Privacy Policy Surfsight

Privacy Policy

Effective: July 1, 2020 | You may contact us for previous versions of the Privacy Policy.

In a nutshell:

Now in more detail:

1. Introduction and Definitions​

The Surfsight solution is a technology platform and service owned and operated by us, Lytx, Inc. and our wholly owned subsidiaries (“Company”). You can find our contact information below.

The Surfsight solution helps organisations to protect their staff and vehicles on the road, and to protect their legal interests in the event of claims and litigation. These organisations are our customers. 

The Surfsight solution is a Cloud Platform, connected to in-car camera devices (which the Customer purchases, owns, installs and operates), and accessible to Customers and their Authorised Users via a dedicated Web Portal.  

As soon as they are switched on when the vehicle is started, the devices record Videos and collect various Location Data and Driving Data, which may include personal information or personally identifiable information (Personal Data) of Drivers, Passengers or Other persons in the vehicle, as explained in detail below. 

Our Customers decide the purposes for which they use the Surfsight solution, as well as the means of data collection, including without limitation the configuration of features available in the Platform and Devices. Our Customers control the data processed on their behalf through the Surfsight solution and they are responsible under our End User License Agreement (EULA) for processing all rights and data requests of their employees and contractors, Users, Drivers, Passengers, and Other Persons as Data Controllers. We also use the data collected, uploaded or made available on the Surfsight solution for the provision of services to our Customers, product improvement, research and development, and for other purposes. 

development and commercial uses, as described in more detail below. With respect to the processing of Customers’ personal data, the Company is a Data Controller, as described in more detail in the Privacy Agreement and Data Processing Agreement sections of the EULA. 

To clarify with an example: if you are an employee of CorpCo and you have a CorpCo company car in which a Surfsight Device is installed, then you are a Driver, CorpCo is our Customer and has full control over your personal data, and we process your personal data on CorpCo’s behalf and at CorpCo’s direction. If CorpCo has given you access to the Surfsight Portal, you are also a User, and you may access the Platform to view videos, obtain statistics, and perform certain actions, all in accordance with your permissions as defined by CorpCo.

If you are a user, driver or passenger and you have any problem concerning your personal information, please contact your employer first! Our customer’s contact details can be found on or around the device and in the portal.

In addition, we also operate several websites – such as Surfsight.com – and collect personal data from Visitors. Some Visitors and others who communicate with us become our Business Contacts or Customers. We collect and process a variety of personal information about our Visitors, Contacts and Customers, and we are the Data Controller for that personal data. 

 If you are one of our visitors, contacts or Customers and have a question about your personal information under our control, please contact us (details below).

2. How do we collect personal data?

  1. If you are one of our Contacts or Customers, we may receive your personal data in several ways:
  2. When you communicate them to us directly, through your communication with us on the contact forms on the Websites, by e-mail, telephone or fax, at conferences, meetings or by any other means of communication.
  3. When other Customers, Contacts, Resellers, Business Partners or Third Parties share your information with us, depending on their interaction with you, their purposes, their legal basis and their privacy policy. In such cases, we assume responsibility for controlling only the personal data we have received.
  4. We may supplement the personal data we have about you with information you have provided to us directly, information other people have provided to us about you, and data we have collected about you from your use of the Surfsight solution or the Websites (see below).

If you are a User or Driver, there are two ways in which we receive personal data about you that we process on behalf of our Customer:

  1. Our Customer provides us with your personal data through the Surfsight solution, the Portal, devices owned and operated by the Customer, the Customer’s use of the Platform, or otherwise. 
  2. You provide us with personal data directly through the use of a device in a vehicle that you drive, which sends video and data to the Platform, or through your use of the Portal, Websites, Customer Support channels, or otherwise.

You can usually switch off the Device or disconnect it from the electricity supply to stop its operation and the collection of information. However, your handling of the Devices and Customer vehicles is subject to your relationship with your employer, our Customer. If the Platform does not receive data from the Device, it may not function properly. The data provided by the Surfsight solution to our Customer who controls your account may be incomplete or inaccurate, and this may affect your relationship, work or remuneration. Please consult your employer regarding the potential effect of disabling or altering the Device and its operations.

