Privacy Policy
Last updated: 2026-02-01
1. Introduction
Welcome to CFM - CONTROL FLEET MOTOS ("CFM", "we", "us", or "our"). We are committed to protecting the privacy and personal data of our users, customers, and website visitors. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our fleet management platform and related services.
CFM provides a cloud-based software-as-a-service (SaaS) platform designed for motorcycle rental businesses. Our platform enables fleet operators to manage their motorcycle inventory, rental agreements, maintenance schedules, financial records, and customer relationships.
This Privacy Policy applies to all personal data processed through our platform at https://fleetmoto.com, including data collected via our web application and any associated services. By accessing or using our platform, you acknowledge that you have read and understood this Privacy Policy.
If you have any questions about how we handle your personal data, please contact us using the details provided in Section 15 of this policy.
2. Data Controller
The data controller responsible for processing your personal data is:
| Company Name | Jerry Strait |
|---|---|
| Tax Identification Number (NIF) | 327380136 |
| Registered Address | Avenida Do Brasil 127, 2735-674 Agualva-Cacém, Portugal |
| Email | contact@fleetmoto.com |
| Phone | +351 939 048 392 |
| Data Protection Officer (DPO) | dpo@fleetmoto.com |
As the data controller, we determine the purposes and means of processing personal data in accordance with applicable data protection legislation. We are responsible for ensuring that all processing activities comply with the General Data Protection Regulation (GDPR) and Portuguese data protection laws.
For any requests, questions, or concerns regarding the processing of your personal data, please contact our Data Protection Officer at dpo@fleetmoto.com.
3. Legal Framework
Our data processing activities are governed by the following legal instruments:
- Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR/RGPD): The primary European Union regulation on data protection and privacy, directly applicable in all EU Member States, including Portugal. It establishes the rights of data subjects and the obligations of data controllers and processors.
- Lei n.º 58/2019, de 8 de agosto — Portuguese Data Protection Law: The national law that ensures the execution of the GDPR in the Portuguese legal order. It specifies national derogations, the competence of the supervisory authority, and specific provisions regarding data processing in the Portuguese context.
- Lei n.º 59/2019, de 8 de agosto — Portuguese Law on Electronic Privacy: Transposes EU Directive 2002/58/EC (ePrivacy Directive) into Portuguese law, governing the processing of personal data and the protection of privacy in the electronic communications sector, including rules on cookies, direct marketing, and traffic data.
- Comissão Nacional de Proteção de Dados (CNPD): The Portuguese national supervisory authority for data protection, established under the GDPR and Portuguese law. The CNPD supervises and enforces compliance with data protection legislation in Portugal.
We regularly review our data processing practices to ensure continued compliance with these legal frameworks and any subsequent amendments or guidance issued by the CNPD, the European Data Protection Board (EDPB), or relevant courts.
4. Data Collected
We collect and process the following categories of personal data, which vary depending on your role and use of our platform:
4.1. Account and Identity Data
- Full name
- Email address
- Password (stored securely; we never store plaintext passwords)
- Profile image (if voluntarily provided)
- User role and permissions within the platform
- Account creation and last login timestamps
4.2. Organization Data
- Organization name, identifier, and logo
- Organization membership details and user roles
- Invitation records (invitee email, role, status, expiry)
4.3. Fleet and Business Data
- Motorcycle fleet data: make, model, year, license plate, VIN, color, mileage, status, acquisition details (date, price, source), insurance information, and associated documentation
- Rental records: rental agreements, start/end dates, pricing, payment status, customer assignments, and contract terms
- Renter (customer) data: name, email, phone number, identification document details, driver's license information, address, and rental history
- Maintenance records: service type, date, cost, mileage at service, vendor information, and associated documentation
- Financial data: ledger entries, transaction amounts, payment categories, revenue and expense records, and tax-related documentation
4.4. Technical and Usage Data
- IP address
- Browser type and version
- Operating system
- Device type and screen resolution
- Pages visited and features used within the platform
- Date and time of access
- Referring URL
- Session tokens and authentication data
4.5. Communication Data
- Emails sent through the platform (e.g., invitation emails, notifications)
- Support requests and correspondence
We do not collect special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) unless strictly necessary and with your explicit consent.
