This Privacy Statement aims to clarify what personal data we process, why we process it, who receives your data and how you can exercise your legal rights. In this Privacy Statement, personal data means any information which directly identifies you as a person (like your full name and address), or can be used to identify you as a person (like a user ID connected to your identity). This includes your first and last name, address, phone number, date of birth, location data or email address. Similarly, processing refers to any operation performed on your personal data, for example, the collection, storage, use, disclosure, or destruction of your data
1. Who are we and how can you reach us?
This privacy policy sets out the basis which Delivery Hero Logistics (Thailand) Co., Ltd. (“foodpanda”, “we”, “us” or “our”) and our Affiliates (as the case may be) collect, use, disclose or otherwise process your (“rider” or “independent contractor”) personal data in accordance with all applicable laws (including the Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”)), regulations, guidance, advisories, notification and codes of practice, relating to the Processing of your personal data in the applicable jurisdiction and issued by the relevant regulatory authority governing the Processing (“Data Privacy Laws”).
With regard to your privacy, it is us who decides how and for what purposes your personal data is processed while using our delivery platform (“Platform”) and providing delivery services. In data protection language that makes us a so-called data controller (the party responsible for why and how your personal data is processed).
If you have any questions related to how your personal data is processed and would like to reach our data protection officer, please contact [email protected]
2. What categories of personal data do we process?
As part of offering our Platform and enabling you to make deliveries (in other words, to become a “rider”) during the period that service is performed in the delivery zone (“session”), we process personal data provided by you, collected from your device when you interact with our Platform or obtained from permitted third parties. In order to provide our delivery service to our customers, we use various tools and systems that are absolutely necessary for the delivery of orders. We also use external and internal tools and systems to process your personal data for personnel management and business operations.
We process the following categories of personal data:
Data categories | Explanation | |
Personal contact & account data | including your name, surname, address, date of birth, place of birth, nationality, gender, email address, password, phone number, city, internal ID, your photo, language and other profile settings | |
Identification data | including information relating to government-issued documents such as driving licence, passport, ID card, criminal record, work permit, insurance information, certificates | |
Candidate data | including applicant number, qualifications, skills, educational certificates, previous experience, referral information, interview information | |
Contract data | including the type and duration of contract, vehicle and equipment information, city, emergency contacts, offboarding details | |
Payment & billing data | including amounts due, status, bank account details, tax details, date and place of birth, nationality, gender, social security number, religion (if necessary), billing address, payment rules, invoice type | |
Task-related data | including delivery details (for instance, date and time of the pick-up, delivery, distance), delivery time, batch information, accepted deliveries, session details, cash collection, absence and history | |
Location & device data | including GPS coordinates (longitude and latitude), movement details, device ID, IP address, login details, device configuration settings, operating system, and other data obtained from the device | |
Communications data | including date, time and content of communications of riders with customers and agents. |
3. What do we do with your personal data?
This section outlines how your personal data is processed as a rider on our Platform. If additional purposes not outlined in this section require further processing of your data, you will be informed separately about such activities. For instance, if you are engaged on our Platform via a third party, they are obliged by applicable law to provide you with additional details of how they manage and process your information for their purposes.
A. When you join our Platform
1. Application
If you directly apply to become a rider on our Platform, you will be asked to provide your personal contact data such as email address, phone number, identification data such as governmentissued documents (passport, work permit, criminal record), contract data such as vehicle information. It may be the case that you are also asked to provide your candidate data including your qualification and experiences. Once you provide your information, we may contact you through your preferred communication channels, which may include email, SMS, or social communication channels like WhatsApp. This communication may involve arranging or conducting interviews, reminding the upload of additional information or documents to the recruitment system. The data processed in this step is essential to verify that you can deliver the service and to become a rider on our Platform. If you apply through the “refer a friend” program, a record of this referral will also be kept and processed to fulfil any applicable referral bonus. The legal basis for the application process is therefore entering into a contract under Section 24(3) of PDPA.
