Version: December 2022
The information provided below gives you an overview over the processing of your personal data by us and your rights under data protection law applicable in the Cayman Islandsin connection with the use of our app for procuring Journeys for Drivers (“THUMB Driver App”).
Which of your personal data is processed is substantively determined based on the services or products you use.
Table of Contents
- Information Regarding the Data Controller
- Data Processing Activities and Purposes
- Data Exchange within the THUMB Group
- Processing in-/outside of the European Union / European Economic Area
- Your Rights
- Data Security
- Storage Period
- Updates and Changes
1. Information Regarding the Data Controller
For Drivers in the Cayman Islands the data controller is:
Thumb Ltd (“THUMB“)
P.O. Box 505
“Personal data” is all information which relates to an identified or identifiable natural person. Among these are, for example, name, postal address, e-mail address or telephone number, but also usage data like your IP address.
“THUMB Group” consists of Haulmont UK Sherlock, Haulmont.
“Processing” is every process carried out with or without automated assistance or every sequence of such processes in connection with personal data, e.g. obtaining, capturing, organising, ordering, saving, adjusting or modifying, sorting, accessing, using, disclosing by transmission, distributing or any other form of making available, comparing or connecting, limiting, deleting or destroying.
“Journey” is every tour intermediated between a Passenger and a Driver through the THUMB Driver application.
3. Data Processing Activities and Purposes
Below, we will inform you about the various types of personal data we process and for what purpose(s). The THUMB Driver App makes it possible for you to procure Journeys through us with Passengers. For the use of our THUMB Driver App for procurement of Journeys, you must provide personal data which we process in order to perform the respective service. If additional information can be voluntarily shared, these are indicated as being “optional“.
3.1. Journey Procurement
To procure journeys through us, the following personal data is processed:
3.1.1. General including on-boarding
To register for use of the THUMB Driver App, you must provide the following information:
First name and surname, date of birth, city, country, e-mail address, fax number, mobile phone number, information regarding your license, your GPS coordinates while being logged in to the THUMB Driver App and the same at time of booking, at the start, during the course of and at the destination of a particular Journey, information regarding your end user device (Device ID, time of access of the THUMB Driver App, browser type and operating system), information regarding the Transportation Company (for Drivers who are employees), company address (for Drivers who are, at the same time, sole proprietors), statements regarding ratings by Passengers (1 to 5 stars for the Driver and the vehicle as well as the average rating), license plate number, color and make of the vehicle, readiness status, user ID, number of Journeys, revenue, rate of concluding or breaking off Journeys, statements regarding payment by the Passenger including tips and, in encrypted form, the password you have selected, profile picture (optional input).
If you have registered with the THUMB Driver App, but have not completed the Driver on-boarding process, we may contact you using the email address and phone number that you provided during the registration process to remind you that the on-boarding is not yet complete. We rely on our legitimate interests in resourcing our business to carry out this processing.
You can consent to the usage of your GPS coordinates by THUMB during the installation of the THUMB Driver App. Via the operating system of your end user device (smartphone, tablet, etc.), you can also consent to the usage of your GPS coordinates by THUMB at a later point in time or withdraw your consent. In the absence of you sharing your GPS coordinates with us, we cannot procure Journeys for you or, as it may be, for your Transportation Company, since we communicate Passenger requests based on location in order to arrive at a short time delay until arrival.
For purposes of identification, we show your GPS coordinates as well as your name and, insofar as it has been provided to us, your profile picture and the license plate number to the Passenger who has booked a Journey with you. After accepting the Journey, during the Journey and for a certain period of time after the conclusion of the Journey, the Passenger is able to call you via the THUMB Passenger App. For this, we are using a phone number masking service (see point 3.1.2). In this way the Passenger can still call you after a Journey in order to ask, for example, about items forgotten in the vehicle but is not able to see your phone number at any time.
Without the processing of the foregoing personal data, we cannot procure any Journeys for you through your Transportation Company. This does not apply to optional inputs.
3.1.2. Multi-factor authentication and phone number masking via Twilio
For security reasons, when you register for the first time or log in from a new mobile device in the THUMB Driver App, we verify your registration with a code via SMS or email (“multi-factor authentication”). We use the service provider Twilio Inc. 375 Beale St, Suite 300 San Francisco, CA 94105, USA (“Twilio”) to send the SMS. In order to best protect your data, we also use Twilio’s calling service to mask your phone number to the relevant passenger. The passenger will still be able to call you (via Twilio) but will not know your phone number.
