Privacy Policy

Updated yesterday

We process personal data in strict compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains how Karos Mobility SAS ("Karos") handles your personal data when you use our websites ("Website") or Karos and goFLUX mobile applications ("Applications").

Karos's registered office is located at 10 rue de la Paix, 75002 Paris, France. For any questions regarding data protection, you may contact our Data Protection Officer (DPO) at rgpd@karos.fr.

1. DEFINITIONS

For the purposes of this policy:

  • "Application" means the Karos and goFLUX mobile applications.

  • "Member" means any user who has created an account through the Interface.

  • "Trip" means the journey completed by a driver and passenger.

  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.

  • "Website" means the websites presenting the Application operated by Karos and containing a download link, accessible at the following addresses:

2. COLLECTION AND PROCESSING OF PERSONAL DATA

2.1 Type of Data Collected

During your use of our services, we may collect and process the following categories of personal data. This information enables us to provide, operate, and improve our services:

  • Identification Data: Name, first name, postal and email addresses, mobile phone number, gender, date of birth, profile photo.

  • Authentication and Verification Data: Copies of identity documents, driving license, proof of residence.

  • Geolocation Data: Information collected during and outside trips to suggest carpooling matches and verify completed rides.

  • Payment Data: Bank card numbers, IBAN account number, transaction details.

  • Vehicle Data: Reference of the vehicle (make, model, colour, registration plate, fuel type, Crit’Air sticker).

  • Employment and Affiliation Data: Employer name, public transport subscription number, photo of transport card (when affiliated with an employer or public transport program).

  • Connection Data: connection logs, encrypted passwords.

  • Browsing Data: IP address, date and time of connection, browser used, operating system, user ID, MAID.

  • Usage Data: Data about trips (time, duration, etc.) and more generally information about your interactions with the Application and the services.

This data may be collected directly from you (e.g., during account creation) or indirectly through your use of the Application.


2.2 Legal Bases and Purposes

2.2.1 Account Creation and Management

To benefit from our services, you must create a user account. During this process, we collect certain information about you. This processing is based on our contractual obligations. Mandatory fields include the following information:

  • First and last name

  • Email address

  • Mobile phone number

  • Street and house number

  • Postal code

  • City

  • Country

Optional fields may include the following information:

  • Gender

  • Date of birth

  • Profile photo

  • ID documents

  • Driver’s license

  • Geolocation information

  • Credit card numbers

  • IBAN

  • Vehicle reference (make, model, color, fuel type, license plate)

  • Employer

  • Public transportation subscription number

  • Photo of transit ticket

  • Favorite addresses

After successful registration, you can update your data.

Alternatively, you may register using “Sign in with Apple” or through single sign-on (SSO) with a public transport provider account. In such cases, we only receive the data you authorize for sharing. Refer to the privacy policy of the respective provider for more information.

Legal basis: Art. 6(1)(b) GDPR (contract performance)


2.2.2 Providing our Carpooling Services

To enable you to benefit from our carpooling service, we may:

  • Create a public user profile for you on the Application, visible to other community members.

  • Analyse your travel data (e.g., departure and arrival time and locations), including geolocation data, to suggest suitable rides for you.

  • Share your personal data with members you are carpooling with (e.g., name, age, ratings, company name (if provided), profile information, etc.).

  • Share your geolocation with members you are carpooling with to facilitate meeting.

  • Communicate with you – for example, to confirm a reservation or provide customer service.

  • Process payments, via our payment providers, for completed trips and transfers from your balance to your bank account. Payment processing includes a mandatory KYC (Know Your Customer) identity verification as required by anti-fraud and anti-money laundering laws.

Legal basis: Art. 6(1)(b) GDPR (contract performance)


2.2.3 Verifying Member Identity

In certain cases, Karos may request documents such as a driving license, proof of identity, and/or proof of residence. Data is processed via a secure interface with a third-party verification service.

These documents and the information they contain are used for security purposes to verify the member’s age, authenticity, and uniqueness of accounts. The documents and information may also be shared with our banking partners as part of European anti-money laundering efforts.

This may involve sharing data with banking partners.

Legal basis: Art. 6(1)(f) GDPR (legitimate interests), Art. 6(1)(c) GDPR (legal obligation), Art. 88(1) GDPR in conjunction with § 26(1) BDSG (Germany)


2.2.4 Verifying Carpools and Triggering Payments

Karos analyses your geolocation data during carpools to verify that the carpool occurred and to trigger payment to the driver and debit the passenger.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in fraud prevention)


2.2.5 Improving Our Services

We analyse your activity and interactions with the Application to improve our services (e.g., improving mobile app interfaces or customer service messages).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service improvement)


2.2.6 Referring Friends via the Application

With your consent, the Application may access your phone contacts to send invitations. Your friends will not receive any additional commercial messages. Only the phone numbers of selected contacts are collected and processed by Karos. The selected friends’ numbers are kept for 2 months to activate a referral bonus if the contact signs up. Make sure your friends have agreed to receive such messages.

