Date of last revision: 28/07/2023
1. Introduction
2. Scope: to whom does this Privacy Policy apply and what does it cover?
3. How do we obtain personal data?
4. Which personal data do we collect and process?
5. For which purposes and under which conditions your data are processed?
6. To whom can we transmit your personal data?
7. How is your personal data protected?
8. Where is your personal data stored?
9. What are your rights?
10. How can you contact us?
11. Modifications to this Privacy Policy
12. Third-party websites
13. Applicable law and competent courts
Poppy website (https://poppy.be) (the "Website") and Poppy mobile application (the “Application”) are the property of and are managed by Poppy Mobility SA/NV ("Poppy" or "we"), an environmentally friendly vehicles sharing company, established at Sanderusstraat 25, 2018 Antwerp, registered in the Register of Legal Entities of Antwerp under number 0681.505.370.
Poppy processes your personal data as controller since we determine the purposes and the means of the processing activities.
At Poppy, we do our utmost to protect and process the personal data that are entrusted to us in a compliant and transparent way, more particularly in accordance with the applicable law, especially with the General Data Protection Regulation 2016/679 of 27 April 2016 (“GDPR”) and the Belgian law of 30 July 2018 on the protection of individuals with regard to the processing of personal data ("Privacy Law").
This policy (“Privacy Policy”) applies to all individuals of whom we process personal data (“Data subjects” or “you”), such as clients, Website visitors and Application users.
Personal data is any information which allows Poppy to identify you as a natural person. With this Privacy Policy, we wish to inform you about how and why we process your personal data as a data controller when we perform our activities or when you visit this Website, use the Application or drive a vehicle, to whom we transmit this information, what are your rights and who you can contact for more information.
We obtain personal data directly from you when registering on the Website or Application and fill out the fields that request some personal data, rendering said data immediately available to Poppy.
We can also obtain your personal data through your use of our services, our Website or our Application or when you are in contact with our customer service.
Finally, some personal data are received from external sources, such as driving offense related data as provided by the police, parking fine related data as provided by city services in charge of parking fee collection or insurance exclusion related data as provided by insurance companies.
The personal data that we collect may include the following categories of data:
Identification and contact information
When you decide to sign up for our services and create an account, when you work with us, when you buy one of our packs or gift cards online, when you use our Application or Website, when you send us an email or communicate with our customer service, you are providing us with certain individually identifiable information that we collect and process. Such personal information includes your last name, first name, gender, language, date and place of birth, physical address, email address, telephone number, IP address, company details, billing information, driver license number and picture thereof, bank account number or other payment details such as credit card number or other payment method numbers, and the card’s expiration date.
Professional data
When you apply for a job at Poppy, we collect private and professional personal data such as your resume, employment status, education, training, diplomas, awards, motivation letter, hobbies, interests, financial situation, area of specialisation, professional skills, etc.
Selfie pictures data
We process your selfie pictures data and use a facial recognition technology (or “3D liveness check”) as an optional part of our account creation or identity verification process. This technology implies a processing of biometric data to help us verify your identity and ensure the security of the access to your account.
The processing is organised in order to minimise the use of the selfie pictures data to what is strictly necessary for a driving license check and is subject to your prior and explicit consent. The storage of such data is subject to strict security measures and its access is restricted to a limited number of Poppy’s employees who need to use them for performing their duties.
The processing of the selfie pictures data is exclusively used to combat fraud, identity theft, and driving by unauthorised people.
Usage data of our vehicles
When you decide to use any of our vehicles, you are providing us with certain information regarding their conditions and usage. We collect and process this information, which may include but is not limited to the type of vehicle you use, vehicle mileage, fuel gauge, the duration of your booking and the distance you drove a vehicle. This data constitutes personal data since we are able to identify the user that was driving the car at the time the data was generated.
