Privacy Policy of the Charge4All applications

General information

The “Charge4All” mobile application (the “App” or the “Mobile App”) is owned by DELKASOFT SRL (a Romanian limited liability company, hereinafter named the “Company”). By using this App, you agree to the content of this Privacy Policy.

The Company acknowledges the scope and implications of Regulation (EU) 2016/679 (GDPR) as well as the related legislation on the protection of personal data and is committed to safeguarding your rights and freedoms by processing your personal data securely and in full compliance with all applicable legal obligations.

We reserve the right to update and amend this Privacy Policy from time to time, in order to reflect any changes in the way we process your personal data or any changes in the applicable legal requirements. In the event of any such changes, we will display the revised version of the Privacy Policy within the “Charge4All” Mobile App. We therefore encourage you to review its content periodically.

Key Definitions

1. “Responsible person” means an employee of the Data Controller who, due to the nature of their work, is authorised to perform specific functions related to data processing.
2. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
3. “Employee” means a person who has concluded an employment agreement or a similar contract (e.g. a service provision contract) with the Data Controller.
4. “Data/Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
5. “DPA” means a data processing agreement that must be signed with each Data Controller under the conditions set out in Section 3 below.
6. “Recipient” means a natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether a third party or not.
7. “Data Subject” means a client or employee of the Data Controller or any other individual whose personal data are processed by the Data Controller.
8. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
9. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
10. “App” and “Mobile App” mean the “Charge4All” mobile application, available on the Apple Store and Google Play.
11. “Data Controller” and “Mobile App Owner” mean DELKASOFT SRL, with its registered office in Sfântu Gheorghe, Bartók Béla Street, No. 4, Covasna County, Romania, registered with the Trade Register under no. J2012000015140, VAT no. RO29594343, email: info@chargeforall.app.
12. “Client” means any individual who uses or has used the services provided by the Data Controller.
13. “Policy” means this Privacy Policy.
14. For the purposes of this Policy, other terms shall have the meaning assigned to them under the GDPR and applicable national legislation (hereinafter referred to as the “Law”).

 

General provisions

1. The Data Controller collects certain personal data for the purpose of managing and carrying out its own activities, as well as for fulfilling its legal obligations.
2. This Policy sets out the fundamental principles and procedures for the collection, processing, and storage of personal data of users of the App, managed by the Data Controller. Before using the Mobile App, you must carefully read and familiarise yourself with this Policy. By using the services provided by the Data Controller, you confirm that you agree to comply with this Policy.
3. The Data Subject is not entitled to use the Mobile App unless they have read and accepted the Policy. Where the Data Subject does not agree with the Policy or with any relevant part thereof, they must not use the Mobile App. Otherwise, it shall be deemed that the Client has read, unconditionally accepted, and explicitly agreed to the Policy upon registration.
4. The Data Controller must respect the confidentiality of personal data. This Policy outlines the acceptable privacy practices applicable within our Company. It explains how we collect and use your personal data, and the rights you may exercise.
5. Use of third-party services, such as Facebook social networking services, may be subject to the general terms and conditions of those third parties. For example, all Facebook users and visitors are subject to Facebook’s Privacy Policy. Therefore, in order to use third-party services, we recommend that you review their applicable terms and conditions.
6. The Data Controller shall ensure compliance with the following fundamental data protection principles:
   1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject (lawfulness, fairness and transparency);
   2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes (purpose limitation);
   3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
   4. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy);
   5. Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they are processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) GDPR, subject to the implementation of appropriate technical and organisational measures required under the GDPR to safeguard the rights and freedoms of the Data Subject (storage limitation);
   6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality);
   7. The Data Controller shall be responsible for, and able to demonstrate, compliance with the above principles (accountability).
7. Data shall be processed by providing an appropriate privacy notice to the Data Subjects. Users of the Mobile App must explicitly agree to the Data Controller’s privacy notice and policy before registering and installing the App.
8. Data shall be retained for the periods specified for each category of personal data, as outlined in this Policy.
9. The rights of the Data Processor in relation to personal data shall be revoked upon termination of their agreement with the Data Controller.
10. Data shall be disclosed to Recipients in accordance with this Policy or where legal regulations provide the right and/or obligation to do so on legitimate grounds.
11. The Data Controller shall have the right to provide personal data to investigative bodies, law enforcement authorities, or courts, for administrative, civil, or criminal proceedings, or in other cases provided for by law.