Legal basis: Art. 6(1)(a) GDPR (consent, revocable at any time)


2.2.7 Receiving Public Subsidies or Bonuses via National programs

Spain: Participation in the Energy Savings Certificate (CAE) System

In order for the user to participate in and benefit from the Energy Savings Certificate system promoted and implemented by the Ministry for the Ecological Transition and the Demographic Challenge (MITECO), we must collect and process identifying data (such as name, last name, and DNI/NIE) and technical data about the vehicle (make, model, license plate, type of combustion), for the purpose of recording the savings generated by shared journeys and transferring them to the authorised bodies or entities for validation.

Legal basis: Art. 6(1)(b) GDPR (contract performance)

2.2.8 Receiving Public Subsidies or Bonuses via Regional programs

In certain regions, carpoolers are eligible for public subsidies or bonuses. These amounts are received by Karos and redistributed to its members.

In this context, Karos may be required to provide certain data (e.g., date, origin, destination of your carpools, proof that carpools occurred...) to the public authorities granting the subsidy or bonus.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)


2.2.9 Participating in Your Regional Carpooling Program

In some regions, Karos collaborates with local authorities like the ones managing public mobility to provide its services. In this context, we may share certain data (e.g., your name, first name, email address, phone number, transport card number...) with our partner.

We also provide aggregated information about Karos usage in the area.

Legal basis: Art. 6(1)(f) GDPR (Legitimate interest in enabling regional carpooling programs and improving mobility services)


2.2.10 Participating in Your Company or School’s Carpooling Program

When a company or school partners with Karos:

  • If a member chooses to affiliate with the relevant company or school, in accordance with our terms of use, Karos may share necessary identification data with the company or school for administrative management of affiliations, such as name, first name, and any other strictly required information to enable reliable identification, as a data processor.

  • This sharing is solely for administrative purposes, including allowing partner companies to maintain updated lists of their active employees and partner schools to maintain updated lists of their active students.

  • We also provide them with certain aggregated and anonymised data on the platform’s use by Karos members who have identified themselves as their employees or students, for statistical purposes or to evaluate the program.

  • We may also provide them with certain individualised data (e.g., for tax or compliance purposes) when members have given their consent.

  • In some cases, we and your employer jointly determine the purposes and means of data processing (e.g., reporting ride distances for tax or mobility programs). Responsibilities are defined in a separate agreement.

Legal basis: Art. 6(1)(f) GDPR (Legitimate interest in enabling regional carpooling programs and improving mobility services) and Art. 6(1)(a) GDPR (Consent) for individualised data.


2.2.11 Partnerships with Route-Finding Services

Karos has established certain partnerships to display available trips from its platform on third-party route-finding services. In this context, we may share with our partners certain data regarding our members and the trips they offer.

Legal basis: Art. 6(1)(f) GDPR (Legitimate interest in enhancing visibility of trips via partnerships while protecting user data)


2.2.12 Receiving Return Assistance

If your carpools are eligible for a return assistance program, we share your contact information and addresses with our partner transport providers.

Legal basis: Art. 6(1)(a) GDPR (consent)


2.2.13 Receiving Reserved Parking Spaces

If your carpools entitle you to a reserved parking space, we share your contact information and addresses with the relevant partner to reserve your parking space and for control purposes.

Legal basis: Art. 6(1)(a) GDPR (consent)


2.2.14 Receiving Gifts or Privileges

Your carpools or activity may entitle you to certain benefits, such as gifts, vouchers or other perks, if you participate in the games we offer.

Legal basis: Art. 6(1)(b) GDPR (contract performance as per the terms set out in the T&Cs)


2.2.15 Growing our User Community

We carry out various actions to grow our community of members:

  • Newsletters: we may send periodic newsletters, in-app messages and surveys using third party partners. You may unsubscribe anytime using the link provided in the communication. Legal basis: Art. 6(1)(a) GDPR (consent)

  • Contests and Giveaways: we may organize contests. We process participant data (e.g., name, email) to conduct contests. Data is deleted afterward unless legally required otherwise. Third-party sharing only occurs if necessary (e.g., for sending prizes). Legal basis: Art. 6(1)(a) GDPR (consent)

  • User feedback: To improve our services, we may also contact you to provide user feedback. Legal basis: Art. 6(1)(f) GDPR (Legitimate interest in improving our services)


