Do not sell my info (California)

Privacy Notice to California Residents

1. Overview

This Notice explains your rights under the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 effective January 1, 2023 (“CPRA”) and other California privacy laws and helps you understand how DiDi collects, stores, uses, shares, and secures your personal information in compliance with the CCPA and CPRA. In this Notice, the terms “DiDi,” “company,” ”us,” “we,” and “our” refer to DiDi Research America, LLC, DiDi USA Inc. and their affiliates and subsidiaries.

2. Who This Notice Applies To

The CCPA and CPRA provide rights to individuals who provide services to the company, including current and former employees; applicants; owners/directors/officers; or contractors; and other individuals who reside in the State of California (“Consumers” or “you”).

Additionally, the CCPA and CPRA protect the personal information you provide DiDi on other individuals, like an emergency contact’s personal information, and the personal information that is necessary to administer benefits to your dependent(s) and spouse.

3. What We Collect and Why

As further described in the table below, the company collects information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with our Consumers (“Personal Information”).

Personal Information does not include publicly available information from government records, deidentified information, or aggregated information. Information excluded from the CCPA’s or CPRA’s scope, including: Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPPA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data. Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA) and the Driver’s Privacy Protection Act of 1994.

In addition, Personal Information does not include information that is created based on activities performed on company assets. You do not have an expectation of privacy or rights under the CCPA with respect to the following:

(1) Information created, collected, or maintained on any technology assets owned, leased, or operated in whole, or in part, by the company. DiDi’s technology assets consist of all electronic devices, software, and means of electronic communication, including but not limited to, computers and workstations, laptop computers, computer hardware, as well as computer software applications, associated files, and data that grant access to services like the Internet, email, phone, voicemail, social media, messaging applications and instant messages. All information created, collected, or maintained by the company’s technology assets are company property and provided to you solely for your use in conducting company business.

(2) The information DiDi collects when monitoring premises, equipment, devices, computers, network, applications, software, or similar company assets and resources, for the purpose of protecting its worksites, employees, and computer systems.

The following chart details the purposes for which we collected Personal Information in the last twelve (12) months, and the categories of information we collected for each purpose:

4. Personal Information DiDi Collected

Recruiting, Hiring, Onboarding, Termination, Or Resignation

· Identifiers

o A real name, IP address, email address, or other similar identifiers.

· Personal Information Categories listed in the California Customer Records Statute (Cal. Civ Code §1798.80(e))

o From our employees and applicants: A name, signature, Social Security Number, address, telephone number, passport number, driver’s license number, insurance policy number, education, employment history, emergency contact information, medical information, or health insurance information.

o From our business contacts (e.g., vendors): Contact information, bank account number, credit card number, or other financial information.

· Characteristics of protected classifications under California or federal law

o Age, race, ancestry, national origin, citizenship, religion, marital status, medical condition, physical or mental disability, sex (including gender identity, pregnancy, childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information.

· Professional or employment-related information

o Current or past job history or performance evaluations.

· Education Information

HR Benefits Management

· Identifiers

o A real name, IP address, email address, or other similar identifiers.

· Personal Information Categories listed in the California Customer Records Statute (Cal. Civ Code §1798.80(e))

o From our employees: A name, signature, Social Security Number, address, telephone number, medical information, or health insurance information.

· Characteristics of protected classifications under California or federal law

· Professional or employment-related information

o Current or past job history or performance evaluations.

· Health Insurance Information

Wage And Payroll Processing

· Identifiers

o A real name, IP address, email address, or other similar identifiers.

· Personal Information Categories listed in the California Customer Records Statute (Cal. Civ Code §1798.80(e))

o From our employees: A name, signature, Social Security Number, address, telephone number, and medical information.

· Characteristics of protected classifications under California or federal law

· Professional or employment-related information

o Current or past job history or performance evaluations.

· Health Insurance Information

· Financial Information

Building and Network Security

· Identifiers

o A real name, IP address, email address, or other similar identifiers.

· Internet or network activity information

· Biometric data

· Audio, electronic, visual, thermal, olfactory, or similar information

Evaluating Leave and Accommodation Requests

· Identifiers

o A real name, IP address, email address, or other similar identifiers.

· Characteristics of protected classifications under California or federal law

· Medical Information

Government Reporting

· Identifiers

o A real name, IP address, email address, or other similar identifiers.

· Characteristics of protected classifications under California or federal law

· Financial Information

Performance Reviews and Goals Monitoring

· Identifiers

o A real name, IP address, email address, or other similar identifiers.

· Professional or employment-related information

o Current or past job history or performance evaluations.

Business Management and Operations

· Identifiers

o A real name, IP address, email address, or other similar identifiers.

· Characteristics of protected classifications under California or federal law

· Health Insurance Information

· Internet or network activity information

· Biometric data

Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.

