Privacy policy

MYBEE PRIVACY POLICY

MyBee Estonia OÜ (hereinafter – we or the Company) values and protects the privacy and security of personal data, therefore in this Privacy Policy (hereinafter – the Privacy Policy) we explain how we handle the personal data of our Customers and other data subjects (hereinafter – you) when using: (a) the CityBee Mobile Application in order to use the MyBee Services (hereinafter – the Mobile Application); (b) MyBee vehicles – cars (hereinafter – the Vehicles); (c) MyBee website https://www.mybee.ee (hereinafter – the Website). We also explain how we process your data when you enter into the Services Agreement with us, communicate with us by phone, e-mail, or social networks regarding the MyBee Services, and inform you of the conditions and procedures for handling other information collected and/or received about you.

In this Privacy Policy, we provide the most important structured information about the protection of your personal data: i.e. what personal data we collect, how and why we use it, what legal bases we use to process it, how long we store it, to whom we transfer it, and your rights and how to exercise them.

We process personal data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ((the General Data Protection Regulation (hereinafter – the GDPR)), the Estonian Personal Data Protection Act and other applicable legal acts in the field of personal data protection, as well as this Privacy Policy.

If you use the Website and/or the Mobile Application, we will consider that you have read this Privacy Policy and agree to the purposes, methods, and procedures for the processing of your personal data set out herein. If you do not agree with the Privacy Policy, please do not use our Website and the Mobile Application, and do not provide us with your personal data in any other way.

The Privacy Policy is a constantly changing document, therefore, we can improve, modify, and update it. You will be additionally informed about critical policy changes, but we encourage reviewing this Privacy Policy from time to time.

1. DEFINITIONS

The following terms are defined as follows in this Privacy Policy:

We or the Company shall mean MyBee Estonia OÜ, a private limited liability company, established and operating under the laws of the Republic of Estonia, legal entity code: 16462004, address of registered office: Toom-Kuninga 15-60, 10122 Tallinn, Republic of Estonia.

Services or MyBee Services shall mean all services that the Company offers and provides to you, including, among other things, (i) rent (use) of the Vehicle; (ii) maintenance of the Vehicle and assets therein, insurance as specified in the Services Agreement; (iii) other services provided on the Mobile Application and/or the Website.

Customer shall mean the natural person who concluded the Services Agreement with us, or if a legal person concluded the Services Agreement with us, then the natural person representing them, as well as the natural person to whom the person who concluded the Services Agreement with us has granted permission to possess and temporarily use the Vehicle.

Website shall mean the website accessible at https://www.mybee.ee.

Mobile Application shall mean the CityBee software for smartphones, tablets and/or other mobile devices, which is used to perform actions in connection with rent of MyBee Vehicle – Vehicle reservation, unlocking, locking and/or other actions provided for therein. The Mobile Application manager is CityBee Eesti OÜ, legal entity code: 14646800, address of registered office: Peetri 5, Tallinn 10411, Republic of Estonia (hereinafter – the Mobile Application Manager).

Account shall mean a digital account created in the Mobile Application.

Services Agreement shall mean the agreement on provision of the Services concluded between the Customer and the Company (e.g. Motor Vehicle Rental Agreement). Other terms shall have the meanings assigned to them and defined in the GDPR and/or the Services Agreement.

2. ON WHAT LEGAL GROUNDS DO WE PROCESS YOUR PERSONAL DATA?

We generally process your data specified in this Privacy Policy on the following legal bases:

for conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR);
for fulfilment of our legal obligations (Article 6(1)(c) of the GDPR);
for pursuing our legitimate interests and those of third parties (Article 6(1)(f) of the GDPR);
for acting in accordance with your consent (Article 6(1)(a) of the GDPR).

If we process your personal data based on legitimate interest, we have weighed the opposing interests and have decided that considering the purpose for processing personal data and the measures that we have taken, our (or the relevant third party‘s) interest in processing your personal data is not overridden by your interests or fundamental rights and freedoms which require protection of personal data. If you would like to receive more information about such assessment, please contact us. You also have the right to object to the processing of your personal data based on legitimate interest. Read more about your rights in Chapter 8 below.

In the scope and under the conditions set by applicable legal acts, one or several of the abovementioned legal grounds may apply to the processing of your personal data. The purposes and legal bases of processing your personal data are detailed in Chapter 13 below.

3. FROM WHICH SOURCES DO WE OBTAIN YOUR PERSONAL DATA?

We receive almost all your personal data from you when you enter into the Services Agreement with us, when you use the Mobile Application and/or the Website, or our other Services.

