Privacy policy

1. General Provisions

1.1. This Privacy Policy (hereinafter - the Policy) establishes the procedure by which GREEN WOOD LT, UAB (registration No. 304019937, registered address: Kaunas, Laisvės al. 85E-5, LT-44297), hereinafter - the Controller, processes, stores, and protects personal data provided by clients, drivers, and users when using the “Zuver” platform (hereinafter - the Platform), including the website, the mobile client application, and the mobile driver application.

1.2. The Controller processes personal data in accordance with:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter - GDPR);
• The Personal Data Processing Law of the Republic of Latvia;
• The Law on Legal Protection of Personal Data of the Republic of Lithuania;
• The Personal Data Protection Act of the Republic of Estonia;
• other applicable data protection legislation.

1.3. The Controller observes the following data processing principles: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability.

1.4. The Policy applies to all personal data processed through the Platform, regardless of whether the user is a client or a tow truck driver.

2. Personal Data Processed

2.1. The following personal data may be processed in the course of Platform operation:

Client data

2.1.1. first and last name;

2.1.2. phone number;

2.1.3. email address;

2.1.4. location address (for order placement);

2.1.5. order information and history;

2.1.6. payment information (invoice data, transaction history);

2.1.7. authentication identifiers from third-party identity providers (e.g. Google, Apple, Firebase phone authentication), used solely to associate an account with the corresponding sign-in method;

2.1.8. photographs of vehicles and damage uploaded by the client when placing an order.

Driver data (in addition to the above)

2.1.9. driving licence details and document scans uploaded for verification;

2.1.10. vehicle information (make, model, registration number, tow truck type);

2.1.11. continuous geolocation during active work sessions;

2.1.12. work session geolocation history retained for the period specified in §8.1.4;

2.1.13. work session history and statistics.

Technical data (all users)

2.1.14. IP address;

2.1.15. device type and operating system;

2.1.16. browser type and version;

2.1.17. cookies and similar technologies;

2.1.18. session data and usage statistics;

2.1.19. push notification tokens (Firebase Cloud Messaging);

2.1.20. content of in-app chat messages exchanged between clients and drivers during an order.

2.2. Full bank card numbers (PAN), CVV codes, and 3-D Secure credentials are not stored in the Controller’s systems. Card data is processed exclusively through a certified, PCI‑DSS Level 1 compliant payment service provider.

The Controller stores only non-sensitive card metadata returned by the payment service provider after a successful card verification, to enable repeat payments without re-entering card details:

• masked card number (e.g. “411111******1111”);
• card brand (Visa, MasterCard, etc.);
• last four digits;
• expiry month and year;
• a payment-provider token / customer reference.

This metadata alone is insufficient to initiate a payment without the payment provider’s authentication.

3. Methods of Data Collection

3.1. Personal data is collected in the following ways:

3.1.1. directly from the data subject - during registration on the Platform, placing an order, or contacting support;

3.1.2. automatically - through cookies, analytics tools, server logs, and GPS sensors on mobile devices;

3.1.3. from third parties - the payment service provider (transaction status), and identity providers used for sign-in.

4. Purposes of Data Processing

4.1. Personal data is processed solely for the following purposes:

4.1.1. service provision and fulfilment (tow truck dispatch, route calculation, order status tracking);

4.1.2. order placement, processing, and execution;

4.1.3. payment processing and confirmation;

4.1.4. communication with clients and drivers (push notifications, email, phone);

4.1.5. compliance with legal requirements (accounting, tax reports, regulatory obligations);

4.1.6. improvement of service quality and user experience;

4.1.7. fraud prevention and security;

4.1.8. dispute resolution and protection of legal interests;

4.1.9. authentication via third-party identity providers (Google, Apple) and SMS verification of phone numbers;

4.1.10. crash and error reporting to maintain platform stability;

4.1.11. storage of user-uploaded photographs (vehicle condition, damage) for order documentation and dispute resolution.

