app users

your privacy naiss style ;)

welcome to naiss, the app that turns your daily commutes into something more than moving from A to B. here kilometers are added, emissions are reduced, and colleagues are made along the way.

but if there's one thing we take as seriously as naiss shots, it's your privacy.

this privacy policy exists to explain what data we collect, why we use it, and with whom we share it.

no fine print. no drama. and with the clarity you deserve.

responsible for processing:

Apollo Bros S.L.

nif/cif: B19352541

contact email: privacidad@naissride.com

whatsapp: +34 910 62 67 22

What personal data do we collect?

mandatory data when registering:

  • first and last name (mandatory)
  • date of birth (mandatory)
  • phone number (mandatory)

optional data in profile settings:

  • profile picture (optional)
  • social networks (if you choose to link them and optionally visibility for everyone or only for friends)
  • institutional email to unlock functionalities
  • information about the course and class you belong to or the position you hold in the entities
  • personal description (you can add a free text about yourself. remember that it is totally voluntary and that you are responsible for the content you publish).

data generated by app usage:

  • images or videos captured voluntarily through the camera (you will have previously given us your consent)
  • journeys made and role (driver or companion)
  • social interactions (likes, comments)
  • navigation and usage data within the app: sections visited, clicks, usage time, errors, interactions…
  • participation in rankings, challenges, and their results

some functionalities allow sharing content visible by others (such as images, comments, or interactions). this content may be moderated in accordance with the terms and conditions, and will be treated as personal data when it allows identifying you. you can consult the complete rules of use and the content removal procedure in our terms and conditions.

location (GPS) and journey data:

naiss is, at its core, a shared-journey app. to record a journey we need to know where you go while it lasts. when you start a journey in the app, we collect your location (GPS) in real time, and only during that journey:

  • precise location points (latitude and longitude), together with associated technical data such as speed, heading, altitude, and signal accuracy.
  • the reconstructed route of the journey (origin, route, stops, and destination), its distance, and its duration.
  • the provinces you cross, to classify the journey (urban/metropolitan or long-distance) for the purposes of the CAE program.
  • which people share the journey and the overlap between their routes, to confirm that the trip actually took place.

this collection may occur even when the app is in the background or with the screen locked, always while the journey is active and you have granted location permission. location turns on when you start the journey and stops when it ends (manually or automatically); not before, not after. we record this information because it is essential to validate journeys and because the CAE system regulations require us to verify the route as an anti-fraud measure. if you disable location you can still use other parts of the app, but we will not be able to validate your journeys or grant you the CAE program compensation.

vehicle data (if you drive):

if you participate as a driver, you can register your vehicle details (make, model, color, license plate, number of seats, and fuel type or consumption). this data is used to display journey information, calculate energy savings, and meet the requirements of the CAE program.

identity verification (DNI/NIE):

to participate in the CAE program and be able to receive compensation, the regulations require that each account be linked to an identity document. in that case we will ask you to verify your identity (first and last name, DNI or NIE, and date of birth) through a specialized identity verification provider. we explain this in detail in the "the CAE program" section. if you do not participate in the CAE, you do not need to verify your identity.

access to your contacts:

if you give us permission, we can access your phone's contact list to help you find and invite people you already know. we only use this information to suggest invitations to you and we never publish it. you can deny or revoke this permission at any time from your device settings; contact access is not necessary to use naiss.

voluntary data:

in addition to the data mentioned, you can voluntarily provide additional information in the context of your interaction with the app, such as:

  • forms and surveys: we may invite you to participate in surveys, opinion forms, or collaborative spaces to improve naiss and contribute to decisions related to the community or the development of functionalities. your participation is totally optional.
  • reporting channel and false journey reports: if you detect a suspicious or false journey, you can easily report it through the options menu accessible from the top right corner of each naiss shot. these reports will be reviewed by our team.
  • content report: you can also report inappropriate, offensive content or content contrary to community rules from the options button of each publication.
  • spontaneous communications: any other data you send us when writing to us directly (for example, suggestions, conflicts, thanks, or other interactions) will be treated with the exclusive purpose of managing your message and maintaining the quality of the naiss environment.

Specially sensitive data:

naiss does not collect or process, systematically, specially sensitive data in accordance with article 9 of the GDPR (related to health, ideology, religion, sex life, or trade union affiliation). if exceptionally a user enters this type of data in open fields, they will be treated with maximum confidentiality and exclusively under their explicit consent, and may be deleted if they are not necessary for the provision of the service.

cookies and similar technologies:

we only use essential technical cookies and third-party tools to guarantee the stability and improvement of the app, such as sentry (for technical error control) and posthog (for usage analysis and deployment of functionalities). both tools process data securely and, in the case of posthog, data is stored on servers within the European Union.

