GDPR

What the GDPR is

The GDPR is a new comprehensive data protection law in the EU that updates existing laws to strengthen the protection of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state. It is effective from May 25, 2018. EU residents will now have a greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. The regulation also clarifies how the EU personal data laws apply beyond the borders of the EU. Any organization that works with EU residents’ personal data in any manner, regardless of location, has obligations to protect the data. We fully understand this, so we collect as little personal data as possible and safeguard it as well as we can.

The Right of Access

Data subjects have the right to access all data a business holds about them at any time. This includes session and payment data.

What if a customer demands to see their data?
As a data processor, we’re under a legal obligation to assist the data controller in providing this information.

One thing to bear in mind is that there’s a big risk around Data Subject Right Requests: they can be used for fraud. We have to be careful to authenticate the customer before providing the information. We don’t want an identity thief to exploit your system in order to steal consumer information.

The Right to be Forgotten – what data you can (and can’t) delete

Another important Data Subject Right is the Right to be Forgotten. In a marketing context, this means deleting every record of the consumer and never contacting them again. This is straightforward. But it’s not so clear-cut when it comes to payment and bookkeeping data, and there are situations when certain data can’t be revoked.

For example, in a product sales scenario where statutory warranties are in place (e.g. your customer has an annual subscription that hasn’t been canceled), you need to keep the data in order to continue billing, or store it for bookkeeping.

Who the GDPR applies to

The GDPR applies to all organizations operating in the EU or processing “personal data” of residents of the EU and Switzerland.

What data the GDPR applies to

Under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”). Personal data is anything that you could conceivably use to identify a person within a larger group. That includes name, address, email, IP address, cookies, location, etc.

What personal data we collect and why

When you register

| Data collected | Comment | Purpose |
| --- | --- | --- |
| Mobile number | Every account is unique due to the uniqueness of the mobile number, which is used to identify you as a user, log you in, notify you, connect to you. | User identification |
| Country (from IP info) | | Loading relevant settings for user |
| Language | | Loading relevant settings for user |

When you use the service

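| Data collected | Comment | Purpose |
| --- | --- | --- |
| Type of service used (e.g. parking, pre-booking) | Can be referred to as Session info | Bookkeeping, Statistics, customer support |
| Timestamp, when used | Can be referred to as Session info | Bookkeeping, Statistics, customer support |
| Place, where used and price | Can be referred to as Session info | Bookkeeping, Statistics, customer support |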

When you add a payment method

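| Data collected | Comment | Purpose |
| --- | --- | --- |
| Name | | Payments, invoicing |
| Email | | Payments, invoicing |
| Credit card type | Credit card info stored by Adyen. | Payments, invoicing |
| Mobile operator | | Payments, invoicing |
| Company name | | Payments, invoicing |
| Company address | | Payments, invoicing |
| Company VAT ID | | Payments, invoicing |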

Third parties with whom personal information may be shared

| Third party | Data disclosed | Purpose |
| --- | --- | --- |
| InvoiceOcean | Name, email, vehicle registration plate number, used services | To create invoices automatically. Invoicing |
| Zoho | Name, email, vehicle registration plate number, used services | Bookkeeping related info |
| Messente | Mobile number | SMS authentication |
| IpInfo | IP address | Automatically setting the user’s country/language and calling code. Also used to detect misuse of the system, combat abuse, and for logging purposes. |
| Clevertap | Email, phone, country, name, language, session info | Analytics, reminders, payment info for end users, push notifications. |
| Adyen | Credit card info, email | Payments |

Data is stored in a database hosted in DigitalOcean’s data center in Amsterdam, Netherlands, and on an AWS server in Ireland.