Eloop Privacy Policy

Last updated April 2019

 

This privacy policy ("Privacy Policy") sets out the way in which Caroo Mobility GmbH (Brand Name: Eloop), Siebenbrunnengasse 17/7, 1050 Vienna, Austria (corporate registry number (Firmenbuchnummer) FN 475722 t) ("Eloop", "we", "us", "our") processes the personal data of its registered users ("Users", "you", "your").

Eloop operates a fleet of electric vehicles ("Vehicles") which Users can currently book and lease in the home area in Vienna ("Home Zone") and use within Austria in accordance with the Eloop General Terms and Conditions, available at [www.eloop.to/terms], as updated from time to time.

Eloop is subject to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, "GDPR") as well as the Austrian Data Protection Act (Datenschutzgesetz).

This Privacy Policy is available in both the German and English languages. In the event of any conflict between the German language and the English language versions, the German language version shall prevail.

The Privacy Policy includes the following topics:

1. What is personal data?

2. Processing of data in relation to our service

2.1. Registration process

2.2 Fraud prevention

2.3. Lease of Vehicle

2.4. How long is your data stored? (retention period)

3. Processing of data on our website

3.1. Comments on blog posts

3.2 Talkus

4. Newsletter

5. Mailchimp

6. Your rights

7. Updates to this Cookie policy

B. Cookie Policy

B.1. Cookies

                        Cookie list

B.2 Third party processing on our website 

 

1. What is personal data?

Article 4(1) GDPR defines personal data as: "any information relating to an identified or identifiable natural person ('data project'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person".

Eloop is a data "controller" in the meaning of Article 4(7) GDPR: "the … legal person … which, alone or jointly with others, determines the purposes and means of the processing of personal data".

If you have any questions about how we process your data or if you want to exercise your rights as detailed below, please do not hesitate to contact us at:

  • Caroo Mobility GmbH, Siebenbrunnengasse 17/7, 1050 Vienna, Austria
  • Email office@eloop.to
  • Phone+43 660 600 29 90

2. Processing of data in relation to our service

As all of our Users must be over 18 years old to register with our service, we do not collect personal data on children.

2.1. Registration process

 

As part of the registration process, we collect:

  1. your name and title.
  2. your date of birth and address.
  3. your email address and mobile phone number.
  4. your driver's licence details, including data in points 1 and 2 and your licence identification number.
  5. a photograph of your face (taken as a selfie).
  6. your credit card details, including data in point 1 and your credit card number.

We collect and process this data in order to identify you as our contractual partner and for the fulfilment of various mutual contractual obligations, including in particular processing of payments and ensuring that you are entitled to operate the Vehicle, as well as to be able to contact you if necessary. The legal basis for this processing is necessary for the performance of your contract with us (legal basis for processing is therefore Article 6(1)(b) GDPR). If you do not provide us with this data, we will be unable to conclude our contract with you.

Recipients of data: insurance company, IT service providers.

2.2 Fraud prevention

We furthermore process your credit card details (your name, title, credit card number), your address, your cell phone number and your driving license details (your name, license number, birthdate, expiration date) in order to perform a fraud check. The legal basis for this processing is our legitimate interest (Article 6(1)(f) GDPR) to ensure that you are able to fulfil your payment obligations pursuant to the General Terms and Conditions.

Recipients of data: Our service provider that provides us with background checks

2.3 Lease of a Vehicle

During lease of a Vehicle, we collect:

  • your start location, destination, start time, destination time, and duration of the lease. This data is not used to create a movement profile.
  • if you are involved in a serious accident which is detected by sensors built into the Vehicle, the time and the location of the accident (if applicable).

We use geo-fencing technology, which defines a virtual area using GPS coordinates and creates a virtual boundary around these. This is used to define the Home Area, allowing us to detect when the Vehicle is back in the Home Area and a lease can be ended. Geo-fencing is not used to create a movement profile.

Geo-fencing is also used to define the territory of the European Union. Should you leave the European Union in a Vehicle, the position will be recorded by GPS, and Eloop will be notified by a silent alarm, as this constitutes a breach of our General Terms and Conditions.

