app users
your privacy naiss style ;)
welcome to naiss, the app that turns your daily commutes into something more than moving from A to B. here kilometers are added, emissions are reduced, and colleagues are made along the way.
but if there's one thing we take as seriously as naiss shots, it's your privacy.
this privacy policy exists to explain what data we collect, why we use it, and with whom we share it.
no fine print. no drama. and with the clarity you deserve.
responsible for processing:
Apollo Bros S.L.
nif/cif: B19352541
contact email: privacidad@naissride.com
whatsapp: +34 910 62 67 22
What personal data do we collect?
mandatory data when registering:
- first and last name (mandatory)
- date of birth (mandatory)
- phone number (mandatory)
optional data in profile settings:
- profile picture (optional)
- social networks (if you choose to link them and optionally visibility for everyone or only for friends)
- institutional email to unlock functionalities
- information about the course and class you belong to or the position you hold in the entities
- personal description (you can add a free text about yourself. remember that it is totally voluntary and that you are responsible for the content you publish).
data generated by app usage:
- images or videos captured voluntarily through the camera (you will have previously given us your consent)
- journeys made and role (driver or companion)
- social interactions (likes, comments)
- navigation and usage data within the app: sections visited, clicks, usage time, errors, interactions…
- participation in rankings, challenges, and their results
some functionalities allow sharing content visible by others (such as images, comments, or interactions). this content may be moderated in accordance with the terms and conditions, and will be treated as personal data when it allows identifying you. you can consult the complete rules of use and the content removal procedure in our terms and conditions.
voluntary data:
in addition to the data mentioned, you can voluntarily provide additional information in the context of your interaction with the app, such as:
- forms and surveys: we may invite you to participate in surveys, opinion forms, or collaborative spaces to improve naiss and contribute to decisions related to the community or the development of functionalities. your participation is totally optional.
- reporting channel and false journey reports: if you detect a suspicious or false journey, you can easily report it through the options menu accessible from the top right corner of each naiss shot. these reports will be reviewed by our team.
- content report: you can also report inappropriate, offensive content or content contrary to community rules from the options button of each publication.
- spontaneous communications: any other data you send us when writing to us directly (for example, suggestions, conflicts, thanks, or other interactions) will be treated with the exclusive purpose of managing your message and maintaining the quality of the naiss environment.
Specially sensitive data:
naiss does not systematically collect or process specially sensitive data within the meaning of article 9 of the GDPR (related to health, ideology, religion, sex life, or trade union affiliation). if a user exceptionally enters this type of data in open fields, it will be treated with maximum confidentiality and exclusively under their explicit consent, and may be deleted if it is not necessary for the provision of the service.
cookies and similar technologies:
we only use essential technical cookies and third-party tools to guarantee the stability and improvement of the app, such as sentry (for technical error control) and posthog (for usage analysis and deployment of functionalities). both tools process data securely and, in the case of posthog, data is stored on servers within the European Union.
How do we use your data?
we use your data to:
- manage your registration and profile
- verify identity and reputation
- allow functionalities that require camera use or notifications (with prior consent)
- activate gamified functionalities (new rankings, institutions, locations, journeys, etc.)
- show relevant journey data
- send notifications (with your permission)
- prevent fraud, improper use, or conduct contrary to our cohabitation rules
- respond to queries, claims, or reports
- analyze how the app is used to improve its functioning, design, and content, using anonymous identifiers to evaluate which functions are liked more and show you specific news through "feature flags" (functionalities in testing)
- comply with legal obligations and respond to administrative or judicial requirements
- communicate certain information to collaborating institutions when you are part of them. we explain more in the section "With whom do we share your data?"
are automated decisions made?
at naiss we apply automated evaluation mechanisms that allow assigning you points, rankings, or access to rewards based on your journeys, interactions, or participation in the community. this is part of the gamified system that makes naiss fun, motivating, and efficient.
some of these decisions may influence your access to real benefits such as giveaways, advantages offered by collaborating institutions, recognitions, or material rewards. therefore, they may be considered decisions based exclusively on automated processing with significant effects, within the meaning of article 22 of the GDPR.
however, according to the regulations, this type of decision is permitted when:
- it is necessary for the performance of the contract, that is, so that you can use naiss with its reward system activated.
- you have given your prior and specific consent, for example, by accepting to participate in challenges or rankings that give access to prizes.
in all cases, in accordance with the provisions of the GDPR, we guarantee that:
- you can obtain human intervention if you do not agree with an automated decision that affects you.
- you have the right to express your point of view and to challenge the decision.
