Osaühing Ideal (Ideal or we) offers its clients (both natural persons and legal entities; hereinafter also you) e-scooter and car (hereinafter also a Vehicle) rental service activated and used via our website www.myavis.ee/en/avisnow and mobile application (the service).
When providing you the services and collecting and using your data (including your personal data), protection of your privacy is an important concern to us. Therefore, we want you to understand what type of personal data we collect about you and how we use it. These privacy terms aim to give you an overview of the use of your personal data.
For a better understanding, we hereby explain some terms used herein.
GDPR means the General Data Protection Regulation (EU 2016/679), implementation of which started on 25 May 2018 and which is directly applicable in all European Union member states.
Mobile Application means an application software intended for smart phones, tablets and/or other mobile devices by virtue of which the Vehicle reservation, unlocking, locking and/or other actions provided for in the software are being carried out
Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller means the entity that decides why and how the personal data is collected and processed.
Processor means the entity which processes personal data on behalf of the controller.
T&C means the terms and conditions applicable to use of our services available at https://www.myavis.ee/en/terms-and-conditions.
1. Data Controller
Registration code: 10325140
Address: Peterburi tee 47c, Tallinn, Harju county, Estonia
2. The type of personal data we collect and process, purposes of use and lawful grounds
2.1 Services ordered by natural persons
We collect different type of information when you use our services. Some of the information is collected from you personally when you sign up for the use of the service (identification data) or specifically consent to certain usage (marketing data), some of the information is collected automatically upon your use of the service (usage data). We may also obtain information (incl personal data) from public sources, such as commercial/trade registers, the internet and from third parties, such as credit registers, for background and credit information analysis.
- Name (first name and family name)
- Mobile number
- E-mail address
- Login data: username and password (password will be saved in an encrypted form and will not at any point be visible in plain text)
- Number of driver license
The purposes of and legal basis for processing of the identification data:
- Creation and accessing of user account, registering a user, conclusion of service agreement (T&C). Legal basis for such use is contractual necessity (GDPR art 6 1(b)).
- Communication regarding the service, e.g. invoicing, user support, exchange of information with third party service providers within our services. Legal basis for such use is contractual necessity (GDPR art 6 1(b)).
- Managing of our accounts, assets and debts. Legal basis for such use is usually our legitimate interest (GDPR art 6 1(f)), but in some cases it may also be our legal obligation (GDPR art 6(1)c)), e.g. to keep accounting base documents.
- Managing accidents with Vehicles and transmitting information to insurance companies as the case may be. Legal basis for such use our legitimate interest (GDPR art 6 1(f)).
- Payment card details (issuer, card holder, card number, card expiration date) will be processed and payment card data will be stored by third-party payment service provider Stripe for handling of payments and for fraud prevention. Stripe is an independent data controller, therefore please review its privacy terms at: www.stripe.com/en-ee/privacy.
- Information regarding the services you have purchased from us and payments made by you.
- Information about amounts credited to your account (system wallet) by a third party (e.g. your employer) and balance thereof.
The purposes of and legal basis for processing of the payment data:
- Provision of services and managing of your user account in accordance with T&C. Legal basis for such use contractual necessity (GDPR art 6 1(b)).
- Managing of our accounts and assets. Legal basis for such use is usually our legitimate interest (GDPR art 6 1(f)), but in some cases it may also be our legal obligation (GDPR art 6(1)c)), e.g. to keep accounting base documents.
- Enabling you to use the system wallet as the payment method for the services in accordance with T&C. Legal basis for such use contractual necessity (GDPR art 6 1(b)).
- Your login data
- GPS data
- IP address
- Battery data
- Display data of the Vehicle
- Speed of Vehicle used by you
- Distance covered by the Vehicle upon your use
- Battery level of the e-scooter
- Data generated by the Vehicle/Mobile Application like location, driving habits, speed
- Information about how you use our website, Mobile Application and Vehicles (including ride and location history)
- Browser/phone type and version
- Your preference settings.
The purposes of and legal basis for processing of the usage data:
- Provision of Services as stipulated by T&C. Legal basis for such use contractual necessity (GDPR art 6 1(b)).
- Provision of Service support. Legal basis for such use contractual necessity (GDPR art 6 1(b)).
- Making statistics and analyzing of user data (incl shortcomings) to maintain and develop the Services. Legal basis for such use is our legitimate interest (GDPR art 6 1(f)).
- Protecting our assets using GPS data for locating our Vehicles. Legal basis for such use is our legitimate interest (GDPR art 6 1(f)).
- Data on whether you have consented to marketing
- Data of you marketing channel preferences (e-mail, mobile phone or both).
The purposes of and legal basis for processing of the marketing data:
- marketing of our services and products. Legal basis for such use is your consent (GDPR art 6 1(a)).
