Impel Achieves SOC 2 Type I Certification. | *Read More*

Data Processing Addendum to Terms and Conditions

Updated September 1, 2022

This Revised Data Processing Addendum (Revised Addendum) is between you as a Client and us, Augmented Reality Concepts, Inc. (d/b/a Impel (f/k/a SpinCar)) (collectively the Parties), and is part of our Terms and Conditions on our website (T&C). This Revised Addendum governs the processing of Personal Data when you use the Products and the Services and when European Laws apply.

SECTION I

Clause 1

Purpose and scope

Clause 2

Invariability

Clause 3

Interpretation

Clause 4

Hierarchy

In the event of a contradiction between the Revised Addendum and the provisions of related agreements between the Parties existing at the time when the Revised Addendum is agreed or entered into thereafter, the Revised Addendum shall prevail. Our processing of personal data is subject to this Revised Addendum, our T&C, our Privacy Notice, and our Cookie Notice.

SECTION II

OBLIGATIONS OF THE PARTIES

Clause 5

Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

Clause 6

Obligations of the Parties

6.1.  Instructions

6.2.  Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

6.3.  Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex II.

6.4.  Security of processing

6.5.  Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

6.6.  Documentation and compliance

6.7.  Use of sub-processors

6.8.  International transfers

Clause 7

Assistance to the controller

Clause 8

Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of the GDPR, where applicable, taking into account the nature of processing and the information available to the processor.

8.1  Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

8.2  Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of the GDPR

SECTION III

FINAL PROVISIONS

Clause 9

Non-compliance and termination

ANNEX I

List of parties

Controller(s): Client

Processor(s): Augmented Reality Concepts, Inc. d/b/a Impel (f/k/a SpinCar)

ANNEX II

Description of the processing

Categories of data subjects whose personal data is processed

Individuals who use the Products and the Services

Categories of personal data processed

The IP address, the type of device or web browser used, and the record of pages viewed, items viewed on those pages, and the amount of time spent viewing them. The IP address may be looked up and the corresponding geographic address may be stored. If in the course of interacting with the Products and Services a customer of a Client chooses to provide personal data in an email or text message, such personal data may be stored. If a customer of a Client chooses to provide personal data to the Client, the Client may combine them with the customer’s IP address, device and pageview information and share them with us.

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

No sensitive data are processed

Nature of the processing

The personal data collected from customers of Clients is used to show those customers images of and information about relevant vehicles and to inform those customers about web pages, vehicles and vehicle features that they have viewed, to respond to customers’ inquiries to a Client, or to inform customers of products and services offered by Client.

Purpose(s) for which the personal data is processed on behalf of the controller

The personal data are processed for the purposes of providing the Products and the Services.

Duration of the processing

In the primary data store on Amazon Web Services, personal data are retained for 180 days.

In the secondary data stores on database backups, log files and reports that were generated using the personal data, the personal data may be retained indefinitely.

For processing by (sub-)processors, also specify subject matter, nature and duration of the processing

A third-party service uses IP address to look up the corresponding geographic address. The duration of this processing is transitory.

Vendors that help manage email communications and support tickets for Clients. The duration of this processing is real-time.

Vendors such as Criteo that display targeted advertising for Clients. The duration of this processing is real-time.

ANNEX III

Technical and organizational measures including technical and organizational measures to ensure the security of the data

Description of the technical and organizational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.

When an employee or contractor no longer has a business need for the access privileges assigned to him or her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee or contractor of data importer.

For transfers to (sub-)processors, also describe the specific technical and organizational measures to be taken by the (sub-)processor to be able to provide assistance to the controller

Impel investigates each sub-processor’s data privacy and information security practices, taking into account certifications such as SOC 2 or ISO 27001, published agreements such as a Data Processing Addendum, and/or contractual terms agreed upon between Impel and the sub-processor.

Description of the specific technical and organizational measures to be taken by the processor to be able to provide assistance to the controller.

Policies and procedures are in place which require processor to provide assistance to the controller as required by the Revised Addendum and the GDPR.

ANNEX IV

List of sub-processors

The name, address, contact person’s name, position and contact details, and description of the processing (including a clear delimitation of responsibilities) for each sub-processor can be found at https://impel.io/subprocessors/.