5. Purpose and Legal Basis
We process your personal data for the following purposes, each supported by a lawful basis under Article 6(1) of the GDPR:
| Purpose | Legal Basis (Art. 6(1) GDPR) |
|---|---|
| Providing and maintaining the CFM platform, including user account creation, authentication, and session management | (b) Performance of a contract — Processing is necessary for the performance of the service agreement between you and CFM |
| Managing your organization, including team invitations, membership roles, and access permissions | (b) Performance of a contract — Necessary to deliver the SaaS service as agreed |
| Processing fleet management data, including motorcycle inventory, rental agreements, maintenance schedules, and financial records | (b) Performance of a contract — Core functionality of the service you have subscribed to |
| Sending transactional emails such as account invitations, password resets, and system notifications | (b) Performance of a contract — Necessary communications to deliver the service |
| Maintaining financial and tax records as required by Portuguese and EU law | (c) Legal obligation — Compliance with Portuguese tax and accounting regulations (Código do IRC, Código do IVA, and related legislation requiring retention of financial documentation) |
| Ensuring platform security, preventing fraud, and investigating unauthorized access or misuse | (f) Legitimate interest — Our legitimate interest in protecting the platform, our users, and their data from security threats |
| Generating aggregated usage analytics and performance metrics to improve the platform | (f) Legitimate interest — Our legitimate interest in understanding platform usage to improve service quality and reliability |
| Responding to support inquiries and providing customer assistance | (b) Performance of a contract and (f) Legitimate interest — Necessary to fulfill our service obligations and our interest in maintaining customer satisfaction |
| Complying with legal obligations, court orders, or lawful requests from public authorities | (c) Legal obligation — Processing required to comply with applicable laws |
Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time (see Section 7).
We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
6. Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The specific retention periods are as follows:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account and identity data | Duration of the active account + 30 days after deletion request | Necessary for service provision and account recovery grace period |
| Organization and membership data | Duration of the organization's active subscription + 90 days | Necessary for service provision and data export period |
| Financial and tax records (ledger entries, invoices, transactions) | 10 years from the end of the fiscal year to which they relate | Required by Portuguese tax law (Código do IRC, Art. 123.º; Código do IVA, Art. 52.º) and general commercial obligations (Código Comercial, Art. 40.º) |
| Rental agreements and contracts | 10 years from the end of the contractual relationship | Tax documentation requirements and the limitation periods for contractual claims under the Código Civil |
| Renter personal data (customers) | Duration of the business relationship + 10 years for associated financial records | Legal obligations related to tax documentation and contractual liability |
| Motorcycle fleet data | Duration of ownership/management + 10 years for associated financial records | Necessary for service provision and financial/tax compliance |
| Maintenance records | Duration of vehicle management + 5 years | Necessary for warranty claims, liability, and fleet management history |
| Server logs and technical data (IP addresses, access logs) | 6 months | Necessary for security monitoring, incident investigation, and fraud prevention |
| Session and authentication data | Duration of the active session + 30 days | Necessary for security and authentication purposes |
| Support correspondence | 3 years from resolution | Necessary for service quality and dispute resolution |
When the retention period expires, personal data will be securely deleted or anonymized. Anonymized data, which can no longer be linked to an identifiable individual, may be retained indefinitely for statistical and analytical purposes.
If you request deletion of your account, we will delete or anonymize your personal data within 30 days, except for data that we are legally required to retain (such as financial and tax records) as outlined above.
7. Data Subject Rights
Under the GDPR (Articles 15 to 22) and Portuguese data protection law, you have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data along with information about the purposes of processing, the categories of data concerned, the recipients, the retention periods, and the source of the data.
- Right to Rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data and to have incomplete data completed.
- Right to Erasure ("Right to Be Forgotten") (Art. 17 GDPR): You have the right to request the deletion of your personal data where: the data is no longer necessary for its original purpose; you withdraw consent (where consent was the legal basis); you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or deletion is required to comply with a legal obligation. This right is subject to exceptions, including our legal obligation to retain financial and tax records.
