Classified as Mazda Restricted

Version: 01

Effective Date: April 2025

Privacy Policy – Mazda6e

 

I.       General Information   

 

1.      Scope of this Privacy Policy

This policy (“Privacy Policy”) applies to the collection and processing of personal data through Mazda group companies and their business partners as further outlined below:

·         when making use of the Mazda6e connected vehicle and related services and features (hereinafter "Features", see below PART II.),

·         when subscribing to our Mazda6e App and related features and services offered through the Mazda6e App (together “Mazda6e App”, see below III.), all together “Services” via the vehicle to you (“User”, “you”), and

·         when processing personal data collected through the services and/or the Mazda6e App for quality, service and security related purposes (see below PART IV.).

We take your privacy very seriously and will process your personal data only in accordance with applicable data protection law.

The implementation of new technologies or the introduction of new features and services might require future changes of this Privacy Policy which we may make at any time. In the event of a change, we will notify you of the modification through a notification such as a pop-up prompt to get the latest effective version. The most current as well as prior versions of this Privacy Policy can be found at: www.mazda.eu/en/mazda-in-europe/

2.      Controller for the processing of personal data

The responsible data controller for the personal data collected and processed in connection with the processing activities described in this Privacy Policy differs depending on the relevant processing activity or Feature or Service provided and is explained in the respective context below (see II.–IV.).

Various companies in the Mazda company group, in particular

·         Mazda Motor Logistics Europe NV, a Belgian legal entity with the commercial register number 0406.024.281 and the official company address Blasveldstraat 162, 2830 Willebroek, Belgium (hereinafter referred to as “MLE”),

·         Mazda Motor Europe GmbH, a German legal entity with the commercial register number 49390 and the official company address Hitdorfer Strasse 73, 51371 Leverkusen, Germany (hereinafter referred to as “MME”),

·         Mazda’s National Sales Companies in Europe (hereinafter collectively referred to as “NSCs”; company details are listed at https://www.mazda.eu/en/mazda-in-europe/),

·         Mazda Motor Corporation, a Japanese legal entity with the commercial register number 2400-01-036223 and the official company address 3-1 Shinchi, Fuchu-cho, Aki-gun, Hiroshima 730.8670 Japan (hereinafter referred to as “MC”)

(collectively referred to as “Mazda”, “Mazda Group”, “we” or “us”) and external service providers are involved in various data processing operations.

MC determines the specifications, design, and functional requirements of the Mazda6e vehicle and its features. It has developed the Mazda6e vehicle in collaboration with third-party service providers and acts as a controller in regard to the Mazda6e related data processing activities as indicated below. In order to be able to offer you all Features, Services and benefits such as maintenance, repair, quality control, monitoring and other services with regard to the functionality and safety of the Mazda6e vehicle, it is necessary that MC and/or certain third-party suppliers as data processors receive certain vehicle related information which may include certain personal data in order to provide the appropriate support services based on their technical expertise and knowledge. The companies of the Mazda Group have concluded corresponding contracts with each other to regulate the (joint) processing of personal data and to define the respective rights and obligations with regard to obligations under GDPR. We will be happy to provide further details on the content of the respective agreements upon request.

Notwithstanding the foregoing, data protection inquiries regarding processing activities described in this Privacy Policy can always be addressed at any time to MME or the respective Mazda company group in your country or its appointed data protection officer by ordinary mail or email. Please find respective information under https://www.mazda.eu/en/mazda-in-europe/.

The right to contact the respective controller or their data protection officer remains unaffected. The respective contact details can be found above or below in the respective section of this Privacy Policy.

 

II.      Features

 

1.                General information

In this section we describe how personal data is collected and processed when making use of the Features in your Mazda6e vehicle.

Many of the functions offered and used in the Features do not require data to be collected from the vehicle and transmitted to Mazda or third-party systems. Insofar as data for the use of a function or feature is stored exclusively in the vehicle, these processes are not in the scope of the provisions of the GDPR and other data protection regulations and are not subject to this Privacy Policy.

In these cases, we provide you with information in the relevant manual and/or additional instructions on how and to what extent you can change or delete data stored in the vehicle. Once you sell the vehicle or transfer it (permanently) to third parties for use, it is possible that information stored in the vehicle can continue to be viewed if you have not deleted the information beforehand.

2.                Purposes, Legal Basis of Processing and Categories of Personal Data

We collect and process your personal data in connection with the Features only insofar as the collection and processing is:

·                   necessary for the conclusion or performance of the Mazda6e contract (Art. 6 (1) b) GDPR),

·                   where required by law (Art. 6 (1) c) GDPR),

·                   where based on consent (Art. 6 (1) a) GDPR), or

·                   where it is necessary for the purposes of legitimate interests of us or third parties (Art. 6 (1) f) GDPR).

We process your personal data amongst others for the following purposes:

·          Activating the vehicle to establish an internet connection and use with the Features

·          Creating a user profile in the vehicle and linking to the Mazda6e App

·          Using remote services to control individual vehicle functions

·          Displaying vehicle information (including the vehicle status) in the Mazda6e App

·          Use of a digital key for the vehicle via Bluetooth key

·          Use of the voice assistant in the vehicle

·          Connection of your cell phone to the in-car entertainment system and establishing a connection to third-party providers

·          Connection of the vehicle to third-party wireless networks (e.g. Wi-Fi)

·          Use of navigation features and services with live traffic information

·          Monitoring charging relevant data and charging the vehicle at a charging station

·          Performing software updates

·          Collecting error data and other technical vehicle data to improve our systems, services and other technologies, if you have given your prior consent

When doing so, the following categories of personal data are collected from the vehicle and processed:

·            Vehicle identifiers and other hardware identifiers, e.g. vehicle identification number (VIN), vehicle ID, other unique hardware identifiers such as IMEI, MAC address, IMSI information of the SIM card

·            User account data, such as email address, account ID, username

·            Virtual identification and authentication information, such as verification codes, tokens, customer or account IDs, digital certificates

·            Vehicle and trip-related information and telemetric data, such as vehicle status, trip duration, mileage, diagnostic error code system and application protocols for error analysis and product improvement

·            EV-drive-related information such as battery identification, battery and charging status, battery temperature

·            Location data, such as the position, latitude and longitude of the vehicle

·            Sound recording information, e.g. when using the voice assist

For details on how we process personal data in the context of a particular Feature, please refer to Section 3 below in this Privacy Policy. For further details on other purposes for which we process your personal data, please refer to Section 4 below.  

