Privacy Policy

As part of the operation of the website - (hereinafter the "Website") and Doorhub’s application (hereinafter the "Application") for connecting natural or legal persons in need of a goods delivery service (hereinafter the "Users") with independent couriers available to provide such service (hereinafter the "Couriers"), operated by Limited whose registered office is at Krumtappen 2, 2500 Valby , 6. Plan, with the company number 39781948 (hereinafter the "Company"); the latter is required to collect a certain amount of personal data (hereinafter “the Data”).

The purpose of this privacy policy is to inform the data subjects concerned by this Data processing and provide a framework for the use and protection of such Data by the Company in compliance with the provisions of European Regulation No. 2016/679 of 27 April 2016 on personal data protection (hereinafter the "GDPR").

This privacy policy may be modified or supplemented by the Company, in particular in order to comply with any changes in legislation, regulations, case law or technology. In such an event, the update date will be specified at the beginning of this policy. As these changes are binding upon Users and Couriers as soon as they are posted online, the Company encourages them to regularly consult this policy in order to become aware of any changes and to stay informed about personal data protection practices and their rights.

1. Contact details of the data controller and data protection officer

The Data controller is the Company with the following contact details: Doorhub ApS, Krumtappen 2, 6. Floor, 2500 Valby, Denmark.

The contact details of the data protection officer are as follows: Shah Md. Shamsul Alam (data protection officer) - Krumtappen 2, 6.Floor, 2500 Valby, Denmark

2. Data collected by the Company

The Data that may be collected during the operation of the Website and Application are detailed below.

2.1. User and Courier Data
2.1.1. When a User or Courier creates an account

the Company collects the following Data directly provided by them:

User Account:
  • First name
  • Last name
  • postal address (or of the company’s location)
  • email address
  • telephone number
  • company name
  • name of legal representative (if different from the account holder’s first and last names)
  • business sector
  • credit card/bank details
  • password

Courier Account:
  • First name
  • Last name
  • postal address (or of the company’s location)
  • email address
  • telephone number
  • bank account details
  • Personal number
  • city of birth
  • country of birth
  • password
  • VAT number (if applicable)
  • identity card
  • passport or any other document that proves the Right to Work in the EU & UK
  • for Couriers using a motor vehicle (moped or car): insurance certificate.

These data are imperative for the creation of an account to access the services via the Website or the Application and are a prerequisite for the signing of the General and Special Conditions of Use (GCU).

Save for as set out under 2.1.3 below, they are kept by the Company in an active database for a period of 12 months (twelve months) from the last login by the User or by the Courier into the Application and 48 (forty-eight) months in intermediate archiving (that is, restricted access, retention necessary to meet legal obligations or to invoke a right before the courts). With regard to the identity card, passport or any other document that proves the Right to Work in the United Kingdom, such documents are necessary for the Company to fulfil its legal obligations and to prove such fulfilment in the event of audit. They are to be kept in a database that is separate from the others, access to which is restricted and only for this purpose.

2.1.2. When a User or Courier uses the Website or Application

the Company collects:

  • the IP address of the User or Courier
  • the login data of the User or Courier
  • the Website or Application navigation data (including timestamp information)

These data are to be retained by the Company in an active database for a period of 6 (six) months after the last login of the User or Courier into the Application and 6 (six) months in intermediate archiving.

at the time of entering the goods pickup address, so that it can automatically suggest an address, the precise location of the User's terminal by means of the Website or Application if the User authorises it to access the terminal's location services, the precise location of the Courier’s terminal throughout the duration of the delivery of goods using the Application owing to its authorisation to access the terminal’s location services pursuant to the GCU, the history of the deliveries of goods carried out, including the date, with the history of the goods’ route possibly including the User’s location on a fixed date and time and including the Courier’s precise location during the delivery of goods, a record of written messages and, if any, telephone conversations (in case of the recording of a telephone exchange, the person is accordingly informed and has the opportunity to refuse to continue the communication) among the User, the Courier and the Company in the event of a claim, incidents occurring a delivery of goods, statistics on the delivery of goods such as its duration, distance and transport method used/preferred, the User’s signature if the latter is the sender or recipient, the information provided by the User regarding the goods, Courier performance data and metrics.

Save for as set out in clause 2.1.3 below, these data are to be retained by the Company in an active database for a period of 12 (twelve) months after the last login of the User or Courier into the Application and 48 (forty-eight) months in intermediate archiving. By way of exception, the record of a telephone conversation is retained in an active database for a period of 6 (six) months after the concerned telephone conversation.

