13 Nov. 2023

Overview

We respect and protect your privacy. This Data Protection Declaration sets out how we collect, use, disclose, process, manage and transmit personal information, and also informs you of your privacy rights. This applies to mobility services which can be rented through the ALPACA app or partner apps.

Unless otherwise specified below, we are a data controller for the personal data collected from our users within the European Economic Area. We have appointed a data protection staff who can be reached at support_eu@maasasia.com or at one of our postal addresses. "We" are a private limited liability company registered under the laws of the Federal Republic of Germany, and "you" are a person requesting vehicle rental service through the ALPACA app account or a rider of the vehicle.

Data collection and processing when using our app and services

To use ALPACA services in our app, registration is required by providing personal data.

1. Registration / Sign up

To create an account and register with ALPACA app, we require the following information from you:
your name, phone number, email address and your payment method information
In some cases, we may require information about your driver’s license and proof of age, depending on your country, your usage, and certain services provided.

This information is provided by yourself by entering in our app.

Pursuant to Article 6(1)(b) GDPR, registering and account creation is prerequisite for the rental service contract.

2. Data collection and processing when using the ALPACA app

Your current IP address and information about your end device (e.g. device type, operating system used, version, device ID(IDFA/ADID), language), along with the data and time of access and the retrieved content or data, are automatically transmitted to our servers when you use the app or your end device (‘access data’). This information is collected automatically as it is technically necessary for the functioning of our app.

The legal basis for data processing is Article 6(1)(b) GDPR, as it is essential for providing app functionalities and our services. Additionally, data processing is conducted in accordance with Article 6(1)(f) GDPR, based on our legitimate interest in ensuring continuous functionality and security, as well as the ongoing development of the app and our services.

(1) App permissions

To utilize our rental services, we require access to specific functions of your device (referred to as ‘permissions’). Depending on your operating system, you shall explicitly grant or revoke these permissions. Any data accessed through these authorizations will only be utilized for the purposes outlined in this Data Protection Declaration.

Access to your camera function is required for scanning the QR code on the vehicle before renting. In addition, we require access to the photo gallery for profile settings in your account, and we request camera access permissions for proper parking and return photos. In certain countries, the camera is also needed to verify your driver’s license and identity verification to comply with local authorities.

We require your location information to display nearby vehicles and provide directions to find them. Furthermore, we analyze location data when you use the app or rent a vehicle to enhance our offerings and tailor them to your preferences.

The lawful grounds are in accordance with Article 6(1)(b) of the GDPR, as the processing of data is necessary for the performance of the app’s functions and the provision of our services.

(2) ALPACA app analysis and further development

To consistently enhance our services, we aim to comprehend user interactions within our app. For this purpose, we gather and analyze the subsequent technical data: device details (such as device, operating system, app version, language, and time zone), instances of ALPACA app usage, user engagement and behavior within the app (e.g., vehicle selection), duration of app usage, and device location.

Furthermore, we use a service to acquire diagnostic information including device type, device identification, operating system edition, app condition during crash, crash pathway, and internal app technical logs when the app experiences a crash. This data does not include directly identifiable personal information. It is employed for error analysis within the app, thereby enhancing its reliability and stability.

In addition, we use a service to obtain diagnostic information such as device type, device ID, OS version, state of the app at the time of the crash, crash trace, internal app technical log data when the app crashes. This information does not contain any directly identifiable personal data. We use it to analyze errors in the app and thus improve stability and reliability.

Based on the legal basis of GDPR Article 6(1)(f), we rely on our legitimate interest to analyze app errors in an anonymized format and modify the app for improvement purposes. To enhance the app and our services, we collect the following information and provide it with third parties.

Information provided to third parties

Information stored in-house

(3) Purpose of Use and Processing

Generally, we use collected information as set out in the table below.

