Privacy Policy

This Privacy Policy applies to Skootor Holdings (Aust) Pty Ltd (ABN 18 635 623 004) and its services (collectively, "Skootor", "we", or "us"). We are bound by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) it sets out.

This policy explains what personal information we collect, why we collect it, how we use and share it, where we store it, how long we keep it, and the choices you have. By using Skootor, you agree to this policy.

We collect the following categories of personal information:

• Identity: full name, date of birth, profile photo.
• Contact: mobile phone number, email address, postal address (for receipts and physical mail).
• Licence: motorcycle (or equivalent) driver-licence number, issuing authority, expiry, and a photo of the licence card. For international riders, the IDP equivalent.
• Verification photos: a selfie compared against your licence photo at sign-up.
• Payment: card details are entered directly into Stripe's payment form and never touch our servers. We store only your Stripe customer ID, which lets us look up your saved payment methods from Stripe at the time of each transaction. We do not persist the card number, expiry, CVV, last-4 digits, or brand in our own database — they are fetched fresh from Stripe each time we need to display them.
• Ride data: start and end times, start and end locations, GPS trace during the ride, distance, average speed, fuel level, and any incident reports.
• Device & technical: IP address, browser type and version, device type, approximate geolocation derived from IP, app diagnostic logs and crash reports.
• Communications: messages you send via our in-app help chat, support emails, SMS exchanges with our verification system.
• Marketing preferences: opt-in status for promotional emails and SMS.

We collect personal information directly from you when you sign up, verify your licence, take a ride, contact support, or complete an incident report. We collect technical and ride data automatically through the rider app and the on-board GPS tracker on each scooter. We may also collect personal information from third parties — for example, licence verification services, fraud-prevention services, and law-enforcement requests where legally required.

We use the information we collect to:

• Provide and operate the rental service.
• Verify your eligibility to ride (licence, age, identity).
• Charge you for rides and process refunds.
• Locate and recover scooters in the event of theft, accident, or breakdown.
• Investigate incidents, traffic infringements, parking complaints, and damage.
• Comply with our legal obligations (taxation, road-rule cooperation, court orders).
• Improve and secure the service (analytics, fraud detection, abuse prevention).
• Send you operational communications (ride receipts, account alerts, service-status notices).
• Send you marketing communications, only where you have opted in.

Where we rely on consent, you can withdraw it at any time (see section 13).

We share personal information only with parties that need it to deliver the service or where required by law:

• Stripe (Stripe Payments Australia Pty Ltd): all payments processed through Stripe's PCI-DSS Level 1 environment. Stripe is the controller of your payment-card data; we never store the full card number, expiry, or CVV.
• Twilio (Twilio Inc., US): we send OTP verification codes and ride notifications via Twilio's SMS gateway.
• Sentry (Functional Software, Inc., US): application error reports for diagnostic purposes. Our Sentry SDK runs with default privacy settings (sendDefaultPii: false) so user IP addresses are not transmitted as part of error reports. We do attach minimal technical context — scooter IDs, booking IDs, error stack traces — which is necessary to triage the error but could be correlated back to your account via our internal logs.
• Render Services, Inc. (US): cloud hosting provider for our application servers and database.
• Cloudflare, Inc. (US): content delivery and DDoS protection.
• Mapbox (Mapbox, Inc., US): map tiles and search; we send anonymised location coordinates for map rendering, never associated with your identity.
• Anthropic (Anthropic, PBC, US): AI assistant for in-app support chat. Conversations are anonymised and not used to train models.
• Insurer (compulsory third-party + comprehensive fleet, [name TBA]): in the event of an incident, we may share rider, vehicle, and ride data with our insurer for claim assessment.
• Law-enforcement and regulators: where compelled by a valid Australian court order, warrant, or statutory notice (e.g., NSW road-rules enforcement, traffic-camera fines, parking infringements).
• Professional advisers: our lawyers, accountants, and auditors, under confidentiality obligations.
• Successor entities: in the event of a sale, merger, or restructure of Skootor, your information may be transferred to the successor entity, on the same privacy terms as this policy.

We do not sell your personal information. We do not share it for third-party marketing.

Several of our service providers (Stripe, Twilio, Sentry, Render, Cloudflare, Mapbox, Anthropic) are based in the United States. By using Skootor you consent to your personal information being disclosed to and processed in the US for the purposes set out in section 5. We require those providers to handle your data to standards consistent with the APPs.

We store your personal information in encrypted-at-rest PostgreSQL databases hosted by Render Services, Inc. in their Oregon, USA region. Communication between your device, our servers, and our service providers is encrypted with TLS 1.2 or higher. Access to our internal systems is restricted to authorised staff under role-based controls and is logged. Backups are encrypted and retained for [30] days.

Because our primary database is hosted in the United States, your personal information is disclosed to and processed in the US in the ordinary course of using our service. By using Skootor you consent to this cross-border disclosure. We rely on Render's contractual commitments and US-state-of-the-art security practices to protect data at rest and in transit; we will migrate to an Australian region once Render makes one available for our database tier.

No system is perfectly secure. If we become aware of a data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.

We retain personal information only as long as needed:

• Account information: for as long as your account is active, plus [7] years after closure for tax, accounting, and legal compliance.
• Licence verification photos: deleted [30] days after successful verification, or earlier on request.
• Ride data (GPS, timing): [7] years for tax / dispute reasons; aggregated/anonymised data may be retained indefinitely for analytics.
• Payment records: [7] years per Australian Taxation Office record-keeping requirements.
• Support communications: [2] years from the date of resolution.
• Marketing-opt-in records: until you unsubscribe, plus [12] months after for fraud-prevention.

Under the Privacy Act and the APPs, you have the right to:

• Access the personal information we hold about you.
• Correct personal information that is inaccurate, incomplete, or out of date.
• Delete your account and the personal information associated with it, subject to our legal-retention obligations.
• Withdraw consent for marketing communications at any time.
• Lodge a complaint with us, and escalate to the OAIC if unresolved.

To exercise any of these rights, email privacy@skootor.com. We will respond within 30 days.

We use a small number of essential cookies to keep you signed in and to remember your preferences. We use Sentry for error tracking and may use a privacy-conscious analytics product (e.g., Plausible or self-hosted Umami) — no third-party advertising trackers. You can disable cookies in your browser, but parts of the rider app may stop working.

Skootor is intended for adults aged 18 and over who hold a valid motorcycle (or equivalent) driver licence. We do not knowingly collect personal information from anyone under 18. If we discover we have collected such information, we will delete it.

We may update this policy from time to time. When we do, we will post the new version at this URL and update the "Last updated" date in the banner. For material changes (e.g., new disclosure categories), we'll also notify active riders by email or in-app notice.

Privacy questions or complaints: privacy@skootor.com

If you're not satisfied with how we've handled a privacy complaint, you can lodge it with the Office of the Australian Information Commissioner: oaic.gov.au or 1300 363 992.