These forms of data processing are performed to ensure our legitimate interests, in accordance with Article 6(1)(f) GDPR. These legitimate interests are:

  • the necessity to monitor the use of the Vehicles in order to be able to precisely calculate the lease fees;
  • monitoring the compliance with our General Terms and Conditions and identifying breaches thereof; and
  • collecting data to be used as evidence in potential legal proceedings related to accidents in order to be able to assert our claims.

Furthermore, the name, address and lease details of the User will be transferred to the relevant authority in the event of justified official enquiries. In the event of claims that the rights of a third party has been breached (e.g. property damage during a lease), the name, address and lease details of the User will be transferred to the third party.

Recipients of data: IT Service providers, if necessary relevant authorities (in case of legal proceedings)

2.4 How long is your data stored?

All of the above data (2.1. -2.3.) is stored for the duration of Master Agreement, and will be deleted on termination of either you or us in accordance with the Eloop General Terms and Conditions. Your data may be retained for a longer period to the extent we are subject to a mandatory retention obligation under statutory law (such as the 7 years retention period regarding financial records), or to the extent we have a specific and justified reason to retain your data, e.g. in case of pending claims.

 

3. Processing of data on our website

 

We process a number of data on our website for different purposes. You can find the details regarding the particular data processing below. Please note that due to implemented Social media plugins, also third parties can process your personal data. You can further detail in the section B.2. Third party processing on our website.

3.1. Comments on blog posts

The users of our website are allowed to comment in our Caroo Eloop blog section. We collect your name, your email address and optionally other data, that you decide to share with us in the comment. We process this data to ensure that we know who this person is in the event of complaints or illegal comments and in case of complaints we can tell the commenting person is a user of Eloop. Your data will be deleted after 3 months.

Your data is processed on the basis of Article 6 Para 1 Subpara a - consent. You can withdraw your consent by writing an email to office@eloop.to at any time, without affecting the lawfulness of processing based on consent before its withdrawalYour data is processed on the basis of Article 6 Para 1 Subpara a - consent. You can withdraw your consent by writing an email to (please insert email addressoffice@eloop.to) at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Recipients of personal data: Our IT Provider.

 

3.2. Talkus

This website uses the Talkus application by Talkus SAS, Attn: Data Protection Officer / Legal Department, 24 rue Alphonse Daudet, 91400 Saclay, France. This application serves to offer visitors a live chat on our website. If you use Talcus following data are collected - data you disclose to us in your message and optionally Your email address.

These data are processed on the ground of your consent - Article 6 Para 1 Subpara a GDPR. You can withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Recipient of your data is Talkus (processor). The data are stored at Caroo Mobility GmbH for 24 hours and then deleted. If a visitor wishes to prematurely delete them, they can do so by sending an e-mail to office@caroo.ateloop.to.

 

4. Newsletter

If you wish to receive the newsletter offered on this website, we will collect your email address. We also collect your first, last name on an optional basis.
After confirming your registration we collect your login, confirmation times and the IP address.  Legal ground for this processing is your consent - Article 6 Para 1 Subpara a GDPR.

We will process these data until you revoke your consent. You can revoke consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Recipients of your data: MailChimp (for more information regarding this data transfer and the way we use MailChimp please see below).

The registration to the newsletter is done via a so-called double-opt-in procedure. In other words, you will receive an e-mail after logging in, requesting confirmation of your registration. This confirmation is necessary so that nobody can register with external e-mail addresses.

The registration for the newsletter will be logged in order to prove the registration process according to the legal requirements. This includes saving the login and confirmation times and the IP address. The changes of your stored data will also logged be with the newsletter provider of the operator of this website.

 

5. Mailchimp

We use MailChimp, a newsletters shipping platform owned by Rocket Science Group, LLC, 675 Ponce De Leon Ave NE # 5000, Atlanta, GA 30308, USA, as a processor to send you our newsletter. The headquarters of MailChimp is in the United States of America. MailChimp is a participant in the EU-US Privacy Shield, which requires the company to maintain a level of data protection consistent with European privacy standards. The Privacy Shield certification can be viewed at https://www.privacyshield.gov/list.

MailChimp will receive your name, first name and your e-mail address in order to contact you. MailChimp uses so-called web beacons in e-mails - these are small graphics in the e-mails that allow a log file recording for statistical purposes. Your IP address, browser, time of retrieval or e-mail client type will be collected; the use of this web beacons shows us if you have opened our email sent to you and if you have clicked certain links. For technical reasons, this information can be assigned to the individual newsletter recipients. The use of web beacons is common in the Internet sector. Web beacons are used in emails only with your consent. You can revoke this consent at any time by sending us an e-mail to office@eloop.to or contacting us by post at the addresses below.

