GDPR Compliance for UK and EU

---

At IceRide, we are committed to ensuring the privacy and protection of our users' personal data when we operate in the United Kingdom and the European Union (EU). As part of this commitment, we fully comply with the General Data Protection Regulation (GDPR), which sets stringent requirements on how businesses collect, process, and store personal information from EU and UK citizens. This compliance policy outlines our practices in alignment with GDPR when we expand our services to these regions.

1. Data Controller Responsibilities:As the data controller, IceRide is responsible for determining the purposes and means of processing personal data. We ensure that all personal information is collected lawfully, fairly, and transparently. We only collect data that is necessary for the performance of our services and limit its use to the intended purposes.

2. Lawful Basis for Processing:We process personal data under several lawful bases, including but not limited to:

• Consent: Users provide explicit consent to process their personal data for specific purposes, such as creating an account or signing up for newsletters.
• Contractual Necessity: Personal data is processed to fulfill contractual obligations, such as managing ride bookings, payment processing, and driver communication.
• Legitimate Interests: We process data to improve our platform, enhance user experience, and ensure the security of our operations, as long as these interests do not override the privacy rights of individuals.

3. Data Subjects’ Rights:Under GDPR, IceRide ensures that individuals in the EU and UK have full control over their personal data. We uphold the following rights:

• Right to Access: Users have the right to request access to their personal data that we hold.
• Right to Rectification: Users can request the correction of inaccurate or incomplete data.
• Right to Erasure (Right to be Forgotten): Users may request the deletion of their personal data, subject to certain conditions.
• Right to Restrict Processing: Users can request restrictions on how their data is processed.
• Right to Data Portability: Users can request a copy of their personal data in a machine-readable format to be transferred to another service provider.
• Right to Object: Users can object to the processing of their personal data for marketing or other purposes.
• Right to Withdraw Consent: Users can withdraw their consent at any time, without affecting the lawfulness of data processing based on prior consent.

4. Data Retention Policy:Personal data is retained only for as long as it is necessary to fulfill the purposes for which it was collected or as required by applicable laws. Once the retention period has expired, we ensure that personal data is securely erased or anonymized.

5. Data Transfers Outside the EU/UK:To provide our services globally, IceRide may transfer personal data outside of the EU/UK to locations where our data centers or service providers are based. In such cases, we ensure that adequate data protection measures are in place. This may include standard contractual clauses (SCCs), binding corporate rules (BCRs), or other mechanisms recognized under GDPR to safeguard data transfers.

6. Data Breach Notifications:In the event of a personal data breach that may result in a risk to the rights and freedoms of individuals, IceRide will promptly notify the relevant data protection authorities within 72 hours, as required by GDPR. If the breach poses a high risk to users, we will also inform the affected individuals without undue delay.

7. Data Protection by Design and Default:We follow the principles of data protection by design and default, ensuring that privacy is embedded into our systems and operations from the outset. Our products and services are built with robust security measures to protect personal data and limit its exposure.

8. Data Processing Agreements:IceRide enters into Data Processing Agreements (DPAs) with all third-party service providers who process personal data on our behalf. These agreements ensure that all processors meet GDPR requirements and implement appropriate technical and organizational measures to safeguard personal data.

9. Data Protection Officer (DPO):To oversee compliance with GDPR, IceRide appoints a Data Protection Officer (DPO) who is responsible for monitoring our data protection practices, addressing user concerns, and liaising with regulatory authorities. The DPO can be contacted at:

Data Protection Officer
5000 CentreGreen Way, Suite 500
Cary, North Carolina 27513
Email: dpo@iceinnovations.ai

10. User Consent and Transparency:We ensure that all data collection processes are transparent, and users are provided with clear information about the data being collected, the purpose of collection, and how it will be processed. Where necessary, users are required to provide explicit consent before their personal data is processed.

11. Cookies and Tracking Technologies:IceRide uses cookies and similar tracking technologies to enhance user experience, improve website functionality, and analyze usage patterns. EU and UK users are provided with a cookie banner that allows them to opt in or out of specific cookie categories. Detailed information on our cookie use can be found in our Cookie Policy.

12. Complaints and Dispute Resolution:If a user believes that IceRide has violated their privacy rights under GDPR, they can file a complaint with our Data Protection Officer (DPO). Additionally, users in the EU and UK have the right to lodge a complaint with their local data protection authority if they are unsatisfied with how their data has been handled.

Contact Information:
For inquiries related to GDPR compliance or any data protection concerns, please contact us at:

Email: dpo@iceinnovations.ai
Mailing Address:
IceRide
5000 CentreGreen Way, Suite 500
Cary, North Carolina 27513

This GDPR Compliance Policy is effective as of [Insert Date] and is subject to updates and amendments as necessary to comply with evolving data protection regulations.