PLUGGED IN RIDE inc.


Privacy & Data Protection Policy

This policy describes how we collect, use, protect, and govern your personal data across all jurisdictions in which we operate, and the rights you hold as a data subject.

Effective: 1 January 2025

Last Revised: 26 April 2026

Version: 4.2.0

Policy ID: PP-2025-001

✓ GDPR Compliant ✓ CCPA / CPRA ✓ LGPD (Brazil) ✓ PIPEDA (Canada) ✓ PDPA (Thailand) ✓ ISO 27001 Aligned

SECTIONS OF CONTENTS

#1 Overview & Scope. #2 Automated Consent Auditing. #3 Cookie Consent Enforcement. #4 Page & Script Discovery. #5 Prioritised Risk Remediation. #6 Continuous Compliance Evidence. #7 GDPR, CCPA & Global Compliance. #8 Multi-Jurisdictional Program. #9 Third-Party Script Risk. #10 Your Rights. #11 Data Retention. #12 Contact & DPO


#1 Overview & Scope

This Privacy Policy (“Policy”) governs the collection, processing, storage, transfer, and deletion of personal data by Plugged In Ride Inc (“we”, “us”, “our”, “the Company”), a data controller registered under applicable data protection laws. This Policy applies to all websites, mobile applications, APIs, and digital services (collectively, “Services”) operated or controlled by the Company.

We are committed to privacy by design and by default, embedding data protection principles into every layer of our technical and organisational operations. Our privacy programme is built on four pillars: transparency, accountability, data minimization, and security.

Global Coverage

This policy applies to all persons worldwide who interact with our Services, regardless of their country of residence.

Privacy by Design

Data protection requirements are embedded at the architecture level, not applied as an afterthought.

Lawful Basis

All processing activities are mapped to a documented lawful basis under applicable privacy legislation.

Record Keeping

We maintain comprehensive Records of Processing Activities (RoPA) reviewed quarterly by our DPO.

WHO THIS POLICY COVERS

This Policy covers personal data relating to: website visitors; registered users and subscribers; customers and prospective customers; business contacts and partners; job applicants; and any other natural persons whose data we process in the course of our operations.

#2 Automated Consent Auditing

We deploy a continuous, automated consent auditing system that monitors, validates, and records consent interactions across all digital touchpoints. This system operates in real time and generates tamper-evident audit logs that serve as legal evidence of valid consent capture.

HOW AUTOMATED AUDITING WORKS

Our consent management platform (CMP) intercepts and logs every consent signal at the moment of generation. Each record captures: a unique consent identifier (UUID), timestamp with millisecond precision, user agent and IP hash (pseudonymised), the specific consent choices made per category, the version of the consent notice presented, and a cryptographic hash of the notice text to prove it was not altered post-consent.

Real-Time Scanning

Continuous crawling of all pages detects new consent touch-points within 15 minutes of deployment.

Version Control

Every change to consent notices triggers a new version, preserving the full historical audit chain.

Preference Sync

Consent preferences propagate to all integrated systems within 30 seconds via API webhook.

Anomaly Detection

Machine learning models flag unusual consent patterns that may indicate data quality issues.

CONSENT RECORD RETENTION

Consent records are retained for a minimum of five (5) years from the date of collection, or for the duration of the processing activity plus three (3) years, whichever is longer. Records are stored in immutable storage with cryptographic integrity verification to ensure they cannot be modified or deleted prior to their scheduled retention expiry.

#3 Cookie Consent Enforcement

We implement technical enforcement controls that prevent non-essential cookies and trackers from loading until explicit, informed, and freely-given consent has been obtained. Our enforcement mechanism is not reliant on script self-regulation: cookies are physically blocked at the network layer until consent is recorded.

COOKIE CATEGORIES

| CATEGORY | PURPOSE | CONSENT REQUIRED | TYPICAL RETENTION |
|---|---|---|---|
| Strictly Necessary | Session management, security, load balancing, authentication | No (Legitimate Interest) | Session / 24h |
| Functional | User preferences, language settings, accessibility features | Yes | 12 months |
| Analytics | Aggregate usage statistics, performance measurement, A/B testing | Yes | 13 months |
| Marketing | Interest-based advertising, remarketing, cross-site tracking | Yes | 90 days |

CONSENT BANNER SPECIFICATIONS

Our consent notice is displayed prominently on first visit before any non-essential processing occurs. The banner presents balanced accept/reject options with equal visual prominence. Users may access granular category controls to provide or withdraw consent at any time. Withdrawal of consent is as easy as giving it and takes immediate effect.

No Cookie Walls: Access to our Services is never conditional on acceptance of non-essential cookies. Declining all optional cookies does not degrade core functionality or create barriers to accessing content.