There are cases when we direct the newsletter recipients to the MailChimp websites. For example, our newsletters contain a link that enables newsletter recipients to retrieve newsletters online (for example, in the event of problems with the e-mail program). Furthermore, newsletter recipients may save their data, such as your Email-Address. For example, you can correct the e-mail address later. Similarly, the privacy policy of MailChimp is only available on their page.

In this context we point out that on the websites of MailChimp cookies are used and thus personal data are processed by MailChimp, their partners and service providers used (e.g. Google Analytics). We have no influence on this data collection. For more information, see the privacy policy of MailChimp.

6. Your rights

As a data subject under GDPR, you have certain rights regarding your personal data. These are:

  • under Article 15 GDPR, you have the right to information about any data held by Eloop;
  • under Article 16 GDPR, you have the right to have incorrect personal data corrected;
  • under Article 17 GDPR, under certain circumstances, you have the right to have your personal data deleted;
  • under Article 18 GDPR, under certain circumstances, you have the right to request a restriction on the processing of your personal data;
  • under Article 20 GDPR, under certain circumstances, you may have the right to receive personal data concerning you, which you have provided us, in a structured, commonly used and machine readable form and you may have the right to transmit those data to another entity without hindrance from us;
  • under Article 7(3) GDPR, if you have given us your consent to data processing, you can withdraw this consent at any time with future effect; and
  • under Article 77 GDPR, you have the right to lodge a complaint with the competent data protection supervisory authority, in particular in the EU Member State of your habitual residence or of an alleged infringement of GDPR.

If you wish to exercise your rights as listed above, please contact us in writing using the contact details provided in clause 1 above.

7. Updates to this Privacy Policy

This Privacy Policy may be updated by us from time to time to adapt to our growing business, and to ensure compliance with any new laws. If this happens, we will send a copy of the new Privacy Policy within a reasonable timeframe prior to the revised policy’s effective date to our Users by email and update the Privacy Policy on our publicly accessible website at www.eloop.to/privacy so you can evaluate the impact of the change and exercise your rights if necessary.

B. Cookie policy

We use a number of analytic services in order to continuously optimize our website and provide you with a better browsing experience. We also use advertising services and have built Social Media Plugins and content of third parties (Embeds content) into our website. You can review the list of used Cookies here. You can review the comprehensive list of Social Media Plugins here.

B.1. Cookies

Legal basis:

The Austrian Telecommunications Act ("TKG") differs between cookies that can be used without consent and those that require a prior consent in order to be used lawfully.  

We use only cookies that require your prior consent. The legal basis for initial use is your prior consent pursuant to provision 96 (3) TKG.

Processed data categories:

Your IP-Address, All cookies, Server-Logfiles

We process the given data exclusively for the purposes below. We neither sell these data to third parties nor combine them with data from other data sources.

In addition to the data generated by your use of our website, we also process data that you send to us yourself. For more Information see our Data Privacy Notice above.

Analytics cookies

Google Analytics

We use Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA ("Google"). We have also added the code "anonymizeIP" on this website to Google Analytics. This guarantees the masking of your IP address so that all data is collected anonymously. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. Google is Privacy Shield certified. Thus Google has the comply with legal frameworks that establish an equivalent level of data protection with EU law.

In order to evaluate the behaviour of the visitors of this website, Google Analytics uses the information generated by the cookies. This information is transmitted to Google's servers in the USA and stored there. This data processing is profiling. This processing constitutes profiling. You can object to it here.

 

Heap Analytics

We use Heap Analytics, a web analytics service of Heap Analytics, Inc., 225 Bush St. 2nd Floor, San Francisco, CA 94104, USA ("Heap Analytics"). Heap Analytics use cookies to analyse the use of the website. The cookie-generated information about your use of this website is typically transmitted to and stored by a Heap Analytics server in the United States. The IP address sent by your browser as part of Heap Analytics will not be merged with other Heap Analytics data. You can prevent the storage of cookies by configuring your browser software accordingly; however, we point out that in this case you may not be able to use all the features of this website in full extent. For more information on Heap Analytics and Privacy, please visit this link: https://heapanalytics.com/privacy.

