PRIVACY NOTICE

Last updated: 31.07.2022

 

For "Ride Share Bulgaria" EAD ("the Company", "we", "us"), the protection of your personal information is a top priority. With this privacy notice, we aim to inform you what personal data we collect from the users of the website http://spark.bg/ (hereinafter referred to as "website") and the SPARK mobile application (hereinafter referred to as "mobile application"), why we collect it, with whom we share this information and what your rights are in relation to the processing of your data.

Before you start using the Website and/or the Mobile Application, you must carefully read and familiarize yourself with this notice, expressly agreeing to it before registering and installing the Mobile Application. We reserve the right to update this notice at any time by notifying you in a timely manner.

1.    Data about us

"Ride Share Bulgaria" EAD is registered in the Commercial Register at the Registration Agency with EIC 204787918 and address: Sofia, 11-13 Yunak Str., 4th floor. According to the General Regulation for the Protection of Personal Data (GDPR), we act as a Personal Data Controller when we collect, store and use your personal data for provision of the services ordered by you for the shared use of electric cars on the territory of the Republic of Bulgaria. Insofar as we use the SPARK mobile application, owned by our parent company UAB SPARK TECHNOLOGIES, a limited liability company, when processing your data, incorporated and existing under the laws of Lithuania, legal entity code 304953141 , with registered office in Vilnius, Lithuania, we act as joint data controllers for all other data processing activities outside the common infrastructure we share and have general access, we act as independent data controllers.

"Ride Share Bulgaria" EAD is responsible for providing the information required by law and processing the requests of data subjects, provided for in the GDPR and described in this notification, for users in the territory of the Republic of Bulgaria. We have a Data Protection Officer who you can contact with questions about this privacy notice or your rights as data subjects at privacy@spark.bg.

2.    How and what personal data do we collect?

We collect personal data directly from you (e.g. upon registration), through our interaction with you in providing our services, and through the mobile application and electric vehicles you use. In some cases, we may also receive information about you from third parties such as your employers (registered to use our services), other customers (who used an electric car after you), our partners (e.g. those who monitor the mobility of the electric car, payment service providers) or public bodies such as the Traffic Police, the Ministry of the Interior, the Prosecutor's Office of the Republic of Bulgaria, the Court and others. The personal data we collect about you includes the following categories:

       Identification data: three names; personal identity number;

       Legal capacity to drive a motor vehicle: copy of driving license incl. number, date and place of issue and validity, category of cars;

       Contact data: residential address; e-mail address; phone number;

       Financial and transaction data: customer number, certain data about the payment cards you use (type of card and the last 4 digits of the number); history of services used, date, place and amount of service charge, data on obligations (levels of obligations, amount of obligations, date of acceptance of obligation, term, date of payment), credit rating, eGo points that you have accumulated as rewards equal to the kilometers traveled;

       Photo with biometric data / scanned facial image that allows you to be accurately identified;

       Electric vehicle usage data: location of the vehicle, distance traveled, speed of movement, date, time and duration of use of the vehicle, moment of unlocking and locking of the vehicle, change in the charge level of the batteries in the vehicle, when you started using the vehicle, information that allows determining the vehicle's parking time, the vehicle's speed, information about where the vehicle is charging and whether the vehicle's door is closed;

       Mobility tracking data: distance traveled, route, speed and location of the electric vehicle received from GPS transmitters;

       Data from our communication with you: correspondence regarding requests for assistance, questions, complaints, opinions in case you have rated our services or other users, etc.;

       Data related to legal and insurance claims: data on damage to the electric vehicle, security incidents/traffic accidents or other violations in case they occurred while you were using the electric vehicle (date, place, time of the accident/violation, amount of damages, fault, etc.), unpaid debts, accrued penalties, etc.;

       IT management data: IP address, operating system, communication data, logs and other metadata from the use of the application, etc. With your consent, mobile device location data may also be obtained while using the mobile application in order to be notified of available electric vehicles near you, and you may change your mobile device settings at any time.

3. Grounds and purposes of data processing

 

On the basis of the need to conclude and execute a contract for the provision of a service for the shared use of electric vehicles and compliance with legal obligations (Article 6, paragraph 1, letters “b” and “c” of the GDPR), we collect and process your personal data with a view to:

       Registration and enrollment of customers;

       Conclusion, administration and execution of contracts;                                                                          

       Communication with the customer;           

       Compliance with legal requirements e.g. for keeping accounting records, providing cars only to legally competent persons and accurately identifying customers, notifying public authorities of traffic accidents and other violations (e.g. traffic police, Ministry of Interior, etc.);

       Prevention of traffic accidents, protection and control of the company's property and establishment and exercise of legal claims.

