Privacy Policy
Last updated: March 2026
1. Who We Are
This Privacy Policy is issued by Westlake Adventure Sports Inc., a corporation incorporated under the laws of Canada, doing business as RideNet ("we," "us," or "our"). RideNet operates an IoT-connected e-bike rental platform that enables fleet operators and riders to manage, locate, and rent electric bicycles through our website, mobile application, and related services (collectively, the "Services").
This Privacy Policy applies to information we collect and process about users of our Services, and those who communicate with us about our Services, interact with us on social media, attend our events, participate in our surveys, contests and promotions, submit job applications, or are subscribed to our marketing and informational communications (the "Interactions"). In this Privacy Policy, "Services" means:
- Westlake Adventure Sports Inc. and RideNet websites that link to this Privacy Policy, including any versions optimized for viewing on a mobile or tablet device (the "Sites");
- RideNet mobile applications (each an "App");
- RideNet-connected vehicles (each a "Vehicle"); and
- The features and services available through our Sites, Apps, and Vehicles.
We are committed to protecting the privacy of every individual who interacts with our Services. This Policy explains what personal information we collect, why we collect it, how we use and share it, and what choices you have. It applies to all users of the Services, including riders, fleet operators, and visitors to our websites.
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), and any substantially similar provincial privacy legislation that may apply — including Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25). Where we operate in jurisdictions with additional requirements — including the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) — we will meet those obligations as well.
Westlake Adventure Sports Inc. is headquartered at 15985 Loyalist Parkway, Bloomfield, Ontario, Canada K0K 1G0 and is the data controller for the personal data collected from all users.
This Privacy Policy forms part of a suite of legal documents governing your relationship with RideNet, including the Terms of Service, Rental Agreement, Rider Waiver & Liability Release, End User License Agreement, and Safe Riding Guide. In the event of a conflict between this Privacy Policy and any other document on matters relating to data collection, use, storage, sharing, or individual privacy rights, this Privacy Policy shall prevail, as set forth in the Document Hierarchy in the EULA.
2. Information We Collect
We collect personal information (i) directly from users related to our Services and Interactions; (ii) automatically related to the user's use of the Services and Interactions; and (iii) from third-party sources. We may combine the information we collect from these various sources.
2.1 Account Data
When you create an account, we collect your name, email address, phone number, date of birth, mailing address, and other contact information. This information is necessary to identify you, operate your account, verify age eligibility, and communicate with you about the Services. We also collect certain demographic data if you provide it to us, including age, gender, preferred language, and current location.
2.2 Identity Verification
To comply with safety and liability requirements, we may ask you to upload a government-issued photo identification document (e.g., driver's licence or passport). We capture an image of the document and use optical character recognition (OCR) to extract relevant fields such as your name, document number, and expiry date. This information is used solely to verify your identity and confirm that your identification is current.
No Biometric Data Collection. We do not extract, store, or process biometric identifiers (such as facial geometry, fingerprints, or iris scans) from identity documents, end-ride photos, profile photos, or any other photographic data collected through the Services. Our identity verification process relies solely on OCR text extraction and manual or automated comparison of document fields — not biometric analysis. If we ever introduce biometric processing in the future, we will update this Privacy Policy and obtain your explicit consent before collecting any biometric data.
2.3 Payment Data
Payments are processed by our third-party payment processor, Stripe, Inc. We do not receive or store your full credit or debit card number. We store a Stripe customer identifier and basic transaction metadata (amount, date, status) to link payments to your account, issue refunds, and maintain accurate financial records. We may also collect billing address, communications preferences, and payment and transaction history.
2.4 Location Data
Vehicle GPS: Each RideNet-connected vehicle transmits real-time GPS coordinates to our servers during rentals and at periodic intervals when idle. This data is essential for fleet management, theft prevention, geofencing, and providing riders with accurate vehicle locations on the map. We also collect the rental status of the Vehicles, Vehicle battery status, and GPS chip identifiers.
