Privacy Policy
This Data Privacy Policy explains:
1. The Definitions of the terms used in this Data Privacy Policy;
2. The Key principles which governs e4cars’ Processing of Personal Data;
3. What information e4cars collects and why it collects it, depending on the type of Data subjects concerned by the Processing of Personal Data;
4. How e4cars protects that information and data retention period ;
5. How e4cars secures the transfer of Personal Data;
6. How Data Subjects may exercise their rights pursuant to Applicable Data Protection Laws;
7. How to consult future changes in this Data Privacy Policy.
This Policy should not conflict with applicable national and/or regional laws in the jurisdictions in which e4cars operates and the Policy shall be so construed wherever possible. In the event of any conflict between this Policy and any applicable national and/or regional laws, the mandatory provisions of the relevant law shall prevail over the provisions of this Policy.
When you use e4cars, we collect some limited information about you. We hope this guide will help you understand what information we collect, what we do with it, and how your privacy rights work.
1. Definitions
1.1. “Applicable Data Protection Law(s)” means the relevant local personal data protection, data security, data retention, and data privacy laws and regulations to which the Personal Data are subject, including the GDPR.
1.2. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.3. “General Data Protection Regulation” or “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27th of April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.4. “e4cars” designates e4cars – CAROS, which Process Personal Data as a Controller or, as the case may be, as a Processor. e4cars – CAROS is a legal entity registered under the laws of France at 9 rue Anatole de la Forge, 75017 Paris, France, simplified public limited liability company (SAS) with a capital of 100,000.00€, RCS Paris – 979 702 792
1.5. “Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.6. “Process,” “Processes,” “Processing,” and “Processed” means any operation or set of operations which is performed on Personal Data or sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.7. “Processor” means a natural or legal person which Processes personal data on behalf of the Controller, pursuant to specific and written instructions.
1.8. “Sensitive Personal Data” means Personal Data revealing information as to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, offenses, criminal convictions, criminal history, trade union membership, genetic data, biometric data, health, sex life or sexual orientation pursuant to Applicable Data Protection Law(s).
1.9. “Third Party(ies)” means e4cars’ authorized auditors, accountants, contractors, agents, vendors, and third party service providers that Process Personal Data.
2. Key Principles
2.1. Compliance with Data Protection Laws
In handling Personal Data as a Controller, e4cars and e4cars’ Personnel agree that Personal Data shall be:
- Processed by the e4cars lawfully, fairly and in a transparent manner in relation to the Data Subject (‘lawfulness, fairness and transparency’);
- Collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed (‘data minimisation’);
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are Processed, are erased or rectified without delay (‘accuracy’);
- Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’);
- Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are Processed; Personal Data may be stored for longer periods insofar as the Personal Data will be Processed solely for archiving purposes in compliance with applicable regulations on statute of limitation (‘storage limitation’).
2.2. Lawfulness
e4cars will only Process Personal Data in accordance with Applicable Data Protection Laws, and more specifically in circumstances where:
(i) Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract (such as Processing of e4cars’ clients or suppliers Personal Data that are necessary for managing their contractual relationship);
(ii) The Data Subject has given consent to the Processing of their Personal Data for one or more specific purposes (such as Processing of geolocation data on trucks and drivers to trace and track goods delivery in the context of e4car’s activities);
(iii) Processing is necessary for compliance with a legal obligation to which the Controller is subject (such as financial accounting, handling employees’ payroll Processing, keeping records for tax purposes or providing information to public bodies, law enforcement agencies, or legitimate and authorized Third Parties such as e4cars’ attorneys or professional accountants in compliance with all applicable laws…);
(iv) Processing is necessary for the purposes of the legitimate interests pursued by e4cars or by a Third Party (such as Processing of relevant employees’ Personal Data by the Human resources department, handling recruitment, applying physical and logical security procedures…).
2.3. Transparency
e4cars Processes Personal Data fairly and lawfully in accordance with Applicable Data Protection Law(s). To this end, e4cars informs Data Subjects of the purposes for which it will Process their Personal Data and provide all of the information that it must provide in accordance with Applicable Data Protection Law(s), to ensure that the Data Subjects understand how their Personal Data will be Processed by e4cars. Non-exhaustive examples of Personal Data Processing which could be made by e4cars are briefly described in Section 3 of the Data Privacy Policy.
2.4. Purpose limitation
e4cars will only Process Personal Data for the purposes (i) set out in any notice made available to the relevant Data Subject, (ii) as required by law or (iii) where consented to by the relevant individuals. Notice can be made, among other ways, through this Policy, e4cars’ website, contractual arrangements, billboards, formal notices, newsletter, etc.
2.5. Access, rectification, deletion and objection
Data Subjects should have access to their Personal Data held by e4cars where those requests are reasonable and permitted by Applicable Data Protection Law. e4cars agrees to rectify, amend, or delete the Data Subject’s Personal Data upon request where it is inaccurate or where it is being used contrary to this Policy. Data Subjects may object to the Processing of their Personal Data for legitimate reasons, to the extent required or permitted by Applicable Data Protection Laws. In order to exercise their rights, Data Subjects may contact e4cars pursuant to Section 6 of this Data Privacy Policy.
