Privacy Policy

1. Introduction

Fusion Link ("we", "us", or "our") operates a B2B chauffeur marketplace platform connecting professional drivers with ground transportation vendors in Italy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website and mobile applications.

This policy addresses our obligations under the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Codice in materia di protezione dei dati personali (Legislative Decree 196/2003, as amended) (Italy). Where we operate in additional jurisdictions, this policy will be updated to reflect applicable local requirements.

Your use of the platform is also governed by our Terms of Service.

2. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our compliance with applicable data protection laws. For any questions about how we handle your personal data, or to exercise your data protection rights, you may contact our DPO at:

3. Information We Collect

3.1 Account Information

When you register for an account, we collect:

• Full name and contact details
• Phone number (used for authentication via OTP verification)
• Email address
• Profile photo
• Driver-specific information: driving licence details, vocational licence details, vehicle information, and identity documents
• Bank account and instant-pay details for payment processing

3.2 Location Data

We collect GPS location data when you are actively using the platform to perform jobs. Location data is used for job verification, checkpoint tracking, and ensuring accurate service delivery records. Location tracking is only active during job execution and is not collected in the background when you are not on an active job.

3.3 Photos and Media

We collect photos taken through the platform for job checkpoint verification (e.g., proof of pickup and drop-off). These images may include GPS metadata and timestamps embedded as watermarks. Images are stored securely on Cloudflare R2 storage infrastructure with encryption at rest and in transit.

3.4 Device Information

We automatically collect certain device information, including device type, operating system, browser type, and push notification tokens for delivering service notifications.

3.5 Usage Data

We collect information about how you interact with the platform, including pages visited, features used, job history, and timestamps of activity.

4. How We Use Your Information

We use your personal data for the purposes listed below. For each purpose, the legal basis on which we rely (for users in GDPR/UK GDPR/Swiss FADP jurisdictions) is shown in brackets:

• Authenticate your identity and manage your account [contractual necessity]
• Facilitate job matching between drivers and vendors [contractual necessity]
• Verify job completion through GPS location and photo evidence [contractual necessity; legitimate interests in fraud prevention and dispute resolution]
• Send transactional push notifications about job assignments and status updates [contractual necessity]
• Process wallet transactions and maintain financial records [contractual necessity; legal obligation for tax and bookkeeping retention]
• Improve, develop, and optimise the platform, its features, and related products and services by analysing aggregated, de-identified, or pseudonymised usage data [legitimate interests]
• Conduct analytics, research, statistical analysis, quality assurance, and evaluation of internal tooling on aggregated or de-identified data [legitimate interests]
• Comply with legal, regulatory, and tax obligations and resolve disputes [legal obligation; legitimate interests]
• Defend Fusion Link in any claim, investigation, or regulatory action, including by retaining and producing records as evidence [legitimate interests in establishing, exercising, or defending legal claims]
• Ensure the security and integrity of the platform and prevent fraud [legitimate interests; legal obligation where applicable]

Photographs and trip evidence. Checkpoint photos may incidentally capture identifiable individuals. We process these images strictly for verification, fraud prevention, and dispute resolution as described above; we do not use them for biometric identification or facial recognition. Where any image, document, or data could constitute a special category of personal data under Art. 9 GDPR (or equivalent), we rely on your explicit consent given at registration and on the necessity of processing for the establishment, exercise, or defence of legal claims.

Automated decisions. Some decisions on the Platform — including initial job-matching between drivers and vendors, and routine fraud-risk scoring of transactions — may be made on a solely automated basis within the meaning of Art. 22 GDPR. Such automated processing is necessary for entering into and performing the marketplace contract you have with us (Art. 22(2)(a) GDPR). You have the right to obtain human intervention, to express your point of view, and to contest any such decision by contacting our Data Protection Officer using the details in Section 2. Decisions with material consequence to your account (suspension, termination, dispute outcomes) are reviewed by a human before taking effect.

5. Legal Basis and Consent

We process your personal data on the following legal bases:

• Consent: We obtain your consent before collecting and processing your personal data during account registration. You may withdraw consent at any time, subject to legal and contractual restrictions.
• Contractual necessity: Certain data processing is necessary to provide the services you have requested, such as job matching, payment processing, and checkpoint verification.
• Legitimate interests: We may process data to improve our services, prevent fraud, and ensure platform security, where these interests do not override your data protection rights.
• Legal obligations: We process data as required by applicable law, including financial record-keeping and regulatory compliance.

