Privacy Statement

smart Europe GmbH Privacy Statement

We are well aware of the importance of personal information to you and will do our best to protect your personal information safe and secure. This page outlines our Privacy Statement and explains, in a concise, clear and easy-to-understand manner, how smart Europe handles your personal information. Please see below for the full content of the smart Europe Personal Information Privacy Statement.

I. General Information

The party responsible within the meaning of the General Data Protection Regulation (GDPR) is:

smart Europe GmbH

Esslinger Str. 7, 70771 Leinfelden-Echterdingen, Germany

E-Mail: eu.corporateoffice@smart.com

Data protection officer:

smart Europe GmbH

Data Protection Officer

Esslinger Str. 7, 70771 Leinfelden-Echterdingen, Germany

E-Mail: eu.dataprotection@smart.com

Scope of this Privacy Statement

This Privacy Statement applies to our website and social media accounts, the Hello smart App, the Internet of Vehicle (IoV) services and other services offered by smart Europe.

Specific products and services may be subject to separate privacy statements.

What information do we collect from you and your vehicle and for what purpose do we process it?

We may collect the following types of information, which may be related to you or your use of our products and services, in accordance with the principles of legality, righteousness and minimum necessity:

• Identification data, e.g. name, address, phone number, e-mail etc.

• Technical Data, e.g. VIN number, model, maintenance history, usage statistics, etc.

• Driving analysis data, e.g. position, speed, car mode, warnings, status codes, battery status, search history etc.

• Contract data, e.g. purchase information, service information, smartID, preferences etc,

• Other data, e.g. credit information, bank details, appointment booking history etc.

Some of our functions need to invoke your device permission. We will use the system pop-up window or application pop-up window to ask you for authorization. You can always select to switch the relevant permissions at any time in the settings function of your device.

We process your data for the purposes explained in this Privacy Statement, in particular:

We use the collected personal data when you visit our web applications to operate them as conveniently as possible for you and to protect our IT systems from attacks and other illegal activities.

We use professional or employment related information when you apply for a job in our job portal to receive and process job applications.

For the execution of a contract as well as for customer administration reasons and – if necessary – for the execution and settlement of any business transactions, we use the data in each case only to the extent necessary for this purpose.

For other purposes (e.g. display of personalized content or advertisements based on your usage behavior), we and, if applicable, selected third parties will use your data.

For training purposes (e.g. registration for face-to-face training or live online training), your data will be used by us and, if applicable, by selected third parties.

In addition, we use personal data insofar as we are legally obligated to do so:

• We use technical and driving analysis data to optimize the vehicle functions, provide roadside assistance, inform you about necessary maintenance and to provide security services.

• When you buy products or digital services or use after-sales services.

• We use your data, if you book a test drive or a workshop appointment with a smart sales partner near you via our website.

How do we share your personal information?

We will share your data if it is necessary within the “smart Ecosystem”, our Financial Service Partner (Deutsche Bank AG, Taunusanlage 12, 60325 Frankfurt am Main, Germany) and our Leasing Service Partner (ALD Automotive Group, 1-3 rue Eugène et Armand Peugeot, CS 90111, 92508 Rueil-Malmaison Cedex, France.)

We will only share your personal information for the necessary purpose and scope e.g. if you purchase products or digital services or use after-sales services, it may be necessary for your customer data to be exchanged between the respective companies involved in the smart Ecosystem.

The “smart Ecosystem” includes the smart Europe GmbH, the local smart branches (entities), the smart Agents and smart Authorised Service Partners and other partners involved in the smart daily business.

smart branches (entities) are:

smart Europe GmbH, Esslinger Str. 7, 70771 Leinfelden-Echterdingen, Deutschland

smart Austria Automotive GmbH, Am Belvedere 10, 1100 Wien, Österreich

smart Schweiz GmbH, Richtistrasse 2-6, 8304 Wallisellen, Schweiz

smart Belgium Srl, Avenue du Péage 68, 1200 Woluwe-Saint-Lambert, België

smart Automobile France SAS, 7 avenue Niépce, 78180 Montigny-le-Bretonneux, France

smart Italia S.r.l., Via di Quarto Peperino, 2200188 Roma, Italia

smart Nederland B.V., Ravenswade 4, 3439 LD Nieuwegein, Nederland

smart Portugal Unipessoal Lda., Rua Gottlieb Wilhelm Daimler, 2710-037 Sintra, Portugal

smart España A.E., S.L., avenida de Bruselas 30, Alcobendas, Madrid 28108, España

smart UK Automotive Ltd., The Pinnacle, Midsummer Boulevard, Milton Keynes, MK9 1BP, United Kingdom

Mercedes-Benz AG, Mercedesstraße 120, 70372 Stuttgart, Deutschland

smart Agents and smart Authorised Service Partners, and other partners:

Your data will not be automatically shared with smart Agents and smart Authorised Service Partners. An exchange of data only takes place if this is necessary for the fulfilment of a contract with you, if the exchange serves a legitimate interest or you have given your express consent, e.g. in case of a Test drive, on-site appointment for vehicle service, repair or consultation, telephone advice, vehicle handover or trade-in.

In case we share your data based on a consent, an overview of the smart Agents and smart Authorised Service Partners for whom your consent applies can be found at any time in the Self Care Portal of your smart Account. There you also have the possibility to revoke your consent.

Data transfer to third countries

We may transfer your data to recipients in a third country outside the European Union. We only do so if an adequate level of data protection is ensured by an adequacy decision of the European Commission or other appropriate safeguards.

All transfer of data including transfer of data within the EU will be encrypted.

How long do we store your personal information?