All personal data described in the sections below is collected directly from your vehicle (e.g. its sensors and related applications as made accessible through the infotainment system) or was made available by you through the Features (e.g. by entering certain personal data via the Features) and is processed in connection with the Features.

Currently, the following Features are offered:

·          Account Creation, Login and Vehicle Binding

·          Remote Control, Monitoring and Bluetooth Key  

·          OTA Update

·          Charging

·          Voice Assistant

·          Map and Navigation

·          Security Management

·          Wireless Communication and Network Connectivity (Bluetooth® Audio/Hands-Free Call/Wi-Fi/Apple CarPlay/Android Auto™)

The data described in this section is required to provide the Features. Once you acknowledge this Privacy Policy the following Features will be activated in your vehicle:

·        Microphone authorization (for intelligent voice (VR), Bluetooth phone, camera - record sound)

·        Vehicle positioning authorization (for navigation, intelligent voice navigation)

·        Camera authorization (for in car monitor - fatigue reminder, In car monitor - Distraction reminder, In car monitor - gesture recognition camera)

You can deactivate and/or customize these Features at any time separately in the settings of the head unit. For example, you may use the navigation or voice assistance feature in a “full privacy mode” which does not entail the transfer of personal data to third party providers. This will, however, also have the effect that you will not be able to make use of all or some of the functionalities or Features as set out below in more detail. Further information on how you activate, deactivate or customize the Features and/or related functionality and/or services is provided in the relevant Manual which can be accessed in the menu of your head unit.

As part of the use of the respective Features and related functions and/or services, personal data is processed and, depending on the feature, function, service or the respective settings, transmitted from the vehicle to third parties. The processing of the respective personal data is explained in more detail in section 3.

Neither Mazda, nor the external third parties engage in automated decision-making including profiling in connection with the Features unless you have been expressly notified otherwise in this Privacy Policy or by other means.

Your location data will not be collected on an ongoing basis unless it is necessary for the functions or services you subscribed to.

3.      Specific Features 

3.1    Account Creation, Login and Vehicle Binding

To use the Features, you need to register for Features through the Mazda6e App and bind the vehicle to our centralized vehicle backend with the support of your dealer. You may activate your account in the vehicle by logging in with the Mazda6e App QR scanner. Activating your account in the vehicle is a prerequisite to connect the vehicle to the vehicle backend which is necessary for making use of some Features and Services related to your vehicle, such as  Voice Assistant and Maps and Navigation.

If you have not activated your account in the vehicle by scanning the QR code in the head unit of your vehicle with the Mazda6e App QR scanner, you can only continue as a “guest” (“guest account”). In this case, the “Full Privacy Mode” will automatically be activated, and certain services will be restricted due to the disconnection from the vehicle backend.

When activating your account with the Mazda6e App QR scanner and binding the vehicle, you can select “Connected Services and Analysis Mode” or “full privacy mode”. In this context and subject to the below descriptions per each Feature, we may collect the following personal data to enable your registration and activation to Features in the vehicle:

Your name, nickname, avatar, your email address, your language, your country, your account data, your network identifier, your account identifier, your vehicle setup records, your password, verification code, the vehicle identification number (VIN), IMEI and other device IDs, customer service account ID, and a related token, including user authentication token. Furthermore, we log acknowledgement of this Privacy Policy and User Agreement.

The legal basis for such processing is Art. 6 (1) lit. b GDPR (performance of the contract).

When you make use of the Services of our Mazda6e App further personal data is processed. We inform you about the processing of your personal data in connection with the use of the Mazda6e App below in this Privacy Policy (Section III).

You can switch to Full Privacy Mode at any time via the vehicle settings once you have logged in to your vehicle.

3.2     Remote Control, Monitoring and Bluetooth Key

We offer Remote Control and Monitoring in the form of remote services through the Mazda6e App such as monitoring the vehicle status e.g. regarding battery status as well as enabling the locking / unlocking of your vehicle, also with a Bluetooth key.

For offering these Services which are operated through the Mazda6e App, we collect and process the following personal data from the vehicle:

VIN, power and charging data, mileage data, control status of door locks, charging, doors, windows, seat, wheel, trunk, lights, brakes, airflow, temperature, humidity, air quality, tire pressure, alarm data, speed, air conditioning, PM2.5, interior air quality, defrost, braking, gear position, drive motor data and voltage data, alarm data, IMS (In-vehicle Monitoring System) data, In-car radar information.

We synchronize the required data about your vehicle to be displayed in the Mazda6e App according to your actions when you manage and control your vehicle via the Mazda6e App.

The legal basis for such processing is Art. 6 (1) lit. b GDPR (performance of a contract).

 

3.3     OTA Update

With OTA Updates we are able to provide you with software updates for vehicle systems and functions as well as the map and infotainment system for you to receive wirelessly (“over-the-air”, together “OTA Updates”). You will be notified via the head unit if new OTA Updates are available. OTA Updates are automatically downloaded to your vehicle to prepare the respective installation. You will be asked to choose whether you want to complete the OTA Update now or later. The update does not require you to log in with your account in the vehicle.

 

The provision of OTA Updates requires the collection and processing of certain vehicle related data through us such as:

VIN, Master ID, Domain ID, Part ID, Part Version No, Part Hardware ID, Part Hardware Version Number, Upgrade Record, Upgrade Log, Upgrade Equipment, Vehicle Model, and upgrade preferences you entered for the in-vehicle terminal.