Mobile App Location: If you grant location permission in the RideNet mobile application, we collect your device's location to show nearby available vehicles, provide navigation assistance, and enable location-based features. We also collect and store the location information (e.g., city, province, or postal code where available) associated with the IP address of the device you use to access the Services. You may revoke location permission at any time through your device settings, though some features may become unavailable.
2.5 Vehicle Telemetry
Our IoT-connected vehicles transmit operational telemetry including battery level, current speed, lock/unlock status, cellular signal strength, total mileage, altitude, routes taken, and hardware diagnostics. This data is used to maintain vehicle health, ensure rider safety, optimize fleet distribution, and improve the overall service.
2.6 Trip Data
When you start and end a rental, we record the start location, end location, distance travelled, duration, and route taken. Trip data is used for billing, service analytics, safety investigations, and to provide you with your ride history.
2.7 Camera and Photographic Data
RideNet collects photographic data through the mobile application. This includes:
- End-Ride Photos: Riders are required to take and submit a photo of the Vehicle's parking location upon completing their ride. We retain this image to verify ride completion, ensure that the Vehicle has been parked in a safe and appropriate place, and to analyze parking behaviour. End-ride photos may be shared with the applicable Fleet Operator for the purpose of verifying Vehicle condition and parking compliance. Fleet Operators are required to delete end-ride photos within ninety (90) days of receipt unless they are needed for an active damage claim or dispute.
- QR Code Scanning: Access to the camera is required to scan the Vehicle's QR code to initiate a rental.
- Identity Verification Photos: The camera may be used to photograph your driver's licence or other identification for verification purposes.
- Customer Support Photos: Photos sent during interactions with our customer support team are collected and used to assist in resolving queries.
- Profile Photos: You may, at your sole discretion, add a photo to your user profile.
Depending on your device's operating system, you must explicitly grant camera permission, and you can revoke it on a case-by-case basis through your device settings. Data accessed within the framework of camera authorizations will only be used for the purposes indicated in this Privacy Policy.
2.8 Waiver Signatures
Before your first ride, you may be asked to sign a liability waiver electronically. We capture your hand-drawn signature as an image and store it alongside the waiver text and the date and time of signing. This serves as a legal record of your acceptance.
2.9 Chat and AI Interactions
Our Services may include AI-powered chat assistants that help you with booking, support questions, and local recommendations. We collect the messages you send and the responses generated, along with token-usage metadata used to manage costs and monitor quality. Chat data may be reviewed to improve our AI models and the accuracy of responses.
2.10 Course and Education Data
If you enrol in safety courses or educational programs through the Services, we collect your enrolment details, exam answers, scores, and any certificates earned. This information is used to track your progress, issue certificates, and ensure compliance with operator training requirements.
2.11 Quiz and Preference Data
We may ask you to complete optional preference quizzes (e.g., fitness level, riding interests, group type) to personalize your experience and recommend suitable vehicles or routes.
2.12 Newsletter Subscriptions
If you subscribe to our newsletter, we collect your email address and any preferences you express. You may unsubscribe at any time using the link in each email.
2.13 Device and Browser Data
When you access the Services, we automatically collect technical information such as your IP address, device identifiers and other unique identifiers, user-agent string, browser type, browser language, operating system name and version, device name and model, referring and exit pages, dates and times you access our Services, the length of time that you are logged into or using our Services, the links you click or features you use, software crash reports, and session identification number. This information helps us secure the Services, diagnose technical issues, and understand how users interact with the platform.
2.14 Audit Logs
We maintain internal audit logs that record user actions (such as account creation, rental start/stop, and administrative changes) together with timestamps. These logs support security monitoring, dispute resolution, and regulatory compliance.
2.15 Event, Survey, Contest, and Promotion Data
If you register for or attend our events, participate in surveys, contests, sweepstakes, or promotions sponsored by Westlake Adventure Sports Inc. or RideNet, we collect your registration details, responses, and any other information you submit in connection with your participation.