We will store your personal data as long as is necessary for the purposes specified in this Privacy Statement, in particular for the fulfilment of our contractual and legal obligations. We may also store your personal data for other purposes if or as long as the law allows us to store it for particular purposes.

If you choose to cancel your account, we will delete all the data we have stored regarding you. If it is not possible or necessary to completely delete your data for legal reasons, the relevant data will be blocked for further processing. For example, we are legally obliged to retain order and payment data in connection with a purchase for tax audits and financial audits for up to ten years. Before we can finally delete this data.

What are the legal bases for data processing?

We only process your personal data if there is a legal basis for the processing. We rely on the following legal grounds for data processing in most cases:

• Legal basis for the processing of personal data on the basis of your consent is Article 6 (1) lit. a GDPR.

• Legal basis for the processing of personal data which is necessary for the conclusion or performance of a contract entered in your interest is Article 6 (1) lit. b GDPR. This also applies to pre-contractual processes.

• Legal basis for the processing of personal data which is required to fulfil a legal obligation concerning smart is Article 6 (1) lit. c GDPR.

• Legal basis for the processing of personal data which is necessary in order to realize a legitimate interest by smart, except where such considerations are overridden by the need to protect your interests or fundamental rights, is Article 6 (1) lit. f GDPR.

What are your rights as a data subject?

As a data subject, you have the right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), data erasure/deletion (Art. 17 GDPR), restriction of processing (Art. 18 GDPR) and data portability (Art. 20 GDPR). More details and how you can raise your rights is described in the end of this Statement under “HOW DO YOU EXERCISE YOUR DATA SUBJECT RIGHTS”.

How to contact us?

You can easily contact us by calling our customer service number

AT +43 1 2536442

BE +32 2 5889656

FR +33 1 84883613

DE +49 711 5507 7020

IT +39 06 94503682

NL +31 30 8081521

PT +351 210 201 582

ES +34 91 9491521

CH +41 43 5081946

or sending an email to:

hallo@support.smart.com (German)

hello@support.smart.com (English)

ciao@support.smart.com (Italian)

bonjour@support.smart.com (French)

hola@support.smart.com (Spanish)

hoi@support.smart.com (Dutch)

ola@support.smart.com (Portuguese)

You can contact our privacy team by sending an email to – eu.dataprotection@smart.com.

smart Europe GmbH

Esslinger Str. 7, 70771 Leinfelden-Echterdingen, Germany

II. HOW WE COLLECT AND USE PERSONAL DATA

1. WHEN YOU USE OUR WEBSITE

Server-Log-Files

Whenever you visit our websites, we automatically collect and store information in so-called server log files, which your browser automatically transmits to us. These are:

• IP address (Internet protocol address) of the terminal device from which the online offer is accessed;

• Internet address of the website from which the online offer was accessed (so-called origin or referrer URL);

• Name of the service provider through whom the online offer is accessed;

• Name of the files or information accessed;

• Date and time as well as duration of the retrieval;

• Amount of data transferred;

• Device (PC, mobile, other), operating system and information on the Internet browser used, including installed add-ons (e.g. for the Flash Player);

• http status code (eg "request successful" or "requested file not found").

The above data is stored in the log files without your full IP address, so that no conclusions can be drawn about your IP address.

This data is not merged with other data sources.

The collection of this data is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the technically error-free presentation and optimization of our website. For this purpose, the server log files must be collected.

1.1. Cookies

Cookies may be used when visiting our web applications. Technically, these are so-called HTML cookies and similar software tools such as web/DOM storage or local shared objects (so-called "flash cookies"), which we refer to collectively as cookies.

• Cookies are small files that are stored on your desktop, notebook or mobile device while you visit a website. Cookies make it possible, for example, to determine whether there has already been a connection between the device and the websites; take into account your preferred language or other settings, offer you certain functions (e.g. online shop, vehicle configurator) or recognize your usage-based interests. Cookies may also contain personal data.

• Whether and which cookies are used when you visit our websites depends on which areas and functions of our websites you use and whether you agree to the use of cookies that are not technically required in our Consent Management System.

• The use of cookies also depends on the settings of the web browser you are using (e.g., Microsoft Edge, Google Chrome, Apple Safari, Mozilla Firefox). Most web browsers are preset to automatically accept certain types of cookies; however, you can usually change this setting. You can delete stored cookies at any time. Web/DOM storage and local shared objects can be deleted separately. You can find out how this works in the browser or device you are using in the manual of the respective manufacturer.

• The consent to, and rejection or deletion of, cookies are tied to the device and also to the respective web browser you use. If you use multiple devices or web browsers, you can make decisions or settings differently.

• If you decide against the use of cookies or delete them, you may not have access to all functions of our websites or individual functions may be limited.

1.1.1. We use the following types of cookies:

a. Essential Cookies

These cookies are absolutely necessary for the functionality of our website and the provision of our services. Legal basis for their use is contract fulfillment, if cookies are used to enable the ordering process, or our legitimate interest in the provision of our website and services.

b. Functional Cookies

With these cookies we are able to provide advanced functionality and personalization. They can be set by us or by third parties whose services we use on our website. Legal basis for the use of functional cookies is your consent.

c. Performance Cookies

We use these cookies with your prior consent to analyze and improve the use of our website and services.

d. Marketing Cookies

Marketing cookies are used by our advertising partners to serve advertisements based on your interests and usage behavior. They do not directly store personal data, but are based on a unique identification of your browser and internet device. We will only use such cookies with your prior consent.

For more information about our used Cookies please read section “Cookie-Settings”. There you can change your cookie settings at any time.