The legal basis is the performance of the Features and the fulfilment of obligations related to the vehicle purchase contract (Art. 6 (1) b) GDPR). Where updates are provided to provide fixes and/or enhance the usability of the systems, the processing may be based on Art. 6 (1) c or f GDPR (legal requirements or related legitimate interests).

3.4     Wireless Communication and Network Connectivity

You can connect your vehicle to external devices through Bluetooth® Audio/Hands-Free Call/Wi-Fi or through Apple CarPlay / Android Auto services. To do this, you establish a connection between your vehicle and your phone, e.g. via a Bluetooth connection. When doing so, you can use your phone's data multimedia services via the head unit.

 

Please note that for this purpose, data from your vehicle, including a vehicle ID and other technical information, is transmitted from the vehicle to the respective provider such as Apple or Google.

 

These services are not offered or provided by us. The services are third party services offered by third party service providers Apple https://www.apple.com/legal/sla and Google https://policies.google.com/terms/service-specific for which certain additional terms and conditions may apply. We have no influence over their availability and the content offered by Apple or Google. Please make yourself familiar with the processing operations with regards to personal data of Apple and Google in the respective privacy policy at: https://www.apple.com/legal/sla/ and https://policies.google.com/privacy#infocollect

 

Please note that this feature and the related services are available only after you confirmed the feature’s activation during the initial set up process. Otherwise, such feature, and the related services will not be available. You can deactivate the feature at any time in the settings in your head unit.

 

Please note that the data relevant for making use of the Feature or related services is usually stored locally in your connected vehicle and can be deleted manually, or is processed by the relevant third-party service providers Apple and Google in accordance with their terms of use and privacy policies.

 

The legal basis for such processing through us (if any) is Art. 6 (1) b GDPR (performance of a contract).

 

Mazda will not have access to such data.

3.5     Charging

To provide you with convenient charging monitoring and services, and at the same time charging data feedback on your Mazda6e App, we collect and process the following personal data:

VIN, vehicle power, battery charging status, AC charging cable connection status, DC charging cable connection status, charging current, remaining charging time, cruising range information, reservation charging status, reservation start time, reservation end time, etc.

The legal basis for such processing is Art. 6 (1) lit. b GDPR (performance of a contract).

For related features in the Mazda6e App please see below in Section III.

3.6     Voice Assistant

When you use the voice assistant (“Voice Assistant”) related functions, you need to turn on the in-vehicle microphone first and wake up the Voice Assistant through the in-vehicle voice button, wake-up words, or wake-up conditions you set before you can carry out voice interaction. During the voice interaction, the voice data (in-vehicle audio information) will be processed according to the functions you set or select.

Please note that this feature and the related services are available only after you confirmed the feature’s activation during the initial set up process. Otherwise, such feature, and the related services will not be available. You can deactivate the feature at any time in the settings in your head unit. 

You can customize the Voice Assistant service in the settings of the head unit of the vehicle and use for example an “offline” version which does not entail the transfer of voice recording information to the Voice Assistant Service Provider outside your vehicle. Please note that in this case the services will be limited and not all functions and features of it can be used. 

If you confirm this during the initial set up and do not customize the service settings otherwise, the voice data will be transmitted to the technical Voice Assistant support service provider, Megatronix (Beijing) Technology Co., Ltd., Room 1101, Floor 11, Building 6, No. 34 Chuangyuan Road, Chaoyang District, Beijing, China (“Voice Assistant Service Provider”) to complete the Voice Assistant service. The duration and range of the audio information we collect may be related to your settings.

To enhance the optimization and improvement of voice wake-up, recognition, semantic understanding and related functions, the in-vehicle audio information will be stored for 90 calendar days by the Voice Assistant provider for the learning and training of the corresponding voice algorithms to enhance the Voice Assistant capabilities. After 90 calendar days, the in-vehicle audio information will be deleted from the system of the Voice Assistant Provider, and the in-vehicle voice data will be anonymized and processed, trying to avoid any association with you or with a specific vehicle.

In addition, when you manipulate or use other functions or applications through Voice Assistant, we may synchronize the relevant information under these functions or application scenarios to complete the command docking processing. For example, making a Bluetooth phone call via Voice Assistant will collect the telephone number, and then make a call according to your voice command; initiating navigation via Voice Assistant will synchronize the collection of vehicle location, destination, or route; playing music/video via Voice Assistant will collect your search information and playback history.

To operate the Voice Assistant, the following personal data is processed:

Vehicle ID, in-vehicle audio information communicated to Voice Assistant, including vehicle location data, telephone number, voice content commands for recognizing voice content, executing your voice commands, and vehicle log data.

Such data is transmitted and used for the aforesaid purposes by the Voice Assistant Service Provider. Such data will not be transmitted to us. The telephone number is stored locally and used to execute your voice commands to make calls.

Subject to further details in the Voice Assistant Service Provider’s terms of use and privacy policy (see below), the legal basis for such processing is Art. 6 (1) lit. b GDPR (performance of a contract with the Voice Assistant Service Provider).

Subject to further details in the Voice Assistant Service Provider’s terms of use and privacy policy, and to the extent collected in-vehicle audio information is used for learning and training as well as enhancement of the service, the legal basis for such processing is Art. 6 (1) lit. f GDPR (legitimate interest which consists in the legitimate interest of you and the Voice Assistant Service Provider to enhance the quality of the services and related customer satisfaction).

The Voice Assistant is a third-party service of the Voice Assistant Service Provider Megatronix for which certain additional terms and conditions may apply. We have no influence over the availability and the content offered by Megatronix. Please make yourself familiar with the processing operations with regards to personal data of the Voice Assistant Provider in the privacy policy at: https://www.megatronix.com/privacy-mzd-eu.html.

If you confirmed the use of this service during the initial set up process in your vehicle personal data will be transmitted to the Voice Assistant Service Provider as described before. You can customize the service settings at any time and limit the use of Voice Assistant Services to a pure “offline” or “local” service setting which does not entail the transfer of personal data to the external third-party service provider.

