UK Privacy Policy
1. INTRODUCTION
Scope
This SambaSafety EU/UK Data Protection and Privacy Notice (this “Notice”) sets out how Safety Holdings, Inc., American Driving Records, Inc., Instructional Technologies, Inc., Collision Management Systems Limited and Samba Holdings Canada Inc. (collectively, “we”, “our”, or “us”) collect, handle, share and use, and otherwise process the personal data, personal information, or personally identifiable information (collectively, “personal data”) of individuals (data subjects) in the circumstances that we have set out below.
This Notice applies to our processing of personal data of data subjects as set out below (collectively, “you”):
- who visit or interact with publicly available sections of our Website (“Website Visitors”);
- who are Personnel at our Business Partners, Service Providers, or Professional Advisors (collectively, “Business Data Subjects”); or
- who receive electronic or postal marketing communications from us (such as if you are Personnel at a potential Customer) (“Prospective Customers”).
Depending on where you are resident, we may be required to process your personal data in accordance with the EU General Data Protection Regulation, the UK General Data Protection Regulation, the Swiss Federal Act on Data Protection, and/or related data protection and e-privacy laws in Europe (such laws, collectively, the "GDPR").
If you are our Professional Advisor, Business Partner, Customer, or Service Provider, please provide this Notice to your Personnel who have dealings with us.
Residents of Europe
If you are resident in Europe, we process your personal data as a controller only when you are a Website Visitor, Business Data Subject, or Prospective Customer. In all other circumstances, we will process your personal data in accordance with the terms of the contract we have with the third party for whom we act as data processor. Notably, we process personal data in connection with our provision of driver risk management or other services as a data processor of the relevant Customer, including Telematics Data and personal data of data subjects who visit or interact with:
- sections of our Website only available to our Customers; and/or
- our mobile applications, including our mobile applications available on Android and iOS platforms.
This Notice shall not apply to the processing of such personal data where we are a data processor. In such cases, if you wish to obtain information about how your personal data is processed, please refer to the notice of the applicable data controller (e.g. your employer or our Customer). More information is set out below in section 10 for residents of Europe.
2. WHAT PERSONAL DATA DO WE PROCESS AND HOW IS IT COLLECTED?
In this section, we set out the types of personal data we may collect and the potential sources of such information. We may also receive any or all the types of personal data referred to in this section from our Affiliates.
What personal data do we collect when you visit publicly available sections of our Website (Website Visitors)?
Personal Data You Provide
You may provide to us (whether by uploading, email, telephone, post or otherwise) the following types of personal data through your use of publicly available sections of the Website, which we may then collect, use, store and/or transfer in accordance with this Notice:
- Contact and Professional Data
- Marketing and Communications Data
- Voluntarily Provided Data
Automatically Collected Personal Data
The following types of personal data may be automatically collected or logged when you access and use publicly available sections of the Website, which we may then collect, use, store and/or transfer in accordance with this Notice:
- Cookie and Technical Data
- Usage Data
What personal data do we collect from individuals who receive electronic or postal marketing communications from us (i.e., Prospective Customers)?
- Contact and Professional Data
- Voluntarily Provided Data
What personal data do we collect from Personnel at our Business Partners, Service Providers, and Professional Advisors (i.e., Business Data Subjects)?
- AML/KYC Data
- Contact and Professional Data
- Government-Issued Data
- Marketing and Communications Data
- Voluntarily Provided Data
Special Categories of Personal Data
We do not generally request any special categories of personal data from you with respect to the data processing activities covered by this Notice (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information concerning health, and genetic and biometric data). However, you may provide these types of personal data to us as Voluntarily Provided Personal Data. We will rely on “conditions” (including explicit consent) provided for in the GDPR to process such special category data.
Criminal Convictions and Offences Personal Data
We do not request any personal data relating to criminal convictions and offences with respect to the data processing activities covered by this Notice. However, such personal data may be provided to us as Voluntarily Provided Personal Data. We will rely on “conditions” provided for in the GDPR to process such criminal convictions and offences data.