2. Onboarding and account creation
Once you successfully complete the application process, you will receive an invitation to enter into a contract to use our Platform as a rider. For this purpose, your personal contact & account, payment & billing, identification, as well as contract data will be processed. This basic information is the basis of our collaboration on our Platform. In cases where your application documents, including your identification data, cannot be verified in person, we may utilise machine based technologies to verify your documents. If these technologies are used, we will ensure human evaluation of the process and that you can oppose any dissatisfactory result of this verification process [email protected] or [email protected]. Following these steps, you will be onboarded to the Platform and a rider account will be created. If you decide to use our equipment and/or outfit, we will also need details concerning the equipment you require. Your equipment preference will be documented, along with your personal contact and account data. The legal basis for this processing is therefore entering into or performance of a contract under Section 24(3) of PDPA.
B. When you use our Platform
1. Choosing your sessions
Based on the terms outlined in your contract, you may be assigned specific sessions, given the option to book available sessions, or, directly begin working at your preferred time. This process requires the processing of your contact and account, contract, and task-related data such as your session details.
If you do not attend your session, we keep a record that you were not online in your session. If you are under an employment contract and to the extent we are permitted by law, we will also need to be notified when you are taking time off or vacation. As scheduling your sessions and management of absence are integral aspects of enabling you to use our Platform, the legal basis for this processing is performance of a contract under Section 24(3) of PDPA.
In addition to the data categories above, when you open your rider app, we may process your location data to offer you sessions (in areas where applicable) and ensure a seamless start to your planned session. The legal basis for this functionality is legitimate interest under Section 24(5) of PDPA.
2. Batch system
Our ‘batch system’ processes personal contact & account, contract, location & device, as well as task-related data such as the number of accepted and completed deliveries, number of orders delivered per hour. This system offers transparent insights into your statistics while operating within our Platform. For more detailed information regarding the ‘batch system’, you can easily review further insights and system-related information on the Platform.
The legal basis for processing your batch system data is performance of a contract under Section 24(3) of PDPA as this data is processed to ensure that you fulfil our operational requirements under the contract. This process is done automatically by taking into account all relevant factors mentioned above. If you have any inquiries regarding this process, you can always contact support agents and request human review.
3. Delivering orders
When you start your session for receiving orders, your personal contact & account, contract data such as your vehicle type, as well as location and device data will be used to calculate your proximity to the pick-up and drop-off locations, estimate the delivery time, and offer you a delivery based on this information while taking into account the delivery volume and weight. Offering you the most suitable delivery in real time is only possible when we use algorithmic decision making processes that take into account all relevant factors mentioned above. If you have any inquiries regarding the delivery offers, you can always contact our support agents and request a human review of the process. As offering you deliveries is an essential part of enabling you to operate on our Platform, the legal basis for this processing is performance of a contract under Section 24(3) of PDPA
Once you get the delivery task, you are free to choose the route. Our Platform may offer an integrated maps function that you can use during deliveries. If you use this feature, your device data and location data will be shared with the navigation service provider. Similarly, in cases where customers provide delivery instructions in a language different from your preference, our Platform may incorporate a translation feature. This feature may connect you to a third-party translation service (for instance, Google Translate) that may process your communications data in line with their own privacy practices. Using these functionalities is optional and the legal basis for this processing is consent under Section 19 of PDPA
4. Communication with support agents, business partners and customers
If you experience any challenges when using our Platform, you can reach out to support agents or business partners (for instance, restaurants) through in-app chat or any other available channels (for instance, phone call). Similarly, if you encounter any difficulties with your delivery on our Platform, you can reach out to the customer through our Platform. In such instances, your personal contact & account, contract data such as your vehicle type, location & device data are processed and some of this data might be shared with the person you are communicating with (for instance, your name is shared with the customer).
Processing your data is necessary to resolve the issue you are experiencing and to ensure that our Platform is offered to you as promised. Therefore the legal basis for this processing is performance of a contract under Section 24(3) of PDPA.
To ensure transparency and effective communication in our service operations, we provide relevant information to our customers and business partners (for instance, restaurants). This involves processing various types of data, including your personal contact & account, taskrelated data such as delivery details, as well as your location & device data. Part of this information, including your name, estimated delivery time, and sometimes your location, is shared with customers and business partners, only to the extent relevant for their order.
This process is designed to keep participants of our Platform well-informed about their orders and helps them anticipate when the delivery will arrive or when the parcel they shipped via foodorago/pandago will be delivered. We rely on our legitimate interest under Section 24(5) of PDPA as the legal basis for sharing your information with customers and business partners.
