Privacy Policy
Data protection declaration
We at Donkey Republic take the protection of your personal data very seriously. We shall therefore handle your personal data with due care, conscientiously and in accordance with the applicable laws.
The purpose of this document is to provide you with information about the data we collect and process when you use our services.
Section 1: Information on the collection of personal data
- According to GDPR Art.4, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- The data controller within the meaning of Article 4 (7) of the EU General Data Protection Regulation (GDPR) and, where applicable, the corresponding provision of the Swiss Federal Act on Data Protection (FADP) is:
DonkeyRepublic Admin Aps
Skelbækgade 4, trappe B, 4. sal.
1717 København V,
Denmark
Directors: Mr. Niels Henrik Rasmussen and Mr. Christian Dufft
Central business register (Denmark), CVR-number: 38049488
VAT-ID: DK 38049488
E-Mail: [email protected]
Telephone: (+45) 89 88 7227 (DK)
You can contact our data protection officer at [email protected] or through our postal address, stating clearly: “Data protection officer”.
- When you contact us by email, chat, Meta platforms including Facebook and Instagram, contact form or via phone, we store and process the data you provide (e.g. email address, name and any telephone number, contents of your message, etc.) in order to be able to respond to your inquiry. Data processing for purposes of contacting us is done with the legitimate interest of enabling and maintaining an effective and efficient client contact Article 6 (1) point (f) of the GDPR, and in accordance with Article 6 (1) point (a) of the GDPR, based on the consent you have given voluntarily. In case where the legal basis is based on your consent after Article 6 (1) point (a) of the GDPR, we note that you have the right to withdraw your consent after Article 7 (3) of the GDPR.
- To prevent unauthorised access by third parties to your personal data and in particular, financial data, the ordering process is encrypted using SSL (Secure Socket Layer). We also take reasonable physical, technical and administrative security measures to protect your personal data from loss, misuse, unauthorised access, disclosure and alteration. These security measures include firewalls, data encryption, physical access restrictions to our data centres, and access authorisation controls.
- The majority of all personal data is stored in data centers in EU countries. Some third party processors store data outside of the EU, under the Data Privacy Framework or by using Standard Contractual Clauses. You can find a list of all 3rd party processors and their hosting locations below.
Section 2: Information on the deletion of personal data
- Generally, we will retain your data for up to four years, however, in certain cases we will retain the personal data for a longer period of time, e.g., if we must secure a legal claim or if certain legislation requires it.
Section 3: Collection of personal data when visiting our website
- If you use the website for information purposes only, we only collect the personal data that your browser transmits to our server. This information is temporarily stored in a so-called log file. If you would like to visit our website, we shall collect the following data:
- IP address
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/ HTTP status code
- Amount of data transferred
- The referring website
- Browser
- Operating system and its interface
- Language and version of the browser software
We process this data for the following purposes:
- To ensure smooth connectivity of the website,
- To ensure that our website is user-friendly,
- To evaluate the security and stability of the system, and
- for other administrative purposes.
The aforementioned data will be deleted no later than 30 days after you visited our website, in accordance with the data processing for webhosting Article 6 (1) point (f) in the GDPR.
Use of cookies
- On various pages of our website, we use cookies to make our website more user-friendly and to enable the use of certain functions and features to display needs-based products or for market research purposes. Cookies are small text files that are automatically stored on your device.
This website uses the following types of cookies, the scope and functionality of which will be explained below:
- Transient cookies
- Persistent cookies.
- Transient cookies are automatically deleted when you close your browser. These include, in particular, session cookies. They save a so-called session ID which is used to assign different requests from your browser to the common session. This allows your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close the browser.
- Persistent cookies are automatically deleted after a specified period, which may differ, depending on the cookie. You can delete cookies at any time in the security settings of your browser.
- You may configure your browser settings according to your preferences and, for example, block the acceptance of third-party cookies or all cookies. Please note that if you do this, you may not be able to use all the functions and features of this website.
- For information about the length of storage, please refer to the overview in the cookie settings of your browser.
