Privacy Policy

1 Introduction 

The purpose of this privacy policy is to inform users of the IDEFLEET platform about the collection and processing of their personal data. Personal data is considered to be any information that allows the identification of a user. This may include their names, surnames, email, or location (non-exhaustive list).  

1.1 Owners of rented vehicles 

The owners of the vehicles made available for rental and users of the IDEFLEET platform as fleet vehicle managers are referred to in this privacy policy as "our partners."   

1.2 The data controller 

The data controller responsible for processing personal data is IDEMOOV, a simplified joint-stock company (SAS) with a capital of €1,150,500.00, registered under Strasbourg B 830 613 808.  You can contact the data controller at the following postal address: IDEMOOV SAS, 1C Rue Pégase 67960 Entzheim France. Alternatively, you can reach them via email at [email protected] or by phone at  03.67.22.02.79.   

1.3 The data protection delegate 

The data protection officer (DPO) of the company is OLOWOLAGBA Man Su, whom you can reach at the following postal address: MD6 CONSULTING SAS, 1C Rue Pégase 67960 Entzheim France. You can also contact them via email at [email protected] or by phone at 03.88.55.00.28.  If you believe, after contacting us, that your "Information and Freedoms" rights are not being respected, you can submit a complaint to the CNIL.   

2 Data collection and processing when using our platform 

In accordance with Article 5 of the European Regulation 2016/679, personal data shall: 

  • Be processed lawfully, fairly, and in a transparent manner in relation to the data subject;
  • Be collected for specified, explicit, and legitimate purposes as outlined in this privacy policy and not further processed in a manner that is incompatible with those purposes;
  • Be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
  • Be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • Be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

The processing is only lawful if, and to the extent that, at least one of the following conditions is met:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes;
  • The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • The processing is necessary for compliance with a legal obligation to which the controller is subject;
  • The processing is necessary to protect the vital interests of the data subject or of another natural person;
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.  

2.1 Registration 

To access our services, creating an account is mandatory and requires the following personal data: name(s), first name(s), and email address. These data will be linked to your identity.   

2.2 Data collection and processing when using the application 

2.2.1 Application permissions

To use our services, it is necessary to access certain features of your device, commonly referred to as "permissions." Depending on your operating system, you must explicitly grant these permissions, and you also have the option to revoke them individually at any time. The data accessible through these permissions will be used exclusively for purposes specified in this privacy policy.  Camera: Access to the camera function is required to scan the QR code affixed to the vehicle before renting it. Camera access is also required when reporting an incident if you wish to attach one or more photos.

Location: We need information about your location to indicate the proximity of vehicles to you. Additionally, we process this location data when you use the application or rent a vehicle, in order to improve our services and personalize them according to your needs.  The legal basis is Article 6, Paragraph 1, Letter b of the GDPR, as data processing is necessary to provide the application's functionalities and our services.

2.2.2   Google Maps 

The IDEFLEET platform utilizes the Google Maps API, a service provided by Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland. It enables the use of interactive maps on our application, for example. This application is essential for the functionality and complete provision of our content and services. You can review Google's terms of use at the following address:   https://www.google.com/intl/de/policies/terms/.  Additional terms of use for Google Maps can be found here:   https://www.google.com/help/terms_maps.html.  Google's privacy policies are available at the following address:   https://www.google.com/intl/de/policies/privacy/.  The legal basis is Article 6, Paragraph 1, Letter b of the GDPR, as data processing is necessary to provide the application's functionalities and our services. 

2.3  Data collection and processing when renting a vehicle 

When you rent a vehicle, we collect and process additional data through our application and the connected devices in the vehicles. The legitimacy of this collection is based on Article 6, Paragraph 1, Letter b of the GDPR, to the extent that data processing is necessary for the performance of the rental contract. In other cases, this collection is based on Article 6, Paragraph 1, Letter f of the GDPR, relying on our legitimate interest to ensure continuous functionality and security, as well as the ongoing development of the application and our services.

2.3.1  Data collection in our application  

When you rent a vehicle, we record the location of your device at the beginning and end of the rental. Since a rental contract is concluded for each transaction, we also save the period of use and details of the rented vehicle. These data are primarily used for billing purposes related to the rental.

