This Privacy Statement aims to clarify what personal data we process, why we process it, who receives your data and how you can exercise your legal rights.
In this Privacy Statement, personal data means any information which directly identifies you as a person (like your full name and address), or can be used to identify you as a person (like a user ID connected to your identity). Similarly, processing refers to any operation performed on your personal data, for example, the collection, storage, use, disclosure, or destruction of your data.
Index
1. Summary
2. Who are we and how can you reach us?
3. What categories of personal data do we process?
4. What do we do with your personal data?
5. Who will receive your data and under what circumstances?
6. How do we transfer your personal data to other countries?
7. What are your legal rights?
8. How long do we keep your data?
9 . How do we use algorithmic decision making?
1. Summary
Topic | Explanation |
Who we are | We are Glovo (Foodinho S.R.L.). We are part of an international group of companies. Our group’s headquarters are located with Delivery Hero SE in Berlin, Germany. With regard to your privacy, it is us who decide how and for what purposes your personal data is processed while using our Platform and providing delivery services. You can contact us at: gdpr@glovoapp.com - in case you have questions related on how your personal data is processed, or; dpo@glovoapp.com - to contact our Data Protection Officer and exercise your rights, which can be found below. |
What data we process | Personal contact & account data Identification data Candidate data Contract data Payment & billing data Task-related data Location & device data Communication data |
Why & when we process your data | When you join our Platform, to manage your application and create your account. When you use our Platform, to enable you deliveries, assign you new deliveries, communicate with customers, send notifications to your device and calculate payments. For example, we can use personal data in order to evaluate the use of our Platform considering, among others, task-related data and location information in connection with the deliveries performed. Also, to improve and promote our service, ensure the quality and safety of our Platform. If you want, you can give us your consent for different things separately — like using our translation service, joining our incentive programs, receiving company updates, taking part in surveys or interviews, or getting notifications on your device. |
Who gets your data | Your data will be shared with other companies of the Delivery Hero group, third parties and service providers. Your data will also be disclosed in the event of Glovo partnering up with another company or if Prosecuting authorities, judges and other public authorities ask us to do so, including law enforcement agencies, courts, tax authorities, or other government bodies. In any event, we will make sure we disclose the minimum amount of data needed under confidentiality commitments and that your data is shared securely. |
Third-party service we use to process your data | Braze: enables us sending you updates, reminders and facilitating engagements mParticle: helps us bring your info together to give you a smoother, more personalized experience—while always respecting your privacy choices Konecta Italia: supports rider onboarding and coordination, helping you start smoothly and stay on track. MessageBird:Phone Number Masking When the rider and customer call each other, their real phone numbers are hidden. Talkdesk: connects riders to the right team directly from the delivery app. |
Transfers to other countries | We may transfer your data to countries outside the European Economic Area. We use strong safeguards, complying with data protection law, to protect your data while doing so. |
Your rights | You can access, correct, delete or limit your data, ask us to transfer it, object to its use, file a complaint and withdraw your consent at any time, whereas processing is based on your consent. |
How long do we keep your data | We keep your data only as long as we have a valid reason to do so or as long as your consent is not withdrawn, if the processing is based on your consent. |
2. Who are we and how can you reach us?
We are Foodinho, S.R.L. (“Glovo”) and we are located at Via Giovanni Battista Pirelli 31, 20124, Milano, Italia.
With regard to your privacy, it is us who decides how and for what purposes your personal data is processed while using our delivery platform (“Platform”) and providing delivery services. In data protection language that makes us a so-called data controller (the party responsible for why and how your personal data is processed).
If you have any questions related to how your personal data is processed, you can contact us at gdpr@glovoapp.com. If you would like to reach our data protection officer, please contact dpo@glovoapp.com.
3. What categories of personal data do we process?
As part of offering our Platform and enabling you to make deliveries (in other words, to become a “rider”) during the period that service is performed in the delivery zone (“session”), we process personal data provided by you, collected from your device when you interact with our Platform or obtained from permitted third parties. We process the following categories of personal data:
Personal contact & account data | including your name and surname, address, email address, password, phone number, city, internal ID, your photo, language and other profile settings |
Identification data | including information relating to government-issued documents such as driving licence, passport, ID card, residence or work permit, insurance information, certificates, tax number |
Candidate data | including applicant number, qualifications, skills, educational certificates, previous experience, referral information, interview information |
Contract data | including the type and duration of contract, vehicle and equipment information, city, emergency contacts, offboarding details |
Payment & billing data | including amounts due, status, bank account details, tax details, date and place of birth, nationality, gender, social security number, billing address, payment rules, invoice type, prepaid card, postal account |
Task-related data | including delivery details (for instance, date and time of the pick-up, delivery, distance), delivery time, accepted/in-progress/cancelled deliveries, session details, cash collection, absence and history, data relating to interactions with support agents traffic data, interactions with customers and businesses, activity carried out on the App during working hours, interaction with the app's features) |
Location & device data | including GPS coordinates (longitude and latitude), movement details, device ID, IP address, login details, metadata (app version, timestamp), device configuration settings, operating system, battery level and internet connection and other data obtained from the device. |
Communications data | including date, time and content of communications of riders with customers and agents. |
