1. Introduction
1.1. This Privacy Policy explains how PALMBAY SOFTWARE LTD, a company registered in England and Wales under company number 16380280, with registered office at 20 Wenlock Road, London, N1 7GU, England ("Company," "we," "us," "our"), collects, uses, stores, shares, and protects personal data when you use the MotoMoto App mobile application and website at https://moto-moto.app/ (together, the "Platform"). MotoMoto App is an unregistered trading name of PALMBAY SOFTWARE LTD.
1.2. We are the data controller under:
(a) the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 for data of individuals in the United Kingdom;
(b) the EU General Data Protection Regulation (EU GDPR) for data of individuals in the European Economic Area; and
(c) the Indonesian Personal Data Protection Law (UU PDP, Law No. 27 of 2022) for data of individuals in Indonesia, where applicable.
1.3. For privacy questions, data rights requests, or concerns about how we process personal data, contact our Privacy Contact at privacy@moto-moto.app.
1.4. Contact points:
- Privacy Contact: privacy@moto-moto.app
- Security Contact: security@moto-moto.app
- Support Contact: support@moto-moto.app
- Legal Contact: legal@moto-moto.app
1.5. This Policy applies to all users of the Platform, including prospective customers, customers, Hosts, and visitors to our website.
1.6. This Policy should be read with our Cookie and Tracking Technologies Policy at https://moto-moto.app/legal/cookies, Renter Terms of Service at https://moto-moto.app/legal/renter-terms, Host Service Agreement at https://moto-moto.app/legal/host-service-agreement, Acceptable Use Policy at https://moto-moto.app/legal/acceptable-use-policy, and Review Guidelines at https://moto-moto.app/legal/review-guidelines.
2. Data we collect
2.1 Information you provide
2.1.1. All users may provide:
- identity data: name, date of birth, nationality, profile photo;
- contact data: email address, phone number where provided, address where required;
- account data: username, password hash, account preferences, language preferences, authentication data;
- driving eligibility information: self-certification that you hold the driving licence, International Driving Permit, local permit, vehicle category entitlement, and any other authorisation required by law in the rental location; any licence, permit, or entitlement evidence you voluntarily provide or we request for a specific booking, dispute, claim, safety review, fraud review, insurance or claims handling, or legal compliance purpose;
- identity document data: passport, national identity card, or other government-issued document used for identity verification;
- verification data: selfie, liveness check, verification status, verification result, and related metadata processed through Stripe Identity or other verification tools we may use from time to time;
- payment-related data: payment method tokens and transaction data processed by Stripe. We do not store full card numbers, CVV codes, or magnetic stripe data;
- billing data: billing address, invoice details, payment confirmations, refunds, chargeback information;
- booking data: booking requests, confirmed bookings, pickup and return details, vehicle selected, rental duration, cancellation records, disputes, incident reports, and support records;
- communications: in-app chat messages, support tickets, reviews, complaints, safety reports, and legal notices;
- content: reviews, photos, listing feedback, vehicle condition photos, and uploaded files.
2.1.2. We do not collect or store driving licence images by default at launch. We may request driving licence information or evidence in specific cases, including fraud prevention, safety concerns, disputes, legal compliance, insurance or claims handling, or where required for a particular vehicle, location, or booking.
2.1.3. Hosts additionally may provide:
- bank account details for Wise payouts, including account number, bank name, SWIFT/BIC where applicable, and account holder name;
- tax identification numbers, including NPWP for Indonesian Hosts where applicable;
- vehicle registration documents;
- insurance policy documents and renewal certificates where required;
- inspection certificates and maintenance records;
- ownership or authorisation documents;
- vehicle photographs and descriptions;
- permits, licences, and business registrations;
- payout statements, invoices, and tax information;
- information about GPS trackers, dashcams, immobilisers, telematics devices, AirTags, anti-theft devices, or other monitoring technologies installed in or on the vehicle.
2.1.4. Hosts must not request, collect, photograph, copy, scan, upload, store, retain, or hold customer passports, identity documents, driving licences, International Driving Permits, local permits, payment cards, or other documents as security or deposit. A Host may visually inspect a customer's identity document, driving licence, International Driving Permit, local permit, or other evidence of entitlement at pickup only where reasonably necessary to confirm identity or apparent legal driving entitlement, but must not copy, photograph, scan, upload, store, retain, or share it unless required by law and expressly approved by us.