6. Data Sharing

We may share your information with:

• Vendors: When a driver accepts a job, relevant driver information (name, contact details, vehicle information) is shared with the assigning vendor to facilitate service delivery.
• Service Providers: We use third-party services including Google Cloud Platform (Firebase) for authentication and data storage, Cloudflare R2 for media storage, Twilio for OTP verification, Stripe for payment processing, and Sentry for crash reporting and error monitoring. Sentry may receive technical diagnostic data including device information, IP address, and user identifiers to help us identify and resolve application errors. These providers process data on our behalf under strict contractual obligations.
• Legal Requirements: We may disclose information when required by law, regulation, or legal process, or to protect the rights, property, or safety of Fusion Link, our users, or others.

We do not sell your personal data to third parties.

7. Cross-Border Data Transfers

Your personal data may be transferred to, stored, and processed in countries outside of your country of residence, including but not limited to the United States, as part of our use of cloud infrastructure providers. Specifically:

• Google Cloud Platform (Firebase): Account data, authentication records, and application data are stored on Google Cloud infrastructure.
• Cloudflare R2:Photos and media files are stored on Cloudflare's globally distributed storage network.
• Twilio: Phone numbers are processed for OTP delivery.
• Stripe: Payment card details and transaction data are processed for customer booking payments.
• Sentry: Crash reports and error diagnostics, which may include device information, IP address, and user identifiers, are processed for application stability monitoring.

We ensure that cross-border transfers are protected by appropriate safeguards, including (as applicable to the destination and the data subject):

• The European Commission's Standard Contractual Clauses (SCCs, Commission Decision 2021/914) for transfers from the EEA
• The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs for transfers from the United Kingdom
• The Swiss SCC addendum approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) for transfers from Switzerland
• Reliance on a recipient's certification under the EU-US Data Privacy Framework (DPF), UK Extension to the DPF, or Swiss-US DPF where the recipient (such as Google Cloud, Cloudflare, Stripe, or Sentry) is certified
• Transfer Impact Assessments (TIAs) where required by EDPB Recommendations 01/2020
• Contractual data-processing agreements (Art. 28 GDPR) with all third-party providers
• Encryption of data in transit (TLS) and at rest
• Access controls ensuring only authorised personnel can access personal data

For Italy users: Cross-border transfers of personal data outside the European Economic Area are made only on the basis of Adequacy Decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules under Chapter V of the GDPR, ensuring an essentially equivalent level of protection.

8. Data Retention

We retain your personal data for as long as is reasonably necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law, by a contractual obligation, or for legitimate business purposes such as fraud prevention, dispute resolution, enforcement of our Terms, or tax, accounting, and regulatory compliance. The specific retention period for any category of data depends on the nature of the data, the purpose for which it is processed, the risk of harm from unauthorised disclosure, and the applicable legal and regulatory retention requirements in the jurisdictions where we operate.

When you delete your account, we will take reasonable steps to remove or anonymise your personal data without undue delay and in any event within one (1) month of receiving your request (extendable by up to two further months for complex requests, with notice and reasons), except where retention is required or permitted as described above.

9. Data Security

We take reasonable technical and organisational measures to protect your personal data, including encryption in transit (TLS) and at rest, Firebase Auth with phone OTP, role-based access controls enforced at the database level, isolated per-user media folders on Cloudflare R2, and rate limiting on API endpoints. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for any activity that occurs under your account.

10. Data Breach Notification

In the event of a data breach that affects your personal data, we will take the following steps:

• Assessment: We will promptly assess the scope and impact of the breach.
• Containment: We will take immediate steps to contain the breach and prevent further unauthorised access.
• Notification (Italy): In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Garante per la protezione dei dati personali without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. Affected individuals will be informed where the breach is likely to result in a high risk.

11. Your Rights

All Users

Regardless of your jurisdiction, you have the right to:

• Access your personal data that we hold
• Correct inaccurate or incomplete personal data
• Delete your account and associated personal data
• Withdraw consent for data processing, subject to legal and contractual restrictions

To exercise any of these rights, please contact our Data Protection Officer using the details in Section 2. We will respond to your request without undue delay and in any event within one (1) month of receipt. Where the request is complex or where we receive a high volume of requests, we may extend this period by up to two further months and will notify you of any extension and the reasons within the initial one-month period.

You can also self-serve a copy of your data or permanently delete your account from your privacy controls.

12. Children's Privacy

Fusion Link is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete that information promptly.

13. Push Notifications

We use push notifications to inform you about job assignments, status updates, and important platform announcements. You can manage your notification preferences through your device settings at any time.

14. Changes to This Policy

We may amend, update, or replace this Privacy Policy at any time, in our sole discretion, with or without prior notice. The current version and its effective date are shown at the top of this page. It is your responsibility to review this Privacy Policy periodically for changes. Your continued use of the platform after any change constitutes your acceptance of the updated policy. If you do not agree to any change, your sole and exclusive remedy is to stop using the platform and close your account.

15. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

Regulatory authorities:

• Italy: Garante per la protezione dei dati personali (Garante) — www.garanteprivacy.it