1. Introduction and Scope
Yirox is an automotive and new-energy vehicle product manufacturer and solution provider, supplying EV charging accessories, BYD/Tesla accessories, pickup truck accessories, wheel-service consumables, automotive abrasives, and off-road LED lighting to distributors, wholesalers, repair chains, accessory brands, and online sellers worldwide. We operate with export-oriented service across North America, Europe, South America, the Middle East, Oceania, and Asia-Pacific markets.
This Privacy Policy (“Policy”) describes how Yirox (“we,” “us,” or “our”) collects, uses, discloses, retains, and protects personal data in connection with the following activities:
- Visits to our website and any associated digital platforms;
- Inquiries, quotation requests, and pre-sales communications;
- B2B transactions, including standard SKU orders, OEM/ODM development programs, and low-MOQ trial orders;
- Ongoing customer relationship management, after-sales support, and warranty handling;
- Compliance with applicable export control, trade, and regulatory obligations.
This Policy applies to all individuals whose personal data we process in the course of these activities, including business contacts at customer companies, distributors, wholesalers, OEM/ODM partners, suppliers, and website visitors. It does not apply to our employees or job applicants, whose data is governed by separate internal policies.
We are committed to processing personal data in accordance with the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), the Personal Information Protection Law of the People’s Republic of China (PIPL), and all other applicable data protection laws.
2. Definitions
The following definitions apply throughout this Policy:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person (“data subject”). This includes business contact information such as a name, work email address, or phone number, even when provided in a professional capacity. |
| Data Controller | The legal entity that determines the purposes and means of processing Personal Data. Yirox acts as Data Controller for the personal data described in this Policy. |
| Data Processor | A natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Data Controller under a written agreement. |
| Processing | Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, transfer, or deletion. |
| Consent | A freely given, specific, informed, and unambiguous indication of the data subject’s wishes, signifying agreement to the processing of their personal data for a stated purpose. |
| Cookies | Small text files placed on a device by a website, used to store browsing information and preferences. |
| Usage Data | Data collected automatically from website infrastructure, including IP addresses, browser types, pages visited, and time spent on pages. |
| OEM/ODM | Original Equipment Manufacturer / Original Design Manufacturer programs, under which Yirox develops or manufactures products to a customer’s specifications or brand requirements. |
3. Categories of Personal Data We Collect
We collect personal data only to the extent necessary for the legitimate purposes described in this Policy. The categories of personal data we may collect include:
3.1 Business Contact and Identification Data
We collect the names, job titles, company names, work email addresses, telephone numbers, and business postal addresses of individuals who contact us, submit inquiries, register on our B2B portal, or enter into commercial relationships with us. This information is provided directly by the individual or by their employer in the course of establishing a business relationship.
3.2 Transaction and Commercial Data
In the course of processing orders and managing commercial relationships, we collect and process order details (including product categories, SKU specifications, quantities, and pricing), OEM/ODM project requirements (including drawings, samples, vehicle fitment data, target price bands, and private-label specifications), purchase history, payment information, billing addresses, and tax identification numbers required for invoicing and export documentation.
3.3 Technical and Usage Data
When you visit our website, we automatically collect technical information, including your device’s Internet Protocol (IP) address, browser type and version, operating system, device identifiers, the pages of our website you visit, the time and date of your visit, and the time spent on those pages. This data is collected through server logs and cookies.
3.4 Communication Data
We retain records of communications exchanged with us, including the content of inquiry forms, email correspondence, meeting notes, and records of interactions at trade shows or exhibitions. This data is used to manage our business relationships and provide consistent service.
3.5 Compliance and Due Diligence Data
To fulfill our obligations under international trade and export control regulations, we may collect and process information required for sanctions screening, including names, company names, and country of domicile of our business partners. We may also obtain credit reference information from third-party agencies to assess commercial risk.
3.6 Data Obtained from Third-Party Sources
We may supplement the personal data you provide with information lawfully obtained from publicly accessible sources (such as commercial registers and trade directories) or from third parties (such as credit reference agencies, trade show organizers, or referral partners).
4. Purposes and Legal Bases for Processing
We process personal data only where we have a lawful basis to do so. The table below sets out the primary purposes for which we process personal data and the corresponding legal basis under the GDPR.