The company will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without first providing you notice.

5. Where We Get Your Personal Information From

We collect your Personal Information from the following sources:

· You: Primarily, we collect Personal Information directly from you. For example, during the application process or when you sign up for direct deposit or benefits.

· Third parties: When we collect your Personal Information from third parties, it is because you have provided consent either to us or to the third party. To the extent you use third-party websites, the sites may be governed by separate terms of use and privacy policies, which are not under our control and are not subject to this Notice. Please contact the third parties for questions regarding their privacy practices, as well as to exercise your rights.

6. When We Share Your Personal Information

DiDi does not and will not sell your Personal Information to third parties. DiDi may disclose your Personal Information to businesses and service providers in connection with providing the benefits and services the company offers its employees. For example, DiDi may share your Personal Information with applications and services including:

· To fulfill or meet the reason you provided the information. For example, if you share your name, contact information, and resume to be considered for a job posting, we will use that personal information in evaluating your qualifications for that position.

· To respond to inquiries

· To reach out for recruitment purposes.

· Human Resources information systems that help us manage employee data;

· Third party administrators that administer employee benefits;

· Payroll processors; or

· Legal services, including law firms that assist us with personnel immigration.

· To respond to law enforcement requests and as required by applicable law, court order, or government regulations.

· For other legitimate business purposes.

7. What Rights Do You Have Under the CCPA and CPRA

The CCPA and CPRA provide California residents with specific rights regarding their personal information.

Right to Know: You have the right to request that we disclose certain information to you about our collection and use of your personal and sensitive information unless responding to the request is impossible or involves disproportionate effort. Once we receive and confirm your verifiable request, we will disclose to you:

· The categories of personal information and sensitive information we collected about you.

· The categories of sources for the personal and sensitive information we collected about you.

· Our business or commercial purpose for collecting, using and/or disclosing that information.

· The categories of third parties, contractors and service providers with whom we share, sell or disclose that personal information.

· The specific pieces of personal information we collected about you (also called a data portability request).

· If we disclosed your personal information for a business purpose, a list of those disclosures, identifying the personal information categories that each category of recipient obtained.

· Whether your information is sold or shared.

· The retention period or criteria used for retention.

Right to Delete: You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

· Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.

· Help to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes.

· Debug products to identify and repair errors that impair existing intended functionality.

· Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.

· Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.

· Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.

· Comply with legal obligation.

Right to Non-discrimination: You have the right to not be discriminated against for exercising any of your rights under the CCPA or CPRA. Unless permitted by the CCPA or CPRA, we will not:

· Deny you services.

· Provide you a different level of service.

· Discriminate in making employment decisions.

Right to Opt-Out of Sale: You have the right to opt-out of the sale of your persona information to third parties. Please note that we do not sell your personal information.

California’s Shine the Light” law: California's “Shine the Light” law (Civil Code Section § 1798.83) permits users of our website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. Please note we do not share personal information with third parties for their direct marketing purposes.

8. How We Retain Your Personal Information

To the extent permitted by applicable law, DiDi will retain your Personal Information in accordance with its retention schedule, and only for as long as the company believes it is necessary to fulfill the purposes for which it was collected, including for the purpose of meeting any legal, accounting, or other reporting requirements or obligations, and other legitimate and essential business purposes.

9. How Other DiDi Policies & Disclosures Apply to Employees

This Notice is in addition to the policies and disclosures found in the DiDi Labs Employee Handbook. If you are unsure whether this Notice applies to you, please contact your Human Resources representative.

10. Disclaimer

Nothing in this Notice restricts DiDi’s ability to otherwise:

· Comply with federal, state, or local laws;

· Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;

· Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law; or

· Exercise or defend legal claims.

11. Exercising Your Rights

How to make a request: To make a request pursuant to your foregoing rights, please send an email to [email]. You may only make a verifiable request for access or data portability twice within a 12-month period. The verifiable request must:

· Provide enough information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.

· Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We will only use personal information provided in a verifiable request to confirm the requestor’s identity or authority to make the request.

Response Timing and Format: We endeavor to respond to a verifiable request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the verifiable request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

12. Changes to this Notice

This Notice is reviewed and updated annually to ensure it accurately captures our practices and procedures. The effective date of each version of this Notice is identified below. DiDi will notify Consumers of an updated Notice by email and/or DiDi’s internal websites.

13. Resolving Concerns and How to Contact Us

If you have questions or concerns regarding this Notice or the handling of your Personal Information, please contact didilabshr@didiglobal.com or call (650) 336-0832. Alternatively, you may report concerns or complaints, including information about potential data breaches involving Personal Information to the Legal Department at tellusdidilabs@didiglobal.com.

Effective January 1, 2023