personal information.
If you are a resident of the European Union, your rights may include, under certain terms and conditions set in the EU General Data Protection Regulation (GDPR) or other applicable law:
- Right of Access to your personal data processed by us
- Right to Rectification of inaccurate or incomplete personal data
- Right to Erasure of your personal data (“Right to be Forgotten”)
- Right to Restriction of Processing for a certain period or under certain conditions
- Right to Data Portability of your personal data to another data controller in a structured format
- Right to Object the processing of your personal data. Specifically, you have the right to object further processing of your personal data for direct marketing purposes.
- Right Not To Be Subject to a Decision Based Solely on Automated Decision-Making. We do not make any decisions based solely on automated decision-making, and our Customers commit to us in our EULA or other agreements that they avoid such practice as well.
- Right to File a Complaint with the applicable data protection authority in your country
After deletion or anonymization of your personal data following its retention period, the rights to access, erasure, rectification, and data portability cannot be enforced.
If you are a resident of the state of California:
- You have the right to request disclosure of what personal data we collect, use, disclose and sell;
- You have the right to not receive discriminatory treatment because you exercised any of your privacy rights; and
- You have the right to designate an authorized agent to make requests under the California Consumer Privacy Act; provided however that you must submit written proof of such designation to us and we may require additional verification.
To exercise your rights, please contact us either by email or mail in accordance with the Contact Us section below. Please note that we must verify any requests pursuant to this section to ensure the individual making such request is authorized to exercise such rights. Therefore, you must submit your name and email address, as well as confirm access to such email address, in order for us to process your request. We will comply with the applicable data protection laws and the exercising of your rights under such laws, however please note that such rights specified above are not absolute, and exemptions may be applicable. We try to respond to all legitimate requests within one month and will contact you if we need additional information from you in order to honor your request. Occasionally it may take us longer than a month, taking into account the complexity and number of requests we receive. If your personal data has been submitted to us in connection with our provision of services to a Customer, and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the specific Customer directly. Because we may only respond to a request related to our Customer’s data with such Customer’s permission, if you wish to make your request directly to us, please provide the name of the Customer who submitted your information when contacting us. We will refer your request to that Customer, and will support them as needed in responding to your request within a reasonable timeframe. If you are an employee of a Customer, we recommend you contact your company’s system administrator for assistance in correcting or updating your information.
Notice to California Residents: We have not sold any personal data to third parties for a commercial purpose in the preceding twelve months.
Who Can You Contact Regarding Your Personal Data?
If you’re a User or Driver, please contact your employer first with any issue, as they are the Data Controllers of your personal information. Your organization’s contact details appear on or around the Device, in the Portal, and in any communications processed via the Platform. If you do not know who your Data Controller is, please contact our customer support and we will attempt to determine who the Data Controller is and forward your request.
How to Contact Us?
You can contact us with any question or concern you have at:
Via email: [email protected]
9785 Towne Centre Drive
San Diego, California 92121
General Data Protection Regulation (GDPR) – European Representative
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Lytx has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
– by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
– by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium
UK General Data Protection Regulation (GDPR) – UK Representative
Pursuant to Article 27 of the UK GDPR, Lytx has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
– by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
– by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom