PlusAI

EU Data Protection Notice

Version 1.1 — August 6, 2024

Introduction

Plus AI, Inc. ("Plus," "we," "us," or "our") is committed to protecting the personal data of individuals in the European Union and European Economic Area. This EU Data Protection Notice ("Notice") describes how we collect, use, and share personal data in connection with testing our autonomous driving technology on public roads in Europe. This Notice supplements our general Privacy Policy.

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable member state data protection laws.

Section 1: Data Controller

The data controller for the personal data processing activities described in this Notice is:

Plus AI, Inc.
3003 N. First Street, Suite 200
San Jose, California 95134
United States

For questions or requests regarding this Notice or your personal data, please contact us at privacy@plus.ai.

Section 2: Scope

This Notice covers two categories of personal data that Plus may collect during vehicle testing activities in Europe:

2.1 Vehicle Test Data

When Plus conducts testing of autonomous driving technology on public roads in Europe, our vehicles are equipped with sensors including cameras, LiDAR, and radar that capture data about the vehicle's surroundings. This data may include images, video, and point cloud data that incidentally capture personal data of other road users and bystanders, including:

  • Images of faces of pedestrians, cyclists, and other road users;
  • Images of vehicle license plates;
  • Location data associated with the above.

The legal basis for this processing is our legitimate interest (Article 6(1)(f) GDPR) in developing and testing autonomous driving technology to improve road safety. We have conducted a balancing test and determined that our legitimate interest is not overridden by the interests or fundamental rights of data subjects, taking into account that:

  • The data is collected in public spaces where individuals have a reduced expectation of privacy;
  • We apply technical measures to minimize the impact on individuals, including blurring of faces and license plates in stored data;
  • The data is used solely for the purpose of developing autonomous driving technology and is not used for surveillance or tracking of individuals.

2.2 Driver Monitoring System (DMS) Data

Our test vehicles are equipped with a Driver Monitoring System that uses an in-cabin camera to monitor the attention and alertness of the safety driver during testing. This system collects:

  • Video and images of the safety driver's face and upper body;
  • Eye gaze direction and head pose data;
  • Alertness and attention metrics derived from the above.

The legal basis for this processing is the performance of a contract (Article 6(1)(b) GDPR) with safety drivers who are contractually required to maintain attention during testing, and our legitimate interest (Article 6(1)(f) GDPR) in ensuring the safety of our testing operations and the public.

Section 3: Recipients

3.1 Data Processors

We engage the following categories of data processors who may have access to personal data in connection with our testing activities:

  • Cloud infrastructure providers for data storage and processing;
  • Data annotation and labeling service providers;
  • IT service providers for system maintenance and support.

All data processors are bound by data processing agreements that require them to process personal data only on our instructions and to implement appropriate technical and organizational measures to protect the data.

3.2 Vehicle Partners

We may share limited personal data with our vehicle partners in connection with joint testing and development activities. These partners include:

  • Scania (TRATON GROUP) — for joint testing of autonomous trucking technology on European roads;
  • Iveco — for integration testing and validation of autonomous driving systems;
  • Bosch — for sensor and systems integration and testing.

Where personal data is shared with vehicle partners, this is done on the basis of our legitimate interest in collaborative development of autonomous driving technology, and appropriate data sharing agreements are in place.

3.3 Public Bodies

We may disclose personal data to public authorities, regulatory bodies, or law enforcement agencies where required by applicable law or where necessary to comply with legal obligations, including in connection with obtaining or maintaining permits for autonomous vehicle testing on public roads.

Section 4: Third Country Transfers

As Plus is headquartered in the United States, personal data collected during testing in Europe may be transferred to and processed in the United States. We ensure that any such transfer is carried out in compliance with Chapter V of the GDPR, using one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission;
  • An adequacy decision by the European Commission, where applicable;
  • Other appropriate safeguards as permitted under Article 46 of the GDPR.

We conduct transfer impact assessments as required and implement supplementary measures where necessary to ensure that personal data receives an essentially equivalent level of protection as guaranteed within the EEA.

Section 5: Storage Duration

5.1 Vehicle Test Data

Vehicle test data containing personal data is retained for the period necessary to fulfill the purposes for which it was collected, including for the development, training, and validation of our autonomous driving systems. Raw sensor data containing unblurred personal data (faces and license plates) is processed and anonymized as soon as reasonably practicable. Anonymized data, which no longer constitutes personal data, may be retained indefinitely for research and development purposes.

5.2 DMS Data

Driver Monitoring System data is retained for the duration of the testing engagement and for a period of up to 12 months thereafter for safety analysis and system improvement purposes. After this retention period, DMS data is deleted or anonymized.

Section 6: Individual Rights

Under the GDPR, individuals whose personal data we process have the following rights:

6.1 Right of Access

You have the right to request confirmation as to whether we process your personal data and, if so, to obtain a copy of that data along with information about how we process it.

6.2 Right to Rectification

You have the right to request that we correct any inaccurate personal data we hold about you and to have incomplete personal data completed.

6.3 Right to Erasure

You have the right to request that we erase your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected or where you withdraw your consent (if applicable).

6.4 Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate grounds.

6.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where the processing is based on your consent or a contract and is carried out by automated means.

6.6 Right to Object

You have the right to object to the processing of your personal data where we rely on legitimate interest as our legal basis, on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

6.7 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement if you believe that our processing of your personal data violates the GDPR.

6.8 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at privacy@plus.ai. We will respond to your request within one month of receipt. In certain circumstances, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it. We may ask you to verify your identity before processing your request. Please note that in the context of vehicle test data, it may be difficult to identify specific individuals from sensor data, in which case we may ask you to provide additional information to enable identification.