Privacy Policy - CoordiApp
Information document pursuant to and for the purposes of articles 13/14 Regulation (EU) 2016/679 (GDPR).
This information applies to the CoordiApp mobile application (the "App") and its users ("Users" or "Coordinators"). The App is reserved for travel coordinators who collaborate with WeRoad on a self-employed basis (under ritenuta d'acconto or with VAT number) and is accessible only via accounts created and authorized by WeRoad — there is no public sign-up.
1. Data Controller
WeRoad S.p.A., a company belonging to the OneDay Group, with its registered office in Milan, Viale Cassala, 30, 20143, Tax Code and VAT No. 12474100968, Milan Companies Register 05/07/2022 No. 12474100968 | R.E.A. No.: MI-2664339.
PEC for traveler complaints: weroaditaliaclaims@legalmail.it
PEC for administration: weroaditalia@legalmail.it
(hereinafter, "WEROAD" or the "Data Controller").
Contacts:
Email: privacy@weroad.it
Postal mail: Viale Cassala n. 30 — 20143 Milan
The Data Controller has appointed a Data Protection Officer (DPO) pursuant to Article 37 GDPR, reachable at: dpo@weroad.com.
2. Type of Data Processed
We may process the following personal data of the Coordinator:
Identification data: name, surname.
Contact details: email and/or telephone number.
Account credentials and authentication data: login tokens, OTP verification.
Profile image, if uploaded by the Coordinator.
Content generated by the Coordinator within the App: notes, photos and links added to the travel diary; posts, replies, reactions/likes and search activity in the tips forum.
Invoice documents (typically images/PDFs) collected by the Coordinator from local suppliers during a tour and uploaded through the App. These documents are issued by suppliers and may incidentally contain personal data of the supplier's representatives.
Approximate city-level location, not derived from device GPS but inferred from the tour schedule (i.e. the city where the Coordinator is expected to be on a given day), used to display nearby coordinators.
Device push notification token.
Technical and diagnostic data: device model, operating system version, App version, language, crash reports and performance traces collected for stability monitoring purposes.
In the course of carrying out their assignment, the Coordinator also accesses, as a person authorized by the Data Controller, personal data of WeRoad travelers participating in the tours assigned to them (the "Pax List"), including name, surname, contact details and, where applicable, special categories of data such as allergies, dietary requirements or other special needs declared by the traveler. Access to this data is governed by WeRoad's general traveler privacy policy; within the App, sensitive fields (e.g. phone number, email, special needs) are only available through dedicated API calls protected by audit logs that record each access by the Coordinator.
(collectively, "Personal Data")
3. Purpose and Legal Basis of the Processing
The following processing activities take place within the App.
3.1 Account Provisioning and Authentication
Coordinator accounts are created and authorized by WeRoad. The Coordinator authenticates by entering their email address and confirming a one-time password (OTP) sent by email. Authentication tokens are stored on the device in encrypted storage (Expo Secure Store).
Legal basis: execution of the service agreement between WEROAD and the Coordinator (art. 6, par. 1, lett. b) GDPR), as well as the legitimate interest of the Data Controller in protecting access to the App (art. 6, par. 1, lett. f) GDPR).
Necessity: mandatory; without these data, the Coordinator cannot access the App.
Retention: for the duration of the collaboration with WeRoad — see § 8 Retention.
3.2 Access to Tour Data and Pax List
To allow the Coordinator to consult, while on tour, the schedule, daily activities, pax list, flight information and any other operational information needed to perform their role.
Legal basis: execution of the service agreement (art. 6, par. 1, lett. b) GDPR). With reference to special categories of traveler data (e.g. allergies, special needs) accessed through the App, the legal basis is the explicit consent collected by WeRoad from the traveler (art. 9, par. 2, lett. a) GDPR); the Coordinator processes such data exclusively as a person authorized by the Data Controller, under documented instructions and within the audit-logged perimeter described above.
Retention: processed for the time strictly necessary to manage the tour and retained according to WeRoad's general traveler retention policies.
3.3 Displaying Nearby Coordinators
To allow the Coordinator to see other coordinators expected to be in the same or nearby cities on a given day, in order to facilitate professional coordination and peer support during tours. The location displayed is city-level and is derived from the tour schedule, not from the device's GPS.
Legal basis: legitimate interest of the Data Controller (art. 6, par. 1, lett. f) GDPR) in supporting on-the-ground coordination among Coordinators.
Right to object: the Coordinator may object at any time by writing to privacy@weroad.it.
Retention: for the duration of the relevant tour assignments.
3.4 Travel Diary
To allow the Coordinator to consult content prepared by the WeRoad team about each tour and to add their own notes, photos and links related to the tour for personal and operational use.
Legal basis: execution of the service agreement (art. 6, par. 1, lett. b) GDPR).
Necessity: optional with respect to the Coordinator's own contributions.