Regarding our shared cars or vans, Poppy has also implemented a security system which constitutes a partially automated processing. This system informs Poppy’s employees when the driving of one of its users reveals a risk event, presenting risks for the driver but also for the other users of public roads. Based on this information and following internal guidelines defined by Poppy, Poppy may decide to activate the "Safety Mode" of the vehicle. Once the “Safety Mode” is activated, the user is prevented from restarting the engine once it has been stopped on parking position. This “Safety Mode” is only activated after several warnings sent to the user, repeated risk events detected, and human check by a Poppy’s employee (reviewer).
Risk-related statements
Before you can use our shared cars or vans, Poppy will ask you several questions in order to enable the insurance company to assess the risk covered by the insurance policy (e.g. “has your driver license already been revoked in the past?”). This constitutes judicial data. This data is collected by Poppy to comply with its legal obligation under the Royal Decree of 16 April 2018 on the conditions for compulsory motor vehicle liability insurance contracts. In addition, the collection of this data is necessary for the performance by Poppy of the insurance contract concluded with the insurance company that covers its vehicles. These data are stored securely, and their access is restricted to a limited number of Poppy’s employees who need to use them for performing their duties.
Location data
When you decide to use our Application on any mobile device, you may or may not use the geolocation options that come with the mobile phone (it is possible to turn off the geolocation option of your mobile phone at any time in your parameters). However, when you decide to book any of our vehicles you are required to activate this option so that we can locate you with respect to the vehicle as you need to be within a certain distance of the vehicle to be able to safely unlock it. We will only locate you when the Application is open. We also collect the car's mileage before and after you use it in order to calculate the price of your trip and we use the car location data to verify it is in a zone where it can be locked, to ensure compliance with the applicable public parking restrictions and to know the location of the car once the booking is over, so that we know where our cars are, and we can report the cars as available for other users. Cities allowing Poppy to operate its business are also requiring anonymised trip data in order to collect mobility statistics to be used for defining their further regulatory measures relating to mobility.
Poppy (or its processors) collects, uses, and processes your data in accordance with the GDPR and the Belgian Privacy Law, as described in this Privacy Policy.
A. To visit our website
You can visit our website and find out about our services without having to provide us with any personal information.
However, the use of certain cookies is necessary to browse our website. For further information in this respect, please refer to our Cookie Policy.
B. To communicate with you
Categories of data: We process your identification and contact data.
Purpose: We process these data when you contact us via our website's chat system, by email or by any other means, in order to communicate with you and answer your questions.
Legal basis: The processing of this data is necessary in order to answer your questions and provide the requested service. This data is therefore essential for the performance of our contract or pre-contractual measures. Without it, we cannot carry out our mission.
Retention period: Your data will be kept for one year from the last contact if these interactions have not resulted in any contract/creation of an account on the application.
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our ticketing and emailing service providers.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
C. To offer access to our service and create an account on our Application
Categories of data: We process your identification, contact data, language, date of birth, banking details, login data, one-time password received via SMS, IP address, device type and operating system version.
Once registered, Poppy will process your data, such as identification information, contact details and location data, to enable you to lock/unlock a vehicle, to calculate the costs of the services provided to you by Poppy, to process vehicles bookings and to allow the use of our vehicles via our Application.
Purpose: The creation of an account on our Application enables you to access and to benefit from our vehicle rental services.
Legal basis: The processing of this data is necessary for the provision of the requested service. This data is therefore essential for the performance of our contract. Without it, we cannot carry out our mission.
Retention period: Your data will be kept for 10 years from the last connection to our Application, for tax and accounting purposes and also for liability reasons.
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our hosting provider, customer relationship management tool provider, payment processing solution, ticketing service provider or our emailing service provider.
In the event that you are the author or victim of a traffic accident or offence while using a Poppy car, all information requested by our insurance partner(s) to settle any claim will be shared with them.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
D. To ensure compliance with legal requirements for access to the service
D.1. To ensure that you are of age to use our services and hold a driving license if necessary
Categories of personal data: we process your identification and contact data, language, your date of birth and/or a photo of your driving licence.