4. What do we do with your personal data?
This section outlines how your personal data is processed as a rider on our Platform. If additional purposes not outlined in this section require further processing of your data, you will be informed separately about such activities. For instance, if you are engaged on our Platform via a third party, they are obliged by applicable law to provide you with additional details of how they manage and process your information for their purposes.
A. When you join our Platform
1. Application
If you directly apply to become a rider on our Platform, you will be asked to provide your personal contact data such as email address, phone number, identification data such as government- issued documents (passport, work permit), contract data such as vehicle information. It may be the case that you are also asked to provide your candidate data including your qualification and experiences.
Once you provide your information, we may contact you through your preferred communication channels, which may include email, SMS, or social communication channels like WhatsApp. This communication may involve arranging or conducting interviews, reminding the upload of additional information or documents to the recruitment system. The data processed in this step is essential to verify that you can deliver the service and to become a rider on our Platform. If you apply through the “refer a friend” program, a record of this referral will also be kept and processed to fulfil any applicable referral bonus. The legal basis for the application process is therefore entering into a contract under Art. 6(1)(b) GDPR.
2. Onboarding and account creation
Once you successfully complete the application process, you will receive an invitation to enter into a contract to use our Platform as a rider. For this purpose, your personal contact & account, payment & billing, identification, as well as contract data will be processed. This basic information is the basis of our collaboration on our Platform.
In cases where your application documents, including your identification data, cannot be verified in person, we may utilise machine based technologies to verify your documents. If these technologies are used, we will ensure human evaluation of the process. You can oppose any dissatisfactory result of this verification process via Help Center within the Rider App and we will make sure the verification is reassessed.
Following these steps, you will be onboarded to the Platform and a rider account will be created. If you decide to use our equipment and/or outfit, we will also need details concerning the equipment you require. Your equipment preference will be documented, along with your personal contact and account data. The legal basis for this processing is therefore entering into or performance of a contract under Art. 6(1)(b) GDPR.
B. When you use our Platform
Going active in our “Free login” model
Based on the terms outlined in your contract, you will be able to activate a session at your preferred time. This process requires the processing of your contact & account, location, contract, and device data.
In order to start a session, you can just login to the Platform and confirm that you wish to receive delivery proposals. Similarly, you can stop receiving orders at any timect. As enabling you to get started a session and use our Platform is a crucial part of fulfilling the terms in your contract, the legal basis for this processing is performance of a contract under Art. 6(1)(b) GDPR.
Delivering orders
When you start your session for receiving orders, your personal contact & account, contract data such as your vehicle type, as well as location and device data will be used to calculate your proximity to the pick-up and drop-off locations, estimate the delivery time, and offer you a delivery based on this information while taking into account the delivery volume and weight.
Offering you the most suitable delivery in real time is only possible when we use algorithmic decision making processes that take into account all relevant factors mentioned above. If you have any inquiries regarding the delivery offers, you can always contact our support agents and request a human review of the process via Help Center within the Rider App or you can also write to gdpr@glovoapp.com to express your point of view and contest the decision. As offering you deliveries is an essential part of enabling you to operate on our Platform, the legal basis for this processing is performance of a contract under Art. 6(1)(b) GDPR and supported by Art. 22(2) (a) GDPR.
Once you get the delivery task, you are free to choose the route. Our Platform may offer an integrated maps function that you can use during deliveries. If you use this feature, your device data and location data will be shared with the navigation service provider. Similarly, in cases where customers provide delivery instructions in a language different from your preference, our Platform may incorporate a translation feature. This feature may connect you to a third-party translation service (for instance, Google Translate) that may process your communications data in line with their own privacy practices. Using these functionalities is optional and the legal basis for this processing is consent under Art. 6(1)(a) GDPR.
