GDPR Compliance

Our Commitment to GDPR Compliance

At DealerM, we are committed to ensuring the privacy and protection of your personal data. We comply with the General Data Protection Regulation (GDPR), which is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area.

This GDPR Compliance page explains how we collect, process, and protect your personal data in accordance with the GDPR. It should be read alongside our Privacy Policy, which provides more detailed information about our data processing activities.

Data Controller Information

DealerM, Inc. is the data controller responsible for processing your personal data. Our contact details are:

DealerM, Inc.
123 Tech Lane
San Francisco, CA 94107
United States
Email: privacy@dealerm.com

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this GDPR Compliance page and our privacy practices. If you have any questions about this GDPR Compliance page, including any requests to exercise your legal rights, please contact our DPO using the details set out below:

Data Protection Officer
DealerM, Inc.
Email: dpo@dealerm.com

Lawful Basis for Processing

Under the GDPR, we must have a lawful basis for processing your personal data. Depending on the specific processing activity, we may rely on one or more of the following lawful bases:

• Consent: You have given clear consent for us to process your personal data for a specific purpose.
• Contract: The processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
• Legal obligation: The processing is necessary for us to comply with the law.
• Legitimate interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.

International Transfers

As a global organization with operations in multiple countries, we may transfer your personal data to countries outside the European Economic Area (EEA). Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by implementing appropriate safeguards, including:

• Using specific contracts approved by the European Commission that give personal data the same protection it has in Europe.
• Transferring data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
• Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US.

Data Retention

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider:

• The amount, nature, and sensitivity of the personal data
• The potential risk of harm from unauthorized use or disclosure of your personal data
• The purposes for which we process your personal data
• Whether we can achieve those purposes through other means
• The applicable legal requirements

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.