- you can exercise these rights by writing to: soporte@naissride.com
what is the legal basis for processing?
| purpose of processing | legal basis (art. 6 GDPR) |
|---|---|
| create and manage your user account in the app | performance of contract (art. 6.1.b GDPR) |
| verify your identity and reputation in the community | performance of contract (art. 6.1.b) |
| activate functions that require camera, location, or notifications | explicit consent (art. 6.1.a) |
| participate in rankings, challenges, rankings by institutions, journeys, etc. | performance of contract / legitimate interest (art. 6.1.b / 6.1.f) |
| show relevant information of shared journeys | performance of contract (art. 6.1.b) |
| send push notifications | consent (art. 6.1.a) |
| prevent fraud, improper use, and guarantee environment security | legitimate interest of the controller (art. 6.1.f) |
| analyze app usage and perform technical and functional improvements | legitimate interest (art. 6.1.f) |
| attend to queries, claims, or incidents | performance of contract / legitimate interest (art. 6.1.b / 6.1.f) |
| comply with legal obligations (tax, road safety, etc.) | legal obligation of the controller (art. 6.1.c) |
| share information with collaborating entities (if you are part of them) | performance of contract / legitimate interest (art. 6.1.b / 6.1.f) |
| management of reports, content reports, false journeys, surveys, and voluntary communications | legitimate interest / consent (art. 6.1.f / 6.1.a, depending on the case) |
| retention of data after cancellation for regulatory compliance and defense against claims | legal obligation / legitimate interest (art. 6.1.c / 6.1.f) |
How long do we retain your data?
- while you maintain an active account.
- after cancellation, we will retain your data for a maximum period of 5 years, exclusively to comply with legal obligations or attend to potential claims.
- data necessary for tax or accounting obligations will be retained during the legally established periods.
- anonymized data, which does not allow identifying you, may be retained indefinitely for statistical or analytical purposes.
With whom do we share your data?
data processors:
we work with external providers that act as data processors, which access personal data only to provide services under our instructions and with the guarantees required by the GDPR:
- supabase: infrastructure and database, secure hosting of app information.
- sentry: technical error monitoring to guarantee the stability and security of the app.
- posthog: usage analysis tool and deployment of functionalities (feature flags). data is stored on servers within the European Union.
- postmark: platform for sending transactional emails (such as account verification or notifications).
each of them has its own privacy policy, which must be consulted by the user.
app technologies that involve processing of personal data:
- camera: if you choose to capture or upload images from the app
- notifications: for journey alerts, interactions, or relevant notices
these functionalities require your prior consent and you can manage them from device permissions.
collaborating entities:
naiss may collaborate with universities, companies, and other organizations to which you belong, for example, within the framework of sustainable mobility or corporate welfare programs.
when there is a formal collaboration agreement between naiss and an entity, we may share with it minimum, justified identifying information (such as name, institutional email, or participation in rankings or challenges) for analysis purposes and improvement of service quality, as well as to explore possible shared mobility initiatives adapted to the needs of the community in question.
in cases where an agreement does not yet exist, but we detect that a significant community of users (by number, frequency of use, or shared journeys) belongs to the same entity, we may generate and communicate aggregate and anonymized statistical data to said entity. for example:
"a group of 53 people who work in your organization have made 1,200 shared journeys this month with naiss."
this information does not allow identifying specific individuals and has the sole objective of fostering a possible collaboration agreement.
public authorities:
we will only share data when there is a legal obligation, for example, before judicial or administrative requirements.
international transfers:
some of our providers may be located outside the European Economic Area (EEA). in these cases, we review that they have adequate data protection guarantees in accordance with the GDPR, such as standard contractual clauses approved by the European Commission. if these guarantees do not exist, we will evaluate their incorporation or the change of provider in the future.
What are your rights?
as a user, you have the right to control the use we make of your personal data. specifically, you can exercise the following rights before naiss and, when appropriate, also before the collaborating entity in case of joint responsibility:
- right of access: know what personal data of yours we are processing and for what purposes.
- right of rectification: correct inaccurate or incomplete data.
- right of erasure: request that we delete your data when they are no longer necessary or you withdraw your consent.
- right to restriction of processing: request that the use of your data be restricted in certain circumstances (for example, while a claim is being reviewed).
- right to object: object to the processing of your data for reasons related to your particular situation, except for compelling legitimate reasons.
- right to data portability: receive the data you have provided us in a structured format and transmit them to another controller.
- right to withdraw consent: at any time, without this affecting the lawfulness of the processing based on consent before its withdrawal.
you can exercise these rights free of charge by sending an email to privacidad@naissride.com
after exercising the rights of erasure, restriction, or objection, or withdrawing consent, the user might no longer be able to use the app.
to process your request, we may need to verify your identity and we will respond within a maximum period of 1 month (extendable by another 2 months in complex cases, according to art. 12.3 GDPR).
if you consider that we have not treated your personal data properly, you can file a claim before the competent supervisory authority:
Spanish Data Protection Agency (AEPD) – www.aepd.es
Are your data secure?
we apply technical and organizational measures aligned with the National Security Scheme (ENS), such as:
- encryption of data in transit and at rest
- robust authentication and access control
- logging and auditing of activities
- continuous supervision through tools like sentry.