Geolocalization
We are dedicated to enable you deliveries in the most efficient manner and upholding an exceptional service to our customers. In this respect it's crucial to process your location data on certain instances detailed below. You can be assured that your device will not start sharing your location by default. Instead, you must manually activate location sharing in your device settings before you start using the Platform. In any case your location data will not be processed when you don’t have an active session on the Platform.
When the geolocation feature is active, its activation will be indicated by the presence of an icon visible in the top-right corner of the screen of the device. When you are in an active session, your location data will be processed throughout the entire session. For example, if you switch to a navigation app after a delivery is assigned to you, Rider App will continue running in the background and capture your location in order to disclose to the customer the delivery estimation (see section 4.C.5 Sharing information with customers and business partners for further information) and plan the best next delivery for you (see section 4.B.2.Delivering orders). As your location data during sessions is fundamental for operating on our Platform, deactivating location sharing within your device settings will unfortunately prevent you from receiving further deliveries. Meanwhile, during the delivery journey, you are free to disable location sharingvia your device’s settings menu, without this affecting your experience of using the application. However, in this case, you will need to reactivate the feature when the order is delivered to the customer for the sole purpose of marking the order as delivered. Finally, processing your location data will be deactivated at the end of the session, unless there is an ongoing order, in which case it will be deactivated after delivery.
Your location data captured during your session will also be processed for calculating payments (see section 4.B.6.Payment) and in certain cases to detect compliance with the Platform’s conditions of use (see section 4.C.4.Compliance) or in order to avoid fraud attempts (see section 4.D.2.Operational safety and fraud prevention).
When you are not in an active session, the Rider App defaults to a state where it does not collect or display your location. If you choose to use the in-app map for orientation — for instance, to navigate toward an operational area before starting a session — you can manually enable the “Observe Location Icon”. By doing so, your position (represented by 'Blue Dot') is processed and displayed on your screen based on your explicit consent.
The detection occurs in real-time to allow for navigation, but only for as long as the Icon remains active. To ensure your privacy, Observe Location Icon automatically resets to 'OFF' whenever you fully close the App, end a work session or log out.
This data remains strictly local; it is never transmitted to or processed by our backend systems.
Operational Geolocation (during an active session) is grounded in Art. 6(1)(b) GDPR (Contractual Necessity), as it is indispensable for the performance of the delivery service. User-Initiated Location Observation (the 'Observe Location' icon while offline) is grounded in Art. 6(1)(a) GDPR (Explicit Consent), as it is a voluntary feature enabled solely by the rider for their own orientation.
We would like to assure you that we keep your location data for a limited time and we apply further access restrictions in clearly pre-defined stages. For example, we remove location data from the order management system not later than 15 days after it is collected. During this time, it is processed for essential operational purposes, such as making sure your payments are accurate or solving any issues related to your deliveries. After these 15 days, access to the location data remains further restricted and accessed only when strictly necessary to address e.g. fraud claims and investigate specific problems such as insurance claims.
Your location data is then aggregated and retained overall for two years from the date it was collected and processed in an aggregated manner, e.g. in order to improve our services.(see section 4.F.2.Data analytics and business intelligence)
Communication with customers and rider support agents
If you experience any challenges when using our Platform, you can reach out to support agents or business partners (for instance, restaurants) through in-app chat or any other available channels (for instance, phone call). Similarly, if you encounter any difficulties with your delivery on our Platform, you can reach out to the customer through our Platform. In such instances, your personal contact & account, contract data such as your vehicle type, location & device data are processed and some of this data might be shared with the person you are communicating with (for instance, your name is shared with the customer).
Processing your data is necessary to resolve the issue you are experiencing and to ensure that our Platform is offered to you as promised. Therefore the legal basis for this processing is performance of a contract under Art. 6(1)(b) GDPR.
Sending device notifications
We may send you different types of device notifications, including “pop-up notifications” and “in-app messages” that appear on top of other open apps that require us to process your location & device data. You can consent to receive such notifications, and have the option to revoke this permission in your phone settings. Please be assured that when we are using these technologies we will never capture any information regarding other apps that you may have installed on your device or any personal data contained within those apps.
The legal basis for this processing is consent under Art. 6(1) (a) GDPR.
Payment
Based on the specific terms of your contract, the calculation of your payment may depend on factors such as the number of deliveries, the distance for delivery, and/or the hours worked. Processing of your personal contact & account, location, task-related, as well as payment & billing data, is necessary to accurately calculate your payment and facilitate the payment process.