2.2 Services ordered by legal entities
When our services are ordered or payment for the user is organized by a legal entity (e.g. by crediting users account/system wallet) for use by its employees or customers, we still collect and process the same information as described under Section 2.1 about the actual users of the services. As we conclude T&C with each user, we have direct relationship with the user and data processing is based on the same lawful basis as described under Section 2.1 above.
In case of legal entities, we additionally collect the following information:
- Business name of the company
- Registry code of the company
- VAT identification number
- Name, phone number and e-mail address of the person representing the legal entity (the representative of legal entity) and responsible for performance of the contract and administration of the users of the service
In such case we process the personal data of the representative of the legal entity to communicate with our client (i.e. the legal entity) for provision of our services as agreed with the client. The legal basis for doing this is our legitimate interest (GDPR art 6 1(f)) – we need to communicate with the legal entity and if you act as representative of one, we assume that the legal entity has informed you of appointing you as our contact person and therefore there is a balance of interest and we do not conflict with your interests, rights and freedoms. In case processing of the personal data is based on the legitimate interest, the data subject always has the right to object to such processing. If you do object, we will inform our client asking to provide us with a new contact person or otherwise comment on your objection.
3. Sharing of your data
With us your personal data is accessible only to those employees who need the data to perform their work duties (on a so-called need-to-know basis). Outside the Company, we may share your data with the following persons under the following circumstances and only to the extent required:
- Our service providers: Your data is accessible by the persons providing services to us and processing your data on our behalf (data processors) and to the extent needed to perform such services. These include providers of website and Mobile Application hosting, maintenance, service invoicing, and development services.
- Public authorities and state institutions (e.g. police, courts, data protection authorities): we will only disclose your data when and to the extent we are legally obliged to do it.
- Third parties in connection with legal processes (e.g. legal, financial advisers): we may share or disclose your data, if it is necessary to protect our property and rights (incl present legal claims for that purpose), enforce our contracts, defend ourselves against any third-party claims.
- Third parties in connection with corporate transactions: We may share your information with third parties in the context of a corporate transaction, such as the sale of our company or issuing new shares to investors or sale of company´s business/assets to another company. Also, in the context of the creation of a joint venture, merger or other reorganization.
As a rule, your personal data is processed in the European Economic Area (EEA). However, if there is a need to transfer the data out of EEA, we follow GDPR requirements regulating such transfers.
4. Retaining of personal data
We retain your data for as long as necessary for the purposes of processing described in these privacy terms and to comply with any mandatory legislation. The criteria we use to determine the retention period for different categories of personal data is as follows:
- whether you are an active client or not - how frequently you use our services or when your most recent Vehicle rental occurred;
- whether there are contractual or legal obligations that exist that require us to retain the data for a certain period of time;
- whether there is any ongoing or threatening legal claim that relates to any Vehicle rental you have made with us, or that is otherwise related to your relationship with us;
- whether any applicable law, statute, or regulation allows for a specific retention period;
- what the expectation for retention was at the time the data was provided to us.
Additionally, we may process the data in an aggregated or anonymized format, for example for analysis and statistical purposes and to improve and develop our services.
You can obtain more specific information on retention of your personal data by making a corresponding query to the e-mail address provided in section 1 of these privacy terms.
5. Your rights
Right to access – you have the right to know which data we hold about you (if any).
Right to data rectification – you have the right to require corrections to your personal data in case they are inaccurate or incomplete.
Right to data deletion – you have the right under certain conditions to request the deletion of your personal data including in situations where the processing of your personal data is no longer necessary for the purposes for which it was collected, or if the processing of your personal data was based on your consent and you wish to withdraw your consent, and there are no other grounds for processing your personal data.
Right to restrict processing – you have the right under certain circumstances to forbid or restrict the processing of your personal data for a certain period (e.g. you have submitted an objection concerning data processing).
Right to object – You have the right to object to data processing which is based on our legitimate interest. We will stop processing your personal data upon such objection, unless we can demonstrate compelling legitimate grounds for the processing or processing is needed for the establishment, exercise, or defense of legal claims. You also have the right to object at any time to processing of your personal data for direct marketing. Upon receiving such objection, we shall stop processing your personal data for direct marketing.
In order to exercise your rights, please send your respective inquiry to the e-mail address provided in section 1 of these privacy terms. We have the right to respond to your query within 30 days.
6. The right to submit a complaint to a supervisory authority
Should you need further information concerning your personal data or exercising your rights, you have the possibility to contact us at e-mail address provided in section 1 of these privacy terms.
If you believe that processing of your personal data is not compliant with legal requirements, you have the right, without prejudice to any other administrative or judicial remedy, to file a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. In Estonia, the relevant supervisory authority is Data Protection Inspectorate (Andmekaitse Inspektsioon).
7. Amendments to these Privacy Terms
We may unilaterally change these privacy terms from time to time, especially in case of changes in the legal acts regulating protection of personal data or in our own data processing practices. In case of material changes we will inform you in advance. The updated and valid version of the privacy terms is always available at our website www.myavis.ee/en/privacy-notice