Covoit IDFM Mobile App Privacy Policy

Published on

November 2025

The User's personal data collected by Karos in the name and on behalf of Ile-de-France Mobilités are processed within the meaning of the amended law of 6 January 1978 relating to information technology and civil liberties and European Regulation 2016/679 of 27 April 2016 on data protection, known as the "GDPR", for the purpose of performing the carpooling service offered on the Covoit IDFM application.

This Privacy Policy explains how Île-de-France Mobilités ("Ile-de-France Mobilités" or "We"), as a data controller within the meaning of Article 4 of the GDPR, processes your personal data when you use the Covoit IDFM mobile application (the "Application") operated by Karos Mobility SAS as a processor within the meaning of Article 28 of the GDPR.

Île-de-France Mobilités' registered office is located at 39bis-41 rue de Châteaudun, 75009 Paris, France. If you have any questions about data protection, you can contact our Data Protection Officer (DPO) at the following address: [email protected].

Karos Mobility SAS (10 rue de la Paix, 75002 Paris, France) acts only as a processor within the meaning of Article 28 of the GDPR.

1. DEFINITIONS

For the purposes of this policy:

  • "Application" means the Covoit IDFM mobile application.
  • "Member" refers to any user who has created an account via the Application
  • "Trip" means the trip made by a driver and a passenger.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Site" refers to the Île-de-France Mobilités website presenting the Application, and containing a download link, accessible at the following address: www.covoit.idfm.fr.

2. COLLECTION AND USE OF PERSONAL DATA

Karos, in the name and on behalf of Ile-de-France Mobilités, processes Personal Data in the context of the following processing:

  • The creation and management of the user account;
  • The provision of the carpooling service;
  • Legal compliance (anti-money laundering, fraud, security);
  • Technical diagnosis and statistical analyses;
  • Management of user complaints;
  • Communication to users (via opt-in).

2.1 Types of data collected

When you use the App, we may collect and process the following categories of personal data. This information allows us to provide, operate and improve the services:

  • Identification data
  • Authentication and verification data
  • Geolocation data
  • Payment data
  • Vehicle data
  • Professional and Transportation Program Affiliation Data
  • Login details
  • Browsing data
  • Usage Data
  • This data may be collected directly from you (e.g. when creating an account) or indirectly through your use of the App.

The legal bases and purposes are detailed in the next section.

2.2 Legal Basis and Purposes

2.2.1 Creation and management of the user account

To benefit from the services offered on the Application, you must create a user account. During this process, we collect certain information about you. This processing is based on our contractual obligations. Required fields include the following information:

  • First and last name
  • Email address
  • Mobile phone number
  • Street and house number
  • Zip code
  • Town
  • Country

After successful registration, you can update your data.

We also invite you to create a password or register via "Sign in with Apple" or through single sign-on (SSO) with an IDFM connect account. In the latter case, we only receive the data that you authorize us to share. For more information, please see the privacy policy: https://www.iledefrance-mobilites.fr/cgu-compte.

Legal basis: Article 6(1)(b) of the GDPR (performance of the contract).

2.2.2 Provision of our ride-sharing services

To allow you to benefit from our carpooling service, we are required to:

  • Create a public user profile for you on the App that is visible to other community members (e.g., name, profile picture, employer).
  • To analyse your travel data (e.g. departure and arrival times and locations), including geolocation data, in order to offer you suitable journeys.
  • Share your personal data with the members with whom you carpool (e.g. name, age, ratings, company name if provided, profile information, etc.).
  • Share your geolocation with the members with whom you carpool to facilitate the meeting (e.g. GPS position);
  • To communicate with you, for example, to confirm a reservation or provide user service.
  • Generate billing based on your Journeys and your eligibility for subsidies (e.g. Journey information cross-checked with geolocation and personal identity data)
  • Process payments, via our payment providers, for journeys made and transfers from your balance to your bank account (e.g. credit card numbers, IBAN, transaction details, nationality etc.). Payment processing includes mandatory KYC (Know Your Customer) identity verification in accordance with anti-fraud and anti-money laundering laws.

Legal basis: Article 6(1)(b) GDPR (performance of contract) and Article 6(1)(a) GDPR (consent, revocable at any time) for optional profile information.

2.2.3 Verification of eligibility for the Service

In some cases and in order to verify eligibility for the Service, we will ask you to provide us with documents such as a driver's license, ID and/or proof of address. The data is processed through a secure interface with a third-party verification service.

