Last updated: 15 October 2025
Operated by: Dayoffcar OÜ, registry code 16221625, Hobujaama 4, 10111 Tallinn, Estonia (“Caround”, “we”, “our”, or “us”)
This Privacy Policy describes how Caround collects, uses, discloses, and protects your personal data when you use our website https://www.caround.eu and the Caround mobile application (together, the “Platform”). Caround is committed to protecting your privacy and complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and other applicable EU data protection laws. By registering an account, listing or renting a vehicle, or otherwise using our Platform, you agree to this Privacy Policy.
Dayoffcar OÜ
Hobujaama 4, 10111 Tallinn, Estonia
privacy@caround.eu
Caround determines the purposes and means of personal data processing. We also cooperate with trusted third-party data processors to provide identity verification, payment facilitation, and smart-locker access. Stripe, Veriff, and Igloohome act as independent processors or controllers for their respective services. Vonage (Nexmo) acts as a data processor that handles the delivery of SMS notifications and verification messages on our behalf.
Caround processes personal data that are necessary to operate the Platform, manage bookings, and comply with legal obligations. Some data are collected directly by Caround, while other data are handled by trusted partners who act as independent controllers or processors.
We collect the personal data you provide when registering or using your account, such as:
Name, surname, and date of birth
Email address and phone number
Password and authentication details
Preferred language and communication settings
We may also collect additional information you choose to provide in your profile (e.g., profile photo or vehicle ownership details). Purpose: To create and manage your account, communicate with you, and enable use of the Platform. Legal basis: Performance of contract (Art. 6 (1)(b) GDPR).
Identity and driving-licence verification are performed directly by Veriff OÜ when you register as a driver or vehicle owner. Caround does not collect or store your ID documents, facial images, or licence scans. Caround only receives a verification status and timestamp. Controller status: Caround and Veriff act as joint controllers for the verification purpose. Veriff privacy policy: https://www.veriff.com/privacy-policy
Payments and payouts are processed by Stripe Payments Europe Ltd, a licensed PSD2 payment institution. Caround does not collect or store card numbers or bank credentials. Caround may access limited transaction data (e.g., customer name, booking amount, payout status) via the Stripe dashboard to manage rentals, refunds, and invoices. Controller status: Caround and Stripe act as joint controllers for transaction records. Legal basis: Performance of contract (Art. 6 (1)(b)) and legal obligation (Art. 6 (1)(c)). Stripe privacy policy: https://stripe.com/privacy
Vehicle registration number, model, and photos (for Owners)
Booking history and trip details
Messages between users and support
Purpose: To match owners and renters, manage bookings, and resolve disputes. Legal basis: Performance of contract (Art. 6 (1)(b)) and legitimate interest (Art. 6 (1)(f)).
Caround uses the Igloohome smart-locker system to enable secure, keyless access to vehicles. When a booking is confirmed, Caround requests a unique, time-limited PIN code from the Igloohome system and shares it with the relevant vehicle Owner and Renter through the Platform or automated message.
Processed data:
Locker and vehicle identifiers
Access PINs generated per booking
Access timestamps and event logs
Device identifiers and technical metadata
Purpose: To authenticate valid bookings, facilitate handovers, and maintain security records. Legal basis: Performance of contract (Art. 6 (1)(b)) and legitimate interest in preventing unauthorised access (Art. 6 (1)(f)). Storage and access: PINs and logs are stored within the Igloohome system. Caround may view them via its dashboard for up to 3 years for dispute resolution. Owners and Renters receive only the PIN for their active booking and must not reuse or share it. Processor: Igloohome Pte Ltd acts as a data processor on behalf of Caround under a data-processing agreement and European Commission Standard Contractual Clauses (SCCs).
Caround uses Vonage (also known as Nexmo) to send transactional SMS messages (e.g., verification PINs, booking updates, security alerts) to the phone number linked to your account.
Processed data:
Phone number
Message content limited to one-time verification codes and essential service notifications
Message ID, delivery status/receipts, country code, timestamps, and technical routing metadata
Purpose: To authenticate logins and critical actions, deliver booking/status notifications, and protect accounts. Legal basis: Performance of contract (Art. 6(1)(b) GDPR) and legitimate interest in platform security and reliable communications (Art. 6(1)(f)). If we ever send promotional SMS, we will do so only with your prior consent (Art. 6(1)(a)), and you may withdraw consent at any time (e.g., by replying STOP where supported or via account settings). Storage and access: Verification codes are one-time and time-limited. Caround stores minimal SMS metadata in its systems; message delivery data are stored in Vonage systems on Caround’s instructions. Access is restricted to authorised personnel for support, security, and fraud prevention.
Caround currently does not use browser cookies or collect analytics data. If such technologies are introduced later, users will be notified and able to manage consent in accordance with the ePrivacy Directive and GDPR.
We do not combine or enrich personal data with external datasets for profiling.
