Privacy Notice Test
Version 1
Effective from 01.10.2025
Market: European Market
At Hero MotoCorp Ltd. ("Hero MotoCorp", "we", "us") protecting your privacy and your personal data is a top priority. In this Privacy Notice you will find information on how we process your personal data, the purposes for which your personal data is processed, and the data subject rights you have in this regard.
This Privacy Notice applies to all visitors, users and others (hereinafter referred to as "you" or "your" or "User")
(i) Website- https://www.heromotocorp.com/en-it.html, as well as any other websites we own or operate where this notice is linked.
(ii) Mobile applications (Apps) owned and / or operated by us on which this Privacy Notice is linked; and
(iii) The social media accounts and/or pages that we controls (Together referred as "Sites/Apps").
Should you require additional information beyond what is presented in this Privacy Notice, please do not hesitate to reach out to us using the contact details listed in Section 1 of this Privacy Notice.
PRIVACY NOTICE SCOPE
In this Privacy Notice, we provide you with information in accordance with the requirements of the European & UK General Data Protection Regulation. We also observe the requirements of other national data protection legislation that may apply to the processing of your personal data.
This Privacy Notice contains information on the processing of your personal data (and in addition to the relevant processing as set out below) in relation to our Sites/Apps, with regard to you as a customer and user of Hero MotoCorp products and services, and with regard to you as a business partner as follows:
1. Controller, data protection officer, and representative in the European Union
2. General information on the processing of your personal data
3. Processing of your personal data in relation to Hero MotoCorp Ltd.
4. Storage period
5. Recipients of your personal data
6. Transfer of your personal data to countries outside the European Economic Area
7. Your rights and asserting
8. Personal data of minors
9. Changes to this Privacy Notice
1 CONTROLLER, DATA PROTECTION OFFICER, AND REPRESENTATIVE IN THE EUROPEAN UNION
1.1 Controller
The controller under data protection law decides on the purposes and means of processing your personal data and ensures compliance with the data protection regulations. If multiple controllers decide together the purposes and means of processing, these controllers are jointly responsible for the processing, which is referred to joint controllership.
The following controller processes your personal data:
Hero MotoCorp Limited
Address: The Grand Plaza, Plot No.2, Nelson Mandela Road, Vasant Kunj, Phase II, New Delhi 110070
Fax number: +91-11-46044399
We may also share your personal data with companies who are part of the Hero MotoCorp Group, and other third parties. These companies may process your personal data either as independent controllers, joint controllers or as our processors.
1.2 Data Privacy Office
You can contact our data privacy office if you have any questions about the processing of your personal data by us and other Hero MotoCorp Group companies, acting as joint controllers with us at: privacy-office@heromotocorp.com
1.3 Representative in the European Union
The representative in the European Union serves as a point of contact for you and the relevant authorities on all issues related to the processing of your personal data by us. You can contact our representative in the European Union as follows:
Address: Kronstaudener Weg 1, D-83071 Stephanskirchen
Email: margaret.isaac@herotcg.de
2 GENERAL INFORMATION ON THE PROCESSING OF YOUR PERSONAL DATA
2.1 What Personal Data HMCL collects?
The types of personal data we collect or obtain may vary according to our relationship with you and may include the following:
1 Direct Consumers/End Users/Customers: Name, Number, Email Address, Address, Banking information, Photo, age, gender, Profession, Location, Postal Code, other official identifiers like credit checks, KYC details etc.<
2 Business Partner (including third parties) and Dealer/Distributors (can be an individual or proprietary concern): Name, Number, Email Address, age, occupation, gender, date of birth, Banking information, other official identifiers (such as telephone recordings, Microsoft Teams, Zoom, etc.), details contained in business registration documents, third-party due diligence documents, trade references and credit checks etc.
2.2 Processing of your personal data
When we use the term “personal data” in this Privacy Notice, we mean all information that relates to you. Personal data includes, for example, your name, email address or postal address. Your personal data also includes all data that is linked or relates to you. Data that does not relate to you we shall refer to as non-personal or anonymous data. The data protection regulations and this Privacy Notice do not apply to such data. For example, by processing your personal data, we mean its collection, storage or erasure.
