Privacy Policy

Please read with understanding before using our services

This Privacy Statement aims to clarify what personal data we process, why we process it, who receives your data, and how you can exercise your legal rights under the Personal Data Protection Law of the Kingdom of Saudi Arabia (PDPL).

In this Privacy Statement, “personal data” means any information which directly identifies you as a person (like the combination of your full name and address), or can be used to identify you as a person (like a user ID connected to your identity). Similarly, “processing” refers to any operation performed on your personal data, for example, the collection, storage, use, disclosure, or destruction of your personal data.

1. Who are we and how can you reach us?

We are HungerStation LLC and we are located at King Abdulaziz Road, Alyasmin, Riyadh, Saudi Arabia.

With regard to your privacy, it is us who decide how and for what purposes your personal data is processed. In data protection language that makes us a so-called “data controller” (the party responsible for how your personal data is processed).

If you have any questions related to how your personal data is processed, you can contact us at [email protected]. If you would like to reach our data protection officer, please contact [email protected].

2. What categories of personal data do we process?

When you use our platform, we process personal data actively provided by you, collected from your device when you interact with us, or obtained from third parties. Broadly speaking we will process the following categories of personal data:

Account data

including your name, email address, password, telephone number, country, user ID, language, communication, and other profile settings

Order and delivery data

including delivery details (e.g., delivery address, date and time of the delivery, type of collection), order IDs, order history, product names and quantities

Location data

including address, postcode, city, country, longitude and latitude

Device information

including device ID, IP address, session information, device configuration settings, operating system, platform interactions such as items added to the cart, and other data obtained through web-trackers (e.g. cookies, SDKs, pixels)

Payment data

including debit or credit card data, payment method data, payment amount, payment recipient details, refund details, and bank receipts

Customer support data

including the content of your customer support requests, responses from our customer care teams, and images attached

You can find all the details about how we process your personal data below.

3. What do we do with your personal data?

A. When you create an account

● Account Creation

When creating a customer account we need to process your account data such as your name, email address, telephone number, country, and language. Once you have created an account, we will assign you a unique user ID. This measure will allow us to recognize you in our system without needing to use all of your account-related information. This ID cannot be used by any outside parties.

The information we request during the account creation process is necessary to take the first step in establishing a customer relationship with you so that we can provide you with our services.

The legal basis for this processing is our and your legitimate interest in concluding an agreement on the provision of our delivery services to you (Art. 6 (4) PDPL, comparable to entering into a contract under Art. 6(1)(b) of the EU GDPR).

We store this personal data as long as you remain our customer and in the ordinary course of things we delete it when you close your account, or after 3 years of inactivity, unless statutory legal requirements mandate longer retention.

● Managing Your Profile

You can access your profile at any time to make changes, provide additional information about yourself, or view your previous orders. Your data is also processed to administer your profile, which includes tasks such as ensuring the accuracy of your personal details, processing any modifications you make, and managing technical issues you might have.

The information we process about you for this purpose includes account data, order and delivery data, payment data, and device information.

Managing and administering your profile is a fundamental function of our platform. Without this process, we cannot provide our services to you. Therefore, the legal basis for the SSO process is the performance of the existing user agreement between you and us, under the applicable terms and conditions (Art. 6 (2) PDPL, also known as performance of contract under Art. 6(1)(b) of the EU GDPR).

We store this personal data as long as you remain our customer and in the ordinary course of things we delete it when you close your account, or after 3 years of inactivity, unless statutory legal requirements mandate longer retention.

B. When you browse our corporate website or platform

● Cookies and Web Tracking Technologies

We use web tracking technologies (e.g., cookies, SDKs, measuring pixels) when you browse our platform, whether you are a customer or a visitor. These technologies enable us to facilitate the functioning of our platform, improve its performance and security, or understand how our users interact with our platform. In addition, these technologies allow us to deliver customized content or targeted advertising to our users.

Cookies and web tracking technologies may be used to collect data that we classify as device information, including your device ID, IP address, session information, preferences such as language settings, platform interactions such as items added to the cart, platform performance analytics, and crash reporting.

The legal basis for the use of these technologies is our legitimate interest in keeping our website and platform secure, see Art. 6 (4) PDPL.

● Personalized Content and Suggestions

When you browse our platform, we show you a variety of vendors and products. We may customize the content on our platform so that you are shown vendors who are close to you, who you have ordered from in the past, or products we believe may be of interest to you. To make this feature available, we need your account data, location data, order and delivery data, and device information.