2.6. Data Quality and Proportionality
Personal Data should be kept accurate and where necessary, up to date. The Personal Data held by e4cars must be adequate, relevant and not excessive and should only be retained for as long as necessary for the purposes of the relevant Processing, all in compliance with e4cars’ archiving policies and the provisions of Applicable Data Protection Law(s) on data retention obligations.
3. Type of information Processed and reasons for Processing
3.1. Processing carried out by e4cars as a Controller
e4cars may Process the following categories of Personal Data which may vary depending on the Data Subject’s profile.
- All users of e4cars’ applications (for the purpose of logging in):
- Personal contact information: an email address is required as an identifier, and a unique user ID is set at the account creation.
- Clients and prospective clients (for the purpose of managing e4cars’ contractual relationship with its clients and prospective clients and informing them about its services):
- Mandatory
- Personal contact information: first name, last name, full address.
- Optional (if not provided, e4cars will not be able to communicate about the progress of their order, via email or text message)
- Personal contact information: telephone number, email address, title;
- Financial information: payment information, customer relationship management data, information related to the invoices payment process and follow up.
- Mandatory
- Suppliers and subcontractors (for the purpose of managing e4cars’ contractual relationship with its Suppliers and subcontractors, and for tracking and tracing the goods that e4cars handles in the context of its activities via certain applications or services):
- Optional (if not provided, e4cars will not be able to communicate about the progress of their order, via email or text message)
- Personal contact information: such as name, email address, telephone number, title, address;
- Financial information: payment information, information related to the invoices payment process and follow up;
- Images: photos and videos.
- Optional (if not provided, e4cars will not be able to communicate about the progress of their order, via email or text message)
- Employees (for the purpose of handling recruitment and human resources within e4cars):
- Optional
- Candidates and employees personal contact information: such as name, email address, telephone number, title, address;
- Employees’ administrative data: such as information related to their career, evaluation, training, allocation of IT resources, cars…
- Data related to the employees’ work organization: such as information on employees’ agendas, business travel arrangements…
- Optional
- Visitors (in the context of controlling access to e4cars’ premises):
- Optional
- Personal contact information: such as name, email address, telephone, company name…
- Images: captured by its video protection and video surveillance systems.
- Optional
3.2. Processing carried out by e4cars as a Processor
Occasionally, e4cars may act as a Processor of Personal Data on behalf of clients. In such a case, e4cars will only act in accordance with clear and detailed instructions of the client, which shall be in written form. If this is not possible (for example due to a conflict with current or future legislation), e4cars will promptly inform the client of its inability to comply with its instructions. When e4cars ceases to act on behalf of a client, it will (at the client’s option) return, destroy or continue to properly protect all Personal Data it had received from that client.
Save as specifically provided otherwise in the agreement entered between e4cars (as Data Processor) and the client (as Data Controller), e4cars is authorized to:
(i) Use any technical means it finds suitable to provide the services and Process Personal Data (such as selecting appropriate software solutions) all in accordance with e4cars’ security policies;
(ii) Engage sub-processors to provide parts of the services, access and use client data, including outside the European Union, provided that sub-processors are bound by written agreements that require them to provide at least the level of Personal Data protection required by this Data Privacy Policy and any appropriate mechanism pursuant to Section 5 of this Data Privacy Policy (Transfer of Personal Data).
Where e4cars acts as a Processor, e4cars will collaborate with the client in order to comply with the Applicable Data Protection Law(s), for example by:
(i) Informing the client about the Processing activities that e4cars carries out so that they may inform the Data Subjects accordingly;
(ii) At the clients’ request, putting in place reasonable measures to have the Personal Data updated, corrected, anonymized or deleted (subject to certain limited exceptions);
(iii) Sending to the client any requests it receives from individuals for access to their Personal Data that e4cars Processes, so that the client may respond to those requests.
Where acting as a Processor of Personal Data, e4cars will in any event treat such Personal Data in accordance with its security policies and procedures, and will only transfer Personal Data where the client has agreed to such a transfer (which it may do in advance under the terms of the agreement signed with e4cars) and inform the client if there is a serious breach of security in relation to Personal Data so that the client may inform the Data Subjects concerned, if and where necessary.
3.3. Precisions regarding the Geolocation Data
3.3.1. Purposes for Processing
e4cars collects geolocation Data even when the app is closed or not in use, for the following purposes:
- Allow the tracking and history of the work on the trips the driver has been assigned to;
- Compute the distance traveled;
- Inform customers of the arrival of the delivery;
- To provide recommendations and services based on location;
- To ensure user safety and prevent fraudulent activities;
- To conduct analyses and research to better understand usage trends and improve e4cars services.
