CLOVER PRIVACY POLICY
Version: 1.0
Effective date: February 2026
Last revised: February 2026
Clovertronix Southern Europe S.L. (hereinafter “Clover,” “we,” or “our”) considers the protection of your personal data to be of paramount importance. Therefore, we treat your data with the utmost care. With this Privacy Statement, we inform you about how we handle personal data.
A. Basic information on data protection
In accordance with Regulation (EU) 2016/679 (GDPR) and LOPDGDD 3/2018, the User is informed of the following:
1. Who is responsible for processing
The data controller is Clovertronix Southern Europe SL, with registered office at C/ dels Sants Just i Pastor, 133, Algirós, 46022 Valencia (Spain), Tax ID number B75861807.
The Operator provides a subscription service for mechanical bicycles and e-bikes under the CLOVER brand through the Clover APP and the website
http://www.rideclover.com.
2. Personal data processed
2.1 Categories of data
Depending on the relationship with the User (individual, professional, or business) and the use of the APP, the Operator will process the following categories of data:
A) Data necessary for the execution of the contract (Category A)
● First and last name, ID number, date of birth.
● Contact details: email, telephone number, postal address.
● Account and profile data in the Clover APP.
● Subscription data: type of plan (Solo, Duo, Pro, Business), registration and cancellation dates.
● Travel history: start/end date and time, GPS data, departure and arrival points, duration.
● Billing data: customer ID, payment and refund history, payment method details.
B) Data for security, legal compliance, and defense of interests
(Category B)
● Profile photo or ID document for verification upon registration, when required.
● Data relating to accidents, claims, incidents of use, or administrative penalties linked to the use of the bicycle (including data on third parties involved, where applicable).
● Data relating to the User’s health linked to claims arising from the information contained in their reports. Special Category.
● Information about claims, complaints, and communications with customer service.
● Data necessary to prevent, detect, and prosecute fraud or use contrary to the Terms and Conditions.
● Technical data of the device: IP address, device identifiers, operating system, access logs, APP errors.
C) Advanced usage, analytics, and marketing data (Category C – always with adequate basis).
● Real-time geolocation data of the bicycle and, where applicable, the device, during active trips.
● Behavioral data: frequency of use, route patterns, schedules, and types of trips.
● Cookies and similar technologies on the website and app (online identifiers, pages visited, session duration, referral campaigns).
● Communication and marketing preferences (channels, topics of interest).
D) Third-party data
To the extent that the User provides data from third parties (for example, data from a third party involved in an accident or from an Authorized Minor), they guarantee that they have previously informed said third parties and, where necessary, obtained their consent in accordance with applicable regulations.
B. Purposes of processing
1. Purposes of service provision
● Management of the subscription contract: user registration, bicycle allocation, management of plans and rates, processing of renewals, cancellations, and
contract modifications.
● Operational provision of the service: bicycle use, preventive and corrective maintenance, bicycle and battery exchange, appointment and delivery management.
● Financial management and billing: issuing invoices, periodic billing of fees, management of non-payments, refunds, and adjustment of charges.
● Geolocation and fleet control: bicycle location via GPS for security, theft prevention, recovery in case of theft or non-payment, verification of use within the authorized area and compliance with the T&C.
2. Security purposes, fraud prevention, and
legal compliance
● Prevention, investigation, and, where appropriate, prosecution of fraud, misuse of the service, or use contrary to the contractual conditions (e.g., using a personal plan for professional activity).
● Recording and management of incidents, accidents, damage to third parties, and civil liability claims, as well as collaboration with insurance companies.
● Compliance with legal obligations in relation to tax, accounting, traffic, road safety, compulsory insurance, and consumer and user protection.
● Responding to requests from judges, courts, law enforcement agencies, and supervisory authorities, including the AEPD.
3. Customer service and quality purposes
● Management of queries, incidents, complaints, and claims through support channels (email, telephone, chat in the APP).
● Recording of certain communications (when notified) for service quality purposes, internal training, and documentation of relevant incidents.
● Conducting satisfaction surveys and internal studies to improve the user experience and service quality (based on legitimate interest, weighed against the rights of the user).
4. Purposes of analysis and service improvement
● Statistical analysis and aggregation of data on the use of the service (e.g., kilometers traveled, peak usage times, most frequent incidents) to optimize the fleet, battery exchange infrastructure, and APP functionalities.
● Development and improvement of new or existing products and services (e.g., new plans, security features, integrations with other mobility services).
Whenever possible, aggregated or anonymized data will be used for these analysis purposes, minimizing the impact on privacy.
5. Commercial and marketing purposes
● Sending commercial communications about plans, services, promotions, discounts, and news related to CLOVER or business partners, by email, SMS, or push notifications, whenever that the User has given their express consent or there is another valid legal basis.
● Basic personalization of the content of such communications based on the plans contracted, usage history, and preferences stated by the User.
The User may withdraw their consent for marketing purposes or object to the sending of commercial communications at any time, without this affecting the lawfulness of the previous processing or the provision of the main service.
C. Legal bases for processing
The processing of personal data by CLOVER is based on the following legal bases, which are applied in combination depending on the purpose.
1. Performance of a contract (Art. 6.1.b GDPR)
● Management of the subscription, provision of the rental service, maintenance, customer service related to the contract, and billing.
2. Compliance with legal obligations (Art. 6.1.c GDPR)
● Tax and accounting obligations.
● Collaboration with law enforcement agencies, judges, and courts.
● Claims management and compulsory insurance when required by law.
3. Legitimate interest (Art. 6.1.f GDPR)
● Service security, fraud prevention, and asset protection (bicycles, batteries, stations).
● Bicycle recovery in case of theft, loss, or non-
payment.
● Measuring customer satisfaction and improving internal processes.
● Legal defense against possible claims.
In these cases, a balance is struck between the interests of CLOVER and the rights and freedoms of the User, adopting measures to minimize data and ensure transparency.
4. Consent (Art. 6.1.a GDPR)
● Processing that is not strictly necessary for the performance of the contract, such as certain analytical cookies, direct marketing, or certain forms of commercial profiling.
● When processing is based on consent, it shall be freely given, specific, informed, and unambiguous, and the User may withdraw it at any time from the APP or through the contact channels.
D. Recipients and data processors
User data may be communicated to:
● Insurance companies and insurance brokers that provide coverage for civil liability and fleet damage.
● Financial institutions and payment gateways for the processing of subscription payments and other authorized charges.
● Technology and infrastructure providers (hosting, cloud, communications, ticketing systems, analysis tools) acting as data processors under contract in accordance with Article 28 of the GDPR.
● Customer service and call center services, when it is necessary to outsource part of the support.
● Law enforcement agencies, courts, tribunals, and public administrations when there is a legal obligation or judicial or administrative requirement.
● Law firms, consultants, and auditors when necessary for legaldefense or service auditing.
Under no circumstances will the User’s personal data be sold to third parties.
E. INTERNATIONAL TRANSFERS OF PERSONAL DATA
E.1 Existence of international transfers
In order to provide the CLOVER service, the Operator uses third-party technology providers whose activity involves the processing of personal data outside the European Economic Area (EEA), mainly in the United States of America.
Such transfers take place exclusively through providers that offer adequate data protection guarantees in accordance with the mechanisms provided for in Chapter V of Regulation (EU) 2016/679 (GDPR), detailed in the following points.
E.2 Applicable guarantee mechanisms
International data transfers carried out by the Operator or its providers are covered by the following mechanisms provided for in Chapter V of the GDPR:
a) European Commission Adequacy Decision — EU-US Data Privacy Framework: By Decision of the European Commission of July 10, 2023, an adequate level of protection is recognized for transfers to US organizations certified under this agreement. The providers listed in the table above that have this certification can be consulted in the public register available at: https://www.dataprivacyframework.gov.
b) European Union Standard Contractual Clauses (SCCs): In cases where the provider does not have certification under the EU-US DPF, or as an
additional complementary guarantee, the Standard Contractual Clauses adopted by the European Commission through Implementing Decision (EU)
2021/914 of June 4, 2021, in its current version, are used.
c) Supplementary technical and organizational measures: Additionally,
and in accordance with Recommendations 01/2020 of the European Data
Protection Board (EDPB), the Operator applies or requires its suppliers
to apply complementary technical measures (mainly encryption of data in
transit and at rest) to mitigate the risks of access by third-country
authorities.
E.4 User rights in relation to international transfers
The User has the right to:
Obtain additional information about the transfers made and the
safeguards applied by contacting the Operator’s Data Protection Officer
at:rodrigo@rideclover.com .
Request a copy of the Standard Contractual Clauses signed by the
Operator with its suppliers, to the extent that they do not contain
commercially confidential information.
Lodge a complaint with the Spanish Data Protection Agency (AEPD) if
they consider that the transfers do not have adequate safeguards.
F. Data retention periods
Personal data will only be retained for as long as necessary to fulfill
the purposes for which it was collected and, subsequently, for the
applicable legal liability limitation periods.
As a guide:
● User registration and profile data: While the subscription is
active and up to 2 years after its cancellation, for
the handling of possible consumer complaints and contractual
liabilities.
● Travel history (basic data): Up to 2 years from its
generation, for the management of disputes regarding billing and
use of the service.
● Detailed GPS geolocation data:
● During the active trip for the provision of the service.
● Records kept for a maximum of 120 days, unless
there is an incident, ongoing investigation, or claim that
justifies its retention for a longer period.
● Data relating to accidents, incidents, and claims: Up to 5 years
from the date of the incident, in accordance with civil and,
where applicable, criminal statutes of limitations.
civil and, where applicable, criminal statutes of limitations.
● Payment data: Complete card details are not stored; only secure
references provided by the gateway are stored for the time
strictly necessary for payment management.
Returns and fraud prevention.
● Analytical cookies and similar technologies: For the periods
indicated in the applicable Cookies Policy, with a usual maximum
of 13 months for non-exempt analytical cookies.
Once the above periods have elapsed, the data will be securely deleted
or irreversibly anonymized for use for statistical or internal research
purposes.
G. Geolocation, profiling
and automated decisions
The bicycle may incorporate geolocation systems (GPS) that allow
positioning data and certain usage parameters to be known.
This data is used to:
● Ensure the safety of the User and third parties.
● Prevent and manage theft, loss, or non-payment (including
bicycle recovery).
● Analyze compliance with the Terms and Conditions,
especially when personal and professional use plans are
distinguished.
The Operator may use basic automated rules (e.g., detection of patterns
of fraud risk or use contrary to the contracted conditions), but will
not make decisions that produce significant legal effects based solely
on automated processing without meaningful human intervention, unless
the safeguards provided for in Article 22 of the GDPR (prior
information, right to human intervention, to express their point of
view, and to challenge the decision) are in place.
H. Processing of data relating to
minors
The Terms and Conditions establish that the service can only be
contracted by a person over the age of 18 with full legal capacity.
When an Authorized Minor (over 16 years of age) is allowed to use a
bicycle, the processing of their personal data (e.g., identification,
age, status as an authorized minor) is limited to what is strictly
necessary for:
● Verify compliance with age and authorization
requirements.
● Document liability and insurance coverage.
● Ensure the safety of the minor when using the bicycle.
The User who has parental authority or guardianship of the minor is
responsible for informing the minor and, where applicable, obtaining
their consent when required by law.
I. Cookies and similar technologies
The Clover website and app use cookies and similar technologies to:
● Ensure the basic functioning of the site and the APP (technical
cookies).
● Measure audience and service usage (analytical cookies).
● Remember certain User preferences.
● Where applicable, carry out marketing and personalization
actions, always with the corresponding legal basis.
Detailed information on the types of cookies used, their purposes,
duration, and how to configure or revoke them is included in the Cookie
Policy, accessible from the website and the APP.
J. Information security
CLOVER applies appropriate technical and organizational measures to
protect personal data against accidental or unlawful destruction, loss,
alteration, disclosure, or unauthorized access.
Among others, the following are used:
● Encryption in transit and, where appropriate, at rest.
● Role-based access control and least privilege principle.
● Logging and monitoring of system access.
● Internal procedures for managing security incidents and data
breaches.
● Periodic risk assessments and review of technology
providers.
In the event of a personal data security breach, its severity will be
assessed and, if appropriate, the AEPD and the data subjects concerned
will be notified in accordance with the terms set out in Articles 33
and 34 of the GDPR.
K. User rights regarding data
protection
The User may exercise the following rights recognized by the GDPR
before CLOVER:
● Right of access: Obtain confirmation as to whether
processing their personal data and, if so, to access it and
certain associated information.
● Right to rectification: Request the correction of
inaccurate or incomplete data.
● Right to erasure (“right to be forgotten”): Request the
deletion of your data when, among other reasons, it is no longer
necessary for the purposes for which it was collected,
without prejudice to legal retention obligations.
● Right to restriction of processing: Request that the processing
of your data be restricted in certain cases.
● Right to portability: Receive your data in a structured, commonly
used, machine-readable format
structured, commonly used, and machine-readable format, and to
transmit it to another controller when the processing is based on
consent or a contract and is carried out by automated means.
● Right to object: To object at any time, on grounds relating to
your particular situation, to the processing of data based on
legitimate interest, including profiling
, as well as to oppose processing for direct marketing purposes.
● Right not to be subject to automated individual decisions:
Request human intervention, express your point of view, and
challenge decisions made exclusively by automated processing,
where appropriate.
automated processing, where applicable.
1. Exercising rights
The User may exercise their rights through the following channels:
● By sending an email to the DPO: dpo@rideclover.com
indicating in the subject line “Exercise of GDPR CLOVER rights”
and including: name and surname(s), copy of a valid identity
document
identity document, the right they wish to exercise, and a
description of the request.
● Through the mechanisms enabled in the Clover APP when available.
If the User considers that their rights have not been adequately
addressed, they may file a complaint with the Spanish Data Protection
Agency (AEPD).
2. Contacting the Data Protection Officer
For any questions related to this Privacy Policy or the processing of
your personal data, the User may contact the CLOVER Data Protection
Officer viadpo@rideclover.com .
L. Changes to the Privacy Policy
CLOVER may update this Privacy Policy to adapt it to legislative
changes, AEPD criteria, or modifications to the service.
When the modifications are relevant to the rights or expectations of
Users, they will be notified in a prominent manner (for example,
through a notice in the APP or by email) and, where legally necessary,
consent will be sought again.
The current version of the Privacy Policy will always be available on
the website and in the Clover APP.
M. BUSINESS
TRANSFER
AND CHANGE
OF CONTROLLER FOR PROCESSING
1. APPLICABLE CASES
This clause regulates the processing of the User’s personal data
in cases where the Operator is subject to a total or partial
transfer of the business, including but not limited to:
● Sale of all or part of the company’s business.
● Merger, takeover, or corporate spin-off.
● Global transfer of assets and liabilities.
● Contribution of the business to a new company.
Any other similar corporate restructuring operation involving the
replacement of the Operator as the data controller.
2. LEGAL BASIS
In the above cases, and in accordance with Article 6.1.f of
Regulation (EU) 2016/679 (GDPR), the transfer of personal data to
the new owner does not constitute a transfer of data requiring
the prior consent of the User, as there is a legitimate interest
on the part of the Operator and the acquirer that prevails over
the reasonable expectation of privacy of the data subject,
provided that:
a) The purpose of processing the transmitted data shall not vary
from the purposes stated in this Privacy Policy.
b) The purchaser expressly assumes, through a binding
contractual clause, the same data protection obligations that
this document and the Terms and Conditions impose on the
Operator.
c) The purchaser certifies its compliance with the GDPR and,
where applicable, the LOPDGDD or other regulations applicable
in the territory where it operates.
d) The transmission does not involve an international transfer
of data to countries outside the European Economic Area
without the guarantees provided for in Articles 44 to 49 of
the GDPR (European Commission adequacy decision or Standard
Contractual Clauses in force).
3. OBLIGATION TO INFORM THE USER IN
ADVANCE
Before the transfer takes effect, the Operator or the acquirer
shall notify the User in accordance with Article 14 of the GDPR,
at least 30 days in advance, by written communication to the
email address registered in the account, of the following minimum
information:
● Identity and contact details of the new data
controller.
● Contact details of the acquirer’s Data Protection
Officer, if any.
● The purposes of the processing, which will remain the
same, or an explicit and detailed description of any
changes to the purposes.
● The User’s rights and how to exercise them before the
new controller.
● The User’s right to cancel their subscription and request
the deletion of their data before the transfer takes
effect, under the terms of the following section.
4. USER’S RIGHT TO OBJECT AND CANCEL
TRANSFERS.
Users who do not want their data to be transferred to the
acquirer, or who do not accept the new terms of service resulting
from the transfer, shall have the right, within 30 days of
receiving the notification, to:
a) Cancel their subscription without any extraordinary penalty,
although the ordinary penalties due for the minimum contract
period will apply.
b) Request the deletion of their personal data (Art. 17 GDPR)
with effect from the date of transfer, without prejudice to
the applicable legal obligations of retention.
c) If deemed appropriate, file a complaint with the Spanish Data
Protection Agency (AEPD) or the competent supervisory authority.
Failure to cancel the subscription within 30 days of receiving
the notification will imply the unopposed continuation of data
transfer to the new controller, under the terms communicated.
5. CONDITIONS REQUIRED OF THE PURCHASER
As a contractual condition of the transfer of the business, the
Operator will require the purchaser to:
a) Maintain this Privacy Policy in force until its update, which
must be published within 30 days of the effective date of the
transfer.
b) Appoint a Data Protection Officer (DPO) if required under
Article 37 of the GDPR.
c) Not to alter the legal basis for the processing of GPS
geolocation data or use it for purposes other than
management of the rental service, security, and asset recovery,
without first obtaining the express consent of the Users
concerned.
d) Not to sell or transfer Users’ personal data to third parties
beyond the provisions of this Policy.
6. DUE DILIGENCE PHASE.
Prior to the closing of the transfer transaction, during the due
diligence phase, any personal data that the Operator shares with
the potential acquirer or its advisors will be subject to the
following guarantees:
● Only information strictly necessary for the valuation of
the business will be provided, preferably in anonymized or
pseudonymized format.
● The corresponding Non-Disclosure Agreements (NDAs) will be
signed and, in the event of access to identifiable data, a
data processing agreement will be signed in accordance with
Article 28 of the GDPR.
● The potential buyer may not use such data for any purpose
other than the evaluation of the transaction.
● If the transaction does not materialize, the potential
acquirer must destroy or return all information
received.
