GDPR Compliance Policy

Company: AUTONOMi
Website: goautonomi.com
Effective Date: March 10, 2026
Last Updated: March 10, 2026
Compliance: This policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 (GDPR), the German Federal Data Protection Act (BDSG), and the Polish Act on Personal Data Protection (implementing the UODO framework).

1. Introduction and Scope

This GDPR Compliance Policy describes how AUTONOMi collects, processes, stores, and protects personal data in accordance with the General Data Protection Regulation (GDPR) and applicable EU member state law.

This policy applies to:

  • All personal data collected from individuals located in the European Union (EU) and European Economic Area (EEA), including Germany and Poland
  • All processing activities carried out by AUTONOMi as a data controller or data processor
  • All employees, contractors, and third parties who process personal data on behalf of AUTONOMi

2. Data Controller and Data Processor Roles

2.1 AUTONOMi as Data Controller

AUTONOMi acts as a data controller when it determines the purposes and means of processing personal data directly, including:

  • Personal data collected from website visitors (goautonomi.com)
  • Contact and account information provided by platform users
  • Marketing and communication data

Controller contact details:

AUTONOMi
Email: gdpr@goautonomi.com
Website: goautonomi.com

2.2 AUTONOMi as Data Processor

AUTONOMi acts as a data processor when processing personal data on behalf of its clients (automotive dealerships and dealer groups) who are the data controllers. This includes:

  • CRM and DMS data synced to the platform
  • Customer lists and first-party audience data uploaded by clients
  • Ad platform data and campaign attribution data

In this capacity, AUTONOMi processes data solely in accordance with client instructions as set out in the applicable Data Processing Agreement (DPA).

2.3 EU Representative

AUTONOMi is accessible to EU data subjects through the contact details above. If required under Article 27 GDPR, AUTONOMi will designate an EU representative. EU users may contact us at gdpr@goautonomi.com for all GDPR-related inquiries.

3. Legal Bases for Processing

AUTONOMi processes personal data only where a lawful basis exists under Article 6 GDPR. The following table outlines the processing activities and their corresponding legal bases:

Processing Activity                    | Legal Basis                          | GDPR Article
---------------------------------------|--------------------------------------|-------------
Providing contracted platform services | Performance of a contract            | Art. 6(1)(b)
User account management                | Performance of a contract            | Art. 6(1)(b)
Billing and payment processing         | Legal obligation                     | Art. 6(1)(c)
Tax and financial record-keeping       | Legal obligation (7-year retention)  | Art. 6(1)(c)
Marketing communications (opt-in)      | Consent                              | Art. 6(1)(a)
Analytics and platform improvement     | Legitimate interest                  | Art. 6(1)(f)
Fraud prevention and security          | Legitimate interest                  | Art. 6(1)(f)
Non-essential cookies and tracking     | Consent                              | Art. 6(1)(a)
Compliance with legal proceedings      | Legal obligation                     | Art. 6(1)(c)

3.1 Consent

Where consent is the legal basis, AUTONOMi:

  • Requests consent through a clear, affirmative action
  • Provides a plain-language explanation of what data is collected and how it will be used
  • Maintains records of consent (timestamp, version of policy consented to, and method of consent)
  • Allows withdrawal of consent at any time, without penalty

To withdraw consent at any time: gdpr@goautonomi.com

3.2 Legitimate Interests

Where we rely on legitimate interests, we have conducted a legitimate interest assessment (LIA) to ensure our interests are not overridden by the rights and freedoms of data subjects. You have the right to object to processing based on legitimate interest (see Section 7).