Legal basis to use the services of Twilio is our legitimate interest pursuant to improve the security of our services.
We have entered into a data processing agreement with Twilio to ensure that your personal data will only be processed in accordance with our instructions and with applicable data protection law. The lawfulness of the data transfer to the USA is ensured by Twilios’ binding corporate rules. Additionally, standard contractual clauses (SCCs) have been concluded. Further information on the privacy settings of Twilio can be found at www.twilio.com/legal/privacy.
3.1.3. Contact with THUMB
THUMB provides several means of contact for its customers such as our online contact form: https://thumb.ky/. You can further contact THUMB per letter or phone. Whenever you get in touch with THUMB, we store and process your personal data.
Depending on the means of contact you chose, THUMB is processing the following of your personal data:
name, e-mail address, country, phone number, voice recordings, content of your messages, attachments
Legal basis for this processing generally is our legitimate interest, in responding to your messages. When you initiate a contact in order to enter into a contract or because of a contract with THUMB.
To use our online form you are only required to provide us with your e-mail address for us to respond to your message. Communication with THUMB is deleted after 3 years, based on our legitimate interest, for the establishment, exercise or defence of legal claims.
When calling THUMB your phone call may be recorded, based on our legitimate interest in improving our customer service quality, training our agents and verifying call contents. Call recordings get automatically deleted after 90 days. You can object to the processing of your personal data, please contact us at https://thumb.ky/ or or send a formless letter to the address given at the top.
Parts of your communications with THUMB concerning individual passengers may be subject to disclosure to those passengers exercising their rights. Where THUMB receives such a request, it will either seek your consent to disclose any information which identifies you or where it is reasonable to comply with the request without your consent (such as when the passenger is already aware of your identity), THUMB will take steps to minimise and redact information about you.
3.1.4. Integration of Google Maps
In order to make it possible to conduct payment pursuant to the respectively applicable “THUMB Procurement Framework Agreement” and the respectively valid “Terms and Conditions for Taxi Companies”, the following personal data will be processed for the purpose of performance of the contract:
Your first name and surname, the number of Journeys, revenue and, if you are yourself a Transportation Company, information regarding payments and bank account.
3.3. Rating of Drivers and Passengers
Via the THUMB Passenger App, Passengers can rate you and your vehicle after a Journey with between 1 to 5 stars. The individual rating flows into the average value which we have determined for you and your vehicle. The individual rating is only visible to the respective Passenger who provides it, to you as the Driver and to THUMB. For Drivers who are employed with a Transportation Company, we only transmit the individual rating to your Transportation Company with your consent.
Further, Passengers can add Drivers as favorite Drivers in their THUMB Passenger App profiles. In this context, your first name and surname, your rating and the profile picture will be saved in the THUMB Passenger App of the respective Passenger.
The processing of this data takes place on the basis of our legitimate interest to ensure a reasonable standard of quality and ensure Passenger security.
Beyond this, you have the possibility of rating Passengers. The ratings are only visible to THUMB and will only be transmitted to the affected Passenger upon request in an anonymised form. The processing of personal data by THUMB will take place on the basis of your consent which you have given by providing a rating.
3.4. Fraud Prevention
THUMB is invested to make its platform a secure space for passengers and drivers. Therefore, THUMB has implemented measures to detect and prohibit fraudulent behaviour in order to protect passengers and drivers. Also, THUMB wants to reduce the risk of financial damages due to fraudulent behaviour. For this reason THUMB will conduct an evaluation of risk for fraudulent behaviour on the basis of a mathematical-statistical model (scoring). This processing is based on the abovementioned legitimate interest.
To determine the score, the following personal data will be processed:
- Passenger and Driver data such as: phone number, email address, name, device identifiers,
- Tour data such as: length of the tour, distance to the passenger, used incentives, tour value, starting location and destination location,
- Payment data such as: payment method.
The values stemming from this data are compared to a set of previously defined scenarios that indicate fraudulent behaviour. Based on the number of scenarios that we identify, our fraud prevention service provider will calculate a score revealing the likelihood of fraudulent behaviour. Based on that score a specially trained THUMB employee will further investigate if there can be any confirmation of fraudulent behaviour. The score will not be used for any automated decision-making. Any actions taken will never be justified by the score and will always involve human oversight.
