The personal data of the User collected by Karos on behalf of and for the account of Île-de-France Mobilités are subject to processing within the meaning of the amended French Data Protection Act of January 6, 1978, and of the European Regulation 2016/679 of April 27, 2016, on data protection, known as the “GDPR,” for the purpose of providing the carpooling service offered on the Covoit IDFM application.
This Privacy Policy explains how Île-de-France Mobilités (“Île-de-France Mobilités” or “we”), as the data controller within the meaning of Article 4 of the GDPR, processes your personal data when you use the Covoit’IDFM mobile application (the “Application”) operated by Karos Mobility SAS, acting as data processor within the meaning of Article 28 of the GDPR.
The registered office of Île-de-France Mobilités is located at 39bis-41 rue de Châteaudun, 75009 Paris, France. For any questions regarding data protection, you may contact our Data Protection Officer (DPO) at: dpo@iledefrance-mobilites.fr.
Karos Mobility SAS (10 rue de la Paix, 75002 Paris, France) acts solely as a data processor within the meaning of Article 28 of the GDPR.
1. DEFINITIONS
For the purposes of this policy:
« Application » means the Covoit IDFM mobile application.
« Member » means any user who has created an account through the Application.
« Trip » means the journey completed by a driver and passenger.
« GDPR » means the General Data Protection Regulation (EU) 2016/679.
« Website » means the Île-de-France Mobilités websites presenting the Application and containing a download link, accessible at the following address: www.covoit.idfm.fr.
2. COLLECTION AND PROCESSING OF PERSONAL DATA
Karos, on behalf of and for the account of Île-de-France Mobilités, processes Personal Data within the framework of the following processing activities:
The creation and management of the user account;
The provision of the carpooling service;
Legal compliance (anti–money laundering, fraud prevention, security);
Technical diagnostics and statistical analyses;
Management of user complaints;
Communication with users (via opt-in).
2.1 Type of Data Collected
During your use of the Application, we may collect and process the following categories of personal data. This information enables us to provide, operate, and improve the services:
Identification data
Authentication and Verification Data
Geolocation Data
Payment Data
Vehicle Data
Professional data and affiliation with a transport program
Connection Data
Browsing Data
Usage Data
This data may be collected directly from you (e.g., during account creation) or indirectly through your use of the Application.
The legal bases and purposes are detailed in the following section.
2.2 Legal Bases and Purposes
2.2.1 Creation and Management of the User Account
To benefit from the services offered through the Application, you must create a user account. During this process, we collect certain information about you. This processing is based on our contractual obligations. Mandatory fields include the following information:
First and last name
Email address
Mobile phone number
Street and house number
Postal code
City
Country
After successful registration, you can update your data.
We also invite you to create a password or to register via “Sign in with Apple” or through single sign-on (SSO) using an IDFM Connect account. In the latter case, we only receive the data that you authorize us to share. For more information, please consult the privacy policy: https://www.iledefrance-mobilites.fr/cgu-compte
Legal basis: Art. 6(1)(b) GDPR (contract performance)
2.2.2 Providing our Carpooling Services
To enable you to benefit from our carpooling service, we may in particular:
Create a public user profile for you on the Application, visible to other community members (e.g., Name, Profile photo, Employer).
Analyse your travel data (e.g., departure and arrival time and locations), including geolocation data, to suggest suitable rides for you.
Share your personal data with members you are carpooling with (eg. name, age, ratings, company name (if provided), profile information etc…)
Share your geolocation with members you are carpooling with to facilitate meeting (eg. GPS location).
Communicate with you – for example, to confirm a reservation or provide customer service.
Generate billing based on your Trips and your eligibility for subsidies (e.g., Trip information cross-referenced with geolocation data and the individual’s identity).
Process payments, via our payment providers, for completed trips and transfers from your balance to your bank account (e.g., Bank card numbers, IBAN, transaction details, nationality, etc.). Payment processing includes a mandatory KYC (Know Your Customer) identity verification as required by anti-fraud and anti-money laundering laws.
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(a) of the GDPR (consent, revocable at any time) for optional profile information.
2.2.3 Verification of Eligibility for the Service
In certain cases, and in order to verify Eligibility for the Service, we may ask you to provide documents such as a driving licence, identity card, and/or proof of address. Data is processed via a secure interface with a third-party verification service
These documents and the information they contain are used for security purposes to verify member’s age, authenticity, and uniqueness of accounts. The documents and information may also be shared with our banking partners as part of European anti-money laundering efforts.
This may involve sharing data with banking partners.