(4) Google Maps

The ALPACA App uses Google Maps API services provided by Google, enabling the display of interactive maps within our app. This functionality is crucial for the full provision of our content and services. Alongside presenting available vehicles, we use Google Maps to convert geographical coordinates into addresses and to provide you with estimated walking distance to your selected vehicle.

You can view

The Google Terms of Use

Terms of use for Google Maps/Google Earth

The Google privacy policy

The legal basis for this data processing is Article 6(1)(b) of the GDPR, it is necessary for the performance of the app’s functionalities and our services.

(5) Event and Promotions

We may occasionally share your information with business partners co-sponsoring events (e.g., event sponsors). If required by applicable law, we will obtain your prior consent. You may withdraw your consent at any time or request discontinue the sharing of your personal information with our business partners and third parties by contacting us as defined by the law.

The data processing is carried out based on the legitimate interests as previously mentioned pursuant to Article 6(1)(b) GDPR.

3. Data collection and processing when renting a ALPACA vehicle

When you rent a vehicle, we collect and handle supplementary data through the app and concerning our vehicles. This is carried out under the legal framework of Article 6(1)(b) of the GDPR when the data processing is necessary for the performance of the rental contract, and under Article 6(1)(f) of the GDPR when it is based on our legitimate interest in maintaining the app’s continuously functionality and security, as well as improving our services.

(1) Data collection in our app

We capture your device location at the start and end of the rental period when you rent a vehicle. For efficient operations, we collect user-provided return photos and travel routes to monitor their movement, for instance, to verify the return location, confirm compliance with service area boundaries, and identify instances of improper parking. Given that a rental agreement is established for each transaction, we retain records of the duration of your usage and the specific vehicle rented. We use this information primarily for invoicing purposes.

(2) Data collection by our vehicles

The vehicles are equipped with what we refer to as “IoT boxes”, which transmit data such as the vehicle location and diagnostic information (e.g., battery status) at frequent, brief intervals. This enables us to monitor the location and speed of the vehicles. Notably, the IoT boxes continue to send data irrespective of whether a vehicle is currently in use or not.

We process data related to the rental specifically for the following reasons:

4. Data collection during contact and communication

(1) Contacting us

If you reach out to us through an email, we will use the information you provided to address your request and any possible follow-up questions. Records of our communication will be retained pursuant to legal retention requirements, with a minimum retention period until your customer account is closed.

The legal basis for processing your requests is pursuant to Article 6(1)(f), serving both your and our legitimate interests in addressing your inquiries.

(2) Our contractual communication with you

Moreover, we will provide you with essential updates regarding our services, changes to our Terms and Conditions, pricing, and related subjects through email or push notifications. You will find more information on marketing communications below.

To receive push notifications, you will need to confirm or enable the option for receiving push notifications via our app on your device. You retain the ability to disable the receipt of push notifications at any time. This can be done in the app settings within the “Notifications” menu on iOS and Android devices.

The legal foundation for this process is outlined in Article 6(1)(b) GDPR, in cases where information pertains to the contractual relationship. Otherwise, it is based on your and our legitimate interest in providing you with pertinent information, as stated in Article 6(1)(f) GDPR.

(3) Social media appearances

In the event that you publish information related to or associated with our social media profiles on the relevant platform (e.g., public postings / messages, comments, images, videos, likes), the respective platform provider will be responsible for publishing this data. We do not use this data for any other purpose. If the respective social media platform provides the function, we may share your content that has been published on the platform through our own profile.

We retain the right to remove content from our own profile to the extent that it is possible and deem necessary by us. The content you publish will be deleted following the standard procedures and policies of the specific social media platform.

We reserve the right to delete content on our own profile to the extent this is possible and appears necessary to us. The content you publish will be deleted in accordance with the usual procedures and policies of the respective social media platform.

If you reach out to us via social media platforms, we may engage with you through the platform to address your inquiries. We will delete the data collected in this context once storage is no longer necessary, or we will restrict processing if there are legal retention obligations, provided such deletion or restriction of processing is feasible within the respective social media platform. Please be aware that communication via social media platforms may not be entirely secure. You are also welcome to contact us through other means as outlined in this Data Protection Declaration.