2.16 Job Application Data
If you submit an application or resume to work at Westlake Adventure Sports Inc. or RideNet, we collect the information contained in your application, resume, cover letter, and any supporting materials. This information is used solely for the purpose of evaluating your candidacy and will be retained in accordance with applicable employment laws.
2.17 Information from Third-Party Sources
In some cases, we collect user information from third parties:
- Third-Party Platforms and Social Media Sites. When you interact with us or post content about us on third-party social media platforms (e.g., Facebook, Instagram, X/Twitter, Google, LinkedIn, YouTube, or Pinterest), we may collect certain information about such interaction. We may also allow you to log in to the Services using your personal third-party social media platform accounts. In such instances, you will be asked to consent to our access and collection of certain information from your third-party account, and such access will be subject to the platform's policies.
- Other Third-Party Sources. We may collect information about you from business partners, marketers, analysts, and other sources to verify and update the information in our records and to better customize the Services to you. We may also collect information from credit reporting agencies to determine your creditworthiness, credit score, and credit usage, solely to the extent permitted by applicable law.
- Referrals. We may conduct referral services so that you may introduce people you know to our Services. If you choose to use a referral service, we will provide you with a template message and referral code. We will only collect the referred person's information if they sign up for the Services using the referral code.
3. Legal Bases for Processing
We process your personal information on the following legal bases, depending on the nature of the processing and the applicable jurisdiction:
- Performance of a Contract: We process account data, payment data, trip data, and vehicle telemetry as necessary to perform our contract with you — that is, to provide the Services you have requested, including facilitating rentals, processing payments, and providing customer support.
- Consent: We process certain information only with your explicit consent, including: location data collected from your mobile device; camera and photographic data; marketing and promotional communications; newsletter subscriptions; optional quiz and preference data; and any data collected through social media login integrations. You may withdraw your consent at any time as described in Section 7 (Your Choices). Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.
- Legitimate Interests: We process certain information where it is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include: fraud prevention and security monitoring; fleet management and vehicle health monitoring; analytics and service improvement; enforcing our Terms of Service; and protecting the safety of riders, Fleet Operators, and the public.
- Legal Obligation: We process certain information as necessary to comply with our legal obligations, including: tax record-keeping requirements; responding to lawful requests from law enforcement or government authorities; identity verification where required by applicable regulation; compliance with PIPEDA, CASL, GDPR, CCPA, Quebec's Law 25, and other applicable data protection legislation; and retention of waiver signatures and audit logs for legal and regulatory purposes.
Where we rely on consent as the legal basis for processing, we obtain consent through clear, affirmative mechanisms including: in-app consent dialogs for location and camera permissions; click-through acceptance for waivers and terms; opt-in checkboxes for marketing communications; and explicit permission prompts for social media account linking. Under Quebec's Law 25 and the GDPR, consent must be freely given, specific, informed, and unambiguous. We do not use pre-checked boxes or treat silence or inactivity as consent.
4. How We Use Your Information
We use the personal information we collect for the following purposes:
- Service Delivery: Operating the platform, connecting riders with available vehicles, processing rentals, and providing customer support.
- Payments: Processing charges, issuing refunds, managing holds, and maintaining billing records.
- Safety and Security: Monitoring vehicle locations and telemetry to prevent theft, detect unsafe riding behaviour, respond to accidents, verify proper parking through end-ride photos, and maintain the integrity of the fleet.
- Fleet Management: Helping operators track vehicle health, optimize distribution, schedule maintenance, and understand usage patterns.
- Communication: Sending transactional notifications (booking confirmations, receipts, safety alerts), responding to your inquiries, and, with your consent, sending promotional messages. All commercial electronic messages are sent in compliance with CASL, including providing a clear unsubscribe mechanism and identifying the sender.
- Legal Compliance: Meeting our obligations under PIPEDA, CASL, Quebec's Law 25, GDPR, CCPA, tax law, consumer protection regulations, and responding to lawful requests from government authorities.
- Analytics and Improvement: Analysing aggregated and anonymized usage data to improve the Services, develop new features, compile reports on user activity, and enhance the user experience. This includes aggregate usage patterns, user preferences, peak demand times, and common routes.