CROSS-DEVICE CONSENT PERSISTENCE

For authenticated users, consent preferences are stored server-side against the user account and applied consistently across all devices. For unauthenticated visitors, preferences are stored in a first-party consent cookie with a 13-month persistence period. Users visiting via a new device or after clearing cookies will be presented with a fresh consent prompt.

#4 Page & Script Discovery & Inventory

We maintain a comprehensive, continuously-updated inventory of all pages, scripts, pixels, beacons, and third-party technology loaded on our digital properties. This inventory is the foundation of our privacy programme and ensures no undisclosed data processing occurs on our platforms.

DISCOVERY METHODOLOGY

AUTOMATED CRAWLING - DAILY

Automated scanners traverse the complete sitemap, following all internal links and JavaScript-rendered routes to discover active pages and loaded resources.

NETWORK INTERCEPTION - REAL TIME

Browser-level network request interception captures every outbound request, identifying third-party domains, cookies set, and data transmitted in request payloads.

SCRIPT FINGERPRINTING - WEEKLY

Each JavaScript file is fingerprinted using a SHA-256 hash. Changes to existing scripts trigger alerts for manual review by the privacy engineering team.

VENDOR RECONCILIATION - MONTHLY

Discovered vendors are cross-referenced against our approved vendor register and Data Processing Agreements (DPAs) database. Gaps generate remediation tickets.

INVENTORY PUBLICATION - QUARTERLY

A curated version of the script and cookie inventory is published publicly as part of our transparency commitment.

INVENTORY DATA POINTS

Each discovered script record contains: script URL and loading domain; detected purpose and data categories processed; associated vendor name and privacy policy URL; DPA status (signed / pending / not required); consent category mapping; geographic data routing destinations; and last-seen scan date.

Tag Management: All third-party tags are deployed exclusively via our approved Tag Management System (TMS). Direct hard-coded script implementations require security and privacy review approval before deployment.

#5 Prioritized Risk Remediation

Our privacy engineering team operates a structured risk-based remediation programme. Privacy risks identified through automated scanning, DPIAs, audit findings, or incident reports are classified, assigned priority scores, and tracked to closure within defined service level targets.

RISK CLASSIFICATION MATRIX

| SEVERITY | LIKELIHOOD | SLA TARGET |
|---|---|---|
| HIGH: Active legal violation; data breach risk; unlawful processing | IMMINENT: Known exploit or active regulatory investigation | 24 HOURS: Immediate escalation to DPO and engineering leads |
| MEDIUM: Consent gaps; inadequate disclosures; borderline practices | PROBABLE: Industry trend indicates regulatory focus on this area | 7 DAYS: Assigned owner with weekly progress reporting |
| LOW: Best-practice gaps; enhancement opportunities | POSSIBLE: Theoretical risk with no known active exploitation | 30 DAYS: Scheduled in quarterly privacy sprint backlog |

DATA PROTECTION IMPACT ASSESSMENTS (DPIA)

We conduct DPIAs for all new or significantly changed processing activities that are likely to result in high risk to data subjects. DPIAs follow the structured methodology prescribed by GDPR Article 35 and incorporate: description of processing; necessity and proportionality assessment; risk identification and evaluation; and planned risk mitigation measures. DPIA reports are reviewed by the DPO prior to processing commencement.

#6 Continuous Compliance Evidence

Our compliance programme generates a continuous, auditable evidence chain that demonstrates ongoing adherence to applicable privacy laws. Evidence is not produced solely for periodic audits; it is generated automatically as a by-product of normal operations.

EVIDENCE ARTEFACTS MAINTAINED

Consent Receipts

Cryptographically-signed records of every consent interaction, stored in an append-only audit log.

Data Flow Maps

Automatically generated diagrams of personal data flows, updated when processing changes.

Scan Reports

Dated outputs from automated privacy scans, retained for 5 years as compliance evidence.

DPA Register

Executed Data Processing Agreements with all processors, versioned and centrally accessible.

Training Records

Completion certificates for mandatory privacy training, tracked per employee.

Breach Register

Confidential log of all suspected and confirmed personal data breaches with response timelines.

REGULATORY REPORTING READINESS

In the event of a regulatory inquiry, supervisory authority audit, or data subject complaint escalation, we maintain the capability to produce a comprehensive compliance evidence package within five (5) business days. This package includes RoPA extracts, DPIA reports, consent audit logs, processor agreements, and security certification evidence.

#7 GDPR, CCPA & Global Privacy Consent Compliance

GENERAL DATA PROTECTION REGULATION (GDPR)

For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we act as a data controller under the GDPR (Regulation (EU) 2016/679) and UK GDPR. We process personal data only where we have a valid lawful basis. Our six lawful bases are: consent (Article 6(1)(a)); contract (Article 6(1)(b)); legal obligation (Article 6(1)(c)); vital interests (Article 6(1)(d)); public task (Article 6(1)(e)); and legitimate interests (Article 6(1)(f)).