Also, when permitted by law and when necessary to achieve the performance of the Services Agreement and/or the purposes of processing your personal data, the Company collects and receives information about you from the following various sources:

1. From the Mobile Application Manager when you have already provided the personal data to the Mobile Application Manager by installing and registering for the Mobile Application. Such personal data will be transferred to us if you choose to receive the MyBee Services and consent to it – but only to the extent necessary to provide the MyBee Services. See Chapter 13 below for more information.
2. From the following third parties under a legitimate basis:

from appointed institutions – data of periodic (regular) verification of driving license validity;
from the police, insurance companies, and other institutions or persons – information about violations of road traffic regulations, traffic accidents, damage to the Company, Vehicles, or third parties;
from payment service providers – information about your payment transactions;
from insurance companies, authorities (e.g. police), and institutions – information on inquiries and requests regarding you;
from debt recovery companies, claims management, and credit rating companies – your debt or financial data;
from providers of Internet services, and communication service providers – transferred data when you use the Internet and communications services;
information we receive from our service providers, partners, competent authorities (e.g. during the investigation in the Data Protection Inspectorate), and other data controllers indicated in Chapter 4 of the Privacy Policy;
from public registers – information accessible from the systems (applicable to business Accounts).

4. DO WE SHARE YOUR PERSONAL DATA WITH OTHERS?

Yes, the Company discloses all or part of your personal data to the following data recipients: various service providers with whom we have entered into service and data processing agreements, the Mobile Application Manager, the companies belonging to the same group as the Company, competent authorities and other data controllers who have a right to information in accordance with the applicable law and/or our legitimate interests. Also, with your consent, your personal data may be disclosed to persons and/or companies specified by you. More specifically:

1. The Company uses a variety of service providers (e.g. software, server hosting, data center, cloud, IT, payment, accounting, tax advisory, claims management, debt collection, etc.). All service providers have entered into service and data processing agreements with us and are considered to be processors of your personal data who may process your personal data only in accordance with our instructions and in strict compliance with the purposes of processing. All data processors, like us, must ensure the security of your personal data in accordance with applicable laws and the agreements entered into with us.
2. The Mobile Application Manager, acting as an independent data controller, has access to all data entered into and/or generated by the Mobile Application. The Mobile Application Manager also provides us identification and driving license verification, remote contract conclusion, service payment administration, service contract mediation, and other necessary services. During the provision of these services, the Mobile Application Manager processes the personal data as a service provider and is considered to be a processor of your personal data.
3. In order to ensure the smooth provision and quality of the Services, it may be necessary to transfer some of your personal data to other companies belonging to the same group as the Company. All companies in the Company’s group are considered to be service providers and processors of your personal data.
4. If necessary and legally justified, we also provide your personal data to service providers that are separate data controllers, as well as competent authorities, institutions, organisations, and other data controllers who are entitled to receive information in accordance with applicable legal acts and/or our legitimate interests:

we contact (or that is done by service providers selected by us) the authority that issued the driving license to make sure that the driving license you have provided is valid;
in the event of an accident, your data will be transferred to insurance companies and, if necessary, to other parties involved in the accident;
we have the right and, in certain cases, an obligation to report information about violations of road traffic regulations (e.g. speeding, drunk-driving) to the competent authorities (e.g. the police) based on the Vehicle data available to us;
we have the right and, where appropriate, obligation to transfer information to the competent authorities (e.g. law enforcement authorities, courts, other dispute resolution authorities) for the purposes of prevention of fraud, offence, and crimes, as well as investigation;
if you fail to meet your financial obligations under the Services Agreement and do not pay your debt within the period specified in the notice, we have the right to transfer your debt and personal data (including name, personal identification number and other evidence of debt) to persons with legitimate interest in obtaining such data for the purposes of debt management, credit rating and/or debt recovery;
your personal data may also be transferred to other data controllers (insurance companies, vehicle maintenance service providers or other additional service providers) if you order additional services, as well as to the providers of vehicle financial lease services, and credit institutions;
your personal data may also be transferred to service providers that are independent data controllers whose offers you have agreed to receive;
in the case of fines for parking violations, we transfer your data to the parking managers or vehicle collection companies who contact us on their behalf.

5. DO WE TRANSMIT DATA OUTSIDE THE EEA?

The data processors and controllers we share your personal data with are usually located in the Member States of the European Union or the European Economic Area (EEA) or store the data entrusted to them by us in the European Union or the EEA. However, we have cases where carefully selected processors (such as Google, Microsoft Azure, etc.) and controllers (such as social networking platform operators LinkedIn, Facebook) process data outside the EEA.

We closely follow the practices and guidelines of supervisory authorities regarding the transfer of personal data outside the EEA and carefully assess the conditions under which the data are transferred and may be further processed and stored after the transfer outside the EEA. To ensure an appropriate level of data security and to guarantee the lawful transfer of data, we sign, where possible, the Standard Contractual Clauses approved by the European Commission for the transfer of data outside the EEA or ensure it is done otherwise in accordance with the GDPR.

If you would like to receive more information about how we ensure the security of your personal data when transferring it outside the EEA, please contact us on the contact details specified in Chapter 11 below.