2.3.2 Data Collection by Our Vehicles  

Our partners' vehicles are equipped with what are known as "IoT-connected devices" that send data (such as vehicle position and diagnostic data like battery status, speed, etc.) at regular and close intervals. This allows our partners and vehicle owners to determine the whereabouts of our vehicles and their speed of travel.   We process the data in the context of rentals, including for the following purposes: 

  • To determine if a vehicle is within a respective operating area defined by our partner or if the end of the rental will occur outside the operating area, as this would be contrary to these terms and conditions. In this case, vehicles may trigger a sound alert ("geofencing").
  • In the event of an unusually long period of use (especially if the vehicle is not moved), we may terminate the rental.
  • For requests addressed to our customer service (for example, if a reservation cannot be made, a vehicle cannot be located, or assistance is needed in case of an accident).
  • As evidence in the event of an accident or damage.
  • For billing purposes. We record in your booking history the starting and ending points of your trips as well as parking locations, if applicable.
  • To improve our services by analyzing aggregated statistics of where users make bookings and end their trips, as well as frequent routes, our partners can optimize the distribution of vehicles.  

2.4   Payment processing  

To facilitate payment processing, we enlist the services of external providers to whom we transmit the necessary data to complete the transaction. This information includes the name, email address, and payment method. Upon termination of your account on our platform, this data is deleted. However, please note that this information is not erased from the provider's backups, and transaction details remain accessible. This includes the payment method used, transaction amount, unique user identifier associated with the transaction, date and time of the transaction, and the vehicle fleet associated with the transaction.

For information on the legal basis for data processing by payment service providers, please refer to the privacy policies provided by these respective service providers.  Stripe Payments Europe Ltd, 25/28 North Wall Quay, Dublin 1, Ireland ("Stripe"). For more information, please consult Stripe's privacy policy (https://stripe.com/en/privacy).   Payment options offered may vary depending on the country.   Unless you have given us your consent to do so in accordance with Article 6, paragraph 1, letter a of the GDPR, the legal basis for transmitting data to payment service providers in the context of contract processing is Article 6, paragraph 1, letter b of the GDPR, as processing is necessary to settle the rental contract.   

2.5  Damage and accidents 

In case of damages or accidents involving vehicles from our partners, we will provide your data (including basic, contractual, location, and route data) to the vehicle owner for customer assistance, claims settlement, processing, and settlement, to receive and process complaints, to ensure and enforce their own claims, and to prevent further damage to you or us.   In this context, the vehicle owner may also be required to transmit data to insurance companies for claims settlement and to competent authorities (for example, in the context of hearings as a witness or accused in an administrative offense or criminal proceedings).

The legal bases are Article 6, paragraph 1, letters b, c, f of the GDPR, and if health data were involved in an accident, Article 9, paragraph 2, letter f of the GDPR. Our legitimate interest lies notably in settling claims and accidents to avoid any damage to our partner.   

2.6   Disclosure of Data in Cases of Criminal or Administrative Offenses or Contract Violations  

In the context of investigations related to criminal or administrative offenses, we may disclose data (such as basic data, information on routes/positions, data related to communications and contracts) to competent investigative authorities. This may occur during hearings as a witness or accused, especially in connection with violations of traffic regulations, parking rules, and similar laws. For example, if a vehicle is improperly parked, in violation of our partners' contractual provisions or traffic regulations, and our partner is at risk of a fine or penalty, we may share with the competent authorities data concerning the individual as well as the date of the vehicle's last rental and last parking. This practice also applies to accidents, speeding, and other similar offenses. In cases where a third party presents legitimate claims against our partner or IDEMOOV in the situations mentioned above, we also reserve the right to share your data with the applicant.  If you are suspected by competent authorities of having committed a criminal or administrative offense related to our partners' vehicles or our services, we may also process data provided to us by the competent authorities in this context.

The legal basis is Article 6, paragraph 1, letter c of the GDPR in the case of a legal obligation to disclose; otherwise, in accordance with Article 6, paragraph 1, letter f of the GDPR, our legitimate interest is to prevent damage to our business as well as to protect our vehicles and exercise our contractual and non-contractual rights.     

2.7   Other purposes of data processing

We also process your personal data for the following additional purposes:   In accordance with Article 6, paragraph 1, letter f of the GDPR, based on our legitimate interests: 

  • To continuously improve our offers and services and further tailor them to the needs of our users.
  • To conduct internal quality controls.
  • To detect, eliminate, and prevent errors, malfunctions, and potential abuses.
  • To ensure the security of networks and information.
  • For fraud prevention.
  • To ensure and enforce our legal claims.
  • To prevent the re-registration of users who have been blocked due to contractual breaches, fraud, or abuse.
  • For accounting purposes and risk management.

