GDPR and Data Processing Notice

Last updated: 5.15.2026

Introduction

This GDPR and Data Processing Notice explains how AlphaWare s.r.o. processes personal data under the General Data Protection Regulation (GDPR) and other applicable data protection laws. This notice applies to our website, software platform, telematics services, electronic vehicle and machinery tracking systems, APIs, integrations, dashboards, reports, connected devices, and related services. This notice should be read together with our Privacy Policy, Terms of Service, and, where applicable, any written agreement, order form, data processing agreement, or service contract between us and our customer.

1. Purpose of This Notice

Our services are used to track, monitor, manage, and analyze vehicles, machinery, equipment, assets, telematics units, and related operations. Because telematics data may include GPS location, route history, timestamps, speed, driver behavior, operator activity, vehicle status, machinery status, device identifiers, and other information that may relate to identifiable individuals, such data may qualify as personal data under GDPR. This notice explains our role under GDPR, the types of personal data we process, why we process personal data, the legal bases for processing, customer responsibilities, data subject rights, use of aggregated and anonymized data, API restrictions, and our security, retention, and international transfer practices.

2. Definitions

For the purposes of this notice, Personal Data means any information relating to an identified or identifiable natural person. Customer means the company, organization, sole trader, or other legal entity using our services. Data Subject means an identified or identifiable individual whose personal data is processed, including drivers, employees, contractors, operators, account users, administrators, or other individuals. Customer Data means data submitted, uploaded, configured, or controlled by the customer through the service. Telematics Data means data generated, collected, transmitted, or processed by vehicles, machinery, equipment, assets, telematics units, sensors, APIs, integrations, or connected systems. API Data means data obtained through our API, webhooks, exports, or other automated access methods. Processing means any operation performed on personal data, including collection, storage, analysis, transmission, disclosure, deletion, aggregation, anonymization, or use.

3. Our Role Under GDPR

Depending on the processing activity, AlphaWare s.r.o. may act as either a processor or a controller. We usually act as a processor when we process personal data on behalf of a customer to provide the core telematics service, including storing customer account data, receiving data from connected telematics units, displaying assets on a map, generating route history, reports and alerts, providing dashboard access, processing customer-authorized integrations, and hosting customer data. We may act as an independent controller for account administration, billing, fraud prevention, free trial abuse prevention, platform security, service improvement, product development, analytics, internal business operations, legal compliance, dispute resolution, enforcement of our Terms of Service, and creation of aggregated, anonymized, de-identified, statistical, behavioral, routing, operational, or commercial data products where permitted by law.

4. Categories of Personal Data Processed

We may process account and business contact data such as names, email addresses, phone numbers, company details, billing information, credentials, user roles, and support communications. We may process driver, employee, contractor, and operator data where a vehicle, machine, or asset is linked to a person, including assignment history, route history, trip history, event history, and operational activity. We may process telematics and location data such as GPS location, route history, trip data, timestamps, speed, mileage, ignition status, movement status, fuel data, battery data, equipment status, and usage patterns. We may also process device and technical data including telematics unit identifiers, IP addresses, connection logs, API request metadata, authentication logs, and security logs, as well as website and cookie data such as browser type, session data, analytics data, and approximate location.

5. Purposes of Processing

We process personal data to provide the telematics platform, receive and process data from connected units, display vehicles and assets on maps, generate route history, trip history, reports, alerts, and dashboards, manage customer accounts, manage users and permissions, provide API access and integrations, provide customer support, troubleshoot technical issues, secure the platform, detect fraud, misuse, and abuse, prevent free trial abuse, enforce API restrictions, monitor rate limits, manage billing and subscriptions, improve service performance, develop new features and products, create analytics and insights, comply with legal obligations, resolve disputes, and enforce our agreements.