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Processing orders, managing OEM/ODM agreements, and fulfilling contractual obligations | Contractual Necessity (Art. 6(1)(b)) |
| Responding to pre-sales inquiries and providing quotations | Legitimate Interests (Art. 6(1)(f)) |
| Managing B2B customer relationships and after-sales support | Contractual Necessity / Legitimate Interests |
| Warranty handling and product safety monitoring | Contractual Necessity / Legal Obligation |
| Issuing invoices and maintaining accounting records | Legal Obligation (Art. 6(1)(c)) |
| Complying with export control, customs, and tax regulations | Legal Obligation (Art. 6(1)(c)) |
| Conducting sanctions screening and trade compliance due diligence | Legal Obligation (Art. 6(1)(c)) |
| Facilitating product recalls or safety notifications | Legal Obligation / Legitimate Interests |
| Sending marketing communications to existing customers | Legitimate Interests (Art. 6(1)(f)) |
| Sending marketing communications to new contacts | Consent (Art. 6(1)(a)) |
| Analyzing website performance and improving user experience | Legitimate Interests (Art. 6(1)(f)) |
| Ensuring IT security and preventing fraud | Legitimate Interests (Art. 6(1)(f)) |
| Conducting credit risk assessments | Legitimate Interests (Art. 6(1)(f)) |
| Publishing case studies or client references naming individuals | Consent (Art. 6(1)(a)) |
Where we rely on legitimate interests as our legal basis, we have conducted a balancing test to ensure that our interests are not overridden by your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests at any time (see Section 13).
5. Export Control and Trade Compliance
As an export-oriented manufacturer serving global markets, Yirox is subject to international trade regulations, including export control laws and sanctions regimes administered by the European Union, the United States (OFAC), the United Nations, and other relevant authorities. In order to comply with these obligations, we screen our business partners against applicable sanctions lists before entering into commercial relationships. This screening may involve processing personal data such as names, company names, countries of domicile, and, where a potential match is identified, additional identifying information to conduct further due diligence.
This processing is carried out on the basis of our legal obligation under applicable export control and sanctions regulations. Records of sanctions screening are retained for up to ten (10) years to demonstrate compliance with our regulatory obligations.
6. Product Safety and Recall Obligations
Yirox manufactures and supplies products subject to safety standards and certification requirements, including CE, RoHS, EMC, FCC, UKCA, TUV, DOT, E-mark, ECE, ETL, CSA, Energy Star, ISO 9001, IATF 16949, MPA, and EN12413. In the event of a product safety issue or recall, we may be required to process the personal data of our business customers (including contact names, email addresses, and order records) to identify affected products, notify relevant parties, and coordinate corrective actions. This processing is carried out on the basis of our legal obligation under applicable product safety regulations and our legitimate interest in protecting the safety of end users.
7. OEM/ODM Confidentiality
In the course of OEM/ODM development programs, customers may share with us confidential technical information, including product drawings, samples, specifications, and private-label requirements. While this information primarily constitutes confidential business information rather than personal data, we treat it with the same level of care and protection. We enter into Non-Disclosure Agreements (NDAs) with OEM/ODM customers as appropriate, and we restrict access to project-specific information to personnel directly involved in the relevant program.
8. Disclosure of Personal Data to Third Parties
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We may share personal data with the following categories of recipients, strictly for the purposes described in this Policy:
Service Providers and Data Processors. We engage third-party service providers to support our operations, including cloud hosting providers, payment processors, logistics and freight forwarding companies, CRM and ERP system providers, email marketing platforms, and IT security vendors. These providers act as Data Processors and are bound by written data processing agreements that require them to process personal data only on our instructions and to implement appropriate security measures.
Manufacturing and Sourcing Partners. Where a customer requires special sourcing support or where we engage sub-contractors for specific manufacturing processes, we may share limited technical specifications and project requirements with trusted partners. We ensure that confidential OEM/ODM data is protected through appropriate contractual arrangements.
Certification and Testing Bodies. We may share product specifications and related documentation with certification and testing bodies (such as TUV, SGS, Bureau Veritas, and similar organizations) to obtain or maintain product certifications. This process does not typically involve the sharing of personal data.
Legal, Regulatory, and Governmental Authorities. We may disclose personal data to customs authorities, tax authorities, sanctions screening service providers, and other governmental or regulatory bodies to the extent required by applicable law or to protect the legal rights, property, or safety of Yirox, our customers, or others.