In accordance with Article 6, paragraph 1, letter c of the GDPR, to fulfill legal obligations, for example, to comply with commercial and tax retention obligations or to fulfill obligations to provide data due to a legally binding court or administrative order.

2.8   Data hosting

The IDEFLEET platform is hosted by MD6 CONSULTING SAS, 1C Rue Pégase, 67960 Entzheim, France. You can contact them at [email protected] or by phone at 03.88.55.00.28. 

3   Transmission of personal data 

Each transfer of data collected by us occurs as explained above and otherwise primarily only if: 

  • You have expressly consented to it in accordance with Article 6, paragraph 1, letter a of the GDPR.
  • The transfer is necessary for asserting, exercising, or defending legal claims in accordance with Article 6, paragraph 1, letter f of the GDPR, and there is no reason to believe that you have an overriding legitimate interest in preventing your data from being transferred.
  • We are legally obliged to transfer the data in accordance with Article 6, paragraph 1, letter c of the GDPR.
  • It is legally permitted and necessary for the processing of contractual relationships with you or for the execution of pre-contractual measures, which will take place at your request, in accordance with Article 6, paragraph 1, letter b of the GDPR.

For data processing, we collaborate with external service providers who act on our behalf and have no authorization to process personal data for their own purposes. In addition to the service providers explicitly mentioned in this privacy policy, this may include IT service providers and data centers, technical service providers, agencies, affiliated companies within a group of enterprises, and consultants.

It's possible that we may engage service providers established or processing personal data in "third-party countries" outside the European Union or the European Economic Area. In such cases, in the absence of an adequacy decision pursuant to Article 45 of the GDPR for these countries, we have implemented appropriate measures to ensure an adequate level of data protection during any data transfer. These measures include, but are not limited to, the use of European Union standard contractual clauses (where applicable, with additional agreements in line with the recommendations of data protection authorities) or the adoption of binding corporate rules on data protection. 

4   Deletion of personal data 

All data used for aggregation purposes will be retained. For example, application usage statistics based on user age will be maintained. Data will be anonymized upon account deletion, including email address, name, surname, hashed password, personal data at the Stripe provider, user journeys (including vehicle positions), and vehicles used by the user.  For user-taken images, a request can be made to blur them. Similarly, for conversations including your name, surname, or other personal information.

In case of an account deletion request, the account will be anonymized after 15 days. The user can cancel the deletion request by logging in before this deadline. Data may not be immediately deleted in case of a dispute and will be retained until the dispute is resolved.

For evidential purposes, we are able to retain contractual data for a period of three years from the end of the fiscal year in which the commercial relationship with you ends. Any claims will expire no earlier than this date, in accordance with legal prescription periods.

Even after this period, some of your data must be retained due to accounting obligations. This retention is required under legal documentation obligations arising from commercial law, tax law, banking law, anti-money laundering law, and securities trading law. The retention and documentation periods specified in these laws range from two to ten years. 

5   User Rights 

Any user affected by the processing of their personal data may exercise the following rights, in accordance with European Regulation 2016/679 and the French Data Protection Act (Law 78-17 of January 6, 1978): 

  • Right of access, rectification, and erasure of data (as set forth respectively in Articles 15, 16, and 17 of the GDPR);
  • Right to data portability (Article 20 of the GDPR);
  • Right to restriction (Article 18 of the GDPR) and objection to data processing (Article 21 of the GDPR);
  • Right not to be subject to a decision based solely on automated processing;
  • Right to determine the fate of data after death;
  • Right to lodge a complaint with the competent supervisory authority (Article 77 of the GDPR).

To exercise your rights, please send your correspondence to IDEMOOV SAS.  In order for the data controller to comply with your request, you may be required to provide certain information such as your name, email address, and proof of identity.  Visit the cnil.fr website for more information on your rights. 

6  Modification of the privacy policy 

The editor of the IDEFLEET platform reserves the right to modify this Policy at any time to ensure compliance with applicable law for the site's users. Any potential modifications will not affect purchases made prior to the changes, which remain subject to the Policy in effect at the time of purchase and as accepted by the user upon validation of the purchase. Users are encouraged to review this Policy each time they use our services, without formal notification of changes.  This current policy, edited on 04/22/2024, was last updated on 04/22/2024.  

Request a Demo

Contact our sales teams for a presentation

Send us a message
or
Schedule an appointment