5. Sending device notifications
We may send you different types of device notifications, including ‘pop-up notifications’ that appear on top of other open apps that require us to process your device information. We will seek your consent to send you such notifications, and you will always have the option to revoke this permission. Please rest assured that when we are using these technologies we will never capture any information regarding other apps that you may have installed on your device or any personal data contained within those apps. The legal basis for this processing is consent under Section 19 of PDPA.
6. Operation management and service optimization
We are dedicated to delivering exceptional service to our customers, which requires efforts to manage and optimise the operations offered on our Platform. This process involves the processing of your personal contact & account as well as contract data such as vehicle information, task-related data such as delivery details, and your location & device data.
Our operation management efforts include determining the number of available sessions, and adjusting schedules to ensure efficient resource utilisation. Wherever possible, we aggregate and pseudonymize personal data, which means that we cannot identify you individually. In case your personal data is involved, these efforts are carried out based on our legitimate interest under Section 24(5) of PDPA.
In order to optimise our services we need to address potential disruptions. For instance, if you are outside the delivery zone you selected, we may need to process your contact data to send you a notification in order to inform you. If we suspect that the disruption of the service might be caused by fraudulent behaviour, we may temporarily pause your access to the Platform. This measure is crucial to protect the service continuity and avoid defrauding the interest of consumers. These decisions can be met automatically only after the process is evaluated by a human being prior to system implementation. If you have any inquiries regarding this process, you can always contact support agents and request human review. The legal basis for service optimization is performance of a contract under Section 24(3) of PDPA as this data is processed to ensure that you fulfil our operational requirements under the contract you have entered into with us.
7. Incentives
We offer a variety of incentives to make our Platform more attractive to you and to ensure that you enjoy all the advantages that our Platform has to offer. These initiatives may be initiated for different purposes, such as improving your road safety and driving standards. When you participate in these programs, we may process your personal contact & account data, taskrelated data, as well as analysis of location & device data including motion analysis. In addition,
our Refer a Friend program allows you to invite your friends to our Platform and obtain rewards such as referral bonuses. As part of this program, we may process your personal contact & account data, and a record of your referral.
Your participation in these incentives will be on a voluntary basis, therefore we will rely on consent under Section 19 of PDPA as a legal basis. If you have already given your consent, you are free to revoke your consent at any time.
8. Training
We are dedicated to upholding professional standards in our training and education programs. These initiatives include optional and mandatory training modules designed to ensure a high standard of service, as well as compliance with industry-specific requirements, such as those related to food handling or road safety. To provide you access to these offerings or, in the case of mandatory training, to track your attendance and compliance, we will need to process your personal contact & account, contract data, as well as proof of completion of training.
The legal basis for this processing is legal obligation under Section 24(6) in the case of legally required training, and, for the training to uphold professional standards, legitimate interest under Section 24(5) of PDPA.
9. Payment
Based on the specific terms of your contract, the calculation of your payment may depend on factors such as the number of deliveries, the distance for delivery, and/or the hours worked. Processing of your personal contact & account, location, task-related, as well as payment & billing data, is necessary to accurately calculate your payment and facilitate the payment process.
This process is done automatically by taking into account all relevant factors mentioned above. If you have any inquiries regarding the payment process, you can always contact support agents and request human review. We process your data for this purpose if the calculation and provision of your payment is a fundamental aspect of the relationship between you and our Platform, the legal basis for this processing is performance of a contract under Section 24(3) of PDPA
10. Ending our collaboration
When our collaboration comes to an end, we will be required to process certain personal data to ascertain that your offboarding has been properly completed. This data includes your personal contact & account, contract data such as offboarding details including termination date and reason, payment & billing, and task-related data. The legal basis for this processing is performance of a contract under Section 24(3) of PDPA
After termination of our collaboration, we will archive certain personal data pertaining to you as long as such storing is necessary for us to meet statutory requirements and necessary for handling claims or reporting reasons in accordance with the applicable laws. The legal basis for processing your data for archiving is legal obligation under Section 24(6) of PDPA and for addressing post-termination requirements is legitimate interest under Section 24(5) of PDPA
C. When we ensure the safety of our Platform
1. IT infrastructure, database hosting, and systems security
We use state of the art servers, network equipment and cloud services to operate our Platform, to ensure high performance and uninterrupted service. All types of personal information you provide and the information we collect about you are stored and protected within the secure environment of our Platform.