6. HOW LONG DO WE STORE YOUR PERSONAL DATA?

We store your personal data for no longer than required for the purpose(s) of processing or as required by law. Details of the possible purposes for which your personal data will be processed and the duration for the retention of personal data processed for those purposes are set out in Chapter 13 of this Privacy Policy.

After the end of your data processing and storage period, we destroy your data or anonymise them irreversibly and reliably as soon as possible, within a period reasonably necessary for performance of such an action.

If different processing or storage periods can be applied to the same data category for different purposes in accordance with this Privacy Policy, the longest of the applicable periods shall apply.

Your personal data can be stored for a period longer than indicated in this Privacy Policy only when:

your data is necessary for the proper administration of the debt, damages (for example, you have not fulfilled your financial obligations or have caused damage to us or other persons), examination and settlement of a dispute, complaint, the protection of our legitimate interests or those of third parties;
it is necessary for us to defend ourselves from existing or threatening demands, claims or legal actions and exercise our rights;
there is reasonable suspicion of violations or illegal activities, which are or may be subject to investigation;
it is necessary for ensuring the functioning, resilience, integrity of backup copies, information systems, traceability of operations, statistical and other similar purposes;
there are other grounds provided for in legal acts.

7. HOW DO WE ENSURE THE SECURITY OF YOUR PERSONAL DATA?

We process your personal data responsibly and securely in accordance with our internal personal data policies and appropriate technical and organizational measures, including protection against unauthorized or unlawful processing of data and against accidental loss, destruction, damage, alteration, disclosure, or any other unlawful processing. We follow the following basic principles of data processing:

we collect personal data only for defined and legitimate purposes;
we process personal data fairly and only for the original purpose;
we store personal data for no longer than required by the established purposes or as required by legal acts;
we assign the processing of personal data only to employees who have been granted such a right and official access;
we only process personal data using appropriate technical and organisational measures;
we disclose personal data to third parties only if there is a legal basis for it;
if applicable, we inform the Data Protection Inspectorate about the recorded or alleged personal data breaches;
we carry out periodic data protection trainings for our employees;
we perform periodic internal and/or external IT security audits.

We emphasize that we regularly monitor our systems for possible breaches or attacks, but it is not possible to guarantee full security of information transmitted online or avoid breaches that may occur due to your negligence or data disclosure to others. In view of this, you provide your personal data to us by use of the Internet connection, via the Mobile Application and the Website, at your own discretion and assuming any associated risks.

8. WHAT RIGHTS DO YOU HAVE?

If we process your personal data for the purposes set out in this Privacy Policy or if you have reasons to believe that we are processing your personal data, then you have the following rights:

to obtain confirmation as to whether or not your personal data is being processed, and where that is the case, to request access to your personal data and get their copy;
to request rectification of inaccurate or incomplete personal data;
to request deletion or restriction of processing of personal data;
to object to the processing of your personal data based on legitimate interest or for direct marketing purposes;
to receive your personal data that you have provided to us in a structured, machine-readable format and to transmit that data to another controller;
to withdraw your consent at any time if data processing is based on your consent. Withdrawal of consent shall not affect the lawfulness of processing before the withdrawal of the consent;
to file a complaint with the Estonian Data Protection Inspectorate (in Estonian: Andmekaitse Inspektsioon; www.aki.ee; info@aki.ee; +372 6828 712; Tatari 39, 10134 Tallinn, Republic of Estonia) or the supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement (see: https://edpb.europa.eu/about-edpb/about-edpb/members_en), but we would recommend contacting us first and we will try to resolve all your concerns together with you.

8.1. The right to obtain confirmation as to whether your personal data is being processed, the right to access your personal data and the right to obtain a copy of personal data:

In order to exercise this right, contact us in ways indicated in Chapter 9 of this Privacy Policy and we will send you a letter with information (or will explain in person) how you can obtain a copy of your personal data.

8.2. Right to rectification of personal data:

In case of changes in the data submitted by you to us (e.g. surname, e-mail address, telephone number), change of driving license data (e.g. you changed or updated your driving license) or in case you think that the information processed by us about you is inaccurate or incorrect, you have the right to demand to modify, amend or correct such information.

You can make some corrections and changes to your data on your Account on the Mobile Application (e.g. upload a new driving license after the previous license expires). In other cases, you must contact us in the ways indicated in Chapter 9 of the Privacy Policy and request that we correct or amend your data.

8.3. Right to withdraw consent:

In case where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time, in which case the data processing based on your consent will stop.

For example, you can withdraw your consent to receive offers and marketing information at any time. The withdrawal of such consent will not prevent you from continuing to use our Services, but this will mean that we will not be able to send you offers that may be useful to you. In order to exercise this right, please contact us in the ways indicated in Chapter 9 of the Privacy Policy.

