(last updated on 24 September 2020)
what3words Limited (“what3words”, “we” or “us”) is committed to protecting your personal data and respecting your privacy.
In respect of the processing activities described in this Policy, what3words Limited of Studio 301 Great Western Studios, 65 Alfred Rd, London, England, W2 5EU, UK, is the data controller.
Please note that in respect of the processing of certain personal data that we receive from Mercedes-Benz AG, Mercedesstrasse 120, 70372 Stuttgart, Germany (“Mercedes-Benz”), we and Mercedes-Benz are joint data controllers as we jointly determine the means and purposes of the relevant processing activities.
This Policy contains much more detail, but we wanted to make you aware of the following key points:
- Information we may collect from you
We may collect and process the following personal data about you:
(A) Mercedes me data
The only way to login to the 3WordAuto app is by using your “Mercedes me connect” account (pursuant to your agreement with Mercedes-Benz) (“Mercedes me”). Once you have logged into the 3WordAuto app by using your Mercedes me account, the following personal data will be shared with us by Mercedes-Benz:
- your Mercedes me login token which allows you to use the 3WordAuto app (the login token is an alphabetical and/or numerical code generated and used by Mercedes-Benz to authenticate your credentials); and
- your Mercedes-Benz car selection (i.e. which Mercedes-Benz car to send the 3 word address to),
(together, “Mercedes me data”).
With respect to the sharing of Mercedes me data by Mercedes-Benz (“Stage 1”) with us and our processing of Mercedes me data in the 3WordAuto app (“Stage 2”), Mercedes-Benz and we are jointly responsible as so-called joint data controllers. Within the scope of such shared responsibility, (i) Mercedes-Benz will ensure compliance with the legal requirements under applicable data protection laws in respect of Stage 1 and we will ensure such compliance in respect of Stage 2; (ii) we will provide you with the information required pursuant to Articles 13 and 14 of the EU General Data Protection Regulation (“GDPR”) in this Policy; and (iii) we will handle your requests should you exercise any of your rights under Articles 15 to 22 GDPR (for more information about your rights, please see Section 7 below).
Purposes for which this data is processed by us
The purposes for which this data is shared with us and processed in our 3Word Auto app are:
- to operate the 3WordAuto app; and
- to provide the 3WordAuto app services to you.
Please note that we do not store your login token or car selection on our servers.
(B) Information you voluntarily provide to us
You may provide us with personal data such as your name and email address and any other information that you choose to give to us when you contact us by phone or email to ask us a question in relation to the 3WordAuto app, to report an issue or for any other reason. We may keep a record of that correspondence and the related personal data for the purposes set out below.
Purposes for which this data is processed by us
The purposes for which this data is processed by us are:
- to communicate with you (e.g., to respond to your request);
- to resolve a dispute or establish, exercise and defend our legal rights; and/or
- nuisance caller management.
(C) Information we collect about you when you interact with the 3WordAuto app
If you use the 3WordAuto app, you will provide us with the relevant 3 word address location that you wish to be navigated to. When you use the voice functionality provided by our what3words voice API in the 3WordAuto app to search a 3 word address location, the audio file containing the 3 word address you said is transcribed to text through automated methods by software provided by our service provider who provides voice recognition technology, Cantab Research Limited, trading as Speechmatics. Speechmatics will send us a text file of the 3 word address (not the audio file). After the audio file is transcribed to text, this audio file will instantly be deleted. If you did not say a correct 3 word address, we do not receive a text file of what you said.
Purposes for which this data is processed by us
The purposes for which this data is processed by us are:
- to operate the 3WordAuto app and send a 3 word address to your Mercedes-Benz car;
- to provide you with most relevant 3 word address search results to send to your Mercedes-Benz car;
- to understand how you and other users of 3WordAuto app interact with the app using technology such as (but not limited to) that provided by Google (e.g. Google Firebase and Google BigQuery) and improve our 3WordAuto app in the long-term. We analyse our customer behaviour as a whole and never on an individual level – this means we produce aggregated figures to measure the performance of our services; and
- (for the audio files only) to permit audio to text transcription through automated methods, after which such files are discarded.
2. Legal basis for processing
In certain jurisdictions, such as those located within the European Union, we are required to establish legal bases to process your personal data. We have identified our legal basis for processing in respect of each of the processing activities set out below:
(A) Sharing and Processing of Mercedes me data
Mercedes-Benz and what3words consider that it is necessary to process Mercedes me data in the 3WordAuto app for the performance of a contract with you or in order to take steps at your request before entering into a contract with you. Without such processing, we would not be able to deliver the 3WordAuto app services to you.
(B) Delivering 3WordAuto
We process the personal data we collect through the 3WordAuto app (as set out in Section 1 (A) above) where it is necessary for the performance of a contract with you (to deliver the 3WordAuto app service to you) or in order to take steps at your request before entering into a contract with you.
(C) Responding to correspondence instigated by you
Where you contact us for any reason, we will process any personal data provided by you for the purposes set out under Section 1(B) above. On balance, we consider that we have a legitimate interest in processing your personal data for those limited purposes, and that it is necessary to do so.
(D) Effectively managing our business and improving the 3WordAuto app
Where we have determined that, on balance, our legitimate interest in using your personal data to better understand how the 3WordAuto app is being used and improve delivery of the 3WordAuto app to you does not outweigh your own rights and freedoms, we rely on legitimate interests as the legal basis for processing that personal data. We will always seek to ensure that any data used for analysis purposes is encrypted and / or aggregated, where doing so would not impact the specific purpose we are trying to achieve.
