Privacy policy
Ideal Private Limited Company (“Ideal” or “us” in its various meanings) offers its customers (both natural and legal persons; also “you” in its various meanings) an electric scooter and car (also “vehicle”) rental service, which is activated and used through our website www.myavis.ee/et/avisnow and mobile application (the “Service”).
Your privacy is important to us in the provision of the Services and in the collection and use of your information (including your Personal Data). So, we want you to know the types of personal information we collect about you and how we use it. The purpose of the Privacy Policy is to give you an overview of how we use your personal data.
Definitions
For a better understanding, we explain the terms used in the Privacy Policy.
The General Data Protection Regulation (GDPR) is the EU General Data Protection Regulation (2016/679), which was implemented on 25 June 2016. from 1 May 2018 and which is directly applicable in all EU Member States.
A mobile app is an application software for smartphones, tablets and/or other mobile devices that can be used to book, unlock, lock and/or perform other software-enabled operations.
Personal data are any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, by reference to his or her name, identity number, location, network identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
The processing of personal data is any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation and alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The controller is the entity that decides why and how personal data is collected and processed.
An authorised processor is an entity that processes personal data on behalf of the controller.
The Terms are the terms and conditions applicable to the use of our services and can be found at www.myavis.ee/et/kasutajatingimused.
1. Data Controller
Private Limited Company Ideal Baltic
Registration number: 10614625
Address: Peterburi tee 47c, Tallinn, Harjumaa, Estonia
E-mail address: info@avisnow.eu
2. The type of personal data we collect and process, the purposes for which we use it and the legal basis for our processing.
2.1 Services commissioned by natural persons
When you use our services, we collect different types of data. Some data is collected from you personally when you register as a user of the service (identification data) or when you provide specific consent for certain uses (marketing data). Some data is collected automatically when you use the service (usage data). We may also obtain information (including personal information) from public sources, such as business/trade registers, the internet, and third parties, such as payment default registers, to analyse your background and credit information.
Identification details
- Name (first name and surname)
- Mobile phone number
- E-mail address
- Login details: username and password (the password is stored in encrypted form and is never shown as text).
- Driving licence number
Purposes and legal basis for processing identification data
- Creating and logging into a user account, registering a user, concluding a service contract (terms and conditions). The legal basis for the use is contractual necessity (Article 6(1)(b) GDPR).
- Service-related communications, such as billing, user support, communications with third-party service providers operating within the scope of our services. The legal basis for the use is contractual necessity (Article 6(1)(b) GDPR).
- Managing our accounts, assets and debts. The legal basis for the use is usually our legitimate interest (Article 6(1)(f) GDPR), but in some cases it may also be our legal obligation (Article 6(1)(c) GDPR), e.g. the storage of accounting records.
- Managing vehicle accidents and forwarding information to insurers where necessary. The legal basis for the use is our legitimate interest (Article 6(1)(f) GDPR).
Payment details
- Payment card data (issuer, cardholder, card number, card expiry date) are processed and stored by the third party payment service provider Stripe for payment processing and fraud prevention purposes. Stripe is an independent data controller and we therefore invite you to read its privacy policy at www.stripe.com/en-ee/privacy.
- Information about the services you have purchased from us and the payments you have made.
- Details of the amounts transferred from a third party account (e.g. your employer) to your account (system wallet) and the balance of the account.
- Purposes and legal basis for processing payment data
- Providing the Services and managing your account in accordance with the Terms. The legal basis for the use is contractual necessity (Article 6(1)(b) GDPR).
- Managing our accounts and assets. The legal basis for the use is usually our legitimate interest (Article 6(1)(f) GDPR), but in some cases it may also be our legal obligation (Article 6(1)(c) GDPR), e.g. the storage of accounting records.
- Allowing the use of a wallet as a way of paying for services in accordance with the conditions. The legal basis for the use is contractual necessity (Article 6(1)(b) GDPR).
Usage data
- Your login details
- GPS data
- IP address
- Battery data
- Data on vehicle displays
- Speed of your used vehicle
- Distance travelled by the vehicle during your period of use
- Electric scooter battery charge level
- Data generated by the vehicle/mobile app, such as location, driving style, speed.
- Information about how you use our website, mobile app and vehicles (including trip and location history).
- Browser/mobile phone type and version
- Your preferences settings
- Purposes and legal basis for processing
- Provision of services in accordance with the conditions. The legal basis for the use is contractual necessity (Article 6(1)(b) GDPR).
- Providing service support. The legal basis for the use is contractual necessity (Article 6(1)(b) GDPR).
- Keeping and developing the statistics needed to maintain and develop services and analysing user data (including gaps). The legal basis for the use is our legitimate interest (Article 6(1)(f) GDPR).
- Protecting our assets by using GPS data to pinpoint the location of our vehicles. The legal basis for the use is our legitimate interest (Article 6(1)(f) GDPR).
Marketing data
- Details of whether you have consented to receive marketing material.
- Details of your marketing channel preferences (email address, mobile phone or both).
Purposes and legal basis for processing marketing data
- Marketing our services and products. The legal basis for the use is your consent (Article 6(1)(a) GDPR).