5. Legal Basis for Processing

5.1. Personal data is processed on the basis of one or more of the following legal grounds (Article 6 GDPR):

5.1.1. Consent (Article 6(1)(a) GDPR) - the data subject has given consent to the processing for one or more specific purposes (e.g., geolocation use, push notifications);

5.1.2. Contract performance (Article 6(1)(b) GDPR) - processing is necessary for the performance of a contract with the client or driver, or for taking steps prior to entering into a contract;

5.1.3. Legal obligation (Article 6(1)(c) GDPR) - processing is necessary for compliance with a legal obligation to which the Controller is subject;

5.1.4. Legitimate interests (Article 6(1)(f) GDPR) - processing is necessary for the legitimate interests pursued by the Controller (e.g., fraud prevention, service security), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

6. Geolocation Data Processing

6.1. Geolocation data processing is essential for the Platform’s operation:

Clients

6.1.1. location is determined at the time of order placement to calculate the route and costs;

6.1.2. location is used to show the nearest available tow truck;

6.1.3. geolocation is obtained only with the user’s permission and only during active use of the application.

Drivers

6.1.4. during an active work session, the driver’s location is recorded continuously to enable order distribution and inform the client of the tow truck’s location;

6.1.5. geolocation data is stored during the work session and retained as part of order history;

6.1.6. geolocation data is not processed outside of work sessions.

7. Data Storage and Protection

7.1. The Controller’s primary database, application servers, and uploaded files are hosted with an infrastructure provider operating data centres located within the European Economic Area (EEA). The current hosting provider and data-centre location are listed in the Sub-Processor table in §16.

7.2. Personal data is protected by appropriate technical and organisational measures, including:

7.2.1. data encryption in transit and at rest (SSL / TLS);

7.2.2. access restrictions and rights management;

7.2.3. regular review and updating of security measures;

7.2.4. data backup;

7.2.5. staff training in data protection.

7.3. Access to personal data is granted only to authorised employees and partners who require it for the performance of their duties.

7.4. Personal data breach notification. In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, the Controller shall notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach (Article 33 GDPR). Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the Controller shall also communicate the breach to affected data subjects without undue delay (Article 34 GDPR), through the most appropriate channel (email, push notification, or in-app message). The Controller maintains an internal register of all data breaches in accordance with Article 33(5) GDPR.

8. Data Retention Periods

8.1. Personal data is retained:

8.1.1. for the duration of the contractual relationship and a reasonable period thereafter;

8.1.2. accounting records - 10 years in accordance with the laws of the Republic of Lithuania;

8.1.3. order and route history - 3 years after order completion;

8.1.4. geolocation data (drivers) - during the work session and up to 1 year as part of order history;

8.1.5. until withdrawal of consent, where processing is based on consent and no other legal basis exists;

8.1.6. as long as a legitimate interest exists (e.g., for dispute resolution - in accordance with limitation periods);

8.1.7. in-app chat messages - until deletion of the corresponding order (see 8.1.3) or 1 year from the date the message was sent, whichever is earlier;

8.1.8. driver document scans (driving licence, vehicle documents) - for the validity period of the document plus 1 year for archival and audit purposes.

8.2. Upon expiry of the retention period, personal data is deleted or anonymised.

9. Data Sharing with Third Parties

9.1. Personal data may be shared with third parties only to the extent necessary for service provision or compliance with legal requirements.

9.2. Personal data may be shared with the following categories of recipients. The current list of specific vendors within each category is set out in the Sub-Processor table in §16:

9.2.1. Payment service provider - for payment authorisation, capture, refund, and storage of tokenised card metadata. Acts as a separate Controller under PCI‑DSS for raw card data and as a Processor for tokenised data.