3.4.2 GPS Tracking
In order to prevent fraudulent activity, we store your GPS location data sent to us by your mobile device at short intervals from the time of acceptance until the end of a tour. This allows THUMB to create a map of the entire course of a tour. In this way, we want to ensure that drivers do not deliberately extend the route in order to achieve a higher fee. At the same time, we can rectify unjustified passenger complaints by being able to follow the actual course and route to a tour. The processing of your GPS location data during a tour takes place for your own protection, as well as for the protection of the passenger and for our protection.
3.5. Bug Fixing and Functionality Improvements
In order to fix bugs in the THUMB Driver App and to improve functionality of the THUMB Driver App and to adjust it to suit the needs of Drivers, we process the following personal data on the basis of our legitimate interest:
First name and surname, date of birth, city, country, e-mail address, fax number, mobile phone number, information regarding your license, your GPS coordinates while being logged into the THUMB Driver App and at the time of booking, time of starting and during the course and at the destination of a particular Journey, information regarding your end user device (Device ID, time of access of the THUMB Driver App, browser type and operating system), information regarding the Transportation Company (for Drivers who are not themselves Transport Companies), company address (for Drivers who are, at the same time, Transportation Companies), information regarding the rating of Passengers (1 to 5 stars for the Driver and the vehicle as well as the average rating), license plate, color and make of the vehicle, readiness status, user ID, number of Journeys, revenue, rate of concluding or breaking off Journeys, statements regarding payment by the Passenger including tips and, in encrypted form, the password you have selected.
Inasmuch as it is sufficient for the performance of the respective purpose, we work with anonymous data and not with personal data.
3.6. News & Personalised Offers
When you provide THUMB the permission to send push notifications during THUMB Driver App installation, THUMB will send you push notifications based on your provided consent. This consent is overridden if, in the context of the registration process or later in the profile of the THUMB Driver App under the rubric “Privacy“, consent is given to receive news & personalized offers (advertising, coupons and special offers) and to show usage-based advertising („Retargeting“), and the correspondingly placed toggle has been activated, you will receive offers and advertising from us, and also for products and services of other companies of the THUMB Group. In this respect, your end user device (smartphone, tablet, PC, etc.) will receive personalized advertisements via electronic post (e-mail, SMS, MMS) or by another electronic means (via in-app messages, push messages).
In connection with this, we process the following personal data, insofar as you have given us the corresponding consent:
First name and surname, driver ID, e-mail address, business address, mobile phone number, profile picture (optional input), registration data, language setting, type of Journey (booking, try-out ride), version of the THUMB Driver App, login information, your GPS location data at the time of the booking and at the time of the end of the Journey or, as it may be, the pickup and destination locations, device ID (device identifier), IDFA (advertising identifier Apple Identifier for Advertisers), IFV (advertising identifier, Identifier Vendor), GAID (Google Advertising Identifier), IP address and usage data (usage frequency, information relating to the downloading of the THUMB Driver App, status of the registration of Journeys), language, time zone and city.
If you do not wish to receive the foregoing stated news & personalized offers, you can – just as easily as you consented – withdraw your consent by activating the corresponding toggle. Of course, you can also contact us via https://thumb.ky/ or send a formless letter to Thumb Ltd, P.O. Box 505, George Town, Grand Cayman, KY1-1110.
Please note that the withdrawal and ensuing changes are valid only for the future and will be effective or, as it may be, implemented by no later than 48 hours from withdrawal. This is for reasons of a technical nature, which do not permit faster implementation.
3.6.2. Direct Advertising for Existing Customers
If, in connection with the performance of our procurement services, we have received your e-mail address or mobile phone number and you have completed at least one Journey which we procured, we will use these exclusively for our own direct advertising of our own products and services via electronic post (e-mail, SMS and MMS), unless you have rejected such direct advertising. To this purpose, on the basis of our legitimate interest, we process the following data: e-mail address and mobile phone number. Our legitimate interest lies in intensifying customer relationships by proposing appropriate and interesting product information. The objection to direct advertising is possible at any time with effect for the future by clicking on the corresponding link in a relevant e-mail (e.g. to unsubscribe to a newsletter) or by contact via SMS. The direct advertisement sent by us is not personalized. Please take into account that the objection and the modifications required thereby are valid only for the future and will be effective or, as it may be, implemented by no later than 48 hours from withdrawal. This is for reasons of a technical nature, which do not permit faster implementation.
