Privacy Notice
Last Updated: 16. December 2024
Version: 1.0
At NIO, we take your privacy seriously. Please read this Privacy Notice carefully as it contains important information regarding how we process your personal data when you visit our Firefly global website (“Website”) and on your privacy rights.
This Privacy Notice describes possible personal data processing activities in connection with the Website. The specific processing activities that apply to you depend to a large extent on how you interact with the Website and services provided on the Website.
Please note that any changes to the Privacy Notice will become effective as of the date of posting the revised notice.
1. Who is Responsible for the Processing of Your Personal Data?
NIO Nextev Europe Holding B.V., Hoogoorddreef 58a, 1101 BE Amsterdam, the Netherlands ("NIO", "we", "us", or "our") is responsible for the collection, processing and use of personal data in connection with the Website and Firefly digital or connected products and services (“FY Services”).
2. How to Contact Us?
If you have any questions or complaints about or in relation to the handling of your personal data or would like to contact our data protection officer, please do not hesitate to contact us by using the contact details below:
NIO Nextev Europe Holding B.V.
- Firefly Privacy -
Hoogoorddreef 58a
1101 BE Amsterdam
the Netherlands
E-Mail: privacy@firefly.world
3. What Personal Data Do We Process, for Which Purposes, and based on Which Legal Bases?
3.1. When you use our Website, some information, such as IP address, is transferred. At that time, we also receive information about your device such as mobile phone type and operating system (iOS or Android). We cannot use this data to identify you. We use this information to better understand which mobile devices and operating systems are used to access and use our Website. This data is necessary to provide the Website to you; without this data, we won’t be able to provide you with the latest content.
3.2. Depending on how you interact with our Website, the categories and amount of personal data we collect, process, and use as well as the relevant processing activities will differ. We will collect, process, and use your personal data including, but not limited to, in the following cases:
- When you access our Website and use individual features of the website.
- If you reach out to us to provide you information about products or if you ask for support.
- When you voluntarily contact us by e-mail or correspond with us directly.
- If you register with our press distribution list.
3.3. We may process, in particular, the following categories of data:
- User Contact Information, such as a user’s first name, last name, postal address, phone number, email address.
- Digital Identifiers, such as IP address, account ID, device ID, login token, digital certificate and related verification code.
- Interests, such as vehicle preferences, hobbies, sports clubs, associations, education, professional situation, language skills etc.
3.4. The information may, in particular, be processed by us based on the following legal bases and for the described purposes:
3.4.1. Performance of the contract in relation to Firefly services and business or in order to take steps prior to entering into the contract:
- Handling of your requests related to becoming a Firefly business partner.
- Handling of your NIO connected vehicle order and timely provision of the battery as a service subscription.
3.4.2. Compliance with legal obligations to which NIO is subject:
- Fulfilment of Legal Obligations. We will process personal data to the extent necessary for compliance with any other legal obligation based on EEA or EEA Member State law, such as if we are legally obligated to provide certain data to a court or an authority in the EEA.
3.4.3. Based on your freely given consent:
- Provision of support, such as requests about our products or regarding our services that we receive via email, phone call or contract form.
- Performance of website analysis and behavioral targeting.
- Provision of advertising, marketing material, such as the latest news about our products and services.
3.4.4. Based on the legitimate interests of us or a third party, as specified below:
- Secure Functioning of IT Systems. Collected data will be processed in the context of ensuring the secure functioning and operation of IT systems. This includes but is not limited to (i) backing up and restoring data processed in IT systems, (ii) logging and monitoring to check the correct functioning of IT systems, (iii) detection and defense against unauthorized access to personal data, as well as (iv) managing and responding to incidents and problems in order to remedy disruptions in IT systems.
- Enhancement: We may process your personal data to enhance the Website and services provided on the website.
- Establishment, Exercise or Defence of Legal Claims: We may process your personal data to the extent that this is necessary for the establishment, exercise or defence of legal claims.