This process may involve customer segmentation based on the data we collect from you. Additionally, we can make predictions about our customers’ demographics (e.g., age, gender) or consumption preferences. As a result, our suggestions may highlight specific products or cuisines, such as Italian restaurants, or vegan products.

Please note that these processes will not have a legal or similar significant effect on you. The only result of this process will be that you will receive suggestions about products or vendors that match your interests and food preferences.

Our activities within personalized content and suggestions form the core of our platform, without which we could not offer you relevant products and therefore we would be unable to facilitate a ground for entering into a contract with you. We would like to highlight that personalized content that is shared in this context is separate from the marketing initiatives carried out on our platform.

The legal basis for processing your data for the purpose of suggesting products and vendors is ‘performance of a previous agreement’ under Art. 6 (2) PDPL. Additionally, we rely on ‘legitimate interest’ under Art. 6 (4) PDPL for customer segmentation.

We will process the data we process for this purpose for the same duration as your other account data.

C. When you place an order

● Shopping Cart and Storing the Added Items for Later

Once you log in to your profile and select items, they will be saved in your cart. Even if you close your browser or app, you can continue your order from where you left off. To make this feature available on our platform, we process your account data, device information, and order and delivery data.

The shopping cart function is essential to our platform as it enables us to receive and process your order. Without it, we would not be able to enter into a contract with you.

The legal basis for this processing is 'performance of a previous agreement' under Art. 6 (2) PDPL.

This data is deleted as soon as we no longer need it, such as once you place your order or soon after you have removed everything from your shopping cart.

● Order Processing

Once you have successfully registered to our platform, you can place your order. To process the order you placed on our platform, we need to receive your personal data.

To process your order, we need your account data as well as your order and delivery data including your address, postcode, city, country, longitude and latitude, order ID, your order instructions, product names and quantities.

This information is necessary for us to forward your order for the following steps to ensure the successful delivery of your order. Without this information, we would be unable to take necessary steps to fulfill our contractual obligations to you.

The legal basis for this processing is ‘performance of a previous agreement’ under Art. 6 (2) PDPL.

We will process the data we process for this purpose for the same duration as your other account data.

● Invoicing

If you decide to proceed with your order, we will need to receive the payment for the items you have selected.

When you place an order and select a payment provider, your information will be shared with your selected payment provider to initiate the payment process. As a customer of these payment providers, you can find information on their privacy practices in their separate privacy statements.

Following the payment for your order, we are legally required to provide you with an invoice. To fulfill this requirement and to facilitate your payment, we need to process your account data, order and delivery data, and payment data including payment method data, payment amount, payment recipient details, refund details, and bank receipts.

In some cases, the vendor (e.g. restaurant, shop) that receives your order is responsible for issuing an invoice to you. In this case, personal information necessary to meet the invoicing requirements under applicable law is shared with the vendor for the sole purpose of issuing an invoice.

The legal basis for this processing is ‘legal obligation’ under Art. 6 (2) PDPL.

We store this personal data for 10 years after the invoice date.

● Saving your Payment Methods

In order to make the ordering process even more convenient for you, our platform offers you the option to save your preferred payment method. This means that, if you choose to save your payment method, you will not have to re-enter your payment details the next time you need to make payments on our platform.

The information you can save within this feature is payment data including your name, debit or credit card data, payment method data, payment amount, payment recipient details, refund details, and bank receipts.

The legal basis for this processing is ‘consent’ under Art. 5 (1) PDPL.

We will keep this personal information for as long as you choose to share it with us.

D. When we deliver your order

● Preparing Your Order

After receiving your order, we share your order data with the vendor (e.g. restaurants, shops) preparing your order. We minimize the information we share with our vendors so that they only see the information necessary to process your order and hand the order over to couriers. The data we share with the vendors include order and delivery related data. In addition, vendors may use our platform’s chat feature or call you by phone to contact you in exceptional cases such as if the items you ordered are out of stock.

As the preparation of your order is a fundamental part of the services provided on our platform, the legal basis for this processing is ‘performance of a previous agreement’ under Art. 6 (2) PDPL.

● Delivering Your Order

Once your order has been prepared by the vendor, it is handed over to couriers (also called “riders”) who are responsible for delivering your order. In order to enable the delivery of your order, and thus fulfill our contractual obligations to you, we need to process your personal data and share some of that data with the rider who will deliver your order.