2.3 Legal basis for processing (overview)
We process your personal data only if we can base the processing on a legal basis or if such is lawful in accordance with the applicable data protection regulations, i.e. that the processing is permissible within the scope of the law. In the context of the GDPR, we base the processing of your personal data for the most part on the following legal bases:
The processing of your personal data is necessary for the fulfilment of a contract with you or for the implementation of pre-contractual measures that take place at your request (Article 6 (1) (b) of the GDPR)
You have given us your clear consent to the processing of your personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR).
The processing of your personal data is necessary to fulfil a legal obligation (Article 6 (1) (c) of the GDPR).
The processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of you which require protection of your personal data (Article 6 (1) (f) of the GDPR).
Further information on the processing we undertake and the relevant lawful basis on which we process your personal data, can be found below in this Privacy Notice.
2.4 Personal data we process
We process personal data that you provide to us, that we collect (automatically) or that we receive from third parties.
You are not obligated to provide us with your personal data. However, the processing of certain personal data may be necessary, e.g. to enable us to offer and provide our Sites/Apps or to perform contracts concluded with you as a customer or business partner.
Personal data you provide to us
We process the personal data you provide to us. For example, when you call or contact us and provide us with certain personal data in this way. In relation to our Sites/Apps, you can provide us with further personal data when you select certain settings or configure a solution according to your needs. We collect and process this data to enable you to use our Sites/Apps. If you do not provide us with certain information, the use or functionality of our Sites/Apps may in part stop or be impaired.
Personal data we collect
In relation to our Sites/Apps, we collect certain personal data automatically and process it when you visit our Sites/Apps. This includes, for example, data such as your IP address, certain login data, browsing actions and data that will be processed so that we can technically provide you with our Sites/Apps. We collect this personal data by using cookies, and other similar technologies. Please see our cookie notice here for further details.
Personal data that we receive from third parties
In some cases, we receive your personal data from indirect sources – i.e. not directly from you. This may be the case, for example, if personal data about you is provided to us by third parties. We work with companies that provide services to us and who in turn provide us with personal data about you.
3 PROCESSING OF YOUR PERSONAL DATA IN RELATION TO OUR SITES/APPS
In relation to our Sites/Apps, we will inform you about the processing of your personal data relating to our digital touchpoints
S.no | Processing Activity | Lawful Basis | Justification for Chosen Basis |
---|---|---|---|
(A) Core Purposes (Directly Related to the Service) | |||
1 | Responding to Enquiries & Providing Information 1) To respond to your specific enquiries about our products, services, and offers 2) To provide you with information about vehicle specifications/service features/offer details, pricing, and availability | Performance of Contract (Pre-contractual steps) | Processing is necessary to respond to the individual's specific request for information before they potentially enter into a contract (e.g. vehicle purchase, service agreement). |
2 | Processing Vehicle Orders and Sales 1) To process your vehicle purchase, including order fulfillment, delivery, and payment processing. 2) To manage vehicle registration and related administrative tasks. | Performance of Contract | Processing is essential to fulfill the terms of the contract agreed upon with the customer (e.g., taking payment, arranging delivery, handling registration). |
3 | Managing Test Drive Bookings: 1) To manage and schedule your test drive appointments. 2) To contact you regarding test drive confirmation and follow-up. | Performance of Contract (Pre-contractual steps) | Processing is necessary to manage the test drive service requested by the individual, often as a step towards potentially entering into a purchase contract. |
4 | Providing Customer Support (related to purchase/service) 1) To provide customer support related to vehicle purchases, servicing, and warranties. 2) To address your queries and resolve any issues you may encounter. | Performance of Contract | Processing is necessary to provide support services linked to an existing contract (e.g., purchase agreement, warranty, and service plan). |
5 | Account Management (for accessing services/info) 1) To create and manage your online account for accessing vehicle information and services 2) To enable you to manage your preferences and communication settings. | Performance of Contract | Processing is necessary to provide the online account service requested by the user, enabling access to services or information related to their contract or potential contract. |
6 | Warranty Services 1) To fulfill and manage vehicle warranty services. 2) To process warranty claims and provide related support. | Performance of Contract | Processing is essential to fulfill the obligations under the warranty agreement, which forms part of the purchase contract. |
