Last modified: 12 December 2020
This Policy applies to our customers, passengers, agents, vendors, suppliers, partners (such as driver and merchant partners), contractors and service providers (collectively “you”, “your” or “yours”).
“Personal Data” is any information which can be used to identify you or from which you are identifiable. This includes but is not limited to your name, nationality, telephone number, bank and credit card details, personal interests, email address, your image, government-issued identification numbers, biometric data, race, date of birth, marital status, religion, health information, vehicle and insurance information, employment information and financial information.
I. COLLECTION OF PERSONAL DATA
We collect Personal Data about you in the ways listed below. We may also combine the collected Personal Data with other Personal Data in our possession. If you have or are a party to multiple relationships with us (for example if you use our Services across our various business verticals, or if you are both a driver partner/delivery partner as well as a passenger on our transport vertical or a customer on our other business verticals), we will link your Personal Data collected across your various capacities to facilitate your use of our Services and for the Purposes described below.
You provide your Personal Data to us
We collect your Personal Data when you voluntarily provide it to us. For example, you may provide your Personal Data to us when you:
- complete a user profile or registration forms (such as your name, contact information and other identification information where needed);
- provide information to assess your eligibility to provide services as a OOhsem driver partner or delivery partner (such as your driver’s license information, vehicle
- interact with our social media pages (such as your social media account ID, profile photo and any other publicly available data);
- participate in contests or events organised by us (such as the pictures, audio files, or videos you may submit, which may include images of yourself);
- verify your identity through various means (such as social media logins, submission of selfie images or independently verified payment card information);
- fill up demographic information in surveys (such as your age, gender, and other information you may volunteer such as your marital status, occupation and income information); and
- agree to take a ride with in-vehicle audio and/or video recording features.
In certain circumstances, you may need to provide your Personal Data in order to comply with legal requirements or contractual obligations, or where it is necessary to conclude a contract. Failure to provide such Personal Data, under such circumstance, may constitute failure to comply with legal requirements or contractual obligations, or inability to conclude a contract with you, as the case may be.
When our services are used
Personal Data may be collected through the normal operation of our Apps, Websites and Services. Some examples are:
- your location (to detect pick-up locations and abnormal route variations);
- feedback, ratings and compliments;
- transaction information (such as payment method and distance travelled);
- information about how you interacted with our Apps, Website or Services (such as features used and content viewed);
- device information (such as hardware model and serial number, IP address, file names and versions and advertising identifiers or any information that may provide indication of device or app modification);
- personal data you enter in messages when you use our in-app communication features; and
- personal data that may be captured through your interaction with us, our agents, in-vehicle audio and/or video recording during a ride (such as your image or voice or both, and its related metadata).
From other sources
When we collect Personal Data, including but not limited to your name, contact information and other identification information where needed from other sources, we make sure that that data is transferred to us in accordance with applicable laws. Such sources include:
- referral programmes;
- our business partners, such as fleet partners, payment providers, ride-hailing partners and transport partners;
- insurance and financial providers;
- credit bureaus and other credit reporting agencies;
- publicly available sources of data;
- governmental sources of data;
- when our users add you as an emergency contact; and
- marketing services providers or partners.
Personal Data about driver partners
If you are a driver partner, we may collect:
- telematics data (such as your speed, acceleration, and braking data);
- device data (such as accelerometer data, GPS location, your IMEI number and the names of apps you have installed on your device);
- your vehicle registration data; and
- personal data that may be captured through your interaction with us, our agents, our in-vehicle audio and/or video recording during a ride (such as your image or voice or both, and its related metadata).
Sensitive Personal Data
Some of the Personal Data that we collect is sensitive in nature. This includes Personal Data pertaining to your race, national ID information, religious beliefs, background information (including financial and criminal records, where legally permissible), health data, disability, marital status and biometric data, as applicable. We collect this information only with your consent and/or in strict compliance with applicable laws.