6. Legal Bases for Processing

Where we act as controller, we rely on one or more legal bases, including contractual necessity, legitimate interests, legal obligations, and consent where required. We process personal data where necessary to provide the service, manage accounts, process subscriptions, and perform our contractual obligations. We may rely on legitimate interests for operating and improving the service, securing the platform, preventing fraud and misuse, detecting free trial abuse, enforcing rate limits, protecting our business and customers, developing new services, generating internal analytics, creating aggregated or de-identified insights, and enforcing legal claims and agreements. We may process data where necessary to comply with legal obligations or where consent is required by applicable law. Where the customer acts as controller, the customer is responsible for establishing the correct legal basis for processing personal data.

7. Customer GDPR Responsibilities

Customers are responsible for ensuring that their use of the service complies with GDPR and other applicable privacy laws. Customers must identify the correct legal basis for tracking, inform drivers, employees, contractors, operators, and other affected individuals about tracking, explain what data is collected and why, explain retention periods and access rights, provide legally required notices, obtain consent where required, respond to data subject requests where applicable, configure permissions appropriately, avoid excessive or unlawful tracking, and ensure that integrations and API users comply with applicable law. Customers must not use the service for unlawful surveillance, stalking, harassment, discrimination, or any tracking activity that violates applicable law or the rights of individuals.

8. Processing of Location Data

Location data may be highly sensitive in practice because it can reveal routes, habits, working patterns, customer visits, homes, workplaces, and other behavioral information. We process location data to provide the telematics service, including live or recent tracking, route history, trip history, fleet and machinery management, asset protection, alerts, reporting, diagnostics, customer-authorized integrations, security, analytics, aggregated insights, and routing and operational analysis. Customers must ensure that the collection and use of location data is lawful, proportionate, transparent, and limited to legitimate purposes.

9. Data Processing Instructions

Where we act as processor, we process personal data only according to the customer’s documented instructions, as necessary to provide the service, as required by our agreement with the customer, as required by applicable law, or as otherwise permitted under the applicable data processing agreement. The customer’s use of the service, configuration of devices, assignment of drivers or operators, activation of integrations, use of API access, and use of platform features may constitute documented instructions. If we believe that an instruction violates applicable data protection law, we may notify the customer and may suspend processing where legally required or appropriate.

10. API Data and GDPR Restrictions

We may provide API access, webhooks, exports, or automated access methods to authorized customers and integrations. API users must only access data they are authorized to access and must protect API credentials, access tokens, webhook secrets, and integration keys. Unless expressly agreed otherwise in writing, API-obtained data may only be temporarily cached for up to 24 hours. API users must not permanently store, mirror, replicate, synchronize, archive, import, or save API-obtained data into their own database, data warehouse, analytics system, CRM, ERP, backup system, reporting platform, or any other persistent storage system. After the 24-hour cache period expires, API-obtained data must be deleted. Violation of this section may result in suspension or termination of API access, account suspension, contractual liability, claims for damages, legal action, and notification to affected customers, individuals, or authorities where required by law.

11. Aggregated, Anonymized, De-Identified, and Commercial Data Use

Subject to applicable law, we may create aggregated, statistical, anonymized, de-identified, pseudonymized, or otherwise non-identifying datasets, analytics, benchmarks, reports, models, insights, and commercial data products from data processed through the service. These datasets may relate to vehicle activity, machinery activity, routing patterns, trip patterns, usage behavior, operational trends, technical metadata, diagnostics, API usage, and platform performance. We may use, license, sell, disclose, publish, or otherwise provide aggregated, anonymized, de-identified, statistical, behavioral, routing, operational, or analytical data to business partners, infrastructure providers, analytics companies, insurers, service providers, researchers, public-sector bodies, and other commercial partners, provided such data does not directly identify a specific individual unless we have a lawful basis or other legal permission to do so.

