Privacy Policy

I. Introduction

This policy for the protection of personal data aims to inform our users, clients, and partners about how we, at “Carreta” Ltd., collect, use, or share the personal data that you provide to us or that we have otherwise obtained while carrying out our activities.

This policy has been prepared in accordance with the requirements for transparency under Article 13 and Article 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “Regulation 2016/679”), and other applicable acts of the European Union and the Republic of Bulgaria. Through this policy, we aim to inform you about our activities related to the processing of your personal data, the purposes for which they are processed, the measures and safeguards we take to protect the processed data, your rights, and how you can exercise them. The data protection policy adopted by “Carreta” Ltd. is associated with the General Terms and Conditions for the use of the mobile application CARRETA but is not part of them.

The policy for the protection of personal data applies to all activities and operations related to the processing of personal data that we carry out, as well as to all modules and functionalities of the mobile application CARRETA.

“Carreta” Ltd. declares that, while carrying out activities related to the administration, management, and maintenance of a mobile application for vehicles and drivers named CARRETA, as well as a website with the URL address: https://carreta.app, it strictly adheres to European and national legislation concerning the protection of personal data. It applies the appropriate technical and organizational measures to ensure an adequate level of data protection while complying with the following principles outlined in Article 5, paragraph 1 of “Regulation 2016/679”:

Principle of Legality, Fairness, and Transparency – Your personal data is processed lawfully, fairly, and in a transparent manner, only when one or more valid legal grounds are present, namely:

a) You have explicitly given consent for the processing of your personal data for one or more specific purposes.

b) Processing is necessary for the performance of a contract to which you are a party or for taking pre-contractual steps at your request.

c) Processing is necessary to comply with a legal obligation that applies to us.

d) Processing is necessary for the purposes of our or a third party’s legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms requiring the protection of personal data, especially when the data subject is a child.

When one or more of the above-mentioned grounds are present, we collect and process your data fairly and transparently, providing you with clear, accurate, and accessible information about the type of data we process, the purposes for which we process them, whether they will be shared with anyone and under what conditions, as well as what your rights are.

  1. Principle of “Purpose Limitation” – Your personal data is collected for specific, explicitly stated, and legitimate purposes and is not further processed in a manner incompatible with these purposes. Further processing for archiving in the public interest, for scientific or historical research purposes, or for statistical purposes is not considered incompatible with the initial purposes for which we have collected and processed your personal data.
  2. Principle of “Data Minimization” – The personal data we collect and process are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. We do not collect more personal data than we need, in line with the purposes for which we have gathered them.
  3. Principle of “Data Minimization” – The personal data we collect and process is appropriate, related, and limited to what is necessary in connection with the purposes for which they are processed. We do not gather more personal data than what is required, considering the purposes for which we have collected them.
  4. Principle of “Accuracy” – The personal data we collect, process, and store is accurate and kept up to date. We take all reasonable measures to ensure the timely deletion or correction of your inaccurate personal data, considering the purposes for which they are processed.
  5. Principle of “Storage Limitation” – We retain your personal data in a form that allows your identification for a period no longer than necessary for the purposes for which the personal data is processed. Your personal data may be stored for longer periods if we process them solely for archiving in the public interest, for scientific or historical research purposes, or for statistical purposes, provided that appropriate technical and organizational measures outlined in Regulation (EU) 2016/679 are implemented to ensure your rights are safeguarded.
  6. Principle of “Integrity and Confidentiality” – We process your personal data in a manner that ensures an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by applying suitable technical or organizational measures.
Definitions

For the purposes of this policy, the listed terms have the following meanings:

– “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

– “Processing” means any operation or set of operations performed upon personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

– “Register of personal data” means any structured set of personal data whose access is determined based on specific criteria, whether centralized, decentralized, or distributed according to functional or geographical principles.

– “Controller” means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or specific criteria for its designation may be provided for by Union or Member State law.

– “Processor of personal data” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

– “Recipient” means a natural or legal person, public authority, agency, or another body to whom the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities complies with the applicable data protection rules according to the purposes of the processing.

– “Third party” means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

– “Consent of the data subject” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of their personal data.

– “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

II. Data about the Controller and Contact Information

“Carreta” Ltd., hereinafter referred to as the Company, is a legal entity established in 2023, engaged in the administration, management, and support of a mobile application for vehicles and drivers named CARRETA, as well as a website with the URL address: https://carreta.app.

The mobile application CARRETA is designed for users — drivers, owners, and users of motor vehicles (MV), assisting and facilitating convenient and easy management of upcoming tasks and events related to driving and MV ownership.

The CARRETA mobile application provides functionalities enabling automatic validation of compulsory “Civil Liability” insurance, vignettes, annual vehicle inspections, and registered traffic violations of the users within the Ministry of Interior (MoI) system.

Additionally, the CARRETA mobile application offers its users additional modules such as: a Service Book (recording vehicle repairs and services), SMS parking, a digital wallet for cards, and validation of personal documents.

The Company’s registered office and management address are: Sofia, postcode 1172, Izgrev district, Dianabad residential area, block 15, apt. 2.

