About GDPR

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also governs the transfer of personal data outside the EU/EEA. Since 2025, the GDPR Enforcement Procedure Regulation (Regulation (EU) 2024/2217) has streamlined how data protection authorities cooperate on cross-border cases, ensuring faster and more consistent enforcement.

VoltVerse acts as the data controller for the personal data you provide when using our platform. We are committed to processing your data lawfully, fairly, and transparently, and to upholding your rights under GDPR.

Legal Basis for Processing

We process personal data only where a valid legal basis under GDPR Article 6 applies:

  • Performance of a Contract

    To provide your account, charging services, marketplace orders, and premium features.

  • Consent

    For marketing communications, web push notifications, non-essential cookies, and optional profiling.

  • Legitimate Interests

    For fraud prevention, IT security, service improvement, and enforcing our Terms and Conditions.

  • Legal Obligation

    To comply with tax, consumer protection, and product safety laws, including the Digital Services Act and General Product Safety Regulation.

Your Rights Under GDPR

Right to Access

Access all your personal data through our export data feature. Export is available in JSON format and includes profile, vehicles, charging sessions, posts, messages, marketplace activity, and more.

Right to Rectification

Update your information at any time through your profile settings. All changes are logged with timestamps for security.

Right to Erasure

Request account deletion through our delete account page. We will process your request in line with our retention policy and applicable legal obligations.

Right to Restrict Processing

Contact our Data Protection Officer to request restrictions on certain data processing activities, for example while a dispute is being resolved.

Right to Data Portability

Export your data in a machine-readable JSON format. Under the EU Data Act (Regulation (EU) 2023/2854), you may also request direct transfer of certain data to another service where technically feasible.

Right to Object

Opt out of marketing communications and object to automated decision-making, including profiling, in your account settings and consent centre.

Our Data Protection Principles

  • Lawful, Fair, and Transparent Processing

    We process personal data lawfully, fairly, and in a transparent manner.

  • Purpose Limitation

    We collect personal data for specified, explicit, and legitimate purposes only.

  • Data Minimization

    We only collect data that is adequate, relevant, and limited to what is necessary.

  • Accuracy

    We ensure personal data is accurate and kept up to date.

  • Storage Limitation

    We keep personal data only as long as necessary for the purposes collected.

  • Integrity & Confidentiality

    We implement appropriate security measures to protect personal data.

  • Accountability

    We take responsibility for complying with these principles and can demonstrate our compliance.

Security Measures

Encryption

• Data at rest: AES-256 encryption

• Data in transit: TLS 1.3 with perfect forward secrecy

• End-to-end encryption for sensitive communications

Access Control

• Role-based access control (RBAC) with least privilege

• Multi-factor authentication for administrative access

• Just-in-time access provisioning

Infrastructure Security

• Regular vulnerability scanning (weekly)

• Web Application Firewall (WAF) protection

• DDoS protection and rate limiting

Development Security

• Secure coding standards (OWASP Top 10)

• Automated dependency scanning

• Code review requirements for security changes

External Services

Open Charge Map

We use Open Charge Map to provide you with accurate charging station information.

Data Shared
  • Approximate user location (coordinates)

Data Received
  • Charging station details including location
  • Availability information
  • Technical specifications

Privacy & Security
  • Location data is not stored long-term and is only used for real-time queries
  • Data Processing Agreement in place with Open Charge Map

Payment Providers (Stripe/PayPal)

We use secure payment providers for premium memberships and marketplace transactions. Raw payment details are never stored on our servers.

Data Security
  • Payment tokens only (no raw card data)
  • PCI-DSS compliant processing
  • Secure tokenization

Retention
  • Transaction tokens for billing history
  • 7 years for financial records (legal compliance)

Web Push Notification Services

We use web push services to deliver notifications to your devices with your explicit consent.

Data Shared
  • Subscription endpoints
  • Encryption keys (P256dh, Auth)

Privacy
  • Browser-level permission control
  • Data retained until unsubscribed
  • In-app granular preferences

Automated Decision-Making and AI

Some platform features use automated systems to help keep VoltVerse safe and relevant. Under the EU AI Act (Regulation (EU) 2024/1689), we are committed to transparency and human oversight where AI systems are used.