 

Processing of personal data for the provision of electric vehicle charging stations

1. The Data Controller offers its Clients a comprehensive electric vehicle charging service via the publicly accessible “Charge4All” Charging Station network. In this context, the following categories of Clients’ Personal Data are processed (either directly by the Data Controller or Mobile App Owner, or by subcontractors mandated to carry out such operations in full compliance with the GDPR):
   1. Personal data such as:
      • First and last name
   2. Contact details such as:
      • Residential/home address
      • Workplace address / Employer’s address (if registration was created on behalf of the user by their employer)
      • Service or product delivery address
      • Email address / Fax number
   3. Transaction details such as:
      • Purchase history or history of service usage
      • Client ID
      • Information regarding the services accessed and payment history
      • Bank account number
      • Credit / debit facility
      • Records of communications between the service provider and the Client
   4. Security-related data such as:
      • Username and password
      • Facility and system monitoring information
      • Information concerning security breaches
   5. IT-related data such as:
      • IP address, operating system data, location data, and other non-identifying mobile device information collected during installation of the Mobile App
      • Details related to the equipment associated with the provided services, including technical identifiers, location, communication data and metadata
      • Technical events and service-related data, including usage logs, system and application logs
      • Note: In order to access the service, the Client must provide their payment card information by registering directly on the payment transaction administrators’ platform.
2. The data listed under Sections 1.1 to 1.5 are provided directly by the Client. However, some of the data stored in the system may also be obtained from the Client’s employer, where the Client uses the Data Controller’s services as an employee of that company.
3. For the purpose of Client registration and the conclusion, management and performance of the contract, compliance with legal accounting obligations, and the protection and control of the Company’s assets, the Data Controller additionally processes the following data:
   1. start and end time of the electric vehicle charging session
   2. applicable fee
   3. information relating to payment obligations (level of liability, amount, due date, date of payment)
4. Former Clients’ data shall only be disclosed to law enforcement authorities in accordance with the procedure established by law.
5. The legal bases for processing personal data are Article 6(1)(b) and Article 6(1)(c) of the GDPR.
6. With the Data Subject’s consent, location data from the mobile device may also be collected during use of the Mobile App, in order to notify the Client of nearby charging stations while using the application. The Data Subject retains the right to withdraw their consent at any time by modifying their mobile device settings.
7. On the basis of legitimate interest — namely the protection and management of the Data Controller’s assets and the development of its business (Article 6(1)(f) GDPR) — data may also be processed for the following purposes:
   • establishment, exercise and defence of legal claims
   • statistical analysis and marketing research concerning the services used by our Clients, after anonymisation and removal of any identifiable personal data
8. The Data Controller does not process genetic data, biometric data, data concerning health, criminal convictions, religious beliefs, philosophical beliefs, trade union membership, racial or ethnic origin, political opinions, sexual life or sexual orientation.
9. To ensure high-quality and efficient settlement of payments for the services provided, the Mobile App Owner concludes agreements with payment service providers who act as intermediaries for executing payment operations.
10. The Data Controller confirms that all appropriate technical and organisational measures for data protection have been duly implemented.
11. In order to ensure the quality of the services provided and to respond promptly to Client inquiries, employees of the Data Controller acting as customer service specialists are responsible for handling Client emails and providing written support accordingly. Client communications are retained for a period of 180 (one hundred and eighty) days.

 

Processing of data for direct marketing purposes

1. The Data Controller may carry out direct marketing activities in relation to its Clients.
2. To receive proposals or offers related to the services provided by the Data Controller, the Client must give their consent to the processing of Personal Data for direct marketing purposes at the time of registration.
3. The Data Controller processes the following categories of Clients’ personal data for direct marketing purposes:
   • First name
   • Last name
   • Email address
   • Telephone number
   • Address
4. The Data Controller may also engage in direct marketing (such as sending newsletters and promotional offers via email) to individuals who have entered their email address into the Mobile App and requested to receive such communications. In this case, the Data Controller processes the individual’s email address.
5. The Data Subject may withdraw their consent at any time and opt out of receiving newsletters by clicking the dedicated unsubscribe link included in the emails we send, by adjusting their account notification settings, or by sending a specific request for such a change.
6. Personal data processed for direct marketing purposes shall not be disclosed by the Data Controller to any Recipients.
7. The legal basis for processing personal data for direct marketing is Article 6(1)(a) of the GDPR.