Where we rely on legitimate interests, we conduct and document a Legitimate Interests Assessment (LIA) to confirm the interest is not overridden by the data subject’s rights and freedoms. For special category data (Article 9), we identify an additional condition from Article 9(2).

CALIFORNIA CONSUMER PRIVACY ACT (CCPA / CPRA)

For California residents, we honour all rights under the California Consumer Privacy Act and its amendment, the California Privacy Rights Act (CPRA). We do not sell or share personal information as defined under the CCPA without providing a clear “Do Not Sell or Share My Personal Information” opt-out mechanism. We honour opt-out preference signals, including the Global Privacy Control (GPC), automatically.

California residents may request: disclosure of personal information collected; deletion of personal information; correction of inaccurate personal information; opt-out from sale or sharing; and limitation of sensitive personal information use. We do not discriminate against residents for exercising these rights.

Global Privacy Control (GPC): Our platform automatically detects and honours the GPC browser signal as a valid opt-out from the sale or sharing of personal information for California residents, without requiring additional user action.

INTERNATIONAL DATA TRANSFERS

Where we transfer personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on: Standard Contractual Clauses (SCCs) approved by the European Commission; the UK International Data Transfer Agreement (IDTA); binding corporate rules (BCRs) where applicable; or explicit consent for occasional transfers.

We conduct Transfer Impact Assessments (TIAs) for all international data transfers, assessing the legal framework of the destination country and supplementary measures required to ensure equivalent protection.

#8 Multi-Jurisdictional Privacy Programme

We operate a unified privacy programme capable of meeting the requirements of multiple data protection regimes simultaneously. Rather than applying the minimum common denominator, our baseline aligns with the most protective applicable standards, elevated further by local requirements where applicable.

JURISDICTIONAL COVERAGE

| REGION / COUNTRY | APPLICABLE LAW | KEY OBLIGATIONS |
|---|---|---|
| European Union | GDPR | Lawful basis; DPO appointment; DPIA; 72h breach notification; SCCs for transfers |
| United Kingdom | UK GDPR, DPA 2018 | ICO registration; UK IDTA for transfers; UK-specific guidance compliance |
| United States | CCPA/CPRA, VCDPA, CPA | Sale opt-out; GPC honouring; sensitive data limits; state-specific rights |
| Brazil | LGPD | DPO (Encarregado); ANPD registration; international transfer safeguards |
| Canada | PIPEDA, Quebec Law 25 | Privacy impact assessments; OPC reporting; consent for cross-border transfers |
| Australia | Privacy Act 1988, APPs | Australian Privacy Principles; OAIC notifications; cross-border accountability |
| Singapore | PDPA | PDPC registration; mandatory breach notification; data portability |
| Japan | APPI | PPC filing; third-country transfer safeguards; sensitive data consent |

CONFLICT RESOLUTION

Where obligations conflict across jurisdictions, our legal and privacy teams apply a conflict-resolution matrix to determine the operative standard. In all cases, we apply the standard that provides the greatest protection to the data subject, unless doing so would directly violate an applicable law.

#9 Third-Party Script & Tracker Risk Management

Third-party scripts represent one of the most significant and dynamic privacy risks in the digital ecosystem. We apply rigorous controls to assess, approve, monitor, and where necessary terminate third-party script relationships.

VENDOR ONBOARDING REQUIREMENTS

Before any third-party script or tracker may be deployed on our properties, the vendor must satisfy the following requirements: completion of a privacy and security questionnaire; provision of a current Data Processing Agreement (DPA) compliant with Article 28 GDPR; documentation of all sub-processors; evidence of appropriate technical and organisational security measures; and a signed commitment to notify us within 24 hours of any personal data breach affecting our data subjects.

RUNTIME MONITORING CONTROLS

Behavioural Analysis

Scripts are sandboxed and monitored at runtime. Any attempt to access unexpected browser APIs or data triggers an automatic quarantine alert.

Outbound Data Logging

All outbound network requests from third-party scripts are captured, inspected, and compared against declared data flows.

Subresource Integrity

CDN-loaded scripts are protected with SRI hashes. Any modification to a script file breaks the hash and prevents loading.

Consent-Gate Blocking

Non-essential vendor scripts are blocked at the network proxy layer until consent is verified, with no reliance on self-enforcement.

TRACKER CLASSIFICATION

We classify all discovered trackers against the IAB TCF vendor list, the EFF’s known tracker database, and our proprietary risk taxonomy. Trackers are rated on three dimensions: data sensitivity (what categories of data are collected); data routing (where data is transmitted and stored); and cross-site linking (whether the tracker links identities across unrelated websites).