If you are a Passenger or another person not related to the Customer (Other Persons), we may still process certain personal data about you. This data is received from the Customer’s Device allocated to the Driver who captured your video footage, location information or other visible or inferred personal data in or around the Customer’s vehicle. If you have a question or request about your data, please first contact the driver whose vehicle you used, or our Customer, the driver’s employer.

If you are a Visitor to our Websites or a User using the Surfsight solution, we may receive certain personal data through your device, operating system and browser, as well as from various hosting, tracking, analytics and advertising technologies used on our Websites, such as cookies (see below), Amazon Web Services, WordPress and WordPress plugins, analytics and advertising technologies from Google and others, Freshdesk Customer Support Services, social login APIs from Google, Facebook, Twitter and others, and other technologies. Our websites do not currently respond to “Do Not Track” signals sent by your browser or device. 

3. What personal data do we process?

If you are one of our Contacts or Customers, or a Surfsight User, we may collect and process these types of personal data about you: 

On the Surfsight platform, we primarily process data from and about Devices, not individuals. However, in the process of collecting this information, various types of personal data are also collected. Our Customers decide what data to collect from Devices, whether and to what extent they associate Devices with specific individuals in their organisation, and what personal data about users and drivers to store on the Platform. These are the types of personal data about drivers, passengers and others that we may process on behalf of Customers.

We also collect and process these types of personal data about anyone using the Devices, Surfsight Platform, Portal, or Websites:

4. What about children's personal data?

Surfsight is a technology platform for safety and driving documentation, and is not intended for children. We do not knowingly collect or process information about children, although passengers and others who are children may be captured on Customer videos by coincidence. The Surfsight solution makes no attempt to personally identify children, passengers or other persons who appear in Customer videos processed on the platform.

Occasionally, parents use the Surfsight solution to track and monitor the driving, location and behaviour of their children in their car. These children generally have a driving licence and are aged over 16. Even in such cases, the Surfsight solution is intended to be used with significant parental involvement and approval, and with the awareness of the children/drivers.

Please contact our Customer or the driver if you have any concerns about children’s personal data on the devices. Please contact us (details below) if you have any concerns about children’s personal data on the Platform. 

5. What about cookies?

A cookie is a small data file that your browser saves on your computer or mobile device. We use cookies to collect information and provide our services. We may use cookies to store your login details, enable certain features, understand how you interact with us, monitor your use of our portal and websites, our products and services, and personalise your experience and the advertising displayed to you. You can configure your browser to prevent the use of cookies. If you do not accept cookies, our websites and the Surfsight platform may not function properly. 

6. What are the purposes of processing personal data? How is your personal data used?

Surfsight solution

The purposes for which personal data is processed using the Surfsight solution are determined by our Customers. Each Customer may use the Surfsight solution for different purposes. These may include encouraging and monitoring safe driving, protecting Customer assets such as vehicles, protecting Customers, staff and third parties in the event of accidents, legal proceedings and insurance claims, tracking vehicles and managing the fleet, determining or corroborating the circumstances of a lawsuit, claim, loss or theft, preventing and detecting fraud, supervising professional drivers, planning routes, measuring and documenting traffic, etc.

If you are a Driver, we collect and use your personal data to provide our services to our Customers, in accordance with their instructions and settings, so that they can achieve their respective objectives. We may use your Device and contact details, in accordance with the Customer’s instructions and settings on the Portal, to communicate with you and provide you with assistance and deal with requests and complaints. These interactions are carried out at the request of Customers, and on the basis of Customer settings, or at your own request or on the basis of your settings in the Device and the Portal (if you are also a User).

Our purpose in processing personal data via the Surfsight solution is to provide our services to Customers in accordance with our agreements with them and applicable law. An integral part of our services to Customers is the continuous improvement of the Surfsight Device and Platform, and therefore we also use the data collected on Surfsight to ensure that our products and services work as intended; to analyse, measure and understand how our services are used; to improve our products and services; to develop new features, products and services; to protect our company, our staff, our Customers and Users, as well as Drivers, Passengers and the general public; and to comply with any applicable law and to assist law enforcement agencies where required by any applicable law.