3.7     Maps and Navigation  

Certain information from third party sources, such as map navigation, POI and Intelligent Speed Assistance (“ISA”), is used to provide certain Map features and services to you. Map navigation and ISA is provided by Telenav Shanghai Inc, 27F & 28B V-Capital No. 333, Xian Xia Road, Shanghai, China (“Map Service Provider” or “Telenav”).

To use the full range of map services and ISA certain data will be transmitted to Telenav, including location data. The feature is only available if you have confirmed the use of the Telenav services and activated vehicle location and connectivity for in-vehicle applications in the initial set up in your vehicle which can be deactivated at any time. The feature (vehicle positioning authorization) as well as the use of the Telenav services can be customized or deactivated at any time in the settings in the vehicle head unit. For example, you may use the navigation feature without the additional Telenav content and services which can be customized in the settings in the head unit. In this case, however, the full range of the features may not be available.

ISA is a feature to obtain the speed limit data within the ISA electronic map based on the vehicle's location information for intelligent driving use. Please consider that location data and the encrypted VIN ID may be used by Telenav to provide you with the service, as the intelligent speed assistance systems under the Regulation (EU) 2019/2144 of the European Parliament and of the Council (“Regulation”). To provide you with the ISA system, Telenav may use a third-party affiliate map provider to extract and deliver speed limit data and alerts for the areas you are navigating, and we/Mazda (directly or through Third-Party Providers) may combine the data extracted and provided by Telenav with visual recognition data to deliver you relevant speed data. The third-party services always are governed by their own privacy policy in the context of such functionality, which you can find on their website.

In order to provide the service, the following personal data is transmitted to and processed by Telenav:

For navigation: vehicle location/position data, encrypted VIN ID, user behavior tracking data, home/work/other labelled location address.

For ISA: vehicle location/position data, encrypted VIN ID.

Subject to further details in the service provider’s terms of use and privacy policy (see below), the legal basis for such processing is Art. 6 (1) lit. b GDPR (performance of the contract).

The navigation is a third-party service offered by the service provider Telenav for which certain additional terms and conditions may apply. We have no influence over their availability and the content offered by Telenav. Please make yourself familiar with the processing operations with regards to personal data of Telenav in the privacy policy at: https://www.telenav.com/legal/policies-mazda-eu  

If you confirmed the use of the Telenav service during the initial set up process in your vehicle personal data will be transmitted to the service provider Telenav as described before. You can customize the service settings at any time and limit the use of the services to a service setting which does not entail the transfer of personal data to the external third-party service provider.

3.8     Monitoring, Reminder and Gesture Recognition   

To make use of the Features

·        In car monitor - fatigue reminder

·        In car monitor - Distraction reminder

·        In car monitor - gesture recognition camera

the camera permission in the vehicle head unit needs to be activated. When using the Features certain personal data such as video images, sound recordings and photos is recorded and stored in the vehicle to enable the relevant Features. The data is not transmitted to places outside the vehicle and is regularly overwritten in the vehicle storage.

If you have not confirmed the activation of the feature during the initial set up process in the vehicle head unit the Camera authorization and the related features In car monitor - fatigue reminder, In car monitor - Distraction reminder, In car monitor - gesture recognition camera, will not be activated, will not work and you will not be able to use it.

3.9     Security Management

To ensure the safe and stable operation of the Features provided and to safeguard account security, we collect and process the following personal data:

Attack destination IP address, attack target port, event occurrence time, network protocol, attack rule ID, attack source IP address, attack source port, log type, device to be detected, and log type, Data length, CAN bus code, rule code, signal start bit, signal length, message length, abnormal CANID, detection time, detection cause high bit, detection reason low bit, reserved number, reserved position, TBOX Tuid, full CAN/CANFD message.

The legal basis for such processing is Art. 6 (1) b GDPR (performance of a contract) when directly related to enabling the use of certain features and Art. 6 (1) f GDPR (legitimate interest) when related to supporting our legitimate interest in securing the vehicle and our systems against unlawful access or impeding through IT security related risks.

4.  Data of other persons, vehicle usage by a third party

In case other persons use your vehicle (e.g. a co-driver or someone you have let your vehicle) their personal data might be collected and processed during the use of the Features. Unless the person has not logged into the vehicle with a separate account, we have no information on the person or any related personal data to identify such a person. You must ensure that the data subjects are properly informed on the data processing activities as described in this Privacy Policy.

If you sell or permanently let your vehicle to a third party, make sure that this third party will not be able to access any of your personal data through the vehicle’s head unit (e.g. by deleting relevant information in the navigation system).

You can remove a vehicle from the App under “Me” by selecting “My Vehicle” in the “Vehicle Details” by clicking on “Unlink Vehicle”. By removing a vehicle from your list, your driving data will no longer be visible in the App and your vehicle will be disconnected from the App. If you do not remove the vehicle the data might still be accessible through the App. Please be informed that your account data in the App will not be deleted until you delete your account (see Section III.).

5.   Recipients and Categories of Recipients

Due to their role when offering the Features and/or related Services MLE, MME, NSCs and MC will receive and process certain personal data from the connected vehicle for the aforesaid purposes. Any access to your personal data at Mazda is restricted to those individuals that have a need to know to fulfil their responsibilities.

In the context of enabling the Features and/or related Services the Mazda companies will process the relevant personal data in their respective role as follows:

·      MLE and MME will receive and process the relevant personal data for the operation and maintenance of the relevant systems and services for connected vehicle features and software updates, the handling of related issues and troubleshooting as well as handling of related user enquiries.

·      MC will receive and process the relevant personal data for the operation and maintenance of the relevant systems and services, the handling of related issues and troubleshooting as well as the overall management of the systems and services (including the supervision of subcontractors).

·      NSCs will receive and process the relevant personal data for the operation and maintenance of the relevant systems and services and the handling of user enquiries.