OOhsem’s applications or devices
OOhsem may install in-vehicle audio and/or video recording applications or devices to promote the safety and security of OOhsem driver partners, delivery partners and passengers. Your Personal Data may be captured in these audio and/or video recordings. Where in-vehicle audio and/or video recordings are made, such recordings are collected, processed, used and stored in a manner that is compliant with applicable laws.
Personal In-vehicle cameras
Some OOhsem partners may install personal in-vehicle cameras in their vehicles for their own purposes (including safety and security). The use of such in-vehicle cameras is not endorsed or prohibited by OOhsem. The collection, use and disclosure of Personal Data obtained from personal in-vehicle cameras is the responsibility of the relevant partner. Please check with the relevant partner if you have any queries about their use of personal in-vehicle cameras.
OOhsem works with some partners (including, but not limited to, Toyota and Hyundai) to install telematics devices in selected rental vehicles for the following purposes:
- To ensure that the vehicle is maintained appropriately and serviced in a timely fashion;
- To help maintain the safety, security and integrity of our products and services;
- To improve and enhance our products and services; and
- For internal tracking of the vehicle, analysis and administrative purposes.
If you are a driver partner, these devices will collect telematics data (such as your speed, acceleration, and braking data) and your location information. If you are a passenger onboard one of our vehicles fitted with these devices, your location data (i.e. the position of the car) will be incidentally collected as well. The data collected by these devices are owned by these partners who have entered into appropriate contractual undertakings with OOhsem to safeguard this data. While these partners share such telematics data with us (to enable us to fulfil the purposes stated above), we do not share any personally identifying information about our driver partners or passengers with these partners.
Personal Data of minors
As a parent or legal guardian, please do not allow minors under your care to submit Personal Data to OOhsem. In the event that such Personal Data of a minor is disclosed to OOhsem, you hereby consent to the processing of the minor’s Personal Data and accept and agree to be bound by this Policy and take responsibility for his or her actions.
When you provide Personal Data of other individuals to us
In some situations, you may provide Personal Data of other individuals (such as your spouse, family members or friends) to us. For example, you may add them as your emergency contact. If you provide us with their Personal Data, you represent and warrant that you have obtained their consent for their Personal Data to be collected, used and disclosed as set out in this Policy.
II. USE OF PERSONAL DATA
OOhsem may use, combine and process your Personal Data for the following purposes (“Purposes”):
Providing services and features
Your Personal Data will be used to provide, personalise, maintain and improve our Apps, Websites and Services. This includes using your Personal Data to:
- provide you with Services across our various business verticals;
- engage you to provide Services;
- create, administer and update your account;
- conduct due diligence checks;
- verify your identity;
- verify your age (where necessary);
- validate your ride and process payments;
- offer, obtain, provide, facilitate or maintain insurance or financing solutions;
- track the progress of your trip and detect abnormal trip variations;
- enable features that personalise your App, such as lists of your favourite places and previous destinations;
- make your experience more seamless, such as automatically filling in your registration information (such as your name or phone number) from one Service to another Service or when you participate in our surveys;
- perform internal operations necessary to provide our Services, including troubleshooting software bugs and operational problems, conducting data analysis, testing and research, monitoring and analysing usage and activity trends;
- protect the security or integrity of the Services and any facilities or equipment used to make the Services available;
- process and manage your rewards;
- enable communications between our users;
- process, manage or verify your application of promotions, rewards and subscriptions with OOhsem;
- enable our partners to manage and allocate fleet resources; and
- fulfil the services to you as a data processor, where you have provided consent to the data controller (i.e. the organisation you had purchased goods or services from, and for whom OOhsem is providing services on behalf of) for such services to be rendered.
Safety and security
We use your data to ensure the safety and security of our Services and all users. This includes:
- screening driver and delivery partners before enabling their use of our Services;
- identifying unsafe driving behaviour such as speeding, harsh braking and acceleration, and providing personalised feedback to driver partners;
- verifying your identity when you log in to OOhsem;
- using device, location, profile, usage and other Personal Data to prevent, detect and combat fraud or unsafe activities;
- sharing drivers and passengers’ location and details when the emergency button or the “Share My Ride” feature is activated;
- monitoring compliance with our terms and conditions, policies and Driver’s Code of Conduct; and
- detecting, preventing and prosecuting crime.
