Privacy policy

This privacy policy sets out how Oxa Autonomy Ltd uses and protects your personal data.

1. Important information and who we are

Privacy policy

Oxa is a global leader in autonomous vehicle (AV) software for industrial and commercial fleets, and was founded in 2014 with a vision of Universal Autonomy - software that enables any vehicle to be self-driving, anywhere, at any time.

This privacy policy gives you information about how the Oxa group collects and uses your personal data, including any data you may provide when you use this website, apply to work with Oxa or if you have seen one of our vehicles.

The Oxa group (Group) is made up of different legal entities: Oxa Autonomy Ltd, Oxa Autonomy (US) LLC and Oxa Autonomy (Canada) Limited. This privacy policy is issued on behalf of the Group so when we mention "Oxa", "we", "us" or "our" in this privacy policy, we are referring to the relevant company in the Group responsible for processing your data. Oxa Autonomy Ltd is the controller and responsible for this website.

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights (paragraph 7), please contact us using the information set out in the contact details section (paragraph 8).

2. The types of personal data we collect and how we use it

Personal data means any information about an individual from which that person can be identified.

A) If you are a visitor to our website and consent to use of our cookies

We collect this data so that we can:

  • Respond to any queries we receive from you.
  • Conduct statistical analysis (e.g. on the use of our website).
  • Operate and improve our website and services.

What we collect:

  • Identity data, including e.g. your name if you fill out our contact form.
  • Contact details, in certain circumstances.
  • Technical data, including internet protocol (IP) address, traffic data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and other communication data which gives us information about how you accessed our website.
  • Usage data including information about how you use our website.

Third party services:

We use some third party services to understand how people use our website. Currently, we use these services;

  • Google Analytics - to track our website traffic. You can find more information and manage or withdraw your consent using Google’s privacy controls
  • LinkedIn Pixel or Insight Tag - to understand LinkedIn marketing activity. You can find out more information and manage or withdraw your consent using LinkedIn’s privacy settings

Lawful basis

The law requires us to have a legal basis for collecting and using your personal data. We rely on the following legal bases:

  • Legitimate interests: we may use your personal data where it is necessary to conduct our business and pursue our legitimate commercial interests, for example to give you the best and most relevant user experience and to help grow our business. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests.
  • Consent: we rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you consent to our Cookies Policy.

B) If you apply to work with Oxa

We collect this data so that we can:

  • Evaluate your suitability for current and future roles.
  • Keep appropriate records in connection with our recruitment.
  • Improve our recruitment process.

What we collect:

  • Identity data including first name, last name, title, date of birth.
  • Contact data including postal address, email address, and telephone numbers.
  • Data about your skills, experience and qualifications.
  • Data about referees and information collected from them.
  • Data from background checks.
  • Aggregate details of ethnicity, gender and age in order to assess whether we are offering opportunities fairly.

Lawful basis

The law requires us to have a legal basis for collecting and using your personal data. We rely on the following legal bases:

  • Legitimate interests: we may use your personal data where it is necessary to conduct our legitimate business interests, for example to suitably review candidates for specific roles. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests.
  • Consent: we rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example for conducting background checks.
  • Legal obligation: for example for equal opportunity monitoring.

C) If you have seen one of our vehicles

Oxa is on a mission to unlock the benefits of self-driving technology to every person and organisation on the planet. We are developing software that will enable autonomous driving for a variety of applications. In order to build safe and effective systems, we rely on a variety of data from a number of sensors, including camera footage.

We work with a number of partners and our vehicles might be collecting data under the instruction of one of these parties. In this case, Oxa might be processing data on behalf of our partner, the data controller. Where Oxa is processing data, the details of this privacy policy should hopefully be informative; however, should you have any further queries, please contact us using the contact information provided in paragraph 8 and we will provide details of the data controller.

We collect this data so that we can:

  • Build safe and effective software that will enable autonomous driving applications, including training AI models to support the same.
  • To understand and improve vehicle behaviour.
  • To comply with our legal obligations.

What we collect:

  • Images from camera footage and other sensors. This may include images of your distinguishing features and/or vehicle number plates.

Lawful basis

The law requires us to have a legal basis for collecting and using your personal data. We rely on the following legal bases:

  • Legitimate interests: we may use your personal data where it is necessary for the development of our legitimate business interests, including for the training and development of our software to enable safe and effective performance. We do not collect personal data in order to identify particular individuals. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests.

Camera/privacy notices on Oxa vehicles inform you when a vehicle might be recording and will point you to a link to further information.

3. Disclosures of your personal data

We may share your personal data where necessary with the parties set out below for the purposes set out in paragraph 2.

  • Business and technical partners, suppliers or subcontractors for the performance of certain contracts.
  • Insurance partners, for the purpose of reviewing road, traffic and weather conditions as input to insurance research and related calculations.
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

4. International transfers

We share your personal data within the Oxa Group. This will involve transferring your data outside the UK to our overseas offices in Canada and the US and to our employees in the EU.

We may transfer your personal data to service providers that carry out certain functions on our behalf.

Whenever we transfer your personal data out of the UK to service providers or within the Oxa Group, we ensure a similar degree of protection is afforded to it by ensuring that the following safeguards are in place:

  • We will only transfer your personal data to countries that have been deemed by the UK to provide an adequate level of protection for personal data; or
  • We will implement similar technical and contractual protections so your personal data has a similar level of protection as it would in the UK or EU.

5. Data security

We have put in place appropriate measures to:

  • prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed; and
  • deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

6. Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) in which case we may use this information indefinitely without further notice to you.

7. Your legal rights

You have a number of rights under data protection laws in relation to your personal data.

You have the right to:

  • Request access to your personal data (commonly known as a "subject access request").
  • Request correction of the personal data that we hold about you.
  • Request erasure of your personal data in certain circumstances.
  • Object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
  • You also have the absolute right to object any time to the processing of your personal data for direct marketing purposes.
  • In certain cases, request the transfer of your personal data to you or to a third party.
  • Withdraw consent at any time where we are relying on consent to process your personal data.
  • Request restriction of the processing of your personal data.

If you wish to exercise any of the rights set out above, please contact us using the contact details provided at paragraph 8 below.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights).

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

8. Contact details

If you have any questions about this privacy policy or about the use of your personal data, or if you want to exercise your privacy rights, please contact us in the following ways:

  • Email address: privacy@oxa.tech
  • Address: Data Protection Officer, Oxa, 8050 Alec Issigonis Way, Oxford Business Park North, Oxford, OX4 2HW

9. Complaints

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.