IDEAL BALTIC ELECTRIC CARS

PRIVACY RULES

Osaühing Ideal Baltic (Ideal Baltic or we) offers its customers (natural and legal persons; hereinafter also referred to as you) a car rental service (hereinafter also referred to as the Vehicle) activated and used on our website www.myavis.ee/en/ and mobile app (hereinafter also referred to as theService).

Protecting your privacy is very important to us when we provide services to you and collect and use your data (including your personal data). We therefore want you to understand the types of personal data we collect about you and how we use it. The purpose of this privacy policy is to give you an overview of how we use your personal data.

Definitions

For a better understanding, we would like to explain some of the terms used in this document.

The GDPR is the General Data Protection Regulation (EU 2016/679), which was implemented on 25 May 2018 and is directly applicable in all EU Member States.

Mobile App means an application for smartphones, tablets and/or other mobile devices that allows you to reserve, unlock, lock and/or perform other actions on the Vehicle as set out in the Software.

Personal data means any type of information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

Processing means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The controller is the subject who decides why and how personal data are collected and processed.

A processor is a person who processes personal data on behalf of the controller.

Terms and Conditions means the terms and conditions applicable to your use of our Services, which are available at [saite uz tīmekļa vietni].

1. Data Controller

Osaühing Ideal Baltic

Registration number: 10614625

Address: Peterburi tee 47c, 11415 Tallinn, Estonia

E-mail: admin@avisnow.eu

2. The type of personal data we collect and process, the purposes of use and the lawful basis.

• Services ordered by natural persons

When you use our services, we collect different types of information. Some information is collected from you personally when you register to use the service (identification data) or specifically consent to certain uses (marketing data), some information is collected automatically when you use the service (usage data). We may also obtain information (including personal data) from public sources such as business/trade registers, the internet and from third parties such as credit registers for background and credit analysis.

Identification data

• Name (first and last name)
• Mobile phone number
• E-mail address
• Login details: username and password (the password will be stored in encrypted form and will not be visible in clear text at any time).
• Driving licence number

Purposes and legal basis for processing of identification data:

• Creating and accessing a user account, registering a user, signing a service contract (N&N). The legal basis for such use is contractual necessity (Article 6(1)(b) GDPR).
• Service-related communications, such as billing, user support, exchanging information with third-party service providers within our services. The legal basis for such use is contractual necessity (Article 6(1)(b) GDPR).
• Managing your accounts, assets and debts. The legal basis for this use is usually our legitimate interests (Article 6(1)(f) GDPR), but in some cases it may also be our legal obligation (Article 6(1)(c) GDPR), for example to keep basic accounting records.
• Managing accidents involving Vehicles and sending information to insurance companies if necessary. The legal basis for this use is our legitimate interests (Article 6(1)(f) GDPR).

Payment information

• Payment card information (issuer, cardholder, card number, card expiry date) will be processed and stored by the third party payment service provider Stripe for payment processing and fraud prevention purposes. Stripe is an independent data controller, so please read its privacy policy at: www.stripe.com/en-ee/privacy.
• Information about the services you have purchased from us and the payments you have made.
• Information about the amounts that have been credited to your account (system wallet) by a third party (e.g. your employer) and their balance.

Purposes and legal basis for processing payment information:

• Provision of services and management of your user account under the N&N. The legal basis for such use is contractual necessity (Article 6(1)(b) GDPR).
• Managing our accounts and assets. The legal basis for this use is usually our legitimate interests (Article 6(1)(f) GDPR), but in some cases it may also be our legal obligation (Article 6(1)(c) GDPR), for example to keep key accounting records.
• The possibility to use the system wallet as a payment method for services under the N&N. The legal basis for such use is contractual necessity (Article 6(1)(b) GDPR).

Application data

• Your login details
• GPS data
• IP address
• Battery data
• Vehicle screen data
• Speed of the vehicle you are using
• Distance travelled by the vehicle while you are using it
• Electric scooter battery charge level
• Data generated by the vehicle/mobile app, such as location, driving habits, speed
• Information about your use of our website, mobile app and Vehicles (including journey and location history)
• Type and version of browser/phone
• Your preferred settings.

Purposes and legal basis for processing information on use:

• Provision of services as defined in the N&N. The legal basis for such use is contractual necessity (Article 6(1)(b) GDPR).
• Service support. The legal basis for such use is contractual necessity (Article 6(1)(b) GDPR).
• Generating statistics and analysing user data (including gaps) to maintain and develop the Services. The legal basis for such use is our legitimate interests (Article 6(1)(f) GDPR).
• Protecting our assets by using GPS data to locate Vehicles. The legal basis for this use is our legitimate interests (Article 6(1)(f) GDPR).

Marketing data

• Details of whether you have consented to marketing
• Details of your choice of marketing channels (email, mobile or both).

Purposes and legal basis for processing marketing information:

• Marketing our services and products. The legal basis for such use is your consent (Article 6(1)(a) GDPR).