7 | Vehicle Tracking & Ride Details Service Provisioning To capture and process user location data for providing the core vehicle tracking and ride details service (live location, route history, ETAs) via the mobile app, as requested by the user. | Performance of Contract Consent: For device location access (permissions), or optional/secondary uses (e.g., marketing). | Processing location data is essential to fulfill the service agreement with the user. The service cannot be provided otherwise. |
8 | Document wallet feature for customer convenience. | Legitimate Interests | It is in the legitimate interest of the business to provide a convenient, value-added service to customers. This optional feature enhances the user experience. |
9 | To process and evaluate dealership applications/expressions of interest and communicate with the representative regarding steps towards a potential dealership agreement. | Performance of Contract (Pre-contractual steps) | Necessary for steps taken at the request of the data subject prior to entering into a contract. |
10 | Emergency Contact Details | Legitimate Interests | It is a legitimate interest to ensure the safety and well-being of the customer in an emergency. |
(B) Marketing and Promotional Purposes | |||
1 | Direct Marketing (Offers, Newsletters, Personalized) 1) To send promotional offers, newsletters, and marketing communications about our vehicles and services. (Requires clear opt-in). 2) To send information about special promotions, programs, schemes, offers, new features, and plans on products/services, and other marketing communications that we believe may be of interest to the user. 3) To personalize marketing communications based on user interests and preferences. | Consent | This processing is optional, not essential for the core service, and involves promotional outreach. Freely given, specific, informed, and unambiguous consent is required. |
2 | Marketing Surveys and Feedback (Research Administration) 1) To conduct marketing surveys and gather feedback to improve our products and services, customer research, and internal administrative purposes. | Consent | While feedback can sometimes fall under Legitimate Interests, using it for marketing purposes or broad, non-essential surveys typically requires the individual's explicit agreement. |
3 | Targeted Advertising (Based on behavior/cookies) To display targeted advertisements on our Sites/Apps and other online platforms based on your browsing behavior. (Requires cookie consent). To create lookalike audiences using cookie data & analytics for retargeting audiences. | Cookie Consent | Involves tracking (often via cookies) and profiling for advertising, which requires explicit consent under GDPR and privacy rules (or similar local regulations). |
(C) Sites/Apps and Service Improvement Purposes | |||
1 | Sites/Apps Analytics To analyze campaign performance through attribution modeling, A/B testing, and performance tracking, etc. | Legitimate Interests And potentially Consent for cookies | The business has a legitimate interest in improving its Sites/Apps. Must be balanced against individual rights; transparency and opt-out are crucial. Consent is needed for non-essential tracking cookies. |
2 | Service Improvement (Analyzing feedback) 1) To analyze Sites/Apps usage and improve the user experience. (May rely on legitimate interest with proper transparency). 2) To track Sites/Apps traffic and identify trends. | Legitimate Interests | The business has a legitimate interest in improving its products/services based on general feedback, provided it's done proportionately and respects user rights. |
3 | Security and Fraud Prevention 1) To analyze customer feedback and improve our vehicle offerings and services. | Legitimate Interests | The business and its users have a clear legitimate interest in maintaining security and preventing fraud, which outweighs potential privacy intrusion for necessary security measures. |
(D) Legal and Compliance Purposes | |||
1 | Legal Obligations (Compliance, legal requests) 1) To comply with legal and regulatory requirements. 2) To respond to legal requests and court orders. | Legal Obligation | Processing is necessary to comply with a specific legal requirement imposed on the business (e.g., tax laws, responding to lawful court orders). |
(E) Data Processing by third party vendors/partners | |||
1 | Using third party vendor/supplier/partner services for processing customers data for respective purposes like : 1) Maintaining dealer data including contact details, sales performance etc. 2) Payment processing and invoicing 3) Managing digital platforms and online services 4) Telematics and connected vehicle services 5) Providing IT support, system maintenance, data hosting etc. 6) Customer support services | Legitimate Interests, Performance of Contract | Legitimate Interest: The organization may rely on specialized vendors or partners for certain operational activities (e.g., payment processing, logistics, IT services) where outsourcing is necessary for efficient business operations. This interest is balanced against any potential impact on data principals. Performance of Contract: In many cases, sharing data with third parties is essential to fulfill contractual obligations (e.g., delivering goods, providing customer support, or completing a transaction). This lawful basis ensures data is processed only to meet the terms of the agreement. |
4 STORAGE PERIOD
We shall store your data only for as long as is necessary to achieve the purposes of the processing or for as long as we have a legitimate interest in continuing to store your data. The storage period for your personal data depends in particular on the category of personal data processed and the purpose of the processing. Storage of your data is also considered based on your consent to its storage.