Children’s Personal Data
Our Website and our services (including our mobile applications) and the other data processing operations covered by this Notice are not intended for children. We do not knowingly collect personal data from children under the age of 18. Parents or guardians of a child under the age of 18 who believe such child has disclosed personal data to us should contact us using the contact details at Section 12 (How to Contact Us) below. A parent or guardian of a child under the age of 18 may review and request deletion of such child’s personal data as well as prohibit the use thereof. By accessing and using our Website, the users represent that they are at least 18 years of age.
3. HOW WE USE PERSONAL DATA
We set out below the purposes of our data processing activities, the relevant categories of personal data relating to such purposes, and the relevant GDPR legal basis and condition for processing. In certain circumstances, more than one legal basis for processing may be applicable. We provide more detail with respect to each of the legal bases and condition in Schedule 1 to this Notice.
PURPOSE OF DATA PROCESSING: To manage our relationship with our Business Partners, Customers and Service Providers
RELEVANT CATEGORIES OF PERSONAL DATA:
- Contact and Professional Data
- Marketing and Communications Data
GDPR LAWFUL BASIS AND CONDITIONS (WHERE RELEVANT):
- Legitimate Interests (i.e., to grow our business and develop our products/services)
PURPOSE OF DATA PROCESSING: To deliver relevant Website content and measure or understand the effectiveness of the advertising we serve to you
RELEVANT CATEGORIES OF PERSONAL DATA:
- Contact and Professional Data
- Cookie and Technical Data
- Usage Data
GDPR LAWFUL BASIS AND CONDITIONS (WHERE RELEVANT):
- Legitimate Interests (i.e., to grow our business and develop our products/services)
PURPOSE OF DATA PROCESSING: Sending electronic marketing and promotional materials to you in a business-to-business context and enabling you to complete surveys
RELEVANT CATEGORIES OF PERSONAL DATA:
- Contact and Professional Data
- Marketing and Communications Data
GDPR LAWFUL BASIS AND CONDITIONS (WHERE RELEVANT):
- Legitimate Interests (i.e., to grow our business and develop our products/services)
- Consent
PURPOSE OF DATA PROCESSING: Responding to you when you request contact
RELEVANT CATEGORIES OF PERSONAL DATA:
- Contact and Professional Data
GDPR LAWFUL BASIS AND CONDITIONS (WHERE RELEVANT):
- Consent
PURPOSE OF DATA PROCESSING: Managing and protecting our business and our Website, employees and staff from risks and threats, including identifying and preventing virtual threats such as cyber-attacks
RELEVANT CATEGORIES OF PERSONAL DATA:
- Contact and Professional Data
- Cookie and Technical Data
- Usage Data
- Voluntarily Provided Data
GDPR LAWFUL BASIS AND CONDITIONS (WHERE RELEVANT):
- Legitimate Interests (i.e., to prevent fraud and for the proper running of our business)
- Legal Obligation
PURPOSE OF DATA PROCESSING: Complying with legal and regulatory obligations, including:
- maintaining accurate books and records
- facilitating internal and external audits
- conducting internal investigations
- preventing and detecting fraud
- investigating and addressing any complaints, claims, proceedings, or consumer disputes
- responding to requests and directions from Governmental Authorities; and
- seeking advice from Professional Advisors, including legal advice.
RELEVANT CATEGORIES OF PERSONAL DATA:
- Contact and Professional Data
- Cookie and Technical Data
- Usage Data
- Marketing and Communications Data
- Voluntarily Provided Data
GDPR LAWFUL BASIS AND CONDITIONS (WHERE RELEVANT):
- Legal Obligation
Condition for any special category personal data:
- Article 9(2)(a) GDPR (Voluntarily Provided Data)
Condition for any criminal offences personal data (for EU/UK):
- Article 10 GDPR and applicable UK and/or EU member state law
PURPOSE OF DATA PROCESSING: Preparing for and addressing investigations and disputes (including those involving Affiliates, Customers, Business Partners, Service Providers, Professional Advisors, Governmental Authorities and consumers)
RELEVANT CATEGORIES OF PERSONAL DATA:
- All types of data set out in Part A of Schedule 1 to the extent relevant to the investigation or dispute
GDPR LAWFUL BASIS AND CONDITIONS (WHERE RELEVANT):
- Legitimate Interests (i.e., in resolving investigations and disputes)
- Contractual Necessity
- Legal Obligation
- Article 9(2)(a) GDPR (Voluntarily Provided Data)
- Article 10 GDPR and applicable UK and/or EU member state law
If you have provided consent to processing and subsequently withdraw that consent, we may still process your personal data where we have another lawful basis for doing so, provided that you have not expressly asked us to stop processing your personal data in accordance with Section 5.