2. WHEN YOU USE OUR SOCIAL MEDIA CHANNELS

You can use social media channels and messaging services as a user to react, reply, comment on social media posts shared by smart Europe. In addition, you can as well tag or mention smart Europe accounts on different social media channels and messaging services. Lastly, you can use social media channels and messaging services to reach out to smart Europe.

The operators of the respective social networks may collect information on your usage behaviour via cookies and similar technologies. When you use social networks, the nature, scope and purposes of data processing are determined primarily by the social network operators.

Details of the processing activities on the platforms you can find under following links:

Facebook(Meta)

TikTok

LinkedIn

Twitter

Pinterest

3. WHEN YOU SIGN UP FOR AN ACCOUNT

When you register as a user via our web services we will create a user account using your e-mail address as the identifier (smart ID) which will be your identifier within the smart Ecosystem. Your created smart ID is the basis for your connected customer experience and enables you to: save your individual vehicle via our online customizer, book a test drive, buy the vehicle or digital services, connect to the vehicle, purchase aftersales packages, manage workshop services and use other services offered by smart.

3.1. Private person registration:

You can sign up for an account via the id.smart.com website or via the Dashboard in the outlet of your smart Agent. We distinguish between two levels of registration.

The soft registration is only used for the purpose of obtaining information, e.g. for the logging of your customized car via our online customizer, which supports you online in the configuration of your desired model. The following data is collected from you: Title, First Name, Last Name, Email.

The full registration is required for all other purposes, e.g. for the booking of a test drive or for the purchase of the vehicle. Following data is collected additionally to the data collection of the soft registration: Date of Birth, Street, City, State, Postal Code, Country and in some countries ID type and ID number.

3.2. Business registration:

Via the sed.smart.com website, the account is created for business customers including our smart Agent network in order to get registered to access the systems to get access to the necessary customer information. For business customers and our smart Agent network, we distinguish between two levels of registration. The initial registration is for the User to get the smart ID (email address), post which they will receive the email for the verification. After verification, the user can continue with the Registration process to link themselves with the respective workshop. The following data is collected from you: Title, First Name, Middle Name, Last Name, Email, VAT number, company name, fiscal code.

The legal basis for the processing of your data is legitimate interest and contract fulfillment.

4. WHEN YOU BOOK A TEST DRIVE OR APPOINTMENT

When you book a test drive we will collect your name, email address, date of birth, address and phone number and drivers license to ensure that you are legally qualified to drive the vehicle.

We use this data for:

• The execution of your appointments, e.g., test drive, incl. creation of contracts.

• Forwarding your appointment details and requests to the dedicated contact within the smart Ecosystem.

• Contacting you for appointment management.

The legal basis for the processing of your data is contract fulfilment.

With your prior consent, we may also use this data to contact you for customer satisfaction consultations, for targeted consulting based on previous activities or for marketing purposes.

5. WHEN YOU PURCHASE A VEHICLE OR OTHER PRODUCTS OR SERVICES

To provide you with vehicle services, we will collect your name, mobile phone number, e-mail address, vehicle type, VIN, vehicle configuration model, registration city and sales service area information. We will share your VIN number with our third party provider for activating your digital services, read more under section III. 1. Authentication and registration of vehicle SIM card.

When you purchase a product or a service and you choose to pay cash we will collect your billing address and register your preferred payment method (e.g. Credit /Debit). If you choose a financed payment and want smart to facilitate the financing smart will collect your billing address, your name and ID and forward this to Deutsche Bank which is our preferred financing partner.

If you choose to lease the vehicle smart will collect your billing address, your name and ID and forward this to our Leasing-Partner ALD.

As part of the purchase your identity may need to be verified. For this reason we use a third party provider Onfido Limited, 3 Finsbury Avenue, EC2M 2PA London , and we will redirect you to the website of our partner.

The legal basis for the processing of your data is contract fulfilment.

6. WHEN YOU PURCHASE THIRD PARTY PRODUCTS (WALLBOX)

As part of the checkout of your order we also offer our smart charge@home services for home charging, consisting of the option to purchase wallbox hardware, a pedestal and an installation service. Adjusted to reflect full portfolio. For this purpose we have a third party provider ABB E-Mobility B.V. Heertjeslaan 6, 2629JG - Delft/NL. In case you purchase a smart charge @home wallbox and for the installation we will forward your data to ABB. We will forward the following data: name, address, contact details, preferred installation date.

7. WHEN YOU USE THE HELLO SMART APP

With the Hello smart App you are able to connect to your vehicle and to access vehicle remote functions and other services via your smartphone. To provide the App, we process your personal data according to the respective description of the functions or services you use. This data processing is necessary to provide the functions of the App according to your use (Art. 6 para. 1 lit. b) GDPR), unless otherwise stated for individual functions or services in this privacy statement.

7.1 App login

To log into the App, you need a smart account (for account registration, see section 3). If you do not have a smart account yet, you sign up via the app. In this case, you will automatically be forwarded to our website to get registered for a smart account. We collect your fist name, last name and your e-mail address as well as your country code. With this data we generate your personal smart ID which is linked to an individual unique ID (UUID) at smart. After generating the smart account you can log into the Hello smart App. You can also delete your account via the Hello smart App. Please read more under the section IX. Cancellation of your account.

When you log into the App, you will also be asked for permission to activate certain cookies and similar technologies, such as SDK’s, for purposes like improve your user experience, to analyze the use of our services and to support our marketing activities (please refer to section 1.1. for further information on how we use cookies). The consent is voluntary. You can change your privacy preference settings at any time.

7.2 App permissions

When you open the app for the first time, you will be asked for your consent to enable certain features or access certain information. Your consent is voluntary and can be revoked at any time via the settings of your end device. If you do not activate individual functions, certain services of the App may not be available.