These documents and the information contained therein are used for security purposes to verify the member's age, authenticity, and uniqueness of accounts. Documents and information may also be shared with our banking partners as part of European anti-money laundering obligations.

This may involve sharing data with our banking partners.

Legal basis: Article 6(1)(c) GDPR (legal obligation)

2.2.4 Verification of Carpools and Triggering of Payments

We analyse your connection and geolocation data during carpooling in order to verify that the carpooling has taken place under the conditions defined at the time of booking, to trigger the driver's payment and to debit the passenger. Your journey and contact data may be shared with our anti-fraud verification partners so that they can make control calls.

Legal basis: Article 6(1)(c) of the GDPR (legal obligation to prevent fraud requested by class C of the Carpooling Evidence Register)

2.2.5 Ensuring security and improving our Services

We analyze your activity (e.g. login data) and your interactions with the App in order to improve the services offered (e.g., the mobile app interface or user service messages).

Legal basis: Article 6(1)(b) of the GDPR (Performance of the contract in order to guarantee security, make the correct technical diagnosis and ensure the proper functioning and continuous improvement of the Service).

2.2.6 Referral via the App

With your consent, the App may access your phone contacts to send invitations. Your friends will not receive any additional commercial messages. Only the numbers of the selected contacts are collected and processed by Île-de-France Mobilités, via Karos as a subcontractor. The numbers of the selected friends are kept for 2 months in order to activate a referral bonus if the contact registers. Make sure your friends have agreed to receive such messages.

Legal basis: Article 6(1)(a) of the GDPR (consent, revocable at any time).

2.2.7 Receiving Public Grants or Bonuses through National Programs

Spain: Participation in the Energy Savings Certificate System (CEE)

In order for the user to participate in the system of energy saving certificates promoted and implemented by the Ministry of Ecological Transition and Demographic Challenge (MITECO), we must collect and process identification data (such as name, surname and CNI/NIE) as well as technical data about the vehicle (make, model, registration, type of fuel), with the aim of recording the savings generated by shared journeys and transferring them to authorised bodies or entities for validation.

Legal basis: Article 6(1)(b) of the GDPR (performance of the contract).

2.2.8 Receiving Public Grants or Bonuses through Regional Programs

In some regions, carpoolers can benefit from public subsidies or bonuses. These amounts are received by Île-de-France Mobilités, via Karos as a subcontractor, and redistributed to its Members.

In this context, certain data (e.g. date, origin, destination of your journeys, proof that the journeys have taken place, etc.) may be provided to the public authorities granting the subsidy or bonus.

Legal basis: Article 6(1)(b) of the GDPR (Performance of the contract to enable the management of regional programmes and calculation of subsidies).

2.2.9 Participate in Your Regional Carpooling Program

In some areas, we work with local authorities, such as those managing public mobility, to provide its services. In this context, certain data (e.g. surname, first name, e-mail address, telephone number, transport card number, postal address, etc.) may be shared with the Partner.

Aggregated information about the use of the App in the area may also be provided.

Legal basis: Article 6(1)(b) of the GDPR (Performance of the contract to enable the management of regional programmes and calculation of grants).

2.2.10 Participation in Your Company or School's Carpooling Program

When a company or school collaborates with Île-de-France Mobilités as part of a Carpooling program: If a Member chooses to affiliate with the company or school concerned, in accordance with the terms of use, certain necessary identification data (such as name, surname, and any other strictly required information) may be shared with the company or school for the administrative management of the Affiliations.

This sharing is for administrative purposes only, including to allow partner companies to keep their active employee list up to date and for educational institutions to keep their active student list up to date.

Aggregated and anonymized data on the use of the Application by Members identified as employees or students may also be provided for statistical purposes or to evaluate the program.

Individualized data (e.g. for tax or compliance purposes) may also be transmitted where Members have given their consent.

In some cases, the purposes and means of the data processing may be determined jointly with the employer (e.g. reporting of distances travelled for tax or mobility programmes). Responsibilities are defined in a separate agreement.

Legal basis: Article 6(1)(b) of the GDPR (Performance of the contract to enable the calculation of subsidies).

2.2.11 Partnerships with Route Finder Services

We have established certain partnerships to display available rides from the App to third-party route search services. In this context, certain data about Members and the journeys they offer may be shared with partners.

Legal basis: Article 6(1)(f) of the GDPR (legitimate interest to improve the visibility of journeys via partnerships while protecting user data).

