Tutu PRIVACY POLICY

This Privacy Policy regulates the procedure for collecting and processing personal and other confidential data of individuals by the TuTu Taxi service (hereinafter referred to as the "Service") using automated tools via the Internet.

General Provisions

1.The following terms are used within this document:

1.1. Personal Data – any information that relates directly or indirectly to a specific or identifiable natural person (data subject).

1.2. Service – the entity that independently organizes and/or performs the processing of personal data, and determines the purposes of such processing, the scope of personal data to be processed, and the actions (operations) performed with personal data.

1.3. Website – a set of computer programs and other information contained in an information system, accessible via the Internet through domain names and/or network addresses, enabling identification of websites on the Internet, which is used by the Service to provide services to Customers. Website address: https://eshkataxi.com

1.4. Mobile Application – the software “Eshka Taxi: Taxi Booking” installed on the Customer's device running iOS, Android, or Windows Phone, integrated into the Service's software and hardware system, which allows automating the process of placing service requests.

1.5. Services – information services provided by the Service to the Customer, aimed at receiving, processing, and forwarding the Customer’s request to a Partner and informing the Customer about the order status. The scope and conditions of service provision are defined in the public offer available on the Website.

1.6. Customer – a natural person placing a service request via the Website, Mobile Application, or by calling the Service’s support number and providing their personal data for this purpose.

1.7. Partner – a person who independently provides services to the Customer such as passenger transportation, delivery of goods (cargo), or loading/unloading operations. The Service is not a transportation company and does not independently provide any transportation services to the Customer.

1.8. Order – a request generated by the Customer for transport services to be provided by the Partners.

1.9. Personal Data Processing – any operation or set of operations performed on personal data, with or without automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.

1.10. Automated Personal Data Processing – processing of personal data using computing technology.

1.11. Provision of Personal Data – actions aimed at disclosing personal data to a specific person or a certain group of persons.

1.12. Personal Data Blocking – temporary suspension of personal data processing (except where processing is necessary for data clarification).

1.13. Personal Data Destruction – actions that render it impossible to restore the content of personal data in the personal data information system and/or result in the destruction of physical media containing personal data.

1.14. Personal Data Information System – a set of personal data contained in databases, along with information technologies and technical tools used for their processing.

1.15. Cookies – fragments of data sent by the Website and stored on the Customer's computer, mobile phone, or other device used to visit the Website, applied to store information about the Customer’s activity on the Website.

1.16. Device Identifier – unique data that allows the identification of the Customer’s device on which the Mobile Application is installed, provided by the device itself or generated by the Mobile Application.

2. By placing an order for services via the Website, Mobile Application, or by calling the Service’s support number, the Customer agrees to the terms of this policy, including giving consent to the Service for processing their personal data in cases where such consent is required by applicable law.

Personal Data

3. During the processing of personal data, the Customer has the right to:

3.1. Receive information related to the processing of their personal data, including:

3.1.1. Confirmation of the fact of personal data processing;

3.1.2. Legal grounds and purpose of personal data processing;

3.1.3. Purpose and methods of personal data processing used;

3.1.4. Information on the name and location of the person carrying out personal data processing, as well as on persons (except for Service employees) who have access to personal data or to whom personal data may be disclosed based on a contract with the Service or applicable law;

3.1.5. The personal data being processed that concerns the relevant data subject, and the source of its acquisition, unless a different procedure for providing such data is specified by applicable law;

3.1.6. Periods of personal data processing, including data retention periods;

3.1.7. The procedure for the Customer to exercise the rights stipulated by applicable law;

3.1.8. Information about cross-border data transfer that has occurred or is anticipated;

3.1.9. The name or full name and address of the person processing personal data on behalf of the Service, if such processing is or will be assigned to such a person;

3.1.10. Other information provided by applicable law.

3.2. Request the Service to update, block, or delete their personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the declared processing purpose, and also take legally prescribed measures to protect their rights.