3.3.2. Type of Data Processed
The location Data collected includes:
- Vehicle geolocation Data related to the service
- Distance traveled
- Routes taken
- Date and time of travel
- Vehicle information and history
- GPS coordinates (latitude and longitude)
3.3.3. Security and Data sharing
e4cars implements appropriate technical and organizational security measures to protect the geolocation Data against unauthorized access, disclosure, alteration, or destruction. Measures include:
- The geolocation Data may be shared with Third parties only under the following circumstances:
- With Mapbox API(s) for route calculation: e4cars sends GPS coordinates for the start and destination points without specifying what they correspond to;
- With an external map application (like Google Maps): when the user chooses to open the route in an external map application, e4cars provides the start and end coordinates along with a label indicating whether it is a pickup or delivery. e4cars does not specify if this corresponds to the user’s GPS location;
- Legal Obligations: e4cars may disclose the geolocation Data if required by law or if it is believed in good faith that such action is necessary to comply with a legal obligation, protect e4cars rights, or ensure the safety of the users.
- Access Controls: only authorized personnel have access to geolocation data, and only for specific job-related purposes. e4cars may share data with trusted service partners who assist in providing e4cars services, subject to strict confidentiality and security obligations.
- Security Audits: regular security audits are conducted to identify and mitigate potential risks.
- Storage: personal geolocation data is stored in a separate database to ensure security and privacy, and deleted after 90 days.
3.3.4. User Controls
Users have the right to control the collection and storage of their geolocation Data. They can:
- Access their Data: request access to the geolocation Data e4cars has collected.
- Rectify or Delete: request rectification or deletion of their geolocation Data.
- Disable Collection: disable the collection of their geolocation Data through the settings of their device.
3.3.5. Data retention period
The geolocation data will be retained for as long as necessary to fulfill the purposes outlined in this Privacy Policy, or as required or permitted by law. The retention period may vary, but e4cars commits to not retaining the geolocation Data longer than necessary. For example, precise geolocation Data at the delivery or pickup is retained for a period up to one year after collection.
3.3.6. Geolocation API
(i) Google
e4cars uses the Geolocation API(s), therefore e4cars is bound by the terms of their Agreement with Google. Subject to the terms of the Agreement, e4cars must not prefetch, index, store, or cache any Content except under the limited conditions stated in the terms. By using e4cars, users are also bound by Google Privacy Policy.
Note that the place ID, used to uniquely identify a place, is exempt from the caching restrictions. The place ID is returned in the `place_id` field in Geolocation API responses.
(ii) Mapbox
e4cars uses Mapbox, therefore e4cars is bound by the terms of their Agreement with Mapbox. By using e4cars, users are also bound by Mapbox Privacy Policy.
4. Security and Confidentiality
4.1. Protection of the information
e4cars takes reasonable precautions to secure Personal Data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access. These precautions include technical, physical and organizational security measures, such as measures to prevent unauthorized access. The applicable measures are kept confidential but are duly documented in IT and risk management policies adopted by e4cars.
4.2. Data retention period
The information Processed is only retained as long as it is needed. For example, e4cars uses the information to provide services and to comply with legal obligations. When the information is no longer needed, it is deleted within a reasonable time period.
However, the Data may be retained for a longer period in the following cases:
- For one year for the purpose of proving the performance of services, if it is not possible to provide this proof by other means;
- In the event of a dispute over the services performed, until the dispute is resolved.
5. Transfer of Personal Data
5.1. Transfer of Personal Data
e4cars Processes and shall cause Third Parties to Process Personal Data in adequate jurisdictions as defined in Applicable Data Protection Law(s). If the Processing involves a transfer of Personal Data to a country outside the European Union and which is not covered by one of the exceptions provided for in Applicable Data Protection Laws, e4cars undertakes to secure the transfer by one of the following mechanisms:
- Standard Contractual Clauses approved by the European Commission (such as Standard Contractual Clauses for Data Controllers 2004/915/EC or Standard Contractual Clauses for Data Processors 2010/87/EU or any subsequent version);
- Binding Corporate Rules: in case the Third Parties concerned have adopted EU Binding Corporate Rules that cover the Personal Data that Third Parties Process.
- Any other mechanism officially recognized by Applicable Data Protection Laws as ensuring an adequate level of protection of Personal Data.
For example, only for the purpose of performing the transport service, customer contact information is accessible to the subcontractor carrying out the service.
3.2. Third-Party Data Receipt
e4cars receives certain Data from third parties. Below is described the category of these third parties.
- Authentication Partners : if you sign up or log in to the e4cars service through another service, that service will provide e4cars with your information. This information helps us create your account in e4cars’ system.
6. Contact, Questions & Complaints
To exercise your rights, express a concern, raise a question, make a complaint, or to obtain additional information about the Processing of your Personal Data by e4cars, you may send an email to the following address: data.privacy@e4cars.com, accompanied by a valid proof of ID (unless the Data Subject is a e4cars employee).
You can also contact the Data Protection Officer Gabriel Allaigre at gabriel.allaigre@e4cars.com.
e4cars undertakes to respond to your request within a reasonable time, up to 3 months, depending on the complexity of the request and/or of the number of requests it receives. In case of dispute, the Data Subject may lodge a complaint with the local Data Privacy Regulatory Authority (in France, the CNIL).
7. Changes to this Policy
e4cars may modify this Data Privacy Policy from time to time to reflect its current privacy practices. When we make changes to this statement, we will revise the “updated” date at the top of this document. We encourage you to periodically review this Privacy Policy to be informed about how e4cars is protecting your Personal Data.