Privacy Policy

Last updated: 1 December 2024

1. Introduction and Scope

UpSteam Eesti OÜ, operating under the trade name “FleetFox” (“we,” “us,” or “our”), is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, process, disclose, and safeguard personal information when you use our website (fleetfox.eu) and our fleet management platform services (collectively, the “Services”).

This Privacy Policy complies with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the Estonian Personal Data Protection Act, and other applicable data protection laws.

Important: Our Services are designed for business-to-business (B2B) use. This Privacy Policy primarily addresses the processing of personal data in a B2B context, including data of business contacts, Client employees, and Service Operators (independent contractors).

2. Data Controller and Contact Information

The data controller responsible for your personal data is:

UpSteam Eesti OÜ

Trading as: FleetFox

Registry code: 16635597

Registered address: Valukoja 10, 10416 Tallinn, Estonia

Email: info@fleetfox.eu

Website: fleetfox.eu

For all data protection inquiries, requests to exercise your GDPR rights, or privacy-related questions, please contact us at info@fleetfox.eu with “Data Protection Request” in the subject line.

2.1 Role of Parties

For personal data of Client employees and contacts, the Client is the data controller and FleetFox acts as a processor providing the Platform and related services. For personal data of Service Operators, FleetFox is the data controller. See also our Terms & Conditions for further details on the relationship between parties.

3. Categories of Personal Data We Collect

We collect and process the following categories of personal data, depending on your relationship with FleetFox:

3.1 Fleet Operator Clients

  • Contact and Account Information: Name, job title, email address, phone number, company name, business address
  • Business Information: Fleet size, vehicle details (make, model, license plates, locations), service preferences, operational requirements
  • Billing and Payment Information: Billing address, VAT number, payment method details, transaction history
  • Communications: Email correspondence, support tickets, meeting notes, phone call recordings (with consent)
  • Usage Data: Platform login activity, feature usage, service requests, Task history

3.2 Registered Service Operators (Foxes)

This section applies only to Service Operators who have completed registration on the FleetFox Platform.

  • Identity Information: Full name, date of birth, nationality
  • Contact Information: Email address, phone number, residential address
  • Documentation: National ID or passport, driver’s license, work permits (where applicable), contractor registration documents
  • Financial Information: Bank account details for payments, tax identification numbers
  • Performance Data: Task completion records, quality ratings, photo verification submissions, SLA compliance metrics
  • Location Data: GPS location during Task execution (to verify service delivery and for operational purposes)

3.3 Website Visitors

Depending on your cookie preferences and the tools active on our website, we may collect some or all of the following:

  • Technical Data: IP address, browser type and version, operating system, device information, time zone settings
  • Usage Data: Pages visited, time spent on pages, click behavior, referring website, exit pages
  • Cookie Data: Cookie identifiers and preferences (see Section 11 for details)
  • Marketing Data: Email address if you subscribe to newsletters or download resources, communication preferences

3.4 Special Categories of Personal Data

We do not intentionally collect or process special categories of personal data (also known as “sensitive data”) such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data, except where explicitly required and with your explicit consent or as permitted by law.

4. How We Collect Personal Data

We collect personal data through the following methods:

  • Direct Interactions: When you register an account, request a quote, contact customer support, sign service agreements, or communicate with us
  • Platform Usage: Automatically as you use the FleetFox Platform, including Task requests, service coordination, and photo uploads
  • Third-Party Sources: From business directories, LinkedIn, credit reference agencies (for B2B credit checks), or marketing partners (with appropriate consents)
  • Service Operators: Data submitted by Operators during onboarding, Task execution, and photo verification processes
  • Automated Technologies: Cookies, web beacons, and analytics tools (see Section 11)

5. Legal Basis for Processing Personal Data

Under GDPR, we must have a lawful basis to process your personal data. We rely on the following legal bases:

5.1 Contract Performance (Article 6(1)(b) GDPR)

Processing is necessary to perform our service contracts with Fleet Operator Clients and Service Operators, including:

  • Account creation and management
  • Service coordination and Task execution
  • Payment processing and invoicing
  • Customer support and communications

5.2 Legitimate Interests (Article 6(1)(f) GDPR)

Processing is necessary for our legitimate business interests, including:

  • Platform security, fraud prevention, and risk management
  • Improving and optimizing our Services and user experience
  • Business development and market research
  • Internal analytics and performance monitoring
  • Establishing, exercising, or defending legal claims

We have balanced these legitimate interests against your rights and freedoms. You have the right to object to processing based on legitimate interests (see Section 9).