Requests to the Company as the data controller can be sent to the above address and may also be submitted to any of our offices.

You can also direct your inquiries to the following email address: support@carreta.app

III. Personal Data We Collect and Process. Legal Basis and Purposes for Processing Personal Data

When you register and use the CARRETA mobile application, you voluntarily and knowingly provide us with specific information about yourself. For various actions and the use of different functionalities within the CARRETA mobile application, we process the following personal data:

  • Data related to your physical identity – names, email address, phone number, and your Google, Apple, or Facebook account: You provide us with this information necessary for your initial registration and when logging into your user profile within the CARRETA mobile application, enabling us to identify you within the application.
  • Data related to your Personal Identification Number (EGN) and driver’s license number: You provide this data only if you wish to check for registered violations in the Ministry of Interior system under your name. If you do not wish to perform such checks, you should refrain from entering this information in your user profile. Information on the presence or absence of fines from the Ministry of Interior system is not stored by “Carreta” Ltd. through the mobile application.
  • Data concerning your plastic card number/barcode: You should provide this information if you wish to use our card wallet service.
  • Data related to your phone number and vehicle registration number: You provide this information if you wish to use our SMS parking service.
  • Vehicle data: This data should be provided if you are using the application’s “Service Book” functionality.
  • Vehicle registration number: This data should be provided if you intend to verify the validity of compulsory “Civil Liability” insurance, vignettes, or annual vehicle inspections.
  • Data related to physical identity – names, Personal Identification Number (EGN), date and place of birth, address, phone number, and email address: This information might be requested only if required to enter into or perform contracts and agreements on your behalf.

These details are collected for different purposes, such as user identification, service provision, and, when applicable, contractual obligations or agreements. Please note that certain information might not be necessary for specific functionalities, and users have the discretion not to provide such details if they choose not to use certain services or functionalities.

Through the CARRETA mobile application, we receive and process certain technical information about your IP address, MAC address, device name, as well as specific analytical data obtained using third-party analytical tools such as Google Analytics. These data are necessary and assist us in analyzing the functionalities utilized within the application. The collection of this data does not allow your identification as an individual user.

All data described above, excluding the technical information collected through analytical tools, is entered into the mobile application by you personally and is stored in your user profile until their removal or until the deletion of your user profile.

We process your personal data based on one or more legal grounds:

Your explicit informed consent – for example, when voluntarily entering data personally into your user profile, as well as when using certain types of “cookies” or other analytical tools. We process personal data based on your consent strictly in compliance with the conditions set forth in Article 7 of “Regulation 2016/679”, and only if the consent is freely given, specific, informed, and unambiguous. You can withdraw your consent at any time, completely free of charge, in one of the following ways: by submitting a written request sent to the management address of “Carreta” Ltd. and the following email address: support@carreta.app

The withdrawal of consent does not affect the lawfulness of the processing of personal data based on the withdrawn consent before its withdrawal and the processing of personal data for purposes that do not require consent, as provided for in this Policy. Withdrawing your consent may lead to the inability to use some features of the application or the need to delete the user profile entirely.

Our or a third party’s legitimate interest, except when your interests or fundamental rights and freedoms that require personal data protection take precedence over this interest – An example of our legitimate interest is evident in cases of detecting or preventing abuse, breaches of the application’s security, unauthorized access, improving and expanding the services we provide, asserting legal claims, legal proceedings, etc.

Compliance with statutory obligations – These obligations may arise from national legislative and sub-legislative acts, as well as from Union law.

Execution of a contract to which you are a party, or to take steps at your request before concluding a contract. An example of this is when you have completed your registration and agreed to our Terms and Conditions, as well as when you authorize us to conclude an agreement on your behalf with a third party, whether an individual or a legal entity (assignment agreement).

We process your personal data lawfully and fairly to achieve one or more of the following purposes:

  • To provide you with the services of the CARRETA mobile application, ensuring trouble-free use of all its functionalities by checking the validity of mandatory Civil Liability Insurance, Vignettes, Annual Vehicle Inspections, the presence of registered driver-user violations in the Ministry of Interior (MoI) system, Service Book (recording repairs and maintenance on vehicles), SMS parking, Digital wallet with card details, and the validity of personal documents.
  • To comply with national and international legislation.
  • To enhance what we have created by improving the services offered, developing new features and modules, and enhancing the application’s interface and security.
  • To protect our rights and legitimate interests.

After achieving the purpose of processing, your personal data contained in the databases and systems maintained by “Carreta” Ltd. is destroyed in accordance with the rules and procedures set out in the applicable legislative acts and our adopted internal rules and measures for the protection of personal data.

The CARRETA mobile application is designed to allow you to delete the personal information you have entered at any time. Once deleted from your user profile, the information cannot be restored by the administrator or any third party, and it is not stored or archived in the cloud infrastructure.

The CARRETA mobile application allows you to repeatedly enter and delete your personal data in your user profile according to your preferences for its use.