- Disclosure of Information to Authorities, Courts, or Other Third Parties. Where we are not legally obliged to do so under EEA or EEA Member State law, we may disclose your personal data to third parties, such as law enforcement authorities, if we reasonably believe that it is necessary or appropriate to do so. In particular, the disclosure may be made (a) to assist in governmental, court, arbitration tribunal, or (other) legal proceedings and investigations; (b) to prevent potential harm or damage to NIO Group Companies or third parties; (c) for the establishment, exercise or defense of legal claims from or against NIO Group Companies; (d) to protect and ensure (i) the security or integrity of our services or (ii) the rights, property or personal safety of users of our services or other persons or entities; and/or (e) to comply with obligations under non-EEA law.
4. Disclosures of Your Personal Data
4.1. We may share your personal data with the following parties:
4.1.1. NIO Group Companies. Depending on which Firefly service you are using or if you would like to become a business partner in a specific region, we may share your personal data with other NIO Group Companies to provide the service to you or to handle your inquiry properly.
4.1.2. Service Providers and Advisors. Personal data may be disclosed to third party vendors and other service providers that perform services for us, on our behalf, which may include identifying and serving targeted advertisements (for example, on Facebook and Twitter), providing payment, providing e-signing solutions, mailing or email services, tax and accounting services, data enhancement services, fraud prevention services, web hosting, delivery services and/or analytic services.
4.1.3. Purchasers and Other Third Parties in Connection with a Corporate Transaction. Personal data may be disclosed to a purchaser or another external entity in connection with a transaction, such as a merger, sale of assets or shares, reorganization, financing, change of control or acquisition of all or a part of our business.
4.1.4. Law Enforcement Authorities, Other Authorities, Courts, and Other Third Parties. Personal data may be disclosed to third parties, such as law enforcement authorities, as required by law or if we reasonably believe that such action is necessary or appropriate. In particular, the disclosure may be made (a) to comply with the law and legal obligations as well as the requests of authorities, courts, or arbitration tribunals; (b) to assist in governmental, court, arbitration tribunal, or legal proceedings and investigations; (c) to prevent potential harm or damage to NIO Group Companies or third parties, (d) for the establishment, exercise or defense of legal claims from or against NIO Group Companies, and/or (e) to protect and ensure (i) the security or integrity of our services or (ii) the rights, property or personal safety of users of our services or other persons or entities.
5. Are You Obligated to Provide Your Personal Data?
You are generally not obligated to provide any personal data. However, our Website or respective Website content cannot be provided without the processing of a minimal amount of your personal data.
6. Retention Periods
6.1. In general, we will only retain your personal data (i) for as long as necessary to fulfil the purposes we collected or otherwise processed it for, (ii) until you withdraw your consent on which the processing is based, where there is no other legal ground for the processing, or (iii) until you successfully exercise your right to object as stipulated under Section 9.2.7, in each case to the extent that Section 6.3 does not apply.
6.2. Personal data that we process for the performance of a contract is stored as long as your contract is not terminated and after termination of the contract, we usually store your personal data for 6 to 10 years to meet accountability and statutory retention requirements.
6.3. We may particularly refrain from erasing your personal data if its continued processing is necessary for compliance with a legal obligation (including statutory retention obligations, such as under tax law) or for the establishment, exercise or defence of legal claims.
6.4. In some circumstances, we may anonymize your personal data (so that it can no longer be associated with you) in order to use it for research or statistical purposes.
7. International Transfers of Your Personal Data
7.1. Your personal data may be transferred to, processed, or stored in, countries outside of the jurisdiction you are in where we and our third party service providers or other NIO Group Companies have operations or servers.
7.2. If you are located in the EEA, your personal data may be processed outside of the EEA ("International Transfer"), including but not limited to in the USA or China.