- We use tracking software to track your behaviour on the website for example clicking a button to download the Donkey Republic app, software including Google Analytics 4. It helps us to improve our services.
- The legal basis for aforementioned data processing is Article 6 (1) point (f) of the GDPR. The purposes of data processing named above constitute our legitimate interests.
- Read more about our Cookies and how they operate here.
Section 4: Collection of personal data when renting a Vehicle or becoming a member
- If you like to rent a bike, ebike, etc. (“Vehicle”) or becoming a member, you will need to provide personal data (e.g. name, email address, mobile number, payment method, credit card number etc.) in order to conclude the contract. In addition, we need this personal information in order to process your order. The legal basis for this is Article 6 (1) point (b) of the GDPR. We store these data as long as you are our customer with an active account. Your account is regarded inactive, if you have not made use of the account for 48 consecutive months, after which point in time the order data will be erased, if we are not obliged to retain the data as described below.
- Under the provisions of the applicable commercial and tax laws, we are obliged to retain your order data for the legally prescribed period. The legal basis for this is Article 6 (1) point (c) of the GDPR. At the end of the statutory retention periods stipulated by the commercial and tax laws, we shall erase your order data.
- We also collect and process the following data when you use a Vehicle:
- Location and route of the Vehicle
- Duration of the use of the Vehicle
- Vehicles locks and unlocks
- Occurred errors
We collect and process this data at various cities and periods, analyse the resulting data to drive our strategic and operations decisions such as where to place hubs or how many mechanics to employ to take care of the Vehicles. We also use the data to optimise our App.
Phone location data is only collected when your phone has location services turned on. Turning off location services will automatically opt-out of the collection of location data.
Phone location is collected for the following purposes:
- Unlocking, locking the Vehicle and ending a rental requires location services to be turned on to ensure that a vehicle can be found and rented again. It also enables our technical staff to find bikes that need repairs.
- If location services are turned on, they will also be used to determine accurate product prices on the local market where a user is present.
The legal basis for this type of data processing are Article 6 (1) point (f) and Article 6 (1), point (b) of the GDPR. The aforementioned purposes constitute our legitimate interests. We store this data for 48 months and then anonymise and aggregate the data.
Section 5: Advertising
We also collect and process your data to send you personalized advertising (this is referred to as profiling). For that reason, we may use the information you provided during sign up, such as email address, user behavior (e.g. booking history and ride duration), and location (city and country), in order to provide you with suggestions for products and services that are available in your area. The legal basis for processing your data for personal advertising purposes is in accordance with GDPR article 6, (1) point (f), due to our legitimate interest.
You have the right to object to this processing of your personal data, and may exercise this right by submitting a request for objection by contacting us at [email protected], clicking on the unsubscribe link available in each email, or closing your account.
Newsletter
You also have the option to subscribe to receive our rider newsletter with information about our products, curated news, and exclusive offers. We only send these emails if you have given your explicit consent. The legal basis for this is GDPR article 6 (1), point (a).
- We collect and record your consent to the receipt of the newsletter through an in-app button. In addition, we store your email address and the date and time of your subscription and confirmation. This process allows us to prove that you have indeed subscribed to the newsletter and to investigate any possible misuse of your personal data. The legal basis for this is GDPR article 6, (1), point (f). The purposes listed above constitute our legitimate interests.
- You can unsubscribe from the newsletter at any time by clicking on the unsubscribe link available in each email or by contacting us at [email protected].
Product recommendations and updates
- We reserve the right to send you important product service updates through emails or push notifications, even if you have not subscribed to our newsletter. The legal basis for this is GDPR article 6 (1), point (f). You will, however, only receive these emails if you use our service.
- You can choose to stop receiving these types of communication at any time by clicking on the unsubscribe link available in each email or by changing the push notification settings in your device.
Emails from Donkey Republic partners
- In certain locations, our rental system is administered by Donkey Republic partners. We may forward the following personal data to these partners for the purpose of providing you with local support, if needed: name, phone number, and email address.
- If agreed , we can provide an option for our riders to opt-in to receive advertising emails from our partner by submitting their name and email address. This information will also be forwarded to the partner. The legal basis for sending these emails is your consent, which you may withdraw at any time, according to GDPR article 6 (1), point (a).