In order to achieve this, we use tools such as endpoint security detection, traffic monitoring, backup systems and data loss prevention solutions to keep your data secure. The legal basis for processing your data to host and ensure the security of your personal data is legitimate interest under Section 24(5) of PDPA
2. Compliance
In addition to legal requirements, we expect all of our Platform participants to comply with the requirements of our conditions of use, code of conduct, similar rules and processes as they apply to them. The purpose of this is to prevent and mitigate business risks and to ensure compliance with legal and ethical standards. Accordingly, irregularities will be investigated and upon confirming such deviation, we may take appropriate actions such as termination or suspension of the account involved, subject to legal prerequisites. In this context we may process your personal contact & account, contract, payment & billing, task-related, location & device, as well as communications data.
This process is based on our legitimate interest under Section 24(5) of PDPA as we have a strong interest in maintaining our Platform safe for all participants and upholding the integrity of our operations.
3. Operational safety and fraud prevention
One of our main priorities is to ensure a secure Platform and safe delivery experience for everyone participating in our Platform. To achieve this objective, proactive measures to prevent fraudulent activity and to ensure operational safety are implemented. This process includes the processing of personal contact & account data such as your internal ID and photo, contract data such as vehicle information, task-related, location & device, as well as identification data including government-issued documents, and work permit.
We employ various processes to detect and prevent fraudulent activities, including those involving session and location manipulation. We also leverage analysis of device data to identify road safety issues and improve driving standards. Some of these processes may be done automatically by taking into account all relevant factors mentioned above. If you have any inquiries regarding this process, you can always contact support agents and request human review. The legal basis for processing your data for the purposes of operational safety and fraud prevention is legitimate interest under Section 24(5) of PDPA.
We may use facial recognition, ID verification and liveness detection technologies to ensure that only legitimate account holders access rider accounts. For this purpose, we utilise ARKit and TrueDepth technologies for Apple devices and MLKit for Google devices that serve us to confirm the image of your face belongs to you. We assure that during this process your data is not used for any other purpose and not disclosed to any other unauthorised third parties. Rest assured, your images are deleted immediately after the purpose is fulfilled with respect to applicable statutory retention periods. The legal basis for this processing is consent under Section 19 of DPA.
D. When we promote our Platform
1. Onboarding campaigns
We utilise targeted campaigns to onboard more riders on our Platform, which involves displaying customised advertisements on websites tailored to specific audience segments. Additionally, if you visit our website to explore becoming a rider, we may utilise cookies and web trackers to remind you to submit your application. Typically, this practice only involves anonymized information, and we do not process personal data for this purpose. However, in exceptional cases where personal data is processed, it may include device, as well as personal contact & account data.
We rely on our legitimate interest under Section 24(5) of PDPA as the legal basis for promoting our Platform to new Riders.
2. Corporate communications
Photos and video footage might be published on our social media sites such as Linkedin or Instagram to promote our Platform and culture. For group photos, you will be given the opportunity to object to both the taking and the publication of the photo or video. You are free to request the deletion of a specific image at any point in time. Please note that, in order to review your request, we will require you to indicate exactly which photo or video recording you would like to have removed from a certain service. We will process this data until you object to the processing, or withdraw your consent (in the case of portrait photos).
Our legal basis for the processing of photos will be either your consent per Section 19 of PDPA in the case of portrait photos showing only you as a person, or legitimate interest under Section 24(3) of PDPA in the case of group photos showing you as part of a larger group of multiple people.
3. Cookies
In order to make the visit of our website attractive and to enable the use of certain functions, we use so-called cookies on various pages. These are small text files that are stored on your device. Some of the cookies we use are deleted after the end of the browser session, i.e. after closing your browser (so-called session cookies). Other cookies remain on your device and allow us or our affiliate to recognize your browser on your next visit (persistent cookies). You can set your browser so that you are informed about the setting of cookies and individually decide on their acceptance or exclude the acceptance of cookies for specific cases or in general. Failure to accept cookies may limit the functionality of our website/app.
