About GDPR
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also governs the transfer of personal data outside the EU/EEA. Since 2025, the GDPR Enforcement Procedure Regulation (Regulation (EU) 2024/2217) has streamlined how data protection authorities cooperate on cross-border cases, ensuring faster and more consistent enforcement.
VoltVerse acts as the data controller for the personal data you provide when using our platform. We are committed to processing your data lawfully, fairly, and transparently, and to upholding your rights under GDPR.
Legal Basis for Processing
We process personal data only where a valid legal basis under GDPR Article 6 applies:
- Performance of a Contract: To provide your account, charging services, marketplace orders, and premium features.
- Consent: For marketing communications, web push notifications, non-essential cookies, and optional profiling.
- Legitimate Interests: For fraud prevention, IT security, service improvement, and enforcing our Terms and Conditions.
- Legal Obligation: To comply with tax, consumer protection, and product safety laws, including the Digital Services Act and General Product Safety Regulation.
Your Rights Under GDPR
Right to Access
Access all your personal data through our export data feature. Export is available in JSON format and includes profile, vehicles, charging sessions, posts, messages, marketplace activity, and more.
Right to Rectification
Update your information at any time through your profile settings. All changes are logged with timestamps for security.
Right to Erasure
Request account deletion through our delete account page. We will process your request in line with our retention policy and applicable legal obligations.
Right to Restrict Processing
Contact our Data Protection Officer to request restrictions on certain data processing activities, for example while a dispute is being resolved.
Right to Data Portability
Export your data in a machine-readable JSON format. Under the EU Data Act (Regulation (EU) 2023/2854), you may also request direct transfer of certain data to another service where technically feasible.
Right to Object
Opt out of marketing communications and object to automated decision-making, including profiling, in your account settings and consent centre.
Our Data Protection Principles
- Lawful, Fair, and Transparent Processing: We process personal data lawfully, fairly, and in a transparent manner.
- Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes only.
- Data Minimization: We only collect data that is adequate, relevant, and limited to what is necessary.
- Accuracy: We ensure personal data is accurate and kept up to date.
- Storage Limitation: We keep personal data only as long as necessary for the purposes collected.
- Integrity & Confidentiality: We implement appropriate security measures to protect personal data.
- Accountability: We take responsibility for complying with these principles and can demonstrate our compliance.
Security Measures
Encryption
• Data at rest: AES-256 encryption
• Data in transit: TLS 1.3 with perfect forward secrecy
• End-to-end encryption for sensitive communications
Access Control
• Role-based access control (RBAC) with least privilege
• Multi-factor authentication for administrative access
• Just-in-time access provisioning
Infrastructure Security
• Regular vulnerability scanning (weekly)
• Web Application Firewall (WAF) protection
• DDoS protection and rate limiting
Development Security
• Secure coding standards (OWASP Top 10)
• Automated dependency scanning
• Code review requirements for security changes
External Services
Open Charge Map
We use Open Charge Map to provide you with accurate charging station information.
Data Shared
- Approximate user location (coordinates)
Data Received
- Charging station details including location
- Availability information
- Technical specifications
Privacy & Security
- Location data is not stored long-term and is only used for real-time queries
- Data Processing Agreement in place with Open Charge Map
Payment Providers (Stripe/PayPal)
We use secure payment providers for premium memberships and marketplace transactions. Raw payment details are never stored on our servers.
Data Security
- Payment tokens only (no raw card data)
- PCI-DSS compliant processing
- Secure tokenization
Retention
- Transaction tokens for billing history
- 7 years for financial records (legal compliance)
Web Push Notification Services
We use web push services to deliver notifications to your devices with your explicit consent.
Data Shared
- Subscription endpoints
- Encryption keys (P256dh, Auth)
Privacy
- Browser-level permission control
- Data retained until unsubscribed
- In-app granular preferences
Automated Decision-Making and AI
Some platform features use automated systems to help keep VoltVerse safe and relevant. Under the EU AI Act (Regulation (EU) 2024/1689), we are committed to transparency and human oversight where AI systems are used.
Content Moderation Assistance
Automated tools may flag or prioritise user-generated content for human review, for example to detect spam, prohibited content, or policy violations. Final moderation decisions are made by humans.
Recommendations and Ranking
Marketplace and community content may be ranked using algorithms based on popularity, relevance, and your preferences. You can manage personalisation settings in your account.
Your Rights
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects, unless it is necessary for a contract, authorised by law, or based on your explicit consent.
How to Object
To request human review, challenge an automated decision, or turn off personalisation, contact our Data Protection Officer or use your account settings.
Data Breach Protocol
Our Response Process
In the event of a personal data breach, we follow a strict protocol in line with GDPR Articles 33 and 34:
- Detection & Assessment: 24/7 monitoring with initial assessment within 2 hours
- Containment: Immediate isolation of affected systems
- Notification: Supervisory authorities notified without undue delay and, where feasible, within 72 hours
- Remediation: Full investigation, root-cause analysis, and security enhancements
Affected users will be notified without undue delay when there is a high risk to their rights and freedoms.
International Data Transfers
Your personal data is primarily processed within the European Union and the European Economic Area. When we transfer data outside the EU/EEA, for example to payment providers, hosting infrastructure, or analytics services, we ensure an adequate level of protection through:
- Adequacy decisions adopted by the European Commission (where available)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (where applicable)
- Other legally recognised transfer safeguards
You may request a copy of the safeguards we use by contacting our Data Protection Officer.
Cookies and Similar Technologies
We use cookies and similar technologies in accordance with the ePrivacy Directive and national cookie laws. Our consent banner allows you to choose which categories of cookies you accept, including:
- Essential cookies — required for the platform to function and cannot be disabled.
- Functional cookies — remember your preferences and improve your experience.
- Analytics cookies — help us understand how the platform is used.
- Marketing cookies — used to deliver relevant advertisements and measure their effectiveness.
You can update your cookie preferences at any time via the consent banner or your account settings.
Children's Privacy
VoltVerse is not directed at children under 16. If you are between 13 and 16 years old, you may use the platform only with the consent of a parent or guardian. We do not knowingly collect personal data from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly.
Your Right to Complain
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available from the European Data Protection Board.
Contact Us
If you wish to exercise any of these rights or have questions about our data protection practices, please contact our Data Protection Officer:
Data Retention Policy
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, and reporting requirements. The table below sets out typical retention periods.
| Data Category | Retention Period | Legal Basis / Reason |
|---|---|---|
| Account Information | Until account deletion is completed | Performance of contract |
| User Content (Posts, Comments) | Until account deletion or 3 years after last activity | User-generated content / Legitimate interest |
| Direct Messages | Until account deletion or 2 years after last activity | Communication history / Legitimate interest |
| Vehicle Information | Until account deletion | Core service functionality |
| Charging Sessions | Until account deletion or 3 years after creation | User history and analytics |
| Marketplace Listings and Orders | 7 years after order completion | Legal and tax compliance / P2B Regulation |
| Push Notification Subscriptions | Until unsubscribed | Consent |
| Consent Preferences | Until account deletion or 5 years after last update | Compliance & evidence of consent |
| Server Logs | 90 days | Security & debugging |
| API Request Logs | 90 days | Security & rate limiting |
| Moderation Reports and Appeals | 3 years after resolution | Digital Services Act / Legal compliance |
| Exported Data Files | 7 days from creation | Temporary download availability |
| Financial Records | 7 years | Legal & tax compliance |
| Anonymized Analytics | Indefinite | Service improvement (no PII) |
| IP Addresses | 30 days (anonymized after) | Security & fraud prevention |