2. Data We Collect
Depending on use, Caroto may collect:
- Account details (email, name, phone number, user ID)
- Driving behavior data (speed patterns, braking, acceleration, usage metrics)
- Location data (only while the app is in use and with your permission)
- Device information (device model, operating system version)
- App usage data (feature interactions, session duration)
- Vehicle information (vehicle type, license plate or name)
- Purchase and transaction data (order history, payment status)
- Push notification tokens (for delivering notifications)
No data is collected without user consent where required by GDPR.
3. Purpose of Processing
Your data is used to:
- Provide Caroto app services including navigation, route planning, and driving analytics
- Generate driving insights, safety scores, and reward points
- Process payments and manage orders
- Send push notifications about order updates and rewards
- Improve app performance and user experience
- Ensure security and fraud prevention
- Comply with legal obligations
4. Legal Basis (GDPR Art. 6)
Processing is based on:
- Consent — for location tracking, push notifications, and marketing
- Contractual necessity — to provide the services you requested
- Legitimate interest — for analytics, security, and app improvement
- Legal obligations — for regulatory compliance and fraud prevention
5. Data Sharing
Data may be shared only with:
- Technical service providers (hosting, payment processing, maps)
- Partner vendors (only order-related data necessary to fulfill your purchases)
- Reward partners (only anonymized or consent-based data)
- Authorities when legally required
We do not sell personal data.
6. Third-Party Services
Caroto uses the following third-party services that may process your data:
- Convex — backend database and real-time data
- Stripe — payment processing
- Mapbox — maps and navigation
- Expo / React Native — app framework and push notifications
- Google OAuth — optional sign-in
- Twilio — phone verification
Each service operates under its own privacy policy and data processing agreements.
7. Data Retention
Data is retained only as long as necessary for the purposes described above or as required by law. Specifically:
- Account data is retained while your account is active
- Driving and ride data is retained for up to 3 years for analytics purposes
- Transaction records are retained for 5 years as required by tax regulations
- Push notification tokens are removed when they become inactive
When you delete your account, all personal data is permanently erased, except where retention is required by law.
8. User Rights (GDPR)
You have the right to:
- Access your personal data
- Correct inaccurate or incomplete data
- Delete your data (“right to be forgotten”)
- Restrict processing of your data
- Object to processing based on legitimate interest
- Data portability — receive your data in a structured format
- Withdraw consent at any time without affecting prior processing
To exercise any of these rights, contact us at privacy@smartwagon.gr.
You also have the right to file a complaint with the Hellenic Data Protection Authority (www.dpa.gr).
9. Data Security
We apply technical and organizational measures to protect your data, including encryption in transit (TLS), secure authentication, and access controls. However, no system is 100% secure, and we cannot guarantee absolute security.
10. Children's Privacy
Caroto is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@smartwagon.gr and we will promptly delete such data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the app or via email. Continued use of the app after changes constitutes acceptance of the updated policy.