Purpose: If you want to use our eScooters or eBikes service, you have to be 16 years old.
If you want to use our type B vehicle rental service, you must hold a valid driving license.
We process your personal data to make sure that you fulfil the legal conditions applicable to the service you use.
Legal basis: The processing is necessary for compliance with a legal obligation to which Poppy is subject regarding the legal age to drive eScooters and type B vehicles.
Article 4 of the law of 15 May 2022, amending the Royal Decree of December 1, 1975, on the general regulations governing road traffic and the use of public highways, with regard to the regulation of mobility devices stipulates that the user of an eScooter must be 16 years of age.
Article 18, 2° of the Royal Decree of March 23 1998, on driving licenses stipulates that the minimum age for a driving license is 18 for categories A1, B, B+E, C1 and C1+E.
Article 21 of the law of 16 March 1968, on road traffic police provides that no one may drive a (motor vehicle) on public roads unless he or she holds a driver's license. In addition, article 32 of the same law punishes with a fine of up to 1000 euros anyone who knowingly entrusts a motor vehicle to a person without a driving license.
The operating licenses granted by the cities in which Poppy operates also require Poppy to monitor compliance with service access conditions.
The processing is also necessary for the execution of the contract, since Poppy imposes a minimum age of 16 years old for riding its eBikes as well.
In addition, the eScooter and eBike rental service is provided through the same accounts. This means that Poppy must verify the age of all users who wish to rent an eScooter or an eBike, as the same account allows access to both services.
Retention period: Your data will be kept for 10 years from your last connection to our Application, for tax and accounting purposes and also for liability reasons.
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our hosting infrastructure, driver's license identification and validation service provider.
These data can be transmitted to our insurance company for auditing and compliance control performed by the insurance company.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
D.2. To verify your identity (as driving license holder if applicable)
Categories of data: We process your identification and contact data but also a photo of your driving licence and picture and selfie picture of yourself to verify your identity. For that purpose, we might process biometric data (selfie pictures) subject to your prior explicit consent, for the purpose of verifying the identity of each natural person wishing to use our services which require a valid driving license.
Purpose: If you want to use our type B vehicle rental service, we process your data to verify that you are the holder of a driving license. This verification can be done through different means.
Legal basis: The processing of your data is based on your explicit consent (art. 6, §1, a) and 9, §§ 1 and 2, a) of the GDPR).
Upon the creation of an account and only if you give your explicit consent to this specific processing, you will be asked to provide a picture of your driver license and to take several selfie pictures of yourself for what is called a “3D liveness check”. An automated processing system is then used to match the driver license and the selfie pictures as to ensure they belong to the same person.
In case of any doubt about the identity of the person using a certain account, a new 3D liveness check might also be requested to the person using a certain account before they are able to use Poppy services (e.g. driving a vehicle which requires a driving license) to ensure it is indeed the person that registered the account who now wishes to use said account.
If said automated processing fail or does not reach a sufficient level of certainty, a check shall be performed by an employee of Poppy.
If you do not consent to the automated processing comparing your selfie picture data with your driving license photo, an alternative solution of manual identification is offered to you, without service restriction or any additional cost. We will then follow-up your request per email and revert to you. In this case, the photo of your driving license as well as a photo of you holding your driving license are checked by one of Poppy’s employees. This employee will verify that the person on the driving license photo and the one on the selfie picture are the same. If so, your identity shall be considered as confirmed and your account will be validated.
You can also choose not to send any biometric data or photos to Poppy. In this case, you still have the alternative of subscribing to our eScooter and eBike services.
If you gave your explicit consent to the processing of your biometric data or if you agreed to send us your picture for manual identity verification, you can withdraw such consent at any time directly by sending an email to privacy@poppy.be. We may then invite you to follow up the alternative solution to ensure proper identification if need be.