2.1.4. Invoicing of goods delivery operations:

invoices relating to deliveries of goods issued by the Company in the name of and on behalf of Couriers

invoices relating to fees/commissions charged by the Company against the amounts paid to the Couriers, the amount for the transactions carried out as well as the date and time of such transactions.

Such data shall be retained by the Company in intermediate archiving for a period of ten (10) years after the end of the financial year to which the invoice relates.

2.1.5. For online payment

the Company collects the Users’ bank card data. To ensure the security of online payments, the Company uses the services of Stripe Payments.

When you create your account on the Website and you enter your bank card data or you decide to pay by card or by direct debit a goods delivery order, our payment page connects in real time with the provider system that collects your data and performs various checks to avoid abuse and fraud.

The data are stored on the servers of the provider and are not transmitted at any time to the servers of the Company.

2.2. Third party data

During the delivery of goods the Company may collect the last name, first name, postal address, telephone number, signature and other additional information (for example, digicode, floor, etc.) of the sender and/or recipient that is not the User. Such data are entered by the User when ordering a delivery of goods and are processed by the Company on behalf of the User.

With regard to this data processing, the User is the data controller and the Company acts as processor. The safeguards governing this subcontracting of Data processing are set forth in Article 11 of this Privacy Policy.

Such data are to be retained by the Company in intermediate archiving for a period of 12 (twelve) months after the completion of the goods delivery.

2.3. Data collected automatically when you merely visit Website or Application

The Company automatically collects certain information about your devices simply when you visit our Website or Application, without identifying you, using cookies. The choices that you have regarding the use of cookies are set forth in Article 10 of this Privacy Policy.

3. Fate of data at the end of the retention period

At the end of the aforementioned retention periods, the Data will be anonymised in order to make it impossible to "re-identify" persons, such that the data are no longer personal within the meaning of the GDPR

As an exception, the Data may be retained for longer durations in intermediate archiving to the extent, in particular, that:

  • there is a legal or regulatory obligation to retain the Data for a fixed duration, the Data are of interest, particularly in the event of litigation, justifying their retention for the periods set forth by applicable rules relating to limitation periods/lapse of rights (for example, in civil, commercial, criminal, accounting and tax matters) or until the end of the proceedings initiated.

In this case, only the Data strictly necessary for the fulfilment of the intended purposes will be retained.

The Data will be anonymised when the reason justifying the archiving is no longer exist.

4. Use of Data by the Company

The Company undertakes to process the Data only in accordance with one of the following legal grounds provided by the GDPR:

the processing is necessary for the provision of the services subscribed to (in particular via the use of the Website or Application) in accordance with the GCU accepted by the User or Courier:

  • to create, maintain and administer an account to use the Website or Application
  • to enable the establishment of contact between Users and Couriers in order to deliver goods through automated decision-making, particularly based on location data
  • to monitor deliveries of goods as well as assistance to and communication with Users and Couriers regarding deliveries of goods
  • to facilitate intermediation between a User and a Courier, in particular for the issuance of invoices and the payment thereof
  • to provide technical and operational application support to facilitate the use of the Website and Application
  • to manage the coverage of eligible Couriers under the health insurance, pension and professional liability policies taken out by the Company for their benefit (this is also a legal obligation for pension and health insurance policies)
  • to forward information relating to complaints, in particular compensation claims, in connection with a delivery of goods

the processing is necessary for the purposes of legitimate interests of the Company or third parties:

  • to maintain, optimize and improve the Website, Application and our services and to develop new ones
  • to contact Users and Couriers to provide them with any news or developments necessary to continue using the Website and Application
  • to maintain or improve the security of Users and Couriers, in particular by informing the police or any other service concerned in the event of a threat or breach of the security of property or safety of persons
  • to prevent, detect and combat fraud when using the Website and Application
  • to ensure compliance with the GCU
  • to forward information relating to complaints, in particular compensation claims, in connection with a delivery of goods
  • to allow the Company to ensure that it partners with appropriate Couriers
  • to safeguard the Company's interests in the event of dispute or litigation

the processing is necessary to fulfil a legal obligation of the Company:

  • to keep track of payments made by Users and of the income obtained by Couriers when they use the Website or Application
  • to check that the Couriers can legally carry out their independent goods delivery activity and prove such check
  • to inform the Couriers of their tax and social security obligations

the processing is also possible when the data subject has given his/her consent (in such case, it is to be very clearly specified when the data subject's consent is sought):

  • to contact the Users and Couriers to inform them about new offers of services and promotions that may be of interest to them. We may also send you such messages based on the "Company’s legitimate interests", as the case may be. In any event, you can always unsubscribe from such emails
  • to conduct voluntary surveys.

