Stack AV Co. External Data Protection Notice and Privacy Policy

Stack AV Co. (together, “Stack”, “we”, “us”) wants to provide you information about what personal information we collect and why, to whom we disclose it, and how we protect it, as well as your respective privacy rights under applicable laws. This data protection notice and privacy policy (the “Notice”) applies to you when we process your personal information as part of our interactions with you, such as when you visit our offices, send us an email, visit our website, or attend an event we are hosting. We also may collect your information when we interact with you or your company as part of our business operations and related activities, such as if you are an employee of our suppliers or are near our technology that is installed on a test vehicle (“Test Vehicle”), which is outfitted with equipment to detect the Test Vehicle’s surroundings.

This Notice is neither intended for our employees nor other members of our staff (who are subject to other notices specifically applicable and notified to them).

We may revise this Notice from time to time in our sole discretion, and we will communicate changes and updates to this Notice by posting an updated version of the Notice (with an updated date) on our website.

1. What personal information do we collect and use?

   The categories of personal information we collect depend on the nature of our relationship with you as well as your interactions with us. For example, depending on our interactions with you, we collect the following types of personal information:

   • Identifiers (e.g., name, alias, telephone number, postal address, e-mail address, signature, and photographs) – When, for example, you send us an e-mail, sign up for a Stack event or newsletter, visit our offices and check in with our front desk (including signing a non-disclosure agreement). We need identifiers in order to give you access to our offices. If you do not provide it, you may not be permitted to access our offices.
   • Characteristics of Protected Classifications Under Certain Jurisdictional Laws (e.g., race, age, national origin, disability, sex, and veteran status) – Only if you choose to provide this information in connection with your relationship with us, for example, to support diversity and inclusion efforts, speak on panels, etc.
   • Commercial Information (e.g., offerings considered, obtained, purchased) – If you share such information with us during the course of our relationship.
   • Internet or other electronic network activity information (e.g., IP address, browser and device details) – When, for example, you send us an e-mail, use Stack’s network, including guest WiFi, visit our website, or interact with our office applications).
   • Geolocation data – When, for example, you visit our offices, participate at our events.
   • Audio, electronic, visual, or similar information (e.g., CCTV footage for security purposes; visual-audio recordings during meetings or events) – When, for example, you visit our offices, attend video conferences with Stack staff, or participate in Stack events).
   • Professional or employment-related information (e.g., education, licenses, work experience and previous employers, professional memberships and affiliations) – When, for example, you give us your business card or other contact details, connect with us on social media or publicly post such information online, or otherwise provide your professional background in connection with our relationship.

   We may also collect, under certain circumstances and to the extent permitted by local law, sensitive personal information which is a subset of personal information. Sensitive personal information varies under applicable law but generally includes information about your ethnicity, health, trade union membership, religious beliefs, and sexual orientation. We sometimes need to collect sensitive personal information to manage certain activities in connection with our business activities. For instance, we may collect health information to manage a physical accommodation if you are coming onsite for a meeting or to facilitate a virtual meeting.

   In connection with the operation of Test Vehicles, we may, for our research purposes, collect and use:

   • Vehicle Telemetry Data. The Test Vehicles are equipped with cameras and sensors to detect and record its surroundings through electromagnetic, optical, and acoustic waves (e.g. radar, video, lidar, GPS, and microphones) to train and improve the ability of the Test Vehicles to safely drive autonomously. The data includes the Test Vehicle origin and destination, speed, direction, miles driven, and route information. This information is not used to identify any individuals.
   • Video Camera and Audio Data. The Test Vehicles are equipped with video cameras and microphones to record their surroundings. Any image, audio recording, or other indication of a person (or a pet, house, mailbox, stop sign, etc.) is used only for research and operation of the Automated Driving System (“ADS”) to identify and classify static and dynamic objects and respond appropriately. This information is not used to identify any individuals.
   • Geolocation data. The above information is accompanied by geolocation data, which is necessary to improve software so that the ADS can identify and classify static and dynamic objects and respond appropriately. This information is not used to identify any individuals.

   Please note that any collection and use of personal information captured through our Test Vehicles are incidental to our research and training purposes. We do not apply any facial recognition or other personally identifying technology to the images and other data collected by the Test Vehicles. We may allow our enterprise partners to use our ADS, and we may collect and maintain vehicle telemetry data, video camera and audio data, and geolocation data for them. If we do, we will handle the information as required and permitted in our agreements with them.

   Neither our website or services are intended for individuals under the age of sixteen (16) years old. We do not knowingly maintain or collect personal information relating to any person under the age of 16. If you are under the age of 16, you should not use the website or services nor supply any personal information. If you are under the age of 16 years old and have already provided personal information to us, please have your parent or guardian contact us so that we can delete information relating to you.

2. Where do we collect your personal information?

   We collect your personal information from a variety of sources:

   • Your employer (e.g., where we interact with them as part of our business operations or related activities)
   • Our vendors and service providers (e.g., where you are acting on their behalf or are otherwise involved in related communications and/or transactions)
   • Our affiliated companies, so that we may better communicate with you or fulfill your requests
   • Third parties (e.g., business partners or professional organizations, where we interact with them as part of our business operations or related activities)
   • Public internet sources (e.g., social media, public profiles, and other online sources)
   • Public records (e.g., credentialing and licensing organizations)
   • Automated technologies on Stack’s electronic resources (e.g., to track RSVPs, logins, or activity across our network or applications)
   • Recording technologies installed by Stack (e.g., CCTV in common areas of Stack’s facilities, voicemail technologies, webcams, audio-visual recording technologies, Bluetooth technologies, Test Vehicles)

   If you disclose any personal information relating to other people to us, you represent that you have the authority to do so and to permit us to use the information in accordance with this Notice.