Any International Transfers are made either: (a) to a country, territory, or sector ensuring an adequate level of protection in relation to the processing of personal data as determined by the European Commission, which can be reviewed here; (b) to an entity that is a member of a compliance scheme recognized as offering adequate protection for the rights and freedoms of data subjects as determined by the European Commission, such as to U.S. entities certified under the EU-U.S. Data Privacy Framework; or (c) pursuant to appropriate safeguards, such as the Standard Contractual Clauses approved by the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021, whose clauses can be reviewed under the Annex of the aforementioned Implementing Decision.
Outside of the aforementioned cases, an International Transfer may occur with your explicit consent. If so, we will make you aware of this separately and provide you with further information.
7.3. If you wish to enquire further about International Transfers and the safeguards we rely on, please contact us as set out under Section 11 of this Privacy Notice.
8. COOKIES AND SIMILAR TECHNOLOGIES
8.1. We use cookies and similar technologies to provide you with our service.
8.2. When you visit our Website, cookies are set in your terminal device to store information or similar technologies are used to retrieve information from your terminal device. The information collected in this process may relate to the content you view, the device you use, or overall your interaction with our website and the services offered there. Some cookies are set directly by us, others by third parties whose services are used by NIO. The same applies to technologies similar to cookies, such as Java scripts (pixels).
8.3. Without your explicit consent, only necessary cookies are set, which are required for the proper operation of our Website. With your consent, we may also use optional cookies and similar technologies that help us analyze the website, provide additional functionality, or serve ads on social media or other websites. Once given, consent can be revoked at any time with effect for the future.
8.4. Please review Annex 1 of this Privacy Notice to find out what cookies and other technologies we use and for what purpose they are used.
9. Your Rights in Respect of Your Personal Data
9.1. This Section applies to you if you are located in the EEA.
9.2. In accordance with applicable data protection law, you have the following rights in respect of your personal data:
9.2.1. Right of Access. You have the right to obtain:
9.2.1.1. a confirmation of whether we are processing your personal data;
9.2.1.2. information about the categories of personal data that we are processing, the purposes for which we process your personal data, and information as to the envisaged storage period or the criteria used to determine it;
9.2.1.3. where the personal data are not collected from you, information as to their source;
9.2.1.4. information about the recipients or categories of recipients with whom we may share your personal data and, in case of transfers to countries outside of the EEA, information about the appropriate safeguards;
9.2.1.5. the existence of automated decision-making, including profiling, and relevant information in relation thereto; and
9.2.1.6. a copy of the personal data we hold about you.
9.2.2. Right to Data Portability. You have the right, under certain conditions, to receive a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format that supports its re-use in relation to another controller, or, where technically feasible, to request the transfer of your personal data to another controller.
9.2.3. Right to Rectification. You have the right to obtain rectification of any inaccurate or incomplete personal data that we hold about you without undue delay.
9.2.4. Right to Erasure. You have the right, under certain conditions, to require us to erase your personal data without undue delay, if the continued processing of that personal data is not justified. This may particularly be the case if the processing of your personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed. However, we may particularly refrain from erasing your personal data to the extent that its continued processing is necessary for compliance with a legal obligation (including statutory retention obligations, such as under tax law) or for the establishment, exercise or defence of legal claims.
9.2.5. Right to Restriction. You have the right to require us to restrict the processing of your personal data if our continued processing of the personal data in this way is not justified, under certain conditions, such as where (i) the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of that personal data, or (ii) the processing is unlawful and you oppose the erasure of your personal data and request the restriction of its use instead.
9.2.6. Right to Withdraw Consent. Whenever our processing occurs based on your freely given consent, you can withdraw your consent at any time with future effect. As a consequence of your withdrawal, we will cease the relevant processing activity where there is no other legal ground for the processing. Your withdrawal of consent will not affect the lawfulness of our processing based on your consent before the withdrawal.