2.2.16 Building and Maintaining Safety and Courtesy within the Community

Within the Application, registered members can interact with each other using features such as:

  • Sending messages

  • Rating past rides

During such interactions, the following data may be visible:

  • Your user profile (name, age, mobile number)

  • Your received ratings

  • Messages and ratings shared with other users

When necessary, especially in cases of abnormal behaviour or user reports, Karos analyses user interactions and discussions on the Application. Karos has a team of moderators.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in delivering safe services)


2.2.17 Special Categories of Data

Special categories of data (Art. 9 GDPR), which include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, biometric or health data, or data concerning sexual life or orientation, are not explicitly requested nor intentionally collected. If they are explicitly provided, it is with the user's consent.


2.2.18 Links

Some sections of our Website and Application include links to third-party websites including social networks (e.g., Instagram, Facebook, LinkedIn, YouTube, X). Clicking these links forwards you to the respective platform, which may receive user data. Please refer to the platforms’ privacy policies for details. These sites operate under their own privacy policies. We are not responsible for their operations, including data handling.

If you send information to or via such third-party sites, please review their privacy policies before submitting any personally identifiable information. This applies especially to websites of partners mentioned in the rewards program.


2.2.19 Informational Use of the Website

You can use our Website without providing personal information. We do not store any personal data, except for the technical information automatically transmitted by your browser:

  • IP address

  • Port number

  • Referrer URL (the address of the previously visited site)

  • Browser type and version

  • Operating system used

  • Screen resolution and inner window size

  • JavaScript and cookies enabled

  • Date and time of access

Legal basis: Art. 6(1)(f) GDPR (legitimate interest for ensuring a smooth connection and to guarantee technical security)


2.2.20 Cookies and Tracking technologies

To make our Website user-friendly, we use analytics tools and cookies for detailed analysis of your behaviour. Cookies are small text files stored on your device. They are used to provide technical functionality of the Website. This data is not merged with other data. Possible data collected includes:

  • Login or return visit status

  • User behaviour analysis

  • YouTube video settings and stats

  • Facebook ad optimisation

We differentiate between the following categories of cookies:

  • Necessary cookies: These are technically required to ensure the basic functions of the Website.

  • Analytics cookies (e.g., Google Analytics): Used to statistically evaluate user behaviour. These cookies are only set with your explicit consent.

  • Marketing cookies (e.g., DoubleClick, Facebook Pixel): Used to optimise advertisements and targeted ads. These cookies are also only set with your prior consent.

  • Cookies to control newsletter subscription: Used to check whether a user has subscribed to the newsletter.

Some features of our Website cannot be provided without the use of cookies. Data stored in cookies is used only for the purposes described here and not to create comprehensive user profiles or track behaviour outside the stated purposes.

Legal bases for processing cookie data:

  • Contract performance: Art. 6(1)(b) GDPR (contract performance - e.g., using the Website to access Application information)

  • Necessary cookies: Art. 6(1)(f) GDPR (technical necessity)

  • Analytics and marketing cookies: Art. 6(1)(a) GDPR (user consent)

  • Legitimate interests: Art. 6(1)(f) GDPR (Website availability, optimisation, cyber risk prevention – with right to object)

If you access our Website from the Application, we do not use analytics or tracking cookies—unless you give explicit consent. Only technically necessary cookies will be used.


2.2.21 Active Use of the Website

In addition to purely informational use, we also allow you to actively contact us, apply for a position, or subscribe to our newsletter. For these activities, we process additional personal data necessary to respond to your request.

  • User inquiries: To respond to your inquiries (e.g., via contact form or email), we process the information you provide—such as name, email address, and message content. If you are contacted by phone, we also collect your phone number and first and last name.

Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in appropriately responding to customer inquiries outweighs the user’s interest in not processing this data). You have the right to object to this processing (see section “Your Rights”).

  • Applicant data: During the application process, we typically collect the following data:

    • First and last name

    • Academic title (if applicable)

    • Date and place of birth

    • Contact details (address, email, phone/mobile)

    • Application documents (cover letter, resume, certificates)

    • Language skills and other qualifications

    • Additional information you provide during the application. This may include special categories of personal data, which you submit voluntarily—despite our request not to do so.

This data is used to make hiring decisions and is processed in accordance with statutory provisions.

Legal basis: Art. 88(1) GDPR in conjunction with § 26(1) sentence 1 BDSG (new)


2.2.22 Compliance with Legal Obligations

We process personal data to fulfill legal obligations, such as trade, business, or tax retention periods. Legal basis: Art. 6(1)(c) GDPR in conjunction with applicable commercial, trade, or tax laws

We process personal data to assert legal claims or defend against them, and to investigate or prevent criminal acts. Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in legal protection and security)


2.2.23 Automated Decision-Making / Profiling

We do not use automated decision-making or profiling as defined in Art. 22 GDPR.


