This privacy policy will help you understand:

I. How we collect and use your personal data

II. How we use cookies and similar technologies

III. How we delegate process, share, transfer and publicly disclose your personal data

IV. How we protect and store your personal data

V. How you manage your personal data

VI. How we process information about minors

VII. Updates and amendments to this Privacy Policy

VIII. How to contact us

I. How we collect and use your personal data

We will follow the principles of legality, legitimacy and necessity to collect and use your personal data actively provided by you in the process of using the product/service or generated by using the product/service, and obtained from a third party authorized by you, for the following purposes described in this privacy policy, so as to provide you with and optimize our service and protect the security of your account.

Please pay special attention to our bold or underlined content. For sensitive personal data specified in laws and regulations, we will bold and underline such information; For personal data specified in laws and regulations, we will bold the information.

Please understand that with the continuous iteration and update of products/services, the type of personal data we need to collect, the purpose of process, etc. may change. If we use your personal data for any other purpose not set forth in this Privacy Policy, or collect information for a specific purpose for any other purpose, we will notify you in a reasonable manner and obtain your consent again before using it, except for lawful reasons expressly provided by law.

(i). Information from or about you

Scenarios in which our products/services collect and use personal data include:

1. Account Registration and Login

When you login to ROX APP and ROX applet using ROX account, according to the legal requirements of network real name system, if you use your mobile phone number to register APP account, we will collect your mobile phone number and verify whether your identity is true and valid by sending a SMS verification code. When you login to ROX account, we will collect your mobile phone number and SMS verification code so that you can login and use our products and services normally.

If you use your email to register, login or manage your account information, during the registration and login process, we may process the following information: email address, login password, nickname, account ID, region and personal device information. Among them, the email is used for authentication and account binding, the user name and region are used for personal data settings, the account ID is used to uniquely identify your account, and the device information is used for login verification and service security analysis.

You can also use a third-party platform account to register and login to the ROX APP. We will obtain the third-party account information (your profile photo, nickname, mobile phone number) provided by the third party you authorize for quick login. At the same time, we will collect your mobile phone number and SMS verification code, create a ROX account for you and bind it to the third-party account.

When you register and login to your ROX account through ROX WeChat applet, we will obtain your mobile phone number from a third-party platform to verify your identity and facilitate the normal login process and use of our applet.

If you do not want to register and login, you can select the tourist mode to enter the ROX APP or ROX applet to view some content, and you do not need to provide the above information in the tourist mode.

2. Personal Data

You can fill in/supplement/modify your personal information (nickname, profile photo, gender, gender, region, personal profile) on the APP of ROX, and the specific information is subject to the page display. You may complete or change your personal data at your discretion.

When you modify your profile photo, we'll use your camera permission or album permissions/storage permissions for you to take photos or select pictures from your album to upload as your profile photo. When you modify your region, we will invoke your location permission. If you do not agree to our invoking your location permission, you can also manually select to modify the region.

3. User change and management function

You can request to change or unbind the primary user of the current vehicle as needed. If you initiate a change of the primary user, we will process the following information: mobile phone number/email of the original primary user, mobile phone number/email of the new primary user, and vehicle control service password.

After submitting the changes, the system will automatically verify the account status and complete the unbinding and rebinding. If the system detects an exception, the background operator may intervene to process.

After the change is successfully initiated, the new primary user will receive an in-app notification (or email prompt) and complete the confirmation, and then the identity of the primary user will be formally updated. Operators can view the change records in the background, including VIN, original owner user and new owner user information.

Please note that to secure your account and ensure operational compliance:

• Information related to changes in primary users is only visible to authorized personnel;

• We will control the access and operation of key information such as email and VIN, and record relevant operations;

• When the vehicle is still bound to the main user, the current account cannot be cancelled;

• Operational records of main user changes and disassociations will be retained for at least 6 months to meet regulatory and service audit requirements.

If you are unable to operate within the App, you can also contact the staff through the dealer or customer service channel to assist in updating the main user. All changes require authentication and service password confirmation in the system.

4. Invite Friends

If the service is supported in your country and region, you can share a ROX poster or ROX QR code with your friend by clicking on "Account" - "Invite Friend" to invite them to use the ROX App with you. When you save a poster or QR code locally to your device, we'll invoke your album/storage permissions to save the invitation poster or QR code for you.

5. Test Drive

If the service is supported in your country and region, when you reserve a test drive through the official website of ROX, we will collect your name/nickname, mobile phone number, mobile phone verification code, test drive store information and city information to reserve a test drive for you. When you use the reserved test drive function of ROX APP or ROX applet, we will collect your mobile phone number, test drive store information and invoke your location permission to reserve a test drive for you. If you agree to open the location permission, we will automatically select the nearest test drive store for you, or you can manually select the test drive store.

Please understand that if you refuse to provide the above information, you will not be able to complete the scheduled test drive. Please pay special attention. If you reserve our test drive for others, please make sure you have obtained their consent.

You can also choose to go directly to our offline stores for a test drive. Before you experience the test drive activities in the store, you need to provide us with the name, mobile phone number and ID information of the test drive person for signing the test drive agreement and exemption agreement; In order to verify the identity and driving qualification of the test driver, we will ask the test driver to show his/her personal identity card and driving license before the test drive.

You can view and manage your test drive reports via 'Account' - 'Driving Report'.