Tag Mutation Policy: If a third-party vendor modifies the behaviour of an approved script without prior notice and updated DPA, the tag is immediately quarantined pending review. Repeated violations result in permanent offboarding. Our monitoring system detects script changes within one scan cycle.

APPROVED VENDOR REGISTER

We publish and maintain an approved vendor register listing all third parties authorised to process personal data via our Services. This register is reviewed monthly. Vendors whose DPAs have expired or who fail to respond to annual review questionnaires are removed from the approved list and their scripts suspended.

#10 Your Rights as a Data Subject

Depending on your jurisdiction, you have the following rights in relation to your personal data. We process all verifiable requests within the timeframes mandated by applicable law (30 days under GDPR; 45 days under CCPA; extendable by an additional period with notice).

Right of Access

Obtain confirmation of whether we process your data and receive a copy of that data.

Right to Rectification

Have inaccurate or incomplete personal data corrected without undue delay.

Right to Erasure

Request deletion of your personal data where there is no overriding legitimate ground to retain it.

Right to Restrict

Temporarily limit the processing of your data whilst a dispute is being resolved.

Right to Portability

Receive your data in a structured, commonly-used, machine-readable format for transfer.

Right to Object

Object to processing based on legitimate interests or for direct marketing at any time.

Automated Decisions

Request human review of any decision made solely by automated means that significantly affects you.

Withdraw Consent

Withdraw consent at any time for consent-based processing, without affecting prior lawfulness.

HOW TO EXERCISE YOUR RIGHTS

Submit your request by email to pluggedinride@yahoo.com, or by post to our registered address. We will verify your identity before processing any request. We do not charge a fee for first requests; however, we may charge a reasonable fee or decline manifestly unfounded or excessive requests.

RIGHT TO LODGE A COMPLAINT

You have the right to lodge a complaint with your competent supervisory authority. In the EU, this is typically the Data Protection Authority of your Member State. In the UK, this is the Information Commissioner’s Office (ICO, ico.org.uk). In the US (California), this is the California Privacy Protection Agency (CPPA). We encourage you to contact us first, as we are committed to resolving complaints directly.

#11 Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our retention schedules are defined in our Data Retention Policy, reviewed annually by the DPO, and implemented through automated data lifecycle management controls.

STANDARD RETENTION PERIODS

| DATA CATEGORY | RETENTION PERIOD | BASIS |
|---|---|---|
| Account registration data | Duration of account + 3 years | Contract; statutory limitation |
| Transaction records | 7 years from transaction date | Legal obligation (tax / accounting) |
| Consent records | 5 years from consent capture | Legal obligation; accountability |
| Marketing preferences | Until opt-out + 1 year | Consent; legitimate interest |
| Web analytics (aggregated) | 26 months | Legitimate interest; proportionate |
| CCTV / access logs | 31 days | Security; proportionality |
| Job applicant data (unsuccessful) | 6 months post-decision | Legitimate interest; legal defence |

Upon expiry of the applicable retention period, personal data is permanently deleted or irreversibly anonymised. Deletion is automated where technically feasible and manually verified for high-risk data categories. Anonymised statistical data may be retained indefinitely as it no longer constitutes personal data.

#12 Contact & Data Protection Officer

For any queries regarding this Policy, to exercise your data subject rights, or to report a privacy concern, please contact us using the details below. Our Data Protection Officer is an independent, qualified professional appointed pursuant to GDPR Article 37.

DATA PROTECTION OFFICER

RNR

pluggedinride@yahoo.com

PGP key available on request

PRIVACY TEAM

General Privacy Enquiries

pluggedinride@yahoo.com

Response within 5 business days

RIGHTS REQUESTS

Identity verification required

REGISTERED ADDRESS

PLUGGED IN RIDE inc.
Calgary, Alberta
Canada

EU & UK REPRESENTATIVES

Pursuant to GDPR Article 27, we have appointed a representative in the European Union: RNR. pluggedinride@yahoo.com. For UK data subjects, our UK GDPR representative is: RNR. pluggedinride@yahoo.com. These representatives may be contacted by supervisory authorities and data subjects on our behalf.


POLICY AMENDMENTS

We may update this Policy from time to time to reflect changes in law, technology, or our business practices. Material changes will be communicated by prominently posting a notice on our Services at least 30 days before the change takes effect, and by email to registered users where the change materially affects their rights. The date of the most recent revision appears at the top of this Policy. Continued use of our Services after the effective date constitutes acknowledgment of the revised Policy.

This Policy does not constitute legal advice. Where specific legal questions arise in your jurisdiction, please seek appropriate professional counsel.