- periodic risk evaluation, audits, and incident response plans
information about minors
the app is intended for persons over 14 years of age. we do not knowingly collect data from children under that age.
if we detect that a minor has provided personal data without the verifiable consent of their parents or legal guardians, we will proceed to delete it immediately.
important: in case a minor uses naiss to offer journeys as a driver, it will be understood that the app neither validates nor assumes any responsibility for the legality of such conduct. it is the exclusive responsibility of the user to comply with current regulations, including the minimum driving age and possession of a valid driver's license.
want to delete your account?
as a good naisser, surely you have already read our T&C and know that in this community we value good atmosphere, respect, and commitment to the rules. if you breach those rules, we can deactivate your account. but we also understand that if at any point you feel naiss is not for you, you can cancel by your own decision.
you can delete your account from the app following this path:
settings > account management > delete account > confirm
but beware: deleting your account does not mean we delete all your data immediately. remember that:
- we retain certain information for a maximum period of 5 years, only to comply with legal obligations or defend ourselves against potential claims.
- data necessary for tax or accounting issues will be retained during the periods required by law.
- and data that we have anonymized, and which no longer allows identifying you, can be retained indefinitely for statistical analyses that help us improve naiss.
if you have doubts about your cancellation or the subsequent processing of your data, write to us at privacidad@naissride.com
Changes to this policy
we may update this policy to reflect legal, technical, or functional changes. if the changes are relevant, we will notify you through the app or by email.
contact
for any doubt, request, or claim about your privacy, you can write to us at privacidad@naissride.com
collaborating entities
naiss collaborates with universities, companies, and institutions interested in promoting sustainable mobility within their communities. these collaborations can take different forms, depending on the degree of involvement of the entity and the level of participation of its members in the app.
a. aggregate information without prior agreement
even without a formal agreement, if we detect a critical mass of users belonging to the same organization (for example, users who register an institutional domain), naiss can generate and communicate aggregate and anonymized statistics to said entity, such as:
- total number of users with verified institutional email.
- kilometers traveled in shared journeys.
- estimated CO₂ emissions avoided.
- level of participation in collective rankings.
- frequency of app usage.
these statistics do not allow identifying specific individuals and their sole purpose is to foster a collaboration agreement that allows offering benefits, rewards, or other advantages to active members.
b. institutional access with formal agreement
when there is an agreement between naiss and a collaborating entity, the latter may access an institutional web panel, developed by naiss, which offers more specific and personalized information about the activity of its members, for purposes such as:
- incentivize collective participation.
- evaluate the impact of sustainable commuting.
- certify journeys, challenges, or achievements linked to internal programs (e.g., scholarships, recognitions, prizes, etc.).
in these cases, the processed data may include, on an adequate legal basis:
- name and institutional email.
- participation in challenges or rankings.
- validated journeys made.
the processing of these data is based on the explicit consent of the user (art. 6.1.a GDPR) and on a joint responsibility or data processing agreement between the entity and naiss, in accordance with articles 26 or 28 of the GDPR.
only users who have verified their belonging to an entity can appear in internal rankings of said entity.
institutional access: contact data and obligations
collaborating entities with a formal agreement access the naiss institutional panel through the website www.naissride.com, using a username (institutional email) and password (created by naiss).
this access is restricted to personnel authorized by the institution and configured with different visibility levels as agreed in the collaboration agreement.
naiss will process the following contact data of the persons designated by each institution:
- first and last name.
- corporate email address.
- professional phone number.
- entity address.
- position or function within the organization.
- additional information voluntarily provided by said person (e.g., objectives, interests of the collaboration, desired action lines, strategic preferences, etc.).
these data will be used only to manage the relationship between naiss and the entity, coordinate joint actions, and facilitate monitoring of the impact generated by the linked community.
obligations of the collaborating institution
every entity with access to data derived from the use of naiss by its naissers must treat them with the same level of diligence, confidentiality, and security as naiss. this includes, among others:
- restricting access only to authorized personnel.
- not using the data for purposes other than those contemplated in the signed agreement.
- applying technical and organizational security measures proportional to the risk, in accordance with article 32 of the GDPR.
- complying with current legislation on data protection, including the duty to inform data subjects if it acts as a joint controller or independent controller.
naiss may perform audits, require evidence of compliance, and, in case of serious or repeated breach, suspend or revoke access to the institutional platform.
institutional access logs
naiss will maintain a secure record of accesses to the institutional panel, including:
- date and time of each access,
- IP address,
- identified user,
- relevant actions within the panel (queries, exports, modifications if any).
this record will be kept for auditing, traceability, and prevention of improper access purposes, and may be used to review security incidents or respond to regulatory requirements.
institutional panel providers
the institutional web panel is built and maintained by naiss with technical tools such as:
- next.js (web structure)
- supabase (data management)
- sentry (error control)
- redis / upstash (events and cache)
- postmark (transactional email delivery)
security and conservation
collaborating entities that access personal data must apply security measures equivalent to those required by naiss, in accordance with the National Security Scheme (ENS). any improper use, unauthorized access, or breach of these obligations may lead to the immediate suspension of access to the panel.
data derived from these collaborations will be retained during the validity of the agreement and up to a maximum of five years after its termination, unless there is a specific legal obligation. anonymized data may be retained indefinitely for statistical purposes.
exercise of rights
users can exercise their rights of access, rectification, erasure, restriction, objection, and portability before naiss or, when appropriate, also before the collaborating entity, in case of joint responsibility.
📩 privacy contact: privacidad@naissride.com