How do we use your data?

we use them to:

  • manage your registration and profile
  • verify identity and reputation
  • allow functionalities that require camera use or notifications (with prior consent)
  • activate gamified functionalities (new rankings, institutions, locations, journeys, etc …)
  • show relevant journey data
  • send notifications (with your permission)
  • prevent fraud, improper use, or conduct contrary to our cohabitation rules
  • respond to queries, claims, or reports
  • analyze how the app is used to improve its functioning, design, and content, using anonymous identifiers to evaluate which functions are liked more and show you specific news through "feature flags" (functionalities in testing)
  • comply with legal obligations and respond to administrative or judicial requirements
  • communicate certain information to collaborating institutions when you are part of them. we explain more in the section "With whom do we share your data?"
  • record, validate, and display your shared journeys, calculating their distance, duration, and the energy savings generated
  • manage your participation in the CAE program (energy savings certificates) and, where applicable, calculate and pay the corresponding compensation
  • verify your identity (DNI/NIE) when you participate in the CAE and prevent fraud in accordance with applicable regulations
  • collect your location during active journeys to reconstruct the route and confirm that the trip took place

the CAE program (energy savings certificates)

when you carpool you stop using another vehicle, and that generates measurable energy savings. in spain, those savings can be turned into energy savings certificates (CAE), a regulated system (royal decree 36/2023 and implementing regulations) through which companies obligated to save energy buy those savings. naiss lets you take part in this system and receive compensation for the journeys you share.

your journeys can fall under two official methodologies ("fichas") depending on the route: TRA040 for urban or metropolitan journeys (within the same province) and TRA030 for long-distance journeys (between provinces). the app determines which one applies based on the journey's GPS route.

it's voluntary (and for over-18s)

taking part in the CAE is entirely optional: you decide whether to join and give your consent for it. because it involves verifying your identity with an official document and receiving monetary compensation, participation in the CAE is reserved for people over 18, even though the rest of the app can be used from age 14. you can withdraw your consent at any time, without it affecting journeys already certified.

identity verification

the CAE anti-fraud regulations require that each participating account be linked to a DNI or NIE and that the identity of everyone on the journey be verified. that's why, when you join the CAE, we will ask you to verify your identity (first and last name, DNI/NIE, and date of birth) through a specialized identity verification provider (didit). this provider performs the check and reports the result to us; naiss processes the identifying data necessary to manage your participation, certify journeys, and pay the compensation.

what data we process in the CAE and why

to certify journeys and calculate energy savings, we process:

  • identifying data: first and last name, DNI/NIE, date of birth, and phone number.
  • journey data: GPS route (origin, route, and destination), distance, duration, provinces crossed, date and time, and role (driver or companion).
  • vehicle data: vehicle type, license plate, and consumption data, when you participate as a driver.
  • the calculated energy savings (kWh) and the methodology (ficha) applied to each journey.
  • your responses to surveys about the alternative transport you would have used, needed to reliably calculate the savings (the "c" factor).

who do we share your data with in the CAE?

to process the certificates and the compensation, we communicate strictly necessary data to:

  • delcae: our delegate in the CAE system, which acts as a data processor to verify the eligibility of journeys and submit the certification application to the competent administration.
  • independent auditor: an external auditing entity that verifies the reliability of the data and of the savings calculation, as required by CAE regulations.
  • CAE system authorities and bodies: the national coordinator of the CAE system, the obligated or delegated parties, the autonomous communities, and the ministry for the ecological transition and the demographic challenge (MITECO), when they intervene in the verification, processing, or settlement of the savings.
  • payment provider: a payment service provider (such as stripe) that handles the payment of the compensation. naiss does not store the full details of your bank account or card.

transfer of savings and compensation (sparkies)

by participating in the CAE you agree to transfer to naiss the energy savings generated by your journeys so that it can certify and monetize them as energy savings certificates —naiss becoming the owner of those savings— in exchange for the compensation recognized to you. this compensation is expressed in "sparkies", which you accumulate for the validated kilometers of each shared journey.

when journeys are certified and the savings are monetized, sparkies are converted into monetary compensation in accordance with the program's terms (which you'll find in the terms and conditions). the compensation is conditional on the savings being validated by the CAE system: if a journey is not validated, we won't be able to pay it. it is promotional in nature and does not constitute a salary or an employment or professional relationship.