- Right to Restriction of Processing (Art. 18 GDPR): You may request that we restrict the processing of your data in certain circumstances, such as when you contest the accuracy of the data, when the processing is unlawful but you oppose erasure, when we no longer need the data but you require it for legal claims, or when you have objected to processing pending verification.
- Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance, where the processing is based on consent or contract and is carried out by automated means.
- Right to Object (Art. 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interest (Art. 6(1)(f) GDPR). Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
- Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. CFM does not currently engage in such automated decision-making.
- Right to Withdraw Consent: Where we process your data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Officer at dpo@fleetmoto.com or write to us at Avenida Do Brasil 127, 2735-674 Agualva-Cacém, Portugal. We will respond to your request within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request.
We may request proof of identity before processing your request to ensure the security of your personal data. We will not charge a fee for exercising your rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
If you believe that we have not adequately addressed your request, you have the right to lodge a complaint with the Portuguese supervisory authority (CNPD) — see Section 15.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR. These measures include, but are not limited to:
8.1. Technical Measures
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
- Encryption at rest: Database storage is encrypted at rest by our infrastructure partners.
- Password security: User passwords are hashed using industry-standard cryptographic algorithms and are never stored in plaintext.
- Session management: Secure session tokens with appropriate expiration policies.
- Data isolation: Strict organizational data separation ensuring that each organization can only access its own data.
- Input validation: All user inputs are validated and sanitized using schema-based validation to prevent injection attacks.
- Role-based access control: Granular permission system ensuring users can only access data and features authorized for their role.
8.2. Organizational Measures
- Access to personal data is restricted to authorized personnel who need it to perform their duties.
- Regular security assessments and code reviews are conducted.
- Incident response procedures are in place for handling data breaches (see Section 12).
- Third-party processors are vetted and bound by data processing agreements (see Section 9).
- Regular backups are maintained with appropriate access controls and encryption.
While we take extensive measures to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We continually evaluate and improve our security practices in line with the state of the art and the risks presented by our processing.
9. Third-Party Processors
We engage the following third-party data processors to provide and support our platform. Each processor is bound by a Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR, and we have verified that they implement appropriate technical and organizational measures to protect personal data.
| Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase, Inc. | Database hosting and file storage | All platform data stored in the database (user accounts, organization data, fleet records, rental agreements, financial data) and uploaded documents/images | EU region (Frankfurt, Germany) — data remains within the European Economic Area |
| Vercel, Inc. | Application hosting, edge computing, and content delivery | Technical data (IP addresses, access logs) and page content | Global Edge Network — primary compute in EU regions; content may be cached at edge locations worldwide; Vercel complies with GDPR through Standard Contractual Clauses (SCCs) |
| Resend, Inc. | Transactional email delivery | Recipient email addresses, email subject lines, and email body content (invitation emails, password reset emails, system notifications) | United States — Resend processes data under Standard Contractual Clauses (SCCs) and adheres to GDPR requirements |
We do not sell, rent, or share your personal data with third parties for their own marketing or commercial purposes. Apart from disclosures required by law (see Section 5), data is only shared with the processors listed above, and only to the extent necessary to provide our services.
We regularly review our processor agreements and may update this list as our service infrastructure evolves. Any material changes to our sub-processors will be reflected in this Privacy Policy.
10. International Data Transfers
CFM is a Portuguese company and our primary data storage is within the European Economic Area (EEA). However, some of our third-party processors may process personal data outside the EEA, particularly in the United States.
When personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, in accordance with Chapter V of the GDPR (Articles 44–49):
- EU Adequacy Decisions (Art. 45 GDPR): Where the European Commission has determined that a third country ensures an adequate level of data protection, transfers are made on the basis of that adequacy decision. The EU-US Data Privacy Framework applies to certified US organizations.