This data includes your delivery related data such as your name, telephone number, and delivery address. In addition, riders may use our platform’s chat feature or call you by phone to contact you if there are any exceptional delivery-related issues such as if the rider needs assistance during the delivery process. We will always ensure that the rider receives as little information about you as possible.

As the delivery of your order is a fundamental part of the services provided on our platform, the legal basis for this processing is ‘performance of a previous agreement’ under Art. 6 (2) PDPL.

In some cases, our riders will be asked to provide proof of delivery. This proof of delivery may include details such as the time and date of delivery, your name, and in some cases, a signature or photo as evidence. In case of any disputes or issues, having this information helps us investigate and resolve matters efficiently, providing you with a higher level of customer satisfaction.

The legal basis for proof of delivery is ‘legitimate interest’ under Art. 6 (4) PDPL.

We will process the data we process for this purpose for the same duration as your other account data.

● Customer Care

In case you have questions or issues regarding your order, depending on the nature of your request, we will need your account data, order and delivery data, delivery related data, payment data, and the data you share with us when submitting your request. This information allows us to understand the specifics of your order, enabling us to provide you with relevant and accurate assistance.

As part of our customer care service, we may use automation for certain functions. For example, actions such as canceling your order or changing delivery instructions may be automated. In addition, our support agents may utilize algorithmic decision making processes for the purpose of calculating compensation for any issues you may experience, and for issuing a refund or voucher.

We may use artificial intelligence technology such as chatbots powered by large language models as part of our customer care processes. When we do so, we will ensure that we remain the controller of your data and that your data is not shared with third parties to train their AI models.

As resolving your issues is an essential part of the complete fulfillment of the service we provide to you, the legal basis for processing your data for this purpose is ‘performance of a previous agreement’ under Art. 6 (2) PDPL.

We will keep the data we process within the customer care center feature for the duration of the statutory limitation periods for legal claims in your jurisdiction (which might range from 3 up to 6 years).

● User Reviews

Once your order has been delivered, you can rate and review the vendor you have ordered from. In this case, your first name will be displayed on our platform next to the content of your review. For this purpose, your account data and the content of your review will be processed.

The legal basis for this processing is ‘consent’ under Art. 5 (1) PDPL.

We will keep your reviews for as long as you choose to share them with us. If you no longer wish your review to be available, you can delete it at any time.

E. When we promote our platform or vendor services

● App/SMS Notifications and Email Newsletters

We may send you in-app or push notifications, as well as newsletters via email, or text messages informing you about new restaurants, offers and promotions on our platform. We use a range of criteria to ensure that the content we provide is similar to the products you have previously ordered. As such, these communications may emphasize specific products or cuisines, such as sushi deals, or vegan products.

To make this possible, we use your account data, location data, as well as order and delivery data. This information enables us to promote products and services available on our platform.

You are always free to opt-out from such communications. To ensure we comply with your choice to opt-out, we will keep your contact details on a separate list of customers who prefer not to receive direct marketing communications. In this case, we will unsubscribe you from customized communications and you will not receive such communications in the future.

The legal basis for this processing of your data for the purpose of sending app notifications and email/sms newsletters is ‘consent’ under Art. 5 (1) PDPL.

We will process the data we process within this purpose for the duration of your account with us. We will store the information on whether you have opted in to or out of receiving such communications for the duration of the statutory limitation periods for legal claims in your jurisdiction (which might range from 3 up to 6 years).

● Incentives

We use a variety of incentives to make our platform more attractive to you and to ensure that you enjoy all the advantages that our platform has to offer. These incentives include a customer referral program (i.e., Refer a Friend), vouchers, customer competitions, and bonus programs.

When you use vouchers on our platform, we may process your account data, and the associated discount or promotion. We process this data to apply the voucher to your order, and ensure the proper functioning of this feature.

Our "Refer a Friend" program allows you to invite your friends to our platform and earn rewards. As part of this program, we may process your account data, the associated discount or promotion, and a record of the connection between participants.

When you participate in user competitions or bonus programs on our platform, we may process your account data, data relevant to the program, including your status, points and rewards earned. This data is processed to administer those programs and grant you prizes or discounts.

The legal basis for these processing activities is 'performance of a previous agreement' under Art. 6 (2) PDPL. We use this data for the purpose of providing you with discounts and promotions as part of our services.

