At AstraCaB, we prioritize the highest standards of service and support for both our customers and drivers, ensuring that they are treated with respect, dignity, and fairness. This commitment extends to how we protect the privacy and security of your personal information in compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws.

This Privacy Notice outlines our practices concerning the collection, use, disclosure, and protection of the information you provide to us while using our platform and services. Unless otherwise stated, the data controller for processing the personal data is AstraCaB GmbH (hereinafter "AstraCaB GmbH" or "we" or "us").

The terms 'you' or 'your' refer to both drivers and customers who request and receive our services through the AstraCaB online platform (hereinafter "Platform"), including the website astracab.de and AstraCaB mobile apps.

We collect and process personal data in accordance with the legal grounds outlined in the GDPR, which include obtaining your consent, fulfilling contractual obligations, complying with legal requirements, and pursuing our legitimate interests in providing and enhancing our services.

When using our platform, we may collect and process personal data that you voluntarily provide. We only collect information that is necessary to deliver the best possible services.

The types of data we collect and process include:

▪ Account data: user's first and last name, phone number, email address, profile picture, selected payment methods, user settings

▪ Order data: order details, such as requested pick-up and drop-off locations, selected vehicle type, time and date, additional services ordered (e.g. loading), and changes in the order status;

▪ Transaction data: transaction history, amount charged and refunded; used payment methods.

▪ Location data: precise and general location information from customers' and drivers' devices when the AstraCaB app is active, either in the foreground (app visible and open) or in the background (app open but not displayed).

▪ Usage data: information on interactions with our platform, e.g. used app features, webpages viewed, the times and dates of access, and details of app crashes and other system activities.

▪ Device data: information about the devices accessing our services, which includes hardware models, device IP addresses or other unique identifiers, operating systems and versions, installed software, preferred language, advertising identifiers, and device motion information.

▪ Feedback records: customer service interactions, including chat logs and call recordings.

Additionally, we collect and process data related to our business partners and their drivers:

▪ Business partner data: company name, legal address, phone number, email, VAT number, bank details, managing director's name, as well as the number of drivers and vehicles.

▪ Driver data: ID card (or passport) number, driver’s license number and submitted photos.

▪ Vehicle data: brand and model name, color, year, and the registration plate number.

▪ Accounting data: number of trips of each driver, amount to be paid to the business partner.

▪ Legal data: contracts and agreements, transaction history, communication records (including call logs and correspondence), evidence records (e.g. photos) and compliance documentation.

We use the data we collect for specified, explicit, and legitimate purposes, and we do not process your personal information in a manner that is incompatible with those purposes.

We collect and process your data to provide, personalize and improve our services:

▪ We use account data to connect customers with drivers, inform them about the order status, send order confirmation and invoices, process payments, as well as to provide our customer support and the latest updates on our services.

▪ We process order data to streamline the pick-up and drop-off process, ensuring that the trip and route are clear and transparent for both customers and drivers.

▪ We use location data to better understand our geographic coverage. This analysis helps us enhance route suggestions for our drivers, ensuring they take the most efficient paths. Besides, it assists us in positioning our vehicles in places that are most convenient for our customers.

▪ We process usage data to identify patterns and trends that help us to improve our services. This analysis directly informs the upgrading of our IT systems, ensuring they are more efficient, secure, and user-friendly. By doing so, we not only enhance the performance of our platform but also tailor it more closely to meet our users' needs and preferences. Furthermore, these improvements contribute to a more seamless and engaging user experience, reflecting our commitment to excellence and customer satisfaction.

▪ We use device data to enhance functionality and security of our platform. This information helps us optimize our services for different devices, ensuring compatibility and performance. Additionally, it allows us to identify and address any security vulnerabilities, safeguarding your personal information and improving overall user experience.

▪ We collect and analyze feedback records to continually improve the quality of our services. This analysis helps us to understand user satisfaction, identify areas to improve, and respond effectively to our customers' needs. By doing so, we can make informed decisions that enhance our platform's features and functionality to provide a better experience for all users.

▪ We process our business partners' data to facilitate efficient collaboration and compliance with legal and regulatory requirements. This information helps us ensure the reliability and integrity of our services, accurately manage financial transactions, and maintain strong, transparent relationships with our partners.

▪ We use driver data to ensure the safety and security of our platform. This information helps us verify the identities and qualifications of drivers, maintaining a trustworthy environment for our customers. By verifying these details, we can uphold high safety standards, comply with legal regulations, and provide peace of mind to all parties involved in the service.

▪ We use vehicle data to ensure the reliability and safety of the vehicles used on our platform. This information helps us verify that all vehicles meet our quality standards and regulatory requirements. Additionally, it enables users to easily identify the correct vehicle for their service, enhancing user confidence and satisfaction with our platform.