This process is done automatically by taking into account all relevant factors mentioned above. If you have any inquiries regarding the payment process, you can always contact support agents and request human review by contacting the support available in the Privacy Center under Help Center. We process your data for this purpose if the calculation and provision of your payment is a fundamental aspect of the relationship between you and our Platform, the legal basis for this processing is performance of a contract under Art. 6(1)(b) GDPR.
Ending our collaboration
When our collaboration comes to an end, we will be required to process certain personal data to ascertain that your offboarding has been properly completed. This data includes your personal contact & account, contract data such as offboarding details including termination date and reason, payment & billing, and task-related data. The legal basis for this processing is performance of a contract under Art. 6(1)(b) GDPR.
After termination of our collaboration, we will archive certain personal data pertaining to you as long as such storing is necessary for us to meet statutory requirements and necessary for handling claims or reporting reasons in accordance with the table given below (in Section 7. How long do we keep your data?). The legal basis for processing your data for archiving is legal obligation under Art. 6(1)(c) GDPR and for addressing post-termination requirements is legitimate interest under Art. 6(1)(f) GDPR.
C. When we ensure the quality of our Platform
1. Operation management and service optimization
We are dedicated to delivering exceptional service to our customers, which requires efforts to manage and optimise the operations offered on our Platform. This process involves the processing of your personal contact & account as well as contract data such as vehicle information, task-related data such as delivery details, and your location & device data.
Wherever possible, we aggregate and pseudonymize personal data, which means that we cannot identify you individually or limit the ability to link data to you specifically. In case your personal data is involved, these efforts are carried out based on our legitimate interest under Art. 6(1)(f) GDPR.
In order to optimise our services we need to address potential disruptions. For instance, if the order assigned to you is cancelled by the customer,, we may need to process your contact data to send you a notification in order to inform you. n These decisions can be met automatically only after the process is evaluated by a human being prior to system implementation. If you have any inquiries regarding this process, you can always contact support agents via Help Center and request human review. The legal basis for service optimization is performance of a contract under Art. 6(1)(b) GDPR and supported by Art. 22(2)(a) GDPR as this data is processed to ensure that you fulfil our operational requirements under the contract you have entered into with us.
2. Incentives
We offer a variety of incentives to make our Platform more attractive to you and to ensure that you enjoy all the advantages that our Platform has to offer. These initiatives may be initiated for different purposes, such as improving your road safety and driving standards. When you participate in these programs, we may process your personal contact & account data, task-related data. In addition, our Refer a Friend program allows you to invite your friends to our Platform and obtain rewards such as referral bonuses. As part of this program, we may process your personal contact & account data, and a record of your referral.
Your participation in these incentives will be on a voluntary basis, therefore we will rely on consent under Art. 6(1)(a) GDPR as a legal basis. If you have already given your consent, you are free to revoke your consent at any time.
3. Training and medical checks
We are dedicated to upholding professional standards in our training and education programs. These initiatives include optional and mandatory training modules designed to ensure a high standard of service, as well as compliance with industry-specific requirements, such as those related to food handling or road safety. To provide you access to these offerings or, in the case of mandatory training, to track your attendance and compliance, we will need to process your personal contact & account, contract data, as well as proof of completion of training.
When using our Platform you may be requested to perform a medical check by a medical service provider to ensure you are in good health and able to perform your activity. If a medical check is requested, you will receive an email with all relevant instructions to be followed. Please be assured that Glovo will only receive confirmation from the medical service provider regarding your fitness for work and no other health information will be shared or processed.
The legal basis for this processing is legal obligation under Art. 6(1)(c) GDPR in the case of legally required training and the medical checks, and, for the training to uphold professional standards, legitimate interest under Art. 6(1)(f) GDPR.
4. Compliance
In addition to legal requirements, we expect all of our Platform participants to comply with the requirements of our conditions of use, code of conduct, similar rules and processes as they apply to them. The purpose of this is to prevent and mitigate business risks and to ensure compliance with legal and ethical standards. Accordingly, irregularities will be investigated and upon confirming such deviation, we may take appropriate actions such as termination or suspension of the account involved, subject to legal prerequisites. In this context we may process your personal contact & account, contract, payment & billing, task-related, location & device, as well as communications data.
This process is based on our legitimate interest under Art. 6(1)(f) GDPR as we have a strong interest in maintaining our Platform safe for all participants and upholding the integrity of our operations.
5. Sharing information with customers and business partners
To ensure transparency and effective communication in our service operations, we provide relevant information to our customers and business partners (for instance, restaurants). This involves processing various types of data, including your personal contact & account, task-related data such as delivery details, as well as your location & device data. Part of this information, including your name, estimated delivery time, and sometimes your location, is shared with customers and business partners, only to the extent relevant for their order.