On the basis of establishing and exercising our legal claims (Article 9, paragraph 1, letter “e” of the GDPR), we process your photo with biometric data for the purpose of:

       accurate identification of customers, confirming that registered users are legally competent to drive a vehicle and are identical to the driver of the electric vehicle;

       ensuring the accuracy of your personal data and ensuring your security and the security of third parties;

       the prevention of fraud and traffic accidents, the protection and control of the company's property and the establishment and exercise of legal claims.  

On the basis of a contractual obligation and protection of our legitimate interests (Article 6, paragraph 1, letters “b” and “f” of the GDPR), we also collect data from monitoring the mobility of the electric vehicle for the purposes of:

       Providing high-quality services for temporary use of electric cars to a wide range of users through a mobile application and using the services in good faith and appropriately by customers; 

       Protecting and controlling company-owned assets, our legitimate interests and rights, and ensuring your security and the security of third parties.

On the grounds of our legitimate interest in business development, anonymized aggregated data about the services used by customers may also be used for the purposes of statistical analysis and marketing research after complete removal of your identifying personal data.

With your express consent, we may also use your contact details to send marketing messages about our services or offers. You can withdraw your consent at any time and refuse to receive newsletters by clicking on the "unsubscribe" link in the e-mail messages we send. If you agree to our processing your data for direct marketing purposes, please indicate your consent to the processing of personal data for direct marketing purposes at the time of registration, or log into your personal profile and select the option to receive a newsletter.

4.    What if you do not provide us with the data we require?

When you register in our system, it will be explicitly indicated which data are mandatory for providing the service of shared use of electric cars. Your refusal to provide the information necessary for the fulfillment of our rights and obligations under the contract may result in the contract not being concluded or in its termination. The provision of data for direct marketing purposes is completely voluntary and no adverse consequences will follow for you if you choose not to take advantage of this offer of ours.

5.    Automated decision making

In order to provide you with high-quality services and rewards, we use automated decision-making to calculate your e-Go points in a completely objective and non-discriminatory manner based on the kilometers you travel. The fee charged for using our services is also calculated in an automated manner based on the minutes you have used the vehicle. Although the check for data validation and confirmation of the customer's identity is done by automated means, decisions to refuse registration are made only after human intervention and additional validation of documents. "Ride Share Bulgaria" EAD values your privacy and does not use your personal data to profile you.

6.    Who do we share data with?

"Ride Share Bulgaria" EAD protects the confidentiality of your personal information and does not disclose your personal data to third parties, except with your consent and in cases permitted by law.

With guaranteed protection and control measures, data may be disclosed to other companies that are part of our corporate group or to our service providers in order to ensure the smooth functioning of the car rental system and high quality of services (e.g. to server providers, telemetry services, accurate customer identification and data validation, technical and administrative assistance to customers, EV mobility monitoring, EV usage service delivery platform, payment services, legal and accounting services, etc.). In this case, the service providers we use are required to strictly comply with their contractual obligations with us and the applicable data protection legislation, including taking the necessary measures to protect the confidentiality of your personal information.

We may also share your data with third parties if there is a justified need:

       public authorities such as the traffic police, SDVR, the Ministry of the Interior, the Prosecutor's Office of the Republic of Bulgaria, the Court and other administrative bodies (state and local) in order to fulfill our legal obligations to report violations, prevent fraud and traffic accidents;

       insurers, law firms, private bailiffs, debt collection companies (eCollect AG, with address Neuhofstrasse 21, 6340 Baar, Zug, Switzerland, with registration number: CHE – 180.481.291, represented by Mark Schillinger in his capacity as Executive Director) etc. in order to enforce the general conditions of use of the mobile application and our contract with the customer and to guarantee the property of the company and our other rights and legal interests;

       to protect the security, rights and interests of our other users or third parties.

7.    Data transfer outside the EU/EEA

Where manual data verification is needed during customer registration, data is also transferred by the JUMIO validation service providers, who have companies in the USA and India. The transfer is carried out on the basis of standard contractual clauses (Article 46, paragraph 2, letter “c” of the GDPR) with the necessary level of data protection, insofar as JUMIO is certified according to the PCI DSS standard and is subject to an annual audit for its compliance.

8.    How long do we keep the data for?

We store your personal data for no longer than is necessary to achieve the specific purposes for which it was collected, after which we destroy it in a secure manner.

If you have consented to your data being processed for direct marketing purposes, your data will be stored until you withdraw consent or 2 years from the later of the following dates: the date of termination of the contract or the date of payment of the obligation, or 3 years from the date of the last login.

