Privacy policy

Last updated: 02.06.2026

1. Controller

Smile Cars Costa Blanca SL
Calle Caballero de Rodas 120
03182 Torrevieja
Alicante, Spain

📧 Email: hello@smilecars.com

For the purposes of applicable data protection laws, in particular the EU General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”) and the Spanish LOPDGDD (Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales), we are the data controller of your personal data.

No Data Protection Officer has been appointed, as there is currently no legal obligation to do so.

2. Scope of This Privacy Policy

This Privacy Policy explains how we collect, use, store, and disclose personal data when you:

  • use our mobile application for car sharing,
  • visit or book vehicles via our website (Shopify),
  • rent vehicles on a long‑term basis,
  • subscribe to our newsletter,
  • contact our customer support, or
  • interact with our payment, billing, analytics, or verification services.


Our services are offered via two separate channels:

  • app‑based car sharing;
  • website‑based long‑term rentals.

Depending on the service used, different data categories and service providers may apply.

3. How We Obtain Personal Data

We obtain personal data from the following sources:

  • directly from you, when you create an account, make a booking, rent a vehicle, subscribe to the newsletter or contact us;
  • automatically through your use of our app, vehicles and website, e.g. via telematics units, cookies and similar technologies;
  • from our service providers (e.g. Google Ireland Limited for Firebase, Veriff, Stripe, Chargebee, Shopify, INVERS GmbH) acting on our behalf;
  • from payment and billing partners in connection with payments, chargebacks or fraud prevention.

4. Categories of Personal Data We Process

a) Account & Contact Data

  • Name
  • Email address
  • Phone number (optional)
  • Billing address (where required for invoicing)
  • Preferred language
  • Account identifiers

We do not collect a general residential address unless required for billing or contractual purposes.

b) Authentication & Credentials

User authentication for the app is handled via Firebase Authentication, provided by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Passwords and authentication credentials are not stored by us and we do not have access to user passwords.

c) Payment & Billing Data

  • Payment status (e.g. paid, pending, failed)
  • Transaction and booking references
  • Invoices and invoice details
  • Subscription or long‑term rental information

Full payment card details are processed directly by our payment providers and are never stored on our systems; we only receive tokens and status information where necessary.

d) Vehicle, Location & Telematics Data (Car Sharing)

When using our car‑sharing service, vehicles are equipped with telematics hardware operated by INVERS GmbH. Processed data may include:

  • vehicle GPS location,
  • trip start and end times,
  • vehicle usage, status and diagnostic data (e.g. lock/unlock, ignition state).

Telematics data is collected by telematics units provided and operated by INVERS GmbH, transmitted to INVERS GmbH’s systems and shared with us for operational, billing, safety and legal purposes.

INVERS GmbH acts as a processor on our behalf under Art. 28 GDPR or, where it pursues its own purposes, as an independent controller with its own privacy notice. For details on INVERS’ processing, please refer to INVERS GmbH’s privacy information on its website.

e) Driver Verification Data (Car Sharing)

To verify driving eligibility, we use Veriff. Processed data may include:

  • driver’s license images,
  • identity document images,
  • selfie / liveness verification images,
  • verification result and status.

Provider: Veriff OÜ – see Veriff’s Privacy Notice at https://www.veriff.com/ for details on their processing and retention practices.

f) App Analytics & Stability Data

For app performance, security and reliability, we process:

  • app usage statistics,
  • crash and error reports,
  • device information (e.g. operating system, device type, app version, language).

These data are collected via Firebase Analytics and Firebase Crashlytics, provided by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

5. Purposes of Processing

We process personal data for the following purposes:

  • account creation, login and account management;
  • driver’s license and identity verification;
  • vehicle booking, unlocking/locking and rental execution;
  • payment processing, invoicing and accounting;
  • fraud prevention, misuse detection and security of vehicles and systems;
  • account restriction, suspension and reactivation;
  • customer support and communication;
  • newsletter distribution (where subscribed);
  • app analytics, performance monitoring and technical stability;
  • compliance with statutory retention and legal obligations.

6. Legal Bases (GDPR Art. 6)

We rely on the following legal bases under Art. 6 GDPR:

  • Art. 6(1)(b) GDPR – performance of a contract or steps prior to entering into a contract (e.g. bookings, rentals, payments, account administration);
  • Art. 6(1)(c) GDPR – legal obligations (e.g. accounting, tax laws, retention requirements);
  • Art. 6(1)(f) GDPR – legitimate interests (e.g. security of vehicles and systems, fraud prevention, support, service optimisation);
  • Art. 6(1)(a) GDPR – consent (e.g. newsletter, optional analytics or marketing features where legally required).

7. Account Restrictions, Suspension & Payment Failures

We may restrict or suspend accounts where:

  • there is misuse or violation of our terms or policies,
  • we suspect fraud, abuse or security incidents,
  • required data for safe operation is missing, or
  • payments are failed or outstanding.

If a payment fails, the account may be temporarily restricted; access is typically restored once valid payment data is provided and outstanding amounts are settled.

In cases of serious abuse, deliberate damage or legal violations, permanent suspension and blocking of re‑registration may occur. Such processing is based on our legitimate interest in protecting vehicles, users and our services, and in ensuring legal compliance (Art. 6(1)(f) GDPR).