4. Data We Collect

4.1 Controller Data (Website and Platform Users)

Category            | Examples                            | Retention
--------------------|-------------------------------------|-----------------------------
Identity data       | Name, job title                     | Account duration + 3 years
Contact data        | Email, phone number                 | Account duration + 3 years
Account credentials | Username, hashed password           | Account duration
Financial data      | Payment method details (tokenized)  | 7 years (legal obligation)
Usage data          | Login timestamps, feature usage     | 3 years after last activity
Communications      | Support tickets, emails             | 2 years after resolution
Technical data      | IP address, browser, device         | 13 months (analytics)

4.2 Processor Data (Client-Uploaded Data)

When clients upload data to the AUTONOMi platform, we process it as a data processor under the client's instructions:

  • Customer CRM records (name, contact details, purchase history)
  • Vehicle ownership and service records
  • First-party advertising audiences
  • Attribution and conversion data

Processor data retention is governed by the applicable DPA.

5. Data Minimization and Purpose Limitation

AUTONOMi adheres to the principles of:

  • Data minimization — We collect only the personal data that is necessary for the specified purpose
  • Purpose limitation — Personal data collected for one purpose is not used for incompatible purposes
  • Storage limitation — Data is retained only for as long as necessary and deleted in accordance with our retention schedules
  • Accuracy — We take reasonable steps to ensure personal data is accurate and up to date

6. International Data Transfers

AUTONOMi operates in the United States, Germany, and Poland. When personal data is transferred from the EEA to the United States or other third countries, we ensure appropriate safeguards are in place in accordance with Chapter V GDPR.

6.1 Transfer Mechanisms

Transfer Destination                    | Mechanism                                  | Reference
----------------------------------------|--------------------------------------------|------------------------------
United States (AUTONOMi infrastructure) | Standard Contractual Clauses (SCCs)        | EC Decision 2021/914
Google (advertising and analytics)      | SCCs + Google's data processing terms      | policies.google.com/privacy
Meta (advertising platform)             | SCCs + Meta's data transfer mechanisms     | facebook.com/privacy/policy
HubSpot (CRM/marketing)                 | SCCs + DPA                                 | legal.hubspot.com/dpa
Other US-based processors               | SCCs + individual DPAs                     | Available on request

6.2 Standard Contractual Clauses

We use the Standard Contractual Clauses approved by the European Commission under Decision 2021/914 as the primary mechanism for transfers to third countries. Copies of SCCs are available upon request at gdpr@goautonomi.com.

7. Data Subject Rights

EU individuals have the following rights under GDPR. To exercise any right, submit a request to gdpr@goautonomi.com. We will respond within 30 calendar days (extendable by a further 2 months for complex requests, with notice).

7.1 Right of Access (Art. 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about the processing activities.

7.2 Right to Rectification (Art. 16)

You have the right to request correction of inaccurate or incomplete personal data without undue delay.

7.3 Right to Erasure (Art. 17)

You have the right to request deletion of your personal data where:

  • The data is no longer necessary for the purpose for which it was collected
  • You withdraw consent and there is no other legal basis
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

This right does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.

7.4 Right to Restriction of Processing (Art. 18)

You have the right to request that we restrict processing of your data in certain circumstances, including while accuracy is contested or an objection is pending.

7.5 Right to Data Portability (Art. 20)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller.

7.6 Right to Object (Art. 21)

You have the right to object at any time to processing based on legitimate interest or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

To object to direct marketing: unsubscribe from any email or contact privacy@goautonomi.com.

7.7 Right Not to Be Subject to Automated Decision-Making (Art. 22)

AUTONOMi does not make decisions that produce significant legal effects on individuals based solely on automated processing.

7.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

8. Supervisory Authority

EU data subjects have the right to lodge a complaint with the competent data protection supervisory authority:

Germany:

Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)
Website: bfdi.bund.de

Poland:

Urząd Ochrony Danych Osobowych (UODO)
Website: uodo.gov.pl

You also have the right to seek judicial remedy in the courts of your country of habitual residence.