6. Car purchase service

If the service is supported in your country and region, when you submit and manage a vehicle order or pay a deposit and balance through this App, we will invoke your location permission to collect your license city, sales stores and delivery center information according to the needs of order process, delivery arrangement and after-sales support. We will also process your VIN, name, contact number, ID information (including number and ID photo) Vehicle type and vehicle configuration information and payment record information are used to help you complete the vehicle reservation and provide you with subsequent vehicle delivery services. If you do not agree with us to invoke your location permissions, you can also manually select the city of listing, sales stores and delivery center.

If you choose bank card payment, we will collect your payment information (payer name and bank card account number); If you choose the payment services provided by third-party payment institutions (including WeChat, Alipay, UnionPay, etc., subject to the payment method displayed on the page), we need to share your order number and transaction amount information with these payment institutions to confirm your payment instructions and complete the payment.

When the vehicle is delivered, we will collect the name, mobile phone number, certificate type, certificate number, license plate number and driving license information of the vehicle owner and the equity registrant to determine the vehicle owner and the equity registrant to complete the delivery of the vehicle. If you complete the vehicle handover, we will retain a copy of the handover form and purchase agreement.

As a supplement to the order information, our sales consultant will collect supporting materials such as invoices or ID photos from you; If you are setting up a vehicle user, we will process his name, mobile phone number and ID number; If you set up a vehicle rights holder, we will process his name, mobile phone number and certificate number; In order to achieve battery traceability registration, we will collect and register your VIN, name, ID number and driving license photos.

The above information is filled in by you on your own initiative, or entered with the assistance of your dealer if authorized by you, for the purpose of completing orders and providing service support. Some information will be displayed on this App page, and other information is only used for background process and service management.

All order information will be stored and deployed in the cloud service platform, and security management will be carried out in accordance with applicable laws. We will not use your order data for advertising or promotional purposes.

If you wish to access, correct or delete information relating to an order, you may contact us by contacting us in the manner listed in the "How to Contact Us" section and we will process it in accordance with applicable law.

We will arrange for our staff to contact you and provide services based on the above information provided by you on your own initiative.

7. Real name authentication

If your country and region have the real name system requirements for the car network card, you need to complete the real name certification when your vehicle is delivered. You can complete the real name certification in ROX App or our offline stores. We will collect your name, ID type, valid ID number, ID photo, face information and VIN in accordance with laws and regulations to complete real name authentication for you.

8. Mall Shopping

If the service is supported in your country and region, when you use the ROX App for shopping in the mall, we collect the name, address, mobile phone number of the consignee in order to ship your goods to you. If you purchase goods for others and need to provide their receipt information, please ensure that you have obtained the authorization consent of others. At the same time, our system will generate order information for you, and specify the name of the purchased goods, order number, order creation time, payment method and payment amount. When you have completed your payment, we will collect your payment information.

If you need to issue an electronic invoice, please contact our customer service and provide your email address and invoice header information.

9. Remote Vehicle Management

You can use the ROX App to scan the QR code on the vehicle to activate the ROX on-board system. When you use the "Scan" function, we will invoke your camera permissions. When you activate the ROX on-board system, the vehicle information of your account ID, nickname, profile photo, VIN and license plate number will be used to bind the on-board system, so as to realize the interconnection between ROX and the vehicle for remote control of the vehicle. For personal information processing rules of ROX on-board system, please refer to ROX Connected Vehicle & Services Privacy Policy.

After the binding is completed, you can remotely view your vehicle (such as vehicle model, license plate number, VIN, cumulative mileage, battery power, vehicle position, etc.) when using the ROX APP vehicle control module, and remotely unlock/lock the vehicle, open/close the window, tailgate, air conditioner, perform remote parking, mode switching, car search, etc., which shall be subject to the relevant function interfaces in the App.

For security reasons, you will be required to enter a service password if:

• When entering the vehicle control interface for the first time;

• When vehicle control commands are sent too frequently;

• When the ROX APP is updated/uninstalled and reinstalled, enter the vehicle control interface.

For convenience, you can replace the service password with a fingerprint ID or face ID.

All sensitive information will be subject to your express consent prior to process and will be desensitized or encrypted during use.

If you use functions such as remote control of the vehicle (such as checking the vehicle status and sending control commands) in the App, we will process some information related to your vehicle, including VIN, current status information of the vehicle (such as location, power, door lock status, etc.), remote control operation records (unlocking, air conditioning settings, reservation installation settings, etc.).

If you charge your vehicle, we will record some information related to charging of your vehicle, including charging time, power and other information, which you can view through ROX App.

This information is intended to help you view and operate your vehicle remotely from your phone. Data will be encrypted during transmission to ensure security.

We will only upload and display the current location of your vehicle and will not record your historical driving trajectory.

You can allow vehicle status information to be uploaded in the vehicle by turning on the network service switch. When turned off, we will not receive your vehicle status data, but you will still be able to use some features locally or via Bluetooth connection.

Information related to remote control is stored in our overseas cloud servers. The daily operation and maintenance of the system is managed by a professional team to ensure the normal operation of the service.

10. Charging pile installation service

If the service is supported in your country and region, when you need us to provide you with home charging pile installation service, you need to provide us with your name, installation address, mobile phone number, parking space number (optional), so that our service personnel can install the charging pile for you.

