1. Responsible Party

Sponti-Car GmbH Talstrasse 24 8852 Altendorf Switzerland

E-mail: info@sponti-car.ch Data Protection Contact: Mark Ritzmann 

Sponti-Car is the controller within the meaning of the Swiss Data Protection Act (DSG) and the EU General Data Protection Regulation (GDPR) for the processing of your personal data.

2. Scope

This privacy policy applies to all customers (private and business customers) who use Sponti-Car's car-sharing vehicles, visit the app or website, as well as to all other persons whose data is processed within the scope of the service.

By registering for the first time you accept this privacy statement in its current version. The German version is binding.

3. Which personal data we process
   
   Upon registration and account opening

• First and last name, date of birth, address, telephone number, email address
• Driver's license data (incl. place of origin, nationality, issue date, validity)
• Biometric data (Selfie and ID data via Stripe Identity)
• Payment information
• Credit information (risk score via CRIF)
• IP address, registration date, acceptance of the terms and conditions
  
  When using the vehicles (über ibiola-Software)

• Booking and usage data (start/end time, mileage, location/GPS data)
• Vehicle data and driving behavior (speed, sensors, locking, vehicle condition)
• App usage data (Gerätetyp, App-Version, location at booking/Rückgabe)
  When contacting and support

• Korrespondenzdaten (E-Mails, Chat, Telefon)
  
  Bei Nutzung der Website / App

• Cookies und Tracking-Daten (insb. via Google Analytics)
  
  Zwecke der Datenbearbeitung und Rechtsgrundlagen

Wir bearbeiten Ihre Daten:

• Zur Vertragserfüllung (Buchung, Fahrzeugnutzung, Abrechnung) – Art. 13 Abs. 2 lit. a DSG / Art. 6 Abs. 1 lit. b DSGVO
• Zur Bonitätsprüfung und Missbrauchsprävention (berechtigtes Interesse / Vertrag) – Art. 13 Abs. 2 lit. b DSG / Art. 6 Abs. 1 lit. f DSGVO
• For identity verification (Stripe Identity) – contract + legitimate interest
• To improve our offering and statistics (Google Analytics – consent only)
• To fulfill legal obligations (accounting, authority requests)

In case of automated credit decision (CRIF) we inform you in advance and grant a right to human review.

5. Transfer to third parties and data processors

We only share your data if it is required for contract performance, due to legal obligations, or based on our legitimate interest.

The following table shows our most important service providers (data processors):

Further possible recipients and processors (the list is not exhaustive): We can further share your personal data with the following parties or use additional service providers for internal business processes (e.g., accounting, communication, support, administration):

• Authorities (in case of legal obligation or upon official order)
• Insurers (in case of claims or within the contract processing)
• Additional payment service providers

Additional data processors employed:

• Bexio AG (Accounting and ERP software) – Privacy policy: https://www.bexio.com/de-CH/richtlinien/datenschutz
• OpenAI (ChatGPT) – Privacy policy: https://openai.com/policies/eu-privacy-policy/ (Europe) respectively https://openai.com/policies/row-privacy-policy/
• xAI (Grok) – Privacy Policy: https://x.ai/legal/privacy-policy
• WhatsApp (Meta Platforms Inc.) – Privacy Policy: https://www.whatsapp.com/legal/privacy-policy-eea
• Microsoft Corporation (Office 365, Teams, Outlook and other Microsoft products) – Privacy Policy: https://www.microsoft.com/en-us/privacy/privacystatement

Important note regarding all listed service providers:. The specific privacy regulations, retention periods, Übermittlungen to abroad and security measures of the respective companies can be found directly in their linked privacy policies above. These können sich ändern – we recommend you check them regularly.

Additional recipients may be added on a case-by-case basis (e.g., additional IT service providers or partners), provided this is permissible under data protection law. In such cases, the transfer is carried out exclusively in compliance with legal requirements.

6. Data transfer abroad

• Austria (ibiola): Adequate level of protection (EU adequacy decision).
• USA (Stripe, Google, OpenAI, xAI, Microsoft, WhatsApp/Meta): EU‑US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCC) + additional measures where applicable. You can request a copy of the protection guarantees at any time.

7. Retention period

We store your data only as long as necessary for the purpose:

• Contract data: during the contract term + 10 years (legal retention obligation accounting)
• Creditworthiness and identity data: up to 5 years after contract end (or earlier upon deletion request)
• Google Analytics data: automatically after 14 months (anonymized)
• Biometric data with Stripe: only for the duration of the verification + short security period

8. Your rights

You have the following rights at any time (free, except for obviously unfounded requests):

• Information about your stored data
• Correction, deletion or restriction
• Data portability
• Complaint to the supervisory authority: Federal Data Protection and Information Commissioner (EDÖB), Feldeggweg 1, 3003 Bern or to the Austrian Data Protection Authority (for GDPR aspects).

Simply contact us at info@sponti-car.ch.

9. Cookies and Tracking (Google Analytics)

We use Google Analytics with IP anonymization and Consent Mode v2. You can withdraw your consent at any time in the cookie banner. Details about Google: https://policies.google.com/privacy

10. Data security

We take appropriate technical and organizational measures (encryption, access restrictions, regular audits).

11. Changes to this privacy policy

We adapt this statement as needed (e.g., new service providers). The current version is always available on our website.