Privacy Policy

Effective Date: November 27, 2025

Service Provider: WeOrbis B.V. ("WeOrbis", "we", "us", or "our")

Applicable Services: WeOrbis Driver Application, WeOrbis POS Application (collectively, the "Services")

Translations: This document may be available in other languages. In the event of any discrepancy between the English version and a translated version, the English version shall prevail and be considered the authoritative text.

WeOrbis B.V. is dedicated to safeguarding the privacy and integrity of the Personal Data entrusted to us. This Privacy Policy ("Policy") delineates our practices regarding the collection, use, processing, and disclosure of Personal Data through our mobile applications and associated services. This Policy is drafted in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

1. Roles and Responsibilities

To ensure clarity regarding our data processing activities under the GDPR:

Data Controller: The organization or entity (e.g., your employer) that has engaged WeOrbis B.V. to provide the Services acts as the Data Controller. They determine the purposes and means of processing your Personal Data.
Data Processor: WeOrbis B.V. acts primarily as the Data Processor, processing Personal Data on behalf of and in accordance with the instructions of the Data Controller.
Independent Controller: For specific limited purposes, such as account administration, service improvement, and compliance with legal obligations applicable directly to WeOrbis B.V., we may act as an independent Data Controller.

Note to Drivers: As WeOrbis B.V. primarily acts as a Data Processor, questions regarding the purposes of data processing, data sharing with specific partners, and data retention periods should be directed to your employer (the Data Controller). WeOrbis processes your data solely in accordance with their documented instructions.

2. Collection of Personal Data

We collect and process Personal Data strictly to the extent necessary for the provision of our Services. The categories of data collected include:

2.1 Data Provided by the User or Controller

Identity and Contact Data: Includes full name, email address, phone number, and organizational credentials required for authentication and account management.
Profile Data: Includes language preferences, profile imagery, and configuration settings.
User-Generated Content: Includes digital signatures, photographic evidence (e.g., proof of delivery), and operational notes submitted via the Services.

2.2 Data Collected Automatically

Geolocation Data (Driver App): We collect precise real-time geolocation data (GPS) to facilitate route optimization, arrival detection, and service verification. Background Processing: This data may be collected while the application is running in the background, provided an active service session has been initiated by the User. Session Management: Location tracking is active only during an authorized service session. For your privacy protection, the Services include an automatic termination feature that ends the session and ceases location tracking automatically 15 minutes after the scheduled task end time, unless manually extended or terminated earlier by the User.
Device and Technical Data: Includes hardware model, operating system version, unique device identifiers (UDID), IP address, and network connectivity status.
Usage and Telemetry Data: Includes interaction logs, feature utilization metrics, and error reporting data necessary for system stability and performance monitoring.
Session Replay Data: In production environments, we may record visual replays of app sessions to diagnose errors and improve user experience. These replays capture screen layouts and user interactions (such as taps, scrolls, and navigation patterns). Screens containing personal information (including profile details, passwords, and guest personal data) are automatically masked and excluded from recordings. Session replays are processed by our error monitoring sub-processor (Sentry) and are subject to applicable data processing agreements. A sample of normal sessions and all sessions in which an error occurs may be recorded.
Motion and Sensor Data: Includes accelerometer and gyroscope data utilized for activity recognition to optimize power consumption during active tracking.

3. Legal Basis for Processing

We process Personal Data based on the following legal grounds pursuant to GDPR Article 6:

Performance of a Contract (Art. 6(1)(b)): Processing is necessary for the performance of the service agreement with the Data Controller and to facilitate the User's utilization of the Services.
Legitimate Interests (Art. 6(1)(f)): Processing is necessary for our legitimate interests in maintaining service security, preventing fraud, and improving system performance.
Performance of Contract & Controller Instructions: Regarding the sharing of real-time location data with Commercial Partners (e.g., Tour Operators), we process this data strictly in accordance with the documented instructions of the Data Controller (your organization) and as necessary for the performance of the service agreement. WeOrbis does not share this data for its own independent commercial purposes.
Legal Obligation (Art. 6(1)(c)): Processing is necessary for compliance with a legal obligation to which WeOrbis B.V. is subject (e.g., tax and accounting retention requirements).

4. Purpose of Processing

Personal Data is processed for the following specific purposes:

Service Execution: To manage logistical tasks, execute point-of-sale transactions, and synchronize operational data with the Data Controller's systems.
Operational Communication: To transmit service-related notifications, task updates, and critical system alerts.
Security and Integrity: To verify User identity, monitor for unauthorized access, and ensure the physical safety of personnel and assets.
System Optimization: To analyze usage patterns for the purpose of technical debugging and feature enhancement.