 

Certain third parties, whether affiliated or unaffiliated, may receive your personal data to process such data on behalf or in collaboration with Mazda as necessary for the respective processing purposes. Data processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed.

MC will receive and process certain personal data collected through the Features for the operation and maintenance of the relevant systems and services and software updates as well as the handling of related issues and troubleshooting. In this capacity, MC will act as a controller.

Certain technical third-party suppliers will support MC with the operation and maintenance of the relevant systems and services for connected vehicle features and software updates as well as the handling of related issues and troubleshooting as a processor to MC with other third-party suppliers as sub-processor for the handling of related issues and troubleshooting. The third-party providers will be bound by respective instructions.

Mazda will involve further sub-processors as necessary to provide technical support, e.g. with the operation and maintenance of the relevant systems and services and troubleshooting.

 

Certain third parties, whether affiliated or unaffiliated, may receive your personal data to process such data to meet the purpose of their contractual obligations. Therefore, we are passing on personal data, if necessary, to the fulfilment partner for the roadside assistance and to authorized Mazda dealerships and workshops, as well as independent workshops. We may also pass on certain personal data to governmental authorities, courts, external advisors, and similar third parties that are public bodies as required or permitted by applicable law.

6.  Storage Period

Unless otherwise stated in this Privacy Policy, your personal data is stored by Mazda and/or the involved service providers, strictly to the extent necessary for the performance of our obligations and strictly for the time necessary to achieve the purposes for which the personal data is collected, in accordance with applicable data protection laws.

When Mazda no longer needs to process your personal data, we will erase it from our systems and/or records and/or take steps to properly anonymize it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which Mazda is subject; e.g. personal data contained in contracts, communications, and business letters may be subject to statutory retention requirements, which may require retention of up to 6 to 10 years).

There are specific storage periods for the following items:

·      User data, such as name, address, email address, will be kept until the user deletes their Mazda6e account. This means that cached content is automatically deleted after the validity period expires, and stored data is deleted or automatically deleted after user account closure. If you change your email address via the App, the old email address will not be stored.

·      Data relating to OTA Updates will be retained for a period of 10 years after the respective model has ceased to be produced, for product monitoring, safety and defense against product liability or related claims.

·      Unless necessary for another specific purpose (see amongst others Section IV. below), Feature and related service information and/or telemetry data is stored for three (3) months. Critical telemetry data or alerts may be stored for a longer period, which usually lasts up to one (1) year but may last longer depending on the purpose.

 

We may anonymize your personal data, for example for the purpose of business analytics, research and development or statistical purposes, and we may use such anonymized information indefinitely.

III.    Mazda6e App

 

In this section we describe how personal data is collected and processed when making use of the remote-control services in your Mazda6e App (hereinafter “App”). For related processing activities in Features please see Section II. 

1.    Purposes, Legal Basis of Processing and Categories of Personal Data

The App will provide you with the following key functions:

·      User Account

·      Vehicle Linking / Authority Sharing

·      Remote Control

·      Digital Key

·      Owner Manual

We collect and process your personal data in connection with the Services only insofar as the collection and processing is:

·      necessary for the conclusion or performance of the Mazda6e App contract (Art. 6 (1) b) GDPR),

·      where required by law (Art. 6 (1) c) GDPR),

·      where based on consent (Art. 6 (1) a) GDPR), or

·      where it is necessary for the purposes of legitimate interests of us or third parties (Art. 6 (1) f) GDPR).

For details on individual services, please refer to the respective service description in the Mazda6e App Terms and Conditions.

All (personal) data described in the Sections below was made available by you through the App (e.g. by entering certain personal data via the App) and is processed in connection with the Services.

The data described in the Sections below is required to provide the App services. Without this information, the App services cannot be performed.

To provide the services once connected through the App, a connection will be established between the vehicle and our backend, which requires the processing of certain vehicle related data such as the vehicle SIM card ID, IP address, the VIN and further App user related data.

Neither Mazda, nor its partners engage in automated decision-making including profiling in connection with the App services unless you have been expressly notified otherwise in this policy or by other means.

2.    Individual Features

2.1   User Account

Through the App the following registration and user account services will be provided:

 

·      Opening/Deleting user accounts

·      User account login/logout

·      View and change user account information (Password change)

·      Vehicle binding (Vehicle SIM card will be activated after vehicle binding)

·      Scan QR code to register the vehicle user account

We only process your personal data when you start the registration process in the App and while managing your Mazda6e account, including opening and closing the account, log-in and log-out, as well as checking and changing user account information and linking the owner phone number and activation of the vehicle SIM card.

The purpose of our processing your personal data is to ensure your access to the App functions and services and to provide you with all account features. When you log in to the app, the SIM card in the vehicle is activated at the same time so that you can use the vehicle's Features. To register for the vehicle user account, you can use the App to scan a QR code in the vehicle head unit.

Processing of your personal data in this context is required for the fulfilment of our contract with you regarding the App (Art. 6 (1) (b) GDPR).

We process your personal data for other purposes only if we are obligated to do so based on legal requirements (e.g. transfer to courts or criminal prosecution authorities), if you have consented to the processing or if processing is otherwise permissible under applicable law. If we process your personal data for another purpose, we may provide you with additional information.

The data collected in connection with the registration and managing your Mazda6e account includes your email address, your language, your country code, Password/Mail Authentication Code, CAC Account ID, CAC Account Token, TSP-side Token, Account Authentication Token, cell phone number, login password. Furthermore, we log acknowledgement of this Privacy Policy and acceptance of our Terms and Conditions.

Cached content is automatically deleted after the expiration date (90 days), and personal email addresses are deleted after account deactivation or when logged out/expired. After account deletion or mobile number linkage modification, original data is deleted.

2.2   General App Usage

When you use the App, your device automatically transmits log files which we will store. These log files particularly include information about your device and IP address. These log files are stored based on Art. 6 (1) (f) GDPR (legitimate interests). Our legitimate interest is to ensure the security and functionality of the App, to defend us against possible cyber-attacks and prevent infringements of rights by third parties.