Legal basis: Art. 6(1)(c) GDPR (legal obligation)
2.2.4 Verifying Carpools and Triggering Payments
We analyze your connection and geolocation data during carpools to verify that the carpooling actually took place under the conditions defined at the time of booking, to trigger the driver’s payment, and to charge the passenger. Your trip and contact data may be shared with our anti-fraud verification partners so that they can carry out verification calls.
Legal basis: Art. 6(1)(c) of the GDPR (legal obligation for fraud prevention required by Class C of the Carpooling Proof Register).
2.2.5 Security Assurance and Improvement of Our Services
We analyse your activity and interactions with the Application to improve the offered services (e.g., improving mobile app interfaces or customer service messages).
Legal basis: Art. 6(1)(b) of the GDPR (Performance of the contract in order to ensure security, carry out proper technical diagnostics, and guarantee the proper functioning and continuous improvement of the Service).
2.2.6 Referring Friends via the Application
With your consent, the Application may access your phone contacts to send invitations. Your friends will not receive any additional commercial messages. Only the phone numbers of the selected contacts are collected and processed by Île-de-France Mobilités, via Karos acting as data processor. The selected friends’ numbers are kept for 2 months to activate a referral bonus if the contact signs up. Make sure your friends have agreed to receive such messages. .
Legal basis: Art. 6(1)(a) GDPR (consent, revocable at any time).
2.2.7 Receiving Public Subsidies or Bonuses via National programs
Spain: Participation in the Energy Savings Certificate (CAE) System
In order for the user to participate in and benefit from the Energy Savings Certificate system promoted and implemented by the Ministry for the Ecological Transition and the Demographic Challenge (MITECO), we must collect and process identifying data (such as name, last name, and DNI/NIE) and technical data about the vehicle (make, model, license plate, type of combustion), for the purpose of recording the savings generated by shared journeys and transferring them to the authorised bodies or entities for validation.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
2.2.8 Receiving Public Subsidies or Bonuses via Regional programs
In certain regions, carpoolers are eligible for public subsidies or bonuses. These amounts are received by Île-de-France Mobilités, via Karos acting as data processor, and redistributed to its Members.
In this context, certain data (e.g., date, origin, and destination of your trips, proof that the trips took place, etc.) may be provided to the public authorities granting the subsidy or bonus.
Legal basis: Art. 6(1)(b) of the GDPR (Performance of the contract to enable the management of regional programs and the calculation of subsidies).
2.2.9 Participating in Your Regional Carpooling Program
In some regions, we collaborate with local authorities like the ones managing public mobility to provide its services. In this context, we may share certain data (e.g., your name, first name, email address, phone number, transport card number, postal address...) with our partner.
Aggregated information on the use of the Application in the area may also be provided.
Legal basis: Art. 6(1)(b) of the GDPR (Performance of the contract to enable the management of regional programs and the calculation of subsidies).
2.2.10 Participating in Your Company or School’s Carpooling Program
When a company or school partners with Île-de-France Mobilités as part of a Carpooling Program: If a member chooses to affiliate with the relevant company or school, in accordance with our terms of use, Karos may share necessary identification data with the company or school for administrative management of affiliations, such as name, first name, and any other strictly required information to enable reliable identification, as a data processor.
This sharing is solely for administrative purposes, including allowing partner companies to maintain updated lists of their active employees and partner schools to maintain updated lists of their active students.
Aggregated and anonymized data on the use of the Application by Members identified as employees or students may also be provided for statistical purposes or to evaluate the program.
Individualized data (for example, for tax or compliance purposes) may also be transmitted when Members have given their consent.
In certain cases, the purposes and means of data processing may be jointly determined with the employer (for example, reporting distances traveled for tax or mobility programs). The respective responsibilities are defined in a separate agreement.
Legal basis: Art. 6(1)(b) of the GDPR (Performance of the contract to enable the calculation of subsidies).
2.2.11 Partnerships with Route-Finding Services
We have established certain partnerships to display available trips from its platform on third-party route-finding services. In this context, we may share with our partners certain data regarding our members and the trips they offer.
Legal basis: Art. 6(1)(f) GDPR (Legitimate interest in enhancing visibility of trips via partnerships while protecting user data).
2.2.12 Receiving Return Assistance
If your carpools are eligible for a return assistance program, we share your contact information and addresses with our partner transport providers.
Legal basis: Art. 6(1)(a) GDPR (consent).
2.2.13 Receiving Reserved Parking Spaces
If your carpools entitle you to a reserved parking space, we share your contact information and addresses with the relevant partner to reserve your parking space and for control purposes.
Legal basis: Art. 6(1)(a) GDPR (consent).