▪ We use accounting data to ensure accurate financial management and compliance. This data helps us monitor performance, manage payments, and maintain transparent financial records. It also supports our ability to make informed business decisions, forecast earnings, and sustain profitable and equitable relationships with all our partners and drivers.

▪ We collect legal data to establish, pursue, or defend legal claims should we need to provide evidence or defend ourselves against claims for damages or other allegations brought to our attention for investigation.

We do not sell your data. We share it only with trusted drivers, business partners and authorities. We restrict data sharing to only what is necessary to provide, maintain and improve our service.

Customer personal data is shared with platform drivers exclusively for the execution of orders via the AstraCaB Driver App. When fulfilling the order, drivers receive the customer's name, phone number, and location data. To address any post-service issues effectively, this information is temporarily stored in the Driver App.

Customer information might also be shared with AstraCaB's business partners. When this occurs, our partners are obligated to process the data according to the conditions outlined in this Notice. This ensures that all handling of customer information, whether by AstraCaB or its partners, adheres to the same high standards of privacy and security. We ensure compliance through regular audits and enforce strict contractual obligations to maintain the integrity and confidentiality of your personal information.

In certain situations, we may be required by law to disclose some information to external parties. This may occur under circumstances such as compliance with a court order or when we collaborate with local authorities to address complaints or conduct investigations. Additionally, we may fulfill requests from law enforcement agencies when we believe in good faith that such cooperation is required by law, impacts our customers or drivers, and aligns with globally recognized practices. In all cases, we rigorously ensure that there is a legal foundation for sharing such information. We also thoroughly document our decisions to maintain transparency and accountability in our data sharing policy. This approach guarantees that our actions are always justified and adhere to both legal and ethical standards.

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and regular security assessments. We keep a register of all data processing. Each department has a responsible person who documents all necessary information about the procedures of the respective department in accordance with the legal requirements of Article 30 GDPR. In the event of a personal data breach, we will notify the relevant supervisory authority and affected individuals without undue delay, as required under the GDPR.

Under the GDPR, you have specific rights regarding the personal data we collect and process. You have the right to access, rectify, erase, restrict, or object to the processing of your personal information. You may also have the right to data portability and the right to lodge a complaint with a supervisory authority. In addition, you have the right to withdraw your consent and opt out of receiving promotional communications from us at any time. You can manage your communication preferences through your account settings or by contacting us directly.

▪ Right to access: You have the right to request a copy of your personal data we store. It helps you understand how and why we are using your data, and check that we are doing it lawfully.

▪ Right to rectify: If the personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. You can update many of your details through your user account settings or contact us directly to make corrections.

▪ Right to erase (to be forgotten): You can request the deletion or removal of personal data where there is no compelling reason for its continued processing. This right is not absolute and only applies in certain circumstances.

▪ Right to restrict: You have the right to restrict the processing of your personal data under certain conditions. If processing is restricted, we are allowed to store your data, but not use it.

▪ Right to object: You have the right to object to the processing of your personal data based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.

▪ Right to data portability: This right allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy, or transfer personal data from one IT platform to another in a safe and secure way, without hindrance to usability.

In compliance with the GDPR, we are committed to ensuring that personal data is stored only as long as necessary to fulfill the purposes for which it was collected. We retain personal data for the duration necessary to provide the services requested by the user, to comply with our legal obligations, resolve disputes, and enforce our agreements. The specific retention period depends on various factors including the nature of the data, the reasons for its collection and processing, and relevant legal or operational retention needs.

For example:
▪ Account data is retained for as long as the account is active. If the account is deactivated or terminated, we will anonymize or delete the data within 6 months, unless extended retention is required by law.

▪ Transaction records are kept for a period necessary to complete the transaction and for audit purposes, generally up to 10 years as required by tax and commercial law.

▪ Usage data from interactions with our platform may be retained for up to 24 months to allow for performance analysis and service improvement.

Upon expiration of the data retention periods, personal data is securely deleted or anonymized. Users can also request the deletion of their personal data at any time, unless legal requirements dictate otherwise. Requests for data deletion can be made through our customer service portal or via direct contact at privacy@astracab.de.

When deleting data, we take all reasonable and necessary steps to ensure complete and comprehensive removal of personal information from our systems and backups, barring any legal requirements for retention.

In some cases, we may retain personal data for longer periods if required for legal, tax, or regulatory reasons, or for legitimate and lawful business purposes. In such cases, the data will be processed only as necessary for the specific legal purpose and kept securely.

We may update this Privacy Notice from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website or by other means. We recommend that you regularly check this notice to stay updated on our privacy practices. By continuing to use our services after an update, you agree to the revised notice as allowed by law.

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us at privacy@astracab.de.