11. Pick-up and delivery service

If the service is supported in your country and region, you can choose our pick-up and drop-off service when your vehicle is being serviced. You need to provide us with your name, license plate number, contact information, pick-up and drop off location so that the staff can contact you and provide you with the pick-up and drop-off service after verifying the vehicle information.

12. Worry-free tires

If the service is supported in your country and region, when you can enjoy the Worry-free tires service, we will share your name, mobile phone number, ID number, VIN and tire DOT code necessary for providing the service with our designated third party Ping An Property and Casualty Insurance Company of China, Shanghai Branch, based on your explicit consent, It is used to cover and settle your claims for the aforementioned tire protection service products with the third-party insurance agency, so as to contact us to provide services in a timely manner when you need them. This information will be used solely for service-related purposes and will be held in strict confidence in accordance with applicable privacy policies. If you do not agree to share the above information, you will not be able to enjoy the service. To learn about the Third Party Privacy Policy, please visit [Ping An Property&Casualty Insurance Official Website personal data Protection Policy] (link: https://hcz-static.pingan.com.cn/base-common/client/index.html#/agreement/protocol?id=85 )。

13. Repair compensation equity services

If you can enjoy the rights and interests of repair compensation in the mall, we will, based on your explicit consent, share your name, mobile phone number, ID number and VIN necessary for providing services with our designated third party, Ping An Property and Casualty Insurance Co., Ltd. Shanghai Branch, for your insurance and claim settlement of the aforementioned repair compensation rights and interests service products in the third party insurance institution, So as to contact us for timely service when you need it. This information will be used solely for service-related purposes and will be held in strict confidence in accordance with applicable privacy policies. If you do not agree to share the above information, you will not be able to enjoy the service. To learn about the Third Party Privacy Policy, please visit [Ping An Property&Casualty Insurance Official Website personal data Protection Policy] (link: https://hcz-static.pingan.com.cn/base-common/client/index.html#/agreement/protocol?id=85 )。

14. After-sales service function

If the service is supported in your country and region, when we provide you with after-sales support and service related to your vehicle, our system may process some of the information related to vehicle status based on the after-sales request submitted by you or your dealer. Please note that C-end users do not submit after-sales applications directly through App, and after-sales service is assisted by authorized dealers.

In the following scenarios, we may process the following information:

Claim process: including VIN, fault description, maintenance personnel information, etc., used to submit maintenance records and warranty requests;

Technical support request: including VIN, vehicle type, mileage, sales area, fault time, fault location and other information, used to help technicians judge the fault situation and provide support suggestions.

The above information is only bound to the ticket and is used to service the process process, and is not directly related to the owner's personal identity information.

Overseas after-sales service related data will be managed by our operation platform and stored in overseas cloud services to ensure system stability and data security. We will retain the data according to business needs, and update or clean up the data after user changes or service completion.

We do not use after-sales information for purposes unrelated to the service, and we do not share your relevant data with third parties, except to fulfill a repair agreement or to meet legal requirements.

15. User Community Services

If the service is supported in your country and region, you can post, comment, like, and share in user community. In order to provide you with these services, we will collect your nickname, account ID, your published and favorite content. You can upload pictures and post text yourself in the community. When you upload pictures, you need to open album/storage permission and camera permission. If you refuse to provide such permission, you will not be able to upload pictures, but it will not affect your use of other functions. If you choose to mark your location when posting, we need to invoke your location permission to use your location information, or you can adjust and mark your location by yourself. When you use the sharing function to share picture information to RedNote or TikTok Platform, we will invoke your storage permission to save the shared pictures locally for you. If you refuse such permission, you will not be able to store pictures, but it will not affect your use of other functions. You can share your information in the user community, but please note that your public information may include your or others' personal data and sensitive personal data. Please carefully consider whether to disclose your or others' relevant information before publishing. If the information you disclose contains information about others, be sure to obtain authorization from others before publishing it.

16. Equity management

When you use the benefits management function, we will collect your benefits that have been enjoyed, and you can manage your benefits through "Account" - "Rights".

17. Medal Wall Management

When you use the Medal Wall management function, we will collect your achievement medal, commemorative medal acquisition status, you can query your medal acquisition status through "Account" - "Medals".

18. Coupons management

When you use the card voucher function, we will collect the use status and validity status of your coupons, service vouchers and gift vouchers, and you can inquire about your medal status through "Account" - "Coupons".

19. Order management

When you use the order management function, we will collect your car purchase orders, goods orders and service orders, and you can manage your orders through "Account" - "My Order".

20. Invite Friends

When you use the Invite Friends feature, we collect the number of successful invitations, number of incomplete invitations, invitation management in progress and ended, invitation posters, and invitation QR codes for you to manage your invited friends.

21. Points Management

When you use the points management function, we collect your points, point details, and point task status for you to understand the points you have earned.

22. Customer service

If the service is supported in your country and region, when you contact us, we collect your mobile phone number, name, and account number to verify your identity. In addition, we may selectively record your communication information with us (including but not limited to text, voice, photos, video, location, etc. sent during communication) and consultation records to help you solve problems.

23. Information push and promotion

We will push you the activity registration information, car purchase information, etc. In order to ensure that you can receive message reminders in time when the ROX APP is closed or in the background, you need to open the notification permissions. You can choose to turn off notification permissions in your mobile device Settings.

In order to give you a better understanding of our products or services, we may from time to time use your name, mobile phone number to send you advertising, promotions and promotional marketing messages inviting you to participate in surveys about our products/services or in member events organized by us. If you do not wish to accept the above information sent to you by us, you can unsubscribe from it by contacting us in the ways listed in the "How to Contact Us" section.