Retention period: In all cases, the selfie pictures will be kept for one year after the verification of your identity. If the selfie pictures are deleted and a new identity verification is required, new selfie pictures will be requested and compared with the driving license..
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our hosting provider, driver's license identification and validation service provider.
For selfie data, we work with Sumsub, our subcontractor for this data processing activity. Sumsub is a company that provides an all-in-one technical and legal platform for identity verification and compliance. Sumsub platform allows us to streamline the process of verifying the identities of our customers, ensuring that we are in compliance with various regulations and helping us to prevent fraudulent activities. Sumsub uses a combination of machine learning and human expertise to analyse documents and biometric data from customers, providing a secure and efficient method for identity verification. The processing is organised in order to minimise the use of the selfie data to what is strictly necessary for driving license check. The storage of such data is subject to strict security measures and its access is restricted to a limited number of Poppy’s employees who need to use them for performing their duties.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
E. To prevent the use of the service by unwanted users
Categories of data: We process your identification and contact data to prevent the creation of an account by an unwanted user.
Purpose: We will process your data to verify that you comply with our general terms and conditions (i.e., the contract that exists between you and Poppy), notably on the various prohibitions of use of our vehicles that are in place.
Indeed, Poppy may prohibit a former user to rent its vehicles or create a new account on the Application after his or her former account has been terminated by Poppy for one of the following reasons: payment incidents; traffic accidents; repeated damage or incivilities towards our employees; fraudulent use of the service; use of our vehicles in violation of the general rental conditions.
Legitimate basis: The processing of this data is based on Poppy’s legitimate interest to prevent fraudulent use of our service, protect our own rights, employees and our fleet so that we can continue to offer our service to rule-abiding users.
Your interests and fundamental rights do not override our legitimate interests. However, you can always exercise your right to object (cfr. point 9 below of the present Privacy Policy), at any time and free of charge, if you consider that your rights take precedence over our legitimate interests.
Retention period: Your data will be kept for as long as you lose access to Poppy's services, i.e.:
· 8 months in case of identified risk that does not trigger the Safety Mode;
· 1 year in case of identified risk triggering the Safety Mode threshold;
· 3 years in case of an accident at fault;
· 5 years in case of a total loss at fault or in case of fraud.
In the event of litigation, this data is kept until the end of the dispute.
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our hosting provider, emailing service provider, ticketing service provider, customer relationship management tool provider, driver's license identification and validation service provider.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
F. To comply with the requirements of legally mandated insurance
Categories of data: We process your identification and contact data, photo of your driving licence and your risk-related statements about driving licence withdrawal or conviction for dangerous driving when creating an account, which constitutes judicial data.
Our insurance requires information such as a copy of your driving license and information about possible revocation of such license in the past (judicial data). Those data are collected to provide you with an insurance coverage, as legally mandated, when you are driving Poppy’s vehicles as requested by the law and the insurance contract terms and conditions.
Purpose: The aim of the processing is for Poppy to be able to contract an insurance for all of its fleet, which constitutes a legal obligation as well as a contractual obligation imposed upon Poppy by its insurance company.
Legal basis: The processing of the driving licence is necessary for compliance with a legal obligation to which Poppy is subject.
Indeed, the law of 21 November 1968 requires all vehicles to be insured. As the owner, Poppy is obliged to insure her cars. The insurance companies require this information in order to accept covering personal liability of the driver of the Poppy’s vehicle, as legally mandated.
Also, article 1.1 of the insurance contract between Poppy and AXA (“Contrat d'assurance pour la Flotte n°75530”) stipulates as a condition for insurance coverage that the policyholder will only accept an authorised driver after having obtained a copy of the "authorised driver's" valid European type B driving license.
Poppy must therefore collect this information and pass it on to the insurance company that insures the car, in order to comply with the law on compulsory car insurance.
