KAROOT MOBILITY SERVICES IKE (Private Company) is committed to protecting your privacy and handling your personal data (hereafter Personal Data) in an open and transparent manner and in accordance with the definitions and requirements of Regulation (EU) 2016 /679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter GDPR) and Greek Law 4624/2019 as in force each time.

The collection and processing of personal data depends on the service that has been assigned or agreed upon, on the case-by-case contractual relationship connecting us with the Personal Data subject, on the legal obligations imposed on us and the legal rights granted to us by the applicable legislation, as well as on the subject’s express consent as the case may be.

Such data are processed within the expressly defined purposes, based on the principles of lawfulness, fairness and transparency; purpose and storage limitation; data minimisation; accuracy, integrity and confidentiality, and within the framework of necessity and proportionality governing each processing operation. At the same time, this ensures “by design and by default” the taking of technical and organisational security measures to comply with the above system of principles, as well as its periodic review and update.

1. 1. Company details

   “KAROOT MOBILITY SERVICES IKE” has its corporate seat in the Industrial Area of Sindos in Thessaloniki and is registered in the General Commercial Register (G.E.MI.) under G.E.M.I. No. 157085505000 (hereinafter referred to as “KAROOT”) and acts as controller of your personal data thekarootapp@thekaroot.com.

2. 2. Scope of Privacy Policy

   This document defines the status of protection of personal data in the context of their processing by the company and describes the system of rules based on which this processing is carried out, as well as the way of use of your personal data which are collected through the “KAROOT” application (hereinafter “KAROOT Application”, “Application”, “App”).

3. 3. Definitions

   In the context of this document, the GDPR definitions are used, indicatively the following:
   
   personal data” means any information relating to identified or identifiable natural persons (“data subjects”), i.e. persons who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
   
   “personal data processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Finally,
   
   “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

4. 4. Purpose of Personal Data Processing

   Depending on the purpose for which we may be required to process your data, we will process on a case-by-case basis certain categories of personal data, which are indicatively the following:

   • your basic identification data.
   • your contact details related to the services we provide.
   • information regarding the transactions required to provide our services.
   • login and geolocation data.
   • information about your habits and preferences, as well as
   • any other information you may voluntarily provide to us.

   We remind you that every time we ask you to fill in your personal data in order to access any function or service of the Application, we will mark certain fields as required, since this is the basic information we need to be able to provide you with the service. Please note that if you do not provide us with such data, you may not be able to complete your registration or take advantage of the relevant services.
   
   Depending on how you interact with the Application, we will process your personal data for the following purposes:

   1. 4.1. Managing your registration as a user of the Application

      If you decide to register as a user of the Application, we must process your data to identify you as a user of the Application and ensure that you can access it as a registered user. You can cancel/delete the account in question by selecting it through the Application on your device.

   2. 4.2. Calling a taxi

      The Application enables you to call a taxi with a taxi driver (“Taxi Operator”) for your ride. You will have to disclose your personal data in order to use the application as a passenger who wishes to be transported by calling a taxi, and this data is subject to our processing for the purpose of providing the specific service. In the context of this service, the following personal data will be processed in accordance with Article 6(1)(b) of the General Data Protection Regulation (GDPR) for the purpose of executing the contract:

      • Name, email address and mobile telephone number (master data).
      • Your geographic location data via the Global Positioning System (GPS) and/or other geolocation methods provided by the devices) at the time of booking, the coordinates of the start of your ride and its final destination, information about your terminal equipment (device ID), as well as your chosen password (in encrypted form) are similarly processed.
   3. 4.3. Payment

      In the context of the payment, the following personal data will be processed in accordance with Article 6(1)(b) of the General Data Protection Regulation (GDPR) for the purpose of executing the contract:

      • Your name, address, the coordinates of the start of your ride and its final destination, your country, language, email address, mobile telephone number, credit card key code, last digits of the credit card number, the e-mail address of your PayPal account (if available), as well as information related to your terminal equipment (device ID, etc.).

      We are unable to offer you certain means of payment if we do not process the personal data in question. However, you can always pay cash directly to the Taxi Operator without any further involvement of the application.
      
      For payments through the KAROOT Software using the Passenger’s credit/debit card (“payments via Application”), KAROOT has entered into and maintains in force a Contract with a licensed electronic payment service provider for the acceptance and receipt of electronic payment services.

   4. 4.4. News, promotions and personalised offers

      You will only receive offers and advertisements from us if, during the registration process, you consented to the receipt of news and personalised offers (advertising, coupons and offers) and to the display of usage-based news. This applies to both non- personalised (sent to all customers) and personalised (sent only to you and based on an analysis of your personal data that you have expressly provided to us or that resulted from your use of the Application) newsletters that are sent electronically (email, SMS, in-App messages, promotional messages) to your terminal equipment (smartphone, tablet, PC, etc.).
      