(ii). Permissions Invoked by ROX APP

In order for you to have a better experience using our products/services, our products/services may need to invoke your system permissions. We will pop up a window to remind you that you explicitly agree to our calling these permissions, and we will only invoke these system permissions when necessary for the relevant function or service. The system permissions and scenarios we may invoke are as follows:

1. Location permissions. We will access your location information in the background after you open the location permission, which will be used for automatic selection and posting positioning of ordering licensed cities and test drive stores. If you refuse to open the location permission, the above functions will not be available, but it will not affect your normal use of our other products/services.

2. Camera permissions. After this permission is enabled, relevant functions can be used to take photos, record videos and scan. We only collect photos and videos when you actively click to take photos or record videos. If you refuse to open the camera permission and camera permission, the above functions will not be available, but it will not affect your normal use of our other products/services.

3. Storage/Albums/Media Access permissions. We need to invoke your storage/album permissions when you use local files, save files, invite friends, modify your profile photo, post and upload album pictures, etc. If you need to upload vehicle data, documents or other files, we will request access to pictures or files on your device. Access content only when you choose to upload a file. If you refuse to open storage/album/media access, the above functions will not be available, but it will not affect your normal use of our other products/services.

4. Network permissions. In the iOS system, you can use network permission to communicate with cloud services; In Android system, network permission includes checking network status and changing network connection. When positioning through network status information and distinguishing mobile data network or Wi-Fi network, network status permission is required. If you refuse this authorization, the aforementioned functions will not work properly.

5. Notification permissions. We will push you order status information, activity registration information, car purchase information and so on. If you refuse to enable notification permission, the above functions will not be available, but it will not affect your normal use of our other products/services.

6. Call permissions. When you use the ROX APP and call us on the order page, we may need to enable your call permissions. If you refuse to enable call access, you will not be able to make a consultation call.

7. Facial ID and fingerprint ID: We need to use your facial ID and fingerprint ID permissions for security verification, but we do not directly collect your facial ID and fingerprint ID information, and only obtain the verification results provided by the hardware service provider based on your authorization. If you refuse to enable this permission, you will not be able to replace the input verification of the service password with a face ID or fingerprint ID, but it does not affect your choice of another method. Please note that your face ID and fingerprint ID belong to sensitive personal data. Please read the relevant privacy policy and instructions of the hardware service provider when providing your aforementioned information to the hardware service provider. If you refuse this authorization, the aforementioned functions will not be used normally, but will not affect your normal use of our products and/or services.

You understand and agree that by enabling these permissions, you authorize us to collect and use these personal data to achieve the above scenario functions. You can turn off these authorizations in your phone's settings. After you close the authorization, we will not collect your personal data, nor can we provide you with the above functions corresponding to these authorizations. Your decision to close access will not affect the process of personal data previously performed based on your authorization.

(iii). Exceptions to obtaining your authorized consent

Please understand that according to the provisions of laws and regulations, we do not need your consent to collect and use your personal data when the following legitimate reasons occur:

1. Related to our performance of our obligations under laws and regulations;

2. Necessary to enter into and perform a contract to which you are a party;

3. It is directly related to national security and national defense security;

4. Directly related to public safety, public health and major public interests;

5. Directly related to criminal investigation, prosecution, trial and judgment execution;

6. To protect the essential interests (e.g., life, physical safety) of you or another individual when consent cannot be obtained in a timely manner;

7. Your own personal data disclosed to the public;

8. Collect your personal data from legally disclosed information, such as legal news reports, government information disclosure and other channels;

9. Other circumstances stipulated by laws and regulations.

II. How we use cookies, local storage and similar technologies

(i). Use of Cookies

When you use our services, we may send one or more cookies or anonymous identifiers to your device to collect your preferences, account settings and permissions in order to:

1. Remember your registration, login and access information to facilitate your operation of the system.

2. Timely detect and prevent security risks.

We will not use cookies or similar technology for any purpose outside the scope of this Privacy Policy. You can manage or delete cookies according to your preferences. You can clear all cookies stored in the software, but if you do so, you may need to personally change the user settings at each visit, and the corresponding information you previously recorded will be deleted, which may have a certain impact on the security of the services you use.

(ii). Use of local storage

To enhance your experience with the App, we may save some necessary setup information locally to remember your preferences, account status and function permissions. For example:

• Remember your login status to help you access features more easily;

• Record your preferences in vehicle control, settings adjustment, etc. for next use;

• Identify system anomalies or potential risks to improve App stability and security.

We will not use locally stored information for any purpose outside the scope of this Privacy Policy.

If you want to clear these local storage records, you can clear the data through the operating system or App settings. Please note that after clearing, you may need to login again and reset the relevant preferences, and some services may not run steadily or be available properly as a result.

III. How we delegate process, share, transfer and publicly disclose your personal data

(i). Delegated process

Under certain service scenarios, we may entrust a third party to process your personal data. For companies, organizations and individuals with whom we entrust process of personal data, we will sign strict confidentiality agreements or data process agreements, clarify the responsibilities of both parties, process matters and process purposes, require them to process Personal Information in accordance with our requirements, the requirements of this Privacy Policy and any other relevant confidentiality and security measures, and strictly supervise their personal data processing activities.