9.2.2. Push notification provider - for delivery of push notifications to client and driver mobile applications.

9.2.3. Authentication providers - Google Sign In, Sign in with Apple, and a phone-number SMS verification service. These providers verify the user’s identity and return an opaque identifier which the Controller stores to link sign-in methods to a Platform account. (Sign-in brands are named here because they are visible to the user in the application interface.)

9.2.4. Map, geocoding, and routing service - to display maps, autocomplete addresses, calculate routes, and resolve coordinates entered by the user. Coordinates and address strings are transmitted to this service when the user interacts with map or address fields.

9.2.5. SMS gateway operator - for transactional SMS notifications and verification codes.

9.2.6. Crash and error diagnostics service - for collection of anonymised crash reports and stability metrics from mobile applications.

9.2.7. Hosting and infrastructure provider - see §7.1 and the Sub-Processor table in §16. User-uploaded photographs, document scans, and database backups are stored on the same EEA-resident hosting infrastructure.

9.2.8. Tow truck drivers - receive the client’s name, phone number, pickup and destination locations strictly for order fulfilment.

9.2.9. Clients - receive the driver’s name, vehicle information (make, model, registration number), and live location during order execution.

9.2.10. State authorities - in cases prescribed by law (court orders, official requests under applicable law).

9.3. All third parties processing personal data on behalf of the Controller must comply with GDPR requirements, and appropriate data processing agreements are concluded with them (Article 28 GDPR).

10. Data Transfers to Third Countries

10.1. The primary processing and storage of personal data takes place within the European Economic Area (EEA).

10.2. A subset of processors - in particular certain authentication providers, the map and routing service, and crash diagnostics - may process personal data on infrastructure located outside the EEA, including the United States. The specific processors and their jurisdictions are set out in the Sub-Processor table in §16.

10.3. For all such transfers the Controller relies on one or more of the following safeguards under Chapter V GDPR:

10.3.1. transfers to organisations certified under the EU-US Data Privacy Framework, where applicable;

10.3.2. Standard Contractual Clauses (SCCs) approved by the European Commission;

10.3.3. supplementary technical measures, including encryption in transit (TLS 1.2+) and at rest;

10.3.4. data minimisation - only the data strictly necessary for the requested operation is transmitted.

10.4. Data Processing Agreements (Article 28 GDPR) are concluded with each processor. The Controller maintains the current register of sub-processors in §16 and will provide a copy of the relevant DPA template upon written request to [email protected].

11. Cookies and Analytics

11.1. The Platform’s website may use cookies and similar technologies.

11.2. Types of cookies used:

11.2.1. Essential cookies - ensure basic website functionality (session management, security). These cookies do not require consent.

11.2.2. Functional cookies - save user preferences (language, region).

11.2.3. Analytics cookies - help understand how users interact with the service.

11.2.4. Marketing cookies - the Platform does not currently set marketing or advertising cookies. If introduced in the future, they will require explicit opt-in consent.

11.3. Users may manage cookie settings:

11.3.1. using the cookie consent tool (cookie banner) on the website;

11.3.2. by changing browser settings;

11.3.3. disabling cookies may affect service functionality.

12. Data Subject Rights

12.1. Under the GDPR, data subjects have the following rights:

12.1.1. Right of access (Article 15 GDPR) - to request information about whether and what personal data is being processed and to obtain a copy.

12.1.2. Right to rectification (Article 16 GDPR) - to request correction of inaccurate or incomplete data.

12.1.3. Right to erasure (Article 17 GDPR) - to request deletion of personal data (“right to be forgotten”) where no other legal basis for retention exists.

12.1.4. Right to restriction of processing (Article 18 GDPR) - to request restriction of processing in certain circumstances.

12.1.5. Right to data portability (Article 20 GDPR) - to receive personal data in a structured, commonly used, and machine-readable format.