We store this personal data as long as you remain our customer and in the ordinary course of things we delete it when you close your account, or after 3 years of inactivity, unless statutory legal requirements mandate longer retention.

● Online Marketing

We utilize marketing processes to reach as many potential customers as possible. These processes encompass a range of marketing strategies, including targeted advertisements, both on our own platform and on online media properties (e.g., websites, social platforms) owned and operated by third-party publishers.

For this purpose, we process account data, location data, order and delivery data, and device information such as session information, your configuration settings, platform interactions such as items added to the cart, and data obtained through web-trackers (e.g. cookies, SDKs, pixels).

When we perform targeted advertisements for our platform, we use customer segmentation based on the data we collect from you. This segmentation may include predictions about our users’ demographics (e.g., age, gender) or consumption preferences. These insights are typically aggregated and pseudonymized, which means that we cannot identify you individually. We use these insights when defining our online marketing strategies.

Your prior explicit ‘consent’ under Art. 5 (1) PDPL is requested to show you our online targeted advertisements. If you do not consent to personalized online advertisements, please note that you may still receive ads related to our service and products. However, these ads will be generic and not result from specific targeting processes.

We will keep this personal information for as long as you choose to share it with us but in any case we will delete the data we process within this purpose after deletion of your account.

● Helping Business Advertising Partners Promote Their Goods and Services on Our Platform

We display various types of advertisements on our platform. Our objective is to provide you with advertisements that are truly relevant to your interests and that add value to your online experience. For this purpose, we process account data, location data, order and delivery data, and device information.

To ensure the relevance of ads, we may use user segmentation involving automated processing of your personal data. Additionally, we may make predictions about your demographics (e.g., age, gender) or your consumption preferences. These processes will not have a legal or similarly significant effect on you. The only result of this process will be that you will receive advertisements that match your interests and food preferences.

Using these insights, our platform may display both our own ads and ads from third parties (such as restaurants and food brands). These ads may take the form of standard display ads, 'featured restaurants' that appear on top of a list, or special promotions that offer you limited time deals.

We do not share your personal data with third parties who promote their products on our platform. However, in some cases, we can share advertising performance insights with these third parties. These insights are typically aggregated and anonymized, ensuring that your personal data remains protected. These insights may relate to the effectiveness of their advertisements, such as the number of clicks or engagement metrics.

We ask your “consent” under Art. 5 (1) PDPL in order to show you personalized advertisements. If you do not consent to personalized advertisements, please note that you will still receive ads, however, they will not be tailored to your personal interests.

We will keep this personal information for as long as you choose to share it with us but in any case we will delete the data we process within this purpose after deletion of your account.

● Social Media Pages

We maintain profiles on various social media platforms through which we advertise our products and engage with customers. When you visit our pages on social media platforms such as Facebook and Instagram, the operators of these platforms process your personal data, as explained in their own privacy statements. For Facebook and Instagram the data controller is Meta Ireland Ltd. (“Meta”).

Meta provides us with aggregated statistics and insights about our social media pages, allowing us to understand the types of actions users take on their pages. Please be informed, however, that we at no point can attribute any page visit or other interaction to individual social media profiles.

In terms of collecting your personal data on our social media pages and analyzing the user interactions, both we and the respective operators of the social media platforms (such as Meta) act as joint controllers. To formalize this arrangement, we have entered into joint controller agreements with these operators.

For Facebook and Instagram, the following links will show you exactly which data is collected by Meta and how you can exercise your data subject rights in connection with the user insights:

Meta Privacy Policy

Meta Controller Addendum

The legal basis for processing of your data for the purpose of engaging with users and utilizing user insights is ‘legitimate interest’ under Art. 6 (4) PDPL.

F. When we ensure the security of our platform

● IT Infrastructure, Database Hosting, and Systems Security

We use state of the art servers, network equipment and cloud services to deliver our platform, to ensure high performance and uninterrupted service. All types of personal information you provide and the information we collect about you is stored and protected within the secure environment of our platform. We also use tools such as 2-factor authentication, endpoint security detection, traffic monitoring, backup systems and data loss prevention solutions to keep your data secure at all times.

The legal basis for processing your data for the purposes of hosting and ensuring the security of your personal data is ‘legitimate interest’ under Art. 6 (4) PDPL.

We delete daily backups after 90 days.

● Fraud Detection and Prevention

One of our main priorities is to provide you with a secure platform and a safe ordering experience. Part of achieving this goal involves implementing proactive measures to detect and prevent fraudulent activity.