(ii). Share

We do not share your personal data with other personal data processors except:

1. Based on laws, regulations, administrative and judicial requirements

Provide your personal data based on mandatory requirements of laws and regulations, administrative and judicial requirements.

2. Sharing with our affiliates

In order for us to work with our affiliates to provide some of our services to you, we share your personal data among affiliates that are subject to unified management and control, subject to the purposes described in this Privacy Policy. If our affiliates change the process purpose of personal data, they will again obtain your authorization.

3. Shared with business partners

Some of our products/services are provided by third parties or at our tips. To implement this part of the functionality you choose, we need to share the information necessary to implement this part of the functionality with third parties.

Some of our services are provided by cooperative agents and dealers. On the basis of your authorization and consent, we will share your name/nickname, mobile phone number (mask process), test drive information and order information with cooperative agents and dealers for our agents and dealers to provide you with test drive and car purchase services.

(iii). Third-party SDKs

Third party SDKs may be included in certain business scenarios, such as when you use our products and/or services using such services provided by a third party through its SDKs, the third party may process your information. In order to maximize the security of your information, we strongly recommend that you review the privacy terms of any third-party SDK services before using them. Please refer to Appendix 1 List of Third Party SDKs for details of the third-party SDKs we access under this Privacy Policy.

(iv). Transfer

We will not transfer your personal data to other companies, organizations or individuals. However, please understand that with the development of our business, we may have mergers, separations, acquisitions and other situations. In such cases, if the transfer of personal data is involved, we will inform you of the name and contact information of the recipient, and ask him to continue to be bound by this privacy policy, otherwise we will obtain your authorization consent again.

(v). Public disclosure

We keep your personal data strictly confidential. We will publicly disclose your personal data only if:

1. With your express consent;

2. Legally-based disclosures: When required by law, legal proceedings, litigation or by a governmental authority, we will protect information security as much as possible in accordance with the law.

(vi). Exceptions to obtaining your authorized consent

We will not obtain your authorized consent to share, transfer or publicly disclose your personal data in the following circumstances:

1. Related to our performance of our obligations under laws and regulations;

2. Necessary to enter into and perform a contract to which you are a party;

3. It is directly related to national security and national defense security;

4. Directly related to public safety, public health and major public interests;

5. Directly related to criminal investigation, prosecution, trial and judgment execution;

6. To respond to a public health emergency or other public incident, or to protect the essential interests (e.g., life, physical safety) of you or another individual when consent cannot be obtained in a timely manner;

7. Your own personal data disclosed to the public;

8. Collect your personal data from legally disclosed information, such as legal news reports, government information disclosure and other channels;

9. Other circumstances stipulated by laws and regulations.

IV. How we protect and store your personal data

(i). Our techniques and measures to protect your personal data

1. Technical and organizational measures:

We have used industry-standard security measures to protect the personal data you provide from unauthorized access, public disclosure, use, modification, damage, or loss. We will take all reasonable and feasible measures to protect your personal data. For example, we will use encryption technology stipulated by the state to ensure the confidentiality of data; We use trusted protection mechanisms to protect our data from malicious attacks; We encrypt the transmission and storage of your sensitive personal data.

We deploy access control mechanisms to ensure that only authorized personnel have access to personal data. We conduct security and privacy training courses to enhance employees' awareness of the importance of protecting personal data. We permit access to personal data only to employees and partners of us and our affiliates who have a need to know such information, and have established strict access control and monitoring mechanisms for this purpose. We also require all personnel who may have access to your personal data to fulfill the corresponding confidentiality obligations.

2. Security Incident Response

If an unfortunate personal data security incident occurs, we will inform you of the basic situation and possible impact of the security incident, the disposal measures we have taken or will take, the suggestions you can independently prevent and reduce risks, and the remedial measures for you in a timely manner in accordance with the requirements of laws and regulations. We will inform you by mail, letter, telephone, push notice and other means. When it is difficult to inform personal data subjects one by one, we will take reasonable and effective ways to publish announcements. At the same time, we will also actively report the disposal of personal data security incidents in accordance with the requirements of regulatory authorities.

3. Special tips

We will do our best to ensure the security of your personal data and use technical means to restrict unauthorized access, use or disclosure of your personal data. Despite the above measures, please understand that due to the limitations of current technology development and various malicious means that may exist, even if we do our best to strengthen security measures, it is impossible to always guarantee 100% security of personal data. Please understand that the system and communication network accessed during the use of ROX and related services may have problems due to factors beyond our control. If our physical, technical or administrative safeguards are breached, resulting in unauthorized access, public disclosure, tampering or destruction of information, resulting in damage to your legitimate rights and interests, we will assume corresponding responsibilities to the extent prescribed by law.

(ii). Storage of your personal data

In accordance with laws and regulations, we store your personal data collected and generated in the course of our operations in China in the People's Republic of China, located in a data center (Shanghai) controlled by us. We will not transmit your personal data abroad without your permission.

For personal data generated by users outside China in the process of using this App service, we will store your personal data collected and generated in the process of operation in your country and region on overseas servers under our control in accordance with the laws and regulations of your country and region.

In general, we retain your personal data only for the period necessary for the purposes described in this Privacy Policy and for the period required by laws and regulations, unless otherwise stipulated by laws and regulations or otherwise authorized by the personal data subject. The storage period of different types of personal data may be different based on different process purposes. Factors that determine the storage period of different types of personal data include: statutory storage period or recommended storage period determined by laws, regulations or other normative guidelines; Necessary time to retain personal data for process purposes; You specify the retention period of the instructions.