5. Data Recipients

The Data are retained by the Company and used by the internal teams in charge of executing the services and the proper functioning of the Website and Application.

They are also forwarded to any User or Courier concerned by a delivery of goods.

The Data may also be shared in other cases with the consent or in accordance with the instructions of the data subject when the Company is required to do so by law. So, User or Courier Data may be forwarded by the Company to partners for the purpose of prospecting electronically in the event that the data subject has expressly given his/her consent before any transmittal.

In the event that all or part of the Company's business is sold off, the Data may be communicated to the purchaser in order to ensure the continuity of services.

6. Data Transfers outside of the European Union

The Company carries out the bulk of data processing within the territory of the European Union.

However, for certain specific services, particularly IT services, the Company may use subcontractors based outside of the European Union. Certain Data may then be shared within the strict limits of their assignments.

In such case, the Company makes sure beforehand and requires that subcontractors provide adequate guarantees necessary for the supervision, confidentiality and securing of such transfers. There are various legal guarantees allowing the transfer of Data outside of the territory of the European Union which the Company may use, including the following:

  • the recipient country is considered by the European Commission as providing an adequate level of protection
  • we sign, with the subcontractor, the standard contractual clauses of the European Commission that guarantee a sufficient level of Data protection
  • the subcontractor is part of a group that has put in place binding corporate rules (BCR) to ensure a satisfactory level of protection during Data transfers
  • the subcontractor has put in place an approved code of conduct containing
  • the binding and enforceable undertaking by the subcontractor to apply the appropriate safeguards
  • in the event of transfer to the United States, the Data shall only be transferred to companies listed in the Privacy Shield register.

7. Rights of data subjects in the collection of Data

In accordance with personal data protection regulations, any person whose personal data have been collected has the right, at any time, to invoke the following rights against the Company, subject to meeting the following conditions:

  • right to be informed: right to receive clear, transparent and easily understandable information about how the Data are processed. This is why this Privacy Policy has been put in place
  • right of access: right to demand access to one’s own personal data processed by the Company
  • right of rectification: right to demand the modification or updating of one’s own personal data when they are inaccurate or incomplete
  • right to erasure: right to demand permanent deletion of one’s own personal data
  • right to restriction of processing: right to request that the processing of all or part of one’s own personal data be stopped
  • right to object: right to oppose the processing of one’s own personal data:
    • invoked on the basis of the legitimate interests of the Company for reasons relating to the particular circumstances of the data subject, or for the purpose of prospecting, with no particular reason
  • right to portability: the right to demand a copy of one's own personal data in an accessible and transferable format and the right to demand the transmittal of one's own personal data to another data controller
  • the right not to be subject to decision-making based exclusively on automated means, including profiling, except when such decision is necessary for entering into or enforcing the GCU or is based on the explicit consent of the data subject
  • the right to give instructions for the retention, erasure and disclosure of your Data after your death

8. How data subjects can exercise their rights

To exercise such rights against the Company, all you need to do is send a simple e-mail to the Company at the address, making sure to prove your identity (mention the first and last names and e-mail address, and attach a copy of your identification document).

A response will be sent within one (1) month of the date of receipt of the request. If necessary, this period may be extended by two (2) months by the Company, which will alert the data subject, taking into account the complexity and/or number of requests.

In the event of a request for erasure or deletion of Data, the Company may, however, retain the Data in the form of an intermediate archive for the period necessary to meet its legal, accounting and tax obligations and in accordance with the applicable rules of limitation, in order to prevent possible unlawful behaviour after the deletion of the account of a User or Courier or during a litigation period.

It is specified that a request to delete the account of a User or Courier is not interpreted by the Company as an express request to exercise the rights under the aforementioned Article 7. The account will become inactive and the Data will be retained under the conditions and for the durations referred to in the present policy.

9. Data Security and Protection

9.1. Data Protection

The Company undertakes to adopt all measures to ensure the security and confidentiality of the Data collected. Although no system can be completely secure, the Company has put in place and applies various appropriate technical and organisational policies and measures to ensure a level of security that is appropriate to the risks and to protect Data, in particular against any unauthorised or illegal access, use or disclosure, as well as against accidental damage, loss, alteration or destruction.