- AI-Powered Assistance: Providing intelligent booking help, local recommendations, and support through our AI chat assistants, and improving the quality of those assistants over time.
- Personalization: Customizing your experience based on your preferences, quiz responses, and usage patterns, and recommending suitable vehicles, routes, or content.
- Advertising and Marketing: Displaying relevant advertising on our Services, managing advertising on third-party sites and apps, and measuring and improving our ads and marketing efforts, as described in Section 7.
5. Data Sharing
We share personal information only as described below. We do not sell your personal information to third parties.
5.1 Fleet Operators
When you rent a vehicle that belongs to a fleet operator on our platform, we share relevant rental details with that operator, including your name, contact information, rental times, trip summary, and end-ride photos. Operators need this information to manage their fleets, handle damage claims, verify parking compliance, and provide local support. Fleet Operators are contractually required to handle your information in accordance with applicable privacy laws and are prohibited from using your information for purposes unrelated to the rental.
5.2 Affiliates and Subsidiaries
We may share your information with any of our affiliates or subsidiaries, and such entity's use of your information will be subject to this Privacy Policy.
5.3 Sub-Processors
We use the following sub-processors to process personal information on our behalf. Each sub-processor is bound by a data processing agreement and is contractually required to protect your information to a standard consistent with this Privacy Policy:
| Sub-Processor | Service | Data Processed | Location |
|---------------|---------|----------------|----------|
| Stripe, Inc. | Payment processing | Payment data, transaction metadata | United States |
| Google LLC | Maps, Vertex AI, Analytics | Location data, chat interactions, usage analytics | United States |
| Amazon Web Services (AWS) | Hosting, email delivery (SES) | All data categories (encrypted at rest) | Canada (ca-central-1), United States (us-east-1) |
| Convex, Inc. | Real-time database, serverless backend | Account data, trip data, telemetry, vehicle state | United States |
| Meta Platforms (Instagram Graph API) | Marketing content retrieval | Publicly available business content only | United States |
We maintain an up-to-date register of sub-processors. If we engage a new sub-processor that will process your personal information, we will update this Privacy Policy accordingly. For GDPR-covered individuals, we will provide reasonable advance notice of any new sub-processor engagement where practicable.
5.4 Business Partners
We may share your information with business partners who jointly sponsor events with us. Where required by applicable law, we will obtain your consent prior to doing so. You may withdraw your consent or request that we stop sharing your information with business partners by following the process described in the "Your Choices" section below.
5.5 Third-Party Service Providers
We may share your information with third-party service providers that perform functions on our behalf, including but not limited to hosting, push notifications, storage, bandwidth, content management tools, analytics, customer service, and fraud protection.
5.6 General Business Operations
Where necessary for the administration of our general business, we may share your information with professionals and their agents retained to perform functions such as accounting, record keeping, legal services, tax services, and other professional services.
5.7 Law Enforcement and Legal Obligations
We may disclose personal information when we believe in good faith that disclosure is necessary to (i) comply with a legal obligation, respond to a valid court order or subpoena; (ii) establish, protect and defend our rights or property, the Services, or our users, including investigation of illegal activities, suspected fraud, potential threats to safety, or violations of our Terms of Service or other agreements; (iii) act under emergency circumstances to protect the personal safety of our users, affiliates, agents, or the public; or (iv) prevent fraud or provide information to other companies and organizations regarding fraud protection.
5.8 Other Users
Certain features of our Services make it possible for you to share comments, reviews, or other content publicly with other users. Any information that you submit through such features is not confidential and may be accessed by other persons. You should take care when using these features. If you want to request removal of information that we have posted about you, please contact us as set forth in the "Your Choices" section.
5.9 Aggregate and Anonymous Information
We may share aggregated or anonymized information about use of the Services with third parties for research, marketing, analytics, and other purposes, provided such information does not identify a particular individual. The sharing of such data is unrestricted.