If you cancel your account, actively delete personal data or the information exceeds the necessary retention period, we will delete or anonymize your personal data.

V. How You Manage Your personal data

We attach great importance to your attention to personal data, and do our best to protect your rights to query, correct, supplement, delete and withdraw your consent to your personal data, so that you have full ability to protect your privacy and security. In accordance with relevant Chinese laws, regulations and standards, we guarantee that you exercise the following rights on your personal data:

(i). Query and copy your personal account information

You have the right to check your personal data at any time on ROX APP and ROX applet, or you can contact us through the contact information listed in the "How to Contact Us" section to obtain your personal data. Please understand that we may refuse your request to the extent permitted by applicable laws and regulations.

(ii). Correct and supplement your personal data

When you find that the personal data we process about you is incorrect or incomplete, you have the right to correct and supplement it. You can contact us through the contact information listed in the "How to Contact Us" section, or correct and supplement your personal data on the ROX APP by yourself, as follows: Account – Personal Data.

(iii). Modify vehicle user or primary user information

You can initiate a main user change request in the order management or vehicle setup module. In case of operation problems, you can also contact an authorized dealer to assist with process.

(iv). Delete your personal data

You can request us to delete personal data if:

1. If our process of personal data violates laws and regulations;

2. If we collect and use your personal data without your consent;

3. If our process of personal data violates our agreement with you;

4. If you no longer use our products/services, or you cancel your account;

5. If we no longer provide you with products or services.

You can request us to delete personal data through the contact information set out in the "How to Contact Us" section, except for the anonymization process of personal data or otherwise stipulated by laws and regulations. When deleting, you need to be identified and you should specify the specific type of personal data to be deleted. We will respond to your request in accordance with laws, regulations and regulatory requirements.

When you delete information from our service, we may not delete the corresponding information in the backup system immediately, but will delete it when the backup is updated.

(v). Change the scope of your authorization consent or withdraw your authorization

You have the right to grant or revoke your authorization at any time, and if necessary, you can do so through your phone settings.

Please understand that each business function requires some basic personal data to be completed (see "I. What personal data we collect and how do we use it?" for details). When you withdraw your consent or authorization, we can no longer provide you with the services corresponding to the withdrawal of consent or authorization, and will no longer process your corresponding personal data. However, your decision to withdraw your consent or authorization will not affect the previous processing of personal information based on your authorization.

(vi). Account Cancellation

You can apply for account cancellation through ROX APP "Account - Setting - Account Security - Cancel Account", the system will validate whether there is a binding vehicle relationship:

• If the vehicle is not bound, you can directly submit a cancellation application in the App, and all relevant account data will be deleted after cancellation;

• If the vehicle has been bound, in order to ensure service continuity, you need to complete the unbinding before you can log out.

We will respond to your request within 15 working days, subject to compliance with the laws, regulations and regulatory requirements of the country where the vehicle is located. In the event that logout fails, you can contact us by the methods listed in the "How to Contact Us" section.

Please note that after you cancel your account, we will stop providing you with our products/services, delete your personal data or anonymize your personal data, unless otherwise stipulated by laws and regulations or regulatory authorities on the storage time of user information.

(vii). Permission setting and control

If you want to revoke the authorization of some device permissions, you can manage them through the operating system settings. At present, the permissions that this App may invoke include: location permission, camera/camera permission, album/media access permission, notification permission, network permission, face ID/fingerprint identification permission.

After closing the above permissions, the corresponding functions will not be available, but will not affect your normal use of other basic services. Closing permissions does not affect the legality of data processing activities that you have previously completed based on authorization.

(viii). Obtain a copy of your personal data

If you need a copy of your personal data that we collect, you can contact us through the contact information in “How to Contact Us”. We will verify your identity as necessary and submit a copy of personal data to you in compliance with relevant laws and technical feasibility. If you request to transfer your personal data to the personal data processor designated by you and meet the conditions stipulated by the national regulatory authorities, we will provide the means of transfer.

(ix). Respond to your request

For security, we need to verify your identity before processing your request. Identity verification and response process will be completed within 15 working days of receiving your application. If your request is complex or requires too many technical means, we will complete the response process within the response time required by the applicable laws and regulations in the vehicle's location. We do not charge a fee for your reasonable request in principle, but we will charge a fee as appropriate for requests that are repeated multiple times, exceed reasonable limits, or require excessive technical means.

Please understand that we will not be able to respond to your request if:

1. Relevant to the performance of obligations stipulated by laws and regulations by the personal data controller;

2. Directly related to national security and national defense security;

3. Directly related to public safety, public health and major public interests;

4. Directly related to criminal investigation, prosecution, trial and execution of judgments;

5. We have sufficient evidence to show that users have subjective malice or abuse of rights;

6. To protect the essential interests (e.g., life, physical safety) of you or another individual when consent cannot be obtained in a timely manner;

7. Responding to your request will cause serious damage to the legitimate rights and interests of you or other individuals or organizations;

8. Involving trade secrets.

VI. How we process information about minors

We attach great importance to the protection of minors' personal data. Our products and services are primarily for adults and do not knowingly collect personal data about minors. If we find that personal data of a minor has been collected without the prior consent of a verifiable guardian, we seek to delete the relevant information as soon as possible. If you find that we have inadvertently collected personal data from minors, please notify us immediately and we will try to delete the relevant information as soon as possible. For minors' personal data provided with the consent of guardians, we will only process it if permitted by law or when the guardians explicitly consent or are necessary to protect minors.