In the event of a security incident affecting Data, the Company undertakes to comply with the obligation to notify personal data breaches, in particular to the ICO.

9.2. Security of User or Courier Passwords

The Company takes all manner of useful precautions to ensure the secure storage of the password of the User or Courier account.

10. Use of Cookies

When using our Website, information relating to browsing on your terminal (computer, tablet, smartphone, etc.) may be recorded in "Cookie" files stored on your terminal, subject to such choices as you may have made regarding Cookies

Cookies relate to browsing by the User or Courier on the Website or Application and allow monitoring of their activity, particularly to determine which pages he/she visited and the date and time of the visit as well as to memorise data over the duration of the validity or storage of the cookie.

At no time do these cookies allow the Company to personally identify the User or the Courier but, rather, they identify a browser or terminal.

10.2. Which cookies are stored on the terminal when browsing on the Application?
10.2.1. Cookies of the Company

The Company uses its own cookies (linked in particular to the language of the Website) to provide an optimal user experience adapted to the personal preferences of the User or Courier.

10.2.2. Third Party Cookies

The Company also uses the cookies of third-party applications (Google, Facebook, LinkedIn, etc.) that, in particular, enable the collection of anonymous statistical data on visits to our sites and applications in order to improve their ergonomics.

10.3. How long are these cookies kept?

The retention time for these cookies on the User or Courier terminal does not exceed thirteen (13) months.

10.4. How to refuse the placement of cookies?

By using the Website or Application, the User or Courier consents to the use of cookies.

The User or Courier is informed, during his/her first visit, that he/she has the right to object to the storage of cookies, in particular by configuring his/her web browser to do so or by setting the Website or Application options from the “Cookie Banner “.

More help is available on the dedicated pages of the browser (following are the most common browsers):

  • Internet Explorer
  • Google Chrome
  • Safari
  • Firefox

The User or Courier can also set his/her browser so that it sends a code indicating the websites that you do not want to be tracked ("Do No Track" option):

  • Internet Explorer
  • Chrome
  • Firefox

That notwithstanding, Users and Couriers are informed that cookies play an important role in the functioning of the Company's services. Therefore, if they refuse or delete cookies, this could affect the availability and functioning of the services.

11. Processor safeguards

With regard to the processing of the Data of senders and/or recipients for whom the User is the data controller and the Company is the processor, the latter undertakes to:

  • process the Data only for the purpose(s) mentioned in Section 4 of this Privacy Policy
  • process the data in accordance with the documented instructions, if any, from the User. If the Company considers that an instruction constitutes a violation of the GDPR or of any other provision of EU law or of the law of Member States relating to data protection, it shall immediately inform the User accordingly
  • guarantee the confidentiality of the Data processed when using the Website and Application
  • ensure that the persons authorised to process the Data in accordance with the GCU:
    • undertake to respect confidentiality or are bound by an appropriate legal duty of confidentiality
    • receive the necessary training on personal data protection
  • with respect to its tools, products, applications or services, be mindful of the principles of data protection from the design stage and data protection by default
  • scrupulously respect the entirety of this Privacy Policy, in particular regarding Data retention and anonymisation periods, security measures, Data transfer, etc.

The Company may use another subcontractor (see Article 5 on Data recipients) to perform specific services, including IT. The User, who is duly informed by means of this Privacy Policy, gives a general authorisation to the Company to do so. The Company shall ensure that the ultimate processor provides the same sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the GDPR.

It is the responsibility of the User to provide information to senders and/or recipients concerned by processing operations at the time of data collection.

To the extent possible, the Company shall assist the User in fulfilling his/her obligation act on requests to exercise data subject rights. When the sender and/or recipient makes a request to the Company to exercise his/her rights, the Company shall upon receipt email such requests to the User.

The Company shall notify the User, by email, about any personal data breach as soon as possible after being informed. Such notification shall be accompanied by any useful documentation enabling the User, if necessary, to give notice of such breach to the competent supervisory authority as well as to the data subjects.

The Company shall assist the User in conducting data protection impact assessments and in carrying out prior consultation with the supervisory authority.

The Company shall make available to the User all information necessary to demonstrate fulfilment of all its obligations and allow the performance of audits, including inspections, by the User or any other auditor appointed by him/her, as well as help with such audits.