2.2 Information collected automatically
2.2.1. We may collect:
- device data: IP address, browser type, device type, operating system, app version, unique device identifiers, and security identifiers;
- usage data: pages viewed, screens viewed, buttons clicked, searches performed, booking steps completed, timestamps, session identifiers, referral source, and interaction patterns;
- performance and reliability data: crash reports, error logs, diagnostic data, request logs, latency, server logs, and app stability events;
- security data: authentication events, failed login attempts, fraud signals, access logs, session data, suspicious activity indicators, and abuse prevention signals;
- location-related data: approximate location from IP address and, where you grant permission or where needed for booking fulfilment, precise location for pickup logistics, nearby vehicle display, safety, fraud prevention, vehicle recovery, dispute resolution, legal compliance, or customer support;
- cookies and local storage data, as described in the Cookie and Tracking Technologies Policy at https://moto-moto.app/legal/cookies.
2.2.2. At launch, we use first-party product analytics and first-party operational logs. This may include screens viewed, buttons clicked, searches performed, booking steps completed, errors, timestamps, device type, app version, account identifiers, and session identifiers.
2.2.3. We use this information for product improvement, platform security, fraud prevention, debugging, service reliability, and customer support.
2.2.4. We do not use Google Analytics, Meta Pixel, TikTok Pixel, Amplitude, Mixpanel, third-party analytics SDKs, advertising identifiers, or third-party marketing pixels at launch.
2.2.5. We do not use advertising identifiers such as IDFA or GAID at launch.
2.3 Information from third parties
2.3.1. We may receive information from:
- Stripe, including Stripe payments, Stripe Radar, and Stripe Identity, for payment processing, identity verification, fraud prevention, chargeback handling, sanctions or compliance screening signals where used, and transaction monitoring;
- Wise, for Host payouts, bank account validation, payout processing, and compliance checks;
- sanctions, PEP, adverse media, fraud, and financial crime screening sources or providers where used;
- identity, fraud, device, and risk tools we may use from time to time;
- app stores and operating system providers, including Apple and Google, where necessary for app distribution, operating-system notification delivery, crash diagnostics, security, or user permissions;
- Hosts and customers in relation to bookings, pickup, return, incidents, damage, disputes, reviews, and safety reports;
- law enforcement, regulators, courts, insurers, legal advisers, claims handlers, or public authorities where lawful and relevant;
- public sources, where necessary for fraud prevention, sanctions screening, PEP screening, adverse media checks, legal claims, or safety.
2.3.2. We use Stripe Identity for identity verification, document checks, and selfie matching where required. Stripe Identity may process identity documents, selfies, verification results, and related technical data for the purpose of verifying your identity and helping us prevent fraud.
2.3.3. We may use additional or alternative verification tools where necessary to verify identity, driving eligibility, fraud risk, sanctions compliance, financial crime risk, or legal compliance.
3. Legal bases and purposes
3.1 Legal bases table
| Purpose | Legal basis under UK/EU GDPR | Legal basis under UU PDP where applicable |
|---|---|---|
| Account creation and management | Contract, Art. 6(1)(b) | Contractual necessity |
| Booking processing and fulfilment | Contract, Art. 6(1)(b) | Contractual necessity |
| Driving eligibility self-certification and entitlement checks | Contract, Art. 6(1)(b); legitimate interests, Art. 6(1)(f); legal obligation where applicable | Contractual necessity; legitimate interest; legal obligation |
| Payment processing through Stripe | Contract, Art. 6(1)(b); legitimate interests, Art. 6(1)(f) for fraud prevention | Contractual necessity; legitimate interest |
| Host payouts through Wise | Contract, Art. 6(1)(b); legal obligation where applicable | Contractual necessity; legal obligation |
| Customer and Host support | Contract, Art. 6(1)(b); legitimate interests, Art. 6(1)(f) | Contractual necessity; legitimate interest |
| Identity verification through Stripe Identity | Contract, Art. 6(1)(b); legitimate interests, Art. 6(1)(f); explicit consent for biometric processing where required | Contractual necessity; legitimate interest; explicit consent for specific personal data where required |
| Fraud prevention and platform security | Legitimate interests, Art. 6(1)(f); legal obligation where applicable | Legitimate interest; legal obligation |
| Sanctions, PEP, adverse media, fraud, and financial crime screening | Legal obligation, Art. 6(1)(c); legitimate interests, Art. 6(1)(f) | Legal obligation; legitimate interest |
| First-party product analytics linked to your account | Legitimate interests, Art. 6(1)(f) | Legitimate interest |
| Debugging, service reliability, and operational logs | Legitimate interests, Art. 6(1)(f) | Legitimate interest |
| Precise geolocation where required for nearby vehicles, pickup, safety, or recovery | Consent where required; contract where necessary for booking fulfilment; legitimate interests for safety and fraud prevention | Explicit consent where required; contractual necessity; legitimate interest |
| Host-installed tracking disclosures and vehicle recovery support | Contract; legitimate interests; legal obligation where applicable | Contractual necessity; legitimate interest; legal obligation |
| In-app chat and booking communications | Contract; legitimate interests | Contractual necessity; legitimate interest |
| Reviews and trust features | Legitimate interests; contract | Legitimate interest; contractual necessity |
| Enforcing Renter Terms and Host Agreement | Legitimate interests | Legitimate interest |
| Tax reporting and record-keeping | Legal obligation, Art. 6(1)(c) | Legal obligation |
| Responding to lawful authority requests | Legal obligation, Art. 6(1)(c) | Legal obligation |
| Marketing communications | Consent where required; legitimate interests for limited existing-user communications where permitted | Explicit consent where required |
| Non-essential cookies or tracking technologies | Consent, Art. 6(1)(a), where required | Explicit consent where required |
| Defending legal claims | Legitimate interests, Art. 6(1)(f) | Legitimate interest |
| Corporate transactions | Legitimate interests, Art. 6(1)(f) | Legitimate interest |
3.2 Special category and sensitive data
3.2.1. Identity documents, selfies, liveness checks, and verification data may contain biometric data or other sensitive data, depending on how verification is performed.
3.2.2. We do not collect or store driving licence images by default at launch. Where we request driving licence evidence, International Driving Permit evidence, local permit evidence, or similar entitlement evidence in a specific case, that information may be sensitive depending on applicable law and context.
3.2.3. Under UK/EU GDPR, where we process biometric data for the purpose of uniquely identifying you, we rely on explicit consent under Art. 9(2)(a) or another lawful condition where applicable.
3.2.4. Under UU PDP, identity documents, biometric data, and similar information may be treated as specific personal data and processed with explicit consent or another lawful basis where applicable.
3.2.5. You may withdraw consent where consent is the applicable basis. However, withdrawal may prevent you from using parts of the Platform because identity verification, safety checks, and eligibility verification may be essential to our service.
3.3 Legitimate interest assessments
3.3.1. Where we rely on legitimate interests, we balance our interests against your rights and freedoms.
3.3.2. Our legitimate interests include operating a safe rental marketplace, preventing fraud, enforcing contracts, improving the Platform, debugging systems, protecting users, handling disputes, sanctions and financial crime controls, complying with legal obligations, and defending legal claims.
3.3.3. You have the right to object to processing based on legitimate interests. Where you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or we need the data to establish, exercise, or defend legal claims.
4. Data sharing
4.1 Recipients
| Recipient | Data shared | Purpose |
|---|---|---|
| Other Platform users | Renters see Host first name, profile photo where used, vehicle details, location information needed for booking, rating, and listing information. Hosts receive only customer information reasonably necessary to fulfil a confirmed booking. At launch, customer-Host communication is handled through in-app chat. | Facilitating rentals, pickup, return, support, and trust features |
| Stripe, including Stripe payments, Stripe Radar, and Stripe Identity | Payment data, transaction data, identity verification data, device and fraud signals, sanctions or compliance screening signals where used | Payment processing, identity verification, fraud prevention, chargeback management, sanctions compliance, and platform security |
| Wise | Host bank details, payout amounts, Host identity data, compliance information | Host payouts |
| Sanctions, PEP, adverse media, and compliance screening tools we use from time to time | Name, date of birth, nationality, address, identity data, booking data, payment risk signals, and screening results | Sanctions compliance, financial crime prevention, fraud prevention, legal compliance, and platform safety |
| OVHcloud | Platform data hosted on infrastructure servers located in Singapore | Hosting, storage, computing, availability |
| Apple and Google operating-system notification services | Push notification tokens and technical data where push notifications are enabled and where required by the operating system | Delivering push notifications where available |
| Self-hosted email infrastructure operated by PALMBAY SOFTWARE LTD | Email address, message content, delivery metadata | Transactional emails, support, account notices |
| Professional advisers | Information necessary to provide legal, tax, accounting, insurance, or compliance advice | Compliance and professional services |
| Insurers, legal advisers, claims handlers, or authorities | Claim-relevant data only where necessary | Legal compliance, dispute resolution, safety, claims, defence of legal claims |
| Legal and regulatory authorities | Data required by law, court order, lawful request, or regulatory obligation | Legal compliance |
| Law enforcement | Data required or permitted on lawful request | Criminal investigation, public safety, fraud prevention |
| Acquirer, investor, or restructuring party | Relevant business and user data subject to confidentiality and legal safeguards | Merger, acquisition, financing, asset sale, insolvency, restructuring |
4.2. We do not sell personal data to third parties.
4.3. We do not use Google Analytics, Meta Pixel, TikTok Pixel, Amplitude, Mixpanel, third-party analytics SDKs, advertising identifiers, or third-party marketing pixels at launch.
4.4. Hosts must not request, collect, photograph, copy, scan, upload, store, retain, or hold customer passports, identity documents, driving licences, International Driving Permits, local permits, payment cards, or other documents.
4.5. A Host may visually inspect a customer's identity document, driving licence, International Driving Permit, local permit, or other evidence of entitlement at pickup only where reasonably necessary to confirm identity or apparent legal driving entitlement, but must not copy, photograph, scan, upload, store, retain, or share it unless required by law and expressly approved by us.
4.6. Service providers may process personal data only as necessary for the services they provide to us and subject to contractual controls where required by applicable law.
5. International transfers
5.1. We operate from the United Kingdom and initially support Hosts in Indonesia and customers worldwide. Personal data may be transferred to and processed in countries other than your country of residence.
5.2. We host our core application infrastructure on OVHcloud servers located in Singapore. This means that personal data of users in the United Kingdom, European Economic Area, Indonesia, and other countries may be transferred to and processed in Singapore.
5.3. We manage the application layer ourselves and use OVHcloud as our infrastructure hosting provider.
5.4. We use Stripe and Stripe Identity for payments and verification, and Wise for Host payouts. These providers may process data in multiple jurisdictions according to their own compliance, security, fraud prevention, and operational requirements.
5.5. Where required, we use appropriate safeguards for international transfers, including contractual protections, standard contractual clauses where applicable, transfer risk assessments, access controls, encryption, and other technical and organisational measures.
5.6. For transfers from Indonesia to any jurisdiction outside Indonesia, we comply with the cross-border transfer requirements of UU PDP where applicable, which may include ensuring adequate protection, implementing contractual safeguards, obtaining consent where required, or relying on other lawful mechanisms recognised under applicable law.
5.7. You may request information about relevant transfer safeguards by contacting privacy@moto-moto.app.
6. Data retention
6.1. We keep personal data only as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required or permitted by law.
| Data type | Retention period | Reason |
|---|---|---|
| Active user accounts | Duration of account plus up to 6 years | Contract administration and legal claims |
| Booking records | 6 years from completion | Contract records, legal claims, tax records |
| Payment records | 7 years | Tax, accounting, fraud prevention, chargeback records |
| Identity verification data | Account duration plus up to 1 year, unless longer retention is required for legal, fraud, sanctions, or dispute purposes | AML, fraud prevention, dispute resolution, legal compliance |
| Driving eligibility self-certifications and requested entitlement evidence | Duration of account plus up to 6 years where linked to bookings, disputes, claims, safety reviews, fraud, or legal compliance | Legal compliance, safety, claims, dispute resolution |
| Host insurance, permit, registration, and vehicle documents | Account duration plus up to 6 years | Indemnity, liability claims, legal compliance |
| In-app messages and support tickets | 3 years, unless needed longer for safety, legal claims, fraud, or disputes | Dispute resolution, safety, support |
| First-party analytics and operational logs | Up to 26 months unless anonymised or required longer for security, fraud, or legal reasons | Product improvement, reliability, security |
| Marketing consent records | Duration of consent plus 1 year | Proof of consent |
| Sanctions, PEP, adverse media, and financial crime screening records | Up to 5 years from account closure, or longer where required | Financial crime compliance |
| Cookie consent records | 13 months or the period stated in the Cookie Policy | Consent management |
| Legal claims and regulatory records | Duration of proceedings plus applicable limitation period | Legal defence and compliance |
6.2. After retention periods expire, data is securely deleted, aggregated, or irreversibly anonymised where reasonably practicable.
6.3. Anonymised data may be retained indefinitely for statistical, product, operational, and research purposes where it cannot reasonably be linked back to you.
6.4. Stripe, Stripe Identity, Wise, Apple, Google, OVHcloud, and other service providers may retain certain data under their own legal, compliance, security, fraud prevention, and operational obligations.
6.5. If you request account deletion, we will delete or anonymise personal data associated with your account within 30 days, except where we must retain limited records for legal, tax, accounting, fraud prevention, sanctions compliance, safety, dispute resolution, chargeback, or legal claims purposes. We retain such records only for the minimum period necessary for the relevant purpose.
7. Your rights
7.1 Rights under UK and EU GDPR
7.1.1. Where UK GDPR or EU GDPR applies, you may have the right to:
(a) access your data;
(b) rectify inaccurate or incomplete data;
(c) erase your data, subject to legal retention obligations;
(d) restrict processing in certain circumstances;
(e) receive your data in a structured, commonly used, machine-readable format and transmit it to another controller;
(f) object to processing based on legitimate interests or direct marketing;
(g) withdraw consent at any time where processing is based on consent;
(h) not be subject to solely automated decision-making that produces legal or similarly significant effects, subject to legal exceptions; and
(i) lodge a complaint with a supervisory authority.
7.2 Rights under Indonesian PDP Law
7.2.1. Where UU PDP applies, you may have rights to:
(a) be informed about the purpose, identity, accountability, and legal basis of data processing;
(b) access your data;
(c) complete, update, or correct inaccurate data;
(d) obtain your data in accordance with applicable law;
(e) end processing, delete, or destroy your data, subject to legal exceptions;
(f) withdraw consent;
(g) object to automated decision-making that has legal effect or significant impact;
(h) delay or restrict processing proportionate to the purpose;
(i) sue and receive compensation for breaches of your rights where applicable; and
(j) use and transmit your data to another controller where technically feasible and legally required.
7.3 How to exercise your rights
7.3.1. Contact privacy@moto-moto.app with your request.
7.3.2. We may need to verify your identity before responding to prevent unauthorised disclosure.
7.3.3. We aim to respond within one month where UK/EU GDPR applies. This may be extended by two months for complex requests, with notice.
7.3.4. Where UU PDP applies, we will acknowledge and respond within applicable legal timeframes.
7.3.5. There is no charge for making a request unless it is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request where permitted by law.
7.4 Complaints to supervisory authorities
7.4.1. You may lodge a complaint with:
- UK: Information Commissioner's Office, ico.org.uk;
- EU: your local data protection authority;
- Indonesia: the Ministry of Communication and Informatics or its successor authority responsible for UU PDP enforcement.
7.4.2. We encourage you to contact us first at privacy@moto-moto.app so we can address your concern directly.
8. Data Protection Impact Assessments
8.1. We conduct or will conduct Data Protection Impact Assessments where processing is likely to result in high risk to individuals.
8.2. Relevant areas may include identity document verification, selfie matching, precise geolocation, fraud detection, trust and safety profiling, Host-installed tracking disclosures, and future high-risk processing.
8.3. Summaries of DPIAs may be made available on request to privacy@moto-moto.app, subject to protection of proprietary, legal, operational, and security-sensitive information.
9. Cookies and similar technologies
9.1 Launch configuration
9.1.1. At launch, we do not use third-party advertising cookies, third-party marketing pixels, third-party analytics SDKs, Google Analytics, Meta Pixel, TikTok Pixel, Amplitude, or Mixpanel.
9.1.2. We may use strictly necessary cookies and local storage for authentication, security, fraud prevention, session management, and user preferences.
9.1.3. Where non-essential cookies or tracking technologies require consent, we will request consent before using them.
9.2 Categories
| Type | Consent required | Purpose |
|---|---|---|
| Strictly necessary | No | Platform functionality, security, authentication, session management, fraud prevention |
| Functional | Yes where required | Remembering preferences, language settings, usability features |
| First-party analytics | Consent where required; otherwise legitimate interests where lawful | Product improvement, reliability, debugging, security |
| Marketing | Yes | Not used at launch |
9.3 Management
9.3.1. You can manage cookie preferences through the Cookie Settings link at https://moto-moto.app/cookie-settings where available.
9.3.2. Browser-level settings may also allow you to block or delete cookies. Blocking strictly necessary cookies may prevent essential Platform features from working.
9.3.3. For more detail, see the Cookie and Tracking Technologies Policy at https://moto-moto.app/legal/cookies.
10. Children
10.1. The Platform is not directed at and is not intended for use by anyone under 18 years of age.
10.2. We do not knowingly collect personal data from anyone under 18.
10.3. We identify potential underage accounts through age fields at registration, date-of-birth checks during identity verification, user reports, and internal signals.
10.4. If we become aware that we have collected personal data from a minor, we will close the account, cancel active bookings where required, and delete or retain data only as necessary for legal, fraud prevention, sanctions compliance, safety, dispute resolution, chargeback, and evidential purposes.
10.5. If you believe a minor has provided us with personal data, contact privacy@moto-moto.app.
11. Security
11.1. We implement appropriate technical and organisational measures to protect personal data, including:
- encryption in transit using TLS;
- encryption at rest where supported by our systems;
- access controls and least-privilege principles;
- administrative access controls;
- account authentication controls;
- regular security review and vulnerability management;
- incident response procedures;
- secure development practices;
- audit logging for sensitive actions;
- vendor security review where applicable; and
- staff privacy and security training appropriate to role.
11.2. Our core application infrastructure is self-managed by PALMBAY SOFTWARE LTD on OVHcloud servers located in Singapore.
11.3. We send transactional emails from our own self-hosted email infrastructure operated by PALMBAY SOFTWARE LTD.
11.4. We do not use SMS messaging at launch.
11.5. If you enable push notifications, we may send push notifications from the MotoMoto App backend through Apple Push Notification service (APNs) for iOS devices and Google Android notification delivery infrastructure where required by the operating system.
11.6. No system is completely secure. We cannot guarantee absolute security but are committed to protecting personal data using reasonable safeguards appropriate to the nature of the data and risks involved.
11.7. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within applicable legal timeframes and notify affected users where required.
11.8. Card payment data is collected, processed, and stored directly by Stripe, a PCI Service Provider Level 1 certified payment processor. We do not store full card numbers, CVV codes, or magnetic stripe data.
12. Automated decision-making and profiling
12.1 Uses
12.1.1. We may use automated or semi-automated systems to support:
(a) identity verification;
(b) fraud prevention;
(c) sanctions and financial crime screening;
(d) payment risk assessment;
(e) account security;
(f) booking risk checks;
(g) deposit assessment where applicable;
(h) abuse prevention; and
(i) platform safety.
12.1.2. These systems may consider factors such as verification status, transaction behaviour, device and session information, failed login attempts, payment risk signals, sanctions screening results, booking history, dispute history, and safety reports.
12.2 Human oversight
12.2.1. You may request human review of any automated decision that has a legal or similarly significant effect on you, in line with applicable law. You may also express your point of view, contest the decision, and request an explanation of the main factors involved.
12.2.2. We do not use automated decision-making as the sole basis for permanent account termination unless this is permitted by applicable law and appropriate safeguards are in place.
12.2.3. We may not disclose detailed fraud, sanctions, or security logic where disclosure would undermine safety, security, or legal compliance.
12.3 Your rights
12.3.1. You may have the right to object to certain profiling or automated decision-making, request human intervention, express your point of view, contest a decision, and request an explanation of the main factors involved, subject to applicable law and safety, fraud, sanctions, and legal compliance exceptions.
13. Marketing communications
13.1. We may send service and transactional messages necessary for account management, bookings, payments, security, safety, legal notices, support, and Platform operation. These are not marketing messages.
13.2. We send marketing communications only where permitted by law, including where you have consented or where another lawful basis applies.
13.3. You can opt out of marketing emails by using the unsubscribe link where provided or contacting support@moto-moto.app.
13.4. We do not use advertising identifiers, third-party marketing pixels, or third-party advertising cookies at launch.
14. Vehicle location, Host-installed tracking, and monitoring devices
14.1. Some vehicles may contain Host-installed GPS trackers, telematics devices, immobilisers, dashcams, anti-theft devices, AirTags, or similar tracking or monitoring technology. Hosts are required to disclose such devices to us and to customers before rental.
14.2. We prohibit undisclosed tracking.
14.3. If we receive or process vehicle location data through the Platform, we use it only for booking fulfilment, pickup logistics, safety, fraud prevention, vehicle recovery, dispute resolution, legal compliance, or customer support.
14.4. Hosts must not use tracking data to follow, harass, intimidate, contact, or monitor customers outside legitimate vehicle security, recovery, legal compliance, safety, or dispute resolution purposes.
14.5. If you believe a Host is using undisclosed tracking or misusing tracking data, contact security@moto-moto.app and support@moto-moto.app.
15. Changes
15.1. We may update this Policy from time to time.
15.2. Material changes will be notified by email, in-app notice, website notice, or other reasonable means.
15.3. Changes take effect on the date stated in the updated Policy.
15.4. Continued use of the Platform after the effective date means you acknowledge the updated Policy.
16. Accessibility of this Policy
16.1. We aim to make this Policy clear and accessible. If you need this Policy in another format or experience accessibility issues, contact support@moto-moto.app.
17. Contact
PALMBAY SOFTWARE LTD, 20 Wenlock Road, London, N1 7GU, England
- Privacy Contact: privacy@moto-moto.app
- Security Contact: security@moto-moto.app
- Support Contact: support@moto-moto.app
- Legal Contact: legal@moto-moto.app
- Website: https://moto-moto.app/
18. Annex — Summary for mobile users
18.1. Who controls your data: PALMBAY SOFTWARE LTD, trading as MotoMoto App.
18.2. What we do: operate a scooter and motorcycle rental marketplace where customers contract with us and Hosts provide vehicle availability.
18.3. Payments: customer payments are processed through Stripe. We do not store full card numbers, CVV codes, or magnetic stripe data.
18.4. Identity verification: we use Stripe Identity for document checks and selfie matching where required.
18.5. Host payouts: Host payouts are processed through Wise.
18.6. Hosting: core application infrastructure is self-managed by us on OVHcloud servers located in Singapore.
18.7. Email: transactional emails are sent through our own self-hosted email infrastructure.
18.8. SMS: we do not use SMS at launch.
18.9. Push notifications: where enabled, push notifications may be sent through Apple APNs for iOS and Google Android notification delivery infrastructure where required by the operating system.
18.10. Analytics: at launch, we use first-party product analytics and operational logs only. We do not use Google Analytics, Meta Pixel, TikTok Pixel, Amplitude, Mixpanel, advertising identifiers, or third-party marketing pixels.
18.11. Host document handling: Hosts must not copy, photograph, store, retain, or hold your passport, identity document, driving licence, or payment card. They may only visually inspect documents where reasonably necessary.
18.12. Tracking devices: Host-installed trackers, dashcams, AirTags, immobilisers, and similar devices must be disclosed before rental. Hidden tracking is prohibited.
18.13. Your rights: you can contact privacy@moto-moto.app to exercise data rights.
END OF PRIVACY POLICY