You can install additional add-ons in your browser that block unnecessary cookies. By doing so, you will not see any interest-based advertisements.
Categories of personal data: Limited device information such as IP address, device ID, MAC address, operating system, device type, Apple Advertiser ID (IDFA) or Android Ad ID (AAID)
E. When we improve our services
1. Surveys and interviews
We always aim to improve our services, and your valuable feedback is an important part of that process. As such, we sometimes ask for your feedback or invite you to an interview. For surveys and interviews, we process your personal contact & account, task-related, device data, and the content of your feedback. We may also record your usage behaviour as part of the user interviews.
Participation in the surveys and interviews requires your consent under Section 19 of PDPA. After you provide your consent to participate in our surveys, we will contact you through your preferred communication channels, which may include email, SMS, or social communication Platforms such as WhatsApp. If you have already given your consent and would like to revoke it with future effect, please let us know by contacting us. In this case, we will exclude you from participating in interviews and ensure that you don’t receive any further invitations. We will keep the data we process within user surveys and interviews for as long as you grant us consent to do so. At the latest, when you delete your account, we will consider your declaration of consent to have been withdrawn.
2. analytics and business intelligence
We perform data analytics and develop business intelligence to improve our Platform in terms of product development, efficient resource management, and, ultimately, improve business performance. For example, this is the case when personal data is processed to measure the efficiency and efficacy and identify potential improvements in our operational structures and business processes. For this purpose, we process personal contact & account, task-related, contract, and location & device data.
These insights are typically aggregated (meaning processed fully anonymously, so you can never be identified as a person by anybody) or pseudonymized (meaning it will be very hard to identify you as a person). The legal basis for processing your data for this purpose is legitimate interest under Section 24(5) of PDPA
You can find our cookie policy with all the cookies we use in our Cookies and Web-Tracking Policy.
F. When we are required to comply with laws and regulations
1. Legal proceedings and authority requests
As with any organisation, there are instances when we are required to share personal data with public authorities. Additionally, there might be instances where we have to process your personal data to initiate or defend legal claims and uphold our rights and interests. For this purpose, we may disclose and process certain data we hold about you, to the extent strictly necessary to conclude these legal proceedings and investigations.
We retain this information for as long as necessary to comply with legal obligations related to ongoing proceedings and investigations. After the final closing of the respective legal proceedings, we will delete your data immediately. The legal basis for processing your data for complying with public authority requests is legal obligation under Section 24(6) of PDPA ; and for initiating and defending legal claims is legitimate interest under Section 24(5) of PDPA.
2. Responding to data subject requests
Data protection laws grant you various legal rights. We are committed to respecting them at all times. When you exercise these rights, we must process your data to effectively address your request. For instance, if you choose to exercise your right to access, we need to gather all of the information we hold about to meet our obligation to respond.
To achieve this, we may process any type of data we hold about you, only to the extent necessary to comply with our obligations. The legal basis for processing your data for complying with data subject requests is a legal obligation under Section 24(6) of PDPA. We retain this information for as long as necessary to comply with our legal obligations.
3. Regulatory compliance
Under various regulatory frameworks in the Thailand such as financial services regulations, antitrust and competition laws, the Royal Decree on Business Operations of digital platform services or the Platform-to-Business Regulation we are required to share certain aggregated data with the parties specified in these laws (for example, the business partners on our Platform, or the regulating bodies under this law). While this data will originate from personally identifiable data, we are generally not required to share personal data with third parties under these laws.
Moreover, compliance with relevant laws such as social security, employment, or commercial laws requires the collection and retention of personal information for regulatory purposes. To fulfill these obligations, we are obligated to process various types of data such as identification data including government-issued identification documents, insurance information, contract data including type and duration of contract, as well as payment & billing data including date and place of birth, nationality, gender, social security number, and religion.
This process may involve verification and confirmation of compliance with legal age requirements, possession of necessary permits (for instance, driver’s licence, work permit), availability of health insurance coverage, or creating necessary proof of work. This process is crucial to ensure that all Platform participants comply with the statutory requirements for operating in our Platform. The processing of personal data is based on the legal basis of legal obligation under Section 24(6) of PDPA.
