GDPR Compliance

Koola is committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR).

Effective: February 10, 2026
Version 1.0

This page outlines how Koola complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and explains the rights available to data subjects whose personal data we process. This should be read alongside our Privacy Policy.


1. Data Controller

Koola acts as the data controller for personal data collected through the Koola Customer App and website. As the data controller, we determine the purposes and means of processing your personal data.

Data Controller: Koola

Address: Dar es Salaam, Tanzania

Email: dpo@koola.app

2. Data We Process

In accordance with GDPR principles, we process the following categories of personal data:

  • Identity Data: Name, email address, phone number, and account credentials
  • Transaction Data: Order history, payment records, and delivery details
  • Technical Data: IP address, device type, browser, and operating system
  • Usage Data: How you interact with our platform, features used, and preferences
  • Location Data: Approximate or precise location (with consent) for delivery and pickup services
  • Communication Data: Messages exchanged with support, sellers, or agents

We process data in accordance with the principles of data minimization and purpose limitation. We only collect data that is necessary for the specific purposes outlined in our Privacy Policy.

4. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing (Art. 18): Request limitation of how we process your data
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used format
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Rights Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing

To exercise any of these rights, please contact our Data Protection Officer at dpo@koola.app. We will respond to your request within 30 days.

5. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission for recipient countries
  • Binding Corporate Rules where applicable
  • Explicit consent for specific transfers when no other safeguard is available

6. Data Security Measures

In compliance with GDPR Article 32, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Employee training on data protection best practices
  • Incident response and data breach procedures
  • Regular backups and disaster recovery planning

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Account Data: Retained for the duration of your account plus 30 days after a deletion request
  • Transaction Data: Retained for 7 years for tax and accounting compliance
  • Technical Logs: Retained for up to 12 months for security and debugging purposes
  • Marketing Data: Retained until you withdraw consent or opt out

8. Data Breach Notification

In accordance with GDPR Articles 33 and 34, in the event of a personal data breach:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay
  • We maintain detailed records of all data breaches, including their effects and remedial actions taken

9. Data Protection Officer

Koola has designated a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and compliance with GDPR. You can contact our DPO for any data protection inquiries:

Data Protection Officer: dpo@koola.app

WhatsApp Support: Chat with us

Address: Dar es Salaam, Tanzania

10. Complaints

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority. You may file a complaint with:

  • The supervisory authority in the EU member state of your habitual residence
  • The supervisory authority in the EU member state of your place of work
  • The supervisory authority in the EU member state where the alleged infringement occurred

We encourage you to contact us first so we can address your concerns directly.

11. Contact Us

For any GDPR-related inquiries, data subject requests, or concerns about how we handle your personal data, please reach out to our team:

Koola Data Protection Team

We are committed to responding to all GDPR requests within 30 days.

DPO Email: dpo@koola.app

General Support: support@koola.app

WhatsApp: Chat with us