5.10 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, personal information may be transferred to the acquiring entity. We will provide notice before your personal information becomes subject to a different privacy policy. We will comply with any additional restrictions required under applicable laws.
6. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are as follows:
- Account Data: Retained for as long as your account is active, plus two (2) years after account deletion to handle any outstanding disputes, chargebacks, or legal claims.
- Trip and Telemetry Data: Retained for twenty-four (24) months from the date of collection, after which it is anonymized or deleted.
- Identity Documents: Retained until the document expiry date or for five (5) years from the date of upload, whichever is later, to comply with identity-verification obligations.
- End-Ride Photos: Retained by RideNet for twelve (12) months to support parking compliance analysis and dispute resolution, after which they are deleted. Fleet Operators who receive end-ride photos are required to delete them within ninety (90) days unless needed for an active damage claim or dispute.
- Waiver Signatures: Retained indefinitely as a permanent legal record of your acceptance of our terms and liability waiver.
- Chat History: Retained for twelve (12) months, after which it is deleted or anonymized.
- Audit Logs: Retained for three (3) years to support security investigations and regulatory compliance.
- Job Application Data: Retained for the duration of the hiring process, plus twelve (12) months, unless a longer retention period is required by law or you consent to a longer period.
- CASL Consent Records: Records of consent to receive commercial electronic messages are retained for as long as the consent is active, plus three (3) years after the last commercial electronic message is sent, to demonstrate compliance with CASL.
When personal information is no longer needed, we securely delete or irreversibly anonymize it so that it can no longer be associated with you.
7. Cookies, Tracking Technologies, and Online Advertising
7.1 Cookies
We use cookies — small alphanumeric identifiers transferred to your device — to record preferences, maintain your session state, and gather information about the use of our Services. Some cookies allow us to make it easier for you to navigate our Services, while others are used to enable a faster log-in process, personalize your use of the Services, or track your activities while using our Services.
Cookies used by the Services:
| Name | Type | Function | Duration |
|------|------|----------|----------|
| Session JWT | Strictly Necessary | Authentication cookie containing a JSON Web Token issued by our authentication system (better-auth). Identifies you as a logged-in user. | ~5 minutes (auto-refreshed) |
| Session State | Strictly Necessary | Maintains your state as you navigate the Services (e.g., selected fleet, active rental context). | Session (expires when browser closes) |
| _tracking_consent | Functional | Stores your tracking and cookie consent preferences. | 1 year |
| _landing_page | Analytics | Records the first page you visited on the Site for attribution purposes. | 14 days |
| _orig_referrer | Analytics | Records the referring URL that brought you to the Site. | 14 days |
| Google Analytics (_ga, _gid) | Analytics | Used by Google Analytics to distinguish users and throttle request rate. Collects anonymized data about how you use our website. | _ga: 2 years; _gid: 24 hours |
The length of time that a cookie remains on your device depends on whether it is a "persistent" or "session" cookie. Session cookies last until you stop browsing and persistent cookies last until they expire or are deleted.
Many web browsers automatically accept cookies, but you can usually modify your browser's settings to decline or block cookies. If you delete or block cookies, some features of the Services may not work properly or at all. For more information, visit www.allaboutcookies.org.
7.2 Pixel Tags and Web Beacons
We or our service providers may use pixel tags (also known as web beacons or clear GIFs) — tiny graphics with a unique identifier embedded invisibly on web pages or within emails — in connection with our Services to track the activities of users, help manage content, measure ad performance, compile statistics about usage, track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.
7.3 Analytics Services
We may use third-party analytics services, including Google Analytics, to help us analyse how users interact with and use the Services, compile reports on user activity, and provide other services related to activity and usage. These services may use cookies and other tracking technologies to collect information such as your IP address, time of visit, whether you are a return visitor, and any referring website or app. You may learn more about Google's analytics services and how to opt out at https://policies.google.com/technologies/partner-sites.