3.6.3. Sending news and service communications
For sending news, service communication and advertising e-mails, SMS, service communications and in-app messages, we make use of the service provider Mailgun Technologies, Inc., a Delaware corporation (“Mailgun”).
The personal data processed includes
- contact data, e.g. e-mail address, phone number, name
- location data, e.g. language, country, city
- content data, e.g. tour data, incentives data
- usage data, e.g. log-in times, log-out times
We have concluded data processing agreements with our service providers which ensures that the service provider exclusively processes your personal data pursuant to our instructions and in accordance with current data protection law.
We have concluded standard contractual clauses (SCCs) with Mailgun to ensure an adequate level of data protection when processing your data.
Our legitimate interest in the engaging of these service providers lies in the professional and reasonable organization of automated processes in an economically sensible way which makes it possible to provide you a positive user experience.
You can object to data processing at any time by sending a message via https://thumb.ky/.
3.7. Studies & Surveys
If you have consented in the course of the registration process or, later, in the profile of the THUMB Driver App under “Data Protection“, to receive studies & surveys, and have activated the corresponding toggle, we will contact you after a Journey or at some other time in the context of personalized (sent only to you and based on an analysis of the THUMB Driver App usage frequency) studies & surveys sent by electronic post (e-mail, SMS, MMS) or otherwise electronically (in-app messages, push messages) and request your participation. For example, we carry out quest campaigns at regular intervals, with the help of which we aim to increase and optimise the tours we arrange. In studies and surveys, the following personal data may be processed by us in accordance with Art. 6 (1) a) GDPR:
First name and surname, Driver ID, e-mail address, business address, mobile phone number, profile picture (optional input), method of payment, registration data, language set, THUMB Driver App profile (business or private customer), type of Journey (booking, try-out ride), THUMB Driver App version, login information (user name), your GPS coordinates at the time of booking and at the end of the Journey and usage data (usage frequency, information regarding the download of the THUMB Driver App, status of registrations or Journey), registration data, date of last login, push tokens, Device ID (device identifier), IDFA (advertising identifier, Apple Identifier for Advertisers), IFV (advertising identifier, Identifier Vendor), GAID (Google Advertising Identifier) and IP address
If you do not wish to be contacted in this regard, you can – just as easily as you gave consent – declare your withdrawal by accordingly activating the “Studies & Surveys” toggle. Of course, you can also contact us via https://thumb.ky/ or send a formless letter to Thumb Ltd, P.O. Box 505, George Town, Grand Cayman, KY1-1110, Cayman Islands.
Please note that the withdrawal and ensuing changes are valid only for the future and will be effective or, as it may be, implemented by no later than 48 hours from the withdrawal. This is for reasons of a technical nature, which do not permit faster implementation. In case of withdrawal, we reserve the right to process your personal data in anonymous form for internal analysis purposes.
3.8.2. Links to social networks Instagram, Twitter, LinkedIn, Xing, YouTube
On our website and in our newsletters we link our accounts on other social media platforms Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; „Instagram“), LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; „LinkedIn“); Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland; „Twitter“), YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; „YouTube“) and Xing (New Work SE, Dammtorstraße 30, 20354 Hamburg, UKy; „Xing“) via the icon of the respective social network. When you click the links or visit our pages on the platform directly, you are on the website of the respective social media platform. The general terms and conditions and privacy policies of the respective social media network provider. We would like to inform you that we do not receive any information about the content and extent of the data processing performed by the social media network. Information on how the respective social media platform handles your data can be found in the following privacy policies:
- for Instagram under http://instagram.com/about/legal/privacy/
- for LinkedIn under https://www.linkedin.com/legal/privacy-policy
- for Xing under https://privacy.xing.com/en und https://privacy.xing.com/en/privacy-policy
- for Twitter under: https://twitter.com/en/privacy and https://help.twitter.com/en/rules-and-policies/twitter-cookies
- for YouTube: https://policies.google.com/privacy?hl=en&gl=de
We process personal data on our social media pages as far as the user interacts with us directly, by commenting or liking our posts or sending messages. Legal basis for this kind processing is the user‘s consent. As the case may be, we share content on our social media page, if this is a function of the social media platform and communicate with you via this platform. The processing is performed due to a legitimate interest in public relations and communications.