For this purpose, we process your account data, payment data, location data, device information, and order and delivery data such as invoices, order IDs, successful orders and canceled orders.

To achieve effective fraud detection and prevention, we use this data to apply state-of-the-art fraud detection and prevention measures, which may include algorithmic decision making and machine learning processes. These measures include fraud scoring and flagging, transaction analysis, user behavior modeling, and, in confirmed cases, automated account suspension and blocking. Our fraud assessments will be based on your previous behavior and also sometimes information obtained from third parties (e.g. when you use a credit card which has been reported as stolen by its owner).

We work with Mastercard for the purposes set out in this section, and in particular in our efforts to improve order acceptance on our platform. In the course of our work, we may exchange personal data with Mastercard. For details on how Mastercard handles your personal data and your data subject rights when they act as a data controller, as well as Mastercard's binding corporate rules under Art. 47 GDPR, please see the link below:

Mastercard Ekata Global Privacy Notice

If any such decision (i) results in a negative, legally binding outcome for you, (ii) similarly significantly affects you, or (iii) you believe there has been an error, you can contact our customer care team. In this case, we will individually assess the circumstances of your case.

The legal basis for processing your data for the purposes of fraud detection and prevention is ‘legitimate interest’ under Art. 6 (4) PDPL.

We will keep the data we process within fraud detection and prevention purposes for the duration of your account and, after closure, for as long as it is required to clarify if your account is linked to any other fraudulent activity on our platform. This time period will vary depending on the activity in your account. If you are a trusted customer, we will delete your data, as it is no longer required.

G. When we improve our services

● User Surveys and Interviews

We are always aiming to improve our services, and your valuable feedback is an important part of that process. As such, we sometimes include surveys in our newsletters, asking for your feedback or inviting you to a user experience interview.

For the purposes of user surveys and interviews we process your account data, order and delivery data, device information, and the content of your feedback. We also record your usage behavior as part of the user interviews.

Participation in the surveys and interviews requires your ‘consent’ under Art. 5 (1) PDPL. After you provide your consent to participate in our user surveys, we will contact you through your preferred communication channels, which may include email, SMS, or social communication platforms such as WhatsApp.

If you have already given your consent and would like to revoke it for the future, please let us know by contacting us. In this case we will exclude you from participating in interviews and ensure that you don't receive any further invitations.

We will keep the data we process within user surveys and interviews for as long as you grant us consent to do so. At the latest, when you delete your account, we will consider your declaration of consent to have been withdrawn.

● Data Analytics

We perform data analytics to improve our platform in terms of user experience, product development, pricing, promotions, and customer engagement. For instance, to analyze and optimize our user experience, we may show our customers different versions of our platform interface in the context of so-called A/B testing. Analyzing how users interact with different versions enables us to define which version performs better. Similarly, by analyzing customer responses to different pricing models, we are able to determine the right pricing strategies.

To achieve this, we process order and delivery data, and device information. These insights are typically aggregated (meaning processed fully anonymously, so you can never be identified as a person by anybody) or pseudonymized (meaning it will be very hard to identify you as a person).

The legal basis for processing your data for this purpose is ‘legitimate interest’ under Art. 6 (4) PDPL.

● Business Intelligence, Insights & Group-level Statistics Reporting

We process customer data in an aggregated form to identify market trends, and make informed decisions about our market strategy. This analysis involves processing various types of data, including account data, device information, as well as order and delivery data.

Utilizing this data, we create statistical reports at group level, such as our market statements and trading updates. Creating business insights and statistical reports allows us to draw meaningful conclusions from a wide range of customer interactions.

Similarly, as part of our business intelligence, we provide our vendors (e.g., restaurants, shops) with access to certain general information regarding sales and engagement rates (so-called vendor insights). These insights are generated by aggregated analysis of the order and delivery data and device information of our users. The purpose of this analysis is to provide vendors with recommendations to improve their services. For instance, vendor insights provide information on potential reasons why users might have chosen a different vendor. The insights are aggregated and anonymized, which means that vendors cannot identify users individually.

The legal basis for processing your data for this purpose is ‘legitimate interest’ under Art. 6 (4) PDPL.

H. When we are required to comply with laws and regulations

● Legal Proceedings and Authority Requests

As with any organization, there are instances when we are required to share personal data with public authorities. Additionally, there might be instances where we have to process your personal data to initiate or defend legal claims and uphold our rights and interests. For this purpose, we may disclose and process certain data we hold about you, to the extent strictly necessary to conclude these legal proceedings and investigations.