3.3. Appeal against the actions or inaction of the Service to the authorized body for personal data protection or in court if the Customer believes that the Service is processing their personal data in violation of applicable law or otherwise violates their rights and freedoms.

3.4. Protect their rights and legitimate interests, including claiming compensation for losses and/or moral damages through court proceedings.

4. During personal data processing, the Service undertakes to:

4.1. Provide the Customer, upon their request, with the following information:

4.1.1. Confirmation of the fact of personal data processing;

4.1.2. Legal grounds and purpose of personal data processing;

4.1.3. Purpose and methods of personal data processing used;

4.1.4. Its name and location, as well as information on persons (excluding employees) who have access to personal data or to whom such data may be disclosed based on a contract or the current legislation of Ukraine;

4.1.5. The Customer’s personal data being processed and the source of their acquisition, unless otherwise provided by applicable law;

4.1.6. Periods of personal data processing, including data retention periods;

4.1.7. The procedure for the Customer to exercise the rights provided by applicable law;

4.1.8. Information about cross-border data transfer that has occurred or is anticipated;

4.1.9. The name or full name and address of the person processing personal data on behalf of the Service, if such processing is or will be assigned to such a person;

4.1.10. Other information provided by applicable law.

4.2. Take measures to prevent unauthorized access to the Customer's personal data.

4.3. Publish or otherwise ensure unrestricted access to the document defining the personal data processing policy, as well as to information on personal data protection requirements that are implemented.

5. The purpose of collecting and processing the Customer’s personal data is to conclude an agreement between the Customer and the Service for the provision of services.

6. The Customer’s personal data is stored on electronic media and processed using automated personal data processing systems.

7. The Service collects and processes the following personal data of the Customer:

7.1. Surname, first name, patronymic;

7.2. Date of birth;

7.3. Subscriber phone number;

7.4. Address of residence;

7.5. Email address.

8. The following personal data may be voluntarily provided to the Service by the Customer and may also be changed and/or deleted at their discretion:

8.1. Surname, first name, patronymic;

8.2. Date of birth;

8.3. Address of residence;

8.4. Email address.

9. The Customer’s personal data is deleted by the Service in the following cases:

9.1. Three years after the termination of the provision of Services;

9.2. In case the Customer withdraws consent to the processing of their personal data.

10. The deletion of the Customer’s personal data is carried out without the possibility of further restoration.

11. Access to the Customers’ personal data is granted only to individuals directly involved in providing the Services. In all other cases, the Service does not disclose or provide access to the Customer’s personal data to third parties without the Customer’s prior written consent, except when data is provided at the request of authorized state bodies in accordance with applicable law.

12. The Service takes the following measures to prevent unauthorized access to the Customer’s personal data:

12.1. Appoints employees responsible for organizing the processing of personal data;

12.2. Applies organizational and technical measures to ensure the security of the Customer’s personal data, including:

12.2.1. Identifying threats to personal data security during processing in information systems;

12.2.2. Ensuring secure access to premises housing the information systems, preventing unauthorized access;

12.2.3. Ensuring the safekeeping of personal data storage media;

12.2.4. Approving a list of individuals granted access to personal data necessary for fulfilling their job duties;

12.2.5. Using protection measures to prevent unauthorized access to personal data;

12.2.6. Evaluating the effectiveness of measures taken to ensure personal data security;

12.2.7. Detecting unauthorized access to personal data and taking responsive action;

12.2.8. Restoring personal data that was modified or deleted due to unauthorized access (if technically possible);

12.2.9. Establishing access rules for personal data processed in the information system;

12.2.10. Monitoring and controlling the level of protection and security of the personal data information systems.

13. The Customer has the right to request the Service to clarify (update), block, or delete their personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose of processing. The Customer also has the right to withdraw their consent to personal data processing by submitting a written request or demand by registered mail with delivery confirmation, or by personally submitting it to the Service’s address. The addresses of the Service’s departments are listed in the corresponding section of the website. The request/demand must include the number of the main identification document of the Customer or their representative, the issuing authority and date, the Customer’s residence address, information confirming the Customer’s relationship with the Service (contract number, date, reference designation and/or other data), or any other information confirming the fact of personal data processing by the Service, the request for data clarification, blocking or deletion, or the notice of consent withdrawal, and the signature of the Customer or their representative. The Service is obliged to provide a reasoned response to the Customer’s request/demand within 30 calendar days from the date of receipt.