5. Disclosure and Transfer of Data

WeOrbis B.V. maintains strict confidentiality regarding Personal Data. Disclosure is limited to the following circumstances:

The Data Controller: Your employer or the contracting organization has full access to data generated via the Services, including location history and task performance.
Commercial Partners and Intermediaries: At the instruction and on behalf of the Data Controller, we share specific Driver Data (including but not limited to name, vehicle identification, and real-time geolocation) with the Data Controller's designated commercial partners, such as tour operators, travel agencies, and booking platforms ("Partners"). The Data Controller determines which Partners receive this data and for what purposes. This data sharing is strictly limited to the duration of the service and is necessary to enable service execution, safety monitoring, and communication as directed by the Data Controller.
Sub-processors and Service Providers: We engage third-party vendors (e.g., cloud infrastructure providers, notification services, analytics providers) to support our Services. These entities act as Sub-processors and are bound by Data Processing Agreements (DPAs) ensuring compliance with GDPR standards.
Legal Compliance: We may disclose data if required by law, court order, or governmental regulation, or to protect the rights, property, or safety of WeOrbis B.V. or others.

6. International Data Transfers

Where Personal Data is transferred to a country outside the European Economic Area (EEA) that has not been deemed to provide an adequate level of protection by the European Commission, WeOrbis B.V. ensures appropriate safeguards are in place. These safeguards typically include the execution of the European Commission's Standard Contractual Clauses (SCCs) with the receiving entity.

7. Data Retention Policy

Personal Data is retained only for the duration necessary to fulfill the purposes outlined in this Policy, or as required by applicable law:

Account Data: Retained for the duration of the active service relationship plus a reasonable post-termination period for audit and backup purposes.
Operational Data: Transactional and logistical records are retained in accordance with the Data Controller's policies and statutory retention periods (e.g., 7 years for fiscal records).

8. Rights of the Data Subject

Under the GDPR, Users ("Data Subjects") possess the following rights:

Right of Access (Art. 15): To obtain confirmation as to whether Personal Data is being processed and access to such data.
Right to Rectification (Art. 16): To request the correction of inaccurate or incomplete Personal Data.
Right to Erasure ('Right to be Forgotten') (Art. 17): To request the deletion of Personal Data where applicable grounds exist.
Right to Restriction of Processing (Art. 18): To request the limitation of processing under certain circumstances.
Right to Data Portability (Art. 20): To receive Personal Data in a structured, commonly used, and machine-readable format.
Right to Object (Art. 21): To object to processing based on legitimate interests.
Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Account Deletion Requests: The WeOrbis Driver Application includes a functionality to request account deletion directly within the app settings. Activating this feature opens your device's native email client with a pre-addressed message to WeOrbis B.V. at info@weorbis.com. Upon receipt of your deletion request, we will immediately forward it to your organization (the Data Controller) for validation and execution in accordance with their data retention policies.

To exercise these rights, Users should primarily contact the Data Controller (their organization). WeOrbis B.V. will assist the Data Controller in fulfilling these requests in accordance with our contractual obligations. Drivers may also contact us directly at info@weorbis.com, and we will coordinate with the relevant Data Controller to address the request.

9. Security Measures and Data Breaches

WeOrbis B.V. implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including pseudonymization, encryption (HTTPS/TLS), and regular security audits. However, the User acknowledges that no electronic transmission or storage system is entirely infallible.

Data Breach Notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also communicate the breach to you without undue delay.

10. Automated Decision-Making

We do not use automated decision-making or profiling (as defined in Art. 22 GDPR) that produces legal effects concerning you or similarly significantly affects you.

11. Cookies and Tracking Technologies

Our Services may use cookies, unique device identifiers, and similar tracking technologies to maintain user sessions, analyze app performance, and ensure security. We do not use these technologies for third-party advertising purposes. You can manage your cookie preferences through your device settings.

12. Age Limitation

The Services are strictly intended for authorized personnel who are at least 18 years of age. We do not knowingly collect or solicit Personal Data from individuals under the age of 18. In the event that we learn that we have collected Personal Data from a child under 18, we will delete that information as quickly as possible.

13. Contact Information

For inquiries regarding this Policy or our data protection practices, please contact:

WeOrbis B.V.
Attn: Data Protection Officer
Email: info@weorbis.com
Address: Vinkenburgstraat 2A, 3512 AB Utrecht, The Netherlands

Users also retain the right to lodge a complaint with the Dutch Data Protection Authority ( Autoriteit Persoonsgegevens ) or their local supervisory authority.