Privacy Policy

Effective date: 01.03.2025

This Privacy Policy explains how we process your personal data when you use the DILIZY Management System (hereinafter “DILIZY”), so that you can understand and control how your information is used.

For matters relating to your personal data or to exercise your rights, please contact us using the details provided in the “Final provisions” section below.

DEFINITIONS

  • Data subject — a natural person whose personal data we process;
  • GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Personal data (PD) — any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  • Applicable law — all applicable legislation of the European Union and all applicable legislation of the Republic of Estonia, including, among other things, national acts implementing the GDPR, that are in force at the time this Policy is adopted or that enter into force after its establishment;
  • User or you — a natural or legal person who uses or intends to use DILIZY and the Services;
  • LUXSTEEL or we or Controller — LUXSTEEL OÜ, registration number 12178223, address: Graniidi 1, 10413 Tallinn, Estonia;
  • Database — a database managed by the Controller;
  • Privacy Policy — this document concerning the processing of personal data;
  • Content — works, data, and other materials added to the Database by the Controller or Users;
  • Services — all services offered to Users via DILIZY under the Agreement;
  • Controller — a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of these terms, LUXSTEEL is the controller of personal data;
  • Authorized processor — a natural or legal person, public authority, agency, or other body processing personal data on behalf of the controller;
  • Website — a website created by the User within the Dealer Management System to facilitate the sale and advertising of vehicles;
  • Website user — visitors and/or registered users of the Website.

ROLES IN DATA PROCESSING

Under applicable law, we perform several different roles in relation to Personal Data. To understand your obligations and LUXSTEEL’s obligations, it is important to distinguish between Personal Data controlled by LUXSTEEL and Personal Data controlled by the User.

“PD controlled by LUXSTEEL” means personal data for which WE determine the purposes and means of processing. This Privacy Policy applies only to PD controlled by LUXSTEEL.

“PD controlled by the User” means personal data for which the User determines the purposes and means of processing. In relation to PD controlled by the User, we act as a data processor, service provider, or in a similar role under applicable law. PD controlled by the User includes User Content and the personal data of Website users described in Section 2, which we store and process on behalf of our Users. Our Users instruct us what to do with PD controlled by the User. Users are responsible for ensuring that their collection and processing of PD controlled by the User complies with applicable law.

If you are a User and are looking for contractual provisions regarding how LUXSTEEL will handle and protect PD controlled by the User, please review our Data Processing Addendum (DPA). Below, we explain how we collect and use PD controlled by LUXSTEEL and what rights you have.

If you are a Website user of one of our Users and want to know how that User processes your data, please review that Website’s privacy policy.

1. PERSONAL DATA WE COLLECT

1.1. Information you provide when registering as a User:

Contact data: first name, last name, email address.

User information: username, password (encrypted and securely stored), preferred communication language.

Legal basis for processing: Article 6(1)(b) GDPR, and after termination of the agreement Article 6(1)(f) GDPR.

Retention period: up to 3 years after termination of the agreement (Section 146(1) of the Estonian General Part of the Civil Code Act).

1.2. Information you provide for the provision of the Services and information we collect while providing the Services:

Contact data: first and last name, identification number, email address, phone number, date of birth, tax identification number, photo identity document, and citizenship. For identity verification, we may request a copy of an identity document. This document will be used solely for verification and will not be stored by us. If we use third parties for verification, we will do so only after entering into data processing agreements with them.

User information: username, password (encrypted and securely stored), communication language.

User transaction information: transaction information such as listed/sold vehicles and spare parts (i.e., their photos, description, cost), and, in the case of a vehicle sale, also the vehicle registration number, VIN number, vehicle location, and other vehicle documentation related to insurance, service, etc. Please note that by submitting the VIN number of advertised or managed vehicles in the course of using the Services (e.g., when creating or automatically transferring a listing), you grant DILIZY the right to permanently store the VIN number and use it for analytics and to improve the Services (improving listing quality, transparency, fraud prevention) and to share it for these purposes with third parties to uniquely identify the vehicle. You may only submit valid VIN numbers in the standard format.