This process is designed to keep participants of our Platform well-informed about their orders and helps them anticipate when the delivery will arrive or when the parcel they shipped via Glovo-on-demand will be delivered. We rely on our legitimate interest under Art. 6(1)(f) GDPR as the legal basis for sharing your information with customers and business partners.
6. Sending device notifications
We may send you different types of device notifications, including ‘pop-up notifications’ that appear on top of other open apps that require us to process your device information. We will seek your consent to send you such notifications, and you will always have the option to revoke this permission. Please rest assured that when we are using these technologies we will never capture any information regarding other apps that you may have installed on your device or any personal data contained within those apps.
The legal basis for this processing is consent under Art. 6(1)(a) GDPR.
D. When we ensure the safety of our Platform
1. IT infrastructure, database hosting, and systems security
We use state of the art servers, network equipment and cloud services to operate our Platform, to ensure high performance and uninterrupted service. All types of personal information you provide and the information we collect about you are stored and protected within the secure environment of our Platform.
In order to achieve this, we use tools such as endpoint security detection, traffic monitoring, backup systems and data loss prevention solutions to keep your data secure. The legal basis for processing your data to host and ensure the security of your personal data is legitimate interest under Art. 6(1)(f) GDPR.
2. Operational safety and fraud prevention
One of our main priorities is to ensure a secure Platform and safe delivery experience for everyone participating in our Platform. To achieve this objective, proactive measures to prevent fraudulent activity and to ensure operational safety are implemented. This process includes the processing of personal contact & account data such as your internal ID and photo, contract data such as vehicle information, task-related, location & device, as well as identification data including government-issued documents, and work permit.
We employ various processes to detect and prevent fraudulent activities, including those involving session and location manipulation. While we rely on systems to conduct fraud analysis, we always make sure that the system output is assessed by a human and your explanation is asked before any decision is met; accordingly, you will not be subject to automated decision making. For example, If we detect an unusual occurrence that may appear as a fraud attempt, one of our team members will personally review the issue and reach you via email, sharing the details and ask for a response. Only after this process with your explanations taken into account, a team member will decide on an action regarding your account. The legal basis for processing your data for the purposes of operational safety and fraud prevention is legitimate interest under Art. 6(1)(f) GDPR.
E. When we promote our Platform
1. Onboarding campaigns
We utilise targeted campaigns to onboard more riders on our Platform, which involves displaying customised advertisements on websites tailored to specific audience segments. Additionally, if you visit our website to explore becoming a rider, we may utilise cookies and web trackers to remind you to submit your application. Typically, this practice only involves anonymized information, and we do not process personal data for this purpose. However, in exceptional cases where personal data is processed, it may include device, as well as personal contact & account data.
We rely on our legitimate interest under Art. 6(1)(f) GDPR as the legal basis for promoting our Platform to new riders.
2. Corporate communications
Photos and video footage might be published on our social media sites such as LinkedIn or Instagram to promote our Platform and culture. For group photos, you will be given the opportunity to object to both the taking and the publication of the photo or video. You are free to request the deletion of a specific image at any point in time. Please note that, in order to review your request, we will require you to indicate exactly which photo or video recording you would like to have removed from a certain service. We will process this data until you object to the processing, or withdraw your consent (in the case of portrait photos).
In any case, your express consent for the publishing and usage of your image will be requested.
Our legal basis for the processing of photos will be consent per Art. 6(1)(a) GDPR.
F. When we improve our services
1. Surveys and interviews
We always aim to improve our services, and your valuable feedback is an important part of that process. As such, we sometimes ask for your feedback or invite you to an interview. Surveys are usually performed on an anonymous basis; in case it will be requested to collect some personal information you will be informed. For interviews, we process your personal contact & account, task-related, device data.
Participation in the surveys and interviews requires your consent under Art. 6(1)(a) GDPR. After you provide your consent to participate in our surveys, we may contact you through your preferred communication channels, which may include email, SMS, or social communication Platforms such as WhatsApp. If you have already given your consent and would like to revoke it with future effect, please let us know by contacting us. In this case, we will exclude you from participating in interviews and ensure that you don't receive any further invitations. We will keep the data we process within user surveys and interviews for as long as you grant us consent to do so. At the latest, when you delete your account, we will consider your declaration of consent to have been withdrawn.