3. DATA SHARING AND PROTECTION

3.1 Data Protection

Karos ensures the protection of user data through state-of-the-art encryption, authentication, and fraud detection techniques. Dedicated teams work daily to protect the community from fraudulent and abusive uses.


3.2 Data Sharing with Partners

In general, only our employees have access to your data. In addition, Karos may transmit data concerning you to certain partners and service providers, subject to your consent where required. These data recipients notably include:

  • Service providers we use to provide our services, such as payment service providers, analytics providers, hosting providers, messaging providers, debt collection services, legal counsel, and identity verification providers;

  • Transport services implementing our return assistance program, where applicable;

  • Social media platforms you may link your Karos account to, particularly during registration;

  • Public partners with whom we provide our services in certain territories;

  • Private partners who have chosen Karos for their corporate carpooling program;

  • Public authorities establishing a carpooling evidence register and/or paying subsidies to carpoolers through us;

  • Our commercial partners for our gifts and privileges program.

Here is our current list of providers we may share data with:

Data is also shared with public authorities and partners for:

  • Energy savings programs (SIPLEC / PNCEE)

  • Regional carpooling initiatives

  • Employer or school carpooling programs

We only share data necessary for the specific purpose and in accordance with Art. 28 GDPR (data processor agreements) or Art. 26 GDPR (joint controllership agreements).

Karos anonymises and aggregates trip information, routes, and certain user profile characteristics to produce usage statistics intended for third parties.


3.3 Data Retention Periods

Karos undertakes, in accordance with the provisions of the GDPR, to retain personal data only for as long as necessary for the purposes for which they are processed:

  • Account data: your account data is retained until you request account closure or 2 years after your last use of our service if you have not closed your account.

  • Financial data (e.g., payments, refunds, etc.): data is retained for the period required by applicable tax and accounting laws.

  • Public subsidies or bonuses: Data required for public subsidies or bonuses is retained for the period required by the regulations of the relevant systems.

  • Geolocation data: data is retained for 1 year.

  • Suspended/blocked account: In the event an account has been suspended or blocked, we retain the data for 5 years from the suspension date to prevent circumvention of the platform’s rules.

  • User-generated content (e.g., ratings and comments): data is anonymised after account deactivation—unless otherwise specified. Once limitation periods expire, we delete your data—unless legal retention obligations exist (e.g., per §§ 238, 257(4) HGB or § 147(3), (4) AO), which may require storage for 2–10 years.


3.4 Security Measures

Karos implements appropriate security measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and any other processing that does not comply with our privacy policy.


4. DATA CONTROL AND ACCESS

According to GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR): Request confirmation and details on the processing of your data, including copies.

  • Right to rectification (Art. 16 GDPR): Have incorrect or incomplete data corrected.

  • Right to erasure (Art. 17 GDPR): Have your data deleted—unless required for legal compliance or legal defense.

  • Right to restriction of processing (Art. 18 GDPR): Temporarily block processing under certain conditions.

  • Right to data portability (Art. 20 GDPR): Receive your data in a structured, commonly used, machine-readable format.

  • Right to withdraw consent: Withdraw any consent given with future effect.

  • Right to object (Art. 21 GDPR): Object to processing based on Art. 6(1)(f) or (e) GDPR. We will stop processing unless overriding reasons apply or legal claims are involved.

  • Right to lodge a complaint (Art. 77 GDPR): File a complaint with a supervisory authority—typically where you reside.

You can exercise your rights by sending a request to rgpd@karos.fr. Proof of identity will be required.

If you believe that your rights are not being respected, you may lodge a complaint with the French Data Protection Authority (CNIL) or any other competent authority. You can close your Karos account directly in the Application under the “help” section.


5. DATA TRANSFER TO THIRD COUNTRIES

When using Google tools (e.g., Google Analytics), your IP address may be transferred to the USA.

This transfer is based on Standard Contractual Clauses (SCCs) approved by the European Commission.


6. SCOPE OF YOUR OBLIGATION TO PROVIDE DATA

In general, you are not required to provide personal data. However, without it, we may not be able to:

  • Provide the Website or Application

  • Respond to your inquiries

  • Conclude or fulfill contracts


7. CHANGES TO THIS PRIVACY POLICY

We reserve the right to change this privacy policy at any time.

Application members are informed of changes directly in the Application and must comply with them to continue using the services.

Updates will be published here.

Unless otherwise stated, such changes are effective upon publication. We recommend checking this policy regularly.