Poppy is also under the legal obligation to collect information to assess the risk covered by the insurance policy (e.g., “has your driver license already been revoked in the past?”). This constitutes judicial data. This data is collected by Poppy to comply with its legal obligation under the Royal Decree of 16 April 2018 on the minimum conditions for compulsory motor vehicle liability insurance contracts. In addition, the collection of this data is necessary for the performance by Poppy of the insurance contract concluded with the insurance company that covers its vehicles. Article 1.1 of the contract requires Poppy to ask these questions.
Retention period: Your data will be kept for 10 years from your last connection on our Application, for tax and accounting purposes and also for liability reasons.
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our hosting infrastructure, emailing service provider and our ticketing service provider.
Data can also be shared with the insurance company for risk assessment and auditing/control purposes.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
G. To manage our contractual relationship
Categories of data: We process your identification and contact data but also your invoicing and location data.
Purpose: Your data is used for billing and retrieval purposes, or to notify you of changes to the contract or the present data protection policy (including new purposes).
Legal basis: The processing of this data is necessary for the provision of the requested service. This data is therefore essential for the performance of our contract. Without it, we cannot carry out our mission.
Retention period: Your data will be kept for 10 years from your last connection to our Application, for tax and accounting purposes and also for liability reasons.
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our hosting provider, customer relationship management tool provider, payment processing solution, emailing service provider, ticketing service provider, accounting solution and our debt collection solution.
Data is transmitted to tax authorities and to our accountant. It may also be passed on to our lawyer and/or bailiff in the event of a dispute.
H. To promote our services
Categories of data: We process your contact data (email address) and data relating to the use of our Application and/or Website.
Purpose: We process this data to inform you about Poppy's services and keep you informed of our features, services and news.
Legal basis: The processing of your personal data for the purpose of the distribution of our newsletter and our marketing activities is based on our legitimate interests (and, partly, we believe, on the user’s interests). The user can then stay informed of upcoming events, products, and services from Poppy and of the improvements we are making.
Retention period: We keep your contact data for this purpose until you ask us to stop, but no longer than five (5) years after the last interaction with Poppy.
You can notify us at any time that you no longer wish to receive advertisements or newsletter. Simply send us an email to privacy@poppy.be or click on the unsubscribe link at the bottom of any electronic communication we send you for this purpose.
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our hosting provider, customer relationship management tool provider, emailing service provider, analytics solutions and our feedback form builders.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
I. To allow you to exercise your rights
Categories of data: We process your surname, first name, request, proof of action taken by Poppy following the request.
Purposes: When you exercise the rights conferred on you by the GDPR and described in this data protection policy (right of access, rectification, etc.), we keep the data strictly necessary to prove that we have indeed taken useful action.
Legal basis: The retention of this data stems from the legal obligation imposed by Article 5.2 GDPR, namely the duty of accountability.
Retention period: Your data are kept for as long as we could be liable for non-compliance with requests, i.e., for a maximum of 10 years after the last interaction with Poppy.
Recipients: This data is not passed on to any recipient other than the data protection authority, and our hosting provider, emailing service provider and ticketing service provider.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
J. To manage our social network accounts
Categories of data: We may process data linked to your account, data linked to the sharing of content or to your interactions with other people.
Purposes: The data you communicate when visiting our accounts on social networks is or may be processed jointly by the social network provider and Poppy for the following purposes:
- the collection of certain data using cookies;
- to obtain statistics on the page's audience.
Legal basis: This data will only be processed by Poppy in the context of its legitimate interest in obtaining statistics on visitors to its page, in order to promote its page appropriately. The audience statistics established by the social network are only transmitted to Poppy in an anonymised form.
Retention period: This data is or may be processed for as long as our accounts on the social network exist and as long as you visit it.
