This Privacy Policy adopts a mixed model of "General Principal Policy + Country-Specific Clauses". The system will automatically identify your country/region through a triple mechanism of [user registration number location + mobile phone number location + IP address], and automatically load the corresponding country-specific supplementary clauses (embedded as a separate link, which you can click to view the full content). You may manually switch your country/region using the "Region Selection" button at the top of the page to access the country-specific clauses for the corresponding version at your discretion. In case of any discrepancy between the Country-Specific Clauses and the General Principal Clauses, the former shall prevail. Please carefully read and understand the entire content of this Policy (including the automatically loaded country-specific clauses), especially the clauses marked in bold. Your use of this APP and related services will be deemed as your full acceptance of this Policy.
When you register an account in, log onto, or use the "AIMA GO" mobile APP (hereinafter referred to as the "APP") and its related services, Chongqing Aima Car Service Technology Co., Ltd. (hereinafter referred to as "we", "Aima", or the "Data Controller") will process your personal data in accordance with this Policy and the applicable country/region-specific supplementary clauses.
We will fulfill our data protection obligations in strict accordance with the applicable privacy laws and regulations of your country/region, including but not limited to the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA) of the USA, Brazil's General Data Protection Law (LGPD), Indonesia's Personal Data Protection Law (PDP Law), Malaysia's Personal Data Protection Act (PDPA), South Africa's Protection of Personal Information Act (POPIA), Turkey's Personal Data Protection Law (KVKK), Saudi Arabia's Data Protection Law, and other regulations that came into effect in 2026.
We are deeply aware of the importance of personal data and will adopt security protection measures commensurate with the risks to ensure that your data remains safe and under control. If you have any questions, you may communicate with us using the contact information for your country/region provided at the end of this Policy.
Registered address: 18 Jinshan Avenue, Dongcheng Sub-district, Tongliang District, Chongqing
Global service hotline: +86 400-882-8890 (service hours: 09:00-18:00 from Monday to Friday (Beijing Time), English service is available)
Universal email address for privacy advisory services: tousushouli@aimatech.com
| Service country/region | Regional representative/contact | Contact information | Time limit for response | How to find the link to country-specific clauses |
|---|---|---|---|---|
| European Union and European Economic Area (EEA) (including Portugal) | AIMA GO EU Representative (compliance representative under Article 27 of GDPR) | E-mail: | If the complaint meets the requirements of the GDPR, we will generally respond to it within one month, or we may extend the time limit for another two months in case of any complex case and we will notify you of such extension | Automatic loading within the APP, path: Me → Privacy Center → EU-Specific Clauses |
| The Americas (California, USA, Canada, etc.) | AIMA GO US Privacy Contact | E-mail: | If the complaint meets the requirements of the CCPA, we will generally respond to it within 45 calendar days, or we may extend the time limit for another 45 days in case of any complex case and we will notify you of such extension | Automatic loading within the APP, path: Me → Privacy Center → Americas-Specific Clauses |
| Asia Pacific, Africa, and the Middle East (Indonesia, Malaysia, South Africa, Japan, Mexico, Saudi Arabia, etc.) | Regional Contact Team of Chongqing Aima Car Service Technology Co., Ltd. | Email: tousushouli@aimatech.com Mailing address: Chongqing Aima Car Service Technology Co., Ltd. Data Protection Officer (Consignee), please specify "data privacy consulting" and the registered account information |
Subject to the time limit prescribed by local laws (for example, the time limit prescribed by South Africa's POPIA is 20 business days, and the time limited prescribed by Indonesia's PDP Law in case of emergency is 3*24 hours) | Automatic loading within the APP based on the country which you are located in, path: Me → Privacy Center → Applicable Country-Specific Clauses |
Personal Data: They mean any information relating to an identified or identifiable natural person ("data subject"), including but not limited to identity information, device data, and location data.