12.1.6. Right to object (Article 21 GDPR) - to object to processing based on legitimate interests.

12.1.7. Right to withdraw consent - to withdraw previously given consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

12.1.8. Right to lodge a complaint - to file a complaint with a supervisory authority.

12.2. To exercise their rights, data subjects may contact the Controller at: [email protected].

12.3. The Controller shall review requests and provide a response within 30 (thirty) calendar days of receipt. In complex cases, the deadline may be extended by 60 (sixty) days, with the data subject being informed accordingly.

13. Processing of Minors’ Data

13.1. The Platform’s services are intended for persons who have reached the age of 18.

13.2. The Controller does not knowingly collect or process personal data from persons under 18 years of age.

13.3. If the Controller becomes aware that a minor’s personal data has been processed without parental or guardian consent, such data will be deleted immediately.

13.4. The Controller relies on user self-declaration of age during registration and on the practical fact that payment instruments in Latvia, Lithuania, and Estonia are typically issued from age 18. Where the Controller becomes aware of inconsistencies (e.g., evidence in support correspondence), the account is suspended pending age verification.

14. Automated Decision-Making and Profiling

14.1. The Platform performs automated matching of orders to available drivers based on:

• geographical proximity to the pickup location;
• driver availability (online status);
• vehicle category capabilities;
• scheduled-order time windows.

14.2. This matching does not constitute solely automated decision-making within the meaning of Article 22 GDPR, as:

(a) it does not produce legal effects concerning the data subject;

(b) the data subject (client) actively chooses to confirm or cancel each order;

(c) human intervention is available via support ([email protected]).

14.3. The Controller does not perform profiling for marketing, credit-scoring, or behavioural advertising purposes.

15. Contact Information

15.1. For questions regarding personal data processing or the application of this Policy, data subjects may contact the Controller:

15.2. Supervisory authorities:

Lithuania: Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, 10312 Vilnius, www.ada.lt

Latvia: Datu valsts inspekcija, Elijas iela 17, Rīga, LV-1050, www.dvi.gov.lv

Estonia: Andmekaitse Inspektsioon, Tatari 39, 10134 Tallinn, www.aki.ee

16. Sub-Processor List

16.1. The following third parties process personal data on behalf of the Controller within the categories described in §9.2. The list is reviewed regularly and reflects the state of vendor engagements as of the “Last updated” date set out at the top of this Policy.

Vendor	Role	Data categories	Country	Safeguard
SIA DECTA	Payment processor	Tokenised card metadata, payment status	Latvia (EEA)	DPA · EEA-internal
EEA-resident hosting provider	Hosting, database, file storage	All Platform data at rest	Finland (EEA)	DPA · EEA-internal
Google Ireland Ltd. / Google LLC	Firebase Cloud Messaging (push), Firebase Authentication (SMS), Crashlytics, Firestore (in-app chat), Google Maps Platform	Push tokens, phone numbers, crash reports, chat messages, coordinates and address strings	Ireland (EEA) + United States	DPA · EU-US DPF · SCCs
Apple Inc.	Sign in with Apple (iOS clients only)	Apple subject identifier (sub), verification token	United States	DPA · SCCs
SMSAPI sp. z o.o.	SMS gateway	Phone numbers, transactional SMS bodies	Poland (EEA)	DPA · EEA-internal

16.2. The Controller will notify users of material changes to this list at least 14 days before they take effect, by:

• publishing an update notice on the Platform;
• sending email or push notification to registered users where the change involves a new category of recipient or a new third country.

16.3. Data subjects may object to the engagement of a new sub-processor by contacting [email protected] within 14 days of the published notice. Where an objection cannot be reasonably accommodated, the data subject may exercise the right to terminate the use of the Platform.

17. Amendments to the Policy

17.1. The Controller reserves the right to amend this Policy at any time by publishing the updated version on the Platform.

17.2. Users will be notified of significant changes:

17.2.1. via a notice on the website or in the mobile application;

17.2.2. via push notification or email.

17.3. By continuing to use the Platform after publication of amendments, the user confirms their acceptance of the updated Policy.