Global Data Protection Policy

Nextracker Inc., including its subsidiaries (collectively, “Nextracker” or the “Nextracker Group”)1 , a global leader in solar tracking solutions, is committed to protecting your privacy and ensuring the security of your personal data. This Global Data Protection Policy (GDPP) outlines how we collect, use, and safeguard your information in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

The relevant Nextracker entity that is responsible for your personal information will be the Nextracker entity to which you provided your personal information. However, as we may share your personal information within the Nextracker Group, other Nextracker Group entities may also use your personal information in accordance with this GDPP.

Please read this GDPP carefully to understand our policies and practices regarding your personal information and how we will use such information. If you do not agree with these policies and practices, please do not use the Websites. By accessing or using the Websites and our services, you agree to our collection, use and disclosure of your personal information.

  1. Data protection principles

    Nextracker is committed to processing data in accordance with its responsibilities. Personal data shall be:

    1. processed lawfully, fairly and in a transparent manner in relation to individuals;
    2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;
    3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
    5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by regulations in order to safeguard the rights and freedoms of individuals; and
    6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

  2. Data Controller Information

    Nextracker Inc. is the data controller responsible for processing your personal data. If you have any questions about this policy, you can contact us at:

    • Email: privacy@nextracker.com
    • Address: 6200 Paseo Padre Parkway, Fremont, CA 94555

  3. Collection of personal information

    Nextracker collects personal data that you provide to us directly or through interactions with our website, products, and services. You may also provide Nextracker with personal information in other ways, such as if you communicate with us through social media or participate in our promotions.

    • Website Visitors: When you visit one of our websites, we collect various types of information, such as browser type and language, device type, operating system, access times, domain name and the address of the Website from which you came to the Websites. We may also collect information about your IP address or click stream data within our websites (i.e. the actions taken in connection with the Websites). This information helps us improve the functionality of the Websites. We also collect information such as your name and email address when you contact us.
    • Request for a Quote:
    • Account Holders:
    • Apply for a Job:

      1. Identification information, for example, date of birth, gender, country of residence, and nationality.
      2. Government issued identifiers, for example tax identification number, and citizenship or work authorization status.
      3. Employment, Education and Professional Information, such as employment history and job title.
    • Marketing Preferences: When you voluntarily engage with us regarding subscription choices and communication preferences we collect your name, email address, telephone number and company details.

  4. USE OF YOUR DATA

    Nextracker processes personal data, including but not limited to the following purposes:

    • To provide and improve our services: Ensuring optimal functionality of our products and support services.
    • To communicate with you: Sending product updates, newsletters, and responding to inquiries.
    • To carry out selection processes: Evaluating your profile and candidacy when you apply to work for us.
    • To comply with legal obligations: Ensuring regulatory compliance and enforcing contractual agreements.
    • For marketing and analytics: Enhancing user experience, analysing website traffic, and personalizing content.

  5. LEGAL BASIS FOR PROCESSING

    We process your data based on one or more of the following legal grounds:

    1. Consent: When you opt-in to marketing communications or cookies. We use a double opt-in process to ensure your explicit consent. After signing up, you will receive an email requesting confirmation of your subscription before we send further communications. Evidence of opt-in consent shall be kept with the personal data. The option for you to revoke your consent will be in place to ensure that you can revoke your consent and is reflected accurately in Nextracker’s systems.
    2. Contractual Necessity: When processing is required to fulfil a contract or in order to take steps at the request of the data subject prior to entering into a contract.
    3. Legal Obligation: When required by law to retain certain records.
    4. Legitimate Interest: To improve services and business operations, provided such interests do not override your rights.

  6. Data Sharing

    We do not sell or rent your personal data. However, we may share your data with:

    • Service Providers: Vendors assisting with IT, marketing, payroll, benefits, and customer support.
    • Affiliates and Partners: For business operations and service enhancements.
    • Regulatory Authorities: When required to comply with legal requests.

  7. International Transfer of personal information

    Due to the global nature of our business, we may transfer personal information to other Nextracker Group entities, suppliers and other recipients located in different countries, including to countries outside of the European Economic Area (“EEA”) or the United Kingdom (“UK”). Where we transfer your personal information to recipients in countries not considered to provide an adequate level of data protection, we will ensure we take steps to ensure your personal information is protected and safeguarded. Such steps include entering into EU Standard Contractual Clauses (“SCCs”) with the recipient or seek assurances from them that they have Binding Corporate Rules (“BCRs”) in place. BCRs are data protection policies adhered to by companies established in the EU and UK for transfers of personal information outside of the EU and UK within a corporate group.