2. Data analytics and business intelligence
We perform data analytics and develop business intelligence to improve our Platform in terms of product development, efficient resource management, and, ultimately, improve business performance. For example, this is the case when personal data is processed to measure the efficiency and efficacy and identify potential improvements in our operational structures and business processes. For this purpose, we process personal contact & account, task-related, contract, and location & device data.
These insights are typically aggregated (meaning processed fully anonymously, so you can never be identified as a person by anybody) or pseudonymized (meaning it will be very hard to identify you as a person). The legal basis for processing your data for this purpose is legitimate interest under Art. 6(1)(f) GDPR.
G. When we are required to comply with laws and regulations
1. Legal proceedings and Authority requests
As with any organisation, there are instances when we are required to share personal data with public authorities. Additionally, there might be instances where we have to process your personal data to initiate or defend legal claims and uphold our rights and interests. For this purpose, we may disclose and process certain data we hold about you, to the extent strictly necessary to conclude these legal proceedings and investigations.
We retain this information for as long as necessary to comply with legal obligations related to ongoing proceedings and investigations. After the final closing of the respective legal proceedings, we will delete your data immediately. The legal basis for processing your data for complying with public authority requests is legal obligation under Art. 6(1)(c) GDPR; and for initiating and defending legal claims is legitimate interest under Art. 6(1)(f) GDPR.
2. Responding to data subject requests
Data protection laws grant you various legal rights. We are committed to respecting them at all times. When you exercise these rights, we must process your data to effectively address your request. For instance, if you choose to exercise your right to access, we need to gather all of the information we hold about to meet our obligation to respond.
To achieve this, we may process any type of data we hold about you, only to the extent necessary to comply with our obligations. The legal basis for processing your data for complying with data subject requests is a legal obligation under Art. 6(1)(c) GDPR. We retain this information for as long as necessary to comply with our legal obligations.
3. Regulatory Compliance
Under various regulatory frameworks in the EU such as financial services regulations, antitrust and competition laws, the Digital Services Act (DSA) or the Platform-to-Business Regulation we are required to share certain aggregated data with the parties specified in these laws (for example, the business partners on our Platform, or the regulating bodies under the DSA). While this data will originate from personally identifiable data, we are generally not required to share personal data with third parties under these laws.
Moreover, compliance with relevant laws such as social security, employment, or commercial laws requires the collection and retention of personal information for regulatory purposes. To fulfill these obligations, we are obligated to process various types of data such as identification data including government-issued identification documents, insurance information, contract data including type and duration of contract, as well as payment & billing data including date and place of birth, nationality, gender, social security and number.
This process may involve verification and confirmation of compliance with legal age requirements, possession of necessary permits (for instance, driver's licence, work permit), availability of health insurance coverage, or creating necessary proof of work. This process is crucial to ensure that all Platform participants comply with the statutory requirements for operating in our Platform. The processing of personal data is based on the legal basis of legal obligation under Art. 6(1)(c) GDPR.
5. Who will receive your data and under what circumstances?
We explained above the details of data processing including the usual recipients in the course of your regular activities on our Platform. These will be typically customers, business partners such as restaurants, rider support agents and marketing partners. In addition, our staff members will receive access to your data to fulfil their professional duties, such as providing you with a great online experience or looking into your support request, on a need to know basis.
In certain scenarios, we also need to share your personal data with recipients outside of our company. Please be assured that your data is shared with these recipients only to the extent necessary for the specified purposes and only as we are legally permitted to do so. In addition to sharing data with the parties already specified above, we will only share your data as follows:
A. Delivery Hero group companies
We are part of an international group of companies with legal entities in many parts of the world, including our group’s headquarters located with Delivery Hero SE in Berlin, Germany. To utilise our resources efficiently and ensure that our business processes function properly, we utilise our group-wide shared technological support services that sometimes necessitate sharing personal data with our parent company, Delivery Hero SE, or with the locations of our global tech hubs. In certain situations, we might also share limited data with other group companies, for example, to assist with payment collection or to implement security measures.
Delivery Hero group companies are bound by strict intra-group data transfer agreements ascertaining compliance with data protection requirements whenever sharing personal data with group companies.
B. Data processors
We use various third-party service providers to perform our operations. Many of these providers process your personal data as so-called “data processors''. This means they are only allowed to process your personal data under our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. Our processors are strictly monitored and we only engage processors who meet our high data protection standards.