IP addresses, preferences, pages visited before entering the Website, browser, network or device information (such as browser type and version, operating system, internet service provider, preference settings, unique device identifiers, language and other regional settings), information about how you interact with the Services and Websites (e.g., timestamps, clicks, scrolling, time spent, searches, transactions, referring pages, load times, and problems encountered while using the Services such as loading errors).

Legal basis for processing: Article 6(1)(b) GDPR, and after termination of the agreement Article 6(1)(f) GDPR.

Retention period: up to 3 years after termination of the agreement (Section 146(1) of the Estonian General Part of the Civil Code Act).

1.3. Information we collect during communications and when publishing feedback:

Information relating to requests and feedback (complaints, questions, suggestions, or other communications): the content of the request and the User’s contact data (first name, last name, email).

Legal basis for processing: Article 6(1)(b) GDPR, and after termination of the agreement Article 6(1)(f) GDPR.

Retention period: up to 3 years after termination of the agreement (Section 146(1) of the Estonian General Part of the Civil Code Act).

1.4. Information we process for advertising and marketing purposes:

Contact data: first and last name, email address.

Legal basis for processing: Article 6(1)(a) GDPR.

Retention period: until consent is withdrawn.

For marketing purposes, we store information about Users who have shown interest in our products or services (but are not yet registered customers) for 12 (twelve) months. This is the typical duration of our marketing campaigns.

1.5. Information collected while processing payment-related data:

Invoice information, such as paid and unpaid invoices with dates, bank account number, etc.

Accounting documents required to comply with a legal obligation.

Legal basis for processing: Article 6(1)(b) GDPR, and after termination of the agreement Article 6(1)(f) or Article 6(1)(c) GDPR.

Retention period: up to 3 years after provision of the service (Section 146(1) of the Estonian General Part of the Civil Code Act) or — for accounting documents — 7 years pursuant to the Estonian Accounting Act (Section 12(4) RAAS).

2. PERSONAL DATA OF WEBSITE USERS

Users who create a Website using DILIZY are responsible for what they do with the personal data of their Website users, which they collect directly or through DILIZY, where they act as controllers in respect of such processing.

a. Your relationship with Website users:

You will collect personal data from your Website users. For example, you may request their name, address, email, and payment information to complete a sale. You may also use cookies and similar technologies to analyze usage and trends.

You are solely responsible for complying with rules relating to collecting and using information about your Website users, including personal data obtained from us or through DILIZY features, cookies, and similar technologies. Please note that you and DILIZY may be independent controllers of certain data (“Independently Controlled Data”). Independently Controlled Data includes information about the interactions of your Website users with your Website, such as IP address, device/browser data, pages visited prior to entering your Website, and browsing activity on your Website. Independently Controlled Data may be collected by the Services through the Website user’s browser and technologies such as cookies. Independently Controlled Data is PD controlled by LUXSTEEL to the extent processed by LUXSTEEL, and PD controlled by the User to the extent processed by you.

You must publish and comply with your own privacy and cookie policies.

We are not responsible for your relationship with your Website users or for how you collect and use their data, and we do not provide legal advice in this regard.

b. Payment information of Website users:

If you integrate your Website with external e-commerce payment operators, the payment data of Website users may be processed by those operators under their terms and policies. We transfer complete payment data of Website users only for the purpose of forwarding it to the selected operators. We do not collect or store the payment data of Website users in relation to such operators.

3. HOW WE USE YOUR PERSONAL DATA

3.1. We process Personal Data for the following purposes:

Provision of the Services: creating and managing an account, providing and personalizing the Services, processing payments, responding to inquiries, etc.

Communication: sending emails about your activity in DILIZY and other Service-related announcements; conducting surveys, contests, and promotions.

Promotion: promoting the Services and sending tailored marketing communications about DILIZY’s (and partners’) products, services, offers, programs, and promotions, and measuring campaign effectiveness.

Advertising: analyzing interactions with the Services and external services in order to tailor advertising to your interests.

Personalization of the Services: providing user-tailored services, including setting language preferences based on location and displaying the correct date and time; we use cookies and similar technologies for this purpose.

Improving the Services: analyzing how the Services are used, developing and improving the Services, and monitoring advertising performance; typically using anonymized, pseudonymized, or aggregated data.

Security: ensuring the security and integrity of the Services.