Special Categories of Personal Data: They include information revealing racial or ethnic origin, political or religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation pursuant to the GDPR and regional regulations; in certain scenarios, continuously precise location data may also be deemed to fall within these categories.
Processing: It means any operation performed on personal data, whether by automated means or not, including but not limited to collection, recording, storage, adaptation, retrieval, use, transmission, disclosure and deletion.
Right to Data Portability: It means that a data subject has the right to obtain the personal data he/she has provided and to transmit them to another data controller; and we cannot obstruct such transmission.
Sale/Sharing: As defined under the CCPA/CPRA, a "sale" means the disclosure of personal information for valuable consideration; "sharing" means disclosure to a third party for cross-context behavioral advertising. This APP is not engaged in such practices.
This Policy applies to all personal data processing activities in connection with this APP and related services, covering users in all service regions outside China. It shall apply on a layered basis within the following scope, and country-specific clauses shall be made available through separate links for precise match:
Special Note: If a user's ID and mobile number location are inconsistent, the mobile number location shall prevail for matching the applicable country-specific clauses. For users who have not bound a mobile number, the country-specific clauses will be matched based on the IP address, and users may manually switch and adjust the selection.
We adhere to the principles of legality, fairness, necessity, transparency, purpose limitation and data minimization, and process data on the basis of legal grounds. Any processing beyond the purposes set out below will be carried out only upon obtaining your separate express consent. If there are any supplementary provisions concerning the specific scope of collection and usage scenarios set forth in the applicable country-specific clauses, the applicable country-specific clauses shall prevail.
| Data category | Specific content | Data source | Purpose of processing | Core legal grounds |
|---|---|---|---|---|
| Account and identity data | Mobile number, verification code, username, and profile photo; public information obtained after logging onto any third-party account (Google or Meta); name, ID card No./Passport No., and other real-name information required to be provided for purchasing insurance or trade-in services. | User's registration and login, as well as voluntary submission | Creating and managing accounts, identity authentication, legal real-name registration, and ensuring account security | Contract performance (GDPR 6(1)(b)), and statutory obligation (GDPR 6(1)(c)) |
| Vehicle data | Vehicle identification number (SN/VIN), battery code/ID, vehicle model, operating status (speed and battery level), alert information (movement and vibration alerts), fault code, ride statistical data, battery health information, maintenance records, vehicle SIM card ICCID, and theft-related information. | Binding the APP with an vehicle, and automatic reporting by the on-board device | Binding the APP with the vehicle, remote control (unlocking, vehicle locating), status monitoring, fault alerts, after-sales claims handling, and product optimization | Contract performance (GDPR 6(1)(b)), and legitimate interest (GDPR 6(1)(f)) |
| Location and route data | Real-time/historical precise location (GPS, requiring separate authorization), approximate location (IP address, country/city code), and running routes (starting point, destination, and waypoints). | Collected through the on-board GPS/APP after obtaining the user's authorization | Vehicle location and tracking, route history query, electronic fence alarm, navigation to nearby stores, and regional service optimization | User's consent (GDPR 6(1)(a)); express consent (GDPR 9(2)(a)) is applicable in special scenarios |
| Device and technical data | Device identifiers (Android ID, OAID, IMEI, and MAC address), device model, operating system version, IP address, SIM card IMSI (for network diagnosis), network request logs, crash information, and software installation list (for security detection). | Automatically collected during the course of using the APP | Service stability, troubleshooting, detection of account anomalies, fraud prevention, and compatibility adaptation | Legitimate interest (GDPR 6(1)(f)), and contract performance (GDPR 6(1)(b)) |
| Transaction and contact data | Transaction records, consumption amount, payment method (incomplete card numbers), and order information; email address, delivery address, and contact telephone number. | Order payment, voluntarily submitted by users | Order processing, payment settlement, after-sales service, delivery notifications, and tax compliance | Contract performance (GDPR 6(1)(b)), and statutory obligation (GDPR 6(1)(c)) |
| Content and interaction data | Community comments, activity content, feedback on customer services, uploaded images; age, date of birth, and region provided in personal profile information. | Voluntarily submitted by users | Community interaction, after-sales handling, customer support, and content review | User's consent (GDPR 6(1)(a)) |
| Other auxiliary data | Clipboard information (read only during operation but not stored), acceleration sensor data (for portrait/landscape screen adaptation), and audio information (for self-defined sound effects/future voice control). | Collected when specific functions are triggered | Optimize user experience and realize auxiliary functions | User's consent (GDPR 6(1)(a)) |
1. Information Usage: Based on your device information, authorized location information, browsing history, riding habits, and order information, we may create anonymized user profiles for displaying personalized content recommendations (such as nearby events and popular community posts) and advertisements (such as promotions for accessories and insurance services). For specific requirements on the processing of advertising data, the provisions set forth in the applicable country-specific clauses shall prevail.