We generally only use aggregated, anonymous usage statistics provided by social media platforms. We do not make use of any enhanced advertising options related to social media platform profiles (e.g., interest-based, behavior-based, or location-based advertising).

We are unable to control the data collected by social media platforms or the complete extent of data collection, processing objectives, or storage periods. Especially, our experience has shown that social media platform providers store your data as user profiles and use them for purposes such as advertising, market research, and demand-oriented design of the platform. Where possible, for instance through settings and configurations, we strive to ensure that the respective social media platform processes your personal data in compliance with data protection laws.

You can find more detailed information on the data processing of social media platforms in the data protection declarations of the respective providers.

GDPR Article 6(1)(f), the processing of data related to our presences on social media is based on our legitimate interest for promotional and communication purposes.

5. Payment processing and VAT reporting

We use external service providers to process payments and VAT reporting. To process your payment and VAT reporting, we may transmit the information required as follows:

Please refer to the data protection policy of the respective payment provider for the legal basis for the data processing performed under the responsibility of the payment service providers:

VAT reporting agency

Countx, Countx GmbH, Chausseestrasse 6, 10115 Berlin, Germany (“Countx”). For more information, please see CountX’s privacy policy (countX | Privacy)

Payment service provider

Paypal, a Paypal (Europe) S.à r.l. et Cie, S.C.A. company, 22 24 Boulevard Royal, 2449 Luxembourg, Luxembourg (“Paypal”). For more information, please see Paypal’s privacy policy (privacy-full.pdf (paypalobjects.com))

Mollie, Mollie B.V., Keizersgracht 126, 1015CW Amsterdam, Netherlands (“Mollie”). For more information, Please see Mollie’s privacy policy (Mollie – Privacy statement)

The available payment options and service providers may vary depending on the country.

If not given us your consent pursuant to Article 6(1)(a), the legal basis for transferring data to the payment service providers as part of the contract processing is GDPR Article (6)(b) as it is necessary for the processing related to the settlement of the rental contract.

6. Damage and accidents

If there is any vehicle damage or accidents involving our vehicles, we will process your data (including personal, contractual, location, and route data) for customer support, claims resolution, handling and settlement, receiving and managing complaints, securing and enforcing our own claims, and preventing further damage to either party.

In this regard, we may share data with insurance companies for the purpose of processing claims and with relevant authorities (such as in the context of providing testimony, hearings or being involved in administrative or criminal proceedings).

Our legitimate interests lie particularly in resolving claims and accidents, especially to prevent harm to the company. The legal basis is GDPR Article 6(1)(b), (c) and (f), and if health data is involved in the accident, GDPR Article 9(2)(f) applies.

7. Disclosure of data in case of criminal or administrative offenses or contract violations

In the context of investigations into criminal or administrative offenses, we may disclose data (e.g., master data, route/location data, contract data, communication) to the relevant law enforcement authorities, particularly in the context of witness or defendant testimony. These actions may be taken, especially if there is a violation of traffic regulations, parking rules, or similar laws. For instance, if a vehicle is found to have violated contractual agreements or road traffic regulations and is improperly parked, posing a threat of fines or penalties to ALPACA, we may share data regarding who last rented and parked the vehicle with the relevant authorities. This also applies in the case of accidents, speeding, and similar offenses. In the aforementioned cases, if a third party makes a legitimate claim against ALPACA, we may also share your data with the claimant.

If you are suspected by the relevant authorities of having committed a criminal or administrative offense related to our vehicles or services, we reserve the right to process data provided by the authorities in relation to this matter.

If there is a legal obligation to be fulfilled, the legal basis is GDPR Article 6(1)(c). Otherwise, if it is not the case, GDPR Article 6(1)(f) is applicable as it is necessary for our legitimate interest in preventing harm to the company, protecting vehicles, and exercising contractual and non-contractual rights.