Third-party relationships: managing relationships with vendors and partners.

Enforcement: enforcing the Terms of Use and other legal policies.

Protection: protecting our and others’ interests, rights, and property (e.g., protecting Users from abuse).

Legal compliance: meeting legal requirements, including AML, tax, and other regulatory obligations.

3.2. We process Personal Data for the above purposes only when:

Consent: you have given explicit consent; you can withdraw it at any time. Basis: Article 6(1)(a) GDPR.

Contract performance: processing is necessary to provide the Services or to take steps prior to entering into a contract. Basis: Article 6(1)(b) GDPR.

Legal obligation: processing is necessary to comply with a legal obligation (e.g., accounting, authority requests). Basis: Article 6(1)(c) GDPR.

AML requirements: processing for anti-money laundering purposes, including customer verification based on identification data and documents.

Legitimate interest: where necessary for our legitimate interests, provided that the rights and freedoms of the data subject do not override those interests. Basis: Article 6(1)(f) GDPR. We retain such data for 3 years after provision of the service.

Market and currency assignment: we use your IP address to determine your country in order to assign the appropriate market, pricing region and currency. IP geolocation is powered by DB-IP (https://db-ip.com).

4. YOUR RIGHTS AS A DATA SUBJECT

  • Right of access — the right to obtain information on whether we hold your Personal Data and what data we process;
  • Right to rectification — the right to request correction of inaccurate, incomplete, or insufficient data;
  • Right to object — the right to object to processing based, for example, on legitimate interests;
  • Right to erasure — the right to request deletion of data, e.g., where consent has been withdrawn;
  • Right to restriction of processing — the right to request restriction of processing when it is no longer needed;
  • Right to withdraw consent — the right to withdraw consent at any time;
  • Right to data portability — the right to receive data you provided to us based on consent or contract in a structured, commonly used format and to transmit it to another controller, where technically feasible;
  • Right to update your data — the ability to change your data in your account or by contacting gdpr@dilizy.ai;
  • Right to lodge a complaint.

The above list is not exhaustive. In some cases, the rights of other data subjects or our legal obligations may limit your rights.

You may also request deletion, anonymization, or export of data in a machine-readable format by sending a request to gdpr@dilizy.ai.

We handle deletion, export, and anonymization requests within 3 (three) business days after confirming the request, unless the law requires further retention of the data. We keep a record of all requests for compliance purposes.

5. DISCLOSURE OF PERSONAL DATA AND PROCESSORS

5.1. We do not disclose Personal Data to third parties unless we have a legal basis to do so.

5.2. Data may be transferred outside the European Union for processing by partners or service providers in third countries. In such cases, we apply appropriate safeguards under EU law, including Standard Contractual Clauses or other mechanisms.

5.3. We may engage authorized processors to process data on our behalf, such as payment providers.

5.4. Authorized processors are our trusted partners and are contractually bound to process data in accordance with applicable law and data processing agreements.

6. DATA SECURITY

6.1. We ensure the security of processing of Personal Data to protect against accidental or unauthorized processing, disclosure, or destruction.

6.2. We take data security very seriously. We use up-to-date technologies and security measures and regularly assess risks associated with processing different categories of data.

6.3. DILIZY provides tools supporting AML compliance. However, each User bears independent responsibility for the legality of their actions, including the accuracy and lawfulness of processing.

7. FINAL PROVISIONS

7.1. Subject to changes in law or practice, we reserve the right to amend this Privacy Policy. The amended text will be published without undue delay. We will notify you of all changes by email.

7.2. If you have questions, comments, or complaints regarding this Policy, or you wish to exercise your rights, please contact us at gdpr@dilizy.ai or by mail at:

LUXSTEEL OÜ

Attention: Legal – Privacy

Graniidi 1, 10413 Tallinn, Estonia

DATA PROCESSING ADDENDUM (DPA)

EFFECTIVE DATE: 01/03/2025

This DILIZY Data Processing Addendum (“DPA”) forms part of and is subject to the DILIZY General Terms (the “Terms”). Capitalized terms not defined in the DPA have the meaning given to them in the Terms and the Privacy Policy.

DEFINITIONS.