5.3 Consent (Article 6(1)(a) GDPR)

Where required by law, we obtain your explicit consent for:

  • Marketing communications (email newsletters, promotional offers)
  • Non-essential cookies and tracking technologies
  • Location tracking for Service Operators during Task execution
  • Phone call recordings

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

5.4 Legal Obligation (Article 6(1)(c) GDPR)

Processing is necessary to comply with our legal obligations, including:

  • Tax and accounting requirements
  • Anti-money laundering (AML) and know-your-customer (KYC) obligations
  • Responding to lawful requests from authorities
  • Data retention requirements under Estonian and EU law

6. How We Use Personal Data

We use your personal data for the following purposes:

6.1 Service Delivery and Platform Operation

  • Creating and managing user accounts
  • Coordinating fleet care services and matching Clients with Service Operators
  • Processing and tracking Task requests and completions
  • Facilitating photo verification and quality control
  • Providing customer support and resolving issues
  • Managing SLA compliance and service quality

6.2 Business Operations

  • Processing payments, invoicing, and managing billing
  • Conducting credit checks for B2B clients where necessary
  • Verifying Service Operator credentials and qualifications
  • Managing insurance claims and damage reports
  • Contract management and administration

6.3 Platform Improvement and Analytics

  • Analyzing usage patterns to improve user experience
  • Developing new features and services
  • Conducting internal research and testing
  • Generating aggregated, anonymized statistics and reports

6.4 Communications and Marketing

  • Sending service notifications, updates, and confirmations
  • Providing operational alerts (e.g., scheduled maintenance)
  • Sending marketing communications about our services (with consent or legitimate interest)
  • Conducting customer satisfaction surveys

6.5 Security and Legal Compliance

  • Detecting and preventing fraud, security incidents, and abuse
  • Enforcing our Terms & Conditions and service agreements
  • Complying with legal obligations and responding to lawful requests
  • Establishing, exercising, or defending legal rights

7. Data Sharing and Disclosure

We share personal data with third parties only as described below. We do not sell or rent personal data to third parties for their marketing purposes.

7.1 Service Operators (Independent Contractors)

When Clients request fleet care services, we share with Service Operators the relevant information (vehicle details, location, Task specifications) necessary to execute the service. This is essential for contract performance.

7.2 Service Providers and Processors

We engage third-party service providers who process personal data on our behalf, including:

  • Cloud hosting providers: For data storage and platform infrastructure
  • Payment processors: For secure payment and invoicing services
  • Email and communications services: For transactional and marketing emails
  • Analytics providers: For website and platform analytics (e.g., Google Analytics)
  • Customer support tools: For helpdesk and support ticket management
  • Identity verification services: For Service Operator background checks

All service providers are bound by data processing agreements (DPAs) requiring them to protect personal data and process it only according to our instructions and GDPR requirements.

7.3 Legal and Regulatory Authorities

We may disclose personal data to law enforcement, regulatory authorities, courts, or government agencies when:

  • Required by law or legal process (e.g., court orders, subpoenas)
  • Necessary to protect our rights, property, or safety, or that of others
  • Required to detect, prevent, or address fraud or security issues
  • Necessary to comply with tax, accounting, or AML regulations

7.4 Business Transfers

In the event of a merger, acquisition, corporate reorganization, or sale of assets, personal data may be transferred to the acquiring entity. We will notify affected parties and ensure the receiving entity continues to comply with this Privacy Policy.

7.5 With Your Consent

We may share personal data with third parties where you have provided explicit consent for such sharing.

8. International Data Transfers

FleetFox primarily stores and processes personal data within the European Economic Area (EEA). We may transfer personal data outside the EEA where necessary to provide our Services. Where we do, we rely on lawful transfer tools such as European Commission adequacy decisions and Standard Contractual Clauses (SCCs) to ensure your data remains protected.

8.1 Safeguards for International Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

  • European Commission Adequacy Decisions: Transfers to countries deemed to provide adequate data protection (e.g., UK, Switzerland, certain US companies under the EU-US Data Privacy Framework)
  • Standard Contractual Clauses (SCCs): EU-approved contractual terms that require recipients to protect personal data according to EU standards
  • Binding Corporate Rules: For transfers within multinational corporate groups

8.2 Requesting Transfer Information

You may request information about the specific safeguards used for international transfers by contacting info@fleetfox.eu.

9. Your Data Protection Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

9.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data along with information about:

  • The purposes of processing
  • The categories of personal data
  • The recipients or categories of recipients
  • The retention period or criteria used to determine it
  • Your other GDPR rights

9.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data. We will correct or complete your data without undue delay.