We use Personal Data to resolve customer support issues. For example, we may:
- investigate and address concerns;
- monitor and improve our customer support responses;
- respond to questions, comments and feedback; and
- inform you about steps taken to resolve customer support issues.
Research and development and security
We may use the Personal Data we collect for testing, research, analysis and product development. This allows us to understand and analyse your needs and preferences, protect your Personal Data, improve and enhance the safety and security of our Services, develop new features, products and services, and facilitate insurance and finance solutions.
We may use the Personal Data we collect to investigate and resolve claims or disputes, or as allowed or required by applicable law.
We may also use your Personal Data when we are required, advised, recommended, expected or requested to do so by our legal advisors or any local or foreign legal, regulatory, governmental or other authority.
For example, we may use your Personal Data to:
- comply with court orders or other legal, governmental or regulatory requirements;
- enforce our Terms of Service or other agreements; and
- protect our rights or property in the event of a claim or dispute.
We may also use your Personal Data in connection with mergers, acquisitions, joint ventures, sale of company assets, consolidation, restructuring, financing, business asset transactions, or acquisition of all or part of our business by another company.
Marketing and promotions
We may use your Personal Data to market OOhsem and OOhsem’s partners’, sponsors’ and advertisers’ products, services, events or promotions. For example, we may:
- send you alerts, newsletters, updates, mailers, promotional materials, special privileges, festive greetings; and
- notify, invite and manage your participation in our events or activities.
We may communicate such marketing to you by post, telephone call, short message service, online messaging service, push notification by hand and by email.
If you wish to unsubscribe to the processing of your Personal Data for marketing and promotions, please click on the unsubscribe link in the relevant email or message. Alternatively, you may also update your preferences in our App settings.
III. DISCLOSURE OF PERSONAL DATA
We need to share Personal Data with various parties for the Purposes. These parties include:
- If you are a passenger, we may share your pick-up and drop-off locations with our driver partner fulfilling your service request.
- If you are a driver partner, we may share your Personal Data with your passenger including your name and photo; your vehicle make, model, number plate, location and average rating.
- If you are a delivery partner, we may share your Personal Data with your selected merchant and user, including your name and photo; your vehicle make, model, location and average rating.
- If you are using our OOhsemDelivery service, we may share your Personal Data with the recipient of your parcel, and vice versa, as well as the delivery partner in charge of fulfilling your service request.
- If you use our in-app chat service, we may share your mobile number and OOhsem -registered name with the other parties to your chat.
With third parties
For example, we may share a vehicle’s location and driver’s and/or passenger’s name with third parties when a passenger uses the “Share My Ride” feature or activates the Emergency Button.
With OOhsem partners at your request
For example, if you requested a service through a OOhsem partner or used a promotion provided by a OOhsem partner, OOhsem may share your Personal Data with that OOhsem partners. Our partners include partners that integrate with our App or our App integrates with, vehicle services partners, or business partners which OOhsem collaborates with to deliver a promotion, competition or other specialised service.
With the owner of OOhsem accounts that you may use
For example, your employer may receive trip data when you use your employer’s OOhsem for Business account.
With subsidiaries and affiliates
We share Personal Data with our subsidiaries, associated companies, jointly controlled entities and affiliates.
With OOhsem’s service providers and business partners
We may provide Personal Data to our vendors, consultants, marketing partners, research firms, and other service providers or business partners. This includes:
- payment processors and facilitators;
- debt collectors;
- credit bureaus and other credit reporting agencies;
- background check and anti-money laundering service providers;
- cloud storage providers;
- marketing partners and marketing platform providers;
- data analytics providers;
- research partners, including those performing surveys or research projects in partnership with OOhsem or on OOhsem’s behalf;
- fleet and merchant partners;
- insurance and financing partners;
- third party intermediaries involved in the managed investment of funds, such as brokers, asset managers, and custodians;
- service providers who perform identity verification services; and
- vehicle solutions partners, vendors or third-party vehicle suppliers.