The main data processor for cloud technology on our Platform is our group’s headquarters located with Delivery Hero SE in Berlin. Delivery Hero SE provides us with a wide range of services of technology, such as cloud hosting, platform security, marketing or customer relationship management tools. Our Platform and databases run on cloud resources provided by the EU subsidiaries of Google Cloud Platform and Amazon Web Services. We will make use of other data processors for various purposes as follows:
Third-Party name | Service Provided | Categories of Personal Data |
Braze Inc. | Braze enables us sending you updates, reminders and facilitating engagements | Personal contact and account data, Location and Device data, Communication data |
Konecta Italia | Konecta Italia supports rider onboarding and coordination, helping you start smoothly and stay on track. | Personal Contact and account data, Identification data, Contract data, Payment and Billing data, Task-related data, Location and Device data |
MessageBird | Phone Number Masking When the rider and customer call each other, their real phone numbers are hidden. There are no automated messages in this case. | Communication data |
mParticle | mParticle helps us bring your info together to give you a smoother, more personalized experience—while always respecting your privacy choices. | Personal contact and account data , Identification data, Task related data, Location and Device data, Communication data |
Talkdesk | Connects riders to the right team directly from the delivery app. Helps resolve delivery issues quickly and efficiently. Improves communication quality with smart support tools. | Personal contact and account data, Communication data |
Legal basis for processing:
- Performance of Contract – to fulfill obligations toward riders (e.g. onboarding, support)
- Legitimate Interest – for internal quality assurance, performance monitoring, or fraud prevention
- Consent – where applicable for optional communications, digital marketing and personalization (e.g. Braze)
C. Other third parties and service providers
We work with third parties, to whom we need to share your personal data and unlike data processors, they are not bound by our instructions and instead will process your data independently. These may be our consultants, lawyers or accountants who receive your data from us under a contract and process your personal data for legal reasons, or to protect our own interests. Similarly, this may involve sharing information with the insurance companies directly or with a third party acting on their behalf, to manage your insurance arrangements or facilitate your insurance coverage. In case you are recruited by a third-party-logistics provider, they will need to have visibility on certain task-related data in order to meet their legal or contractual obligations.
Under no circumstances will we sell or rent your personal information to third parties without your explicit, informed consent.
D. Mergers & acquisitions, change of ownership
In the event of a merger with, or acquisition by, another company or group of undertakings, we may need to disclose limited information to that company and their advisors who are under professional obligations to maintain the confidentiality of your personal data. This may occur in circumstances such as mutual due diligence assessments and regulatory disclosures.
In any event, we will ensure that we only disclose the minimum amount of information necessary to conduct the transaction, while also carefully considering the feasibility of removing or anonymising any data that could identify individuals.
E. Prosecuting authorities, courts and other public authorities
From time to time we may be requested to disclose personal data to public authorities. In some circumstances, we may disclose personal data with public bodies to bring or defend against legal claims, to protect our rights and interests, or to address security concerns.
Examples of such situations include cooperating in the detection and prevention of crime, responding to legal processes such as court orders or subpoenas, or sharing data with tax authorities for tax-related purposes. The public authorities involved in these scenarios may include law enforcement agencies, courts, tax authorities, or other government bodies.
6. How do we transfer your personal data to other countries?
We and the parties we share your personal data with may transfer personal data to countries other than the country in which you use our services. Where such transfers take place, we take appropriate measures to ensure that your data is always afforded an adequate level of protection in the countries to which it is transferred.
For example, if we transfer your personal data from a country within the European Economic Area (EEA) to a country outside of the EEA, we take appropriate safeguards to ensure that these transfers provide a level of protection that complies with data protection requirements. If there are specific further requirements of the law of the country in which you use our services, we will abide by them as well. Specifically, as far as transfers from the EEA to countries outside the EEA are concerned, we rely on a number of appropriate safeguards:
- Adequacy decisions by the EU Commission (also including the United States, to the extent recipients have certified under EU-US Privacy Framework or other applicable mutual agreement between the EU and the US),
- Standard contractual clauses mutually agreed in our contract with the data recipient (including any supplementary measures, if required),
- Further appropriate safeguards in accordance with Art. 46 GDPR (for example binding corporate rules). If you would like to receive a copy of the appropriate safeguards securing the data transfer, please contact us.