7.4 Online Advertising
In order to display more relevant advertising on our Services, manage our advertising on third-party sites, mobile apps, and online services, and measure and improve our ads and marketing efforts, we may work with the following third-party advertising partners (and others from time to time):
- Google Ads — for search and display advertising
- Meta (Facebook/Instagram) — for social media advertising and Custom Audience campaigns
These third parties may use cookies, web beacons, or other tracking technologies to collect information about your use of the Services and your activities across other websites and online services, which may be associated with persistent identifiers and used to provide you with more relevant advertising or targeted content.
The activities of third parties and your choices regarding their use of your information to personalize ads to you are subject to their own policies. You can learn about your options to opt out of mobile app tracking through your device settings:
- Apple: https://support.apple.com/kb/HT4228
- Android: https://www.google.com/policies/technologies/ads/
- Windows: https://choice.microsoft.com/en-US/opt-out
Please note that opting out of advertising network services does not mean that you will not receive advertising while using our Services, nor will it prevent the receipt of interest-based advertising from third parties that do not participate in these programs. If you would like to opt out of being included in Custom Audience campaigns, please contact us at privacy@ridenet.ca.
7.5 Do-Not-Track Signals
Your browser or device may include "Do-Not-Track" settings or functionality. Because there is no consistent industry understanding of how to respond to "Do-Not-Track" signals, our systems do not currently alter our data collection and usage practices when we detect such a signal from your browser. Our information collection and disclosure practices, and the choices that we provide, will continue to operate as described in this Privacy Policy, whether or not a Do-Not-Track signal is received. For more information about Do-Not-Track signals, please visit https://allaboutdnt.com/.
If we introduce additional analytics, advertising, or marketing cookies in the future, we will update this Policy and obtain your consent where required.
8. Your Choices
You have choices about how we use your information:
- Marketing Communications. If you would like to update your preferences on the types of communications you receive from us, or opt out of marketing communications, you may do so at any time by updating the communication preferences in your account profile or by emailing us at privacy@ridenet.ca. All commercial electronic messages include a clear unsubscribe mechanism as required by CASL. Please note that we may continue to send non-promotional communications such as important notices, payment confirmations, transaction-related emails, and other information about your use of the Services.
- Location Permissions. You may revoke location permission at any time through your device settings. Please note that disabling location services may prevent certain features of the Services from functioning.
- Camera Permissions. You may revoke camera permission at any time through your device settings. Please note that camera access is required for certain functions such as QR code scanning and end-ride photos.
- Cookie Preferences. You can control and manage cookies through your browser settings. Please note that blocking cookies may not completely prevent us from sharing information with third parties such as advertising partners. Please see Section 7 for more information.
- Advertising Opt-Out. You may opt out of interest-based advertising as described in Section 7.4, including Custom Audience campaigns.
- Newsletter Unsubscribe. You may unsubscribe from our newsletter at any time using the link provided in each email.
- Account Deletion. You may request the deletion of your account and personal information as described in Section 9.
- Data Portability. You may request a copy of your personal information in a structured, commonly used, and machine-readable format (JSON or CSV) by contacting us at privacy@ridenet.ca. We will provide the exported data within thirty (30) days of your request.
9. Your Rights Under Privacy Law
9.1 Rights Under PIPEDA (Canada)
As a Canadian privacy law, PIPEDA grants you several rights with respect to your personal information. You may exercise any of these rights by contacting us at privacy@ridenet.ca.
- Right of Access: You have the right to request access to the personal information we hold about you. We will respond within thirty (30) days and provide the information in a clear and understandable format.
- Right of Correction: If you believe that any personal information we hold about you is inaccurate or incomplete, you have the right to request that we correct it.
- Right of Deletion: You may request that we delete your personal information. We will comply unless we are required to retain the information for legal, contractual, or legitimate business reasons (e.g., waiver records, outstanding payment disputes).
- Right to Withdraw Consent: Where we rely on your consent to process personal information, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal. Please note that withdrawing consent for essential processing (e.g., location data during an active rental) may prevent you from using certain features.
- Right to Complain: If you are not satisfied with our response to a privacy concern, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.