8.4. Right to erasure (right to be forgotten):

When there are certain circumstances indicated in legal acts on personal data protection (e.g. when the basis for data processing has disappeared, etc.), you have the right to request that we erase your personal data (e.g. the Account in the Mobile Application, Customer employee Accounts are no longer in use (after the Services Agreement has been terminated), etc.). In order to exercise this right, please contact us in the ways indicated in Chapter 9 of the Privacy Policy.

We will treat your request to erase all your data as a request to terminate the Services Agreement, which shall be terminated in accordance with the Services Agreement.

If you express a wish “to be forgotten”, we will no longer process such data that will no longer be necessary for the purposes for which they were collected or otherwise processed. After you have exercised the right “to be forgotten”, your personal data will nevertheless be further processed for the following main purposes and on the following main legal bases (the list is non-exhaustive):

some personal data will be further processed for the purposes of meeting accounting, tax, or other requirements deriving from legal acts in accordance with Article 6(1)(c) of the GDPR (data processing is necessary to fulfil the legal obligation imposed on the data controller);
GPS (location) data will be further processed in accordance with Article 6(1)(f) of the GDPR (data processing is necessary in pursuance of legitimate interests of the data controller or a third party to determine any violations of applicable legal acts and/or the Services Agreement);
in order to manage Customers’ complaints and other requests and inquiries, personal data will be processed in accordance with Article 6(1)(b) of the GDPR (it is necessary to process data in order to fulfil the Services Agreement to which the data subject is a party) and/or Article 6(1)(f) of the GDPR (data processing is necessary in pursuance of legitimate interests of the data controller or a third party for the establishment, exercise, or defence of legal claims and/or respond to requests and inquiries);
in case of disputes, need to administer damages and debts, or to pursue our other legal claims and protect our rights, some personal data will be further processed in accordance with Article 6(1)(f) of the GDPR (data processing is necessary in pursuance of legitimate interests of the data controller or a third party for the establishment, exercise, or defence of legal claims).

If you delete (uninstall) the Mobile Application, it shall not automatically bring about the termination of the Services Agreement, which will continue in effect until terminated in accordance with the Services Agreement.

8.5. Right to restriction of processing:

When there are certain circumstances indicated in legal acts on personal data protection (when personal data are processed unlawfully and you oppose the erasure of the personal data and request the restriction of their use instead, when you challenge the accuracy of the personal data and we need to verify the accuracy thereof, when you object to processing on the basis of our legitimate interest and we need to verify whether our legitimate interest prevails or not, etc.), you also have the right to restrict the processing of your personal data. However, we must point out that this may lead to us being unable to guarantee you all the Services which may lead to the suspension or termination of the Services Agreement.

In order to exercise this right, please contact us in the ways indicated in Chapter 9 of the Privacy Policy.

8.6. Right to data portability:

You have the right to receive your personal data, which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller, where the processing is based on consent or on a contract and the processing is carried out by automated means. You have the right to have the personal data transmitted directly to another controller where this is technically feasible.

8.7. Right to lodge a complaint:

You have the right to lodge a complaint with the Estonian Data Protection Inspectorate (in Estonian: Andmekaitse Inspektsioon; www.aki.ee; info@aki.ee; +372 6828 712; Tatari 39, 10134 Tallinn, Republic of Estonia) or the supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement (see: https://edpb.europa.eu/about-edpb/about-edpb/members_en).

However, if you think that we process your personal data in breach of personal data protection laws, we always ask that you contact us directly at first. We believe that our good will efforts will be enough to disperse any doubts you may have, to answer your questions, to satisfy your requests and correct any errors we have made, if any.

9.HOW CAN YOU EXERCISE YOUR RIGHTS?

You can submit your requests to exercise your rights (as far as MyBee Services are concerned) in the following ways:

you can unsubscribe from the newsletter at any time by clicking on the “Unsubscribe from Newsletter” link in the email;
you can unsubscribe from push notifications in the Mobile Application settings or by changing your device’s operating system settings;
you can exercise your rights by submitting a digitally signed application by e-mail to info@mybee.ee;
you can also exercise your rights by calling us and requesting to exercise your right(s). In this case, we will first verify your identity by asking you to indicate your Account information or other information that should be only known by you. In the performance of this verification, we may send a control notification to the last contact that was on the Account (SMS or e-mail), asking to take an authorization action, request additional documents, or ask you to provide written confirmation. If the verification procedure fails, we will be forced to state that you are not the data subject of the requested data and we will have to reject your request;
you can also exercise your rights upon arrival at our customer service department and filling in the application form (in which case we will ask for an identity document);

in cases where you do not have an Account or it is not possible to complete your verification via phone call, please send us a digitally signed request by e-mail to info@mybee.ee or visit our customer service department.

10. HOW DO WE PROCESS YOUR REQUESTS TO EXERCISE YOUR RIGHTS?

In order to protect your data from illegal disclosure, upon receipt of your request to exercise your right(s), we will have to verify your identity. For identity verification, we, first of all, use the ways indicated in Chapter 9 of the Privacy Policy.