Retention: for the duration of the collaboration with WeRoad.
3.5 Tips Forum
To allow Coordinators to share suggestions and recommendations with other Coordinators in a forum-style section. Each post displays the author's name, surname, profile image, content (including text, photos and links), number of likes and replies, and is searchable by other Coordinators.
Legal basis: legitimate interest of the Data Controller (art. 6, par. 1, lett. f) GDPR) in fostering knowledge sharing within the coordinator community.
Right to object: the Coordinator may at any time delete their contributions or object to the processing by writing to privacy@weroad.it.
Retention: posts and replies remain visible to other Coordinators until deleted by the author or by the Data Controller.
3.6 Upload of Supplier Invoices
To allow the Coordinator to upload invoices issued on-site by local suppliers during a tour, for accounting and reimbursement purposes.
Legal basis: execution of the service agreement (art. 6, par. 1, lett. b) GDPR) and compliance with legal obligations to which the Data Controller is subject (art. 6, par. 1, lett. c) GDPR), in particular tax and accounting obligations.
Necessity: mandatory to process the related expense; failure to upload the invoice prevents reimbursement.
Retention: for the periods required by applicable tax and accounting law (typically 10 years).
3.7 Saving Traveler Phone Numbers to the Device's Contacts
At the Coordinator's request, the App can write the phone numbers of travelers belonging to the current tour into the device's address book, in order to make it easier to call or message them during the tour. The App requests the operating system's "Contacts" permission for this purpose.
The App does not read the existing contacts of the device and does not transmit any contact data from the device to WEROAD.
Legal basis: execution of the service agreement (art. 6, par. 1, lett. b) GDPR).
Revocation: the Coordinator can revoke the contacts permission at any time through the device settings; data already written to the device's address book remain under the Coordinator's control and can be removed manually.
3.8 Navigation and Maps
To help the Coordinator navigate while on tour, the App may request access to the device's location ("when in use" or "always") in order to display the user's position on a map.
Location data obtained via GPS is processed locally on the device for the sole purpose of rendering the map view and is not transmitted to or stored by WEROAD.
Legal basis: execution of the service agreement (art. 6, par. 1, lett. b) GDPR).
Revocation: the Coordinator can revoke the location permission at any time through the device settings.
3.9 Operational Push Notifications
To send the Coordinator service-related push notifications, such as changes to the tour schedule, operational updates concerning their assignments, and reminders to perform certain tasks within the App.
Push notifications are not used for marketing or promotional purposes.
Legal basis: execution of the service agreement (art. 6, par. 1, lett. b) GDPR) and the legitimate interest of the Data Controller (art. 6, par. 1, lett. f) GDPR) in ensuring the proper management of tours.
Revocation: the Coordinator can disable push notifications at any time through the device settings; this may, however, affect their ability to receive timely operational updates.
Retention: the push token is processed for as long as notifications are enabled on the device.
3.10 Offline Availability of Tour Data
To allow the Coordinator to access tour information even with limited or no connectivity, the App caches API responses locally on the device using an encrypted-at-rest key-value store (MMKV). Authentication tokens are stored separately in the device's secure storage (Keychain on iOS, Keystore on Android, via Expo Secure Store).
Legal basis: execution of the service agreement (art. 6, par. 1, lett. b) GDPR) and legitimate interest of the Data Controller (art. 6, par. 1, lett. f) GDPR) in ensuring service continuity in low-connectivity environments.
Retention: cached data are deleted when the Coordinator logs out, when the App is uninstalled, or after the configured cache lifetime (up to 7 days for most data).
3.11 Crash Reporting and App Stability Monitoring
We use Sentry to collect crash reports, error logs and performance traces in order to detect and fix bugs and to monitor the App's stability. This processing may include technical identifiers, device model, OS version, App version, the screen path that triggered the issue and stack traces.
We do not use this data for behavioral profiling or marketing.
Legal basis: legitimate interest of the Data Controller (art. 6, par. 1, lett. f) GDPR) in maintaining a secure and reliable service.
Right to object: the Coordinator may object at any time by writing to privacy@weroad.it.
Retention: according to Sentry's default retention (typically up to 90 days).
3.12 Respond to Contact Requests
To respond to the Coordinator when they contact WEROAD through the App or via the contact addresses indicated in this policy.
Legal basis: execution of pre-contractual or contractual obligations (art. 6, par. 1, lett. b) GDPR) and, where applicable, legitimate interest of the Data Controller in responding to the request (art. 6, par. 1, lett. f) GDPR).
Retention: WEROAD will delete the personal data processed to respond to such requests within 1 year from the date of closure of the request, except where longer retention is required to defend a right.
3.13 Management of Claims and Defense in Court
Legal basis: execution of the service agreement (art. 6, par. 1, lett. b) GDPR) and legitimate interest of the Data Controller (art. 6, par. 1, lett. f) GDPR).