  8. Data Retention

    We will retain your personal information for no longer than is necessary for the provision of the products and/or services, internal analytical purposes, recruiting purposes, or to comply with our legal obligations, resolve disputes and enforce agreements (e.g., settlement). The criteria used to determine the retention periods include:

    • how long the personal information is needed to provide the products and/or services and operate the business;
    • the type of personal information collected; and
    • whether we are subject to a legal, contractual or similar obligation to retain the data (e.g., mandatory data retention laws, government orders to preserve data relevant to an investigation, or data that must be retained for the purposes of litigation or disputes).

    Once no longer needed, data is securely deleted or anonymized.

  9. Your Rights Under GDPR

    As an individual under GDPR, you have the right to:

    • Access: Request a copy of the personal data we hold about you.
    • Rectification: Correct inaccuracies in your data.
    • Erasure: Request deletion of your data under certain conditions.
    • Restriction: Limit processing of your data in specific circumstances.
    • Portability: Receive your data in a structured format for transfer.
    • Objection: Object to data processing for marketing purposes.
    • Withdraw Consent: Withdraw consent at any time where applicable. To exercise your rights, contact us at privacy@nextracker.com.

  10. MINORS

    You must be aged 16 or over to use the Websites and our other digital offerings. We do not solicit or knowingly collect personal information from children aged 16 and under. If we are made aware that we have received such information, or any information in violation of our policy, we will use reasonable efforts to locate and remove that information from our records.

  11. LINKS TO OTHER WEBSITES

    Our Websites may contain links to other websites that are not operated or controlled by us. We do not control such third-party websites or their privacy practices. Any personal information you choose to give to third-party websites is not covered by this GDPP. If you have reasons to believe that your interaction with us is no longer secure, please immediately notify us of the problem by contacting us as set out below.

  12. Data Security

    We implement technical and organizational measures to protect your data against unauthorized access, alteration, or loss. These include encryption, access controls, and regular security audits. While we use industry-standard precautions to safeguard your personal information, we cannot guarantee complete security. 100% complete security does not presently exist anywhere online or offline.

  13. Cookies and Tracking Technologies

    We use cookies to enhance user experience, analyse traffic, and provide targeted advertisements. You can manage your cookie preferences through your browser settings. You can find more details about cookies in our Cookies Policy.

  14. Policy Updates

    Nextracker may update this GDPP to reflect regulatory changes or business practices. Any modifications will be posted with an updated effective date.

    For further inquiries about this policy, please contact us: privacy@nextracker.com

  15. Breach

    In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Nextracker shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the competent authority.

Country Specific Appendix

  1. RIGHTS AND DISCLOSURES SPECIFIC TO CALIFORNIA RESIDENTS

    If you are a resident of the U.S. state of California, you have certain rights granted by the California Consumer Privacy Act (“CCPA”) and is described in this Country Specific Appendix of the GDPP. This portion of the Country Specific Appendix of the GDPP describes the rights of California residents.

    Right to Opt Out of the Sale of Personal Information
    We share (as the terms are defined under the CCPA) personal information when you interact with a Website. You have the right to opt-out of the sharing of your personal information with third parties. We do not knowingly share personal information of any individual under 16 years of age. If you opt-out, we will wait at least 12 months before asking you if we may share your personal information.

    Your Rights

    Your Right to Request Disclosure of Information We Collect and Share About You

    If you are a California resident, you have the right to ask us for any or all the following types of information regarding the personal information we have collected about you prior to our receipt of your request:

    • Specific pieces of personal information we have collected about you;
    • Categories of personal information we have collected about you;
    • Categories of sources from which such personal information was collected;
    • Categories of personal information that the business sold or disclosed for a business purpose about the consumer;
    • Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
    • The business or commercial purpose for collecting your personal information.

    Your Right to Request Deletion of Personal Information We Have Collected About You

    Additionally, California residents have the right to request that we delete the personal information we have collected about you, except for situations where the CCPA authorizes us to retain specific information, including when it is necessary for us to provide you with services that you requested; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law. The law also permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us. We will act on your deletion request within the timeframes set forth below.

    Exercising Your Rights and How We Will Respond

    Residents of California may exercise their access or deletion rights, or to ask a question about your data subject rights, by contacting us at privacy@nextracker.com.

    We will first acknowledge receipt of your request within 10 business days of receipt of your request. We will then provide a substantive response to your request as soon as we can, generally within 45 days from when we receive your request, although we may be allowed to take longer to process your request under certain circumstances. If we expect your request is going to take us longer than normal to fulfill, we will let you know.

    We usually act on requests and provide information free of charge, but we may charge a reasonable fee to cover our administrative costs of providing the information in certain situations. In some cases, the law may allow us to refuse to act on certain requests. When this is the case, we will endeavor to provide you with an explanation as to why.