4. Data Exchange within the THUMB Group
For internal administration and standardization purposes, we may transfer personal data of drivers or passengers within the THUMB Group.
4.1. Joint Controller Agreement
THUMB has entered into a Joint Controller Agreement with Haulmont UK, Labs House, 15-19 Bloomsbury Way, WC1A 2TH. The Parties have jointly determined the order of the processing of your personal data in each section of processing.
The purpose of this agreement is to unify the handling of Driver data and billing across the entire THUMB Group. The Parties jointly agreed on which obligations each party fulfils.
Haulmont UK is processing jointly the Drivers’ personal data of THUMB to improve the software of the THUMB Driver application and provide technical know-how to THUMB. THUMB is responsible for all data processing with regard to the local usage of the THUMB Driver application.
Despite the existence of a joint controllership, the Parties fulfil the obligations under data protection law in accordance with their respective competences. The Parties shall provide any information referred to in Articles 13 and 14 GDPR to you free of charge in a concise, transparent, intelligible and easily accessible form, using clear and plain language. For this purpose, each Party shall provide the other Party with all necessary information relating to their respective operating range. The Parties shall immediately inform each other about the exertion of your rights and provide the other Party with all necessary information referred to the right of access. Pursuant to Articles 15 through 22 GDPR, you may exercise your rights under the GDPR in respect of and against each of the Parties. However, to speed up the response, we would kindly ask you to contact THUMB to exercise your rights via https://thumb.ky/.
5. Processing in-/outside of the Cayman Islands
In part, we arrange for external service providers to process your data (e.g. troubleshooting, creation of mailings). To this end it is necessary for us to transmit your personal data to our external service providers for a specified purpose (confined to the purpose in question). We have selected our service providers carefully and engaged them in writing. They are bound by our instructions and we have obtained information about their technical and organisational measures for the secure processing of personal data. We also require that our service providers comply with the applicable data protection regulations. We work with service providers from the Cayman Islands, USA, EU and EEA countries. We have concluded data processing agreements with our external service providers in accordance with Art. 28 (3) GDPR, inasmuch as this is required for the contractual purpose. The transfer to service providers outside of the Cayman Islands and the Global Area takes place correspondingly on the basis of decisions by the Cayman Islands Government and the EU Commission pursuant to The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and Art. 45 GDPR respectively (an ‘adequacy’ decision) or on the basis of standard EU contractual clauses.
We store all our data with a cloud service provider within the US or in IT infrastructures and systems (employee computers) at our sites within the Cayman Islands or the EU.
We do not sell any personal data to third parties.
However, we do reserve the right to disclose information about you if we are legally obligated to do so or if we are asked to surrender it by administrative or law enforcement bodies (e.g. police or Prosecution Service).
6. Your Rights
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed by us. Where this is the case, we will be pleased to give you access to the personal data and the information listed in Art. 15 GDPR.
In addition, you have the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR), subject to the relevant legal requirements. In addition, you have the right to object to the processing under the statutory conditions (Art. 21 GDPR) or to withdraw any consent you have given at any time with effect for the future (Art. 7 (3) GDPR).
In order to assert your rights against us, it is sufficient to send a message via https://thumb.ky/ or a postal letter to the address mentioned under “1. Information regarding the Data Controller”.
7. Data Security
We have taken appropriate technical and organisational measures to guarantee data security, in particular to protect your personal data against access by third parties, as well as accidental or intentional modification, loss or destruction. Such measures are reviewed periodically and adapted in line with the state of the art. The transfer of your personal data from your end user device (e.g. smartphone) to us is always encrypted. THUMB is PCI DSS (Payment Card Industry Data Security Standard) certified.
8. Storage Periode
The data provided by you to us is only stored for as long as is required to perform the respective purpose for which you have transmitted your data, or inasmuch as it is required for conformity with statutory or official requirements. personal data is anonymised by us, in principle, after three years, unless we have a legitimate interest in a longer storage period (e.g. bookkeeping requirements).
9. Updates and Changes