2.2.12 Receiving Return Assistance

If your carpools are eligible for a return assistance program, your contact information and addresses may be shared with our transportation partners.

Legal basis: Article 6(1)(a) of the GDPR (consent).

2.2.13 Benefit from Reserved Parking Spaces

If your carpooling entitles you to a reserved parking space, your contact details and addresses may be shared with the relevant partner in order to reserve your space and for possible checks.

Legal basis: Article 6(1)(a) of the GDPR (consent).

2.2.14 Receiving Gifts or Benefits

Your carpooling or your activity may entitle you to certain benefits, such as gifts, vouchers or other privileges, if you participate in the games organised by Île-de-France Mobilités, via Karos as a subcontractor.

Legal basis: Article 6(1)(b) of the GDPR (performance of the contract as defined in the GTCU).

2.2.15 Growing our user community

Newsletters: Periodic newsletters, in-app messages, and surveys may be sent through third-party partners. You can unsubscribe at any time by using the link provided in the communication.
 Legal basis: Article 6(1)(a) of the GDPR (consent).

Contests and Sweepstakes: When organising competitions, the data of the participants (e.g. name, e-mail address) is processed in order to carry out the operation. The data is deleted afterwards unless otherwise required by law.
Legal basis: Article 6(1)(a) of the GDPR (consent).

User Reviews : To improve the Services, reviews may be collected from Members                                        
Legal basis: Article 6(1)(a) of the GDPR (consent).

2.2.16 Ensuring Security and Comity within the Community

In the Application, registered Members can interact with each other through various features, such as:

● Sending messages

● Evaluation of past journeys

During these interactions, the following data may be visible:

● Your user profile (name, age, mobile number)

● Your Feedback Received

● Posts and ratings shared with other users

When necessary, such as in the event of abnormal behavior or a report by a user, we may analyze interactions and discussions on the App.

Legal basis: Article 6(1)(b) of the GDPR (Performance of the contract to ensure security and compliance with community guidelines).

2.2.17 Special Categories of Data

Please do not provide, enter or transmit any information relating to special categories of personal data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric, health, sex life or sexual orientation data) when using this service. This data has no direct or necessary link to the service offered and we are not allowed to collect or process this data, even if you consent to it.

2.2.18 Links

Certain sections of our Site and App contain links to third-party sites, including social networks (e.g., Instagram, Facebook, LinkedIn, YouTube, X). Clicking on these links redirects you to the relevant platform, which may receive user data.

Please refer to the privacy policies of these platforms for more details. These sites operate under their own privacy policies. We are not responsible for their operation, including their data management.

2.2.19 Cookies and communication

We may use cookies to analyse your behaviour in detail. Cookies are small text files that are stored on your device. They are used to ensure certain technical functions of the site. This data is not merged with other data. The information collected may include:

  • YouTube video settings and statistics
  • Facebook Ads Optimization

We distinguish between the following categories of cookies:

  • Marketing cookies (e.g. DoubleClick, Facebook Pixel): Used to optimise advertising and deliver targeted ads. These cookies are also only stored with your prior consent.
  • Newsletter subscription management cookies : used to check whether a user has subscribed to the newsletter.

The data stored in the cookies is used only for the purposes described above and is not used to create complete user profiles or to track behavior outside of the stated purposes.

Legal basis: Article 6(1)(a) GDPR (user consent)

2.2.20 Management of user complaints

As part of the assistance to users and the processing of complaints, Île-de-France Mobilités, via Karos as a subcontractor, processes certain personal data in order to identify Members, analyse the situations reported and provide an appropriate response.

Treatments include:

  • Viewing and verifying user account information, including contact details (name, surname, email address, phone number) and trip history associated with the account.
  • Access to travel information during and outside of trips, such as GPS positions and geolocation data, when necessary to verify a trip, resolve a dispute between carpoolers, or prevent fraudulent behavior.
  • Access to the user database, limited to authorized customer service and technical support agents, to enable the management of requests, the traceability of exchanges, and the provision of effective support.
  • The analysis of activity logs and connection data, in order to diagnose technical malfunctions or to identify possible non-compliant uses of the Application.

The data processed in this context is only used for the purpose of resolving requests, preventing fraud and improving user support.

It may, if necessary, be shared with the service providers involved in the handling of the complaint (e.g. payment providers, mobility partners, technical support), only to the extent strictly necessary to resolve the problem.