2. Right to Control: You may disable the personalized recommendation and advertisement through "Me → Settings → Privacy Settings → Recommendation Management". Once disabled, only general content will be displayed, and your use of core services will not be affected. You have the right to object to data processing for direct marketing purposes at any time, and we will stop such processing immediately.
In accordance with regulations, data processing can be conducted without separate consent under the following circumstances:
We only request device permissions when they are necessary to realize relevant functions. You may manage these permissions at any time through your device's system settings. Disabling certain permissions may affect the availability or functionality of the corresponding features. For countries that have special requirements for permission requests, the applicable country-specific clauses shall apply:
| Permission | Application scenario and purpose | Necessary or not | Effect after disabling |
|---|---|---|---|
| Exact location (GPS) | Vehicle location, route tracking, anomaly alerts, navigation to nearby stores, and Bluetooth pairing assistance | No (the permission to use the core location function needs to be granted) | You will be unable to use location, route tracking, location-based services, and certain Bluetooth pairing processes |
| Bluetooth | Connecting with and controlling the vehicle (unlocking through Bluetooth, and viewing real-time status) | Yes (necessary for using the Bluetooth-based control function) | You will be unable to perform close-range vehicle operations through the APP |
| Camera | Scanning codes to bind vehicles, taking profile photos or posts, and scanning codes for real-name authentication. | No | You will need to enter information manually and will be unable to use the scanning or photo upload functions |
| Storage (Photo album) | Selecting local images when uploading profile photos, posting updates, and submitting feedback | No | You will be unable to select images from your photo album for uploading |
| Notices | Receiving vehicle alarms, fault notifications, system messages, and marketing information (marketing notifications can be turned off separately) | No | You will be unable to receive important service reminders and alert messages in a timely manner |
This APP does not respond to browser-based "Do Not Track" signals. You may limit information tracking through your mobile device settings, but disabling certain technologies may prevent core functions from working properly. For regions, such as the European Union and California, that impose special compliance requirements on the use of Cookies, the applicable country-specific clauses shall apply.
Data will only be shared in the following circumstances and in strict compliance with the principle of minimum necessity; if applicable country-specific laws and regulations impose more stringent restrictions, the corresponding country-specific clauses shall prevail:
| Entity to which data are shared | Sharing content | Sharing purpose |
|---|---|---|
| Affiliates of AIMA Group | Necessary personal data | Business collaboration and service optimization of the Group |
| Dealers | Purchase history and contact information | Localized after-sales service |
| Payment processors | Transaction amount and order number (incomplete card number) | Completing the payment process |
| Cloud service providers | Encrypted vehicle and user data | Data hosting (DPA signed) |
| Government/Regulators | Data required by law (such as data related to recalls) | Fulfilling compliance obligations |
No personal data will be transferred to any third party unless:
We will only publicly disclose your personal data if we have obtained your express consent, or if required by law, judicial proceedings, or mandatory government requests, provided that appropriate security measures are taken.