8. Public partners

Our services may be provided through or operated in certain locations in collaboration with governmental or administrative departments where sometime requiring government or administrative approval/permission. Our business partners may include governmental agencies, local (municipal, provincial, urban) administrative authorities and local quasi-governmental agencies (e.g., city transportation authorities, regional public transportation operators, and designated data collectors). If necessary to operate in specific cities or locations or to assist local authorities in improving, guiding, or managing urban planning activities, public transportation services, traffic congestion, or our vehicles or services (e.g., vehicle parking area designation, issuance of parking spaces), we may take the following measures: share your information with public partners. In some cases, it may be necessary to share your information with public partners in accordance with the law or regulations.

The data provided to authorities does not directly identify individuals and is used for purposes of service management and planning, conducting research, and performing analysis.

9. Perks for certain users

Based on the rental location, we provide discounts to specific users, such as those holding local public transport subscriptions or students. To avail of these discounts, we request evidence of your eligibility status, which could include a photo of your student ID. You can upload this documentation on a designated website. There, you will receive additional details concerning the processing and storage duration. Typically, the uploaded ID photo is reviewed within 24 hours and deleted as soon as its validity is confirmed. Our customer service team will keep you updated throughout this

The data processed solely based on your consent pursuant to Article 6(1)(a) and 9(2)(a) GDPR, and we do not use the data for any other purposes.

10. Referral

In compliance with the local regulations, we may occasionally offer recommendations to help you introduce our services to people you know. If you select to use our referral service to inform others about our services, we will provide you with a referral code to share with your friends. Please note that we do not collect information from these third parties unless they register for the service using the provided referral code.

11. Other processing purposes

We also use your personal information for the following additional purposes:

Under Article 6(1)(f) of the GDPR, based on our legitimate interests:

2. Under Article 6(1)(c) of the GDPR, to fulfill legal obligations, such as adhering to commercial and tax retention requirements or complying with mandatory court or administrative orders to provide data.

12. Transmission of personal data

The transfer of collected data occurs as previously explained and generally only under the following circumstances:

We engage external service providers for data processing on our behalf, and they are not permitted to use personal data for their own purposes. Aside from the explicitly mentioned service providers in this Data Protection Declaration, this may include IT and data center service providers, technical service providers, agencies, market research firms, group companies and consulting firms.

We may utilize service providers based on processing personal data in “third countries” outside the European Union or the European Economic Area. In such cases, if there is an adequacy decision pursuant to Article 45 of the GDPR for these countries, we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These measures include, among others, the European Union’s standard contractual clauses (potentially including additional agreements in line with the recommendations of data protection supervisory authorities) or binding internal data protection regulations.

13. Advertising

We process your data to display or transmit personalized advertisements to you. We use the information you provided during registration, data collected during app usage, and information on messages read and receipt confirmations. Particularly, as some of our products and services are limited to specific regions, we also process your location for these purposes. You can always contact us to oppose these processes and close your account.

Unless consent is required as per GDPR Article 6(1)(a), the processing of your data for advertising purposes is based on our legitimate interest under GDPR Article 6(1)(f).

(1) Newsletter

By subscribing to our newsletter, you will receive regular updates on our services, surveys or special events. We only send such emails when you explicitly consent. To record your consent, we collect the following information based on our legitimate interest under GDPR Article 6(1)(f), which retain until you unsubscribe from the newsletter registration, confirmation of the time the email was sent, verification of the consent of the email, and the duration of retention of activated links or responsive emails.

If you want to stop receiving our newsletters, you can unsubscribe it at any time by clicking the unsubscribe link available in each email or sending an email to support_eu@maasasia.com.

When you have given consent, we process data for a specific purpose under Article 6(1)(a) GDPR. In accordance with Article 7(3), the data subject has the right to withdraw consent at any time.