Professional Advisors. We may share personal data with our legal counsel, auditors, and other professional advisors where necessary for the provision of their services, subject to appropriate confidentiality obligations.
9. International Data Transfers
Yirox operates internationally and may transfer personal data across national borders in the course of our business. When we transfer personal data from the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data transfer restrictions to countries that do not provide an equivalent level of data protection, we implement appropriate safeguards to ensure that your data remains protected. These safeguards may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA;
- International Data Transfer Agreements (IDTAs) approved by the UK Information Commissioner’s Office for transfers from the UK;
- Compliance with the Personal Information Protection Law (PIPL) of the People’s Republic of China for transfers of data out of China, including the conclusion of standard contracts issued by the Cyberspace Administration of China where required.
You may request a copy of the transfer mechanisms we use by contacting us at the details provided in Section 17.
10. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or alteration. Our security measures include, but are not limited to:
- Encryption of data in transit using Transport Layer Security (TLS/SSL) protocols;
- Role-based access controls and the principle of least privilege for internal systems;
- Multi-factor authentication (MFA) for access to systems containing personal data;
- Regular security assessments and vulnerability management;
- Physical security controls at our manufacturing and office facilities;
- Staff training on data protection and information security obligations.
Our commitment to quality management under ISO 9001 and IATF 16949 extends to our information security practices, reflecting a culture of traceability, accountability, and continuous improvement. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals, in accordance with applicable law.
11. Data Retention
We retain personal data only for as long as is necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following table sets out our standard retention periods for different categories of data:
| Data Category | Retention Period | Basis |
|---|---|---|
| Inquiry and pre-sales lead data | Up to 24 months from last contact | Business development and relationship management |
| Active customer and contract data | Duration of relationship + up to 10 years | Contractual and legal obligations |
| Invoice, payment, and accounting records | Up to 10 years | Tax and accounting compliance |
| Export documentation and customs records | Up to 7 years | Customs and trade compliance |
| Sanctions screening records | Up to 10 years | Regulatory compliance demonstration |
| Product liability and warranty records | Up to 10 years | Statutory liability periods and safety monitoring |
| OEM/ODM project documentation | Duration of program + up to 7 years | Contractual and legal obligations |
| Website technical logs | Up to 12 months | IT security and system integrity |
| Marketing consent records | Until consent is withdrawn + 3 years | Documentation of lawful basis |
Upon expiry of the applicable retention period, personal data is securely deleted or anonymized, unless it is required for the establishment, exercise, or defense of legal claims.
12. Cookie Policy
Our website uses cookies and similar tracking technologies to ensure the proper functioning of the site, analyze website traffic, and support our marketing activities.
12.1 Types of Cookies We Use
Strictly Necessary Cookies are essential for the website to function and cannot be switched off. They are typically set in response to actions you take, such as setting your privacy preferences, logging in, or filling in forms.
Performance and Analytics Cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. All information these cookies collect is aggregated and therefore anonymous.
Functional Cookies enable the website to provide enhanced functionality and personalization, such as remembering your language preferences or region.
Targeting and Advertising Cookies may be set through our site by our advertising partners to build a profile of your interests and show you relevant advertisements on other sites. They do not directly store personal information but are based on uniquely identifying your browser and internet device.
12.2 Cookie Details
| Cookie Name | Provider | Purpose | Duration | Category |
|---|---|---|---|---|
| _ga | Google Analytics | Distinguishes users for analytics | 2 years | Analytics |
| _gid | Google Analytics | Distinguishes users for analytics | 24 hours | Analytics |
| _gat | Google Analytics | Throttles request rate | 1 minute | Analytics |
| cookieconsent_status | Yirox | Stores your cookie consent preferences | 1 year | Strictly Necessary |
| PHPSESSID | Yirox | Maintains your session state | Session | Strictly Necessary |
12.3 Managing Your Cookie Preferences
You can manage your cookie preferences at any time by accessing our cookie consent banner or by adjusting your browser settings to refuse all or some cookies. Please note that disabling certain cookies may affect the functionality of our website. You may also opt out of analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
13. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data. We will respond to all valid requests within the timeframes required by applicable law (generally 30 days under the GDPR, extendable to 90 days in complex cases).