As part of the processing activities undertaken on behalf of the Customer, we may create derived data containing information derived from the Customer’s data but which does not itself consist of personal data (such as aggregated, anonymised or de-identified data). We may also use anonymous, statistical or aggregated information collected on the Platform, in a form that does not allow a specific user to be identified, by displaying, disseminating, transmitting or otherwise communicating or making available such information to Customers, vendors, partners and any other third parties. For example, GPS information we receive from your Device may be provided to municipalities in an aggregated and/or anonymous form to help improve road safety and solve traffic problems.

We also process usage and analysis information, as well as certain statistical and aggregated data derived from personal data, for the improvement and development of the Surfsight solution, Platform, App, Devices and Portal, or for research purposes.

Websites, customers, contacts and visitors

If you are a Customer, contact or visitor to our websites, we may process your personal data for our own business purposes, including:

  1. To provide our products and services, improve them and develop new functions, products and services. 
  2. To provide information about our company, products and services. 
  3. Providing assistance to customers, invoicing and preparing bills.  
  4. contact you via any communication channel, including e-mail, telephone, SMS and other messaging platforms. 
  5. Analyse and optimise traffic and use of Surfsight websites and solutions. 
  6. Protecting our company, our staff, our customers and our systems. 
  7. online advertising in all its forms and across all channels, including targeting you and others who share similar characteristics to you (lookalikes), online on search engines, websites, applications, messaging platforms, social networking platforms and offline. 
  8. Direct marketing in all forms and through all channels, including email, SMS, courier, postal services, etc. You can always opt-out of direct marketing by unsubscribing using the links in any communication or by contacting us and letting us know.

7. What is the basis for data processing?

Surfsight solution

    1. As data controllers, our Clients often process personal data through the Surfsight solution (and we process such data as a data processor on behalf of our Clients and in accordance with their instructions) for one or more of the following reasons:
    2. Processing is necessary in order to comply with a legal obligation to which the Customer is subject, for example regulations concerning companies with a large fleet of vehicles; 
    3. The processing is necessary for the performance of a contract to which the data subject is a party (for example, an employment and subcontracting contract with our Customer) or to take action at the request of the data subject prior to entering into a contract; 
    4.  The processing is necessary to protect the vital interests of the data subject (such as drivers and passengers) or of another natural person (such as other individuals), for example the right to personal safety when driving or walking alongside traffic, and the right to defend oneself in legal proceedings with relevant evidence; 
    5. The processing is necessary for the performance of a task carried out in the public interest, such as enhancing personal and public safety on the roads, or protecting law enforcement officers and other persons in the performance of their duties; 
    6. Processing is necessary for the purposes of the legitimate interests pursued by our Customer or by a third party, for example: conducting its business; providing its products and services; protecting the safety of its staff, vehicles and other property; protecting itself, its staff and third parties in the event of accidents, legal proceedings and insurance claims; tracking its vehicles and managing its fleets; assigning projects and tasks to remote staff in transit based on employees’ locations; validating attendance at work; supervising professional drivers; route planning; measuring and documenting traffic; etc. 
    7. In some cases, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in our Customer as Data Controller; 
    8. The data subject (Customer, Customer’s representative, User or Driver) has given his/her consent via the Customer’s forms, the Portal, the Device or otherwise (for example by installing the Device in the vehicle him/herself, or by accessing the Portal and the Platform), to the processing of his/her personal data for the specific purposes communicated by the Customer or in this Privacy Policy.

As Data Processor for certain personal data, we process personal data on the basis of instructions from our Customers.

Websites, customers, contacts and visitors

As data controller for the personal data of our Customers, Contacts and Visitors, we process personal data on one or more of the following legal bases:

  1. The data subject has given us his/her consent to process his/her personal data for the specific purposes set out in this policy; 
  2. The processing is necessary for the performance of a contract to which the data subject is a party – for example, an agreement with us or the terms of use of the websites – or in order to take action at the request of the data subject prior to entering into a contract; 
  3. The processing is necessary to protect the vital interests of the data subject or another natural person, for example to protect our Customers and staff;
  4. Processing is necessary to comply with a legal obligation to which we are subject, for example the need to keep billing records for transactions;
  5. Processing is necessary for the purposes of the legitimate interests pursued by us or our Customers, for example the conduct of our business, the development and delivery of our products and services, and the promotion and sale of those products and services. 