The legal basis for processing your data for complying with public authority requests is ‘legal obligation’ under Art. 6 (2) PDPL; and for initiating and defending legal claims is ‘legitimate interest’ under Art. 6 (4) PDPL.

We retain this information for as long as necessary to comply with legal obligations related to ongoing proceedings and investigations. After the final closing of the respective legal proceedings we will delete your data immediately.

● Responding to Data Subject Requests

Data protection laws grant you various legal rights. We are committed to respecting them at all times. When you exercise these rights, we must process your data to effectively address your request. For instance, if you choose to exercise your right to access, we need to gather all of the information we hold about you to meet our obligation to provide a response. To achieve this, we may process any type of data we hold about you, only to the extent necessary to comply with our obligations.

The legal basis for processing your data for complying with data subject requests is ‘legal obligation’ under Art. 6 (2) PDPL.

We retain this information for as long as necessary to comply with our legal obligations.

4. Who will receive your data and under what circumstances?

You can trust that, within our company, access to your personal data is given only to those staff members who need it in order to fulfill their professional duties, such as providing you with a great online experience, or looking into your support request. In certain scenarios, we also need to share your personal data with recipients outside of our company. Please be assured that your data is shared with these recipients only to the extent necessary for the specified purposes and only as we are legally permitted to do so.

In addition to sharing data with the parties already specified above, we will only share your data as follows:

A. Delivery Hero group companies

We are part of an international group of companies with legal entities in many parts of the world, including our group’s headquarters located with Delivery Hero SE in Berlin, Germany. To utilise our resources efficiently and ensure that our business processes function properly, we utilise our group-wide shared technological support services that sometimes necessitate sharing personal data with our parent company, Delivery Hero SE, or with the locations of our global tech hubs. In certain situations, we might also share limited data with other group companies, for example, to assist with payment collection or to implement security measures.

Delivery Hero group companies are bound by strict intra-group data transfer agreements ascertaining compliance with data protection requirements whenever sharing personal data with group companies. The legal basis for these transfers is Art. 29 (1)(d) PDPL (in conjunction with Art. 2 (4)(a) of the Implementing Regulations), as they are required for carrying out our commercial activities, including our central management operations.

B. Data processors

We use various third-party service providers to perform our operations. Many of these providers process your personal data as so-called “data processors”. This means they are only allowed to process your personal data under our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. Our processors are strictly monitored and we only engage processors who meet our high data protection standards. The main data processor for cloud technology on our platform is our group’s headquarters located with Delivery Hero SE in Berlin. Delivery Hero SE provides us with a wide range of technology services, such as cloud hosting, platform security, marketing or customer relationship management tools.

Delivery Hero SE will also use data processors (as so-called “sub-processors”), as follows:

Our user platforms and databases run on cloud resources provided by the EU subsidiaries of Google Cloud Platform and Amazon Web Services. We use marketing and communications tools by companies such as SalesForce or Braze. If you would like to request the full list of recipients of your personal data, you are free to do so at any point in time.

C. Other third parties and service providers

In addition to data processors, we also work with third parties, with whom we share your personal data, but who are not bound by our instructions and instead will process your data independently. These may be our consultants, lawyers or accountants who receive your data from us under a contract and process your personal data for legal reasons, or to protect our own interests. Under no circumstances will we sell or rent your personal information to third parties without your explicit, informed consent.

D. Mergers & acquisitions, change of ownership

In the event of a merger with, or acquisition by, another company or group of undertakings, we may need to disclose limited information to that company and their advisors who are under professional obligations to maintain the confidentiality of your personal data. This may occur in circumstances such as mutual due diligence assessments and regulatory disclosures.

In any event, we will ensure that we only disclose the minimum amount of information necessary to conduct the transaction, while also carefully considering the feasibility of removing or anonymising any data that could identify individuals.

E. Prosecuting authorities, courts and other public authorities

From time to time we may be requested to disclose personal data to public authorities. In some circumstances, we may disclose personal data to public bodies in order to bring or defend legal claims, to protect our rights and interests, or to address security concerns.
Examples of such situations include cooperating in the detection and prevention of crime, responding to legal processes such as court orders or subpoenas, or sharing data with tax authorities for tax-related purposes. The public authorities involved in these scenarios may include law enforcement agencies, courts, tax authorities, or other government bodies.