With our legal advisors and governmental authorities
We may share your Personal Data with our legal advisors, law enforcement officials, government authorities and other third parties. This may take place to fulfil the legal purposes (mentioned above), or any of the following circumstances:
- where it is necessary to respond to an emergency that threatens the life, health or safety of a person; or
- where it is necessary in the public interest (e.g. in a public health crisis, for contact tracing purposes and safeguarding our community).
IV. RETENTION OF PERSONAL DATA
We retain your Personal Data for the period necessary to fulfill the Purposes outlined in this Policy unless a longer retention period is required or allowed by law. Once your Personal Data is no longer necessary for the Services or Purposes, or we no longer have a legal or business purpose for retaining your Personal Data, we take steps to erase, destroy, anonymise or prevent access or use of such Personal Data for any purpose other than compliance with this Policy, or for purposes of safety, security, fraud prevention and detection, in accordance with the requirements of applicable laws.
V. INTERNATIONAL TRANSFERS OF PERSONAL DATA
Your Personal Data may be transferred from country, state and city (“Home Country”) in which you are present while using our Services to another country, state and city (“Alternate Country”).
When we transfer your Personal Data from your Home Country to the Alternate Country, we will comply with our legal and regulatory obligations in relation to your Personal Data, including having a lawful basis for transferring Personal Data and putting appropriate safeguards in place to ensure an adequate level of protection for the Personal Data. We will also ensure that the recipient in Alternate Country is obliged to protect your Personal Data at a standard of protection comparable to the protection under applicable laws.
Our lawful basis will be either consent (i.e. we may ask for your consent to transfer your Personal Data from your Home Country to the Alternate Country at the time you provide your Personal Data) or one of the safeguards permissible by laws.
VI. COOKIES AND ADVERTISING ON THIRD PARTY PLATFORMS
Additionally, we may share non-personally identifiable Personal Data with third parties, such as location data, advertising identifiers, or a cryptographic hash of a common account identifier (such as an email address), to facilitate the display of targeted advertising on third party platforms.
If you do not wish for your Personal Data to be collected via Cookies on the Websites, you may deactivate cookies by adjusting your internet browser settings to disable, block or deactivate cookies, by deleting your browsing history and clearing the cache from your internet browser. You may also limit our sharing of some of this Personal Data through your App (Settings > Privacy > Ads) and mobile device settings.
VII. PROTECTION OF PERSONAL DATA
We will take reasonable legal, organisational and technical measures to ensure that your Personal Data is protected. This includes measures to prevent Personal Data from getting lost, or used or accessed in an unauthorised way. We limit access to your Personal Data to our employees on a need to know basis. Those processing your Personal Data will only do so in an authorised manner and are required to treat your information with confidentiality.
Nevertheless, please understand that the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted through any online means, therefore, any transmission remains at your own risk.
VIII. YOUR RIGHTS WITH RESPECT TO YOUR PERSONAL DATA
In accordance with applicable laws and regulations, you may be entitled to:
- ask us about the processing of your Personal Data, including to be provided with a copy of your Personal Data;
- request the correction and/or (in some cases) deletion of your Personal Data;
- in some cases, request the restriction of the processing of your Personal Data, or object to that processing;
- withdraw your consent to the processing of your Personal Data (where we are processing your Personal Data based on your consent);
- request receipt or transmission to another organisation, in a machine-readable form, of the Personal Data that you have provided to us where we are using your Personal Data based on consent or performance of a contract; and
- complain to the relevant data privacy authority if your data privacy rights are violated, or if you have suffered as a result of unlawful processing of your Personal Data.
Where you are given the option to share your Personal Data with us, you can always choose not to do so. If we have requested your consent to processing and you later choose to withdraw it, we will respect that choice in accordance with our legal obligations.
However, choosing not to share your Personal Data with us or withdrawing your consent to our use of it could mean that we are unable to perform the actions necessary to achieve the purposes of processing described in Section II (Use of Personal Data) or that you are unable to make use of the Services. After you have chosen to withdraw your consent, we may be able to continue to process your Personal Data to the extent required or otherwise permitted by applicable laws and regulations.