2.2 Services commissioned by legal persons
Where our services are subscribed to or paid for by a legal entity (e.g. by transferring funds to a user account / system wallet) in order for the service to be used by its employees or customers, we will still collect and process the data described in section 2.1 about the actual users of the services. As we enter into terms and conditions with each user, we have a direct relationship with the user and the processing of the data is based on the same legal basis as described in section 2.1 above.
For legal persons, we also collect the following information:
- company business name;
- company registration code;
- VAT registration number;
- the name, telephone number and e-mail address of the person who represents the legal person (hereinafter referred to as the legal person’s representative) and who is responsible for the performance of the contract and the management of the users of the service.
In this case, we process the personal data of the legal representative for the purpose of communicating with the customer (i.e. the legal person) in order to provide the services as agreed with the customer. The legal basis for this is our legitimate interest (Article 6(1)(f) of the GDPR) – we need to communicate with the legal person and, if you are acting on their behalf, we will assume that the legal person has informed you of our designation as their contact person. So the interests are balanced and we do not conflict with your interests, rights or freedoms. Where the processing of personal data is based on legitimate interest, the data subject has the right to object at any time to the processing of personal data. If you raise an objection, we will inform your customer by asking them to nominate a new contact person or otherwise comment on your objection.
3. Sharing your data
In our company, your personal data is only available to those employees who need it to perform their job duties (need-to-know access). Outside the company, we may share your information with the following parties in the following circumstances and only to the extent necessary:
- our service providers: your data is accessed by persons who provide services to us and process your data on our behalf (processors). Such persons shall have access to the extent necessary for the provision of the above services. These include providers of website and mobile app hosting and maintenance services, service-related billing services and development services;
- public authorities and public bodies (e.g. police, courts, data protection authorities): we will only disclose your data if and to the extent that we are legally obliged to do so;
- third parties involved in legal proceedings (e.g. legal and financial advisers): we may share or disclose your information where it is necessary to protect our assets and rights (including to make legal claims necessary for this purpose), to enforce our contracts, to defend ourselves against third party claims;
- third parties in connection with business transactions: we may share your data with third parties in the context of a business transaction, for example, when selling a company, issuing new shares to investors or selling a company’s business/assets to another company. We may also do so in the case of a joint venture, merger or other reorganisation.
Generally, your personal data will be processed within the European Economic Area (EEA). Where data transfers to countries outside the EEA are necessary, we will comply with the requirements of the General Data Protection Regulation governing data transfers.
4. Retention of personal data
We will keep your data for as long as necessary for the purposes of the processing described in this Privacy Notice and to comply with mandatory legislation. The criteria used to determine the retention period for different types of personal data are:
- whether or not you are an active customer – how often you use our services or when you last rented a vehicle;
- whether there are any contractual or legal obligations under which we must retain data for a certain period of time;
- whether there is a pending or threatened legal claim relating to your hiring a vehicle from us or otherwise relating to your relationship with us;
- whether the applicable legislation sets a specific retention period;
- what retention period was assumed at the time the data were provided to us.
In addition, we may process data in aggregate or anonymised form, for example for analytical and statistical purposes and to improve and develop our services.
If you would like more information about the storage of your personal data, please send a request to the email address provided in section 1 of this Privacy Policy.
5. Your rights
Right of access – you have the right to know what information we hold about you.
Right to rectification – you have the right to request the rectification of your personal data if it is inaccurate or incomplete.
Right to erasure – You have the right to request the erasure of your personal data under certain circumstances, including where the processing of your personal data is no longer necessary for the purposes for which it was collected, or where the processing of your personal data was based on your consent and you wish to withdraw your consent and there are no other grounds for processing your personal data.
Right to restriction of processing – you have the right, in certain circumstances, to prohibit or restrict the processing of your personal data for a certain period of time (e.g. if you have objected to the processing).
Right to object – You have the right to object to the processing of data based on our legitimate interest. If you object, we will stop processing your personal data unless we can prove that the processing is carried out for legitimate grounds or is necessary for the establishment, exercise or defence of legal claims. You also have the right to object at any time to the processing of your personal data for direct marketing purposes. Upon receipt of this objection, we will stop processing your personal data for direct marketing purposes.
If you wish to exercise your rights, please send a request to the email address provided in section 1 of the Privacy Policy. We reserve the right to take up to 30 days to respond to your request.
6. Right to lodge a complaint with a supervisory authority
If you would like more information about your personal data or the exercise of your rights, you can contact us at the email address set out in section 1 of this Privacy Policy.
If you consider that the processing of your personal data is in breach of the law, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you are habitually resident or employed or where the alleged breach took place, without prejudice to any other administrative or judicial remedy. In Estonia, the relevant supervisory authority is the Data Protection Inspectorate.
7. Changes to the Privacy Policy
We may unilaterally change the Privacy Policy, if necessary, in particular in the event of changes in the legislation governing the protection of personal data or our own data processing practices. We will notify you in advance of any significant changes. An updated and current version of the Privacy Policy is available at any time on our website at www.myavis.ee/et/privaatsustingimused.