Legal basis: Article 6(1)(b) of the GDPR – Performance of the contract (assistance and dispute resolution).

2.2.21 Compliance with Legal Obligations

We process personal data in order to comply with legal obligations, such as commercial, business or tax retention periods. Legal basis: Article 6(1)(c) of the GDPR in conjunction with applicable commercial, professional or tax laws

We process personal data in order to assert or defend against legal claims, as well as to investigate or prevent criminal offences.

Legal basis: Article 6(1)(c) GDPR (Legal Requirement for Legal Protection and Security)

2.2.22 Automated Decision-Making / Profiling

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.

3. DATA SHARING AND PROTECTION

3.1 Data protection

Île-de-France Mobilités, with the support of Karos as a subcontractor, ensures the protection of user data through state-of-the-art encryption, authentication and fraud detection techniques. Dedicated teams work daily to protect the community from fraudulent and abusive use.

3.2 Sharing Data with Partners

Only our internal teams have access to your data. As an exception, certain data may be shared with partners and service providers, to whom it may be transmitted, subject to your consent where required. These recipients include:

  • Karos Mobility SAS, as a technical subcontractor mandated by Île-de-France Mobilités for the operation of the Covoit'IDFM Application;
  • Service providers we use to provide our services, such as payment, analytics, hosting, messaging, debt collection and legal advice providers, as well as identity verification providers;
  • Transportation services implementing our return assistance program, if applicable;
  • Social media platforms to which you can link your Covoit IDFM account, including during registration;
  • Public partners with whom we offer our services in certain territories;
  • Private partners who have chosen Karos for their corporate carpooling program;
  • Public authorities setting up a register of proof of carpooling and/or paying subsidies to carpoolers through us;
  • Our business partners as part of our gift and privilege program.

Here is the current list of our service providers with whom data may be shared:

The data is also shared with public authorities and partners to:

  • Energy saving programs (SIPLEC / PNCEE)
  • Regional carpooling initiatives
  • Corporate or educational carpooling programs

We only share data that is strictly necessary for the intended purpose and in accordance with Art. 28 GDPR (data processing agreements) or Art. 26 GDPR (joint responsibility contracts).

We anonymize and aggregate trip information, itineraries and certain characteristics of user profiles in order to produce usage statistics for third parties.

3.3 Data retention periods

In accordance with the provisions of the GDPR, we undertake to retain personal data only for as long as is necessary for the purposes for which they are processed:

  • Account data: until request for closure or 2 years after last use;
  • Financial data: legal accounting and tax period;
  • Public subsidies or bonuses: duration required by the regulations;
  • Geolocation data: 1 year;
  • Account suspended/blocked: 5 years;
  • User-generated content: anonymised after account deactivation, unless required by law.

3.4 Security Measures

We implement appropriate security measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, as well as against any other processing not in accordance with this Privacy Policy.

4. CONTROL AND ACCESS TO DATA

In accordance with the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to withdraw your consent
  • Right to object (Art. 21 GDPR)
  • Right to lodge a complaint (Art. 77 GDPR)

You can exercise your rights by sending a request to [email protected]. Proof of identity will be required.
 You can also contact [email protected] (technical processor).

In the event of non-compliance with your rights, you can refer the matter to the CNIL or any other competent authority.
You can also delete your Covoit IDFM account directly from the App.

5. TRANSFER OF DATA TO THIRD COUNTRIES

With the exception of the processing listed below, your data contributing to the operation of the Service is processed within the European Union.

Purpose / Partners / Countries to which your data is transferred / Guarantees governing the transfer

Follow-up of promotional campaigns / Branch/US /Data Processing Agreement (DPA)

Tracking statistical usage data and advertising campaign management /Google Analytics & Tag Manager /US/ Data Processing Agreement (DPA)

Occasional User Surveys /Typeform/US /Data Processing Agreement (DPA)

SMS Confirmation & SMS Journey /Vonage /US / Data Processing Agreement (DPA)

Statistical monitoring of the use of the Application / Amplitude / US / Data Processing Agreement (DPA)

We make these transfers on the basis of the Standard Contractual Clauses (SCCs) approved by the European Commission.

6. CHANGES TO THIS PRIVACY POLICY

We reserve the right to change this Privacy Policy at any time.

Members of the Application are informed directly via the Application and must comply with the changes to continue using the services.

Unless otherwise specified, such changes are effective immediately upon posting.

We recommend that you review this policy regularly.