To ensure the proper functioning of certain features, this APP is equipped with software development kits (SDKs) provided by third-party service providers. We will conduct a prudent assessment of our partners' data security capabilities and compliance qualifications, and enter into data processing agreements with them. Please note that certain SDK providers may act as independent data controllers when processing your data, and their data processing activities will be governed by their own privacy policies and applicable local laws and regulations. The main third-party SDKs are listed below; if a country has special regulatory requirements for SDKs, the supplementary country-specific clauses shall apply:
| Name of SDK | Company | Feature category | Category of personal data collected/processed | Link to privacy policy | Description of data control relationship |
|---|---|---|---|---|---|
| Google Maps SDK | Google LLC | Map and location services | Exact location and rough location | https://policies.google.com/privacy | Joint Controller |
| Firebase Cloud Messaging | Google LLC | Push notification | Device identifiers and APP usage data | https://firebase.google.com/support/privacy | Processor |
| Google Sign-In | Google LLC | Social media account login | Public information (nickname and profile photo) of third-party accounts | https://policies.google.com/privacy | Controller |
| Meta SDK | Meta Platforms Ireland Ltd. | Social media account login/sharing | Public information (nickname and profile photo) of third-party accounts | https://www.facebook.com/privacy/policy/ | Controller |
| Huawei Push Kit | Huawei Mobile Services | Push notification (to Huawei device) | Device identifiers and APP usage information | https://consumer.huawei.com/en/privacy/privacy-policy/ | Processor |
| Crashlytics (Firebase) | Google LLC | APP crash analysis | Device identifiers, crash logs and partial device information | https://firebase.google.com/support/privacy | Processor |
Special Note: For the purpose of ensuring the timely delivery of push notifications, after you have granted notification permissions, certain push SDKs may cause the APP to initiate automatic startup or associated startup. You may manage the automatic startup through your device's system settings (such as "APP Startup Management").
We adhere to the principle of localized data storage and strictly comply with the relevant national data localization requirements in order to ensure compliance with local laws and regulations and meet service performance demands:
| Service country/region | Primary storage location | Cloud service provider | Supplementary description (including localization requirements) |
|---|---|---|---|
| European Union and EEA | Ireland | Huawei Cloud's Ireland Dublin Access Point | No cross-border data transmission within this region, compliance with the GDPR storage requirements, and localized data storage |
| Asia Pacific, Africa and Middle East | Singapore (temporary storage in the region during transfer), Johannesburg in South Africa, Turkey/Saudi Arabia (in preparation) | Huawei Cloud and AWS | Sensitive data in Indonesia and Malaysia are stored within their respective territories. Data in Africa will be transferred to Huawei Cloud's Johannesburg Access Point in South Africa; data in the Middle East will be transferred to Access Points in Turkey/Saudi Arabia. After the completion of transfer, temporary data will be deleted and users will be notified to ensure compliance with the applicable national data localization laws and regulations of each region |
| The Americas | Virginia, USA | Amazon AWS (S3 WORM Compliant Storage), and Alibaba Cloud | In compliance with the CCPA/CPRA and applicable compliance standards in the Americas; no mandatory requirement for local data storage in California |
Data will be retained "for the shortest period necessary to achieve the purposes for which they were collected" or as required by applicable laws and regulations. Upon expiration, the data will be deleted or anonymized. If the laws of the relevant country require a longer retention period, the corresponding country-specific clauses shall prevail:
| Data type | Storage period (determination criteria) |
|---|---|
| Account data | Period of account existence; deleted or anonymized within 180 days upon account deregistration (unless the data are retained as required by laws and regulations) |
| Transaction data | 6 to 10 years upon completion of the transaction (pursuant to local taxation and warranty regulations) |
| Vehicle data | 1 year upon termination of service, or to be extended according to local regulations (for example, 5 years are required under South Africa's POPIA) |
| Location and track data | Generally no more than 30 days; users may manually delete single tracks |
| System Log | 6 months (for safety audit and troubleshooting) |
| Marketing-related data | Until the user's withdrawal of consent/objection to marketing, or when the statutory period expires |