4. Who will receive your data and under what circumstances?
We explained above the details of data processing including the usual recipients in the course of your regular activities on our Platform. These will be typically customers, business partners such as restaurants, rider support agents and marketing partners. In addition, our staff members will receive access to your data to fulfil their professional duties, such as providing you with a great online experience or looking into your support request, on a need to know basis.
In certain scenarios, we also need to share your personal data with recipients outside of our company. Please be assured that your data is shared with these recipients only to the extent necessary for the specified purposes and only as we are legally permitted to do so. In addition to sharing data with the parties already specified above, we will only share your data as follows:
A. Delivery Hero group companies
We are part of an international group of companies with legal entities in many parts of the world, including our group’s headquarters located with Delivery Hero SE in Berlin, Germany. To utilise our resources efficiently and ensure that our business processes function properly, we utilise our group-wide shared technological support services that sometimes necessitate sharing personal data with our parent company, Delivery Hero SE, or with the locations of our global tech hubs. In certain situations, we might also share limited data with other group companies, for example, to assist with payment collection or to implement security measures.
Delivery Hero group companies are bound by strict intra-group data transfer agreements ascertaining compliance with data protection requirements whenever sharing personal data with group companies.
B. Data processors
We use various third-party service providers to perform our operations. Many of these providers process your personal data as so-called “data processors”. This means they are only allowed to process your personal data under our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. Our processors are strictly monitored and we only engage processors who meet our high data protection standards. The main data processor for cloud technology on our Platform is our group’s headquarters located with Delivery Hero SE in Berlin. Delivery Hero SE provides us with a wide range of services of technology, such as cloud hosting, Platform security, marketing or customer relationship management tools.
Delivery Hero SE will also use data processors (as so-called “sub-processors”), as follows:
● Our Platform and databases run on cloud resources provided by the EU subsidiaries of Google Cloud Platform and Amazon Web Services.
● We use marketing and communications tools by companies such as SalesForce or Braze.
● Our finance and accounting platforms are provided by SAP. If you would like to request the full list of recipients of your personal data, you are free to do so at any point in time.
C. Other third parties and service providers
We work with third parties, to whom we need to share your personal data and unlike data processors, they are not bound by our instructions and instead will process your data independently. These may be our consultants, lawyers or accountants who receive your data from us under a contract and process your personal data for legal reasons, or to protect our own interests. Similarly, this may involve sharing information with the insurance companies directly or
with a third party acting on their behalf, to manage your insurance arrangements or facilitate your insurance coverage. In case you are recruited by a third-party-logistics provider, they will need to have visibility on certain task-related data in order to meet their legal or contractual obligations.
Under no circumstances will we sell or rent your personal information to third parties without your explicit, informed consent.
D. Mergers & acquisitions, change of ownership
In the event of a merger with, or acquisition by, another company or group of undertakings, we may need to disclose limited information to that company and their advisors who are under professional obligations to maintain the confidentiality of your personal data. This may occur in circumstances such as mutual due diligence assessments and regulatory disclosures.
In any event, we will ensure that we only disclose the minimum amount of information necessary to conduct the transaction, while also carefully considering the feasibility of removing or anonymising any data that could identify individuals.
E. Prosecuting authorities, courts and other public authorities
From time to time we may be requested to disclose personal data to public authorities. In some circumstances, we may disclose personal data with public bodies to bring or defend against legal claims, to protect our rights and interests, or to address security concerns.
Examples of such situations include cooperating in the detection and prevention of crime, responding to legal processes such as court orders or subpoenas, or sharing data with tax authorities for tax-related purposes. The public authorities involved in these scenarios may include law enforcement agencies, courts, tax authorities, or other government bodies.
4. Who will receive your data and under what circumstances?
We explained above the details of data processing including the usual recipients in the course of your regular activities on our Platform. These will be typically customers, business partners such as restaurants, rider support agents and marketing partners. In addition, our staff members will receive access to your data to fulfil their professional duties, such as providing you with a great online experience or looking into your support request, on a need to know basis.