2.2.14 Receiving Gifts or Privileges
Your carpools or activity may entitle you to certain benefits, such as gifts, vouchers or other perks, if you participate in games organized by Île-de-France Mobilités, through Karos acting as data processor.
Legal basis: Art. 6(1)(b) GDPR (contract performance as per the terms set out in the T&Cs).
2.2.15 Growing our User Community
Newsletters: we may send periodic newsletters, in-app messages and surveys using third party partners. You may unsubscribe anytime using the link provided in the communication.
Legal basis: Art. 6(1)(a) GDPR (consent).
Contests and Giveaways: When organizing contests, participants’ data (e.g., name, email address) are processed in order to carry out the operation. The data are subsequently deleted unless otherwise required by law.
Legal basis: Art. 6(1)(a) GDPR (consent).
User feedback: To improve the services, feedback may be collected from members.
Legal basis: Art. 6(1)(a) GDPR (consent).
2.2.16 Building and Maintaining Safety and Courtesy within the Community
Within the Application, registered members can interact with each other using features such as:
Sending messages
Rating past rides
During such interactions, the following data may be visible:
Your user profile (name, age, mobile number)
Your received ratings
Messages and ratings shared with other users
When necessary, especially in cases of abnormal behaviour or user reports, we may analyze user interactions and discussions on the Application.
Legal basis: Art. 6(1)(b) of the GDPR (Performance of the contract to ensure security and compliance with community rules).
2.2.17 Special Categories of Data
We kindly ask you not to communicate, enter, or transmit, when using this service, any information that falls within the special categories of personal data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or data concerning health, sex life, or sexual orientation). Such data have no direct or necessary connection with the service offered, and we are not authorized to collect or process them, even if you consent to their use.
2.2.18 Links
Some sections of our Website and Application include links to third-party websites including social networks (e.g., Instagram, Facebook, LinkedIn, YouTube, X). Clicking these links forwards you to the respective platform, which may receive user data. Please refer to the platforms’ privacy policies for details. These sites operate under their own privacy policies. We are not responsible for their operations, including data handling.
Please refer to the privacy policies of these platforms for more details. These sites operate under their own privacy policies. We are not responsible for their operation, including their management of data.
2.2.19 Cookies and communication
We may use cookies to analyze your behavior in detail. Cookies are small text files stored on your device. They are used to ensure certain technical functionalities of the site. These data are not merged with other data. The information collected may include:
YouTube video settings and stats
Facebook ad optimisation
We differentiate between the following categories of cookies:
Marketing cookies (e.g., DoubleClick, Facebook Pixel): Used to optimise advertisements and targeted ads. These cookies are also only set with your prior consent.
Cookies to control newsletter subscription: Used to check whether a user has subscribed to the newsletter.
The data stored in cookies are used solely for the purposes described above and are not used to create complete user profiles or to track behavior beyond the specified purposes.
Legal basis: Art. 6(1)(a) GDPR (consent).
2.2.20 Management of user complaints
As part of user support and complaint handling, Île-de-France Mobilités, through Karos acting as a data processor, processes certain personal data in order to identify Members, analyze the reported situations, and provide an appropriate response.
The processing operations include, in particular:
Consultation and verification of user account information, including contact details (first name, last name, email address, phone number) and the trip history associated with the account.
Access to travel information during and outside of trips, such as GPS positions and geolocation data, when necessary to verify a trip, resolve a dispute between carpoolers, or prevent fraudulent behavior.
Access to the user database, limited to authorized customer service and technical support agents, to manage requests, ensure traceability of communications, and provide effective support.
Analysis of activity logs and connection data to diagnose technical malfunctions or identify potential misuse of the Application.
The data processed in this context are used solely for the purposes of resolving requests, preventing fraud, and improving user support.
Where applicable, they may be shared with service providers involved in handling the complaint (for example: payment providers, mobility partners, technical support), but only to the extent strictly necessary to resolve the issue.
Legal basis: Art. 6(1)(b) of the GDPR — Performance of the contract (assistance and dispute resolution).
2.2.21 Compliance with Legal Obligations
We process personal data to fulfill legal obligations, such as trade, business, or tax retention periods.
Legal basis: Art. 6(1)(c) GDPR in conjunction with applicable commercial, trade, or tax laws.
We process personal data to assert legal claims or defend against them, and to investigate or prevent criminal acts.
Legal basis: Article 6(1)(c) of the GDPR (Legal obligation for legal protection and security).
2.2.22 Automated Decision-Making / Profiling
We do not use automated decision-making or profiling as defined in Art. 22 GDPR.
3. DATA SHARING AND PROTECTION
3.1 Data Protection
Île-de-France Mobilités, with the support of Karos acting as data processor, ensures the protection of user data through state-of-the-art encryption, authentication, and fraud detection techniques. Dedicated teams work daily to protect the community from fraudulent and abusive uses.