- The partner shall hereafter be considered a separate data controller and is individually responsible for complying with any data protection legislation applicable from time to time, including the GDPR for any processing of personal data carried out in connection with such relation.
Section 6: User research and surveys
- We may invite you to voluntarily participate in user research through surveys or ratings in order to improve our products and services and better understand our riders. The legal basis for this is our legitimate interest in accordance with GDPR Article 6 (1), point (a). If you consent to take part, we will store and process the personal data you provide to us in this context only for as long as it is necessary or until you withdraw your consent to this type of data processing in accordance with GDPR article 6 (1), point (a).
- We reserve the right to share the aggregated and anonymized results from our surveys with our partners, such as municipalities, regions or transport authorities, if and when requested by these institutions in order to improve their services in a determined region.
Section 7: 3rd parties with whom personal information may be shared
- We may disclose or make your personal information available to the following recipients:
- 3rd party processors that process personal data on our behalf. For a complete list, please see below;
- Donkey Republic’s affiliated companies;
- Employers who have a corporate account and/or employee benefit scheme;
- Suppliers, business partners or other cooperating partners;
- Public authorities and municipalities;
- Independent controllers with whom we have a business cooperation;
- Payment service providers (e.g. credit card company etc.) to process your order.
- Other external companies will not receive or process your personal information unless the law permits the disclosure and processing hereof.
- If the external companies or cooperating partners are data processors for us, your personal information will always be processed in accordance with a data processing agreement meeting the legislative requirements. If the external companies or cooperating partners are independent data controllers, your personal information will be processed in accordance with their own privacy policy, data protection policy or personal data protection policy, which you will be made aware of by the external companies unless the law prescribes otherwise.
- Should you have any questions about our use of data processors, about the cooperation with other data controllers or transferring of data to third countries, including a request to be provided with a copy of documentation that the required guarantees have been made, please contact us. Our contact details are found at the top of this Policy.
Section 8: Transfer of personal data at specific rental locations
- At locations where a Donkey Republic partner operates and manages the rental bike fleet, each party shall be deemed to be a separate data controller and shall be responsible for compliance with applicable data protection laws, including the GDPR, when processing personal data in connection with this Agreement.
- When a customer rents a bike in the system administered by the partner then Donkey Republic will forward the following data to the partner for the purpose of the partner providing support locally to the customer if needed:
- Name
- Phone number
- Location and route of the vehicles
- If agreed between the parties, Donkey Republic can, through Donkey Republic’s system, provide an option for customers to opt-in to receive marketing material from the partner by submitting name and email address. This information will also be forwarded to the partner. The partner will hereafter be responsible for handling the consent with respect to the customers’ rights.
Section 9: Your rights
- You have the following rights with respect to personal data concerning you:
- Right to information (Article 15 of the GDPR)
- Right to rectification of data (Article 16 of the GDPR)
- Right to erasure of data (Article 17 of the GDPR)
- Right to restriction of processing (Article 18 of the GDPR)
- Right to data portability (Article 20 of the GDPR)
- In addition, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes against this regulation (Article 77 of the GDPR).
- You have the right to withdraw the consent you once gave to us with regard to data processing any time (Legal basis: Article 6 (1), point (a) of the GDPR). As a result, we shall no longer be allowed to process data based on this consent going forward. The withdrawal of consent shall not affect the legality of the processing done on the basis of this consent before its withdrawal.
- In relation to the right of erasure you may request the deletion of your user account and thereby all personal information by pressing the button “delete account” in the user profile section of the App.
- Right to object to processing (Article 21 of the GDPR).
Right to object |
Donkey Republic and 3rd party processors
Keeping our users’ data safe has always been a core concern for us. On this page, we give you an overview over the 3rd party processors we are using to process personal data. We also describe what we use them for and the data protection setup that applies in the respective case.
We never sell or profit directly from any of your personal data.