Finally, we take into account statutory storage periods, which may require us to keep your data for a certain period of time. Your data will therefore be stored if this is provided for by the European or national legislator in European Union regulations, laws or other provisions to which we are subject. Corresponding requirements are also found in particular in commercial and tax legislation or derive from the regular statutory limitation periods.
In the event of a legal dispute, we will keep the personal data we need for our legal defense until the conclusion of the proceedings.
For more information on the storage period, please contact us via the contact details to be found under Section 1.2 of this Privacy Notice.
5 RECIPIENTS OF YOUR PERSONAL DATA
5.1 Recipients within the Hero MotoCorp Group
We may share your personal data with other Hero MotoCorp Group companies in certain cases. The processing by these Hero MotoCorp Group companies is regularly carried out on our behalf. The processing of your personal data may also be carried out under the sole controllership of the Hero MotoCorp Group company receiving your data or under the joint controllership of that company with us.
If we share your personal data with other controllers, this will in principle be done only if this is necessary for the performance of a contract with you, if we or the third party have a legitimate interest in this or if you have agreed to this.
Processing of your personal data by another Hero MotoCorp Group company on our behalf is carried out on the basis of a contract for processing data on behalf of a controller within the meaning of the GDPR.
In the case of joint controllership, we shall conclude an agreement on processing under joint controllership. This agreement shall lay down, inter alia, the obligations of the joint controllers in relation to compliance with the requirements of the GDPR. We shall be happy to provide you with the essential elements of this agreement on request. To this end, please contact us using the contact details that can be found in Section 1.2 of this Privacy Notice.
5.2 Recipients outside the Hero MotoCorp Group
In addition to recipients of the Hero MotoCorp Group, we may share your personal data with third parties, in relation to individual processing operations and taking into account the data protection regulations. These third parties include service providers that process your personal data on our behalf and service providers that provide services for us that are associated with the processing of your personal data. The processing of your personal data may also be carried out under the sole controllership of the third parties receiving your data or under the joint controllership of those third parties with us.
If we share your personal data with other controllers, this will in principle only be done if this is necessary for the performance of a contract with you, if we or the third party have a legitimate interest in this or if you have agreed to this.
In connection with the processing of your personal data, we use the following categories of service providers:
IT Service Providers (Data Hosting Providers)
Support (Customer Support)
Lawyers, auditors and tax advisers
We also pass on your data to the authorities and courts, as far as the GDPR or the law of the EU Member States obligates us. Processing of your personal data by third parties on our behalf is carried out on the basis of a contract for processing data on behalf of a controller within the meaning of the GDPR.
In the case of joint controllership, we shall conclude an agreement on processing under joint controllership. We shall be happy to provide you with the essential elements of this agreement on request. To this end, please contact us using the contact details that can be found under Section 1.2 of this Privacy Notice.
6 TRANSFER OF YOUR PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN ECONOMIC AREA
Regardless of where your personal data is processed, the highest priority for us is that the level of protection guaranteed by the GDPR is always ensured.
If we transfer personal data to recipients outside the European Economic Area, we comply with the requirements of Chapter V of the GDPR. If we work with third parties or use service providers that may transfer your personal data to countries outside the European Economic Area, we shall oblige those third parties or service providers to comply with the requirements of Chapter V of the GDPR.
We point out that not all countries outside the European Economic Area have a level of data protection that is recognized as adequate by the European Commission (so-called "adequacy decision"). A list of the countries for which an adequacy decision has been adopted can be found at the following link: Adequacy decisions (europa.eu).
Where an adequacy decision has not been adopted, we conclude the standard contractual clauses adopted by the EU Commission with the recipients of your personal data ((EU) 2021/914 of 4 June 2021 – C (2021) 3972, OJ EU No L 199/31 of 7 June 2021). For transfer to other controllers, we use Module One of these standard contractual clauses and for transfer to our processors we use Module Two. If necessary, in addition to concluding the standard contractual clauses we shall also take additional measures to protect your personal data.
You can ask us for an overview of the recipients in countries outside the European Economic Area and information on the measures we have taken to ensure the level of protection of the GDPR at any time via the contact details specified under Section 1.2 in this Privacy Notice.
7 YOUR RIGHTS AND ASSERTING
If you wish to assert your rights as specified below, you can contact us at any time by contacting our data Privacy office, details in Section 1.2 or click the Data subject access rights form.