 

Data disclosure

1. The Data Controller shall maintain confidentiality and shall not disclose Personal Data to third parties, except with the consent of the Data Subjects or in cases permitted by law. In certain situations, the Data Controller has a legal obligation to disclose data to third parties or an obligation arising from the performance of the contract with the Data Subject.
2. Subject to appropriate safeguards and control measures, disclosure may be made to service providers in order to ensure the proper functioning of the electric vehicle charging service and the high quality of services, as well as to comply with the legislation in force at the time the services are provided. This includes, but is not limited to, fulfilling the Data Controller’s accounting reporting obligations and complying with applicable tax law requirements (e.g., server providers, electric vehicle charging platform operators, newsletter delivery services, statistical analysis, legal services, etc.). In such cases, the service providers engaged by the Data Controller are strictly required to comply with both their contractual obligations and the applicable legal provisions on personal data protection, including by implementing the necessary measures to safeguard the confidentiality of the Personal Data received.
3. Where justified, the Data Controller may also disclose Personal Data for the purpose of preventing fraud, enforcing the general terms of use of the Mobile App, protecting the Company’s property, rights and legitimate interests, as well as safeguarding the security, rights and interests of other Clients or third parties.

 

Data transfers outside the EU

1. The transfer of Personal Data to a third country or international organisation outside the European Union and the European Economic Area is prohibited, unless one of the following conditions is met:
   1. The Company is established in the United States and the transfer is carried out in accordance with the provisions of the EU-U.S. Data Privacy Framework;
   2. There is a decision by the European Commission confirming that the third country to which the data is transferred ensures an adequate level of protection for personal data;
   3. The Data Subject has given their explicit consent after being informed of the possible risks associated with the transfer due to the absence of an adequacy decision and appropriate safeguards;
   4. The transfer is necessary for the performance of a contract between the Data Subject and the Data Controller, or for the implementation of pre-contractual measures taken at the Data Subject’s request;
   5. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Company/Group and another natural or legal person;
   6. The transfer is necessary for the establishment, exercise or defence of legal claims, including where the Company or the Data Subject is or may be a victim of fraud;
   7. The transfer is carried out via a public register, in accordance with the GDPR.
2. At present, data transfers outside the European Union (EU) are only required in connection with our trusted newsletter and hosting service partners based in the United States.

Data retention period

1. The Data Controller applies different retention periods for Personal Data, depending on the categories of Personal Data processed and the purposes of the processing.
2. The Data Controller applies the following retention periods for Personal Data:
   

   1	Data related to legal actions and accounting	5 years from the date of contract termination or from the date the payment obligation is extinguished, whichever is later.
   2	Clients’ personal data processed for the purpose of providing electric vehicle charging services	3 years from the later of the following dates: contract termination or settlement of the payment obligation. Clients whose accounts are inactive will have their data stored for 3 years from the date of last login.
   3	Data used for direct marketing purposes	3 years from the date of last login.
   4	Details regarding the charging process	2 years from the later of the following dates: contract termination or settlement of the payment obligation. Clients whose accounts are inactive will have their data stored for 2 years from the date of last login.

3. Exceptions to the above-mentioned retention periods may apply, provided that such deviations do not infringe upon the rights of the Data Subjects, comply with legal requirements, and are properly documented.
4. Client documents and data in respect of which the Data Controller has initiated administrative or judicial proceedings shall be retained for a period of 5 years from the conclusion of the proceedings, either by means of a final court decision or payment of the debt, and shall subsequently be destroyed in accordance with the instructions of the legal department.
5. Upon expiry of the applicable retention periods, the Data shall be either anonymised or securely destroyed by deletion from IT systems and, where applicable, by shredding of physical paper copies.