5. How do we transfer your personal data to other countries?

We and the parties we share your personal data with may transfer personal data to countries other than the country in which you use our services. Where such transfers take place, we take appropriate measures to ensure that your data is always afforded an adequate level of protection in the countries to which it is transferred.

For example, if we transfer your personal data from a country within the European Economic Area (EEA) to a country outside of the EEA, we take appropriate safeguards to ensure that these transfers provide a level of protection that complies with data protection requirements. If there are specific further requirements of the law of the country in which you use our services, we will abide by them as well. Specifically, as far as transfers from the EEA to countries outside the EEA are concerned, we rely on a number of appropriate safeguards:

- Adequacy decisions by the EU Commission (also including the United States, to the extent recipients have certified under EU-US Privacy Framework or other applicable mutual agreement between the EU and the US);

- Standard contractual clauses mutually agreed in our contract with the data recipient (including any supplementary measures, if required).

- Further appropriate safeguards in accordance with Art. 46 GDPR (for example binding corporate rules).

If you would like to receive a copy of the appropriate safeguards securing the data transfer, please contact us.

6. What are your legal rights?

Under the data protection laws, you are entitled to the following rights:

Right to access

You have the right to access your personal data and obtain additional information on how we process it. You may also request a copy of your personal data.

Right to rectification

If you notice that your personal data is incorrect, you can always request that we correct it.

Right to erasure

You have the right to ask us to delete your personal data. Please note that even if you exercise this right, we may be required to retain some of your information if we process it as part of our legal obligations, or in pursuit of our own (or a third party’s) legitimate interests, such as the assertion of, or defense against legal claims, concluding customer care inquiries, preventing fraud or protecting ourselves or others against abusive behavior.

Right to restriction of processing

If you have requested the deletion of your personal data, but we are legally prevented from immediately deleting it, we will store your data in our archives and retain them for the sole purpose of meeting our legal obligations. However, you will not be able to use our services during this time, as this would require us to de-archive your personal data.

Right to data portability

You can ask us to provide you or another data controller with your personal data in a machine-readable format. However, please note that this right only applies to data that we process based on your consent.

Right to object

You have the right, for reasons arising from your particular situation, to object at any time to any processing of your personal data, which is processed on the basis of our legitimate interests. If you object, we will no longer process your personal data unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise, or defend against legal claims.

You also have the right to object at any time, without giving any explanations, to the processing of your personal data for the purposes of direct marketing (including any associated profiling).

Right of complaint

You can raise a complaint about our processing with the data protection authority in the country of your habitual residence, place of work, or the place where you think a violation of data protection laws has occurred. In the case of cross-border data processing, you can also lodge a complaint with our lead supervisory authority in Berlin, Germany.

Right not to be subject to a decision based solely on automated processing

You have the right to object to a fully automated decision (i.e. without any human intervention in the decision-making process) that has legal effects or significantly affects you.

To exercise your rights, we encourage you to use the functions available in your account at any time. For example, if you would like to delete your data, or receive a copy of it, you can directly do so by following the relevant steps in your profile. These self-service methods are designed to expedite the process of fulfilling your rights. Alternatively, you can also reach out to our customer care team to assist you.

7. How long do we keep your data?

We retain your personal data for as long as it is necessary to achieve the purposes we described above. The duration for which we retain your personal data is determined by factors such as the scope, nature and purposes of the personal data processing, and whether we have legitimate interests or legal obligations that require us to retain your personal data.

8. How do we use algorithmic decision making?

Some of our processes include the use of algorithmic decision making and machine learning. We consistently strive to implement methods that ensure a significant level of human oversight in the decision making process, enabling us to modify or reverse decisions as needed.

In many cases, the algorithmic decision making processes without human oversight will not have legal or similar significant effects on you. Where they do, we will ensure that you have the right not to be subject to the algorithmic decision making processes, unless those processes are authorized by applicable law or are necessary for the entering into or performance of a previous agreement. In these cases, you can always oppose the decision and request a human evaluation by contacting us.
For detailed information about the specific instances in which algorithmic decision making processes are used, please visit the sections above that explain how we use your personal information.

9. Changes to this Privacy Statement

We may update this Privacy Statement from time to time to reflect our new processes, new technologies, and legal obligations. We are committed to keeping you informed of any changes to our privacy practices, so we encourage you to review this privacy statement to keep updated.

Last modified: [v3.0 September 2024]