If the registration process is not successfully completed and the Client is not granted the right to use the services of shared use of electric cars, his personal data is stored for a period of 3 years and is deleted (anonymized) immediately after the Client has selected the "Forget me" button through the mobile application in the event that the Customer has not used the electric car sharing services. Upon successful registration with the right to use the services for shared use of electric cars, your data is stored for the following periods:

       Data from your profile - 2 years from the date of termination of the contract or the date of repayment of the obligation. If your account is inactive, the data is stored for 3 years from the date of the last login.

       The data from monitoring the mobility of the electric car - 2 years from the later of the following dates: the date of termination of the contract or the date of payment of the obligation. Data of customers whose accounts are not active will be stored for 2 years from the date of the last login.

       Biometric data - Data is deleted from the Administrator's database immediately after identification / after successful account verification. The biometric data is then stored in JUMIO's specialized servers for a period of 5 years, starting from the date on which the Customer's identity verification process was successfully completed.

       Data related to accounting, legal claims and insurance claims - 5 years from the date of issue of the document or occurrence of the insured event.

In case of administrative or legal proceedings initiated by or against customers, all data is stored for a period of 5 years from a final judgment or payment of the debt.

9.    Security measures

Your data is stored under technical and organizational measures that guarantee its security, including the use of secure Amazon servers and cloud services in the European Union, encryption, technical, software and anti-virus protection, protections for communication and computer networks, limited access to the data only to authorized and trained employees, personal data protection policy and security procedures that we regularly review and revise as necessary, etc. Biometric data is recorded and processed under the highest security requirements by the international data validation company JUMIO, which is certified with PCI DSS certificate (level 1).

10.    What are your rights?

You have certain rights in relation to your personal data, including:

       Withdrawal of consent: You have the right to withdraw your consent at any time in the event that you have given consent to the processing of your data for a specific purpose, without affecting the processing up to that point. Where you have consented to direct marketing purposes, you may opt out of receiving newsletters at any time by clicking on the "unsubscribe" link in the email messages we send or by changing your mobile application settings. If you have provided access to your location through the mobile device in order to find EVs near you, you may also change the settings you have selected.

       Access to information: this right gives you the opportunity to receive a copy of the personal data we hold about you, as well as information related to the processing. You can access the history of the services you have used and the data provided during registration through your account on the mobile application, and you can also submit a special request for access to any data we process about you.

       Correction: this right enables you to ask us to correct any incomplete or inaccurate information about you. We ask that you always promptly note any change in your personal data in your profile or notify us of this at the e-mail indicated below.

       Erasure: this right enables you to ask us to delete your personal data when we have no valid reason to continue processing it e.g. if the purpose for which the data was collected has been achieved or if you have withdrawn your consent. If you meet the legal requirements, we will erase your personal data according to the terms set out in the Privacy Notice / Privacy Policy, unless we have a legal obligation to continue processing it or to retain the data necessary to establish, exercise or defend legal claims. If the registration process is not successfully completed and you are not granted the right to use the electric car sharing services, your personal data is stored for a period of 3 years and is deleted (anonymized) immediately after the Customer has selected the "Forget me" button via the mobile application in the event that the Customer has not used the electric car sharing services.

       Objection to processing: in cases where we rely on our legitimate interests as a basis for processing, you may object to such processing on grounds relevant to your particular situation. You also have the right to object when the processing is for direct marketing purposes or your data is processed for statistical purposes. If you wish to stop receiving marketing communications, you can click the "unsubscribe" link in the communications we send or change your settings from the mobile application.

       Restriction of processing: this right enables you to ask us to temporarily stop processing your personal data if, for example, you want us to establish the accuracy of the data or the reasons for its processing.

       Data portability: this right is limited to cases where the data is processed in an automated manner and provided by you to us on the basis of your consent or for the purposes of the performance of a contract, giving you the opportunity to require us to provide your data stored in electronic form to you or to a third party.

       Rights related to automated decision-making and profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which gives rise to legal consequences for you or similarly significantly affects you.

       Lodging a complaint: if you believe that any of your rights have been violated, you have the right to file a complaint with us and/or with the supervisory body Commission for Personal Data Protection - https://www.cpdp.bg/

For questions related to this privacy notice or in case you wish to exercise any of your rights as a data subject, you can contact us by e-mail: privacy@spark.bg, phone number 00 359 2 419 3476 or at the address: Sofia, 11-13 Yunak Str., 4th floor.

When submitting requests to exercise rights as a data subject, please fill out and send us the form available at the following link: https://spark.bg/wp-content/uploads/2022/07/07_Application-form-for-data-subjects-requests.docx. Upon such request by you, we may need you to provide us with information confirming your identity. This requirement is part of our data protection measures and aims to ensure that personal information is not provided to a person who does not have the right to receive it.

 

Additional information about "Ride Share Bulgaria" EAD can be found on our website: http://spark.bg/