Privacy policy
Privacy is of utmost importance to our customers and their employees when using our services. It is therefore crucial for us that our customers and users can trust that all their personal data processed by Taggr is protected and handled correctly in line with the European General Data Protection Regulation (GDPR), ensuring the right to privacy is maintained.
We strive to be transparent about the personal data processing we conduct on behalf of our customers and provide tools and information to help them comply with GDPR as smoothly as possible.
Processing of personal data
In the development and updating of our services and features, Taggr aims to only process personal data and other information that is required. This means we do not collect more data than necessary, delete information when it is no longer needed, and only use the data for its original purpose. Access to personal data in Taggr’s systems is currently available only to users with the appropriate authorization. For instance, drivers can generally only view their own trips, and if these trips are private, other users cannot access them.
Data processing agreement
Taggr acts as a data processor for our customers (data controllers). When you become a customer with us, a data processing agreement must be signed to ensure that we can process personal data on behalf of our customers correctly.
Personal data processed and purpose of data collection
We process the following personal data for our users and drivers: name, email, password (encrypted), private locations and addresses, and phone number. In some cases, we also process registration numbers for private vehicles (we do not classify company-owned vehicles as personal data). The data is used for accessing and utilizing our services and for electronic driver logs to meet the Swedish Tax Agency’s requirements with driver details per trip. Private trips and, in some cases, vehicles are also processed but are only accessible to the driver or authorized users.
Contact details and device data are also used for proactive and reactive customer support, automatic troubleshooting, system updates, and support. For processing related to sending newsletters with updates, product offers, and customer surveys, Taggr is the data controller. The personal data processed includes name, title, email, and phone number.
How personal data is processed
When collecting and setting up new users with login access to the system, an email address is entered by one of the company’s administrators or by Taggr’s customer center.
For drivers who do not have access to the system, we will not request or store consent for processing from them. This must be done by the customer (data controller) themselves through agreements, legitimate interest, or consent. The processing performed for drivers without login access involves the connection between the driver and the trip in the driver log and analysis reports.
Authorized Taggr personnel working with customer support also use personal data for case registration, contact and troubleshooting upon request, or when deviations are identified during proactive customer support. The data is accessible via a support tool where all changes made by Taggr personnel are registered and logged.
Contact details for contract signatories, service orderers, and shipment recipients are also processed in internal and external systems for billing, administration, and delivery.
The handling of email notifications for operational information, updates, product offers, and customer surveys is done outside the system by subprocessors to whom recipients have consented to processing from various sources.
IP addresses are logged when visiting Taggr’s website or system in order to investigate potential hacking attempts and analyze web activity. No lookup of IP addresses to retrieve personal data is performed, and no link is made between users and IP addresses.
Registration numbers are used for identification and are also looked up via a subprocessor to supplement the vehicle record with car model and fuel consumption data.
Retention policies
Retention of personal data in the system is as follows:
- User data (name, email, phone number) is stored as long as the customer relationship exists and is only purged upon termination or request.
- Driver logs (start/stop address, distance, odometer reading, type, and purpose) are stored as long as the customer relationship exists and are only purged upon termination or request. This also applies to driver logs in old vehicles that have been sold or replaced.
- Vehicle positions are available for three months.
Retention of personal data in other systems is as follows:
- Contact information (name, title, email, and phone number) for sending updates, product offers, and customer surveys is removed upon request or if consent to processing is denied.
- Deletion upon request begins immediately and is completed within 30 days.
Withdrawal of consent and request, correction or deletion of personal data
If a user withdraws or does not give consent to processing in the system, the service will be blocked, and the customer’s (data controller’s) administrators will be notified. The user or administrator should then contact the data controller (typically the employer), who forwards the request to Taggr’s customer center. The customer center will then verify that the right, authorized person is making the request or wants the data deleted. Corrections can be made either in the system or via a request to the data controller.
For processing in sending newsletters, product offers, and customer surveys, Taggr is the data controller. When a registered individual denies consent for their personal data to be processed, the personal data is deleted and removed from handling.
Contact Taggr to correct, request copies, or delete personal data.
Security measures and data protection
We actively work on information security and use the latest technology for firewalls, antivirus protection, and monitoring to ensure data protection. Through systematic improvement work, data protection is continuously developed and kept up to date to ensure we maintain the appropriate security level.
Taggr has an on-call team for operational monitoring, and only members of this team have direct access to personal data records in the production system. Taggr does not use subprocessors or processing in third countries that do not meet applicable conditions for transfer according to relevant data protection legislation or match our standards.
Data processing agreement
Taggr has agreements with all its partners and subprocessors handling personal data. All data in the system is stored on servers in Sweden by Swedish hosting partners certified according to ISO27001.
Third-party services
Taggr uses some third-party organizations to assist in providing services with high availability and quality. Third-party services are used for cloud service hosting, order and billing services, email notifications, customer surveys, email handling and document storage, and vehicle information lookup. All third-party organizations comply with the obligations specified in the data processing agreement.
Handling personal data incidents
A personal data incident is an event leading to accidental destruction, loss, alteration, unauthorized disclosure of, or access to personal data processed by Taggr.
In the event of a personal data incident, the following steps are taken:
- Investigation of the incident.
- Appropriate measures to reduce the incident’s impact and prevent recurrence.
- Report to the data controller containing:
  - Description of the nature of the personal data incident.
  - Categories and approximate number of data subjects concerned.
  - Categories and approximate number of personal data records concerned.
  - Description of the likely consequences of the personal data incident.
  - Description of the measures taken by the data processor to address the personal data incident.
  - Contact details for the person providing further information and responding to questions.
The data controller is responsible for reporting the personal data incident to the Swedish Authority for Privacy Protection within 72 hours if the incident is likely to result in risks to individuals’ rights. In other cases, no report is necessary.