Aroute Privacy Policy

§1. Data Controller

The data controller is:

§2. Definitions

1. Aroute Platform – a web application (PWA) and iOS mobile application for maintaining vehicle mileage records.
2. Organization – a business entity that has entered into a service agreement with the Controller.
3. Driver – a user assigned to an Organization, recording trips.
4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.

§3. Roles in Data Processing

3.1. Controller as Data Controller

The Controller (Emversa) is the data controller within the meaning of GDPR with respect to:

• data of Organization Administrators (management accounts),
• Organization contact data,
• marketing data (newsletter, consents),
• contact form data.

3.2. Controller as Data Processor

The Controller (Emversa) acts as a data processor within the meaning of Art. 28 GDPR with respect to:

• Driver data processed on behalf of the Organization,
• Driver trip and location data.

In this scope, the Organization is the data controller for its Drivers' personal data, and Emversa processes data based on the Data Processing Agreement (DPA).

3.3. Organization's Information Obligation

The Organization, as the data controller for Drivers' personal data, is obligated to fulfill the information obligation towards Drivers pursuant to Art. 13 GDPR before they start using the Platform.

§4. Categories of Processed Data

4.1. User Account Data

4.2. Organization Data

4.3. Trip Data

4.4. GPS Checkpoints

When GPS points are collected:

• At trip start
• Every 5 minutes during active trip
• Every 250 meters of movement
• At trip end
• Backbuffer (up to 5 minutes before trip confirmation in auto-trip mode)

Note: GPS points are NOT collected in manual entry mode.

§5. Purposes and Legal Bases for Processing

5.1. Contract Performance (Art. 6(1)(b) GDPR)

• Creating and managing user accounts
• Recording trips and maintaining mileage records
• Managing vehicles and drivers
• Generating reports (Vehicle Mileage Log, Reimbursement Summary) and exports
• Processing reimbursement claims
• Subscription management
• Customer support
• Sending email invitations
• Sending authentication emails

5.2. Legal Obligation (Art. 6(1)(c) GDPR)

• Tax documentation (EU VAT ID)
• Invoice data retention (5 years from end of tax year per Polish tax law). Customers are responsible for retaining invoices according to their local tax requirements.
• Mileage records for VAT purposes
• VAT verification data retention

5.3. Legitimate Interest (Art. 6(1)(f) GDPR)

• Abandoned registration recovery (lead capture)
• Service improvement and analytics
• Security monitoring and fraud prevention
• Fleet map visualization (paid feature)
• Speed analytics and trip statistics (paid feature)
• Mileage gap and discrepancy detection

5.4. Consent (Art. 6(1)(a) GDPR)

• Marketing email communication (optional checkbox)
• Analytics cookies (cookie banner)
• GPS checkpoint collection
• Auto-trip detection
• Contact form processing

§6. Data Processors (Sub-processors)

The Controller uses the following data processors:

§7. Data Transfers to Third Countries

Some data processors may transfer data outside the European Economic Area:

In case of data transfer to third countries, appropriate safeguards are applied pursuant to Chapter V of GDPR.

§8. Data Retention Periods

8.1. Active Accounts

8.2. After Subscription End

Voluntary cancellation:

• Grace period: 90 days from end of paid period
• During grace period: All data preserved, export available
• After grace period: Organization deactivated, data preserved per legal requirements

Non-payment:

• Immediate access suspension
• Data preserved for 30 days
• After 30 days: Organization deactivated

8.3. Account Deletion (GDPR Right to Erasure)

• Personal data: Deleted
• Trip and GPS data: Deleted
• Invoice data (VAT ID, address): Retained 5 years from end of tax year (Polish tax law). Customers are responsible for retaining invoices according to their local tax requirements.

8.4. Registration Leads

• Completed registrations: Converted to user account
• Abandoned registrations: 30 days, then soft delete

8.5. Contact Inquiries

• Active: Until inquiry resolution
• Resolved: Deleted after resolution

§9. Data Subject Rights

9.1. Rights Implemented in Platform

9.2. Rights Requiring Manual Process

9.3. Special Notes

• Invoice data: Retained 5 years from end of tax year per Polish tax law, even after account deletion request. Customers are responsible for retaining invoices according to their local tax requirements.
• Anonymization: Preferred over deletion when legal retention is required

§10. Data Security

10.1. Technical Measures

• Encryption in transit: TLS/HTTPS for all communication
• Encryption at rest: Database encryption (Supabase)
• Password hashing: bcrypt via Supabase Auth
• Data isolation: Row-Level Security (RLS) at database level
• Access control: RBAC (Driver < Administrator)

10.2. Organizational Measures

• Least privilege policy: Users have access only to necessary data
• Webhook verification: Stripe and Supabase signature verification
• Rate limiting: Implemented at edge level (Vercel)

§11. Cookies

Detailed information about cookies is contained in the Cookie Policy available at: aroute.eu/cookies.

§12. Data Breach

12.1. Supervisory Authority Notification

In case of a personal data breach that may pose a risk to the rights and freedoms of natural persons, the Controller will notify the competent supervisory authority within 72 hours of breach detection.

12.2. Data Subject Notification

If the breach may pose a high risk to the rights and freedoms of natural persons, the Controller will notify affected data subjects without undue delay.

§13. Minor's Data

1. The Aroute Platform is intended exclusively for business users (B2B). Organization account registration and the Administrator role requires being of legal age (18 years old).
2. A Driver on the Platform may be a minor (16-17 years old) if they are legally employed by the Organization and hold appropriate driving licenses in accordance with applicable national law.
3. In the case of minor Drivers, the Organization (as the data controller for its employees' personal data) is responsible for:
   • obtaining all required consents from parents or legal guardians in accordance with labor law provisions,
   • fulfilling the information obligation towards the minor and their legal guardians,
   • ensuring data processing compliance with regulations concerning the employment of minors.
4. Emversa does not direct marketing services or direct communication to minors.

§14. Do Not Track Signals

The Platform does not respond to "Do Not Track" (DNT) signals sent by web browsers. Users may manage their tracking preferences through cookie settings available in the Platform and in the cookie policy.

§15. Automated Decision-Making

The Platform does not use automated decision-making, including profiling, as referred to in Art. 22(1) and (4) of GDPR, which produces legal effects or similarly significantly affects users. All decisions regarding trip approvals, reimbursement claims, and similar matters are made by authorized users (Organization Administrators), not by algorithms.

§16. Changes to Privacy Policy

1. The Controller reserves the right to change this Privacy Policy.
2. Users will be notified of changes by email at least 14 days before the changes take effect.
3. The current version of the Privacy Policy is always available at: aroute.eu/privacy.