3. Why and how do we use your personal information?

   We use your personal information for the following purposes:

   • Providing the functionality of Stack’s website and supporting our interactions with you, such as monitoring and maintaining the website’s performance, responding to your inquiries and requests, sending administrative information to you, such as changes to our terms, conditions, and policies
   • Providing you with our newsletter and/or other marketing materials, such as information or news about Stack and its activities such as updates or upcoming events
   • Managing our business operations, including enabling Stack to comply with contractual obligations, facilitating communication, securing our premises and proprietary information, conducting data analysis (e.g., to improve our business operations, products, and services, to identify opportunities to develop our business), facilitating Stack’s marketing initiatives, building and maintaining business relationships, conducting internal audits, in connection with a corporate transaction, sale, or assignment of assets, merger, divestiture, or other changes of control or financial status of Stack or any of its affiliates
   • Maintaining the safety and security of our employees, staff, and visitors (e.g., in case of emergency)
   • Monitoring, safeguarding, and managing IT infrastructure, laptops and computer equipment, mobile devices, office facilities, and other company property
   • Protecting Stack’s legal rights, including monitoring and assessing compliance with policies and procedures, monitoring telephone, email, internet and other company resources, conducting investigations including reporting of allegations of wrongdoing, policy violations, fraud, or financial reporting concerns
   • Complying with legal and other requirements applicable to our businesses in all jurisdictions in which we operate, such as tax deductions, record-keeping and reporting obligations, conducting audits, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation, and managing any internal or external complaints or claims (including those received through the company hotline or e-mail)

   Stack processes your personal information to comply with our legal obligations, manage our contractual relationships, protect life or physical safety, and based on our legitimate interest to operate and protect our business (unless your fundamental rights outweigh our interests). In certain instances, we may process personal information based on your consent if (i) consent to the processing described in this Notice is required by local law, (ii) the processing involves sensitive personal information, or (iii) the specific processing activity is not required in connection with the purposes described above. Subject to applicable law, some processing may also be necessary so that we can perform a contract with you or because it is required by law.

4. With whom do we share personal information?

   Due to the distributive nature of Stack operations, we disclose personal information to personnel and departments throughout Stack and certain Stack affiliates to fulfill the purposes described in this Notice. Access to personal information within Stack will be limited to those who have a need to know the information, including personnel in HR, IT, Compliance, Legal, Finance and Accounting, and Internal Audit.

   Stack will need to make personal information available to unaffiliated third parties such as our suppliers and service providers that we have engaged at the local or global level (e.g., website hosting, data analysis, payment processing, order fulfillment); our legal and professional advisers; our business partners in support of our business operations and related activities (e.g., a trainings, webinars, conferences, corporate events); affiliated companies; the public (if you elected to disclose personal information on services like message boards, chat, profile pages, blogs, and our social media pages); third parties in relation to compelled disclosures (e.g., subpoenas); and government authorities (when we believe disclosure is necessary to comply with the law or to protect the rights, property, or safety of Stack, our workforce, or others).

   In connection with a corporate transaction, sale, or assignment of assets, merger, divestiture, or other changes of control or financial status of Stack or any of its subsidiaries or affiliates, your personal information may be transferred to the acquiring person or entity.

   We may also disclose personal information with your consent, which you may withdraw your consent at any time.

5. Transfers of your personal information outside of the country in which you are located

   Some recipients of your information will be located outside your home jurisdiction, including any country in which we or they have operations (e.g., United States, United Kingdom, Canada, Japan). We take appropriate measures to protect personal information that are consistent with applicable privacy and security laws and regulations, including requiring service providers to implement technical and organizational measures to protect personal information, entering into data processing and transfer agreements where required.

6. How long do we retain your personal information?

   Stack will not retain your personal information for longer than is necessary in relation to the purposes for which your personal information is processed. We will retain personal information for the period necessary to fulfill the purposes outlined in this Notice unless a longer retention period is required or permitted by law. The criteria used to determine our retention periods are:

   • As long as we have an ongoing relationship with you or your employer;
   • As required by a legal obligation to which we are subject (for example, certain laws require us to keep records for a certain period of time before we can delete them); and
   • As advisable in light of our legal position (such as in regard of applicable statutes of limitations, litigation, or regulatory investigations).
7. Your rights in relation to the personal information we process about you

   Depending on the applicable laws in your country of residence, you may have certain rights related to your personal information, for example, you may have the right to:

   • know what personal information we have collected about you
   • request access to your personal information
   • correct your inaccurate, incomplete, or outdated personal information
   • inform us that you do not wish to receive marketing information

   You can seek to exercise your data privacy rights (where applicable) by contacting us at compliance@stackav.com.

   To help protect your privacy and security, we will verify and respond to your request consistent with applicable law, taking into account the nature of the request and the applicable circumstances. We will make reasonable attempts to promptly investigate, comply with, or otherwise respond to your requests as may be required by applicable law. Please note that, depending upon the circumstances and the request, we may not be permitted to provide you with access to your personal information or otherwise fully comply with your request.

8. Security

   We will take reasonable organizational, technical, and administrative measures against unlawful or unauthorized processing of your personal information, and against the accidental loss of, or damage to, your personal information. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Questions or complaints” section below.

9. Questions or complaints

   If you have any questions or complaints regarding Stack’s processing of your personal information, please contact us at compliance@stackav.com.