9.3 Right to Erasure / “Right to be Forgotten” (Article 17)

You may request deletion of your personal data where:

  • The data is no longer necessary for the purposes it was collected
  • You withdraw consent (where processing is based on consent)
  • You object to processing based on legitimate interests and there are no overriding legitimate grounds
  • The data was unlawfully processed
  • Erasure is required to comply with a legal obligation

Note: This right is not absolute. We may retain data where we have overriding legal obligations (e.g., tax records, legal claims) or other lawful grounds.

9.4 Right to Restriction of Processing (Article 18)

You may request that we limit processing of your personal data where:

  • You contest the accuracy of the data (during verification)
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing (pending verification of legitimate grounds)

9.5 Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you have the right to:

  • Receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON)
  • Transmit that data to another controller without hindrance
  • Request that we transmit the data directly to another controller where technically feasible

9.6 Right to Object (Article 21)

You have the right to object to processing based on:

  • Legitimate interests: We must cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms
  • Direct marketing: You may object at any time to processing for marketing purposes. We will cease such processing immediately upon request

9.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

9.8 Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with the relevant data protection supervisory authority, particularly in the EU Member State of your habitual residence, workplace, or place of the alleged infringement.

For Estonia, the supervisory authority is:

Andmekaitse Inspektsioon (Data Protection Inspectorate)

Address: Tatari 39, 10134 Tallinn, Estonia

Email: info@aki.ee

Website: www.aki.ee

Phone: +372 627 4135

9.9 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: info@fleetfox.eu (Subject: “Data Protection Request”)
  • Include sufficient information to verify your identity and specify which right(s) you wish to exercise

We will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by two months where necessary, considering the complexity and number of requests, and we will inform you of such extension.

Important: We may request additional information to verify your identity before responding to data subject requests. This is a security measure to ensure personal data is not disclosed to unauthorized parties.

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

Retention periods below apply unless a service-specific notice states otherwise. Where periods differ across products or countries, the longer period required for legal claims or statutory duties applies.

10.1 Retention Periods

Specific retention periods include:

  • Client account data: Duration of business relationship plus 7 years (for tax, accounting, and legal compliance under Estonian law)
  • Service Operator data: Duration of engagement plus 7 years
  • Transaction and invoice records: 7 years from end of financial year (Estonian Accounting Act requirement)
  • Task records and photo verification: 3 years from Task completion (for quality assurance and dispute resolution)
  • Location/GPS data (Service Operators): 2 years from collection (for service verification and dispute resolution)
  • In-app communications: 60 days for general messages; up to 3 years if related to disputes or claims
  • Marketing data (consented): Until consent is withdrawn or 3 years of inactivity
  • Website analytics data: 26 months (Google Analytics default)
  • Support communications: 3 years from resolution
  • Legal claims data: Until claim resolution plus applicable statute of limitations period

10.2 Anonymization and Aggregation

After the retention period expires, we may retain data in anonymized or aggregated form (where individual identities cannot be determined) for statistical analysis, research, and business intelligence purposes indefinitely.

10.3 Secure Deletion

When personal data is no longer needed, we securely delete or destroy it in accordance with industry best practices, ensuring data cannot be reconstructed or recovered.

11. Cookies and Tracking Technologies

11.1 What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They help websites recognize your device and remember information about your visit.

11.2 Cookies We Use

We use the following categories of cookies:

  • Essential/Strictly Necessary Cookies: Required for the Platform to function, including authentication, security, and session management. These cannot be disabled.
  • Performance/Analytics Cookies: Collect information about how visitors use our website (e.g., Google Analytics) to help us improve user experience. These are subject to your consent.
  • Functional Cookies: Remember your preferences and settings (e.g., language, region) to provide enhanced functionality.
  • Marketing/Advertising Cookies: Track your browsing activity to deliver relevant advertisements. These require your explicit consent.

11.3 Third-Party Cookies

We use services from third parties who may place cookies on your device, including:

  • Google Analytics: For website traffic analysis and user behavior insights
  • Social media platforms: For social sharing features and analytics (e.g., LinkedIn, Facebook)

11.4 Managing Cookie Preferences

You can control and manage cookies through:

  • Cookie Consent Banner: When you first visit our website, you can accept or decline non-essential cookies
  • Browser Settings: Most browsers allow you to refuse or delete cookies. Instructions vary by browser:
    • Chrome: Settings > Privacy and security > Cookies
    • Firefox: Settings > Privacy & Security > Cookies and Site Data
    • Safari: Preferences > Privacy > Cookies
    • Edge: Settings > Cookies and site permissions

Note: Disabling essential cookies may prevent you from accessing certain features of the Platform.