8. With whom is your information shared?

Our services sometimes allow our Customers, their Users or you to share information, including personal data, on the basis of your consent or other legal bases, as indicated above. Our Customers, Users or you decide whether to share videos and other data on the Platform, the identity of the recipients and the distribution of the information. For example, the Customer may use the Platform to transfer Videos or Driving Data captured on its Devices to employees of the organisation, insurance companies, law firms, law enforcement agencies, government or municipal authorities, etc. The Customer may also use the Platform to transfer the Videos or Driving Data captured on its Devices to third parties. 

This section deals with the information we share about you with other people.

Surfsight solution

For the provision of our services, we share all User, Device and Platform dataon the Surfsight Platform (which includes identifiable information of Drivers, Passengers and Other Persons) with the Customer who is the Data Controller in respect of that data. This means that your employer has access to and controls all the information we collect about you. We also share the contact details of Customer representatives with all Customer Users and others who may require such contact details, in order to comply with any applicable law. Our Customers may choose to share information with certain of their employees and other organisations and bodies as described above. As described in more detail below, we also use third party processors in connection with the provision of services, including cloud hosting providers, IT and system administration, payment processing, technical support, research and analysis, telecommunications providers and Customer support.

Customers, contacts and visitors

We process your data on our servers and computers, cloud CRM services, support systems and services (such as Freshdesk), billing systems (such as Priority), SMS gateways, email and SMS communication serves (such as Twilio and MailChimp) and backup systems. We may share some of your data with our staff, consultants, resellers, affiliates and other third party business partners for the purposes of research and analysis, cooperation opportunities, joint promotions, sales and events.

Everybody

We use additional processors around the world for various processing activities necessary for the performance of the Surfsight solution, our websites, our other products and services, our operations and our business, and we share information with these processors on an as-needed basis. These processors include hosting and backup providers (such as Amazon Web Services), analytics providers (such as Google and Heap), website technologies (such as WordPress and WordPress plugins), advertising technologies (such as Google), telecommunication services, media delivery services (such as Velia.net), security technologies, and others. We limit the information we share with each processor based on the business need to use that processor, in order to protect your information while efficiently benefiting from that processor’s services. 

We may also share non-personally identifiable information and aggregate information for any purpose. These data are not personal data, and sharing them cannot be used to identify you.

We may share your information with law enforcement agencies, courts and other governmental organisations, if instructed to do so by the relevant agencies and in accordance with applicable law.

Mergers and acquisitions

If we are involved in a merger, sale of assets, financing, liquidation, bankruptcy or acquisition of all or part of our business by another company, we may share your information with that company and its advisers before and after the date of the transaction. 

9. How do we protect your personal data?

We take information security very seriously. We implement industry-standard security controls to prevent unauthorised access, maintain data accuracy and ensure data availability. We also implement appropriate organisational measures to protect your information.

We also apply our security controls when working with business and technology partners. We only select and contract with subcontractors and third parties who use appropriate security measures and offer sufficient guarantees, including technical and organisational measures, to ensure adequate protection of the data we entrust to them. Unfortunately, although we do our utmost to ensure the security of your data, we cannot fully ensure or guarantee the security of your personal information.

You can play a part in securing your personal data. Always lock the vehicle where the Customer’s device is installed. If you are a User, prevent unauthorised access to your Surfsight account and personal data by choosing a strong password and protecting your login details appropriately. Limit access to your computer and mobile device. If you are using the portal, log out when you have finished accessing your account. 

10. Do we transfer personal data internationally?

Most of our information is stored in the cloud on Amazon Web Services in the United States and Europe. Amazon takes extreme measures to ensure data confidentiality and security. To find out more, click here. Our R&D centre and customer support centre are located in Israel.

At the same time, our business is international – we serve Customers who keep track of their vehicles around the world using the Surfsight solution, and we use additional processors and service providers in various countries. As a result, we transfer, store or process your personal information in other countries. We take appropriate security measures in selecting our processors worldwide to ensure that your personal data is well protected. Despite our efforts, it is possible that a country where your personal data is processed may have different, or less protective, data protection and privacy regulations than the country in which you live. 

11. How long do we keep personal data?

We retain the personal data we collect for different periods, depending on the type of information, the length of the contract with our Customers, legal requirements regarding certain types of data and other factors. Generally, we will retain your personal data for as long as is reasonably necessary to fulfil the purposes described in this Privacy Policy or the EULA, unless a longer retention period is required or permitted by law. We will also retain your personal data for as long as necessary to resolve disputes, enforce our rights and agreements, and protect our staff and Customers.