7.2.1 Camera The use of certain functions (e.g. vehicle activation and login via QR-code) requires the app to be able to access your camera. The camera function can only be used if you have activated this function in the app. You can subsequently activate or deactivate this function in your device settings at any time. When this function is activated, we process the personal data that you record with the camera when using the respective app functions. This data processing is based on your express consent (Art. 6 para 1. Lit. a) GDPR). If you revoke your consent, the app will not access your camera. Please note that without access to your camera, some functions are not available.

7.2.2 Location The use of certain functions (e.g. public charging with smart charge@street) requires the app to be able to access your location and geographical data. Your location will only be processed if you have activated this function in the app. You can subsequently activate or deactivate this function in your device settings at any time. This data processing is based on your express consent (Art. 6 para 1. Lit. a) GDPR). If you revoke your consent, the app will not access your location. Please note that without access to your location, some functions are not available.

7.2.3 Push Notifications When you open the app for the first time, you will be asked for your consent to receive push notifications. Push notifications may include alerts, sounds and icons. With push notifications, we can inform you about certain functions or services when the App is running in the background (e.g. in the case of charging the vehicle). You can activate and deactivate push notifications at any time in your device settings. If you have activated push notifications, we store a push token of your end device in order to be able to send you push notifications. For the sending of push notifications we use Google Firebase, a service of Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland. Access to the information by Google LLC in the United States cannot be excluded. Please note that the level of data protection in the United States is considered inadequate according to European standards. This data processing is based on your express consent (Art. 6 para 1. Lit. a) GDPR). If you revoke your consent, we will delete the push token and you will not receive any further push notifications.

7.3 Vehicle Pairing

In order to activate certain digital services and control the vehicle via the app, it is necessary to pair the vehicle with your smart account via the App. To pair the App with your vehicle, you will be asked to scan the vehicle pairing QR code shown on the Digital Head Unit (DHU) of the vehicle. For pairing, the VIN, email address and UUID will be exchanged. The App collects your first name, last name and your birthdate which you shared within the registration process. Your vehicle will automatically be recognized by the VIN and UUID number.

For pairing and activation of the digital services, we use a third party provider for Telematic Service.

You can use the Unpairing function to remove the vehicle from your App. In this case you will not be able to use the remote control functions of the App anymore. The collected data will be deleted.

• Google Firebase Remote Function: Google firebase remote function is used to store URLs, configurations of the APP. During the initialization of the APP, we collect this information.

• Google Firebase Crashlytics: Crash reports are sent to Google Firebase for error reporting and understanding why the app crashed.

• Maps & Location: Here Maps is the official provider of the maps in the app. The Maps are used to display the current location of the vehicle. It is also used to display Public sharing POIs.

• Localize: Localize is a third party service we use to integrate in the app which provides over the air translation to the app.

• Talk to smart Chatbot: User can chat with smart CEC agent. Currently we only open a web view which opens a chatbot.

• Talk to smart contact: Talk to smart sections have phone number information about different markets, social media channel and one tap chat open with Apple Business iMessage and WhatsApp

7.4 Digital Key and App Key-Sharing

You can create a digital key which you can use to open, close and start the vehicle and share it with other users. In order to create a digital key, it is necessary that you have activated a Bluetooth connection. To create the key, we process the vehicle identification number (VIN), vehicle location and basic vehicle information (vehicle series code and model code), your user name and user ID as well as the calibration values. When you use the digital key, we also process information about the door status, lock status, usage mode and engine status.

When you share the digital key, we process additional information to enable the key sharing and to verify the recipient's authorization (including the e-mail address, app id, share id, user id, user type, phone model and operating system as well as the time and duration of the sharing).

To provide the digital key services, we use a third party provider for Telematic Service.

7.5 Public Charging

We offer our smart charge@street public charging services for your vehicle in cooperation with Digital Charging Solutions GmbH, Rosenstraße 18-19, 10179 Berlin (“DCS”). The charging services are provided by DCS. The user can access the smart charge@street website operated by DCS via the Hello smart App to conclude a contract for charging services or to manage his existing contract. DCS is the data controller and responsible for the data processing in this regard.

Via the app, users can display nearby charging points, provided they have permitted access to their location. In addition, users can view the availability, available cable type and price. The user may use third-party map services (by Google Ireland or by Apple Inc.) to navigate to a Charging Point. For this purpose, Google Maps or Apple Maps need access to your location. Please note that Google Ireland Limited processes your location data within the Google Maps service and Apple Inc. within the Apple Maps service under their own responsibility and that we are not responsible for this data processing. Please see https://policies.google.com/privacy?hl=en for more information on how Google Maps processes personal data within the Map services and https://www.apple.com/legal/internet-services/maps/terms-en.html for more information on how Apple Maps processes personal data within the Map services.

7.6 Wallbox

If you purchased a smart charge@home wallbox via our partner ABB E-Mobility B.V., Heertjeslaan 6, 2629JG – Delft, Netherlands (“ABB”) with a connectivity function, you can pair your wallbox with the vehicle via Bluetooth in the app . Successful pairing will allow you to use the Bluetooth Plug & Charge functionality. To establish this connection, we need to process the VIN of your vehicle.

III. WHEN YOU USE VEHICLE-BASED DIGITAL SERVICES

Depending on your vehicle model and the functions and services you actually choose, we collect and use your relevant personal information to provide you with more diversified vehicle-based Digital Services. All collected information is generally stored and processed within EU with the exception of technical data required for Vehicle Performance Analysis and Error identification, which can be transferred outside EU for third level support. No personal identifiable information will be shared outside EU.