Hotjar

We use Hotjar to better understand the needs of our users and their experiences while browsing our website (for example, how much time our users spend on which pages or which links they click). This helps us to optimize our website and provide you with a better browsing experience. Hotjar uses cookies and other technologies to collect information about your devices (such as the type of browser you use, screen size, device type). Your IP address will only be processed in anonymous form. Hotjar stores this information in a pseudonymous user profile. The information will not be used by Hotjar or by us to identify individual users or be aggregated with other data about individual users. This data processing is profiling.

You can find further information in the Hotjar Privacy Policy.

Advertising Cookies

We use Google AdWords, a internet advertising service that allows advertisers to run both Google and Google Network search engine. This service is provided by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA ("Google"). Google is Privacy Shield certified. Thus Google has the comply with legal frameworks that establish an equivalent level of data protection with EU law.

Google AdWords uses cookies to generate information about the visitor of our website. This information is transmitted and stored on servers in United States of America. This information allows to determine whether a visitor has found our website trough a Google search. This processing constitutes profiling. You can object to it here.

Pixel Services

We use the so called Tracking Pixel services ("Pixel services") of different social media providers:

  • Facebook Pixel, offered by Facebook Inc., Facebook Headquarters, 1 Hacker Way Menlo Park, CA 94025 
  • Twitter Pixel, offered by LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA.
  • LinkedIn Pixel, LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA.

By using these Pixel services, we can track users' behavior after seeing or clicking on a Facebook/Twitter/LinkedIn ad. This process is designed to evaluate the effectiveness of Facebook/Twitter/LinkedIn advertisements for statistical and market research purposes and may help to optimize advertising efforts. The Pixel services can save cookies on your device.

For further information, please visit the respective privacy and cookie policies of these companies:

1.: Facebook -   Privacy policy : https://www.facebook.com/policy.php

                        Cookie policy: https://www.facebook.com/policies/cookies/

2.: Twitter -      Privacy policy : https://twitter.com/en/privacy

                        Cookie policy: https://help.twitter.com/en/rules-and-policies/twitter-cookies#

3. LinkedIn -      Privacy policy : https://www.linkedin.com/legal/privacy-policy?src=or-search&veh=www.google.com

                        Cookie policy: https://www.linkedin.com/legal/cookie-policy

Legal basis for transfer to Third Countries

Your data can be transmitted to the servers of the respective company in the USA. Twiter, Facebook and LinkedIn are participants to EU-US Privacy Shield, which requires the company to maintain a level of data protection consistent with European privacy standards. The Privacy Shield certification can be viewed at https://www.privacyshield.gov/list.

Cookie list

Cookie name: _ga

Category: Analyse

Duration: 2 Years

The cookie captures and stores the Client ID field; a unique, randomly generated string that gets stored in the browser’s cookies, so subsequent visits to the same site can be associated with the same user. If not removed, the cookie is stored for two years.

Cookie name: _gid

Category: Analyse

Duration: 24h

The cookie also captures and stores the Client ID field. If not removed the cookie is stored for 24 hours.

Cookie name: _fbp

Category: Analyse

Duration: 10 min

Facebook pixel allows us to report conversions, build audiences and get rich insights about how people use our website.

Cookie name: _hjIncludedInSample

Category: Analyse

Duration: 365 Days

This cookie is set to let Hotjar know whether that visitor is included in the sample which is used to generate Heatmaps, Funnels, Recordings, etc.

B.2. Third party processing on our website

We have built the plug ins of the typical Social media platforms into our website, so you can share the contents of our website on your favourite social media. We have also build in ("embed") content of third parties into our website. We do not have any influence whatsoever on the processing of your personal data by these third party. The Social Media Plugins and embed content are loaded only after you have consented to do so.

We have built in following Social media Plugins:

  • Facebook: Privacy policy https://www.facebook.com/policy.php
  • LinkedIn: Privacy policy https://www.linkedin.com/legal/privacy-policy?src=or-search&veh=www.google.com
  • Twitter: Privacy policy https://twitter.com/en/privacy

We have built in following third party content:

  • Google maps: https://policies.google.com/privacy?hl=en