      We will also process your personal data in order to organise promotional activities. By participating in any promotional activity, you authorise us to process the personal data you have shared with us in relation to the promotion and to disclose them through different means or through the Application itself.
      
      If you do not wish to receive the news and personalised offers mentioned above, you may withdraw your consent by means of a written statement to the Company.
      
      Please note that the withdrawal and subsequent changes are only valid for the future and will take effect or be implemented no later than 48 hours from the time of withdrawal.

5. 5. Recipients of Personal Data - Disclosure

   In the course of fulfilling our contractual and legal/regulatory obligations, your personal data may be given to third parties for purposes related to the necessity of data processing, in accordance with the respective contractual/regulatory framework and against which the necessary provisions for the protection and lawful processing of your personal data have been taken, under the supervision of the legal representative of the controller. All third parties to whom the Personal Data are disclosed undertake to observe the principle of confidentiality and to operate with a view to protecting such data in accordance with domestic law and the principles of the GDPR. Similarly, all processors appointed by us to process personal data on our behalf are contractually bound to comply with the provisions of the GDPR.
   
   In particular, we disclose your necessary personal data to taxi drivers using the Application in order to fulfil your requirements.
   
   Furthermore, in order to achieve the purposes described in this Privacy Policy, we may disclose or grant access to your personal data to third parties who provide us with support in the services we provide to you, such as:

   • financial institutions;
   • technology service providers;
   • providers of customer support services;

   partners and service providers involved in advertising and marketing. We will also disclose your personal data when required by law or when we believe that disclosure is necessary to protect our rights and/or to comply with a legal process, court order, request from a regulatory authority, or any other legal process notified to us.

6. 6. Personal data retention time

   We will retain your personal data for the duration of our transactional or other contractual relationship with you, or for the duration provided for by your legal consent, or for the duration required by fiscal and other laws of the state or the exercise of our legal right and the serving of legitimate interests, or for the duration specified by the instructions of the competent data protection authority.

7. 7. Rights of Subjects

   In the context of the application of the GDPR, you maintain the following rights, which you can exercise electronically or in writing:

   • Right of access (information on the Personal Data retained and the means of obtaining copies)
   • Right to rectification (rectification of inaccurate or incorrect information in the retained Personal Data)
   • Right to erasure (deletion of data or cessation of its use, subject to the limitations provided by the GDPR)
   • Right to restriction (under the conditions provided for in the GDPR)
   • Right to portability (direct transfer of Personal Data to a third-party organisation indicated by you, in an appropriately structured format)
   • Right to object (provided that there are no compelling and legitimate grounds for processing which outweigh your interests, rights or freedoms or for the purpose of the establishment, exercise or support of legal claims)

   Each of your requests regarding the Personal Data that concern you and the exercise of your relevant rights shall be submitted in writing to the e-mail address or to the postal address of the data controller or in person (or through a third party, with an authorisation certified for the authenticity of the signature) at the company’s corporate seat.
   
   The company responds to your requests free of charge, without undue delay and within a month of their receipt, except in special cases where the above deadline can be extended by two more months, if required, given the complexity or volume of the requests. In the latter case, the company informs you of the extension and the reasons for the delay within one month of receiving the request. If the controller considers that your request is manifestly unfounded or excessive, the company reserves the right to impose a reasonable fee for processing it, taking into account the costs for its satisfaction, or even to refuse to proceed with it.
   
   In the event that your request cannot be satisfied, then the company will inform you without delay and within one month of its receipt, regarding the relevant reasons and your right to file a complaint with the competent supervisory authority for GDPR implementation issues, namely the Hellenic Data Protection Authority (DPA– 1-3 Kifisias St., Post Code 11523, Athens, tel.: 210-64.75.600 or e-mail: contact@dpa.gr), with which you reserve the right to file a complaint if you consider that the processing of your personal data is in breach of the applicable legislation, but also regarding your right to appeal to the competent judicial authorities.

8. 8. Changes to the Privacy Policy

   We review this Privacy Policy regularly and reserve the right to revise this Privacy Policy regularly and make changes at any time. If we take the above actions, we will notify you by various procedures through the Application or by means of a notification to your email address.
   
   We recommend that you check this Privacy Policy from time to time in case minor changes have been made or in case we make any interactive improvement, taking advantage of the opportunity to always find it as a permanent point of information on our Website and in our Application.

9. 9. Contact us

   If you have any questions about this Policy or about the way in which we handle your Personal Data, or if you wish to exercise your rights, please contact KAROOT’s Data Protection Officer at the email address below thekarootapp@thekaroot.com.