Please Note: In the process of providing the following vehicle-based Digital Services, we may collect your vehicle information, such as: vehicle charging information, parking brake status, cruising range, alarm status, maintenance status, seat belt status, collision status, vehicle travel time, energy consumption. Please note that the vehicle information alone cannot identify you and does not belong to your personal information. We will treat your vehicle information as your personal information only when it is used in combination with your other information and can identify you. We will process and protect your vehicle information in accordance with this Privacy Statement. The hardware, software of the network system and the data in the system are protected from damage, alteration or leakage due to accidental or malicious reasons, and the system operates continuously and reliably and normally, and the network service is not interrupted.

Some of the following functions and services in the use of the vehicle are provided to you by smart and the third-party service providers that smart connects you to. Except as expressly stated otherwise in this Clause and the applicable user clauses, this Clause does not apply to third-party service providers who independently provide products or services to you. We recommend that you carefully read the privacy clauses or personal information processing rules of third-party service providers before using these services to understand how they will process and protect your personal information, and how you can exercise your relevant rights.

You can activate and deactivate individual services and functions in the privacy settings of your vehicle's DHU. You can also control certain services and functions via the Hello smart App. For more information, you can also consult the User Manual, which you can access in your vehicle.

1. Authentication and registration of vehicle SIM card

The vehicle-based Digital Services provided by smart or third parties require a mobile network connection.

When you activate and use the vehicle-based Digital Services, your data will be forwarded to our service provider VODAFONE ENTERPRISE GERMANY GMBH, Ferdinand-Braun-Platz 1 40549 Düsseldorf who collects your name, address, VIN and engine number on behalf of smart to be able to provide you with our SIM Service, Connectivity Service as well as our E-Call Service. Legal basis for the processing of your data is contract fulfillment.

If your vehicle is equipped with a wireless network connection, data can be exchanged between the vehicle and other equipment. The wireless network connection can be enabled through the transmission and reception unit of the vehicle or by connecting a mobile terminal equipment, such as a smart phone.

2. Vehicle Remote Functions

With the Hello smart App you are able to access and control certain vehicle functions remotely via your smartphone.

You have the Following Remote functions via the Hello smart App:

• You can lock and unlock the door & boot of your vehicle remotely. Collected data: Vehicle identification number (VIN), vehicle information: door status, door lock status, usage mode and car mode;

• You can use the App to find the vehicle by flashing light or sounding the horn. Collected data: Vehicle identification number (VIN), Vehicle information: vehicle speed, car location, vehicle direction, usage mode and car mode;

• You can use climate control to manage the temperature in the vehicle, including seat heating and steering wheel heating. Collected data: Vehicle identification number (VIN), climate status: seat heating status, seat ventilation status, in-vehicle setting temperature, high voltage status, usage mode and car mode;

• You can remotely start and stop charging the vehicle battery. Collected data: Vehicle identification number (VIN), state of charge, charge remaining time, high voltage status, charging current, charging voltage, charging start time, usage mode and car mode

• You can access and display status information of the vehicle via the app remotely. Collected data: Vehicle identification number (VIN), Vehicle status data (such as mileage, battery voltage, door and flap status/position/lock status, the window status/ warning/ position/, vehicle alarm status, sunroof open status, engine status, key status)

Legal basis for the data processing is contract fulfillment according to Art. 6 para. 1 lit. b) GDPR. To provide Vehicle Remote Functions, we use a third party provider for Telematic Service as a contract data processor.

Digital Services via the Digital Head Unit (DHU)

2.1. Online Navigation

With this function we enable Route calculation, Map updates, showing charging stations, Parking places and Online traffic information. You can only use the navigation map related functions if you activate this function in the privacy settings on the DHU.

Collected data: Favorites (including name, address, latitude and longitude, phone, etc.), destination name, latitude and longitude, point-of-interest (“POI”) address, POI phone , record of consent

Legal basis for the data processing is contract fulfillment according to Art. 6 para. 1 lit. b) GDPR. To provide Online navigation services, we use a third party provider for Telematic Service as a contract data processor.

2.2. App Store

You can download, upgrade or delete third party applications via the App Store. The App Store is provided by our third-party service provider Faurecia Clarion Electronics Europe, R. Soeiro Pereira Gomes Lote 1 3-Dto, 1600-196 Lisboa. The respective app providers are responsible for data processing in connection with the installation and use of the apps.

Data collected for the provision of the App Store: User ID, application download record

Legal basis for the data processing is contract fulfillment according to Art. 6 para. 1 lit. b) GDPR.

2.3. Voice Control

You can use voice control to activate vehicle functions through the voice assistant. You only need to say your command, and the system will help you complete the operation. Tap Voice Access to turn on/off the voice access function. After this function is turned on, native applications such as multimedia/navigation/voice assistant can be operated by voice command in the voice wake-up state. Tap Scene Wake-up-free to turn on/off the scene wake-up-free function. After this function is turned on, some functions such as multimedia/navigation can be operated by voice command without voice wake-up. Users can create and collect their own voice assistants according to their own preferences, and can also customize the wake-up words, such as Hello, smart.

Collected data: Voice input, Device ID, longitude and latitude, coordinates, phone book contact information

To provide voice control functions, we use a third party cloud provider (Cerence B.V., CBS-weg 11, 6412 EX Heerlen, The Netherlands) as a contract data processor.

2.4. User Profile

You can create your individual user profile and store your preferred settings such as body setting, ambient lights, air conditioning, keyless unlock, including ergonomic settings (seats, mirrors, head-up screen). Your profile is connected with your smart ID. When you log into the vehicle, your profile settings as well as further information you have provided in your smart account (e.g. a profile picture, your name, date of birth) will be loaded.