Retention: for the duration of the claim and in any case within the limitation periods set forth by applicable law (generally up to 10 years, depending on the nature of the claim).
3.14 Corporate Transactions
To share personal data in relation to, or during, negotiations of extraordinary transactions involving all or part of WEROAD's business.
Legal basis: legitimate interest of the Data Controller (art. 6, par. 1, lett. f) GDPR).
Retention: data stored for this purpose are deleted at the end of the transaction.
The Data Controller bases the processing of Personal Data on the principles of minimization, verifying on an annual basis the need to retain the data for a period not exceeding that required by the purposes for which they were collected. Where retention is no longer necessary, the Data Controller will either delete the data or implement appropriate measures to anonymize them.
4. Web Counterpart
A web administration interface for coordinators is available at https://admin-coordinators.weroad.co. The App and the web interface are independent products: there is no deep-linking between them, and authentication is performed separately. The processing of personal data on the web interface is governed by its own privacy notice.
5. Data Recipients
Personal data are processed by employees and collaborators of the Data Controller who are expressly authorized to process them under our instructions and protected by appropriate organizational and technical measures.
The following categories of external recipients may also access or process the data, either as independent controllers or as processors appointed by WeRoad (all bound by EU Standard Contractual Clauses where applicable). For details or a full list of processors, contact privacy@weroad.it:
5.1 IT, Infrastructure and Development
Cloud hosting and infrastructure providers used to host the App's backend and storage.
Software development and data-analysis consultants supporting WeRoad in maintaining the App.
5.2 Application Monitoring
Functional Software, Inc. d/b/a Sentry — crash reporting, error tracking and performance monitoring.
5.3 Communications and Authentication
Providers used to deliver one-time-password (OTP) emails for authentication.
Push notification services provided by Apple (APNs) and Google (FCM) for the delivery of operational notifications to the device.
5.4 Professional Advisors
Law firms, auditors and accountants, where strictly necessary to defend WeRoad's rights or comply with legal obligations.
6. Permissions Requested by the App
For transparency, the following operating-system permissions may be requested by the App:
Notifications: Deliver operational push notifications.
Contacts: Write the phone numbers of travelers in the current tour to the device's address book at the Coordinator's request. The App does not read existing contacts.
Location: Display the Coordinator's position on the in-App map for navigation purposes. Location data is processed locally on the device and is not transmitted to WEROAD.
Photo library / Camera: Allow the Coordinator to upload a profile picture, attach photos to travel diary notes and tips posts, and upload supplier invoices.
Each permission can be granted or revoked at any time through the device settings.
7. Transfer of Data to a Non-EU Country
Personal data are primarily processed within the European Union. Some of our service providers (in particular Sentry and the push-notification services operated by Apple and Google) may process personal data outside the European Economic Area. In such cases, the Data Controller transfers personal data to third countries only:
where the European Commission has issued an adequacy decision under Article 45 GDPR; or
on the basis of the Standard Contractual Clauses approved by the European Commission pursuant to Article 46(2) GDPR, accompanied where appropriate by additional technical and organizational measures.
8. Methods of Data Processing
The data are processed in compliance with the principles of fairness, lawfulness and transparency, by manual and automated means and through paper and electronic media, in any case within the limits of the purposes set out in this policy and always ensuring the security and confidentiality of the data.
9. Retention
Personal data of the Coordinator are retained for as long as the Coordinator is active within the WeRoad coordinator community. If the Coordinator ceases their collaboration with WeRoad, the personal data are retained until the Coordinator requests their deletion, except where longer retention is required by law (e.g. tax and accounting obligations on invoices) or is necessary to ascertain, exercise or defend a legal claim.
Specific retention periods are indicated, where relevant, in the description of each processing activity in § 3.
10. Rights of the Interested Parties
The data subject may at any time exercise the following rights, within the conditions and limits set forth in Articles 12–22 of the GDPR, by sending an email to privacy@weroad.it:
Right of access — confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to the personal data (Art. 15 GDPR).
Right to rectification of inaccurate personal data and to have incomplete personal data completed (Art. 16 GDPR).
Right to erasure of personal data, where they are no longer necessary, where consent is withdrawn or there is a legitimate objection to the processing, where the processing is unlawful, or where there is a legal obligation to erase (Art. 17 GDPR).
Right to restriction of processing in the cases provided for by Art. 18 GDPR.
Right to object to processing carried out on the basis of legitimate interest (Art. 21 GDPR), including profiling — although, as stated above, no profiling activities are carried out within the App.
Right to data portability with respect to data processed by automated means on the basis of consent or contract (Art. 20 GDPR).
Right to lodge a complaint with the supervisory authority (Art. 77 GDPR), in particular in the Member State of habitual residence, place of work or place of the alleged infringement (in Italy: Garante per la protezione dei dati personali, https://www.garanteprivacy.it/).
Where the legal basis for processing is consent, the data subject has the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Last updated: May 2026