(Applicable to ENGWE connected electric bicycles and related APP services)
Article 1 Purpose and Scope of Application
1.1 These Rules explain how ENGWE provides users with mechanisms for data access, export, authorized third-party receipt, deletion, and related support in relation to data generated or processed by connected electric bicycles and their related digital services.
1.2 These Rules apply to:
(1)ENGWE-branded connected electric bicycles;
(2)ENGWE APP services directly related to the functions of such products;
(3)users’ requests for access, export, sharing, withdrawal of authorization, and deletion in relation to data generated by the foregoing products and services.
1.3 These Rules do not apply to the following circumstances:
(1)purely internal management data not directly related to product functions;
(2)data used only for internal cybersecurity, anti-abuse, audit, product debugging, or R&D analysis, and which should not be fully disclosed externally according to law;
(3)data independently controlled by third-party platforms or third-party service providers, unless otherwise specified by ENGWE within its own controllable scope.
Article 2 Definitions
Unless otherwise indicated by the context, the following terms in these Rules have the meanings set out below:
2.1 Product: means ENGWE-branded connected electric bicycles, including built-in or external IoT modules, sensors, control systems, and other components that may generate or transmit data during use.
2.2 Related Services: means digital services directly related to product functions, including the ENGWE APP and necessary backend support services.
2.3 User: means a natural person, legal person, or other organization that purchases, leases, receives by transfer, is authorized to use, or actually controls a product, and is entitled to use the related services.
2.4 Data Access: means that a user directly views online, or otherwise obtains, data relating to the use of their product or related services.
2.5 Data Export: means that ENGWE provides users with data they are entitled to obtain in a structured, commonly used, and machine-readable format.
2.6 Third-Party Recipient: means a third-party entity to which ENGWE provides specific data upon the user’s explicit request or authorization, such as a repair service provider, maintenance service provider, insurance service provider, fleet management service provider, or other service provider lawfully designated by the user.
2.7 Authorized Sharing: means ENGWE’s provision of relevant data to a third-party recipient based on the user’s request or authorization, according to the specified scope, purpose, and period.
2.8 Restricted Data: means data that is not suitable for full disclosure in its original form due to network and product security, trade secrets, authentication mechanisms, system integrity, protection of third-party rights and interests, or other lawful reasons.
Article 3 Applicable Data Scope
3.1 During product use and the operation of related services, ENGWE may generate, receive, record, store, or process the following categories of data:
(I)Vehicle Operation and Status Data
Including but not limited to: real-time speed, maximum speed, average speed, subtotal mileage, subtotal time, remaining range, total mileage, total riding time, assistance level, real-time motor power, real-time motor output torque, main battery 1 level, battery 2 level, battery 3 level, battery voltage, real-time cadence, single-ride average cadence, real-time human power, real-time human pedaling torque, CAN error codes, display error codes, headlight switch status, turn signal switch status, connectivity status, signal strength, IoT box battery level, number of GPS satellites, vehicle lock status, power on/off status, charging status, etc.
(II)Device Identification and Connection Data
Including but not limited to: device name, device model, serial number, MAC address, version number, software version, sensor data, status, and security mode.
(III)Location and Route Data
Including but not limited to: mobile device location information, precise vehicle location, navigation-related location data, riding routes, and route history.
(IV)Account and Basic Profile Data
Including but not limited to: email address, password, country/region, nickname, avatar, or account photo.
(V)Feedback, After-Sales, and Support Data
Including but not limited to: user email address or other contact information, device name, user’s country, issue type, feedback text, feedback photos, logs or diagnostic materials directly related to issue identification.
(VI)Community and User-Generated Content
Including but not limited to: photos uploaded by users to the community, comment content, content generated through photo editing, and other content actively published by users.
(VII)Logs and Operational Assurance Data
Including log information relating to the operation, troubleshooting, security assurance, and system integrity of the APP and backend services.
3.2 Different data types may be subject to different methods of disclosure, scope of disclosure, and processing conditions. ENGWE will determine the specific processing method based on the legal nature, risk level, system availability, security impact, and third-party rights and interests relating to the data.
Article 4 Basic Principles for Data Access
4.1 ENGWE processes users’ data access and sharing requests according to the following principles:
(1)Availability principle: for data generated during normal operation of the product or related services and available to ENGWE within its controllable scope, ENGWE will give priority to providing a reasonable access path;
(2)layered disclosure principle: direct viewing, export upon request, authorized sharing, and restricted disclosure will be differentiated according to data type and risk level;
(3)minimum necessity principle: only the scope of data corresponding to the purpose of the user’s request will be provided;
(4)identity and control-right verification principle: high-risk access, export, sharing, and deletion requests must undergo enhanced verification;
(5)security and confidentiality principle: trade secrets, authentication mechanisms, system security, and third-party rights and interests will be protected while data is disclosed;
(6)free and convenient access principle: for user data access requests within the scope required by the EU Data Act, ENGWE will in principle provide basic access and download capabilities free of charge through convenient channels;
(7)parallel compliance principle: where personal data is involved, personal data protection rules will apply simultaneously.