Where we need to collect personal data by law or under the terms of a contract that we have with you, and you fail to provide that personal data when requested, we may not be able to perform the contract we have with you (for example, to provide access to the Website or our services).
4. SHARING OF PERSONAL DATA
Your personal data may be disclosed both internally and externally to third parties (as set out below) to the extent necessary for us to successfully complete the purposes of the processing as set out in the table above. Specifically, your personal data may be disclosed to our Personnel who have a business need to use such personal data.
We may share your information with the following categories of third parties:
- Affiliates
- Business Partners
- Governmental Authorities
- Professional Advisors
- Service Providers
Please see section 7 below for information on international data transfers.
5. MARKETING
We may send Prospective Customers marketing communications (including newsletters) if they have requested such communications from us or if we are otherwise allowed to do so under applicable law.
If you do not wish to receive marketing information from us, you can opt out by contacting us using the contact details at section 12 below or by clicking the opt-out link in our electronic marketing communications. You cannot opt out of service-related email communications (such as account verification, transaction confirmation, or service update emails).
6. COOKIES
Please refer to our Cookie Policy (available at: https://sambasafety.com/cookies-policy/) for more information about our use of cookies.
7. INTERNATIONAL DATA TRANSFERS
Personal data may be transferred, stored, and accessed within the country or region you are located in, and transferred to, stored in, and accessed from different countries to fulfil the purposes described in this Notice. The recipients of personal data identified under Section 4 (Sharing of Personal Data) may be established in countries outside Europe (such as the United States of America) and such countries may have a different or lower standard of data privacy rights and protections than provided for under the GDPR. Notably, our Website and servers are hosted in the United States by Amazon Web Services.
Where personal data will be transferred outside any country in Europe and where there is not a European Commission/UK/Swiss adequacy decision in place, the transfers will be in accordance with Chapter V of the GDPR, and in line with the recommendations of the European Data Protection Board and/or the UK Information Commissioner’s Office, as applicable. Such transfers will occur subject to the data protection safeguards afforded under the EU Standard Contractual Clauses, Swiss, and/or UK equivalent of such clauses. For more information on the transfer mechanisms used, and/or to obtain a redacted copy of such appropriate safeguards, you may contact us as provided for under Section 12 (How to Contact Us).
8. RETENTION OF PERSONAL DATA
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, regulatory requirements, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. You can contact us about specific retention periods by emailing us at the email addresses set out in section 12 below.
9. USE OF PERSONAL DATA FOR TRAINING AI
We do not use your personal data to research, develop, train and/or otherwise improve our AI tools. Your personal data will not be provided to any providers of general-purpose AI models to improve or train such models.
10. SUPPLEMENTAL INFORMATION
Data controllers
We act as controllers of your personal data.
Lawful basis for processing
Our GDPR lawful bases for processing your personal data are explained in the table in section 3 above.
Your rights
If you are a resident in Europe, you may have the following rights under the GDPR in relation to your personal data:
- request access to your personal data;
- request correction of the personal data that we hold about you;
- request erasure of your personal data;
- object to processing of your personal data;
- request restriction of processing of your personal data;
- request the transfer of your personal data to you or to a third party; and
- withdraw consent at any time where we are relying on consent to process your personal data.
To exercise any of the rights set out above, please contact us using the contact details provided in section 12 below. There are exceptions and exemptions that apply to some of the rights, which we will apply in accordance with the applicable data protection laws. We may need to request specific information from you to help us confirm your identity and your right to access the personal data (or to exercise any of the other rights).
We do not make decisions based solely on automated processing of personal data, including profiling, which produce legal effects concerning individuals or similarly significantly affect individuals. We ensure that such decisions involve meaningful human involvement, and/or consideration of all relevant factors and information regarding the individuals, as appropriate.
In addition to the above rights, you have the right to lodge a complaint with a supervisory authority in your country of residence in Europe.