Personal data may be transmitted across borders within the Group or with service providers in strict compliance with the following requirements; if a country has special provisions (such as the localization requirements in Indonesia and Turkey), the corresponding country-specific clauses shall prevail:
| Country/Region to which the requirements apply | Compliance safeguards |
|---|---|
| EU/UK (GDPR) | Transmission to whitelisted countries will be made under the "adequacy decision"; transmission to non-whitelisted countries will be made using the latest version of the EU SCCs and will be subject to a Transfer Impact Assessment (TIA); and binding corporate rules (BCRs) will be signed among Group subsidiaries and approved by the competent regulatory authorities |
| The Americas (CCPA/CPRA, etc.) | Pass the certification under the U.S. Privacy Framework and enter into compliance agreements; the transmission of South American users' data to U.S. Access Points complies with applicable local laws and regulations |
| Asia Pacific, Africa and Middle East | Sensitive data in Indonesia, Malaysia, and other such countries are stored locally within their respective territories; transmission of Brazilian users' data is conducted with ANPD authorization; transmission of South African users' data rely on POPIA adequacy decisions; and standard data processing contracts are signed between Group entities |
Apart from the common rights, users in the EU have the following rights (click the separate link for exclusive clauses for the EU to view detailed information):
Exclusive to users in California, USA (click the separate link for exclusive clauses for the Americas to view detailed information):
Supplementary Provisions for Other Regions in the Americas: We comply with applicable laws and regulations, such as Canada's PIPEDA. Cross-border transmission of personal data to U.S. Access Points are protected by contractual arrangements designed to ensure an adequate level of data protection. In the event of a data breach that is likely to result in significant damage, we will notify affected users and the relevant regulatory authorities in a timely manner.
The following rights shall be exercised in accordance with the applicable laws and regulations of the corresponding country; (click the separate links for exclusive clauses for each country to view detailed information):
Note: (The corresponding clauses will be automatically loaded based on the region you select manually or the system identifies; the specific content is available for viewing via the "Region-specific Clauses" entry on the page. The content of the clauses is dynamically updated in line with the amendment of local laws and business deployment, and we recommend that you review the latest version every six months to ensure timely understanding of the scope of protection for your rights and interests.)
These Supplementary Clauses constitute an integral part of the Privacy Policy, whose formulation and interpretation are strictly compliant with the mandatory laws and regulations of the user's principal place of residence or the place where the Services are provided. There is no substitutional relationship between the clauses for different regions, which could be applied only to their own region with the paramount principle of aligning with the user's actual legal environment. We undertake to establish a continuous legal monitoring mechanism to ensure that these Clauses are dynamically updated in response to the evolution of global privacy legislation.
Note: When you travel across national borders (e.g., a user from the EU traveling to Southeast Asia), the system will prioritize loading the corresponding clauses based on the Service Region you have manually selected. In the absence of such manual selection, the system will temporarily match the regional clauses according to your IP Location. You may make adjustments at any time via the Region Selection button at the top of the page to ensure that the Policy complies with the legal requirements of your current location.
These Clauses are formulated in accordance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and Portugal's Personal Data Protection Act (Lei n.º 58/2019 de 8 de agosto). They apply to users in EU member states and the European Economic Area (EEA), with the supplementary provisions set out as follows:
As a data controller, we strictly adhere to the following principles (consistent with the core principles of the privacy policy of Portugal's AIMA (Agência para a Integração, Migrações e Asilo)):
For the scenarios of monetization through in-app advertising (e.g., accessory promotions and third-party insurance advertisements), the supplementary clauses are set out as follows:
You may request access to our "Records of Data Processing Activities" via the EU region-specific email address (dpo@aimago.eu). The records include the purposes of processing, categories of data involved, types of recipients, and details of transboundary data transfers (if any). We will provide a structured report (e.g., in PDF format) within one month of receiving your request.