legal basis for processing in the CAE

  • your consent, when you voluntarily join the CAE program (art. 6.1.a GDPR).
  • compliance with legal obligations arising from CAE regulations, in particular identity verification (DNI/NIE) and the collection of location as an anti-fraud measure (art. 6.1.c GDPR).
  • performance of the contract, to certify journeys and pay you the compensation (art. 6.1.b GDPR).

retention

we will retain the supporting documentation of certified journeys for the period required by CAE regulations (counting from the validation of the certificates) and by the tax obligations associated with the compensation, even if you have stopped participating or have deleted your account.

are automated decisions made?

at naiss we apply automated evaluation mechanisms that allow assigning you points, rankings, or access to rewards based on your journeys, interactions, or participation in the community. this is part of the gamified system that makes naiss fun, motivating, and efficient.

some of these decisions may influence your access to real benefits such as giveaways, advantages offered by collaborating institutions, recognitions, or material rewards. therefore, they may be considered decisions based exclusively on automated processing with significant effects, within the meaning of article 22 of the GDPR.

however, according to the regulations, this type of decision is permitted when:

  • it is necessary for the performance of the contract, that is, so that you can use naiss with its reward system activated.
  • you have given your prior and specific consent, for example, by accepting to participate in challenges or rankings that give access to prizes.

in all cases, in accordance with the provisions of the GDPR, we guarantee that:

  • you can obtain human intervention if you do not agree with an automated decision that affects you.
  • you have the right to express your point of view and to challenge the decision.
  • you can exercise these rights by writing to: soporte@naissride.com

what is the legal basis for processing?

purpose of processinglegal basis (art. 6 GDPR)
create and manage your user account in the appperformance of contract (art. 6.1.b GDPR)
verify your identity and reputation in the communityperformance of contract (art. 6.1.b)
activate functions that require camera, location, or notificationsexplicit consent (art. 6.1.a)
participate in rankings, challenges, rankings by institutions, journeys, etc.performance of contract / legitimate interest (art. 6.1.b / 6.1.f)
show relevant information of shared journeysperformance of contract (art. 6.1.b)
send push notificationsconsent (art. 6.1.a)
prevent fraud, improper use, and guarantee environment securitylegitimate interest of the controller (art. 6.1.f)
analyze app usage and perform technical and functional improvementslegitimate interest (art. 6.1.f)
attend to queries, claims, or incidentsperformance of contract / legitimate interest (art. 6.1.b / 6.1.f)
comply with legal obligations (tax, road safety, etc.)legal obligation of the controller (art. 6.1.c)
share information with collaborating entities (if you are part of them)performance of contract / legitimate interest (art. 6.1.b / 6.1.f)
management of reports, content reports, false journeys, surveys, and voluntary communicationslegitimate interest / consent (art. 6.1.f / 6.1.a, depending on the case)
retention of data after cancellation for regulatory compliance and defense against claimslegal obligation / legitimate interest (art. 6.1.c / 6.1.f)
collect your location (GPS) during active journeysconsent / legal obligation in the CAE (art. 6.1.a / 6.1.c)
verify your identity (DNI/NIE) to participate in the CAE programlegal obligation (art. 6.1.c)
record and validate journeys and calculate energy savingsperformance of contract / legal obligation (art. 6.1.b / 6.1.c)
communicate data to the CAE delegate (delcae), auditors, and CAE system authoritieslegal obligation (art. 6.1.c)
manage and pay the CAE program compensation (sparkies)performance of contract (art. 6.1.b)
access your contact list to suggest invitations to youconsent (art. 6.1.a)

How long do we retain your data?

  • while you maintain an active account.
  • after cancellation, we will retain your data for a maximum period of 5 years, exclusively to comply with legal obligations or attend to potential claims.
  • data necessary for tax or accounting obligations will be retained during the legally established periods.
  • anonymized data, which does not allow identifying you, may be retained indefinitely for statistical or analytical purposes.
  • documentation of journeys certified in the CAE program is retained for the period required by CAE regulations and by the associated tax obligations, as detailed in the "the CAE program" section.