We process your personal data only for specific, lawful purposes in accordance with the GDPR and Estonian law:
| Purpose | Example | Legal Basis (GDPR) |
|---|---|---|
| Account creation and authentication | Creating and managing user accounts | Art. 6(1)(b) – Contract |
| Identity verification | Checking driver eligibility in line with the Traffic Act via Veriff OÜ | Art. 6(1)(b) – Contract; Art. 6(1)(c) – Legal obligation |
| Payment processing | Processing payments and payouts via Stripe Payments Europe Ltd | Art. 6(1)(b) – Contract; Art. 6(1)(c) – Legal obligation (PSD2) |
| Smart-locker access | Managing keyless entry and security logs via Igloohome | Art. 6(1)(b) – Contract; Art. 6(1)(f) – Legitimate interest |
| Transactional SMS delivery | Sending verification PINs, booking and security alerts via Vonage | Art. 6(1)(b) – Contract; Art. 6(1)(f) – Legitimate interest; Art. 6(1)(a) – Consent (marketing SMS only) |
| Platform security & fraud prevention | Detecting abuse, preventing unauthorised use | Art. 6(1)(f) – Legitimate interest |
| Legal compliance | Meeting tax, accounting, AML, and KYC requirements | Art. 6(1)(c) – Legal obligation |
| Marketing & communication | Sending updates and offers (with your consent) | Art. 6(1)(a) – Consent |
| Dispute resolution & claims handling | Managing complaints, insurance, or legal defence | Art. 6(1)(f) – Legitimate interest |
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy or to comply with our legal obligations. When the retention period ends, data are securely deleted or anonymized.
The data shared with Vonage are limited to what’s necessary to send the SMS and manage delivery (phone number, message content for codes/alerts, and delivery metadata). Vonage is bound by a data-processing agreement and appropriate safeguards. You may request further information about our data-processing partners or the applicable Standard Contractual Clauses (SCCs) by contacting privacy@caround.eu.
| Data Type | Retention Period | Purpose / Legal Justification |
|---|---|---|
| Account data | While account is active and for 3 years after closure | For contractual performance, dispute resolution, and consumer protection (VÕS §146) |
| Verification data (Veriff) | 5 years from verification date | AML/KYC record-keeping in accordance with Estonian law (RahaPTS) |
| Payment & transaction records (Stripe) | 7 years | Accounting and taxation compliance (Estonian Accounting Act §12(1)) |
| Locker access logs (Igloohome) | 3 years | Security, fraud prevention, and dispute resolution |
| SMS delivery logs (Vonage) | Up to 12 months (longer only if needed for dispute resolution or legal obligations) | Service reliability, security, and audit trail; legitimate interest (Art. 6(1)(f)) |
| Communication & support messages | 2 years from last interaction | Service improvement and record of support interactions |
| Analytics & cookies | See Cookies Policy | Used only with consent; retention defined in the Cookies Policy |
Retention periods may be extended where required by law, active disputes, or regulatory investigations.
Caround shares personal data only with trusted partners and public authorities when necessary for legal, security, or operational purposes. All partners are bound by data-processing agreements or equivalent safeguards ensuring confidentiality and GDPR compliance.
| Partner | Role | Purpose | Location |
|---|---|---|---|
| Veriff OÜ | Joint controller | Identity and driving-licence verification | Estonia / EU |
| Stripe Payments Europe Ltd | Joint controller | Payment processing and KYC compliance | Ireland / EU |
| Igloohome Pte Ltd | Data processor | Smart-locker access management and PIN generation on Caround’s instruction | Singapore (with SCCs) |
| Vonage (Nexmo) | Data processor | Transactional SMS delivery (verification codes, booking/security notifications) on Caround’s instructions | EU/EEA and, where necessary, outside EEA with SCCs |
| Cloud hosting and IT providers | Processor | Secure data storage and platform operations | EU / EEA |
| Insurance or claims partners (if applicable) | Processor | Handling damage or accident claims related to bookings | EU / EEA |
We may disclose personal data to law-enforcement, tax, insurance, or road-safety authorities only when required by law, a court order, or to defend our legal rights. Such disclosures are always limited to the minimum data necessary.
Some of our partners are located outside the European Economic Area (EEA), such as Igloohome Pte Ltd (Singapore), which provides smart-locker access services. When personal data are transferred to a country without an EU adequacy decision, we ensure that:
The transfer takes place under European Commission Standard Contractual Clauses (SCCs) or another lawful transfer mechanism; and
Equivalent data-protection safeguards are implemented to maintain the level of protection required by the GDPR.
Where SMS delivery requires routing through non-EEA carriers or infrastructure, transfers are protected by European Commission Standard Contractual Clauses (SCCs) and equivalent safeguards with Vonage and its sub-processors, ensuring your GDPR rights remain protected. These safeguards ensure that your rights and protections remain the same wherever your data are processed. You may request a copy or summary of the applicable safeguards by contacting privacy@caround.eu.