Article 5 Data Directly Accessible Online by Users
5.1 ENGWE will provide users with data that is generally directly viewable online through appropriate pages in the ENGWE APP, including but not limited to:
(1)real-time vehicle status data;
(2)basic riding statistics and historical summaries;
(3)device name, model, and partial version information;
(4)basic account profile data;
(5)summaries of feedback records submitted by the user;
(6)community content published by the user;
(7)other basic display data directly related to the user.
5.2 ENGWE may reasonably adjust the scope of data directly displayed based on product model, firmware version, system capabilities, and user function selections.
5.3 For underlying engineering data, fields that are excessively complex, or fields that may cause security risks, ENGWE may instead provide user-understandable summaries, status descriptions, or fault explanations, rather than displaying all raw data.
Article 6 Data Export Rules
6.1 Users may apply to export data they are entitled to obtain through the ENGWE APP or other designated entry points.
6.2 In principle, exportable data includes:
(1)historical riding statistics data;
(2)riding routes and related location history;
(3)partial device status history;
(4)basic account profile data;
(5)feedback records and community content submitted by the user;
(6)other data that is technically extractable, legally permissible to provide, and not classified as restricted data.
6.3 Exported data may be provided by means including:
(1)in-platform download;
(2)download notification through account messages or email;
(3)other secure transmission methods expressly specified by ENGWE.
6.4 The format of exported data will be structured, commonly used, and machine-readable according to the data type and technical circumstances, such as CSV, JSON, GPX, or other reasonable formats.
6.5 The following data is generally not exported in complete raw form:
(1)passwords, tokens, keys, and other authentication credentials;
(2)complete raw logs, debugging logs, and internal security analysis results;
(3)internal risk-control markers, anti-fraud rules, and attack detection rules;
(4)data involving third-party personal data that cannot be reasonably separated;
(5)data that may expose system vulnerabilities or impair network or product security;
(6)other data that should not be disclosed according to law or may only be disclosed in a limited manner.
6.6 If the scope of an export request is excessively broad, clearly exceeds a reasonable use purpose, involves large amounts of third-party information, or requires additional security review, ENGWE may require the user to narrow the scope, provide supplementary explanation of the purpose, or process the request in stages.
Article 7 Third-Party Receipt and Authorized Sharing Rules
7.1 Users may request ENGWE to provide specific data to a third-party recipient designated by them.
7.2 Third-party receipt scenarios may include but are not limited to:
(1)repair, maintenance, and fault diagnostics;
(2)insurance, claims, or accident handling;
(3)fleet management;
(4)riding analysis, use optimization, or other data services actively selected by the user;
(5)other scenarios reviewed by ENGWE and considered lawful and feasible.
7.3 When initiating a third-party sharing request, the user shall at least specify the following information:
(1)name and basic identity information of the third-party recipient;
(2)scope of data to be shared;
(3)purpose of sharing;
(4)sharing period;
(5)sharing method;
(6)whether the sharing is continuous;
(7)whether onward transfer or reuse is permitted;
(8)other information reasonably requested by ENGWE.
7.4 After completing necessary verification, ENGWE may provide relevant data to the third-party recipient as requested by the user. Necessary verification includes:
(1)user identity verification;
(2)verification of product control rights or binding relationship;
(3)identity verification of the third-party recipient;
(4)review of the reasonableness of the data scope and sharing purpose;
(5)assessment of security, trade secrets, and third-party rights and interests.
7.5 ENGWE may require the third-party recipient to accept additional conditions, including but not limited to:
(1)confidentiality obligations;
(2)purpose limitation;
(3)not developing related products or services that directly compete with ENGWE;
(4)not reverse-identifying authentication mechanisms, control logic, or security measures;
(5)not making further transfers or disclosures without authorization;
(6)implementing necessary technical and organizational security measures;
(7)accepting necessary audits, logging, and access controls.
7.6 For continuous sharing or API access scenarios, ENGWE may separately apply interface access specifications, testing requirements, frequency limits, abnormality circuit-breaking mechanisms, and access termination mechanisms.
7.7 Users may withdraw authorization at any time during the sharing period; however, withdrawal does not affect data provision completed before withdrawal based on valid authorization.
Article 8 Restricted Disclosure and Grounds for Refusal
8.1 ENGWE may refuse, restrict, delay, or change the method of provision in the following circumstances:
(1)the identity of the requester cannot be reasonably confirmed;
(2)the user’s control over the product or account cannot be reasonably confirmed;
(3)the request clearly exceeds the scope of data the user is entitled to obtain;
(4)the request would result in leakage of authentication information, key materials, security parameters, complete raw logs, or other high-risk data;
(5)the request would seriously impair trade secrets, intellectual property rights, system security, or service stability;
(6)the data contains third-party personal data or other protected information that cannot be reasonably separated;
(7)the third-party recipient’s identity is unclear, presents security risks, or refuses to accept necessary protection obligations;
(8)the request is clearly abusive, harassing, repeatedly duplicative, or made in bad faith;
(9)the data needs to be provided in stages due to technical limitations;
(10)other circumstances where restriction is permitted by law.