The automatically collected personal data will be stored for a maximum of 90 days and then be deleted, unless longer storage is required by law or otherwise permitted – e.g. based on your consent.

2.3   Vehicle Linking/Authority Sharing

Through the App the vehicle linking/authority sharing services will be provided.

The purpose of our processing your personal data is to send an authorization code to the owner's email address based on the OEM's request, to tie the vehicle features to the owner, and to enable the sharing of vehicles with non-owners.

 

Processing your personal data in this context is required for the fulfilment of our contract with you regarding the App (Art. 6 (1) (b) GDPR).

 

We process your personal data for other purposes only if we are obligated to do so on the basis of legal requirements (e.g. transfer to courts or criminal prosecution authorities), if you have consented to the processing or if processing is otherwise permissible under applicable law. If we process your personal data for another purpose, we may provide you with additional information.

 

The data collected in connection with the vehicle linking/authority sharing includes your vehicle account ID, (shared) email address, email authentication code, account authentication token, vehicle type, VIN, authority sharing validity period.

The personal data will be deleted after the vehicle has been unlinked/unaccounted for and after the vehicles have been unlinked/voluntarily de-sharable by the vehicle owner/after the sharing period has expired. 

2.4   Remote Control

Through the App the following remote-control services will be provided and will be activated as a pre-setting if not deactivated separately or entirely:

·      Checking vehicle status (push notification when the battery heater status, battery heater mode, battery level has changed)

·      Remote control of the vehicle

·      Share vehicle control authority with other people

·      Remote control of security codes

·      Battery reservation heater / charge reservation

 

The provision of the services requires the collection and processing of certain vehicle related data such as Temperature, Tire Pressure, Speed + Position, Cumulative Mileage Electric Mileage, Vehicle Condition, Seat Condition, Air Conditioner Temperature, Windshield Condition, Sunroof Condition, Remote switching of door locks, Remote switching of air conditioner, Remote switching of windows, remote toggle of lights, remote toggle of horn, remote toggle of trunk, remote control of seats, remote charging, and control results of these commands, remote security code, Vehicle ID, Account Authentication Token, Travel Plan Type, Start Time, End Time, Customer Time Zone, Vehicle Registration Number, In-car radar information.

 

The data is processed so that the owner can remotely check and control the vehicle information, the status of the doors, boot, windows, air conditioning, seats, etc., and the charging via the app, set and change the security code, and use the battery heating reservations, battery charging service.

 

Processing your personal data in this context is required for the fulfilment of our contract with you regarding the App (Art. 6 (1) (b) GDPR).

 

We process your personal data for other purposes only if we are obligated to do so based on legal requirements (e.g. transfer to courts or criminal prosecution authorities), if you have consented to the processing or if processing is otherwise permissible under applicable law. If we process your personal data for another purpose, we may provide you with additional information.

The latest data reported in the vehicle cycle is stored and then deleted when the vehicle is scrapped/deleted or after the vehicle has been decoupled. Remote control vehicle data is deleted either when the account is closed or if the user has already deleted the data. The remote-control security code data is deleted when the vehicle is unhitched or when the user account is deleted. Battery reservation heater/charge reservation data is deleted when the vehicle is unlinked/the service is completed.

2.5   Digital Key

 

Through the App the following digital key services will be provided:

 

·      Activate, download and deactivate digital keys

·      Share digital keys

·      Manage your digital key

 

The digital key function allows users to activate, download and deactivate digital keys, to share digital keys and to manage your digital key data. You can use your digital key to unlock/lock the vehicle, open/close the window, open/close the trunk, flash the lights/whistle, open/close the electric tail, start the vehicle and for other relevant car controls.

 

For this purpose, the personal data such as account ID, VIN, Digital Key, Bluetooth MAC Address, Device Model/Model, device serial number, device manufacturer, vehicle ID, key type, sharer email address, sharing start time, sharing end time, sharing authority are processed in order to properly authenticate and allocate the digital key to the smart devices and to ensure the security of the service and systems involved. Such information will be shared between the vehicle and the relevant devices by near-field communication (NFC) or ultra-wideband (UWB).

 

Processing your personal data in this context is required for the fulfilment of our contract with you regarding the App (Art. 6 (1) (b) GDPR).

 

We process your personal data for other purposes only if we are obligated to do so on the basis of legal requirements (e.g. transfer to courts or criminal prosecution authorities), if you have consented to the processing or if processing is otherwise permissible under applicable law. If we process your personal data for another purpose, we may provide you with additional information.

 

The processed Digital Key Service data will be deleted either upon cancellation of the user account or if the data has already been voluntarily deleted by the user.

 

2.6   Owner Manual

 

Through the App owner manuals are made available for certain features of your vehicle.  

 

The vehicle owner / App shareholder can access the owner’s manual for the vehicle and view the owner’s manual, linked to the App. For this purpose, personal data such as VIN and the car type are processed.

3.    Recipients and Categories of Recipients

Due to their role when offering the App and/or related services, MLE, MME, NSCs and MC will receive and process certain personal data from the App and the connected vehicle for the aforesaid purposes. Any access to your personal data at Mazda is restricted to those individuals that have a need to know in order to fulfil their job responsibilities.

In the context of offering and operating the App and/or related services the Mazda companies will process the relevant personal data in their respective role as follows:

·      MLE and MME will receive and process the relevant personal data for the operation and maintenance of the App and the relevant systems and services, the handling of related issues and troubleshooting as well as handling of related user enquiries.

·      MC will receive and process the relevant personal data for the operation and maintenance of the App and the relevant systems and services, the handling of related issues and troubleshooting as well as the overall management of the systems and services (including the supervision of subcontractors).

·      NSCs will receive and process the relevant personal data for the operation and maintenance of the App and the relevant systems and services and the handling of user enquiries.