    Our Commitment to Allowing You to Exercise Your Rights – Non-Discrimination

    If you exercise any of the rights explained in this GDPP, we will continue to treat you fairly. If you exercise your rights under this GDPP, you will not be denied or charged different prices or rates for products or services or provided with a different level or quality of products or services than others.

    Verification of Identity – Access or Deletion Requests

    We will ask California residents for identifying information and attempt to match it to information that we maintain about them to verify their request. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to your request. We will notify you to explain the basis of the denial.

    Authorized Agents

    You may designate an agent to submit requests on your behalf. The agent must be a natural person or a business entity that is registered with the California Secretary of State. If you would like to designate an agent to act on your behalf, you and the agent will need to comply with our verification process. Specifically, if the agent submits requests to access, know or delete your Personal Information, the agent will need to provide us with your signed permission indicating the agent has been authorized to submit the opt-out request on your behalf. We will also require that you verify your identity directly with us or confirm with us that you provided the agent with permission to submit the request.

    Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney. Any such requests will be processed in accordance with California law pertaining to powers of attorney.

    California Shine the Light
    California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents that have an established business relationship with a business to annually request, free of charge, information about certain categories of personal information a business has disclosed to third parties for those parties’ direct marketing purposes in the preceding calendar year.

    California Do Not Track
    Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. Currently, we do not respond to browsers’ do not track signals.

  2. EEA/UK DATA SUBJECT RIGHTS

    If you are located in the EEA/UK, you may have legal rights under applicable laws, which may be subject to certain limitations and/or restrictions. These rights may include to:

    • request access to personal information we hold about you;
    • correct personal information when incorrect, out of date or incomplete;
    • request that we erase your personal information;
    • opt-out of any marketing communications that we may send you and to object to us using / holding your personal information if we have no legitimate reason to do so;
    • request that we restrict the processing of your personal information (i.e., we would need to secure and retain the data for your benefit but not otherwise use it);
    • withdraw your consent at any time; and
    • the portability of personal information (i.e., ask for a copy of your personal information to be provided to you, or a third party, in a digital format).

    All such requests should be made using the contact details set out in the Data GDPP. Please be advised that if you request that your personal information be deleted, you may no longer be able to access or use certain parts of the Website. By accessing your account on the Website, you may at any time modify or delete personal details such as name, address and country of residence. You may also delete your personal account at any time.

    We will respond to any request in writing, or orally if requested, as soon as practicable and in any event not more than within one (1) month after receipt of that request. In exceptional cases, we may extend this period by two (2) months, and we will provide reasons. We may request proof of identification to verify your request. For more details in relation to your rights, including how to exercise them, please contact us using the contact details as set out below.

    You also have the right to lodge a complaint about the processing of your personal information with your local data protection authority.

  3. BRAZILIAN DATA SUBJECT RIGHTS

    If you are in Brazil this GDPP also applies and you may have legal rights under Brazilian Law “LGPD” and other applicable laws, which may be subject to certain limitations and/or restrictions. These rights may include to:

    • request access to personal information we hold about you;
    • correct personal information when incorrect, out of date or incomplete;
    • request that we erase your personal information except those that may be retained for compliance with legal and/or regulatory purposes;
    • opt-out of any marketing communications that we may send you and to object to us using / holding your personal information if we have no legitimate reason to do so;
    • withdraw your consent at any time; and
    • the portability of personal information (i.e., ask for a copy of your personal information to be provided to you, or a third party, in a digital format).

    All such requests should be made using the contact details set out in the Data GDPP or through Nextracker Brasil Ltda.’s Data Protection Officer (DPO – “Encarregado de Proteção de Dados”) Regiane Alves Gomes at rgomes@nextracker.com.

    Please be advised that if you request that your personal information be deleted, you may no longer be able to access or use certain parts of the Website. By accessing your account on the Website, you may at any time modify or delete personal details such as name, address and country of residence. You may also delete your personal account at any time.

    We will respond to any request in writing as soon as practicable and in any event not more than within fifteen (15) days after receipt of that request. We may request proof of identification to verify your request. For more details in relation to your rights, including how to exercise them, please contact us using the contact details as set out below.

    You also have the right to lodge a complaint about the processing of your personal information with your local data protection authority the ANPD (“Autoridade Nacional de Proteção de Dados”).

    Contact Details:

    Nextracker Brasil Ltda. DPO – Encarregado de Proteção de Dados – Regiane Alves Gomes rgomes@nextracker.com

 

1The term “Nextracker,” the “Company,” “we,” “us,” and “our,” may refer to Nextracker Inc. or one or more of the Nextracker Inc. subsidiaries or to all these entities taken as a whole. All these terms are used for convenience only and are not intended as a precise description of any of the separate companies.