We will not charge a fee for responding to reasonable access or correction requests. In exceptional circumstances (e.g., repetitive or manifestly unfounded requests), we may charge a reasonable fee or decline to act, and we will explain our reasons.
9.2 Additional Rights Under Quebec's Law 25
If you are a resident of Quebec, you have the following additional rights under the Act Respecting the Protection of Personal Information in the Private Sector (Law 25):
- Right to Data Portability: You have the right to receive your personal information, or have it transferred to another organization, in a structured, commonly used technological format.
- Right to Be Informed of Automated Processing: You have the right to be informed when a decision that concerns you is made exclusively by automated processing. See Section 10 (Automated Processing and Profiling) for details.
- Right to De-Indexing: You have the right to request that personal information collected about you cease to be disseminated if such dissemination contravenes the law or a court order.
- Privacy Impact Assessments: In accordance with Law 25, we conduct privacy impact assessments before implementing new systems, projects, or practices that involve the collection, use, or disclosure of personal information, or before transferring personal information outside Quebec.
Our designated privacy officer for the purposes of Law 25 is reachable at dpo@ridenet.ca.
9.3 Rights Under GDPR (European Economic Area)
If you are a resident of the European Economic Area (EEA), you have the following additional rights under the General Data Protection Regulation:
- Right of Access: You have the right to access the personal data we hold about you.
- Right to Rectification: You have the right to request correction of inaccurate personal data.
- Right to Erasure: You have the right to request deletion of your personal data under certain circumstances.
- Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit that data to another controller. You may also request that we transmit the data directly to another controller where technically feasible.
- Right to Object: You have the right to object to our processing of your personal data, including processing for direct marketing purposes.
- Right Regarding Automated Decision-Making: You have the right to object to processing based solely on automated decision-making (which includes profiling) when that decision-making has a legal effect on you or otherwise significantly affects you. See Section 10 (Automated Processing and Profiling) for details on how we use automated processing.
To exercise any of these rights, please contact us at privacy@ridenet.ca. You also have the right to lodge a complaint with your local data protection supervisory authority.
9.4 Rights Under CCPA (California)
If you are a resident of California, you have the following rights under the California Consumer Privacy Act:
- Right to Know: You have the right to request that we disclose what personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, the categories of third parties with whom we share it, and the specific pieces of personal information we have collected about you.
- Right to Delete: You have the right to request the deletion of your personal information, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt Out of Sale: We do not sell your personal information. If this practice changes, we will provide you with the right to opt out.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
- Authorized Agents: You may designate an authorized agent to submit requests on your behalf by contacting us at privacy@ridenet.ca.
10. Automated Processing and Profiling
We use limited automated processing in the operation of the Services. The following automated systems may affect your experience:
- Geofence Enforcement: Vehicles are automatically subject to speed reduction or shutdown when operated outside a designated geofenced area, based on real-time GPS data. This is a safety measure and does not involve profiling of individual riders.
- Overage Billing: Rental overage charges are automatically calculated and applied based on the duration of your Rental Period relative to your booking. This is a contractual billing function, not a decision based on profiling.
- Fraud Detection: We may use automated tools to flag transactions or account activity that exhibits patterns consistent with fraud. Flagged activity is reviewed by a human before any action is taken on your account.
We do not engage in fully automated decision-making that has a legal or otherwise significant effect on you. Any automated system that could result in the suspension or termination of your account, the denial of service, or a material charge to your payment method is subject to human review before a final decision is made. If you believe that an automated decision has adversely affected you, you may contact us at privacy@ridenet.ca to request a human review.
11. Data Breach Notification
We maintain an incident response plan to address data breaches promptly and effectively. In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm to individuals, we will:
- Notify Affected Individuals: We will notify you as soon as feasible, and in any event within the timeframes required by applicable law. Under PIPEDA, we will notify you as soon as feasible after determining that the breach creates a real risk of significant harm. Under GDPR, we will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms. Under Quebec's Law 25, we will notify you with diligence after becoming aware of the incident. Notification will be made by email to the address associated with your account, and/or by prominent notice within the Services.