(2) Product recommendation emails and push messages

We will send you such emails regarding product recommendations, surveys and product review requests from time to time. If you don’t want to receive these emails from us, we can opt-out and unsubscribe by clicking the unsubscription link available in each email or by sending an email directly to us (support_eu@maasasia.com.). You can also change your push notification settings in the app.

Introducing our products and receiving feedback from our customers is our legitimate interest under the legal basis of Article 6(1)(f) GDPR. However, the data subjects have the right to refuse to receive such information from us and to do so easily under Article 7(3).

(3) Online advertisements

You may see ads within our app or outside our own services. If you wish not to process your data for these purposes, you will be able to object in our app setting. However, please note that even if you no longer wish your data to be used for promotional purposes, you may be able to keep seeing ads from us outside our own services.

The legal basis is Article 6(1)(f) GDPR for our legitimate interest.

14. Data processing within the Maasasia Group and Partners

We are a global company with affiliates, service providers, and partners in many locations. As such, your information may be transmitted, accessed, stored, and otherwise processed by us and these third parties for the purposes described above and in jurisdictions outside your home jurisdiction (including Asia, European Economic Area and other jurisdictions) at the request of law enforcement agencies. By providing your information, you authorize such transmission, storage, or use. We will take steps (including appropriate written data processing terms and services and data transmission agreements) to ensure that your information receives an adequate level of protection in the jurisdictions in which we process the information.

We have concluded a joint responsibility agreement with Maasasia Inc in accordance with Article 26 GDPR which governs, among other things, the aforementioned items. You can assert your rights as a data subject with and against us and Maasasia Inc.

15. Erasure

As a general principle, we only store personal data for as long as is necessary to achieve the purposes for which it was collected. Subsequently, unless data is still needed for evidential purposes in accordance with civil law claims or due to legal retention obligations, we will promptly delete the data.

We may retain contractual data with you for a maximum of 3 years after the termination of our business relationship for evidentiary purposes. Any claims expire on the earliest of the standard statutory limitation periods.

In principle, we store personal data only as long as necessary to fulfill the purposes for which we collected the data. Thereafter, we delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidentiary purposes for claims under civil law or due to statutory retention obligations.

Thereafter, we shall still retain some data for accounting purposes. We are obligated to do so due to legal documentation requirements that may arise from commercial law, backing law, tax law, anti-money laundering regulations, and securities trading law. The retention and documentation periods specified here range from 2 to 10 years.

16. Rights of data subject

You as a data subject have the right to exercise the following rights as outlined in Articles 15 - 21 and 77 of the GDPR, provided that the legal requirements are met:

Your withdrawal of consent does not affect the legality of the processing performed under that consent before the withdrawal. Therefore, you have the right to revoke any prior consent applicable in the future at any time.

As long as we process your data based on legitimate interest, you have the right to object to your data processing at any time depending on your specific situation. In the case of objecting to data processing for direct marketing purposes, you have the general right to object without specifying any reasons.

If you wish to assert your rights, you can contact us at support_eu@maasasia.com at any time. In this process, we may ask you to submit your request with the email address registered in your account for proof of your identity.

For documentation purposes, your requests asserting data protection rights and our responses to them are stored for up to 3 years. In certain cases, these documentations can be stored for a longer period for the purpose of legal claims, exercise, or defense.

In accordance with Article 6(1)(f) GDPR, stemming from our interest in defending against civil claims, avoiding fines as outlined in Article 83 of the GDPR, and fulfilling our accountability obligations as per Article 5(2) GDPR.

17. Changes to this Data Protection Declaration

This Data Protection Declaration may change from time to time depending on current legal requirements and actual circumstances, and when new services or privacy policies are introduced. Our Data protection team will keep you informed if changes are made. However, we recommend that you also check this Data Protection Declaration on a regular basis for possible changes.

18. Contact Information

If you have any questions in terms of Data Protection Declaration or wish to exercise or make a complaint about your rights of your personal data we retain, please contact us at:

Data Protection Team

E-mail: support_eu@maasasia.com