Caround maintains appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorised access. These measures include:
TLS encryption and HTTPS communications
Role-based access controls and confidentiality agreements for staff
Secure encrypted storage and regular backups
Periodic security audits, monitoring, and incident-response procedures
One-time verification codes sent by SMS are generated per event, time-limited, and cannot be reused; delivery metadata are access-controlled and logged.
We regularly review and update these controls to reflect technological and regulatory developments. While we take all reasonable precautions, no online system is completely risk-free.
Under the GDPR and Estonian law, you have the following rights regarding your personal data:
Right to Access – Request a copy of your personal data.
Right to Rectification – Correct inaccurate or incomplete data.
Right to Erasure (“Right to be Forgotten”) – Ask us to delete your data where legally permitted.
Right to Restrict Processing – Request limited use of your data in specific situations.
Right to Data Portability – Receive your data in a structured, machine-readable format.
Right to Object – Object to processing based on legitimate interests or direct marketing.
Right to Withdraw Consent – Withdraw any marketing or optional consent at any time.
You can exercise these rights by emailing privacy@caround.eu. We may ask for proof of identity to protect your data. We aim to respond within 30 days in accordance with the GDPR, unless legal obligations require a different timeframe. If you are not satisfied with our response, you may contact the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.
We encourage you to contact us first at privacy@caround.eu if you have any questions or concerns about how we handle your personal data. If you believe your rights have been violated, you may also file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or with the data-protection authority in your EU member state of residence or work.
Andmekaitse Inspektsioon
Tatari 39, 10134 Tallinn, Estonia
info@aki.ee
https://www.aki.ee
Caround is intended only for persons 18 years of age or older who can legally enter into binding agreements. Because our service involves vehicle access and payments, it is not designed for minors. We do not knowingly collect personal data from anyone under 18. If you believe that a minor has created an account or provided personal data, please contact us immediately at privacy@caround.eu, and we will promptly delete the information and deactivate the account.
Caround does not make decisions about users that produce legal or similarly significant effects based solely on automated processing. Certain verification or risk-assessment steps (for example, fraud prevention or identity validation) may include algorithmic analysis, but such assessments always involve human review and final decision-making. You have the right to obtain human intervention, express your point of view, and contest any decision resulting from an automated assessment by contacting privacy@caround.eu.
Our mobile application uses limited technical and analytics tools to ensure security, stability, and performance. The Caround app does not use browser cookies but may include software development kits (“SDKs”) that collect minimal technical information about how the app is used.
SDKs Used
Supabase (EU Hosting – Supabase Inc.) – provides backend infrastructure, authentication logs, and basic analytics to monitor app stability and performance.
Data collected includes: app version, device type, operating system, anonymized usage identifiers, and error logs.
Legal basis: Legitimate interest (Art. 6 (1)(f) GDPR) – to maintain service reliability and detect technical issues.
Stripe Payments SDK (Stripe Payments Europe Ltd.) – processes payments securely and fulfils anti-fraud / KYC obligations.
Legal basis: Contract (Art. 6 (1)(b)) and legal obligation (Art. 6 (1)(c)).
Igloohome Access System (Igloohome Pte Ltd.) – records smart-locker access events for security and dispute resolution.
Legal basis: Contract (Art. 6 (1)(b)) and legitimate interest (Art. 6 (1)(f)).
Analytics or Attribution SDKs (e.g., Appsflyer, Adjust) – used only with your consent to analyze installations or marketing performance.
Legal basis: Consent (Art. 6 (1)(a)). You may withdraw consent anytime in the app settings.
SMS Delivery (Vonage) – not an analytics SDK; used solely to deliver transactional SMS (verification codes and essential service notifications).
Legal basis: Contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)).
Retention and Access
Data collected through SDKs is stored securely within the EEA (primarily in EU-based Supabase and Stripe environments) and retained no longer than 12 months unless anonymized or aggregated for statistical purposes.
International Transfers
Only partners located outside the EEA (e.g., Igloohome Pte Ltd, Singapore) receive limited data. Such transfers occur under European Commission Standard Contractual Clauses (SCCs) and equivalent safeguards.
Your Choices
You can withdraw or object to optional analytics in the app settings or by contacting privacy@caround.eu. We will disable non-essential tracking as soon as technically feasible. Caround does not use third-party advertising networks or behavioural profiling without your explicit consent.
We may revise this Privacy Policy from time to time to reflect changes in law, technology, or our business practices. Updated versions will be published on our website and in the mobile app, and the “Last updated” date will change accordingly. If any change materially affects your rights or how we process your personal data, we will notify you directly where required by law. We encourage you to review this Policy periodically to stay informed about how we protect your information.
We aim to respond to privacy-related inquiries within 30 days in accordance with the GDPR.
For questions, concerns, or requests related to your personal data or this Privacy Policy, please contact us at:
Dayoffcar OÜ (“Caround”)
Hobujaama 4, 10111 Tallinn, Estonia