Collected data: Vehicle identification number (VIN), user ID, profile picture, user nickname, account type, birthday, ergonomic settings (e.g. seat adjustment) and personalized settings (e.g. ambient lights).

To provide the personalized profile functions, we use a third party provider for Telematic Service as a contract data processor.

2.5. Weather

If you activate the weather function, this interface shows you the weather information based on your location and region.

Collected data: Vehicle information number (VIN), Latitude and longitude, operator, model, device ID,

Legal basis for the data processing is contract fulfillment according to Art. 6 para. 1 lit. b) GDPR. To provide you with location based weather information, we use a third party provider for Telematic Service as a contract data processor.

2.6. Energy Management

The energy management function allows the user to set charging schedules and to select the time at which the vehicle's battery will be charged at a charging location. In addition, the user can choose whether the vehicle should be air-conditioned and the battery warmed up at the desired departure time.

Collected data: Travel time, charging time, air conditioning preheating, battery pretemperature, user ID, energy consumption, electricity consumption.

Legal basis for the data processing is contract fulfillment according to Art. 6 para. 1 lit. b) GDPR. To provide you with energy management services, we use a third party provider for Telematic Service as a contract data processor.

2.7. Online Music

Using the Online music function allows you to display the QR code of third-party application multimedia services (including Spotify, TuneIn). You scan the QR code to log in or you enter the username and password in the third-party multimedia service interface. It connects you to the third-party application multimedia service installed on the vehicle. You can activate or deactivate the online music function via the privacy settings. The respective providers are responsible for the processing of data in connection with the use of third party multimedia services.

Collected data: Record of consent or disapproval; information on the music collection (last song played, picture, Media ID, search records) will only be stored locally.

Legal basis for the data processing is contract fulfillment according to Art. 6 para. 1 lit. b) GDPR. To provide you with the online music function, we use a third party provider for Telematic Service as a contract data processor.

2.8. 112 E-Call

The "EU Emergency Call" is an emergency assistance system regulated by the European Union and required by law. When you are in an emergency situation while driving, including but not limited to physical discomfort, encountering a safety threat, a safety accident, or an emergency response of the vehicle (such as airbag deployment), and you manually use/activate the function or the function is automatically triggered (such as when a vehicle airbag deploys), the E-Call system transfers data to the emergency call center of the emergency call system. An "EU emergency call" is made uniformly via the European emergency number 112.

Collected data: Emergency call trigger mode (automatic/manual), call trigger time, TCAM SIM number (vehicle built-in SIM number), vehicle information number (VIN), Vehicle type (passenger car or light-duty commercial vehicle), Vehicle energy/power type (gasoline/ diesel/CNG/LPG/electricity/hydrogen), Vehicle location, Driving direction, Vehicle speed, Number of persons in the vehicle, Battery status, Door status, Vehicle collision status (collision location, collision type, collision acceleration, airbag status, anti-theft system status, etc.).

The recipients of the data processed by the in-vehicle E-Call system are the relevant public safety answering points designated by the relevant public safety authorities in their country (such as local police, hospitals, rescue agencies and your emergency contact for emergency rescue services) to first receive and process emergency calls to the European emergency number 112.

The data contained in the system memory is not available outside the system before the in-vehicle system is triggered. The in-vehicle E-Call system is untraceable and is not subject to any continuous tracking under normal operating conditions. The data in the internal memory of the in vehicle E-Call system can be automatically and continuously deleted. The vehicle position data is continuously overwritten in the system's internal memory in order to always maintain the latest vehicle location data required for the normal operation of the system. Activity data logs in the in-vehicle E-Call system are kept no longer than the time required to process an emergency call.

Legal basis for the data processing is our legal obligation according to Art. 6 para. 1 lit. c) GDPR.

2.9. Private E-Call

Instead of the 112 e-call, you can activate a Private E-call in the DHU settings. If you have selected the Private E-Call, the emergency call as well as the relevant data is not directed to the public safety answering points, but to a private provider (ARC Europe SA, Av. des Olympiades 2, 1140 Evere, Belgium).

Collected data: Vehicle information number (VIN), number of passengers, vehicle type, vehicle direction, car location, vehicle speed, usage mode and car mode. The provider of the Private E-Call may also collect additional information in order to provide you with further services.

Legal basis for the data processing is contract fulfillment according to Art. 6 para. 1 lit. b) GDPR. To provide you with the Private E-Call function, we use a third party provider for Telematic Service as a contract data processor.

2.10. Roadside Assistance (B-Call)

The B-Call allows the user to contact a private roadside assistance provider in the event of a breakdown. Roadside assistance are provided by ARC Europe SA, Av. des Olympiades 2, 1140 Evere, Belgium (“ARC”). If the user triggers the B-Call, all relevant data about the vehicle's condition as well as the vehicle location are transmitted to ARC and a voice connection is established.

Collected data: Vehicle information number (VIN), vehicle location, license plate number, mobile phone number, mobile phone location, emergency contact name, emergency contact phone number, fault information (including fault code and fault light information). The provider of the B-Call may also collect additional information in order to provide you with further services.

Legal basis for the data processing is contract fulfillment according to Art. 6 para. 1 lit. b) GDPR. To provide you with the B-Call function, we use a third party provider for Telematic Service as a contract data processor.

2.11. Real time remote safety monitoring

smart vehicles are equipped with a real time remote safety monitoring system, which is used to collect and save various system data of the vehicle to facilitate vehicle maintenance/failure analysis.

Collected data: position and motion data (such as time, position, speed, direction ), Vehicle maintenance data (due date of next service), Environment information (temperature, air pollution), e-motor, high voltage battery and alarm information, door and flap status/position/lock status and other functions.