If you wish to make a request to exercise your rights, you can contact us through our contact details set out in Section X (How to Contact Us) below.
We will screen and verify all requests beforehand. In order to verify your authority to make the request, we may require you to provide supporting information or documentation to corroborate the request.
Once verified, we will give effect to your request within the timelines prescribed by applicable laws.
IX. AMENDMENTS AND UPDATES
OOhsem shall have the right to modify, update or amend the terms of this Policy at any time by placing the updated Policy on the Websites. By continuing to use the Apps, Websites or Services, purchase products from OOhsem or continuing to communicate or engage with OOhsem following the modifications, updates or amendments to this Policy, you signify your acceptance of such modifications, updates or amendments.
X. HOW TO CONTACT US
If you have any queries about this Policy or would like to exercise your rights set out in this Policy, please contact our Data Protection Officer at:
OOhsem Data Protection Officer
c/o SMH DIGITAL SDN. BHD.
The original of this Policy is written in the English language. In the event of any conflict between the English and other language versions, the English version shall prevail.
ADDENDUM 1: OOHSEM FOR BUSINESS
II. OOHSEM’S RELATIONSHIP WITH USERS AND CLIENTS
How OOhsem for Business works
OOhsem for Business is provided as an add-on feature to facilitate corporate billing for the Authorised Users’ use of OOhsem’s Services in the course of work.
As part of this feature, OOhsem will disclose detailed trip and booking information that Authorised Users have tagged as being for business purposes to the Client. Apart from this, OOhsem does not disclose other Personal Data of its Authorised Users to the Client.
Alternatively, an individual user may choose to set up a business profile within the App to facilitate the tagging of business-related rides and to generate consolidated trip reports to facilitate the submission of claims from his or her employer. When used in this mode, the claims process is user-driven and the user’s employer need not be a Client.
For ease of reference, Authorised Users and individual users will each be referred to as a “User” and collectively as “Users” in this Addendum.
OOhsem is a data controller, so are our Clients
Due to the way OOhsem for Business works, OOhsem does not process any Personal Data for and on behalf of the Client. Accordingly, OOhsem is not the data processor of the Client, but an independent data controller in respect of all Personal Data that it processes in the course of providing the OOhsem for Business feature. Likewise, the Client is an independent data controller of the Personal Data (e.g. the Linking Data and Portal Data) that it discloses to and/or receives from OOhsem.
III. WHAT PERSONAL DATA IS COLLECTED, PROCESSED AND DISCLOSED
What OOhsem collects as part of OOhsem for Business
In order to provide the OOhsem for Business feature, the individual user or the Client will be required to provide the following information about the Authorised User to OOhsem:
- full name;
- business email address; and
- other identifying information about the Authorised User as reasonably requested by OOhsem.
OOhsem will use this information for the purposes of:
- authenticating the User;
- where applicable, linking the Authorised User’s account with the Client’s OOhsem for Business account or tracking the Authorised User’s business profile bookings on the Apps, as the case may be;
- where applicable, verifying the Corporate Billing status of such Authorised User from time to time; and
What OOhsem discloses to its Clients
OOhsem will disclose relevant trip and booking information as determined by OOhsem from time to time to the Client to facilitate Corporate Billing.
What OOhsem discloses to its individual user
Depending on the business profile settings selected by the individual user, the user may retrieve and generate reports containing his/her relevant trip and booking information.
IV. PARTIE’S OBLIGATIONS
The Client and OOhsem shall each:
- individually inform their data subjects of how each processes Personal Data and allow their data subjects to exercise their rights under the local data protection/data privacy laws;
- comply with the obligations applicable to each party under the applicable data protection/data privacy laws when processing any Personal Data of the Proposed or Authorised Users;
- obtain the necessary consents (if applicable) to facilitate the provision of the OOhsem for Business feature; and
- implement appropriate legal, technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against unauthorised loss, destruction, damage, alteration, or disclosure, as well as any breach or attempted breach of each party’s security measures (“Information Security Incident”).