The privacy policy of each social network can be found by clicking on the following links:
- Twitter,
- Youtube,
Recipients: This data may be processed by the above-mentioned social networks and may be processed, upon our instructions, by our processors identified in point 6 below, including our hosting provider and analytics solutions.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
K. To apply for a job at Poppy
Categories of data: We process your identification and contact data as well as your professional data.
Purpose: If you send us a spontaneous application or respond to a job offer issued by Poppy, your data will be processed at your request in order to assess the possibility of a contractual relationship.
Legal basis: The processing is necessary in order to take steps at the request of the data subject prior to entering into a contract.
Retention period: The data you provide us as part of a job application will be deleted within 6 months of the end of the selection process.
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our recruitment services and head-hunters, candidate application management.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
L. To comply with legal obligations and authorities’ requests
Categories of data: We process your identification data and data relating to your use of the Poppy services (trip date and time, starting point and endpoint).
Purpose: In the event that Poppy receives a request from the police services or other law enforcement bodies and when this request is lawful (for example regarding violations of the traffic legislation or offences committed with our vehicles), your personal data will be shared with the involved police department or law enforcement bodies.
We may also process your data to comply with the law, to complete all legally obligated paperwork in each country/region in which either you or Poppy is active.
Legal basis: The processing is necessary for Poppy to comply with a legal obligation, including the obligation provided for in article 67ter of the law of 16 March 1968 related to traffic police.
Retention period: We retain your data for as long as we could be liable for non-compliance with requests, i.e., for a maximum of 10 years.
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our hosting service provider and our emailing service provider.
Data may also be shared with police and other public authorities in charge of enforcement of the rules governing the use of a vehicle on public roads.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
M. Risk management and promotion of safe driving practices
Categories of data: We process your identification data but also data relating to the vehicle’s condition, location data and data about the risks identified during your trips.
Purpose: We process personal data such as your identification details and the risk events detected during your use of Poppy’s vehicle to prevent potential accidents (excessive speed, abrupt change of direction, etc.) and the implementation of the “Safety Mode” (if relevant). The Safety Mode is a partially automated security system which informs Poppy when car parameters highlight specific risk events during a trip. Based on this information, a Poppy’s employee may decide to activate the Safety Mode which will block any further use of a vehicle once the vehicle is parked and the engine is switched off.
Legal basis: The processing is necessary to pursue Poppy’s legitimate interest to avoid damages to its property but first and foremost to protect the physical integrity of drivers, passengers and all road users and reduce the number of accidents, and to comply with obligation to take action to promote safe driving by its users (city license obligation with the cities in which Poppy operates).
Retention period: When the “Safety Mode” is not activated, data relating to the user's driving is deleted 12 months after the end of the driving session.
However, the data will be kept for as long as a limitation to your access to Poppy's services is applied, i.e., at least:
- 8 months in case of risk event that did not trigger the Safety Mode;
- 1 year in case of risk event triggering the Safety Mode;
- 3 years in case of an accident at fault;
- 5 years in case of a total loss at fault or in case of fraud.
In the event of litigation, this data is kept until the end of the dispute.
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our hosting provider, customer relationship management tool provider, emailing service provider and ticketing service provider.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
N. To improve our services
Categories of data: We process data relating to your use of our Application and our Services, including statistical information about the location of users who opened the Application but did not finalise a booking.
When you decide to provide us with further information through the form of a survey or use any of our services, you are providing us valuable data. This data will be processed in an aggregated format and will stay anonymous (e.g. how many trips are made between different cities by users rather than which user is doing these trips). This processing will help us at better understanding our users’ needs and improve our services.
Purpose: The processing of statistical information about the use of our Application and services allows us to improve our services.
For example, by analysing the locations where users open the Application but don't finalise their order, we can find out where there might be an unmet demand for vehicles. However, such data is obtained by Poppy in an anonymised form and for statistical purposes only.
Legal basis: This processing is justified by Poppy's legitimate interest to improve the efficiency of its services. The data subject is informed of such processing and can refuse such processing.