3rd parties with whom personal information may be shared
Party name | Personal data disclosed | Purpose | Transfer Mechanism | Hosting Location |
Name, email address, Payment card, IP Address and user location (only in case of dispute) | Payment provider | N/A, since no data is transferred outside of the EU | EU | |
Name, email address, Phone number, User location, Advertising ID, IP address, User id, rental data, usage data, web browsing data | Store and analyze data | DPF | Different locations where Amplitude operates**** | |
Name | Google Play Store and Apple App Store review aggregator | N/A, since no data is transferred outside of the EU | EU | |
Name, email address, Payment card, IP Address | Payment provider for PayPal | BCR, SCCs | Different locations where PayPal operates* | |
User name, email address address | Deeplinks for apps | SCCs, DPF | US | |
Name, email address, phone number. Rental data, member status, app language, user id | Transactional, support and marketing email addresss | N/A, since no data is transferred outside of the EU | France, Belgium | |
Name, email address, Phone number, User, Advertising ID, IP address | Marketing automation, operational information, push notifications | DPF | EU | |
Name, email address, Phone number, Location, IP Address | Server logging used for performance and security monitoring | N/A, since no data is transferred outside of the EU | Germany | |
Name, email address, Phone number, User location, IP Address, rental data, member status, app language, user id, last four digits of payment card | Customer support | SCCs | EU, Suriname | |
Name, demographic data | Research management tool | DPF, SCCs | US | |
Google LLC | Name, email address, Phone number, User location, IP address, Advertising ID, User id, rental data, usage data, web browsing data. | Marketing activities, ads tracking, storing and analysis of data, crash reporting, remote configuration, app store for Android devices, sign in/up method, maps and location provider. This includes the tools Firebase, Analytics, PlayStore, WhatsApp, Cloud and Ads. | DPF, SCCs | US, any country where Google or its Subprocessors maintain facilities** |
Name, email address, Phone number, User location, IP address | Heroku hosts our backend service and the databases where we collect data | DPF,SCCs | EU, US | |
Advertising ID, Event data on ride booking and membership signup, meta user name | Facebook, Instagram. Marketing activities, customer communication, research recruitment | DPF | Different locations where Meta products are available*** | |
Name, email address | Payment provider | BCR, SCCs | Different locations where PayPal operates* | |
Name, email address, Phone number, User location, IP address, Advertising ID, User id, web browsing data | Collect and forward data | DPF, SCCs, BCR | US | |
Name, email address, Phone number, User location, Advertising ID, IP address | Store and analyze data | SCCs | US | |
Name, email address, Payment card, IP Address and user location (only in case of dispute) | Payments processing | SCCs, DPF | US | |
Name, email address | Research incentive management | SCCs | US | |
Email address, phone number, name. | Product rating, review platform | N/A, since no data is transferred outside of the EU | EU | |
Name | Research survey tool | SCCs | US | |
Phone number | SMS service provider. Phone number verification,user communication | DPF, SCCs | US | |
email address, phone number. Support or user may disclose Full name, one or more locations of the user; last 4 digits of payment card | Customer Support, issue tracking. | DPF | EU |
DPF = Data Privacy Framework (Home (data privacy framework.gov))
SCC = Standard Contractual Clauses (Standard Contractual Clauses (SCC) – European Commission (europa.eu))
BCR = Binding Corporate Rules (Binding Corporate Rules (BCR) – European Commission)
* See PayPal’s transfer policies here
** See Google’s data transfer policies here
*** See Meta’s DPA and transfer policies here
**** See Amplitude’s DPA and transfer policies here
In certain cases, we may transfer your data to countries without an adequate level of data protection based on an exception, such as if you consent to the transfer, in case of legal proceedings abroad, or if the transfer is necessary for the performance of a contract.
Changes to the list of 3rd party providers
We reserve the right to make changes to this list at any time by giving notice on this page. It is strongly recommended to check this page regularly, referring to the date of the last modification listed on the bottom. If you object to any of the changes to this list, you must cease using this service and can request removal of the personal data.
Get in touch with us
If you have any concern about your personal data, please contact us at support@donkeyrepublic.com.
Donkey Republic, February 2024, version 1.2