VII. Updates and amendments to this Privacy Policy

In order to provide you with better service, our products/services will be continuously updated iteratively, and this Privacy Policy will be updated accordingly. However, we will not reduce your rights under past privacy policies without your express consent. We will alert you of updates to relevant content through announcements or other appropriate means before the updated version takes effect.

For major changes, we will notify you in a more significant manner (including but not limited to email, SMS or special prompts on the browsing page to explain the specific changes in the privacy policy). Significant changes referred to in this Privacy Policy include, but are not limited to:

1. Significant changes in our product/service model, such as the purpose of process personal data, the type of personal data process, the way personal data is used, etc;

2. Significant changes in our ownership structure, organizational structure, etc., such as changes in owners caused by business adjustments, bankruptcy mergers and acquisitions, etc;

3. Changes in the main objects of personal data sharing, transfer or public disclosure;

4. Significant changes in your rights to participate in the processing of personal information and the way in which you exercise them;

5. When the responsible department, contact information and complaint channel for handling personal data security change;

6. When the personal data security impact assessment report indicates that there is a high risk.

We will also archive older versions of this Privacy Policy for your review. If necessary, please contact us via the contact information listed in "How to Contact Us".

VIII. How to Contact Us

We have set up a dedicated department for personal data Protection. If you have any questions, opinions or suggestions about this privacy policy, or have any privacy complaints or rights requests, you can contact us at the following ways:

Email of person in charge of personal data protection: privacy-protection@roxmotor.com

Customer service: 400 006 0707

China contact address: Room 03, Floor 07, Building 9, No. 99, Jiangwancheng Road, Yangpu District, Shanghai (Room 03, Floor 08, Nominal Floor).

UAE contact address: Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates.

Generally, we reply within 15 working days after receiving your feedback and verifying your user identity.

If your request involves complex data retrieval, authorization verification or third-party collaborative process, we will complete the process within the time limit required by law and explain the reason for the delay.

Appendix 1: List of third-party SDKs

Name: Baidu Maps SDK

Scope of information collection: equipment information, location information

Purpose: Used to display your city and region

Sensitive Permissions Invoked: Location permissions

Collection method: SDK native collection

Name of the third party: Beijing Baidu Netcom Technology Co., Ltd

Privacy policy or official website link:

https://lbs.baidu.com/index.php?title=openprivacy

Name: WeChat Open SDK

Scope of information collection: equipment information (unified equipment identifier, MAC address), network information, WeChat account information, application information, payment order identifier, payment status

Purpose: Support WeChat login, sharing function and payment function

Sensitive permissions invoked: Network permissions

Collection method: SDK native collection

Name of the third party: Shenzhen Tencent Computer System Co., Ltd

Privacy policy or official website link:

https://support.weixin.qq.com/cgi-bin/mmsupportacctnodeweb-bin/pages/RYiYJkLOrQwu0nb8

Name: Mobile Push SDK

Scope of information collection: device information, network information, account binding information

Purpose of use: message push on mobile terminal device

Sensitive permissions invoked: Network permissions

Collection method: SDK native collection

Name of the third party: Shenzhen Tencent Computer System Co., Ltd

Privacy policy or official website link:

https://privacy.qq.com/document/preview/8565a4a2d26e480187ed86b0cc81d727

Name: APP Alipay Client SDK

Information collection scope: IMEI, IMSI, MAC address, device serial number, hardware serial number, SIM card serial number, ICCID, Android ID, OAID, SSID, BSSID; System settings, system attributes, device models, device brands, and operating systems; IP address, network type, operator information, Wi-Fi status, Wi-Fi parameters, Wi-Fi list; List of software installations.

Purpose: To provide you with payment services

Sensitive permissions invoked: Network permissions

Collection method: SDK native collection

Name of third-party organization: Alipay (China) Network Technology Co., Ltd

Privacy policy or official website link:

https://opendocs.alipay.com/common/02kiq3

Name: Weibo SDK

Scope of information collected: device information, IP address, installed application information

Purpose: Share information to Sina Weibo

Sensitive permissions invoked: None

Collection method: SDK native collection

Name of the third party: Weimengchuang Network Technology (China) Co., Ltd

Privacy policy or official website link:

https://weibo.com/signup/v5/privacy

Name: Huawei Push SDK

Scope of information collection: equipment information, basic application information, network information

Purpose: Provide message push service

Sensitive permissions invoked: Network permissions

Collection method: SDK native collection

Name of third-party organization: Huawei Technologies Co., Ltd

Privacy policy or official website link:

https://developer.huawei.com/consumer/cn/doc/development/HMSCore-G Account ID es/sdk-data-security-0000001050042177

Name: Xiaomi Push SDK

Scope of information collection: device information, network information, application information, push of process notification information in operation

Purpose: Provide message push service

Sensitive permissions invoked: Network permissions

Collection method: SDK native collection

Name of the third party: Xiaomi Technology Co., Ltd

Privacy policy or official website link:

https://dev.mi.com/console/doc/detail?pId=1822

Name: OPPO Push SDK

Scope of information collection: equipment information, basic application information, network information