11.5 Do Not Track Signals

Some browsers include “Do Not Track” (DNT) features. Currently, there is no universal standard for how websites should respond to DNT signals. We do not currently respond to DNT signals, but we respect your cookie preferences as set through our cookie consent mechanism.

12. Data Security Measures

We implement appropriate technical and organizational security measures to protect personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure.

12.1 Technical Security Measures

  • Encryption: Data in transit is encrypted using TLS (Transport Layer Security). Sensitive data at rest is encrypted using industry-standard encryption algorithms.
  • Access Controls: Role-based access controls (RBAC) limit access to personal data to authorized personnel only, on a need-to-know basis.
  • Authentication: Multi-factor authentication (MFA) for administrative accounts and secure password policies.
  • Firewalls and Intrusion Detection: Network security measures to prevent unauthorized access.
  • Regular Security Updates: Timely application of security patches and software updates.
  • Secure Development Practices: Code reviews, vulnerability testing, and secure coding standards.

12.2 Organizational Security Measures

  • Employee Training: Regular data protection and security awareness training for all staff.
  • Confidentiality Agreements: All employees and contractors sign confidentiality and data protection agreements.
  • Data Processing Agreements: Third-party processors are bound by contractual obligations to implement appropriate security measures.
  • Incident Response Plan: Procedures to detect, respond to, and recover from security incidents.
  • Regular Audits: Periodic security audits and assessments to identify and address vulnerabilities.

12.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Estonian Data Protection Inspectorate without undue delay and, where feasible, within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • Provide information about the nature of the breach, likely consequences, and measures taken to mitigate harm

12.4 Limitations

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of data transmitted over the internet or stored in our systems. You are responsible for maintaining the confidentiality of your account credentials and should notify us immediately of any suspected unauthorized access.

13. Children’s Privacy

Our Services are designed for businesses and are not intended for individuals under the age of 18. We do not knowingly collect, process, or solicit personal data from children under 18 years of age.

If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information as soon as possible.

If you believe we may have collected information from a child under 18, please contact us immediately at info@fleetfox.eu.

14. Automated Decision-Making and Profiling

We do not engage in fully automated decision-making (including profiling) that produces legal effects or similarly significantly affects individuals, as defined under Article 22 of the GDPR.

We may use limited automated processing for:

  • Fraud detection: Automated systems flag potentially fraudulent transactions or activities for human review
  • Service matching: Algorithms suggest suitable Service Operators for Tasks based on location, availability, and skills
  • Performance metrics: Automated calculation of SLA compliance and quality scores

In all cases, significant decisions affecting individuals involve human oversight and review. If you have concerns about automated processing, please contact us at info@fleetfox.eu.

15. Third-Party Links and Services

Our website and Platform may contain links to third-party websites, applications, or services that are not operated by us. This Privacy Policy applies only to FleetFox services.

We are not responsible for the privacy practices, content, or security of third-party websites or services. We encourage you to review the privacy policies of any third-party sites you visit.

Third-party integrations we use (such as payment processors or analytics providers) have their own privacy policies. By using their services through our Platform, you consent to their data processing practices as described in their respective privacy policies.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations.

16.1 Notification of Changes

When we make material changes to this Privacy Policy, we will:

  • Update the “Last updated” date at the top of this policy
  • Notify you via email (to the address associated with your account) at least 30 days before changes take effect
  • Display a prominent notice on our website or Platform
  • Request renewed consent where required by law

16.2 Reviewing Changes

We encourage you to periodically review this Privacy Policy to stay informed about how we protect your personal data. Continued use of the Services after changes become effective constitutes acceptance of the revised Privacy Policy.

17. Contact Us and Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

17.1 General Data Protection Inquiries

UpSteam Eesti OÜ (FleetFox)

Email: info@fleetfox.eu

Subject line: “Data Protection Request”

Address: Valukoja 10, 10416 Tallinn, Estonia

17.2 Lodging a Complaint with Supervisory Authority

You have the right to lodge a complaint with the Estonian Data Protection Inspectorate or your local supervisory authority:

Andmekaitse Inspektsioon (Data Protection Inspectorate)

Address: Tatari 39, 10134 Tallinn, Estonia

Email: info@aki.ee

Phone: +372 627 4135

Website: www.aki.ee

Acknowledgment

By using the FleetFox Services, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal data as described in this Privacy Policy.

If you do not agree with this Privacy Policy, please do not access or use our Services.