Retention period: Statistical data is only stored in anonymised form. No specific retention term applies.
Recipients: Data may be processed, upon our instructions, by our processors identified in point 6 below, including our hosting provider, analytics solution provider and feedback form builder.
The data can also be transmitted to our lawyer and/or bailiff, in the event of a dispute.
Your data may be processed by:
- our hosting provider
- our customer relationship management (CRM) provider
- our accounting solution provider
- our debt collection solution provider
- our driver’s license identification and validation provider
- our e-mailing service provider
- our customer ticketing service
- recruitment services and head-hunters
- our candidate application management provider
- our analytics solution provider
- our feedback form builders.
Those IT service providers process the data for the purposes strictly necessary to comply with the instructions we send them. They act as processor in this respect. With a view to the optimal protection of the personal data of our customers, we have made the necessary contractual arrangements with the aforementioned data processors to ensure that they apply the highest privacy standards. In any event, data processors shall be required to ensure the security and confidentiality of the personal data. Therefore, a data processing agreement is systematically signed according to article 28 GDPR.
A processor is the natural or legal person who processes your personal data upon request and on behalf of the data controller. The processor is required to ensure the security and confidentiality of the data. The processor shall always act on the instructions of the data controller.
We may also transmit your personal data to other third parties who process it for their own purposes (as separate data controller from Poppy), such as:
- third parties' platforms. Should you use Poppy through a third-party platform (such as Skipr), some of your personal data might be transferred to said third party for the execution of the contract you have concluded with said third party;
- our lawyers and bailiffs, in defending our rights (particularly in the event of a dispute);
- insurance companies covering the use of vehicles provided by Poppy;
- the police and other competent public authorities, in the event of a request relating to possible offences committed in connection with the use of vehicles made available by Poppy.
Poppy protects the confidentiality, integrity and availability of your personal data. We use various technological, organisational, contractual, and procedural security measures in order to protect your personal data from loss, misuse, alternation or destruction, including encryption and logical and physical access control measures.
Your data are mainly stored on servers located in the European Economic Area.
If necessary, in some circumstances, your data may be transferred to a country outside the European Economic Area. In such cases, we will ensure that the recipients are obliged to comply with the same data protection standards as in the EU by means of standard contractual clauses as edited by the European Commission, with supplementary security measures where required.
You have several rights regarding the personal data that we process. In particular, you have the right:
For more information about your rights: https://www.autoriteprotectiondonnees.be/citoyen/vie-privee/quels-sont-mes-droits-
You can exercise your rights by sending an email to privacy@poppy.be.
Furthermore, if you think that Poppy did not act in accordance with the legislation concerning the processing of personal data, you can file a complaint with the Belgian Data Protection Authority (Data Protection Authority, drukpersstraat 35, 1000 Brussel, +32 (0)2 274 48 00, contact@apd-gba.be)
If you have any questions regarding this Privacy Policy, you can contact us:
We can modify this Privacy Policy at all times. In order to keep you informed of the latest modification of this Privacy Policy, we shall adapt the revision date each time it is modified. The modified Privacy Policy shall enter into force as of that date.
Please consult this page regularly to keep informed of any modifications and/or additions.
We will also proactively inform you about important changes to the Privacy Policy, per email or through a pop-up on our Application and on our Website.
Poppy’s privacy policy is available in several languages. In the event of any differences in content between the versions, the English version shall prevail.
Our website contains hyperlinks to third-party websites and information about them. We have no control over these sites, and are not responsible for their privacý policies, which we invite you to consult.
This Privacy Policy is governed by and construed in accordance with the Belgian legislation that is exclusively applicable to any potential dispute.
In the event of a dispute, the parties will attempt to resolve it amicably. In the event of failure to resolve the dispute amicably, the competent courts will be settled by the Belgian courts, competent for either the place of residence of the Data Subject, or the courts of Brussels.