- Standard Contractual Clauses (SCCs) (Art. 46(2)(c) GDPR): Where no adequacy decision exists, we rely on the European Commission's Standard Contractual Clauses, as approved by Commission Implementing Decision (EU) 2021/914, which contractually oblige the data importer to protect personal data to EEA standards.
- Supplementary Measures: Where necessary based on a Transfer Impact Assessment, additional technical measures (such as encryption in transit and at rest) or organizational measures are implemented to ensure an essentially equivalent level of protection.
Our database and primary file storage (via Supabase) are hosted in EU regions (Frankfurt, Germany), ensuring that the bulk of personal data remains within the EEA. Vercel processes data primarily in EU regions but may use its global edge network for content delivery; all such processing is covered by SCCs. Resend processes email data in the United States under SCCs and the EU-US Data Privacy Framework.
You may obtain a copy of the safeguards we have put in place for international transfers by contacting our DPO at dpo@fleetmoto.com.
12. Data Breach Notification
In the event of a personal data breach, we will comply with the notification obligations set out in Articles 33 and 34 of the GDPR.
12.1. Notification to the Supervisory Authority (Art. 33 GDPR)
Unless a personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, we will notify the Portuguese supervisory authority (Comissão Nacional de Proteção de Dados — CNPD) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification is not made within 72 hours, we will provide reasons for the delay.
The notification to the CNPD will include:
- A description of the nature of the breach, including the approximate number of data subjects and records concerned
- The name and contact details of our Data Protection Officer
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
12.2. Communication to Data Subjects (Art. 34 GDPR)
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the breach to the affected data subjects without undue delay, in clear and plain language. This communication will describe the nature of the breach and provide recommendations for the data subject to mitigate potential adverse effects.
Communication to data subjects may not be required where: we have implemented appropriate technical protections (such as encryption) that render the data unintelligible; we have taken subsequent measures that ensure the high risk is no longer likely to materialize; or it would involve disproportionate effort, in which case a public communication or similar measure will be made instead.
12.3. Internal Breach Response
We maintain an internal data breach response plan that includes procedures for identifying, containing, assessing, and documenting all personal data breaches, regardless of whether they are reportable. All breaches are logged in an internal register as required by Article 33(5) of the GDPR.
13. Children's Privacy
CFM - CONTROL FLEET MOTOS is a business-to-business (B2B) SaaS platform designed for motorcycle rental businesses. Our services are not directed at individuals under the age of 16. Article 8 GDPR sets 16 as the default age for consent to information society services; Lei n.º 58/2019, Art. 16.º lowers that age to 13 in Portugal, but we apply the stricter 16-year threshold.
We do not knowingly collect personal data from children under the age of 16. If we become aware that we have inadvertently collected personal data from a child under 16 without appropriate parental or guardian consent, we will take steps to delete that data as soon as possible.
If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at dpo@fleetmoto.com so that we can take appropriate action.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or our services. When we make changes, we will update the "Last updated" date at the top of this policy and the "Effective Date" at the bottom.
For material changes that significantly affect how we process your personal data, we will provide prominent notice through the platform (such as a banner or notification) and, where required by law, seek your consent before continuing to process your data under the updated terms.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Continued use of the platform after changes are posted constitutes your acknowledgment of the revised policy, except where consent is required.
Previous versions of this Privacy Policy are available upon request by contacting our DPO at dpo@fleetmoto.com.
15. Contact and Complaints
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
| Data Protection Officer | dpo@fleetmoto.com |
|---|---|
| General Contact | contact@fleetmoto.com |
| Phone | +351 939 048 392 |
| Postal Address | Jerry Strait, Avenida Do Brasil 127, 2735-674 Agualva-Cacém, Portugal |
Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR or Portuguese data protection law, you have the right to lodge a complaint with the Portuguese supervisory authority:
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 - 1.º
1200-651 Lisboa, Portugal
Phone: +351 213 928 400
Fax: +351 213 976 832
Email: geral@cnpd.pt
Website: www.cnpd.pt
You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, in accordance with Article 77 of the GDPR.
We encourage you to contact us first to attempt to resolve any concerns before filing a formal complaint with a supervisory authority.
Effective Date: 1 February 2026