13.1 Rights Under the GDPR (EEA and UK Residents)
Right of Access (Art. 15 GDPR). You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data along with supplementary information about how it is processed.
Right to Rectification (Art. 16 GDPR). You have the right to request that we correct inaccurate or incomplete personal data about you without undue delay.
Right to Erasure (Art. 17 GDPR). You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (and no other legal basis applies), or where the data has been unlawfully processed. This right is subject to exceptions, including where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
Right to Restriction of Processing (Art. 18 GDPR). You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while the accuracy of the data is contested or while an objection to processing is being considered.
Right to Data Portability (Art. 20 GDPR). Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to Object (Art. 21 GDPR). You have the right to object at any time to the processing of your personal data where that processing is based on legitimate interests, including profiling. You also have an absolute right to object to the processing of your personal data for direct marketing purposes, including profiling related to direct marketing.
Right to Withdraw Consent (Art. 7(3) GDPR). Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Right to Lodge a Complaint (Art. 77 GDPR). You have the right to lodge a complaint with the competent data protection supervisory authority in your country of residence, place of work, or place of the alleged infringement.
13.2 Rights Under the CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
Right to Delete. You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
Right to Correct. You have the right to request that we correct inaccurate personal information we maintain about you.
Right to Opt-Out of Sale or Sharing. We do not sell personal information. We do not share personal information for cross-context behavioral advertising purposes.
Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights.
To submit a request under the CCPA, please contact us at the details provided in Section 17 with the subject line “California Privacy Rights Request.”
14. Children’s Privacy
Our website and services are designed for B2B commercial interactions and are not directed at children under the age of 16 (or 18 in certain jurisdictions). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child without appropriate parental consent, we will take prompt steps to delete such information from our records.
15. Third-Party Links
Our website may contain links to third-party websites, including those of our logistics partners, certification bodies, or industry associations. This Policy does not apply to those third-party websites, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party websites you visit.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, our services, or applicable legal requirements. When we make material changes, we will update the “Last Updated” date at the top of this Policy and, where appropriate, notify you by email or by a prominent notice on our website. We encourage you to review this Policy periodically to stay informed about how we protect your information.
17. Contact Us and Exercising Your Rights
If you have any questions, concerns, or requests regarding this Privacy Policy, our data processing practices, or if you wish to exercise any of your privacy rights, please contact us using the following details:
Yirox
Attn: Privacy / Data Protection
[Insert Company Registered Address]
Email: [Insert Privacy Contact Email]
Phone: [Insert Contact Phone Number]
We aim to acknowledge all requests within 72 hours and to respond substantively within the timeframes required by applicable law. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.
Annex A — Jurisdiction-Specific Disclosures
A.1 EEA and UK Residents
For the purposes of the GDPR and UK GDPR, Yirox acts as the Data Controller for the personal data described in this Policy. The legal bases for our processing activities are set out in Section 4. You have the right to lodge a complaint with the supervisory authority in your country of residence. A list of EEA supervisory authorities is available on the European Data Protection Board website at https://edpb.europa.eu. The UK supervisory authority is the Information Commissioner’s Office (ICO), reachable at https://ico.org.uk.
A.2 California Residents (CCPA/CPRA)
In the preceding twelve (12) months, Yirox has collected the following categories of personal information as defined by the CCPA: identifiers (such as name, email address, and IP address), commercial information (such as records of products purchased or inquired about), and internet or other electronic network activity information (such as browsing history on our website). We have not sold or shared personal information for cross-context behavioral advertising purposes. For the full list of your rights and how to exercise them, please refer to Section 13.2.
A.3 Personal Information Protection Law (PIPL) — China
For personal data processed in connection with individuals located in the People’s Republic of China, Yirox complies with the requirements of the Personal Information Protection Law (PIPL). Where we transfer personal data out of China, we implement the measures required by the PIPL, including the conclusion of standard contracts issued by the Cyberspace Administration of China where applicable. You may exercise your rights under the PIPL by contacting us at the details provided in Section 17.
This Privacy Policy was prepared in accordance with applicable data protection laws and industry best practices for B2B manufacturers and export-oriented businesses. It should be reviewed by qualified legal counsel before publication to ensure compliance with the specific legal requirements of all jurisdictions in which Yirox operates.