9.2.7. RIGHT TO OBJECT. YOU HAVE A RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA
9.2.7.1. BASED ON THE LEGITIMATE INTERESTS BY US OR A THIRD PARTY ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION WHILE WE WILL NO LONGER PROCESS THE PERSONAL DATA UNLESS (I) WE ARE ABLE TO DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OR (II) FOR THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS; OR
9.2.7.2. FOR DIRECT MARKETING PURPOSES.
9.3. If you wish to exercise one of these rights, you may in any case do so by using the contact details set out under Section 12 of this Privacy Notice.
9.4. Right to File a Complaint. You also have the right to file a complaint with a data protection authority, in particular, in the EEA Member State of your habitual residence, your place of work or the place of the alleged infringement, if you believe that our processing of your personal data is not in compliance with data protection law. You can find a list of the data protection authorities in the EEA and their contact details under the following link: https://edpb.europa.eu/about-edpb/about-edpb/members_en
The name and contact details of the competent data protection authority at the location of NIO Nextev Holding Europe B.V. are:
Autoriteit Persoonsgegevens
Hoge Nieuwstraat 8
P.O. Box 93374
2509 AJ Den Haag/The Hague
Website: https://autoriteitpersoonsgegevens.nl/
10. Changes to This Privacy Notice
We regularly evaluate our privacy notices and procedures to implement improvements and refinements. Accordingly, we may update this Privacy Notice from time to time, and so you should review this page periodically. If we make material changes to this Privacy Notice, we will update the "last updated" date at the start of this Privacy Notice. Changes to this Privacy Notice become effective when they are posted on this page.
11. Notices to You
If we need to provide you with information about something, whether for legal, marketing, or other business-related purposes, we will select what we believe is the best way to get in contact with you. We will usually do this through e-mail or by providing you with a notice via the relevant service. The fact that we may send notices to you does not limit or restrict your ability to opt out of certain types of communications as described in this Privacy Notice.
12. Privacy Contact
If you have any questions in relation to this Privacy Notice or want to exercise the rights set out under its Section 9, please feel free to contact us under privacy@firefly.world.
ANNEX 1: COOKIE AND SIMILAR TECHNOLOGIES
1. Overview of necessary cookies
Category of type | Name of Cookie | Provider | Purpose | Storage period | 1st/3rd party |
---|---|---|---|---|---|
Strictly necessary cookies | locale | NIO | Used to remember the user's language settings | During the session | 1st |
Strictly necessary cookies | npp_analytical | NIO | Used to remember the user's GDPR consent cookie selection | 30 days | 1st |
2. Overview of functional and performance cookies & similar technologies
2.1. Google Analytics
Google Analytics is a web analytics service provided by Google Ireland Limited, Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google") that tracks and shares website traffic.
Google Analytics uses so-called tracking pixels and "cookies"; cookies are text files that are stored on your terminal device and enable an analysis of your use of the website. The information generated by a cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. However, by activating IP anonymization, your IP address will be shortened by Google beforehand within the European Economic Area (European Union and other member states). Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.
On our behalf, Google will use this information for the purpose of evaluating your use of the websites, compiling reports on website activity and providing us with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.
You can find a detailed overview of the data collected by Google at: https://marketingplatform.google.com/about/analytics/.
More details on how Google handles your personal data can be found on Google’s Privacy & Terms site: https://business.safety.google/privacy/.
The use of Google Analytics may require the transfer of your personal data to the USA.
The legal basis for the use of Google Analytics is your voluntarily given consent. Any potential cross-border data transfer is subject to the DPF EU-U.S. Data Privacy Framework that Google LLC has been certified under (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active).
Google Analytics uses the following cookies:
_gat
Purpose: Used to throttle request rate. When Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_.
Duration: 1 minute
_ga_<container-id>
Purpose: This cookie name is associated with Google Universal Analytics to persist session state.
Duration: 2 years
_ga
Purpose: This cookie is used by Google Analytics to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page and used to calculate visitor, session and campaign data for the site's analytics reports.
Duration: 2 years
Here you can opt-out from data collection related to Google Analytics: