Legal
Privacy Policy
1. Data Controller
The data controller for the personal data processed through the OFFWAN platform (the "Platform") is:
CARL HIVE, a French société par actions simplifiée with a share capital of €1,000, registered under SIREN 984 282 301 (RCS Lille Métropole), having its registered office at 679 avenue de la République, 59800 Lille, France.
Contact: contact@offwan.com
This Privacy Policy is established in accordance with Regulation (EU) 2016/679 of 27 April 2016 (the "GDPR") and French Law No. 78-17 of 6 January 1978 as amended (loi Informatique et Libertés).
2. Data We Collect
| Category | Examples | Origin |
|---|---|---|
| Registration data | Email address, first and last name, phone number | Provided directly by you |
| Identity verification data | Photograph of a government-issued identity document | Provided directly by you |
| Usage and navigation data | Device type, app interactions, connection logs, approximate location | Collected automatically |
| Payment-related data | Subscription plan and status (payment card details are not collected or stored by CARL HIVE) | Received from RevenueCat / Apple / Google |
| Published content | Vehicle listings, photographs, descriptions, in-app messages | Provided directly by you |
| Reputation data | Trust Score, ratings and reviews received from other Members | Generated on the Platform / provided by other Members |
3. Purposes and Legal Bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Account creation, authentication, and management of the contractual relationship | Performance of a contract (Art. 6.1.b) |
| Identity verification to secure the Platform and its Members | Legitimate interest — platform trust and safety (Art. 6.1.f) |
| Enabling connections and messaging between Members | Performance of a contract (Art. 6.1.b) |
| Calculation of the Trust Score and display of reviews | Legitimate interest — platform trust and safety (Art. 6.1.f) |
| Subscription billing and management | Performance of a contract (Art. 6.1.b) |
| Fraud prevention, content moderation, and enforcement of our Terms | Legitimate interest (Art. 6.1.f) and legal obligation (Art. 6.1.c) where applicable |
| Sending transactional emails (confirmations, security alerts) | Performance of a contract (Art. 6.1.b) |
| Compliance with accounting, tax, and legal record-keeping obligations | Legal obligation (Art. 6.1.c) |
| Optional marketing communications | Consent (Art. 6.1.a) — you may withdraw at any time |
4. Retention Periods
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy:
- Active account data is retained for the duration of your membership, for as long as your account remains active.
- Data following account deletion: upon a deletion request (see Section 7), your profile and published content are deleted or anonymized within thirty (30) days, save for data referred to below.
- Data retained for legal purposes: certain data (e.g., invoicing and accounting records, transaction-related logs necessary to defend against a legal claim) may be retained for the statutory periods required under French law, generally up to ten (10) years for commercial and accounting documents, notwithstanding account deletion.
- Identity verification documents are retained only for as long as necessary to verify eligibility and are deleted or securely archived in accordance with applicable retention obligations once no longer required for that purpose.
5. Recipients and Sub-processors
Your personal data may be shared with the following categories of recipients, strictly to the extent necessary for the purposes described above:
| Recipient | Role | Location |
|---|---|---|
| Supabase, Inc. | Database hosting and infrastructure provider | Frankfurt, Germany (EU) — AWS eu-central-1 |
| RevenueCat, Inc. | Subscription and in-app payment management | United States |
| Resend | Transactional email delivery | See provider's data processing terms |
| Apple Inc. | App Store distribution and payment processing (iOS) | United States |
| Google LLC | Google Play distribution and payment processing (Android) | United States |
| Other Members | Profile information, listings, and messages you choose to share are visible to Members you connect with | — |
| Competent authorities | Where required by law, court order, or to protect our rights or the safety of Members | — |
We do not sell personal data to third parties, and we do not share personal data with third parties for their own independent marketing purposes.
6. International Data Transfers
Our primary database infrastructure (Supabase, hosted on AWS in Frankfurt, Germany) is located within the European Union. However, certain sub-processors — namely RevenueCat, Apple, and Google — are based in or process data in the United States, which involves a transfer of personal data outside the European Economic Area.
Where such transfers occur, we ensure they are governed by appropriate safeguards recognized under the GDPR, in particular the European Commission's Standard Contractual Clauses (Art. 46 GDPR), and, where applicable, additional supplementary measures, and/or the recipient's adherence to an approved transfer framework (such as the EU-U.S. Data Privacy Framework, where the recipient is certified). You may request further information on these safeguards by contacting contact@offwan.com.
7. Your Rights
Under the GDPR, you have the following rights in relation to your personal data:
- Right of access — obtain confirmation of whether we process your data and a copy of it;
- Right of rectification — correct inaccurate or incomplete data;
- Right of erasure — request deletion of your data, subject to the retention exceptions in Section 4 (Art. 17 GDPR);
- Right to data portability — receive certain data in a structured, machine-readable format;
- Right to object — object to processing based on legitimate interest, including profiling relevant to the Trust Score;
- Right to restriction of processing — request that we limit how we use your data in certain circumstances.
You may exercise these rights directly within the mobile application (account settings) or by emailing contact@offwan.com. We will respond to your request within thirty (30) days, in accordance with Article 12 GDPR. We may request additional information to verify your identity before processing your request.
If you believe your data protection rights have not been respected, you have the right to lodge a complaint with the French data protection authority: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — www.cnil.fr — or with the supervisory authority of your habitual residence within the EU.
8. Cookies and Trackers
The Platform uses only cookies and similar technologies that are strictly necessary for its technical operation (e.g., maintaining your session, security). We do not use advertising, tracking, or analytics cookies. Full details are available in our dedicated Cookie Policy.
9. Data Security
We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction, including encryption of data in transit and at rest, restricted and role-based access to production systems, and regular review of our security practices. No method of transmission or storage is completely secure; we cannot guarantee absolute security but are committed to promptly addressing any identified vulnerability and to notifying competent authorities and affected Members of any personal data breach as required under Articles 33 and 34 GDPR.
10. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. In the event of a material change, we will notify you by email prior to the change taking effect. We encourage you to review this page periodically.
Last updated: July 2025 — Version 1.0