• Services ordered by legal persons

If our services are ordered or paid for by a legal entity (e.g. by crediting the user’s account / system wallet) for use by its employees or customers, we still collect and process the same information as described in section 2.1 about the actual users of the services. As we enter into an N&N with each user, we have a direct relationship with the user and the data processing is based on the same legal basis as described in section 2.1 above.

In the case of legal persons, we additionally collect the following information:

• company name;
• company registration number;
• VAT registration number;
• the name, surname, telephone number and e-mail address of the person who represents the legal entity(legal entity representative) and is responsible for the performance of the contract and the management of the service users.

In this case, we process the personal data of the representative of the legal person in order to contact our client (i.e. the legal person) for the provision of the services we have agreed with the client. The legal basis for this is our legitimate interests (Article 6(1)(f) GDPR) – we need to contact the legal person and if you are acting as their representative, we assume that the legal person has informed you of your appointment as our contact person so there is a balance of interests and we are not infringing your interests, rights and freedom. Where the processing of personal data is based on legitimate interests, the data subject always has the right to object to such processing. If you object, we will inform our client, asking them to provide us with information about a new contact person or otherwise comment on your objection.

3. Yours sharing your data

We only make your personal data available to employees who need it to perform their job (on a so-called “need-to-know” basis). Outside the Company, we may share your data with such persons in the following circumstances and only to the extent necessary:

• Our service providers: your data may be accessed by persons who provide services to us and process your data on our behalf (data processors) and to the extent necessary for the provision of such services. These include providers of hosting, maintenance, service billing and development services for websites and mobile applications.

• To public authorities and public bodies (e.g. police, courts, data protection authorities): we will only disclose your data if and to the extent that we are legally obliged to do so.

• Third parties in connection with legal processes (e.g. legal, financial advisors): we may share or disclose your data where it is necessary to protect our property and rights (including for this purpose to bring legal claims), to enforce our contracts, to defend ourselves against third party claims.

• Third parties in connection with corporate transactions: we may share your information with third parties in connection with corporate transactions, such as the sale of our business or the issue of new shares to investors, or the sale of our business/assets to another company. This may also occur in the context of a joint venture, merger or other reorganization.

In general, your personal data is processed in the European Economic Area (EEA). However, if it is necessary to transfer data outside the EEA, we comply with the requirements of the GDPR governing such transfers.

4. Retention of personal data

We keep your data for as long as necessary for the purposes of processing described in this Privacy Policy and to comply with all mandatory legal requirements. The criteria we use to determine the retention period for different categories of personal data are:

• whether you are an active customer or not – how often you use our services or when you last rented a Vehicle;
• whether there are contractual or legal obligations that require us to keep the data for a certain period of time;
• whether there are any proposed or potential legal claims relating to the rental of a Vehicle you have made with us or otherwise relating to your relationship with us;
• whether the applicable law, statute or regulation allows a specific retention period;
• what the data retention expectations were at the time the data was provided to us.

In addition, we may process data in aggregated or anonymised formats, for example for analytical and statistical purposes and to improve and develop our services.

You can obtain more specific information about the retention of your personal data by sending a request to the email address provided in Section 1 of this Privacy Policy.

5. Your rights

Right of access – you have the right to know what data we hold about you (if any).

Right to rectification – you have the right to request the rectification of your personal data if it is inaccurate or incomplete.

Right to erasure – you have the right to request the erasure of your personal data under certain conditions, including where the processing of your personal data is no longer necessary for the purposes for which it was collected or where the processing of your personal data was based on your consent and you wish to withdraw your consent and there are no other grounds for processing your personal data.

Right to restrict processing – in certain circumstances, you have the right to prohibit or restrict the processing of your personal data for a certain period of time (for example, if you have submitted an objection to processing).

Right to object – you have the right to object to processing based on our legitimate interests. Upon receipt of such an objection, we will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing or the processing is necessary for the establishment, exercise or defence of legal claims. You also have the right to object at any time to the processing of your personal data for direct marketing purposes. Upon receipt of such an objection, we will stop processing your personal data for direct marketing purposes.

To exercise your rights, please send the relevant request to the email address provided in Section 1 of these Privacy Terms. We have the right to respond to your request within 30 days.

6. Right to lodge a complaint with the supervisory authority

If you require further information about your personal data or the exercise of your rights, you may contact us at the email address set out in Section 1 of this Privacy Policy.

If you consider that the processing of your personal data does not comply with legal requirements, you have the right, without prejudice to other administrative or judicial remedies, to lodge a complaint with a supervisory authority, in particular in the Member State where you are domiciled, where you have your place of work or where the alleged infringement took place. In Estonia, the supervisory authority is the Data Protection Inspectorate (Andmekaitse Inspektsioon).

7. Amendments to these Privacy Terms

We may unilaterally amend this Privacy Policy from time to time, in particular if there are changes to the law governing the protection of personal data or to our data processing practices. In the event of a material change, we will notify you in advance. An updated and valid version of the Privacy Terms is always available on our website https://www.myavis.ee/en/privacy-policy.