With whom do we share your data?

data processors:

we work with external providers that act as data processors, which access personal data only to provide services under our instructions and with the guarantees required by the GDPR:

  • convex: infrastructure and database where the app's information is hosted. data is stored on servers located in the European Union (Ireland).
  • sentry: technical error monitoring to guarantee the stability and security of the app.
  • posthog: usage analysis tool and deployment of functionalities (feature flags). data is stored on servers within the European Union.
  • twilio: sending sms messages to verify your phone number when you register or log in.
  • google: maps and address autocomplete (google maps and google places) to display journeys and help you enter locations.
  • expo: sending push notifications to your device.
  • didit: identity verification (DNI/NIE) to participate in the CAE program.
  • delcae: CAE system delegate that verifies the eligibility of journeys and processes the energy savings certificates before the administration.
  • stripe: payment processing to pay the CAE program compensation.

each of them has its own privacy policy, which the user can consult. some (such as didit, delcae, or stripe) only intervene if you participate in the CAE program.

app technologies that involve processing of personal data:

  • location (GPS): to record and validate your journeys while they are active, even in the background
  • camera: if you choose to capture or upload images from the app
  • contacts: to help you invite people you already know, if you give us permission
  • notifications: for journey alerts, interactions, or relevant notices

these functionalities require your prior permission and you can manage them from device permissions.

collaborating entities:

naiss may collaborate with universities, companies, and other organizations to which you belong, for example, within the framework of sustainable mobility or corporate welfare programs.

when there is a formal collaboration agreement between naiss and an entity, we may share with it minimum identifying information (such as name, institutional email, or participation in rankings or challenges) and justified for analysis purposes and improvement of service quality, as well as to explore possible shared mobility initiatives adapted to the needs of the community in question.

In cases where an agreement does not yet exist, but we detect that a significant community of users (by number, frequency of use, or shared journeys) belongs to the same entity, we may generate and communicate aggregate and anonymized statistical data to said entity. for example:

"a group of 53 people who work in your organization have made 1,200 shared journeys this month with naiss."

this information does not allow identifying specific individuals and has the sole objective of fostering a possible collaboration agreement.

public authorities:

we will only share data when there is a legal obligation, for example, before judicial or administrative requirements.

international transfers:

the app's information is stored primarily on servers located in the European Union (Ireland). however, some of our providers may process data outside the European Economic Area (EEA). in those cases we ensure that adequate guarantees exist in accordance with the GDPR, such as the standard contractual clauses approved by the European Commission.

What are your rights?

as a user, you have the right to control the use we make of your personal data. specifically, you can exercise the following rights and when appropriate, also before the collaborating entity, in case of joint responsibility:

  • right of access: know what personal data of yours we are processing and for what purposes.
  • right of rectification: correct inaccurate or incomplete data.
  • right of erasure: request that we delete your data when they are no longer necessary or you withdraw your consent.
  • right to restriction of processing: request that the use of your data be restricted in certain circumstances (for example, while a claim is being reviewed).
  • right to object: object to the processing of your data for reasons related to your particular situation, except for compelling legitimate reasons.
  • right to data portability: receive the data you have provided us in a structured format and transmit them to another controller.
  • right to withdraw consent: at any time, without this affecting the lawfulness of the processing based on consent before its withdrawal.

you can exercise these rights free of charge by sending an email to privacidad@naissride.com

by exercising the rights of erasure, restriction, objection, or withdrawing consent, the user might no longer be able to use the app.

to process your request, we may need to verify your identity and we will respond within a maximum period of 1 month (extendable by another 2 months in complex cases, according to art. 12.3 GDPR).

if you consider that we have not treated your personal data properly, you can file a claim before the competent supervisory authority:

Spanish Data Protection Agency (AEPD) – www.aepd.es

Are your data secure?

we apply technical and organizational measures aligned with the National Security Scheme (ENS), such as:

  • encryption of data in transit and at rest
  • robust authentication and access control
  • logging and auditing of activities
  • continuous supervision through tools like sentry.
  • periodic risk evaluation, audits, and incident response plans

information about minors

the app is intended for persons over 14 years of age. we do not knowingly collect data from children under that age.

if we detect a minor has provided personal data without the verifiable consent of their parents or legal guardians, we will proceed to delete them immediately.

participation in the CAE program (energy savings certificates) requires verifying your identity with an official document and receiving monetary compensation, so it is reserved for people over 18. under-18s can use the rest of the app, but cannot join the CAE or accumulate or collect sparkies.

important: in case a minor uses naiss to offer journeys as a driver, it will be understood that neither the app validates nor assumes any responsibility for the legality of such conduct. it is the exclusive responsibility of the user to comply with current regulations, including the minimum driving age and possession of a valid driver's license.

want to delete your account?

as a good naisser, surely you have already read our T&C and know that in this community we value good atmosphere, respect, and commitment to the rules. if you breach those rules, we can deactivate your account. but we also understand that if at any point you feel naiss is not for you, you can cancel by your own decision.

you can delete your account from the app following this path:

settings > account management > delete account > confirm

but beware: that you delete your account does not mean we delete all your data immediately. remember that:

  • we retain certain information for a maximum period of 5 years, only to comply with legal obligations or defend ourselves against potential claims.
  • data necessary for tax or accounting issues will be retained during the periods required by law.
  • and data that we have anonymized —and which no longer allows identifying you— can be retained indefinitely for statistical analysis that help us improve naiss.

if you have doubts about your cancellation or the subsequent processing of your data, write to us at privacidad@naissride.com

Changes to this policy

we may update this policy to reflect legal, technical, or functional changes. if the changes are relevant, we will notify you through the app or by email.

contact

for any doubt, request, or claim about your privacy, you can write to us at privacidad@naissride.com

collaborating entities

naiss collaborates with universities, companies, and institutions interested in promoting sustainable mobility within their communities. these collaborations can take different forms, depending on the degree of involvement of the entity and the level of participation of its members in the app.

a. aggregate information without prior agreement

even without a formal agreement, if we detect a critical mass of users belonging to the same organization (for example, users who register an institutional domain), naiss can generate and communicate aggregate and anonymized statistics to said entity, such as:

  • total number of users with verified institutional email.
  • kilometers traveled in shared journeys.
  • estimated CO₂ emissions avoided.
  • level of participation in collective rankings.
  • frequency of app usage.

these statistics do not allow identifying specific individuals and their sole purpose is to foster a collaboration agreement that allows offering benefits, rewards, or other advantages to active members.

b. institutional access with formal agreement

when there is an agreement between naiss and a collaborating entity, the latter may access an institutional web panel, developed by naiss, which offers more specific and personalized information about the activity of its members, for purposes such as:

  • incentivize collective participation.
  • evaluate the impact of sustainable commuting.
  • certify journeys, challenges, or achievements linked to internal programs (e.g., scholarships, recognitions, prizes, etc.).

in these cases, the processed data may include, upon an adequate legal basis:

  • name and institutional email.
  • participation in challenges or rankings.
  • validated journeys made.

the processing of these data is based on the explicit consent of the user (art. 6.1.a GDPR) and on a joint responsibility or data processing agreement between the entity and naiss, in accordance with articles 26 or 28 of the GDPR.

only users who have verified their belonging to an entity can appear in internal rankings of said entity.

institutional access: contact data and obligations

collaborating entities with a formal agreement access the naiss institutional panel through the web www.naissride.com, using a user (institutional email) and password (created by naiss).

this access is restricted to personnel authorized by the institution and configured with different visibility levels as agreed in the collaboration agreement.

naiss will process the following contact data of the persons designated by each institution:

  • first and last name.
  • corporate email address.
  • professional phone number.
  • entity address.
  • position or function within the organization.
  • additional information voluntarily provided by said person (e.g., objectives, interests of the collaboration, desired action lines, strategic preferences, etc.).

these data will be used only to manage the relationship between naiss and the entity, coordinate joint actions, and facilitate monitoring of the impact generated by the linked community.

obligations of the collaborating institution

every entity with access to data derived from the use of naiss by its naissers must treat them with the same level of diligence, confidentiality, and security as naiss. this includes, among others:

  • restricting access only to authorized personnel.
  • not using the data for purposes other than those contemplated in the signed agreement.
  • applying technical and organizational security measures proportional to the risk, in accordance with article 32 of the GDPR.
  • complying with current legislation on data protection, including the duty to inform data subjects if it acts as a joint controller or independent controller.

naiss may perform audits, require evidence of compliance, and, in case of serious or repeated breach, suspend or revoke access to the institutional platform.

institutional access logs

naiss will maintain a secure record of accesses to the institutional panel, including:

  • date and time of each access,
  • IP address,
  • identified user,
  • relevant actions within the panel (queries, exports, modifications if any).

this record will be kept for auditing, traceability, and prevention of improper access purposes, and may be used to review security incidents or respond to regulatory requirements.

institutional panel providers

the institutional web panel is built and maintained by naiss with technical tools such as:

  • next.js (web structure)
  • supabase (data management)
  • sentry (error control)
  • redis / upstash (events and cache)
  • postmark (transactional email delivery)

security and conservation

collaborating entities that access personal data must apply security measures equivalent to those required by naiss, in accordance with the National Security Scheme (ENS). any improper use, unauthorized access, or breach of these obligations may lead to the immediate suspension of access to the panel.

data derived from these collaborations will be retained during the validity of the agreement and up to a maximum of five years after its termination, unless there is a specific legal obligation. anonymized data may be retained indefinitely for statistical purposes.

exercise of rights

users can exercise their rights of access, rectification, erasure, restriction, objection, and portability before naiss or, when appropriate, also before the collaborating entity, in case of joint responsibility.

📩 privacy contact: privacidad@naissride.com