 

Certain third parties, whether affiliated or unaffiliated, may receive your personal data to process such data on behalf of or in collaboration with Mazda under appropriate instructions as necessary for the respective processing purposes. Data processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal data, and to process the personal data only as instructed.

In this context, MC will receive and process certain personal data collected through the App for the operation and maintenance of the relevant systems and services for the App as well as the handling of related issues and troubleshooting. In this capacity, MC will act as a controller. A technical third-party service provider will support MC, as a processor to MC, with the operation and maintenance of the relevant systems and services for the App as well as the handling of related issues and troubleshooting, with other technical third-party providers acting as sub-processors for the handling of related issues and troubleshooting. The third-party providers will be bound by respective instructions.

 

MC will involve further sub-processors as necessary to provide technical support, e.g. with the operation and maintenance of the relevant systems and services and troubleshooting.

Further processors are involved for the following:

 

·      data processor for the provision of the CRC regarding user requests,

·      data processors used to implement data corrections,

·      data processor for monitoring vehicle data to detect cyber security issues,

·      data processors for notifying Users (Push notifications, SMS and Email),

·      data processors to manage vehicle status information to speed up the data acquisition and notify users more quickly.

 

Certain third parties, whether affiliated or unaffiliated, may receive your personal data to process such data to meet the purpose of their contractual obligations. Therefore, we are passing on personal data, if necessary, to the fulfilment partner for the roadside assistance and to authorized Mazda dealerships and workshops, as well as independent workshops. We may also pass on certain personal data to governmental authorities, courts, external advisors, and similar third parties that are public bodies as required or permitted by applicable law.

4.       Storage Period

Unless otherwise described in this Privacy Policy, your personal data is stored by Mazda and/or our partners and service providers, strictly to the extent necessary for the performance of our obligations and strictly for the time necessary to achieve the purposes for which the personal data is collected, in accordance with applicable data protection laws.

When Mazda no longer needs to process your personal data, we will erase it from our systems and/or records and/or take steps to properly anonymize it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which Mazda is subject; e.g. personal data contained in contracts, communications, and business letters may be subject to statutory retention requirements, which may require retention of up to 6 to 10 years).

There are specific storage periods for the following items:

User data, such as name, address, email address, will be kept until the user deletes their Mazda6e account. This means that cached content is automatically deleted after the validity period expires, and stored data is deleted or automatically deleted after user account closure. If you change your email address via the App, the old email address will not be stored.

5.      Termination of account

If you choose to terminate your account (in the App’s Menu), all personal data related to your account will be deleted, unless other reasons for storage or retention periods apply (see III. Mazda6e App Section 2.1 and 2.2 above).

Please note: It also deactivates the vehicle SIM card that was activated when the app account was registered. Any vehicle functions and remote app functions in use will then no longer be available.

6.      Personal Center

The implementation of new technologies or the introduction of new Services might require future changes of this part of the Privacy Policy which we may make at any time. We will inform you about such changes in the App. In the event of a change, you can view the historic versions of the Privacy Policy to which you have agreed and the version update. To obtain the historical version of the Privacy Policy, you can contact our customer service by selecting “Contact Us” in the App’s Menu under “Me” – “About Us”.

If you have any questions about or in connection with this Privacy Policy part for the Mazda6e App or the exercise of any of your rights, you may contact the respective data controller in your country or its data protection officer.

IV.    Quality & Service & Security

We process the personal data collected from the vehicle in the context of the use of the CV services and/or the Mazda6e App for the following additional purposes:

1.    Customer Relationship Center

When you contact your local Customer Relationship Center (“CRC”) by telephone or e-mail regarding the Features, the Mazda6e App or related services or other features of the vehicle itself, we need to check your identity. In case you contact us via an email address known to us, no further details will be requested. If you contact us by phone, three (3) security characteristics must be correctly answered. Together with a description of your problem, your request can be processed by our CRC. In addition, where necessary to process your request, further data as collected from Mazda internal systems (e.g. Digital Service Record, Warranty System) may be processed such as [location data, malfunction info, maintenance and warranty information, service campaigns etc.] or other data as available through our internal databases (e.g. registration number, email address, etc.).

If your problem cannot be solved directly by our CRC (first level support), the claim handler will seek additional advice and technical support from MME (second level support) and if needed also from MC (third level support) for further clarification. Therefore, data such as fact summary, error message code, User ID and, for vehicle related issues, further data such as VIN and product quality information report may be transferred to the aforesaid support teams of said entities and may be processed there to respond to your inquiry and support your request.

The legal basis for the processing of your data will be our legitimate interests (Art. 6 (1) lit. f) GDPR) which consist in being able to solve your technical problems via our CRC.

2.    Product Monitoring and Product Improvement

Mazda will analyse data collected when making use of the Features, the Mazda6e App or related services or the vehicle itself regarding performance, usage, operation, and condition of the vehicle or its features and services likewise for the purposes of ensuring the security (including IT security) of your vehicle. For this purpose, certain Features and other vehicle and telematics related data will be collected for the car and/or transferred to a secure data storage with MC. This will include vehicle data connected to a VIN such as:

The data will be shared with MC and certain technical third-party providers to enable MC to perform the analysis of safety concerns, quality issues and issuance of product recalls or to defend ourselves against claims concerning malfunctions of our products and services. The data will be stored in a secure data storage with restricted access. Unless required to achieve the intended purpose, data will be processed in pseudonymized form (without reference to a natural person). Geolocation data will be stored separately and processed where strictly necessary to analyse and remedy a malfunction.

The legal basis for the processing is the legitimate interest of us and the concerned data subjects in ensuring the safety, operability, and security (including IT security) of our products and services and our interest to defend ourselves and our group companies against claims concerning malfunctions of our products and services (Art. 6 (1) f) GDPR).

The legal basis for the anonymization and subsequent processing of the data for the above purposes is Art. 4 (6) GDPR and Art. 6 (1) lit. b GDPR or Art. 6 (1) f) GDPR respectively (legitimate interest in improving the CV Services and our products and in developing new products and services).