In certain scenarios, we also need to share your personal data with recipients outside of our company. Please be assured that your data is shared with these recipients only to the extent necessary for the specified purposes and only as we are legally permitted to do so. In addition to sharing data with the parties already specified above, we will only share your data as follows:
A. Delivery Hero group companies
We are part of an international group of companies with legal entities in many parts of the world, including our group’s headquarters located with Delivery Hero SE in Berlin, Germany. To utilise our resources efficiently and ensure that our business processes function properly, we utilise our group-wide shared technological support services that sometimes necessitate sharing personal data with our parent company, Delivery Hero SE, or with the locations of our global tech hubs. In certain situations, we might also share limited data with other group companies, for example, to assist with payment collection or to implement security measures.
Delivery Hero group companies are bound by strict intra-group data transfer agreements ascertaining compliance with data protection requirements whenever sharing personal data with group companies.
B. Data processors
We use various third-party service providers to perform our operations. Many of these providers process your personal data as so-called “data processors”. This means they are only allowed to process your personal data under our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. Our processors are strictly monitored and we only engage processors who meet our high data protection standards. The main data processor for cloud technology on our Platform is our group’s headquarters located with Delivery Hero SE in Berlin. Delivery Hero SE provides us with a wide range of services of technology, such as cloud hosting, Platform security, marketing or customer relationship management tools.
Delivery Hero SE will also use data processors (as so-called “sub-processors”), as follows:
● Our Platform and databases run on cloud resources provided by the EU subsidiaries of Google Cloud Platform and Amazon Web Services.
● We use marketing and communications tools by companies such as SalesForce or Braze.
● Our finance and accounting platforms are provided by SAP. If you would like to request the full list of recipients of your personal data, you are free to do so at any point in time.
C. Other third parties and service providers
We work with third parties, to whom we need to share your personal data and unlike data processors, they are not bound by our instructions and instead will process your data independently. These may be our consultants, lawyers or accountants who receive your data from us under a contract and process your personal data for legal reasons, or to protect our own interests. Similarly, this may involve sharing information with the insurance companies directly or with a third party acting on their behalf, to manage your insurance arrangements or facilitate your insurance coverage. In case you are recruited by a third-party-logistics provider, they will need to have visibility on certain task-related data in order to meet their legal or contractual obligations.
Under no circumstances will we sell or rent your personal information to third parties without your explicit, informed consent.
D. Mergers & acquisitions, change of ownership
In the event of a merger with, or acquisition by, another company or group of undertakings, we may need to disclose limited information to that company and their advisors who are under professional obligations to maintain the confidentiality of your personal data. This may occur in circumstances such as mutual due diligence assessments and regulatory disclosures.
In any event, we will ensure that we only disclose the minimum amount of information necessary to conduct the transaction, while also carefully considering the feasibility of removing or anonymising any data that could identify individuals.
E. Prosecuting authorities, courts and other public authorities
From time to time we may be requested to disclose personal data to public authorities. In some circumstances, we may disclose personal data with public bodies to bring or defend against legal claims, to protect our rights and interests, or to address security concerns.
Examples of such situations include cooperating in the detection and prevention of crime, responding to legal processes such as court orders or subpoenas, or sharing data with tax authorities for tax-related purposes. The public authorities involved in these scenarios may include law enforcement agencies, courts, tax authorities, or other government bodies.
5. How do we transfer your personal data to other countries?
We and the parties we share your personal data with may transfer personal data to countries other than the country in which you use our services. Where such transfers take place, we take appropriate measures to ensure that your data is always afforded an adequate level of protection in the countries to which it is transferred.
For example, if we transfer your personal data from a country within the European Economic Area (EEA) to a country outside of the EEA, we take appropriate safeguards to ensure that these transfers provide a level of protection that complies with data protection requirements. If there are specific further requirements of the law of the country in which you use our services, we will abide by them as well.
We process your data mainly within the Asia-Pacific (APAC). However, some of our service providers mentioned above are based outside of APAC.
All our data receivers have to measure up to certain requirements for the transfer of personal data to third countries. Before we transfer your data to a service provider in third countries, every service provider is first assessed with regard to its data protection level. Only if they can demonstrate an adequate level of data protection will they be shortlisted for service providers.
Regardless of whether our service providers are located within APAC or in third countries, each service provider must sign a contract with us, which shall contain the provisions as required by the PDPA. We shall ensure that any personal data transferred out of Thailand is protected to a comparable standard as that required under the PDPA.