To provide you with real time remote safety monitoring, we use a third party provider for Telematic Service as a contract data processor.

2.12. "Over-the-Air"-Software Updates (OTA)

The vehicle software (infotainment system, ECU firmware) can be updated via “over-the-air”-updates in order to obtain new functions, to provide system updates or to correct bugs and errors.

Collected data: Vehicle identification number (VIN), vehicle hardware and software version, software package, vehicle and software configuration information, operating system, date and time of software upgrade

Legal basis for the data processing is contract fulfillment according to Art. 6 para. 1 lit. b) GDPR. To provide you with OTA-Updates, we use a third party provider for Telematic Service as a contract data processor.

For customer support: In the unlikely event that OTA installation is aborted, the B-CALL can be triggered, Location and movement data (possible): Geo data, Vehicle status: before/after upgrade failure.

For continuous improvement of the OTA service: Vehicle configuration, Software configuration, e.g. release notes, date of publishment

In the unlikely event of an aborted the OTA where a roadside assistance is initiated, the following data is shared with the third-party support service: Vehicle Identification Number (VIN), Location and movement data: Geo data

2.13. Anti-theft system

The anti-theft system prevents others from illegally starting your vehicle. If the antitheft system is enabled, the vehicle status will be continuously monitored. The alarm will be triggered when the door/liftgate is not opened legally. If the remote anti-theft system is activated, a message that the vehicle cannot be started will pop up on the driver information display.

Collected data: Vehicle information, such as door open status, door lock status, windows open status, and trunk open status

The vehicle is also equipped with a tracking system, which can track and locate the vehicle and remotely activate the antitheft system to prevent the vehicle from being started.

Collected data: Vehicle information number (VIN), event time, contact name, contact phone number, vehicle location before and after the event, vehicle information (model, color, language setting) for activating the stolen vehicle location service. When you activate the stolen vehicle location service, the vehicle will continuously upload the above information to our call center to provide the police or the user with vehicle location information to help locate the vehicle.

Legal basis for the data processing is contract fulfillment according to Art. 6 para. 1 lit. b) GDPR. To provide you Anti-theft services, we use a third party provider for Telematic Service as a contract data processor.

IV. WHEN YOU CONTACT US

When you contact us via the contact form provided on our website, via e-mail, phone or direct message, using the chat and voice function provided on our website, the personal data transmitted with your request (i.e. your contact details and the information you provide) will be stored. We only use this data for processing your request.

Legal basis for such data processing is our legitimate interest to process your request according to Art. 6 (1) lit. f GDPR or Art. 6 (1) lit. b GDPR, if the request is directed to the conclusion or performance of a contract. The data will be deleted when the purpose of the processing no longer applies, e.g. your request has been answered conclusively.

V. CUSTOMER CARE AND AFTER SALES SERVICES

When you contact our customer service online, we will offer you automated chat and voice functions which will not process personal data unless you choose the option to continue a live chat with an agent. After 90 days your conversation with the chat and voice functions will be deleted.

To provide you with customer service including verification purposes as well as trouble shooting and issue resolution in accordance with customer care and aftersales processes. It is possible third party service providers (customer engagement center, retailer engagement center and smart Authorised Service Partners) will also be share this data to further assist the customer, we will also use this data for daily operation business including but not limited to repair and maintenance, we will collect your name, mobile phone number, vehicle information number (VIN), license plate number, model, address, city, and authorized service provider/repair site information.

Legal basis for the processing of your data is contract fulfillment.

VI. FOR PERSONALIZED PRODUCTS AND SERVICES AND MARKETING

The data we have collected can be used for marketing purposes by the smart Ecosystem based on your consent.

• What marketing purposes does our smart Ecosystem have?

  We would like to inform you about new products , services and special offers of the smart Ecosystem and its Service Partners (Finance and Leasing) via email (e.g. Newsletter), telephone (including direct messages), postal mailings or push-notification either by smart or your preferred local smart Agent you have selected in the Self Care Portal. We also would like you to participate in our customer surveys to let us know where we can improve our service and products.

• How do we collect your consent?

  We collect your consent either online or on site at your local smart Agent or smart Authorised Service Partners.

• How can you revoke your consent?

  You can always change your marketing consent settings manually in the Self Care Portal under “Settings” in your smart account or you can unsubscribe from the newsletter manually. You may also call our Service Center at any time for support.

• Which data do we process for marketing?

  Before we collect your consent we inform you about the type of data we process and the specific purpose of processing, e.g. for email newsletters we use your e-mail address, for future products in case you gave us information about your interests or hobbies, how you use our website, which messages you open, which areas you click, your purchase history, your payment method, how you interact with smart and your sales channel (online or at the local retailer) we may use this information to be able to provide you with special offers tailored to your interests.

• With whom do we share your data?

  We only share your data with the companies in the smart Ecosystem that you have selected for one of the following examples: test drive, appointment on site, vehicle handover, trade-in etc. An overview of the smart Agents and smart Authorised Service Partners for whom your consent applies can be found at any time in the Self-Care Portal.

• When do we delete your data?

  Your data will be deleted after your deletion request via your account, when you unsubscribe from our email-newsletter or you send a deletion request to our Service Center. We automatically delete your data if you have not interacted with us after a certain period of time.

VII. FOR PRODUCT AND SERVICE IMPROVEMENT

In order to improve and optimize our products and services, and to help you troubleshoot and analyze the problems you may encounter when using products or services through various channels, we will collect and store your problem feedback information and various operation log information (including crash information, device information and error logs). In addition, in order to provide you with a better service experience, when you give feedback and comments on the product, we will collect and store the feedback and comments to analyze user satisfaction.

Legal basis for the processing of your data is legitimate interest.