 

Rights of the data subject

1. The Data Subject has the ability to exercise the following rights in accordance with the procedure established under the GDPR:
   1. Right of access: This right allows the Data Subject to obtain a copy of the Personal Data held by the Data Controller, as well as information regarding its processing. Access to the history of services used by the Data Subject and the Data provided during registration may be obtained by submitting a request for access.
   2. Right to be forgotten (erasure): This right allows the Data Subject to request the deletion of their Personal Data where there is no legitimate reason for the Data Controller to continue processing it, for example where the purpose for which the data was collected has been fulfilled or the Data Subject has withdrawn their consent. If the legal conditions are met, the Data Controller shall delete the Personal Data within one month, unless there is a legal obligation to continue processing or retention is necessary for the establishment, exercise or defence of legal claims.
   3. Right to rectification: This right allows the Data Subject to request the correction of any incomplete or inaccurate data concerning them. The Data Subject is required to update their Personal Data in their account in a timely manner or to notify the Data Controller of any changes.
   4. Right to restrict processing: This right allows the Data Subject to request the temporary suspension of Personal Data processing, for example, when they wish to verify the accuracy of the data or the purposes for which it is being processed.
   5. Right to data portability: This right applies only when the data is processed automatically and provided by the Data Subject on the basis of their consent or for the performance of a contract. It allows the Client to request that their Personal Data be provided in a structured, commonly used, and machine-readable format or transferred to a third party.
   6. Right to object: Where the Data Controller relies on its legitimate interests as the legal basis for processing, the Data Subject may object to such processing on grounds relating to their particular situation. The Data Subject also has the right to object where the data is processed for direct marketing purposes or for statistical purposes.
   7. Rights related to automated decision-making and profiling: The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them in a similar way. This right does not apply where the automated decision (i) is necessary for entering into or performing a contract with the Data Subject, (ii) is authorised by law and adequate safeguards are in place to protect the rights and freedoms of the Data Subject, or (iii) is based on the Data Subject’s explicit consent.
   8. Withdrawal of consent: The Data Subject has the right to withdraw their consent at any time if they have previously given it, without affecting the lawfulness of processing carried out prior to the withdrawal. Where consent has been given for direct marketing purposes, the Data Subject may opt out of receiving newsletters at any time by sending an email request to: support@chargeforall.app. If the individual has granted access to their location via a mobile device in order to locate charging stations, they may change this setting at any time.
   9. Right to lodge a complaint: If the Data Subject believes that any of their rights have been violated, they have the right to lodge a complaint with the supervisory authority — the National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) – https://www.dataprotection.ro.
   10. The Data Controller nonetheless encourages Data Subjects to contact it first and assures that it will make every effort to resolve any issue amicably.
2. Requests may be submitted by the Data Subject or by an authorised representative. The Data Controller shall take steps to verify the identity of the Data Subject in order to protect the Data. The Data Controller is required to process Data Subject requests, as described in Article 8.1. of this Policy, within the time limits set forth by the GDPR.

 

Procedures for handling personal data breaches and associated remedies

1. If employees of the Data Controller, who have authorised access to the Data, detect or are informed of any data breaches (omissions or actions by various individuals that may lead or have led to a risk to data security), they are required to notify the Responsible Person and their manager.
2. Taking into account the risk factors associated with the breach of data security, the severity of the breach, the harm caused, and the consequences, and in line with relevant internal procedures, the Data Controller will decide on the necessary measures to address the breach and its consequences, and will notify the affected individuals accordingly.

 

Technical and organisational measures to ensure personal data security

1. The organisational and technical data security measures implemented by the Data Controller must ensure an adequate level of security corresponding to the nature of the data being processed and the risks arising from such processing, including, but not limited to, the measures described in this section.
2. Personal Data security measures include at least the following:
   1. Technical and software protection (server, IT system and database management, workstation maintenance, operating system protection, user access monitoring/control, antivirus protection, etc.);
   2. IT system and database administration, workstation maintenance, operating system protection, antivirus protection, etc.;
   3. Communication and computer network protection (technical and software measures for the encryption and transmission of general-purpose data, applications, personal data; filtering of unwanted data packets, etc.);
3. The Data Controller shall implement other appropriate measures to ensure the security of personal data, including appropriate technology, restricted and secure access, and control over the security of Personal Data.

 

Contact details

You may contact us if you have any questions regarding this Policy and/or data protection in general using the following contact details: Email: support@chargeforall.app

 

Final provisions

1. This Policy is reviewed periodically at the initiative of the Data Controller and/or in the event of changes to the legal provisions governing the processing of personal data.
2. The Policy and any amendments thereto shall enter into force on the date of their adoption