7. What are your legal rights?
Under the data protection laws, you are entitled to the following rights:
Right to access | You have the right to access your personal data and obtain additional information on how we process it. You may also request a copy of your personal data. |
Right to rectification | If you notice that your personal data is incorrect, you can always request that we correct it. |
Right to erasure | You have the right to ask us to delete your personal data. Please note that even if you exercise this right, we may be required to retain some of your information if we process it as part of our legal obligations, or in pursuit of our own (or a third party’s legitimate interests) such as the assertion of, or defence against legal claims, concluding customer care inquiries, preventing fraud or protecting ourselves or others against abusive behaviour. |
Right to restriction of processing | If you have requested the deletion of your personal data, but we are legally prevented from immediately deleting it, we will store your data in our archives and retain them for the sole purpose of meeting our legal obligations. However, you will not be able to use our services during this time, as this would require us to de-archive your personal data. |
Right to data portability | You can ask us to provide you or another data controller with your personal data in a machine-readable format. However, please note that this right only applies to data that we process based on your consent. |
Right to object | You have the right, for reasons arising from your particular situation, to object at any time to any processing of your personal data, which is processed on the basis of our legitimate interests. If you object, we will no longer process your personal data unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise, or defend against legal claims. You also have the right to object at any time, without giving any explanations, to the process of your personal data for direct marketing (including any associated profiling). |
Right of complaint | You can raise a complaint about our processing with the data protection authority in the country of your habitual residence, place of work, or the place where you think a violation of data protection laws has occurred. In the case of cross-border data processing, you can also lodge a complaint with our lead supervisory authority in Berlin, Germany. |
Right not to be subject to a decision based solely on automated processing | You have the right to object to a fully automated decision (i.e. without any human intervention in the decision-making process) that has legal effects or significantly affects you. |
To exercise your rights, we encourage you to use the functions available in your account at any time. For example, if you would like to delete your data, you can directly do so by following the relevant steps in your profile. These self-service methods are designed to expedite the process of fulfilling your rights. Alternatively, you can exercise your privacy rights at any time HERE, by raising a complaint within the Help Center under Privacy Center or by sending us an email to gdpr@glovoapp.com.
8. How long do we keep your data?
We retain your personal data for as long as it is necessary to achieve the purposes we described above. The duration for which we retain your personal data is determined by factors such as the scope, nature and purposes of the personal data processing, and whether we have legitimate interests or legal obligations that require us to retain your personal data.
In the ordinary course of operations, your data will be deleted according to the table below once the contract allowing you to operate on our Platform is terminated, unless we are legally required to retain it for a longer time.
Data Category | Retention Period |
Personal contact & account data Basic contact data Address information | 10 years Art. 2935 Art 2946 Italian Civil Code 2 years Circolari Agenzia Entrate (tax Authority) for incomes certification documents |
Identification data Personal ID Passport data Work permit and visa related information Driver’s license Training data | 10 years Art. 2946 cc Until end relationship 5 years Art. 2948 cc 5 years |
Contract data Basic Workforce Data Contract Information Emergency Contract Information Equipment Data Termination Data Vehicle Data | 10 years Art. 2935 Art 2946 Italian Civil Code 10 years Art. 2935 Art 2946 Italian Civil Code Until the end of the relationship 10 years from end of relationship Dlgs 81/08, Art. 2935 Art 2946 Italian Civil Code 10 years from end of relationship Art 2946 Italian Civil Code 5 years after the end of relationship about vehicle type (car, bicycle, motorbike) 2 years for other data Art. 2948 cc Art. 2947 Italian Civil Code |
Payment & billing data Staff payroll accounting data Bank data Payment data VAT | 10 years Art. 2946 italian civil code L.241/1990 10 years |
Task-related data Delivery data Cash collection Performance data | 10 years from end of relationship Art. 2935 Art 2946 Italian Civil Code |
Location & device data Access, Account & Device Data | 2 years, Art. 2947 Civil Code 10 years after the end of relationship Art. 2935, Art. 2946 Italian Civil Code |
Communications data | 30 days |
9. How do we use algorithmic decision making?
Some of our processes include the use of algorithmic decision making and machine learning. We consistently strive to implement methods that ensure a significant level of human oversight in the decision making process, enabling us to modify or reverse decisions as needed.
In many cases, the algorithmic decision making processes without human oversight will not have legal or similar significant effects on you. Whereas they do, we will ensure that you have the right not to be subject to the algorithmic decision making processes, unless those processes are authorised by applicable law or are necessary for the entering into or performance of a contract. In these cases, you can always oppose the decision and request a human evaluation by contacting us.
To fully access all the information related to our algorithms please visit the link: https://glovoapp.com/docs/it/legal/transparency/.
Changes to this Privacy Statement
We may update this Privacy Statement from time to time to reflect our new processes, new technologies, and legal obligations. We are committed to keeping you informed of any changes to our privacy practices, so we encourage you to review this privacy statement to stay updated.
Last modified: February 2026