Privacy Notice
Last updated: June 12, 2025
ASR Tech Oy (hereinafter "Cabinvo", “we”, or “us”) respects your privacy. This notice applies when you visit cabinvo.com (the “Website”) or use the app.cabinvo.com application (the “App”). Together, they constitute the “Service”.
Three Parties
1. Customer (Taxi Company)
• Data controller for passenger and trip data (Cabman data).
2. Partner
• Processor authorized by the Customer: provides support, adds new integrations (Cabman, accounting software), and accesses Customer data via the App UI.
3. Cabinvo (ASR Tech Oy)
• Sub-processor for both Customer and Partner: maintains infrastructure, handles DevOps, and has access to all data.
• Controller for its own user accounts and Website analytics.
1 Contact Details
Cabinvo (Controller & Sub-processor) | ASR Tech Oy – Business ID 2946518-6 |
Address | Minna Canthin katu 66 lh 1, 70100 Kuopio, Finland |
Email | privacy@asrt.fi |
Partner (Processor) | Company and Business ID provided to Customer in contract |
Customer (Controller for trip data) | Taxi company name and ID shown in the App settings |
Sub-processors | AWS, Fathom, accounting software, all under GDPR Art. 28 DPA + SCC as needed |
Supervisory Authority | Office of the Data Protection Ombudsman (tietosuoja.fi) |
2 What Data We Process and Why
2.1 Website Visitors (Cabinvo as Controller)
Data Group | Examples | Purpose | Legal Basis | Retention |
---|---|---|---|---|
Technical Logs | IP, user-agent, URL | Security | Legitimate interest (f) | 30 days |
Analytics | Pageviews (pseudonymized) | Website improvement | Consent (a) | 24 months |
Contact Form | Name, email, message | Customer service | Consent (a) | 12 months |
2.2 Logged-in Users (Cabinvo as Controller)
Data Group | Examples | Purpose | Legal Basis | Retention |
---|---|---|---|---|
Account Data | Name, email, password hash | Login | Contract (b) | Deleted + 60 days |
2.3 Trip Data (Customer as Controller)
Data Group | Examples | Purpose | Legal Basis | Retention |
---|---|---|---|---|
Location & Time | Start/end coordinates, timestamps | Processing trip data to support business operations (e.g. invoicing, driver logs, reporting) | Contract (b) | 6 years / per Customer's instructions |
Trip Parameters | Price, payment method, extra services | Same | Same | Same |
Free-text Notes | Accessibility needs, instructions for driver | Same | Same | Same |
Special categories of data. Notes may contain health data (e.g. wheelchair access); these are deleted along with the trip data.
3 Processing Roles and Agreements
- Customer ⇄ Partner
• Agreement on use of Cabman API and processing Cabman data in Cabinvo.
• Partner acts as Processor (GDPR Art. 28).
- Partner ⇄ Cabinvo
• Reseller & DPA agreement: Cabinvo as Sub-processor.
- Customer ⇄ Cabinvo (technical terms)
• Customer authorizes Cabinvo infrastructure (SaaS-EULA & SCC).
- Support Process
• Customer → Partner (first tier).
• Partner escalates to Cabinvo if needed; Cabinvo may access all data to resolve issues.
4 Recipient Groups and Transfers
Recipient | Service | Location | Transfer Basis |
---|---|---|---|
AWS (infra) | RDS, S3, ECS | eu-central-1 | SCC + technical safeguards |
Cabman API | Trip data retrieval | EU | Intra-EU |
Accounting Software (e.g. Procountor) | Bookkeeping & invoice archive | EU/EEA | Intra-EU |
Fathom | Minimal analytics | EU | Intra-EU |
CloudFront | Static content; logs in EU bucket for 24h | Global edge | SCC / DPF, technical safeguards |
5 Transfers Outside the EU/EEA
Cabinvo stores all data primarily within the EU/EEA. Some technical services such as CloudFront may process IP addresses temporarily outside the EU due to CDN routing. In these cases, we apply Standard Contractual Clauses (SCCs) and technical safeguards, such as EU-based buckets and short retention times.
6 Data Subject Rights
You have the right to:
- access your personal data
- request correction of inaccurate data
- request deletion of your data
- restrict or object to processing
- data portability
- withdraw consent
Requests: Contact us
We respond within 2 business days, no later than 30 days.
You may also file a complaint with the Data Protection Ombudsman (tietosuoja.fi).
7 Security Measures
- TLS 1.3 in transit, AES-256 at rest
- Production & test environments are separated
- Least-privilege IAM
- Daily EU backups (30 days retention)
- 2FA (optional)
- Automated dependency scanning, monthly update cycle
8 Cookies and Tracking
Type | Name | Purpose | Duration | Basis |
---|---|---|---|---|
Necessary | App session cookies | Session handling, CSRF protection | Until session ends | Art. 6(1)(b) + ePrivacy 5(3) |
Analytics | – | Fathom collects anonymous pageviews without cookies | – | Consent (a) |
9 Limitation of Liability
Cabinvo’s liability for any damages arising from use of the Service is limited to the amount paid by the Customer for the Service during the twelve (12) months preceding the incident.
This limitation does not apply to damages caused intentionally or by gross negligence, or to any liability required by applicable data protection law.
10 Changes
We will notify you of significant changes via an in-app banner and/or email at least 30 days before they take effect.
Legal bases: (a) consent, (b) contract, (f) legitimate interest