Upon receipt of your request to exercise your right(s) and having successfully performed the above-indicated verification procedure, we undertake without undue delay, but in any case no later than within one month after receipt of your request and completion of the verification procedure, to give you information about actions we took upon your request. With regard to complexity and number of requests, we have the right to extend the period of one month by two more months, informing you about it before the end of the first month and indicating reasons for such an extension.

If your request is submitted electronically, we will give the answer to you electronically, too, unless it is impossible (e.g. due to a particularly large scope of information) or when you request us to answer you in some other way.

We have the right to refuse to satisfy your request by our reasoned written response under the conditions and grounds provided for in legal acts. We will provide you with information free of charge, however, if the requests are manifestly unfounded or disproportionate, in particular because of their repetitive content, we may require a reasonable fee to cover administrative costs or may refuse to act upon your request.

11. HOW CAN YOU CONTACT US?

The data controller that processes your personal data indicated in this Privacy Policy when you use the Company’s Services is MyBee Estonia OÜ, legal entity code: 16462004, address of registered office: Toom-Kuninga 15-60, 10122 Tallinn, Republic of Estonia.

You can contact us about all issues concerning this Privacy Policy and the processing of your personal data as follows:

by e-mail: dpo@mybee.ee
by phone: X

Also note that a lot of relevant information can be found in the FAQ section on our Website.

12. VALIDITY OF AND CHANGES TO THE PRIVACY POLICY

If we change this Privacy Policy, we will publish its updated version on our Website and in the Mobile Application. You will be additionally informed about the most important/essential changes via e-mail and/or otherwise. The latest changes to the Privacy Policy were made on and are valid from X.

13. ADDITIONAL INFORMATION ABOUT PROCESSING YOUR PERSONAL DATA

The tables below, which are divided into convenient individual categories, provide an additional description of data processing processes and detailed information about how we collect, process and store your personal data.

13.1.ACCOUNT CREATION IN THE MOBILE APPLICATION

If you wish to start using the MyBee Services provided by the Company, you must first create an account in the Mobile Application that is managed by the Mobile Application Manager, who acts as an independent data controller.

Please be informed that to use the Mobile Application and to access the MyBee Services, you will have to read and accept the terms of the Mobile Application Manager and also become their client. The Mobile Application terms and privacy policy will be presented to you before you install the Mobile Application and will always be accessible on the CityBee website at https://citybee.ee/en/ (at the bottom of the page).

You are aware and understand that MyBee Services can only be used through the Mobile Application following the procedure provided therein. If you do not agree to become a Mobile Application Manager client or that your personal data would be processed through the Mobile Application then you will not be able to use the MyBee Services.

Data categories	In the account creation process, you provide the Mobile Application Manager with and we receive (after you complete the second step of the Vehicle checkout process) the following data: first name, surname, mobile phone number, e-mail address, address of your place of residence. Also technical data, such as account creation date, account verification logs and details, IP address, specific consents, and other technical data.
Legal grounds for data processing	Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Duration of data processing	If the Mobile Application account was terminated/deleted without using any MyBee or Mobile Aplication Manager‘s services – during the effective term of the account and for a maximum period of 1 year after its expiry.
	In all other cases, during the effective term of the Mobile Application account and for a maximum period of 5 years after its expiry.
	Chapter 6 of the Privacy Policy lists cases and conditions when your personal data can also be stored or otherwise processed for a longer period of time.

13.2. USE OF THE MOBILE APPLICATION AND THE SERVICES

There is an electronic system installed in each Vehicle that records and transmits to us information on the location of the Vehicle, distance covered by the Vehicle, speed, and other data relating to the Vehicle. We need these data to provide the Services to you and otherwise perform the Services Agreement, as well as ensure the performance of the Services Agreement by you.

If during the use of the Vehicle you connect your device to the Vehicle devices (e.g. navigation, multimedia systems), your device data (e.g. the given name, contacts stored on the device, and Bluetooth ID), shall be stored in the Vehicle‘s devices unless you delete them following the instructions of the Vehicle manufacturer.

When you use the Services, we have the right to periodically check the validity of your driving license (when it was provided for the creation of a natural person’s Account). If we notice that your driving license is about to expire, we may contact you (by e-mail, SMS, push notifications, or other notifications (in the Mobile Application)) and inform you about the expiry of the driving license.