Where permitted, we may de-identify or anonymise your personal data instead of deleting it. In some cases, we may not be able to completely erase, de-identify or anonymise your personal data for technical or operational reasons, for example the erasure of backup storage and archives. In this event, we will take reasonable steps to secure any information still held by us in accordance with our standard data security practices.

Please be aware that our Clients may also retain on their own systems and computers copies of personal data collected through the Surfsight solution, even after we have completed the provision of our services, terminated our contractual relationship, and deleted, de-identified or anonymised any data related to Clients’ accounts on the Platform. Such retention of data by Customers is subject to their privacy policies, purposes, legal bases, agreements with data subjects and any applicable laws. We take no responsibility for the use by Customers of their personal data outside the Surfsight Platform. 

12. What are your rights with regard to your personal data?

If you are a Surfsight user or driver, please contact your employer to exercise any rights you may have, as they are responsible for processing your personal data. Otherwise, please contact us (contact details below).

Depending on the data protection and privacy regulations in force in your country, you may have certain rights regarding your personal information.

If you are a resident of the European Union, your rights may include, under certain conditions set out in the EU General Data Protection Regulation (GDPR) or any other applicable law:

After deletion or anonymization of your personal data following its retention period, the rights to access, erasure, rectification, and data portability cannot be enforced.

If you are a resident of the state of California:

To exercise your rights, please contact us either by email or mail in accordance with the Contact Us section below.  Please note that we must verify any requests pursuant to this section to ensure the individual making such request is authorized to exercise such rights. Therefore, you must submit your name and email address, as well as confirm access to such email address, in order for us to process your request.  We will comply with the applicable data protection laws and the exercising of your rights under such laws, however please note that such rights specified above are not absolute, and exemptions may be applicable. We try to respond to all legitimate requests within one month and will contact you if we need additional information from you in order to honor your request. Occasionally it may take us longer than a month, taking into account the complexity and number of requests we receive.

If your personal data has been submitted to us in connection with our provision of services to a Customer, and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the specific Customer directly. Because we may only respond to a request related to our Customer’s data with such Customer’s permission, if you wish to make your request directly to us, please provide the name of the Customer who submitted your information when contacting us. We will refer your request to that Customer, and will support them as needed in responding to your request within a reasonable timeframe.  If you are an employee of a Customer, we recommend you contact your company’s system administrator for assistance in correcting or updating your information.

Notice to California Residents: We have not sold any personal data to third parties for a commercial purpose in the preceding twelve months.

13. Do we change our privacy policy from time to time?

From time to time, we may amend this Privacy Policy to reflect product and service developments, industry standards or new regulations. Updates to this Privacy Policy will be posted on this URL. 

Please read the latest privacy policy available here from time to time. Note that we may require your consent to our updated EULA and Privacy Policy each time you use our websites, Surfsight solution, devices or portal. If you do not agree with these terms and policy, please do not use our services. If you are a Surfsight user or driver, please check the effect of this decision with your employer. 

14. Who can you contact about your personal data?

If you are a user or driver, please contact your employer first with any questions, as they are the data controller of your personal information. Your organisation’s contact details appear on or around the Device, in the Portal, and in any communication processed via the Platform. If you do not know who your data controller is, please contact our Customer Service department and we will try to determine who the data controller is and pass on your request. 

15. How can you contact us?

If you have any questions or concerns, please contact us at the following address: 

By e-mail: privacy@lytx.com 

By post:

Lytx, Inc.

9785 Towne Centre Drive 

San Diego,

California 92121USA 

General Data Protection Regulation (GDPR) - European Representative

In accordance with Article 27 of the General Data Protection Regulation (GDPR), Lytx has appointed the European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact the EDPO if you have any questions about the GDPR : 

UK General Data Protection Regulation (GDPR) - UK Representative

In accordance with Article 27 of the UK GDPR, Lytx has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK if you have any questions about the UK GDPR: 

If you have any questions or concerns, please contact us at the following address:

By e-mail: privacy@lytx.com 

By post:  

Lytx, Inc.  

9785 Towne Centre Drive 

San Diego,

California 92121USA