8. Payments & Billing Providers

a) Website Payments & Long‑Term Rentals (Shopify)

Bookings and payments made via our website are processed by Shopify and its integrated payment providers. For long‑term rentals, we use the izy rent booking solution within Shopify. Shopify handles checkout, orders and payment processing in accordance with its own privacy standards and acts as a processor or independent controller, depending on the specific processing.

b) App Payments & Billing

Payments and subscriptions related to app‑based car sharing are processed by Stripe, Inc.; billing and invoicing are handled via Chargebee Inc.

These providers process payment and billing data as independent controllers in accordance with their own privacy notices. For further details on their processing, please refer to:

We only receive the information necessary to manage bookings, payments and invoicing (e.g. status, tokens, references).

9. Customer Support & Communication

When users contact us (e.g. via email or in‑app support), we process:

  • name,
  • email address,
  • booking or account reference,
  • communication content.

Processing is based on Art. 6(1)(b) GDPR (performance of a contract or pre‑contractual steps) or Art. 6(1)(f) GDPR (legitimate interest in providing effective customer support). Support communications are retained only as long as necessary to resolve the request and to comply with legal retention obligations.

10. Newsletter

Users may subscribe to our newsletter to receive updates, offers and information about our services. For this purpose, we process the email address and, where applicable, consent metadata (date/time, IP, opt‑in mechanism).

Subscription is voluntary and based on explicit consent (Art. 6(1)(a) GDPR). We generally use a double opt‑in procedure where required by law. Users may withdraw their consent at any time by using the unsubscribe link in each newsletter or by contacting us at hello@smilecars.com. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

11. Data Sharing & Service Providers

We share personal data only where necessary and on the basis of a legal ground, in particular with:

  • INVERS GmbH – vehicle telematics provider for operational vehicle and trip data (e.g. location, trip times, vehicle status);
  • Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland – Firebase Authentication, Firebase Analytics and Firebase Crashlytics (authentication, app analytics, crash reporting);
  • Veriff OÜ – driver verification;
  • Stripe, Inc. – payment processing;
  • Chargebee Inc. – billing and invoicing;
  • Shopify and izy rent – online store and booking services;
  • hosting, infrastructure, IT‑security and support providers.

Where these third parties act as processors, they process personal data strictly on our instructions under Art. 28 GDPR and are bound by appropriate contractual safeguards. Where they act as independent controllers, their processing is governed by their own privacy policies.

12. International Data Transfers

Some of our service providers are located outside the European Union / European Economic Area, in particular in the United States. Where such transfers occur, they are safeguarded by:

  • EU Standard Contractual Clauses (SCCs) adopted by the European Commission; and/or
  • participation in the EU–US Data Privacy Framework or other adequacy decisions, where applicable.

13. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy or as required by law:

  • account data: for the duration of the customer relationship and for a reasonable period thereafter, e.g. for limitation periods;
  • billing and invoicing data: for the statutory retention periods under tax and commercial law;
  • vehicle usage and telematics data: for the duration necessary for operational purposes (e.g. billing, dispute handling, claims) and for applicable limitation periods in case of damage, accident or legal proceedings;
  • verification data (Veriff): for the period required to demonstrate compliance with legal obligations, prevent fraud and defend legal claims, after which the data are deleted or anonymized, subject to Veriff’s own retention practices;
  • support communications: until the request is resolved and statutory retention periods have expired.

After the relevant periods have expired, personal data are deleted or irreversibly anonymized.

14. User Rights (GDPR)

Subject to the legal requirements and limitations, you have the following rights under the GDPR:

  • right of access to your personal data;
  • right to rectification of inaccurate or incomplete data;
  • right to erasure (“right to be forgotten”);
  • right to restriction of processing;
  • right to data portability;
  • right to object to processing based on legitimate interests, including profiling;
  • right to withdraw consent at any time with effect for the future.

You may exercise these rights by contacting us at hello@smilecars.com. We may need to verify your identity before acting on your request.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement. In Germany, this may be the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

15. Cookies & Website Tracking

Our website uses cookies and similar technologies to ensure essential functionality and security, particularly in connection with Shopify’s store and checkout features.

Where additional analytics or marketing cookies and comparable tracking technologies are used, these will only be activated on the basis of your consent, which is obtained via a cookie banner or preference management tool, in accordance with applicable law. Further details on the types of cookies used, their purposes and storage periods are provided in our cookie settings or a separate cookie policy where available.

16. Third‑Party Websites & Links

Our services may contain links to websites or services of third parties. We are not responsible for the privacy practices or content of those websites; please refer to the respective privacy policies of such third‑party providers.

17. Children

Our services are not intended for minors and we do not knowingly collect personal data from children under the age required by applicable law to enter into car‑rental or car‑sharing contracts. If we become aware that personal data of a child have been collected unintentionally, we will delete such data without undue delay.

18. Security

We apply appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. However, no system can guarantee absolute security; residual risks inherent to internet communications can remain.

19. Changes to This Policy

We may update this Privacy Policy from time to time, for example to reflect changes to our services or legal requirements. The updated version will be published on our website and, where appropriate, within the app, indicating the “Last updated” date.

20. Contact

For privacy‑related questions or to exercise your rights, please contact:

📧 hello@smilecars.com