8.2 Where feasible, ENGWE will give priority to the following alternative measures rather than complete refusal:
(1)narrowing the data scope;
(2)providing summaries, truncated versions, or de-identified versions instead;
(3)providing a one-time download instead of continuous interface access;
(4)delaying provision and requiring completion of supplementary verification or security measures.
Article 9 Deletion and Withdrawal Rules
9.1 Users may initiate deletion requests in relation to their account, community content, certain route data, certain feedback attachments, and other deletable data.
9.2 After initiating authorization for third-party sharing, users may withdraw authorization during the continuous sharing period, and ENGWE will stop subsequent sharing within a reasonable period.
9.3 ENGWE may not immediately delete, may only partially delete, or may instead restrict processing or anonymize the following data:
(1)data necessary for warranty performance, after-sales support, dispute handling, or fault traceability;
(2)data necessary to comply with legal obligations, financial and audit requirements;
(3)data necessary to maintain network, product, and service security;
(4)data necessary to ensure system integrity, identify abuse, and prevent fraud;
(5)data involving third-party rights and interests or public safety considerations.
9.4 Where data cannot be deleted immediately, ENGWE will explain the processing result or reasons to the user within an appropriate scope.
Article 10 Identity Verification and Access Control
10.1 To protect users and system security, ENGWE will adopt differentiated verification measures according to the risk level of the request.
10.2 General online viewing may be subject to login status verification.
10.3 For the following high-risk requests, ENGWE may require additional verification:
(1)exporting precise location or riding routes;
(2)authorizing a third party to continuously receive data;
(3)deleting data closely related to device binding;
(4)accessing highly identifiable identifiers, such as full serial numbers or MAC addresses;
(5)requesting data containing fault diagnostics, support logs, or other relatively sensitive content.
10.4 Additional verification measures may include:
(1)secondary verification code;
(2)binding relationship confirmation;
(3)device control-right verification;
(4)proof of purchase or use relationship;
(5)verification of administrator authorization chains in enterprise or fleet scenarios.
Article 11 Processing of Personal Data and Third-Party Information
11.1 If a request involves personal data, ENGWE will process it simultaneously in accordance with applicable data protection rules.
11.2 If the data contains third-party personal data, ENGWE may take the following measures:
(1)delete or mask third-party information;
(2)provide only the part directly related to the request;
(3)require the user to narrow the scope;
(4)refuse or restrict provision where reasonable separation is not possible.
11.3 For high-risk personal data such as precise location, riding routes, photos, free-text feedback, community content, and logs, ENGWE will apply stricter scope control and verification measures.
Article 12 Request Channels and Processing Methods
12.1 ENGWE will provide request entry points through at least the following channels according to its business model:
(1)the “Data Act Section” page in the ENGWE APP;
(2)the “Data Act Section” page on the ENGWE official website;
(3)assisted processing through customer service or after-sales ticket entry points where necessary.
12.2 For users who purchase through the ENGWE official website, users who purchase through third-party platforms, and users who purchase offline, ENGWE will in principle apply unified data access and sharing rules; however, reasonable distinctions may be made in identity verification and device control-right confirmation methods based on the purchase channel and binding status.
12.3 For users who purchase through third-party platforms such as Amazon, ENGWE may require them to connect the device in the APP or complete after-sales verification before initiating high-risk requests.
12.4 For offline purchasers, ENGWE may provide access to these Rules and operational guidance through packaging QR codes, manual QR codes, official website support pages, or in-ENGWE APP pages.
Article 13 Fees and Anti-Abuse
13.1 For basic access, viewing, and reasonable export and sharing requests within the scope required by law, ENGWE will in principle not charge users any fees.
13.2 If a user’s request is clearly repetitive, excessively frequent, abnormally broad in scope, requires additional customized processing, or clearly exceeds normal personal use purposes, ENGWE may take anti-abuse measures according to law, including limiting frequency, requiring scope reduction, requiring staged processing, or taking other reasonable measures within the scope permitted by law.
Article 14 Records, Logging, and Audit
14.1 ENGWE may keep necessary records of access, export, sharing, withdrawal, and deletion requests for security, logging, and dispute handling purposes.
14.2 Records may include:
(1)request time;
(2)request type;
(3)verification method;
(4)processing result;
(5)sharing recipient;
(6)data scope;
(7)abnormal circumstances;
(8)withdrawal or termination status.
14.3 For continuous sharing, API access, and high-risk requests, ENGWE may retain more complete audit records.
Article 15 Updates to These Rules
15.1 If product functions, APP services, data structures, export capabilities, third-party access mechanisms, or applicable legal requirements change, ENGWE may update these Rules.
15.2 The updated Rules will be published through the official website, ENGWE APP, or other appropriate means. Material changes will be notified to users in a reasonable manner.
Article 16 Contact Information and Dispute Handling
16.1 Users may initiate requests or enquiries relating to these Rules through the relevant pages in the ENGWE APP, the official website support entry, or ENGWE’s designated customer service channels.
16.2 If users object to data access, sharing, deletion, or related processing results, they may submit a review request through the following channels:
In-APP path: me-general-setting
Contact email: app@engwe-bikes.com