9. Data Processing Agreements

AUTONOMi enters into a Data Processing Agreement (DPA) with:

  • All EU clients who use the AUTONOMi platform (required by GDPR Art. 28)
  • All sub-processors who process personal data on AUTONOMi's behalf

9.1 DPA Requirements

Our DPA includes:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Sub-processor authorization and notification requirements
  • Deletion or return of data upon termination
  • Security measures (technical and organizational)
  • Assistance with data subject rights requests

To request a DPA: gdpr@goautonomi.com

9.2 Sub-Processors

AUTONOMi uses the following categories of sub-processors who may process EU personal data:

Category              | Examples                     | Processing Activity
----------------------|------------------------------|-------------------------------------
Cloud infrastructure  | AWS, Google Cloud            | Data storage and hosting
Payment processing    | Stripe                       | Billing and subscription management
CRM and support       | HubSpot, Intercom            | Customer communication
Analytics             | Google Analytics             | Usage analytics
Advertising platforms | Google Ads, Meta, LinkedIn   | Campaign delivery (client data)
Email delivery        | SendGrid or equivalent       | Transactional email

A current list of sub-processors is available upon request at gdpr@goautonomi.com. We will notify clients 30 days in advance of adding new sub-processors.

10. Data Breach Notification

10.1 Internal Response

Upon discovering a personal data breach, AUTONOMi will:

  1. Contain the breach and assess the risk to data subjects
  2. Document the breach in our incident register
  3. Notify the relevant supervisory authority if required

10.2 Notification to Supervisory Authority

Where a breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33.

Notification will include:

  • Nature of the breach and categories/number of data subjects affected
  • Contact details of our DPO or GDPR contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

10.3 Notification to Data Subjects

Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, we will notify affected individuals without undue delay, in accordance with GDPR Art. 34.

10.4 Client Notification (Data Processor Role)

Where a breach involves client data for which AUTONOMi acts as a data processor, we will notify the relevant client controller without undue delay to enable the client to fulfill their own notification obligations.

11. Privacy by Design and Default

AUTONOMi implements privacy by design and by default in accordance with GDPR Art. 25:

  • Technical measures: Encryption of data in transit and at rest, pseudonymization where applicable, access controls
  • Organizational measures: Data protection impact assessments (DPIAs) for high-risk processing activities, staff training, least-privilege access policies
  • Default settings: Privacy-protective defaults — no non-essential cookies without consent, minimal data collection, opt-in (not opt-out) for marketing communications

12. Data Protection Impact Assessments

AUTONOMi conducts Data Protection Impact Assessments (DPIAs) before undertaking high-risk processing activities, including:

  • Large-scale processing of personal data
  • Systematic monitoring of individuals
  • Processing special categories of data
  • New technologies that may present significant risks

DPIA records are maintained internally and made available to supervisory authorities upon request.

13. German-Specific Requirements (BDSG)

In addition to GDPR requirements, AUTONOMi complies with the German Federal Data Protection Act (BDSG):

  • Employee data is processed in accordance with §26 BDSG
  • Technical and organizational measures comply with Annex 1 BSI IT-Grundschutz standards where applicable
  • Data subject requests from German residents are processed within the 30-day GDPR timeframe

German supervisory authority for AUTONOMi's German operations:

Landesbeauftragter für Datenschutz und Informationsfreiheit (relevant state authority based on AUTONOMi's place of establishment in Germany, or BfDI for cross-border matters)

14. Polish-Specific Requirements

AUTONOMi complies with the Polish implementation of GDPR and applicable guidance from the Urząd Ochrony Danych Osobowych (UODO):

  • Data subject requests from Polish residents are processed within the 30-day GDPR timeframe
  • Marketing to Polish residents is conducted only with valid consent or a documented legitimate interest assessment

Polish supervisory authority:

Urząd Ochrony Danych Osobowych (UODO)
Website: uodo.gov.pl

15. Policy Updates

We review and update this GDPR Compliance Policy at least annually, or when:

  • There are material changes to our processing activities
  • New EU guidance or regulatory decisions affect our compliance obligations
  • We expand into new EU markets or add new data processing activities

We will notify registered EU users of material changes via email with 30 days' notice.

16. Contact

For GDPR inquiries, data subject rights requests, or DPA requests:

AUTONOMi GDPR Contact

Email: gdpr@goautonomi.com
Website: goautonomi.com

For general privacy inquiries:
Email: privacy@goautonomi.com