IV. Methods to collect and process your personal information and with whom we may share it

We gather and process information about you in various ways. In most cases, we obtain information directly from you during your registration and use of the CARRETA mobile application, through voluntary completion within your user profile.

You provide this information to us voluntarily and explicitly consent to us processing it. This information includes your name, email address, phone number, data about your car, insurance, comments, and any other information that you choose to provide us.

As mentioned earlier, we also receive technical information when you use the mobile application, such as data related to your IP address, MAC address, device name, as well as specific analytical data through the use of third-party analytical tools like Google Analytics. This information is necessary and helps us analyze the functionalities you use within the application. The collection of this data does not enable the identification of you as an individual user.

V. Whom do we share your data with

We do not provide your personal data to third parties/entities without your explicit consent, except when necessary to fulfill our legal obligation or when there is our legitimate interest or legal grounds for providing such data to third parties.

Outside the above cases, recipients of the data may include:

  • Governmental bodies and entities performing public functions within their competencies (e.g., National Revenue Agency, National Social Security Institute, Ministry of Interior, etc.) when there is a legal basis for it.
  • Accounting companies providing accounting services to the company based on a concluded explicit contract and agreement on the conditions for processing personal data.
  • Banks and financial institutions.
  • Courier companies and postal operators for the purpose of correspondence with individuals – data subjects.
  • Service providers (IT specialists, lawyers, etc.).

The provision of your information to third parties occurs only after a written agreement has been concluded with the third party regarding the conditions for processing personal data and the necessary protective measures.

The transmission of your data to natural and legal persons established outside the EU and EEA is carried out in compliance with the requirements outlined in Regulation (EU) 2016/679, namely: when the relevant country or international organization has an adequate level of protection established with a decision of the European Commission; in the presence of an alternative legal mechanism that guarantees compliance with the requirements of Regulation (EU) 2016/679; with other grounds (derogations) provided in Regulation (EU) 2016/679, such as your explicit consent.

VI. How long do we keep your data

We process and store your personal data for a minimally necessary period, in line with the purposes for processing and in accordance with the principle of storage limitation. Depending on the purposes for which your data was collected and processed, the duration of their storage varies.

In cases where your data is processed based on your given consent, the storage period is limited by the purposes for which they were collected and processed, related to the specific functionalities of the mobile application. Upon expiration of the specified periods and in the absence of a legal basis related to information subject to archiving, your data is destroyed in accordance with the established procedure.

VII. Rights of data subjects – individuals

You have the following rights concerning the processing and storage of your personal data, in accordance with Regulation 2016/679:

Right of Access: You have the right to confirm whether your personal data is being processed and obtain a copy of this data. This includes details regarding the purposes of processing, the categories of personal data involved, recipients of the data, and the retention period.

Right to Rectification: You can request the correction of inaccurate or incomplete data. If the data is stored in your user profile and entered by you, you’ll be notified to make the corrections yourself.

Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data in specific circumstances, such as when the data is no longer necessary for the purposes it was collected or processed for, or when consent is withdrawn.

Right to Restriction of Processing: You can request a restriction on the processing of your data in certain situations, such as when the data is inaccurate or processed unlawfully.

Right to Data Portability: Under specific conditions, you have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format.

Right to Object: You have the right to object to the processing of your personal data, especially when it’s done for direct marketing or profiling purposes.

Rights Related to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

These rights can be exercised by submitting a request to the data controller, in this case, “Carreta” Ltd., either in writing or electronically. If you believe your rights under Regulation 2016/679 have been violated, you have the right to lodge a complaint with the Data Protection Commission or the competent administrative court.

VIII. Measures for protecting personal data implemented by “Carreta” Ltd

By adopting internal regulations and measures for the protection of personal data, “Carreta” Ltd has established measures for effective protection of processed personal data and the opportunity to exercise your rights provided for in Regulation 2016/679.

We use and apply a wide range of measures for adequate protection of your personal data, including but not limited to:

Personnel protection, which requires employees and all third parties processing personal data under a contract with “Carreta” Ltd to undergo training and become familiar with the regulatory framework in the field of personal data protection and internal regulations.

With the internal rules and personal data protection measures introduced by “Carreta” Ltd, there is a prohibition on sharing sensitive information (identifiers, access passwords, etc.) among employees and other external individuals not authorized by the management.

Physical protection, through organizational and technical measures that prevent unauthorized access and ensure the protection of our offices and premises.

Protection of automated information systems and networks, through technical and organizational measures to prevent unauthorized access to our systems and networks where your personal data is created, processed, and stored. Access to systems processing your personal data is limited by introducing user profiles and identifiers that allow monitoring of usage and prevention of information copying. We also provide protection against malicious software by using standard configurations for each computer and/or network platform, maintained solely by authorized specialists.

Cryptographic protection is documentary protection, including the creation and maintenance of records for processed personal data, specifying clear and precise conditions for processing personal data – categories, purposes, methods, storage periods, etc.

Additional information on personal data protection measures in “Carreta” Ltd can be obtained electronically by sending an inquiry to the following email address: support@carreta.app

 