V.     Further Remarks

1. Cross-Border Data Transfer

Some of the recipients of your personal data will be located or may have relevant operations outside of your country and the EU/EEA, e.g. in Japan or China. Depending on the country, the data protection laws may provide a different level of protection compared to the laws in your jurisdiction and regarding which an adequacy decision by the European Commission does not exist. Regarding data transfers to such recipients in Japan, the transfer is based on the respective adequacy decision by the European Commission. For the transfer to recipients outside of the EU/EEA where no such adequacy decision exists, we provide appropriate safeguards, in particular, by way of entering into data transfer agreements adopted by the European Commission (e.g. Standard Contractual Clauses (2010/87/EU and/or 2004/915/EC)) with the recipients and/or taking other measures to provide an adequate level of data protection. Insofar as the transfer of personal data to a country for which no adequacy decision exists is carried out for the fulfillment of the obligations arising from a contract with you (e.g. your vehicle purchase or other services contract and related warranty rights and obligations), the transfer is based on Art. 49 (1) lit. b GDPR. In such a case, the transfer is additionally secured, i.e. regardless of the existence of a corresponding legal obligation, with the contracts based on EU Standard Contractual Clauses. A copy of the respective measure we have taken is available. Please contact the data protection officer for further details.

2. Legal requirements to disclose data

If required by law (e.g. to assist in the investigation of a crime), MC is generally obliged to release data stored by MC to the extent necessary in individual cases.

Within the framework of the applicable law, government agencies are also authorised to read data from vehicles themselves in individual cases. For example, in the event of an accident, information can be read from the airbag control unit to help clarify the circumstances of the accident.

MC will also be required to collect and transmit to the European Commission the vehicle identification number (VIN) and practical driving data of vehicles registered from 1 January 2021. The data collection will be carried out indirectly by MC through authorised dealers and authorised repairers, who will read the data via the legally required OBD (on-board diagnostics) port in the vehicle during maintenance, repair or other service and transmit it to MC.

The data from practical driving are:

·      For internal combustion engine-only vehicles and for non-externally rechargeable hybrid electric vehicles

o   total fuel consumption (over the lifetime of the vehicle) (in litres)

o   total distance travelled (over the lifetime of the vehicle) (in kilometres)

·      For externally charged hybrid electric vehicles

o   total fuel consumption (over the lifetime of the vehicle) (in litres)

o   Total fuel consumption in discharge mode (lifetime) (litres)

o   Total fuel consumption on driver selectable charge increase mode (lifetime) (litres)

o   Total distance travelled (lifetime) (in kilometres)

o   Total distance travelled in discharge mode with engine off (lifetime) (in kilometres)

o   Total distance travelled in discharge mode with engine on (lifetime) (in kilometres)

o   Total distance travelled with driver selectable load increase (lifetime) (in kilometres)

o   Total grid energy supplied to the battery (lifetime) (in kWh)

The processing is in compliance with legal obligations under Article 6(1)(c) of the GDPR in conjunction with Article 9 of European Commission Regulation 2021/392 in its current version.

As a vehicle owner, you may at any time object to the collection of this data for transmission to the European Commission.

You can express your refusal by sending your name and VIN number to our Customer Information Centre by email, telephone or contact form. The contact details can be found on the website under 'Contact'.

3. No obligation to provide data

There is no statutory obligation to provide personal data. The provision of some of the personal data indicated herein is required for the conclusion of a contract and in order to allow us to perform the requested services. A possible consequence of not providing certain personal data is the limited usability of our Services.

4.  Your Rights

If you have declared your consent for any personal data processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal (Art. 7 (3) GDPR).

Pursuant to applicable data protection law you may have the right to: request access to your personal data (Art. 15 GDPR), request rectification of your personal data (Art. 16 GDPR); request erasure of your personal data (Art. 17 GDPR), request restriction of processing of your personal data (Art. 18 GDPR); request data portability (Art. 20 GDPR), and object to the processing of your personal data (Art. 21 GDPR).

In addition, you also have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR).

Please note that these aforementioned rights might be limited under the applicable national data protection law.

 

 

4.1   Right of Access (Art. 15 GDPR):

You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed. However, this is not an absolute right, and the interests of other individuals may restrict your right of access.

You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.

 

4.2   Right to rectification (Art. 16 GDPR):

You may have the right to obtain the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

 

4.3   Right to erasure ("right to be forgotten") (Art. 17 GDPR):

Under certain circumstances, you may have the right to obtain the erasure of personal data concerning you and we may be obliged to erase such personal data.

 

4.4   Right to restriction of processing (Art. 18 GDPR):

Under certain circumstances, you may have the right to obtain restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.

 

4.5   Right to data portability (Art. 20 GDPR):

Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.

 


4.6   Right to object (Art. 21 GDPR):

Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, to processing of your personal data and we can be required to no longer process your personal data. Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your personal data will no longer be processed for such purposes.

 


 

4.7   Right to make arrangements for the storage and communications of data after one’s death:

You have a right to make specific arrangements for the storage and communication of your personal data after your death, and we will act accordingly. You may also make general arrangements with a third party, which will let us know about your instructions in due time.

 

By clicking the “Agree and Continue” button below, you confirm the activation of the features

 

·        Microphone authorization (for intelligent voice (VR), Bluetooth phone, camera - record sound),

·        Vehicle positioning authorization (for navigation, intelligent voice navigation), and

·        Camera authorization (for in car monitor - fatigue reminder, In car monitor - Distraction reminder, In car monitor - gesture recognition camera),

 

and agree to activate the services of Telenav (navigation) and Megatronix (voice assistance) as further described in this Privacy Policy (see Section III. above) which entails the transfer of personal data to the service providers in order for them to provide their respective services to you.

 

Otherwise, the above features and the functions and services associated with them cannot be used. You can de-activate, re-activate and/or modify the scope of the services in the settings in the head unit at any time, insofar as this is provided for the individual features and associated services. Further details can be found in the explanations in the respective section of the head unit and the manuals.