3.2 Data Sharing with Partners
Only our internal teams have access to your data. By exception, certain data may be shared with partners and service providers, to whom they may be transmitted, subject to your consent when required. These recipients include, in particular:
Karos Mobility SAS, acting as the technical data processor appointed by Île-de-France Mobilités for the operation of the Covoit’IDFM Application;
Service providers we use to provide our services, such as payment service providers, analytics providers, hosting providers, messaging providers, debt collection services and legal counselor, identity verification providers;
Transport services implementing our return assistance program, where applicable;
Social media platforms you may link your Covoit IDFM account to, particularly during registration;
Public partners with whom we provide our services in certain territories;
Private partners who have chosen Karos for their corporate carpooling program;
Public authorities establishing a carpooling evidence register and/or paying subsidies to carpoolers through us;
Our commercial partners for our gifts and privileges program.
Here is our current list of providers we may share data with:
Payment providers: Mangopay (www.mangopay.com/privacy/)
Messaging providers: Vonage (www.vonage.com/privacy-policy), Twilio (www.twilio.com/legal/privacy), Prelude (prelude-so.notion.site/Prelude-Privacy-Cookies-Policy), Brevo (www.brevo.com/de/features/data-security/, fr.sendinblue.com/legal/privacypolicy/)
Analytics tools: Google Analytics (policies.google.com/privacy)
Customer service tools: Intercom (www.intercom.com/legal/privacy), Ringover (www.ringover.fr/confidentialite)
Hosting providers: Google Cloud (cloud.google.com/security/privacy/)
Marketing and CRM tools: Braze (www.braze.com/company/legal/privacy), Typeform (admin.typeform.com/to/dwk6gt), Google DoubleClick & Google Tag Manager (policies.google.com/privacy), YouTube (policies.google.com/privacy), SalesViewer (www.salesviewer.com/en/privacy-policy)
Fraud verification calls: Sqwad (www.sqwad.fr/politique-de-confidentialite)
Data is also shared with public authorities and partners for:
Energy savings programs (SIPLEC / PNCEE)
Regional carpooling initiatives
Employer or school carpooling programs
We only share data necessary for the specific purpose and in accordance with Art. 28 GDPR (data processor agreements) or Art. 26 GDPR (joint controllership agreements).
We anonymise and aggregate trip information, routes, and certain user profile characteristics to produce usage statistics intended for third parties.
3.3 Data Retention Periods
We undertake, in accordance with the provisions of the GDPR, to retain personal data only for as long as necessary for the purposes for which they are processed:
Account data: until a closure request or 2 years after last use;
Financial data: legal accounting and tax retention period;
Public subsidies or grants: duration required by regulations;
Geolocation data: 1 year;
Suspended/blocked account: 5 years;
User-generated content: anonymized after account deactivation, unless otherwise required by law.
3.4 Security Measures
We implement appropriate security measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and any other processing that does not comply with our privacy policy.
4. DATA CONTROL AND ACCESS
According to GDPR, you have the following rights:
Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to withdraw consent
Right to object (Art. 21 GDPR)
Right to lodge a complaint (Art. 77 GDPR)
You can exercise your rights by sending a request to dpo@iledefrance-mobilites.fr. Proof of identity will be required.
You may also contact rgpd@karos.fr (technical data processor).
In the event that your rights are not respected, you may lodge a complaint with the CNIL or any other competent authority.
You can also delete your Covoit IDFM account directly from the Application.
5. DATA TRANSFER TO THIRD COUNTRIES
With the exception of the processing operations listed below, your data used for the operation of the Service are processed within the European Union.
Purpose | Partner and country to which your data are transferred | Transfer safeguards |
Tracking of promotional campaigns | Branch - US | Data Processing Agreement (DPA) |
Tracking of statistical usage data and management of advertising campaigns | Google Analytics & Tag Manager - US | Data Processing Agreement (DPA) |
Occasional user surveys | Typeform - US | Data Processing Agreement (DPA) |
Confirmation SMS and SMS journeys | Vonage - US | Data Processing Agreement (DPA) |
Statistical tracking of Application usage | Amplitude - US | Data Processing Agreement (DPA) |
We carry out these transfers on the basis of the Standard Contractual Clauses (SCCs) approved by the European Commission.
6. CHANGES TO THIS PRIVACY POLICY
We reserve the right to change this privacy policy at any time.
Application members are informed directly in the Application and must comply with them to continue using the services.
Unless otherwise stated, such changes are effective upon publication.
We recommend checking this policy regularly.