- Notify Regulators: We will report the breach to the applicable privacy regulator, including the Office of the Privacy Commissioner of Canada (under PIPEDA), the Commission d'accès à l'information du Québec (under Law 25), and/or the relevant EU supervisory authority (under GDPR), as required by applicable law.
- Content of Notification: Our notification to you will include: a description of the nature of the breach; the categories and approximate number of records involved; the likely consequences of the breach; the measures we have taken or propose to take to address the breach and mitigate potential adverse effects; and contact information for our Data Protection Officer, to whom you can direct further questions.
- Record-Keeping: We maintain an internal register of all breaches of security safeguards, regardless of whether they meet the threshold for notification, as required by PIPEDA and Law 25.
12. Children
The Services are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information as soon as practicable. If you believe that a child under 18 has provided us with personal information, please contact us at privacy@ridenet.ca.
13. International Data Transfers
RideNet is a Canadian company, but some of the service providers we rely on process data outside of Canada. Please refer to the sub-processor table in Section 5.3 for a complete list of providers and their locations.
When your personal information is transferred outside of Canada, it may be subject to the laws of the jurisdiction in which it is held. We take contractual and technical measures to ensure that your information receives a comparable level of protection regardless of where it is processed. Under PIPEDA, we remain accountable for the protection of personal information transferred to third parties for processing.
For EEA residents, where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or other legally recognized transfer mechanisms.
For Quebec residents, in accordance with Law 25, we conduct a privacy impact assessment before transferring personal information outside Quebec and ensure that the receiving jurisdiction provides adequate protection or that contractual safeguards are in place.
14. Security
We implement reasonable technical, physical, and organizational security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption of data in transit using TLS/SSL across all connections, including between IoT vehicles and our gateway servers.
- Encryption of sensitive data at rest, including identity documents and payment tokens.
- Role-based access controls that limit employee and operator access to personal information on a need-to-know basis.
- Regular security reviews and monitoring of our infrastructure for vulnerabilities and unauthorized access.
- Secure authentication mechanisms, including short-lived session tokens and server-side validation.
While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we continuously work to improve our safeguards.
Your Responsibilities. You should take steps to protect your information and prevent unauthorized access to your password or account, including: (i) signing off after using a shared computer or device; (ii) choosing a robust, unique password; and (iii) keeping your log-in credentials private. We are not responsible for any lost, stolen, or compromised passwords, or for any activity on your account resulting from unauthorized use of your password.
15. Third-Party Links and Services
The Services may contain links to third-party websites and may contain third-party plug-ins and functionalities (such as social media sharing buttons). If you choose to use these sites or features, in addition to disclosing your information to those third parties, you may also disclose such information to their users and/or the public, depending on how their services function. We are not responsible for the content or practices of any third-party websites or services. The collection, use, and disclosure of your information will be subject to the privacy policies of each individual third-party website or service, and not this Privacy Policy. We urge you to read the privacy and security policies of these third parties.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email (sent to the address associated with your account) and/or by posting a prominent notice within the Services or our mobile application prior to the changes taking effect.
We encourage you to review this Policy periodically. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree with the updated terms, you should discontinue use of the Services and contact us to delete your account.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:
- Email: privacy@ridenet.ca
- Data Protection Officer: dpo@ridenet.ca
- Phone: +1 (613) 242-0837
- Mail: Westlake Adventure Sports Inc., Attn: Privacy Officer, 15985 Loyalist Parkway, RR2, Bloomfield, Ontario K0K 1G0, Canada
We will acknowledge receipt of your inquiry within five (5) business days and aim to provide a substantive response within thirty (30) days.
Complaints. If you are not satisfied with our response, you may make a complaint to the applicable privacy regulator or supervisory authority. In Canada, you may contact the Office of the Privacy Commissioner of Canada. In Quebec, you may contact the Commission d'accès à l'information du Québec. If you are in the EEA, you may contact your local data protection supervisory authority. Alternatively, you may seek a remedy through local courts if you believe your rights have been breached.