Data categories related to the use of the MyBee Services	If you require to use the MyBee Services and conclude the Services Agreement with us, we collect the following additional data: payment card information (card type, card four last digits, expiry date). In case of creation of a natural person’s Account, we also collect the following data: your facial image (selfie), photo of the first side of your driving license, driving license number, personal ID number and/or date of birth, expiry date, your facial image and other information from the driving license, the state and the authority that issued the driving license, driving license validity verification data (we do it by involving service providers), data of matching the facial image with the photo on the driving license, date of uploading the driving license to the Account, other settings and system data. When you use the MyBee Services (as either a natural person or business Customer) we collect the fact of Vehicle reservation, the time of locking/unlocking it, information on the Vehicle you used, date and time of use of the Vehicle, the Vehicle GPS data, route, speed, travel distance, duration, other travel, and Vehicle parameters, price of Services provided to you, discounts, fact of payment, fact of invoicing, fact and amount of debt, etc., payments you made for our Services, other data of performed payment transactions (date, amount, last four digits of the card used for payment, etc.), data of periodic (regular) verification of driving license validity, information on performance of the Services Agreement (violations, fines, etc.), violations of road traffic regulations.
Data categories related to the use of the Mobile Application	The operating system of your device, version of the Mobile Application used, technical and system data of using the Mobile Application, IP address, and other technical data we have collected. Internal information about your Account in order to use MyBee Services: Account creation date and status, Customer and Account identifiers, date of adding the driving license, the fact of blocking (suspension of the Services Agreement) and the reason for it, actions of changing your Account details to the extent it is related to MyBee Services, actions on the Account, various systemic Account data, other information related to the use of the Account for MyBee Services.
Legal grounds for data processing	Conclusion, performance, amendment, and administration of the Services Agreement (Article 6(1)(b) of the GDPR). Our legitimate interest and that of third parties (Article 6(1)(f) of the GDPR): to make sure that only persons entitled to drive can order and use our Services; to make sure that the identity of our Customers is properly verified and that identity theft is prevented; to ensure performance of contractual obligations, defence of rights. Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas: accounting, taxes, other public obligations; protection of consumer rights; product safety; road safety, road traffic regulations; information security.
Duration of data processing	If the Services Agreement was terminated before you used Services under the Services Agreement – during the effective term of the Account and for a maximum period of 1 year after its expiry.
	Route GPS data, speed data – no longer than 12 months after their generation.
	In all other cases – during the effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
	Chapter 6 of the Privacy Policy lists cases and conditions when your personal data can also be stored or otherwise processed for a longer period of time.

13.3. CONCLUDING AN AGREEMENT WITH PRIVATE NATURAL PERSON CUSTOMERS

In order to use the MyBee Services, it is not enough to create an Account in the Mobile Application – you also have to conclude the Services Agreement with us. The Services Agreement for natural person Customers is concluded and signed only electronically via the Mobile Application after choosing the Vehicle model and specific rental conditions and also by performing all verification and confirmation steps requested in the Mobile Application.

Data categories	In order to conclude the Services Agreement, we will process the following personal data: all personal data stated in Clause 13.1. Also, all information provided in the Services Agreement (e.g. payment method, pre-payment amount, monthly payments, length of the Services and etc.). Additionally, technical data, such as Mobile Application Account creation date, acceptance to the Services Agreement and Privacy Policy, confirmation code, log details, date of accepting the last version of the terms, consents, and IP address.
Legal grounds for data processing	Conclusion, performance, amendment, and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Duration of data processing	During the effective term of the Services Agreement and for a maximum period of 10 years after its expiry.
Duration of data processing	Chapter 6 of the Privacy Policy lists cases and conditions when your personal data can also be stored or otherwise processed for a longer period of time.

13.4. CONCLUDING AN AGREEMENT WITH BUSINESS CUSTOMERS

If the Services Agreement is sought to be concluded by a business Customer (company, institution, organization), the GDPR does not apply. However, by concluding the Services Agreement or by providing the Services, we process the personal data of representatives/employees of the business Customers who are subject to GDPR protection.

Business Customers with whom the Services Agreement is concluded shall ensure and undertake that:

they have the right to transfer to us the personal data of their representatives/employees required for the creation of the Account and provision of the Services;
their representatives/employees are informed that a representative of the business Customer will have a possibility to see and process data on the trips of the business Customers’ representatives/employees who will be using the MyBee Services on behalf of the business Customer and other Services provided to them when they use the business Customer’s Account;
their representatives/employees would get familiar with and properly comply with the Services Agreement (and all parts thereof) as well as this Privacy Policy.

Data categories	Company name, address, legal entity code, VAT number (when the entity is registered as a VAT payer). First name, surname, title, e-mail address, telephone number of the person responsible for the performance of the Services Agreement (representative/employee of the business Customer), the proof of legal ground for representation. Also, all information provided in the Services Agreement (such as Vehicle, payment method, pre-payment amount, monthly payments, length of the Services, payment card details and etc.). Additionally, all other personal data of the representative/employee of the business Customer as specified in Chapter 13.
Legal grounds for data processing	Conclusion, performance, amendment, and administration of the Services Agreement (Article 6(1)(b) of the GDPR). Our legitimate interest and that of third parties (Article 6(1)(f) of the GDPR): to conclude, perform, amend, and administer the Services Agreement concluded with a business Customer; to perform risk assessment, protection of our assets, ensuring the security of third parties and their assets; to ensure collection of fees for the Services provided, administration of debts, and management of damages; to ensure pursuance of our own and third parties‘ rights and legitimate interests; to ensure the functionality of the Mobile Application and information systems when you use the Services; to ensure the prevention of fraud, and other actions of bad faith; to administer, manage and recover your debts and damages inflicted on us and our property; to ensure the provision of the Services, support, and improvement; to ensure the necessary communication with authorised persons of the business Customer, who are not parties to the Services Agreement. Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas: accounting, taxes, other public obligations; protection of consumer rights; information security.
Duration of data processing	During the entire effective term of the Services Agreement and for a maximum period of 5 years after its expiry or as specified next to each personal data processing purpose in Chapter 13.
Duration of data processing	Chapter 6 of the Privacy Policy lists cases and conditions when your personal data can also be stored or otherwise processed for a longer period of time.