The legal foundation of these Clauses is the General Data Protection Regulation (GDPR), integrated with the domestic implementation rules of Portugal's Personal Data Protection Act. As a regulation with direct effect under EU law, the GDPR establishes the highest compliance standards for our business operations within the EU/European Economic Area (EEA).
These Clauses are formulated in accordance with the California Consumer Privacy Act (CCPA/CPRA) of the United States and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). They apply to users in the Americas, with the supplementary provisions set out as follows:
Pursuant to the definitions of "Sale" and "Sharing" under the CCPA/CPRA, the following shall be expressly clarified:
For scenarios involving "the provision of personalized services" (e.g., recommending accessories compatible with your vehicle model, suggesting maintenance services based on your riding habits), the supplementary explanations are set out as follows:
A permanent "Privacy Policy" access entry (in bold blue font) is placed at the top of "Home → Me → Settings" in the APP; a single click will direct you to the version of the Policy tailored to your region. Upon your first registration, you must actively check the box stating "I have read and agreed to the Privacy Policy" to proceed, which ensures your full informed consent.
These Clauses are intended to provide a unified response to the fragmented privacy legal requirements across the Americas, with the core objective of fulfilling the statutory obligations under the U.S. CCPA/CPRA and Canada's PIPEDA.
These Clauses are formulated in accordance with Indonesia's Personal Data Protection Law (PDP Law), Malaysia's Personal Data Protection Act (PDPA) and South Africa's Protection of Personal Information Act (POPIA). They apply to users in the corresponding regions, with the supplementary provisions set out as follows:
For requests for "data access, correction or deletion" submitted, we will respond in accordance with the following time limits:
For multilingual regions including Southeast Asia and the Middle East, the regional clauses are available in 4 languages: English, Indonesian, Malay and Arabic. You may switch the language via the "Region Selection" function to ensure barrier-free understanding. Such regional clauses shall have the same legal effect as the Chinese version; in the event of any ambiguity, the version in the local official language shall prevail.
These Clauses recognize and respect the increasingly stringent and distinct legislative developments across all jurisdictions in this region, and we undertake to implement tailored localized compliance adaptations.
These Clauses apply to users in Vietnam and Thailand, and are intended to meet the increasingly stringent local data protection requirements.
Personal Data Protection Law of the Socialist Republic of Vietnam (Decree No. 13/2023/ND-CP, hereinafter referred to as the PDPL) came into force on Jul. 1, 2023, and all of its provisions shall formally enter into effect on Jan. 1 2026. We will make advance preparations for compliance, with the specific measures set out as follows:
We comply with the provisions of Thailand's Personal Data Protection Act (PDPA), which has entered into full force. In light of the latest amendment developments in 2024, we pay special attention to and undertake to comply with its potential detailed requirements for cross-border data transfer rules.
These Clauses apply to users in countries with notably distinctive regulatory regimes, including the Russian Federation, Turkey, the Republic of Korea, Brazil and Japan.
Pursuant to the Federal Law on Personal Data of the Russian Federation (Federal Law No. 152-FZ), we will comply with the following provisions:
Pursuant to the Personal Data Protection Law of the Republic of Turkey (KVKK, Law No. 6698), we will comply with the following provisions:
These Clauses apply to users in Latin American jurisdictions including Argentina.
Argentina is a pioneer in data protection in Latin America, and its Personal Data Protection Law (Law No. 25,326) has been recognized by the EU as a jurisdiction providing an "adequate level of protection". We will comply with the following provisions:
Note: When you travel across national borders (e.g., a user from the EU traveling to Southeast Asia), the system will prioritize loading the corresponding clauses based on the Service Region you have manually selected. In the absence of such manual selection, the system will temporarily match the regional clauses according to your IP Location. You may make adjustments at any time via the Region Selection button at the top of the page to ensure that the Policy complies with the legal requirements of your current location.