VIII. HOW DO YOU EXERCISE YOUR DATA SUBJECT RIGHTS

You have the following rights in connection with the processing of your personal data:

Right to access

You have the right to be informed about which data we collect from or about you, for what purpose we process your data and to whom are we forwarding your data. You may contact us via eu.dataprotection@smart.com and raise your access right.

Right to rectification

You can use the following methods in the Hello smart App to change or modify your personal information: Click "My" - "Settings" - "Personal Information", you can update your avatar, modify your nickname, signature, gender, birthday, use (purchase) car area, hobbies, mobile phone number, and modify or add delivery address. You may always contact us via eu.dataprotection@smart.com.

Right to erasure

If you want to have all your data deleted you can visit the Self Care Portal and delete your account. You also have the possibility to contact our Service Center (see contact details above). When you put in a request all data except the data we are legally obliged to retain will be deleted. You will be informed about the deletion process.

For further information we are obliged to delete your personal data without delay where one of the following grounds applies:

• Your personal data is no longer required for the purpose for which it was collected or otherwise processed.

• You are withdrawing your consent and there are no other legal grounds for processing that data.

• You are filing an objection (see below) to the data processing.

• Your personal data was unlawfully processed.

• The deletion of your personal data is necessary to fulfil an obligation under EU law or the law of the Member States.

Right to restriction

If you want to have your data restricted you can contact smart EU or your local smart Agent. You can also restrict your data via the Privacy settings in the Self Care Portal. You have the right to request a restriction of our data processing when one of the following conditions are met:

• you are contesting the accuracy of the personal data,

• the data processing is unlawful, but you do not agree to the deletion of the personal data, instead requesting a restriction of its use,

• we no longer need the personal data for the purposes of processing, but you need the data to establish, exercise or defend legal claims; or

• you have objected to processing (see below) and it is not yet clear whether our legitimate interest will prevail.

Right to data portability

If you want to receive the personal data you have provided to us in a structured, commonly used and machine-readable format you can contact smart EU or your local smart Agent. You can also request to have the data transferred to another controller without interference on our part provided that:

• the processing is based on consent granted pursuant to Art. 6 (1) lit. a GDPR or Art.9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR; and
• the processing is carried out using automated methods.

In exercising this right, you may request that personal data related to you be transferred directly from us to another controller insofar as this is technically feasible and does not infringe on the freedoms and rights of any other person. The right to data portability does not apply to the processing of personal data required for fulfilling a task carried out in the public interest or in the exercise of an official authority invested in the controller.

Right to object

If you want to object to the processing of your personal data please contact smart EU or your local smart Agent. Objection will be approved unless it is based on one of the following grounds:

• the processing of your personal data by us is required for the fulfilment of a task that lies in the public interest or in the exercise of public authority that has been delegated to us; or

• the processing is necessary to safeguard our legitimate interest or the legitimate interest of a third-party, in so far as your interests or basic rights require that protection of your personal data prevail.

The right to object also applies to profiling based on these processes.

If the personal data that concerns you is being processed for direct marketing purposes, you have the right to object to the processing of your personal data for such marketing purposes. This also applies to profiling insofar as it is associated with such direct marketing.

You also have the right, on grounds arising from your particular personal situation to object to the processing of your personal data by us for scientific or historical research purposes or for statistical purposes, unless such processing is necessary for the performance of a task in the public interest.

Right to withdraw consent

You may revoke your consent at any time with future effect. Processing of your data which occurred prior to the withdrawal of consent is not affected.

When you wish to exercise any of the above rights, you can contact us by email at eu.dataprotection@smart.com. Upon receipt of your request, we may first verify your identity and may ask you to provide necessary information for authentication.

Mobile device authorizations

You may change or revoke our authorization to process your personal information at any time. You may modify it through your hardware device or permanently revoke all of our authorization to continue to collect your personal information by deleting your account.

Right to complaint

If you believe that the processing of your personal data violates legal requirements, you have the right to lodge a complaint with a competent data protection supervisory authority (Art. 77 GDPR).The responsible data protection supervisory authority is:

State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg

Address: Lautenschlagerstraße 20, D- 70173 Stuttgart

Postal address: Postfach 10 29 32, 70025 Stuttgart

Telephone: +49 711/61 55 41-0

Email: poststelle@lfdi.bwl.de

https://www.baden-wuerttemberg.datenschutz.de/online-beschwerde/

IX. Cancellation of your account

You may delete your smart account at any time. You can do it online by accessing "My" - "Settings" - "Delete Account" on the "smart" account page; or call our Customer Engagement Team to assist you in deletion.

Once you delete your smart account, you will not be able to log in and use all user products and services. We will delete all information about your account (including related information associated with third parties), unless otherwise provided by law. So please proceed with caution.

X. Data transmission to recipients outside the European Economic Area

When using service providers and passing on data to third parties, personal data may be provided to recipients in countries outside the European Union ("EU"), Iceland, Liechtenstein and Norway (= European Economic Area) are transferred and processed there, in particular USA, India.

In the following countries, from the EU's point of view, there is an adequate level of personal data protection (so-called "adequacy"), in compliance with EU standards: Andorra, Argentina, Canada (limited), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay. We agree with recipients in other countries on the use of EU standard contractual clauses, binding corporate rules or other applicable instruments (if any) to create an "adequate level of protection" according to legal requirements. For more information, please contact us: eu.dataprotection@smart.com.

XI. UPDATES TO THIS PRIVACY STATEMENT

In order to provide better services, we may change and modify this Privacy Statement from time to time according to the updates of products and services and the relevant requirements of laws and regulations. We therefore recommend that you re-read this Privacy Statement from time to time.

Last update: January 2023