7.1 Right to information
You have the right to request confirmation as to whether or not your personal data will be processed. When we process your personal data, you have a right to information about this personal data and certain information required by law. For more information on your right to information, see Article 15 of the GDPR.
7.2 Right to rectification
You have the right to request the rectification of incorrect personal data concerning you without delay. Taking into account the purposes of processing, you have the right to request the completion of incomplete personal data. For more information on your right to rectification, see Article 16 of the GDPR.
We always strive to ensure the accuracy of your personal data. We therefore ask you to notify us immediately of any changes to your data (such as changes in address), so that we can ensure that your personal data is up-to-date.
7.3 Right to erasure
If the legal requirements are met, you may request us to erase your personal data immediately. This shall be the case, in particular, where:
Your personal data will no longer be required for the purposes for which it was collected or otherwise processed;
The processing of your personal data is based on your consent, you revoke this consent and we cannot base the processing on another legal basis;
You have objected to the processing of your personal data on grounds relating to your particular situation and there are no overriding grounds for the processing of your personal data;
If your personal data have been passed on to third parties and we are obligated to erase your personal data, we will inform these third parties about the erasure, insofar as this is required by law.
We would like to point out that your right to erasure is subject to restrictions. For example, we may not erase any personal data that we have to keep further due to legal requirements. Data that we need in order to assert, exercise or defend legal claims are also excluded from your right to erasure. For more information on your right to erasure, see Article 17 of the GDPR.
7.4 Right to restriction of processing
If the legal requirements are met, you may request a restriction on the processing of your personal data. This is particularly the case where:
You contest the accuracy of your personal data. The processing of your data will be restricted for a period enabling us to verify the accuracy of your personal data;
The processing of your personal data is not lawfully carried out and you require a restriction on the use of your personal data instead of the erasure of your personal data;
We no longer need your personal data for the purposes of processing, but you need these data for the establishment, exercise or defense of legal claims;
You have objected to the processing of your personal data on grounds relating to your particular situation, as long as it is not clear whether our legitimate grounds for processing outweigh your grounds.
For more information on your right to restriction of processing, see Article 18 of the GDPR.
7.5 Right to data portability
You have the right to receive the personal data you have provided us and which we process for the fulfilment of the contract, on the basis of your consent or by automated procedures, in a structured, customary and machine-readable format. You also have the right, in the event that the aforementioned conditions are met, that we transmit these data directly to a third party, insofar as this is technically feasible. For more information on your right to data portability, see Article 20 of the GDPR.
7.6 Withdrawal of consent
If you have given your consent to the processing of your personal data, you can revoke it at any time with effect for the future. The lawfulness of the processing of your data up until revocation remains unaffected. You can manage your consent by clicking here.
7.7 Right to object to data protection authorities
If you consider that the processing of your personal data violates applicable data protection laws, you may lodge a complaint with a data protection supervisory authority, in particular the data protection supervisory authority at your location, place of work or place of alleged infringement.
7.8 Right to object to processing
Right to object to the processing of your personal data during processing based on our legitimate interests
Insofar as we process data on the basis of a legitimate interest, you can object to the processing at any time for reasons that arise from your particular situation. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. We assume that, in the course of processing on the basis of a legitimate interest, we can normally prove such compelling legitimate grounds for protection, but we examine and evaluate each objection individually.
For more information on your right of objection, see Article 21 of the GDPR.
You have the right to object, at any time, to the processing of your personal data which is based on legitimate interests or performed for direct marketing purposes. In such cases, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
8 Personal Data of Minors
The use of our services is not intended for, nor directed to, individuals under the minimum age of consent for the processing of personal data as defined by the data protection laws of their jurisdiction. We do not knowingly collect, store, or process personal data from any individual who is below the legally stipulated age of consent without verifiable parental or guardian consent. In the event that you are a parent or legal guardian and have reason to believe that a minor under your care has provided us with personal data, we request that you contact us immediately at contact details specified under Section 1.2 in this Privacy Notice. Upon verification, we shall take all reasonable and necessary steps to expunge such data from our records, in accordance with applicable legal and regulatory obligations.
9 CHANGES TO THIS PRIVACY NOTICE
In this Privacy Notice, we will always keep you fully and completely informed about the processing of your personal data. This requires that we update this Privacy Notice regularly. We therefore recommend that you consult this Privacy Notice regularly.