Geolocation Data

14. The Service receives location data (geolocation data) of the Customer via the mobile application. Geolocation data is transmitted to the Service only while the mobile application is in use. The Customer may, at their own discretion, prohibit the transmission of geolocation data by adjusting the relevant settings on their mobile device.

15. In order to fulfill the Order, the Service provides the Customer's geolocation data to its Partners who have accepted the Order for execution.

Payment Data

16. To enable payment for transportation services provided by Partners using cashless payment with bank cards, the Customer may link a bank card to their subscriber phone number. The card is linked by the Customer directly in the mobile application by entering the following information:

16.1. Bank card number;

16.2. Expiration date of the bank card;

16.3. Cardholder's surname and first name;

16.4. Card security code.

17. Payment by bank card is made according to the rules of international payment systems and in compliance with confidentiality and security requirements. The security of the Customer’s data is ensured by compliance with the Payment Card Industry Data Security Standard (PCI DSS), and no one, including the Service, can access this data. Card data entry is performed on a secure payment page of the acquiring bank, which ensures the ability to make a cashless payment.

Cookies

18. The Service may use the following types of cookies:

18.1. Strictly necessary cookies. These cookies are required to navigate the site and use the requested services. They are used during Customer registration and login. Without them, services requested by the Customer become unavailable. These are essential cookies and may be either persistent or session cookies. Without them, the site does not function properly.

18.2. Performance cookies. These cookies collect statistical data on site usage. They do not collect personal information of the Customer. All information collected by these cookies is statistical and anonymous. The purposes of using these cookies are:

18.2.1. Collecting site usage statistics;

18.2.2. Evaluating the effectiveness of advertising campaigns.

These cookies may be persistent or session-based and can be either first-party or third-party cookies.

18.3. Functional cookies. These cookies store information provided by the Customer (such as username, language, or location). These cookies use anonymous data and do not track Customer activity on other websites. The purposes of using these cookies are:

18.3.1. Remembering whether the Customer has previously received any services;

18.3.2. Improving the overall user experience by remembering Customer preferences.

These cookies may be persistent or session-based and can be either first-party or third-party cookies.

18.4. Advertising cookies. These cookies are used to manage advertisements on the site, limit the number of times an ad is viewed by the user, and evaluate the effectiveness of advertising campaigns. Advertising cookies are placed by third parties – such as advertisers and their agents. These cookies are associated with advertising on the site provided by third-party companies. They may be either persistent or session cookies.

19. Cookies may be blocked, deleted, or restricted through the browser settings used by the Customer.

Device Identifier

20. The data collected about the device identifier does not contain any personal data of the Customer.

21. The purpose of collecting information about the device identifier is the internal accounting of mobile application users.

Mobile Network Operator Data

22. The Service receives data via the mobile application about the operator providing mobile communication services to the Customer.

23. The data collected about the mobile network operator does not contain any personal data of the Customer.

24. The purpose of collecting information about the mobile network operator is to automatically set the country and interface language of the mobile application based on the Customer’s location.

Order History

25. The Service stores the Customer’s trip history, including the time the order was created, the pick-up address, intermediate and final route addresses, the applied fare, the payment method, and other data provided when placing the Order.

26. The purpose of collecting order history information is to improve the quality of services provided by automatically filling in order parameters using previously submitted data, thereby reducing the time required to place an order.