6. What are your legal rights?
Under the data protection laws, you are entitled to the following rights:
Right to access | You have the right to access your personal data and obtain additional information on how we process it. You may also request a copy of your personal data. | |
Right to rectification | If you notice that your personal data is incorrect, you can always request that we correct it. | |
Right to erasure | You have the right to ask us to delete your personal data. Please note that even if you exercise this right, we may be required to retain some of your information if we process it as part of our legal obligations, or in pursuit of our own (or a third party’s legitimate interests) such as the assertion of, or defence against legal claims, concluding customer care inquiries, preventing fraud or protecting ourselves or others against abusive behaviour. | |
Right to restriction of processing | If you have requested the deletion of your personal data, but we are legally prevented from immediately deleting it, we will store your data in our archives and retain them for the sole purpose of meeting our legal obligations. However, you will not be able to use our services during this time, as this would require us to de-archive your personal data. | |
Right to data portability | You can ask us to provide you or another data controller with your personal data in a machine-readable format. However, please note that this right only applies to data that we process based on your consent. | |
Right to object | You have the right, for reasons arising from your particular situation, to object at any time to any processing of your personal data, which is processed on the basis of our legitimate interests. If you object, we will no longer process your personal data unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise, or defend against legal claims. You also have the right to object at any time, without giving any explanations, to the process of your personal data for direct marketing (including any associated profiling). |
To exercise your rights, we encourage you to use the functions available in your account at any time. For example, if you would like to delete your data, or receive a copy of it, you can directly do so by following the relevant steps in your profile. These self-service methods are designed to expedite the process of fulfilling your rights. Alternatively, you can also reach out to our rider support channels to assist you.
7. How long do we keep your data?
We retain your personal data for as long as it is necessary to achieve the purposes we described above. The duration for which we retain your personal data is determined by factors such as the scope, nature and purposes of the personal data processing, and whether we have legitimate interests or legal obligations that require us to retain your personal data.
In the ordinary course of operations, your data will be deleted according to the table below once the contract allowing you to operate on our Platform is terminated, unless we are legally required to retain it for a longer time.
Data Category | Retention Period | |
Personal contact & account data | We shall retain your Personal Data for the period necessary to fulfill the Purposes outlined in this Policy unless a longer retention period is required or allowed by law. | |
Identification data | We shall retain your Personal Data for the period necessary to fulfill the Purposes outlined in this Policy unless a longer retention period is required or allowed by law. | |
Candidate data | We shall retain your Personal Data for the period necessary to fulfill the Purposes outlined in this Policy unless a longer retention period is required or allowed by law. | |
Contract data | We shall retain your Personal Data for the period necessary to fulfill the Purposes outlined in this Policy unless a longer retention period is required or allowed by law. | |
Payment & billing data | We shall retain your Personal Data for the period necessary to fulfill the Purposes outlined in this Policy unless a longer retention period is required or allowed by law. | |
Task-related data | We shall retain your Personal Data for the period necessary to fulfill the Purposes outlined in this Policy unless a longer retention period is required or allowed by law. | |
Location & device data | We shall retain your Personal Data for the period necessary to fulfill the Purposes outlined in this Policy unless a longer retention period is required or allowed by law. | |
Communications data | We shall retain your Personal Data for the period necessary to fulfill the Purposes outlined in this Policy unless a longer retention period is required or allowed by law. |
8. How do we use algorithmic decision making?
Some of our processes include the use of algorithmic decision making and machine learning. We consistently strive to implement methods that ensure a significant level of human oversight in the decision making process, enabling us to modify or reverse decisions as needed.
In many cases, the algorithmic decision making processes without human oversight will not have legal or similar significant effects on you. Whereas they do, we will ensure that you have the right not to be subject to the algorithmic decision making processes, unless those processes are authorised by applicable law or are necessary for the entering into or performance of a contract.
In these cases, you can always oppose the decision and request a human evaluation by contacting us.
Data Protection Officer
You may contact our Data Protection Officer (DPO) to exercise your data subject rights or find out more about our data protection processes and how we process your personal data by emailing [email protected] or [email protected].
Changes to this Privacy Statement
We may update this Privacy Statement from time to time to reflect our new processes, new technologies, and legal obligations. We are committed to keeping you informed of any changes to our privacy practices, so we encourage you to review this privacy statement to stay updated.
Last updated: 24 July 2024