Purpose: Push notification messages to users

Sensitive permissions invoked: Network permissions

Collection method: SDK native collection

Name of the third party: Guangdong Huantai Technology Co., Ltd

Privacy policy or official website link:

https://open.oppomobile.com/new/developmentDoc/info?id=10288

Name: VIVO Push SDK

Scope of information collection: equipment information, basic application information, network information

Purpose: Push notification messages to users

Sensitive Permissions Invoked: Notification Permissions

Collection method: SDK native collection

Name of the third party organization: Vivo Mobile Communications Co., Ltd

Privacy policy or official website link:

https://dev.vivo.com.cn/documentCenter/doc/366

Name: Bugly SDK

Scope of information collected: crash information, software version, device model

Purpose: Collect APP crash information and solve the flash back problem

Sensitive permissions invoked: None

Collection method: SDK native collection

Name of the third party: Shenzhen Tencent Computer System Co., Ltd

Privacy policy or official website link:

https://privacy.qq.com/document/preview/fc748b3d96224fdb825ea79e132c1a56

Name: UnionPay SDK

Information collection scope: device information (device model, IMSI, IMEI, device hardware serial number, MAC), location information, mobile phone number, application information

Purpose: Provide support for payment business and confirm equipment security

Sensitive permissions invoked: None

Collection method: SDK native collection

Name of the third party: China UnionPay Co., Ltd

Privacy policy or official website link:

https://open.unionpay.com/tjweb/acproduct/list?apiSvcId=3021&index=7

Name: Mobile one-click login SDK

Scope of information collected: mobile phone number mask

Purpose: one-click login of APP mobile phone number

Sensitive permissions invoked: None

Collection method: SDK native collection

Name of third party organization: China Mobile Limited

Privacy policy or official website link:

https://wap.cmpassport.com/resources/html/contract.html

Name: Unicom one-click login SDK

Scope of information collected: mobile phone number mask

Purpose: one-click login of APP mobile phone number

Sensitive permissions invoked: None

Collection method: SDK native collection

Name of Third Party Organization: China United Network Communications Group Co., Ltd

Privacy policy or official website link:

https://opencloud.wostore.cn/authz/resource/html/disclaimer.html?spm=a2c4g.11186623.0.0.41f1633eHxMLkQ&fromsdk=true

Name: Telecom one-click login SDK

Scope of information collected: mobile phone number mask

Purpose: one-click login of APP mobile phone number

Sensitive permissions invoked: None

Collection method: SDK native collection

Name of Third Party Organization: China Telecom Group Co., Ltd

Privacy policy or official website link:

https://e.189.cn/sdk/agreement/detail.do?spm=a2c4g.11186623.0.0.41f1633eHxMLkQ&APPKey=E_189&hidetop=true&returnUrl=

Name: Growth Marketing Kit SDK

Scope of information collection: device information (device model, IMSI, IMEI, device hardware serial number, MAC), application information, developer APP process information

Purpose: Data analysis

Sensitive permissions invoked: None

Collection method: SDK native collection

Name of the third party: Beijing Volcano Engine Technology Co., Ltd

Privacy policy or official website link:

https://www.volcengine.com/docs/6285/72216

Name: Ocean Engine Conversion SDK

Scope of information collection: device information (device model, IMSI, IMEI, device hardware serial number, MAC), application information, developer APP process information

Purpose: Statistical analysis

Sensitive permissions invoked: None

Collection method: SDK native collection

Name of third-party organization: Beijing Juliang Engine Network Technology Co., Ltd

Privacy policy or official website link:

https://open.oceanengine.com/labels/7/docs/1708428054592516

Name: Umeng Statistical Analysis SDK

Information collection scope: device information (IMEI/MAC/Android ID/IDFA/OAID/OpenUDID/G account ID/SIM card IMSI/ICID), location information, network information

Purpose: Data analysis

Sensitive permissions invoked: Network permissions

Collection method: SDK native collection

Name of third-party organization: Youmeng Tongxin (Beijing) Technology Co., Ltd

Privacy policy or official website link:

https://www.umeng.com/page/policy

Name: Umeng Crash Analysis SDK

Information collection scope: mobile phone number, device information (IMEI/MAC/Android ID/IDFA/OAID/OpenUDID/G account ID/SIM card IMSI/ICID), location information, network information

Purpose: APP performance monitoring and crash analysis

Sensitive permissions invoked: Network permissions

Collection method: SDK native collection

Name of third-party organization: Youmeng Tongxin (Beijing) Technology Co., Ltd

Privacy policy or official website link:

https://www.umeng.com/page/policy

Name: RedNote Sharing SDK

Scope of information collected: device information (Android ID/IDFA/operating system, system version, device model)

Purpose: for content sharing

Sensitive permissions invoked: None

Collection method: SDK native collection

Name of the third party: Xingyin Information Technology (Shanghai) Co., Ltd

Privacy policy or official website link:

https://agree.xiaohongshu.com/h5/terms/ZXXY20230525001/-1

Name: TikTok Open Platform SDK

Scope of information collected: device information (Android ID/IDFA/operating system, system version, device model)

Purpose: for content sharing

Sensitive permissions invoked: None

Collection method: SDK native collection

Name of the third party: Beijing Weibo Video Technology Co., Ltd

Privacy policy or official website link:

https://developer.open-douyin.com/docs/resource/zh-CN/dop/operation-standard/service-protocol/douyinsdk_pingtaiyinsizhengce