13.5. CUSTOMER SERVICE – INQUIRIES, REQUESTS, COMPLAINTS

If you contact our customer service center by phone and agree that your telephone call is recorded, we will record the information you provide, including personal data, so that we can properly examine your request and/or respond to your question, request or complaint.

If you contact us in writing (by e-mail or otherwise), we will store the fact of you contacting us and the information provided, including personal data, so that we can properly examine your request and/or respond to your question, request or complaint.

Data categories	The telephone number you are calling from or the e-mail address you send an email from, other information pertaining to your inquiry, including, but not limited to, first name, surname, licence plate number of the Vehicle you drive. Call record, technical details of the call (date, duration, etc.), history of calls. Complaint, request, inquiry text, description of the circumstances of the complaint or another inquiry, break-down, traffic accident data, etc., documents supporting the complaint, request, inquiry, other information provided to us.
Legal grounds for data processing	Your consent (Article 6(1)(a) of the GDPR). Conclusion, performance, amendment, and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Duration of data processing	Call records are stored for a maximum period of 6 months from the moment of the call.
	Complaints, claims, written requests related to the performance of the Services Agreement and/or Website which may be related to disputes, shall be stored throughout the entire effective term of the Services Agreement no longer than for 5 years after its expiry, unless longer periods specified below apply.
	Chapter 6 of the Privacy Policy lists cases and conditions when your personal data can also be stored or otherwise processed for a longer period of time.

13.6. DIRECT MARKETING – NOTIFICATIONS, OFFERS AND INFORMATION BY E-MAIL AND SMS

In order to provide you with the most effective customer engagement experience, to expand the range of Services we offer and to constantly improve them, to provide you relevant, engaging, and valuable offers and other information about our Services, we process your personal data by periodically sending you general and personal offers (including offers from our partners) and other information. We can send notifications, offers, and information to you in several ways: e-mail or SMS (only with your consent).

You can easily unsubscribe from e-mail newsletters at any time by clicking on the “Unsubscribe from Newsletter” link in the e-mail or by contacting us. See also Chapter 9 of the Privacy Policy.

Data categories	Your name, surname, e-mail address and/or telephone number, country, city, date of birth, Mobile Application registration status (complete/incomplete), Customer type (natural person/business), direct marketing consents and waivers. The Mobile Application version and operating system, the Website usage statistics. Other statistical details, such as number of trips per period, the amount of money spent on Services, date, time and places of the trip, Vehicle used (this information is used anonymously).
Legal grounds for data processing	Our legitimate interest (Article 6(1)(f) of the GDPR, for electronic direct marketing, also Article 13(2) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) and § 103¹ (3) of the Estonian Electronic Communications Act): to send you general and personalized offers and information. Your consent (Article 6(1)(a) of the GDPR): to receive notifications about our Services, offers and other information via phone call, e-mail, or SMS; to send you push notifications in the Mobile Application; to send you our partners’ offers and information.
Duration of data processing	The consent validity period shall be up to 36 months, unless it is withdrawn by you earlier. We will store the fact of consent during the period of validity of the consent and for 6 months after its expiry.
Duration of data processing	Chapter 6 of the Privacy Policy lists cases and conditions when your personal data can also be stored or otherwise processed for a longer period of time.

13.7. OPTIMISATION OF THE MARKETING TOOLS

In order to improve the efficiency of the management of our various marketing tools, we might use advanced tools to help us collect your data related to your behaviour on the Website and/or interest in our ads displayed on the Website etc. For this purpose, we may analyse the data collected and evaluate the effectiveness, efficiency, and payback of our marketing decisions (e.g. evaluate channels where ads are displayed, their number, etc.) and take better marketing decisions for the sake of more efficient re-attracting of Customers.