Content Moderation Assistance

Automated tools may flag or prioritise user-generated content for human review, for example to detect spam, prohibited content, or policy violations. Final moderation decisions are made by humans.

Recommendations and Ranking

Marketplace and community content may be ranked using algorithms based on popularity, relevance, and your preferences. You can manage personalisation settings in your account.

Your Rights

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects, unless it is necessary for a contract, authorised by law, or based on your explicit consent.

How to Object

To request human review, challenge an automated decision, or turn off personalisation, contact our Data Protection Officer or use your account settings.

Data Breach Protocol

Our Response Process

In the event of a personal data breach, we follow a strict protocol in line with GDPR Articles 33 and 34:

  • Detection & Assessment: 24/7 monitoring with initial assessment within 2 hours
  • Containment: Immediate isolation of affected systems
  • Notification: Supervisory authorities notified without undue delay and, where feasible, within 72 hours
  • Remediation: Full investigation, root-cause analysis, and security enhancements

Affected users will be notified without undue delay when there is a high risk to their rights and freedoms.

International Data Transfers

Your personal data is primarily processed within the European Union and the European Economic Area. When we transfer data outside the EU/EEA, for example to payment providers, hosting infrastructure, or analytics services, we ensure an adequate level of protection through:

  • Adequacy decisions adopted by the European Commission (where available)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules (where applicable)
  • Other legally recognised transfer safeguards

You may request a copy of the safeguards we use by contacting our Data Protection Officer.

Cookies and Similar Technologies

We use cookies and similar technologies in accordance with the ePrivacy Directive and national cookie laws. Our consent banner allows you to choose which categories of cookies you accept, including:

  • Essential cookies — required for the platform to function and cannot be disabled.
  • Functional cookies — remember your preferences and improve your experience.
  • Analytics cookies — help us understand how the platform is used.
  • Marketing cookies — used to deliver relevant advertisements and measure their effectiveness.

You can update your cookie preferences at any time via the consent banner or your account settings.

Children's Privacy

VoltVerse is not directed at children under 16. If you are between 13 and 16 years old, you may use the platform only with the consent of a parent or guardian. We do not knowingly collect personal data from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly.

Your Right to Complain

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available from the European Data Protection Board.

Contact Us

If you wish to exercise any of these rights or have questions about our data protection practices, please contact our Data Protection Officer:

Phone: Available on request via email
Mailing Address: Available on request via email

Note: We may need to verify your identity before processing certain requests to ensure the security of your personal data. We aim to respond to GDPR requests within one month, which may be extended by two further months for complex requests.

Data Retention Policy

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, and reporting requirements. The table below sets out typical retention periods.

Data Category | Retention Period | Legal Basis / Reason
Account Information | Until account deletion is completed | Performance of contract
User Content (Posts, Comments) | Until account deletion or 3 years after last activity | User-generated content / Legitimate interest
Direct Messages | Until account deletion or 2 years after last activity | Communication history / Legitimate interest
Vehicle Information | Until account deletion | Core service functionality
Charging Sessions | Until account deletion or 3 years after creation | User history and analytics
Marketplace Listings and Orders | 7 years after order completion | Legal and tax compliance / P2B Regulation
Push Notification Subscriptions | Until unsubscribed | Consent
Consent Preferences | Until account deletion or 5 years after last update | Compliance & evidence of consent
Server Logs | 90 days | Security & debugging
API Request Logs | 90 days | Security & rate limiting
Moderation Reports and Appeals | 3 years after resolution | Digital Services Act / Legal compliance
Exported Data Files | 7 days from creation | Temporary download availability
Financial Records | 7 years | Legal & tax compliance
Anonymized Analytics | Indefinite | Service improvement (no PII)
IP Addresses | 30 days (anonymized after) | Security & fraud prevention

Last Updated: June 26, 2026