(E) Legal proceedings
Where we have determined that processing your personal data is necessary for compliance with a legal obligation, or we have a legitimate interest in carrying out the processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms), we may rely on these legal bases for processing that personal data.
3. Disclosure of personal data to third parties
We will only share your personal data with other organisations for the purposes set out above and where we believe that we have a right to do so in accordance with this Policy.
Where we use data processors, we always seek to ensure that they are bound by data processing terms which meet the requirements of applicable data protection legislation and that they only process your personal data upon our instructions.
The following categories of third party may have access to your personal data as a result of your use of the 3WordAuto app:
- a prospective buyer in the event of a sale or purchase of what3words or any of its assets;
- any third party when obliged to do so by law;
- data hosting companies (such as Amazon Web Services);
- providers of data analytics services (such as Google Firebase and Google BigQuery); and
- when you use the voice functionality provided by our what3words voice API in the 3WordAuto app to search a 3 word address location, the audio file containing the 3 word address you said is transcribed to text through automated methods by software provided by our service provider who provides voice recognition technology, Cantab Research Limited, trading as Speechmatics. Speechmatics will send us a text file of the 3 word address (not the audio file); and
- any third party to the extent necessary for the establishment, exercise or defence of legal rights.
With respect to the Mercedes me data, this will be shared with us by Mercedes-Benz as set out above. In addition, we will share your personal data with Mercedes-Benz for the purposes set out in Section 1 above.
Mercedes-Benz will have access to your personal data as a result of your use of your Mercedes me account to login to and enable you to use the 3WordAuto app. The audio file containing the 3 word address you said is transcribed to text and delivered by us to your selected Mercedes-Benz car, together with the longitude and latitude coordinates corresponding with the 3 word address.
4. International transfer of personal data
The personal data that we collect from you may be transferred to, and stored in, a country outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who either work for us or for one of our suppliers. Countries outside the EEA may not have laws which provide the same level of protection to your personal data as laws within the EEA. Where this is the case we will put in place appropriate safeguards to ensure that such transfers comply with applicable data protection laws.
5. Keeping information secure
Unfortunately, the transmission of information via the internet is not completely secure. Whilst we cannot guarantee the security of your data transmitted to our 3WordAuto app, and any transmission is at your own risk, we will use strict procedures and security features to try to prevent unauthorised access. For example, we provide HTTPS to ensure communication to/from what3words is securely encrypted. Our systems are protected behind a firewalled VPC, all hosted in London on Amazon infrastructure, and we follow strict internal policies as to our handling of personal data and conduct regular reviews of our infrastructure and server security.
6. How long we keep your personal data
Within the scope of Mercedes-Benz’ and our shared responsibility in respect of the Mercedes me data, Mercedes-Benz and we will ensure independently that the relevant retention related obligations in respect of the Mercedes me data are complied with.
We will only store your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Where you have requested that we delete any personal data we hold on you, we will typically continue to process the data for only a short period of time to allow us to process that request and keep a record of your request. See Section 7 below for further detail.
7. Your rights
We think it is important that you are able to control your personal data. You can exercise your right to prevent processing of your personal data at any time by contacting us at email@example.com.
Under applicable data protection laws, you may be entitled to exercise the following rights:
- The right to access personal data that we hold about you.
- The right to require us to update our records to ensure the data we hold is accurate.
- The right to require us to delete your personal data. There will be instances where this right is restricted, such as where it is necessary to continue to process your personal data for the establishment, exercise or defence of legal claims.
- The right to restrict how we process your data (for example, if you dispute its accuracy, we may restrict its processing until your complaint is resolved).
- The right to require us to transfer your data to another organisation.
- The right to object to data processing. There will be instances where this right is restricted, such as where we have an overriding legitimate ground to continue to process your personal data.
- The right not to be subject to the decision of an automated process, such as profiling, when this would have a legal effect (or similarly significant effect) on you.
Should you wish to exercise any rights in connection with your personal data, please email us at firstname.lastname@example.org
Within the scope of Mercedes-Benz’ and our shared responsibility in respect of the Mercedes me data, Mercedes-Benz and we have agreed that we will handle your requests in the first place should you exercise any of your rights above. However, irrespective of this agreement, you may exercise any of your rights in respect of and against each of us.
We will process any request in line with any local laws and our policies and procedures. We aim to respond to enquiries within 3 working days, but may take up to 30 days to comply with valid requests.
If you want to stop using 3WordAuto, you may do so by removing the 3WordAuto app on your personal device.
In the event that you aren’t happy with our processing of your personal data, we ask that you always seek to get in touch in the first instance so that we can help ease your concerns. However, you also have the right to lodge a complaint about how we process your personal data with the supervisory authority in your country.
Any changes we may make to this Policy will be posted on this page. Where it makes sense because the changes are material, we will notify you by e-mail or in another appropriate manner such as when you next interact with 3WordAuto.
9. Contacting us is easy and we want to hear from you
The following definitions apply in this Policy:
- “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, that decides how and why personal data are processed;
- “personal data” means any information relating to an identified or identifiable natural person;
- “process”, “processing” or “processed” means anything that is done with any personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and
- “processor” means any person or entity that processes personal data on behalf of the controller (other than employees of the controller).