Data categories	Technical information related to the Customer’s device, such as browser type, device type and model, processor, system language, memory, OS version, Wi-Fi status, time stamp and zone, device motion or other parameters. Technical identifiers that normally identify only a computer, device, browser, or program, such as an IP address, user agent, IDFA (identifier for advertisers), Android ID (in Android devices), Google advertiser ID, other similar unique identifiers. Engagement information, i.e. information related to ad campaigns and ultimate actions of the Customer, such as clicks on ads, display of revised ads, audiences or segments, to which the ad campaign is assigned, the type of ads and a website or program where such ads were displayed, websites visited by the Customer, URL from the referring site, program downloads and installs, and other interactions, events and Customer actions in the program (e.g. selected Vehicle, clicks, entry time, etc.).
Legal grounds for data processing	Your consent (Article 6(1)(a) of the GDPR): for us to use cookies on the Website. Our legitimate interest (Article 6(1)(f) of the GDPR: to group and categorise Customers, test marketing tools used, and organise automated use of marketing tools for the most effective Customer engagement.
Duration of data processing	The consent validity period shall be up to 36 months, unless it is withdrawn by you earlier. We will store the fact of consent during the period of validity of the consent and for 6 months after its expiry.
Duration of data processing	Chapter 6 of the Privacy Policy lists cases and conditions when your personal data can also be stored or otherwise processed for a longer period of time.

13.8. MARKETING AND COMMUNICATION IN SOCIAL MEDIA

Data categories	Name, surname, gender, country, photograph, information about communication in the account (“like”, “follow”, “comment”, “share”, etc.), notifications sent, information on notifications (message receipt time, message content, message attachments, correspondence history, etc.), comments, reactions to published entries, sharing, information on participation in events and/or games organized by us.
Legal grounds for data processing	Your consent (Article 6(1)(a) of the GDPR). Our legitimate interest (Article 6(1)(f) of the GDPR) to manage our social media profiles.
Duration of data processing	Personal data used for this purpose shall be stored as long as you are registered on a specific social network or as stated in the specific social network privacy policy.
Duration of data processing	Chapter 6 of the Privacy Policy lists cases and conditions when your personal data can also be stored or otherwise processed for a longer period of time.

13.9. FRAUD PREVENTION AND ENFORCMENT OF LEGAL REQUIREMENTS, ADMINISTRATION OF DEBTS AND DAMAGES

Data categories	Information on your debt to the Company, including the debt amount, date, history, information on performance of the Services Agreement. Information about inquiries, requests, information, etc. provided by companies (e.g. insurance companies), authorities (e.g. police), medical institutions, other organisations. Information on assets, driving license data, information about other persons that were in the Vehicle and/or were driving it (in case of damage, violations of the road traffic regulations, etc.). Information from authorities about initiated proceedings and investigations, etc. For business Accounts, data from public registers and information systems lawfully available to our service providers (involved in debt administration, administration of damages, debt recovery). All other personal data specified in this Privacy Policy.
Legal grounds for data processing	Conclusion, performance, amendment, and administration of the Services Agreement (Article 6(1)(b) of the GDPR). Our legitimate interest (Article 6(1)(f) of the GDPR): to perform risk assessment and management; to ensure protection of our property, property interests and those of our customers, other persons; to ensure collection of fees for the Services provided, administration of debts, management of damages; to ensure prevention of fraud, other actions of bad faith; to administer, manage and recover your debts and damages inflicted on us and our property.
Duration of data processing	During the entire effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
Duration of data processing	Chapter 6 of the Privacy Policy lists cases and conditions when your personal data can also be stored or otherwise processed for a longer period of time.

13.10. COMPLIANCE WITH TAX, ACCOUNTING, OTHER STATUTORY OBLIGATIONS

Data categories	First name, surname, address, personal ID number, VAT number (when a person is registered as a VAT payer), copy of the Services Agreement, data about used Services (description of the Services, price/amount paid), issued accounting documents and their details, other accounting and tax data that we must collect, process and store under laws and other legal acts.
Legal grounds for data processing	Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR): accounting, taxes, other public obligations; protection of consumer rights; product safety; information security; other areas relevant for us.
Duration of data processing	Legal acts provide for periods of storing documents and data therein (e.g. a period of 7 years is set for accounting documents, invoices, etc.).
Duration of data processing	Chapter 6 of the Privacy Policy lists cases and conditions when your personal data can also be stored or otherwise processed for a longer period of time.

13.11. WEBSITE ADMINISTRATION, SUPPORT, IMPROVEMENT

Data categories	Data about use of the Website: data about the device operating system, use, changes, settings, other system parameters, IP address, duration of Website visit, pages visited, devices and applications used for web browsing, cookies consent and collected data.
Legal grounds for data processing	Your consent (Article 6(1)(a) of the GDPR): for using cookies. The legitimate interest pursued by us or by third parties (Article 6(1)(f) of the GDPR): to ensure security, resilience, recoverability, traceability, integrity, functioning of actions, operations of the Website and information systems.
Duration of data processing	Logs and related entries – up to 3 months.
	Cookies – see the Cookie Policy.
	Chapter 6 of the Privacy Policy lists cases and conditions when your personal data can also be stored or otherwise processed for a longer period of time.

END OF THE PRIVACY POLICY.