12. Ownership, Licensing, and Derived Data

Customers retain any ownership rights they may have in Customer Data submitted to the service. However, data generated, collected, received, processed, or derived by telematics units, vehicles, machinery, sensors, APIs, integrations, connected systems, or platform usage through our backend and services may be used by us as described in this notice and our Privacy Policy. Customers grant us a worldwide, non-exclusive, transferable, sublicensable, royalty-free license to host, store, process, transmit, analyze, transform, aggregate, anonymize, de-identify, derive insights from, and otherwise use such data for providing the service, maintaining and securing the platform, troubleshooting and support, improving features, developing new products and services, creating analytics and insights, and creating or commercializing aggregated or de-identified data products where permitted by law.

13. Sub-Processors

We may use trusted sub-processors to provide the service, including providers of cloud hosting, database infrastructure, mapping, routing, geocoding, mobile connectivity, email delivery, notifications, payments, analytics, monitoring, security, customer support, backups, logging, and infrastructure operations. We require sub-processors to protect personal data and process it only for authorized purposes. Where required by GDPR, we maintain appropriate contractual arrangements with sub-processors.

14. International Transfers

Personal data may be processed in countries outside the European Economic Area, the United Kingdom, Switzerland, or the country where the customer, users, drivers, operators, vehicles, machinery, or assets are located. Where required by law, we use appropriate safeguards for international transfers, such as Standard Contractual Clauses, adequacy decisions, contractual protections, technical and organizational safeguards, and other legally recognized transfer mechanisms. Customers are responsible for ensuring that their own use of the service, including integrations and API access, complies with any applicable international transfer requirements.

15. Security Measures

We use reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction. These measures may include access controls, authentication, password protections, API authentication, webhook secrets, encryption where appropriate, rate limiting, logging and monitoring, backups, internal access restrictions, security reviews, abuse detection, fraud detection, incident response processes, and infrastructure security controls. No system is completely secure, and customers are responsible for keeping account credentials, API keys, devices, users, permissions, and integrations secure.

16. Confidentiality

Personnel authorized to process personal data are subject to confidentiality obligations or appropriate contractual duties. Access to personal data is limited to personnel, contractors, service providers, or sub-processors who need such access for authorized purposes.

17. Data Retention

We retain personal data only for as long as necessary for the purposes described in this notice, our Privacy Policy, customer agreements, legal obligations, dispute resolution, security, fraud prevention, billing, and business operations. Retention periods may vary depending on the customer subscription plan, type of data, customer configuration, legal requirements, technical requirements, security needs, audit needs, backup and disaster recovery processes, and contractual obligations. API users may cache API-obtained data for no longer than 24 hours unless expressly authorized otherwise in writing. Aggregated, anonymized, de-identified, statistical, derived, or non-identifying data may be retained indefinitely where permitted by law.

18. Data Subject Rights

Depending on applicable law, data subjects may have the right to request access to personal data, request correction of inaccurate personal data, request deletion of personal data, request restriction of processing, object to processing, request data portability, withdraw consent where processing is based on consent, and lodge a complaint with a supervisory authority. Where we act as processor, data subjects should normally contact the relevant customer directly. Where we act as controller, data subjects may contact us using the details below. We may need to verify identity before responding to a request.

19. Assistance to Customers

Where we act as processor, and where required by GDPR, we will provide reasonable assistance to customers with data subject requests, data protection impact assessments, security obligations, breach notifications, deletion or return of personal data, and information required to demonstrate compliance. Such assistance may be subject to the customer's agreement, technical feasibility, legal requirements, and reasonable fees where permitted.

20. Data Protection Impact Assessments

Customers may be required to conduct a Data Protection Impact Assessment where their use of the service creates a high risk to individuals, especially where tracking employees, drivers, contractors, operators, vehicles, machinery, or location data on a systematic basis. Customers are responsible for determining whether a Data Protection Impact Assessment is required. Where legally required and reasonably possible, we may assist customers by providing relevant information about our processing activities.

21. Contact

For questions about this GDPR and Data Processing Notice, or to exercise applicable rights where AlphaWare s.r.o. acts as controller, you can contact us at AlphaWare s.r.o., Husitská 344/63, 130 00, Praha 3, by email at tony@alpha-matics.com, or by phone at +420 774 003 101.