Breach means a breach of the Security Measures resulting in access to devices or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Your Controlled Data transmitted, stored, or otherwise processed by LUXSTEEL on your behalf and on your instructions through the Services.

Data subject — a natural person whose personal data we process;

GDPR — Regulation (EU) 2016/679 ... (meaning as above);

Personal data (PD) — any information relating to an identified or identifiable natural person ... (meaning as above);

Applicable law — all applicable EU and Republic of Estonia legislation ... (meaning as above);

User or you — a natural or legal person who uses DILIZY and the Services;

LUXSTEEL or we, us, our or Controller — LUXSTEEL OÜ, registration number 12178223, address: Graniidi 1, 10413 Tallinn, Estonia.

Processor — a person or entity that processes personal data on behalf of the Controller;

Services — all services offered to Users under the Agreement;

Controller — the entity determining the purposes and means of processing PD; for the purposes of these terms, LUXSTEEL is the controller of personal data;

Website(s) — a website created by the User within the Dealer Management System;

Website user(s) — visitors and/or registered users of the Website.

Covered Data — User Content, including without limitation text, photos, images, audio, video, code, and other materials provided to us by you or your Website users.

Security Measures — the technical and organizational security measures applied by LUXSTEEL.

Sub-Processor — an entity engaged by DILIZY to process Your Controlled Data.

Your Controlled Data — any personal data contained in the Covered Data for which you determine the purposes and means of processing and LUXSTEEL acts as Processor on your behalf.

1. SCOPE.

The DPA applies only if and to the extent that LUXSTEEL and the Services process Your Controlled Data on your behalf. The DPA does not apply if: (a) your Covered Data does not include personal data, or (b) data protection laws do not apply to your Covered Data.

You agree that LUXSTEEL is not responsible for personal data that you choose to process outside of the Services or through third-party services.

2. DATA PROCESSING.

2.1. Subject matter: Your Controlled Data.

2.2. Duration: determined by you.

2.3. Purpose: providing the Services initiated by you; as part of this, we may process data to maintain accounts, render Websites, enable transactions, perform analytics, ensure security, debug, and improve the Services.

2.4. Nature of processing: as set out in the Agreement and your use of the Services.

2.5. Type of data: Your Controlled Data relating to you, your Website users, and other individuals included in the Content.

2.6. Categories of data subjects: you, your Website users, and other individuals whose data is included in the Content.

3. ROLES AND ACTIONS.

3.1. You are the Controller and LUXSTEEL is the Processor of Your Controlled Data.

3.2. LUXSTEEL as an independent controller: we may be an independent controller of certain data we control under the Terms and Privacy Policy; this does not create a joint-controller relationship.

3.3. Scope of actions: we process Your Controlled Data to provide the Services in accordance with the configuration of the Services.

3.4. Legal compliance: you ensure lawful collection of data and that your instructions comply with applicable law.

4. OUR OBLIGATIONS.

4.1. We process data only in accordance with the Agreement and the instructions provided within the Services; additional instructions require written consent.

4.2. Breach notification: we will notify you without undue delay of any confirmed Breach requiring notification.

4.3. Notification of complaints/authority requests — where permitted by law.

4.4. Assistance with rights requests — to a reasonable extent.

4.5. We maintain Security Measures; persons with access to data are bound by confidentiality obligations.

4.6. Sub-processors — we may use sub-processors; a list is available upon request; you may raise a substantiated objection.

4.7. Audits — we may engage auditors.

4.8. Audits and information upon request — subject to the procedure described in the DPA; costs are borne by you.

4.9. Compliance questions — we respond to reasonable requests once per year unless law requires more frequent responses.

4.10. Return/deletion of data after termination — as set out in the DPA.

5. DATA TRANSFERS.

You will ensure lawful mechanisms for transfers of data outside the EEA; otherwise, you will not transfer Your Controlled Data outside the EEA.

6. LIABILITY.

The parties’ liability is limited in accordance with the Agreement; you agree to indemnify LUXSTEEL for your violations of law.

7. MISCELLANEOUS.

You bear the costs associated with instructions that go beyond standard functionality.

8. CHANGES TO THE DPA.

We may amend the DPA and publish the current version on the website; continued use constitutes acceptance.