11. LINKS TO OTHER WEBSITES
Our Website may contain links to other websites. These websites may have separate privacy and data collection practices, independent of our practices, and your use and access to such sites is subject to those terms and policies. We have no responsibility or liability for these independent policies or actions and we are not responsible for the privacy practices or the content of such websites.
12. HOW TO CONTACT US
To ask any questions regarding this Notice, or to exercise any of your rights relative to us, please contact us using the following contact details:
Address:
5445 DTC Parkway, Suite 950 Greenwood Village, CO 80111
Email: dataprivacyoffice@sambasafety.com
13. AMENDMENTS TO THIS NOTICE
This Notice may be revised from time to time. We display a “Last Updated” date at the top of this Notice, so it is clear when there has been a change.
SCHEDULE 1 (DEFINITIONS)
A. TYPES OF PERSONAL DATA THAT WE PROCESS
- Personal data contained in government issued identification documents
- Financial and banking information
- Information relating to political exposure if revealed during AML, KYC, fraud checks, or transaction-related due diligence
- Criminal convictions and offences data if revealed during AML, KYC, fraud checks, or transaction-related due diligence
- First name
- Last name
- Title and position
- Email address (for training services only)
- Physical address
- Telephone numbers (for training services only)
- Date and country of birth
- Country of residence, nationality, and citizenship
- Customer unique identifier (i.e., if You have an employee number assigned by Your employer)
- Our cookie banner and policy sets out details of the cookie and related data which we collect and process.
- Internet protocol (IP) address
- Browser type and version
- Time zone setting and location
- Browser plug-in types and versions
- Operating system and platform
- Authentication and security data
- Information regarding how the Website is used
- Other technology on the devices used to access the Website
- Device identification (ID) to enable push notifications regarding lesson assignment, due dates, and completion status
- U.S. Social Security Number, typically received from Government agencies with only the last four digits
- Driver’s license Number
- Passport number
- National identification number
- Tax identification number
- UK national insurance number. This data may be hashed or pseudo-anonymized in our environment.
- Preferences in receiving marketing from us and third parties
- Communication preferences
- Data about the vehicle in which our telematics device is installed, such as precise geolocation, speed and other driving patterns
- Information about how the Website is used
- Any other personal data provided by you, including “special category” personal data or criminal convictions or offences data.
B. GDPR LAWFUL BASES FOR PROCESSING
You have given specific consent to our processing of your data. Generally, our processing of your personal data in connection with this Notice is not conditional on your consent. However, there may be occasions where we rely on your explicit consent.
We may process personal data to the extent necessary for us to comply with applicable laws.
We may process personal data where you have provided consent for us to do so.
We may process personal data for our legitimate interests as a business or those of a third party where our processing does not prejudice your rights so as to override our legitimate interest. We have provided examples where applicable in section 3.
C. THIRD PARTY DATA SOURCES AND RECIPIENTS
Third party
Affiliates
Description
Refers to our affiliates, subsidiaries, or entities under common management or subject to common control as us.
GDPR STATUS OF THIRD PARTY
Joint controller with our other Affiliates.
Business Partners
Refers to current or prospective business partners with which we undertake commercial, corporate, or other business transactions. Business Partners may include third parties (i) to which we may sell, transfer or merge all or parts of our business or assets; and (ii) from which we acquire, transfer or merge all or parts of their business or assets. These activities may include special, restructuring, and insolvency situations, and any preparatory and diligence activities relating to any of the foregoing.
Independent controller.
Customer
Refers to our current corporate customers to whom we provide our services.
Independent controller.
Governmental Authorities
Refers to governmental authorities in Europe, the US or other countries, including law enforcement agencies, tax authorities, and supervisory authorities, and regulators.
Independent controller.
Personnel
Refers to any director, partner, officer, employee, contractor, staff member or other contact.
Professional Advisors
Refers to current or prospective professional advisors including lawyers, accountants, bankers, auditors, and insurers.
Independent controller.
Service Providers
Refers to current or prospective party providers of services, such as IT services, hosting services, administration services, and other business process and marketing services.
Typically, data processors. However, Service Providers who are independently regulated may be independent controllers. Our primary data-hosting provider is Amazon Web Services (AWS).