Privacy Policy of Northride

Privacy Policy, Vapaus Bikes New Zealand Limited, brand name in New Zealand: Northride

Updated 8.12.2025

Vapaus Bikes New Zealand Limited ("Vapaus" or "we") markets and offers carbon negative mobility services, including, without limitation, mobility equipment, commuter bicycles and other related accessories, to its customer companies and/or customer prospects ("Customer") through the Vapaus-managed Vapaus.io platform, available at app.vapaus.io/user (the website, platform and services collectively, the "Service"), which allows Vapaus' Customers and their employees, agents or other persons authorized by the Customer to purchase and manage commuter bicycles and reserve mobility equipment for time- and place-limited mobility.

This Privacy Policy explains how we Process personal information relating to Customers and Service users. We comply with the New Zealand Privacy Act 2020 (Privacy Act) and EU General Data Protection Regulation (GDPR) when handling personal information. This Privacy Policy explains how we collect, hold, use, disclose and protect your personal information.

"User" means users of the Service as defined by Vapaus’ Customers. We may update this Privacy Policy as necessary due to changes in the Processing of personal information or for any other reason. For the most up-to-date version, please visit our website. This Privacy Policy applies only to the collecting, using, holding, storing, disclosing or retaining (“Processing”) of personal information for which Vapaus is the agency.

 

1. CONTACT INFORMATION

Company: Vapaus Bikes New Zealand Limited

NZBN: 9429052660047

Privacy Officer, Kasper Hannula, kasper@vapaus.io.

 

2. PERSONAL INFORMATION

 

PROCESSED AND DATA SOURCES

The personal information we collect and Process in connection with the implementation and use of the Service and in connection with logging in to the Service can be divided into three main categories: Customer Data, User Data and Analytical Data.

In connection with the marketing and implementation of the Service, Vapaus collects and Processes information relating to the Customer and the Customer's contact persons and prospects, such as name, telephone number, title, customer number, email address and messages, language preference, customer feedback and satisfaction data, the level and duration of the loyalty benefit program, purchase data for the Service, and the results of market research and opinion polls ("Customer Data").

Vapaus collects and Processes information about Users who book transportation through the Service such as name, telephone number, username, password, email address and messages, language preference, address, content provided by the User on the Service (such as feedback or additional information provided by the User about himself/herself), information about the benefit bike (such as taxable value, contract period, bike details), and restrictions and prohibitions related to the User ("User Data"),

We automatically collect and Process certain analytics data about your use of the Service through the information systems and technical tools at our disposal, such as IP address, device and device number, browser and browser version used, operating system, internet service provider, device advertising identifier, Customer segmentation, time spent on the Service and times of visits ("Analytics Data").

We may also collect location data of the vehicle booked and used by the User if the vehicle is equipped by us with location-enabled telematics equipment.

The above-mentioned location data is not collected for benefit bikes.

In principle, Vapaus collects Customer Data directly from Customers and/or Customer prospects. Vapaus collects User Data in principle directly from Users, either provided by the User, generated by the Service, or based on the use of the Service and/or from the Customers.

Vapaus automatically collects Analytics Data based on the use of the Service on our Service. Although we do not normally use Analytics Data to identify natural persons, a User may sometimes be identifiable from it, either alone or in combination or combination with User Data. In these cases, the Analytics Data will be considered personal information for the purposes of applicable law and we will treat the data as personal information.

 

3. THE PURPOSE AND BASIS OF THE PROCESSING OF PERSONAL INFORMATION

PURPOSES

Vapaus Processes the Customer's and User's personal information to provide our Service and to fulfil our obligations under contractual relationships, to comply with our legal obligations, for handling claims and legal proceedings, for customer communication and marketing purposes, and to improve quality and to analyse usage trends.

 

To provide Service:

Vapaus Processes the Customer's and User's personal information in order to provide the Customer and User with the Service in accordance with the agreement between the Customer and Vapaus. If, as a Customer or User, you contact our customer service, we will use the information you provide to answer questions and resolve any problems you may have.

 

To comply with our legal obligations:

Vapaus Processes the Customer’s and/or User’s personal information to administer and fulfil its legal obligations under New Zealand, EU and EU member state laws. This includes Processing data to comply with accounting obligations and providing information to the relevant authorities, such as tax authorities.

For claims handling and legal proceedings:

Vapaus may Process the Customer’s and/or User’s personal information in connection with legal claims, collection and legal proceedings. We may also Process data to prevent fraud and misuse of our services and for data, system and network security purposes.

 

For customer communication and marketing purposes:

Vapaus may Process the Customer’s and/or User’s personal information to contact the Customer and/or User in connection with our Service and to notify them of changes to our Service. We also use Customer personal information to market our Service and other relevant services and products to the Customer.

 

To improve quality and to analyse usage trends:

We may Process User information about the use of our Service to improve the quality of our Service, for example, by analysing various trends related to the use of our Service. We may also use the Customer’s and/or User’s personal information for customer satisfaction surveys to ensure that our Services are performing as desired. Where possible, we will only use aggregated information that does not identify an individual for this purpose.

 

Limits on Use of Personal information

We will only use your personal information for the purposes for which it was collected, or for purposes directly related to those purposes, unless:

 

  • You have authorised us to use the information for another purpose;
  • We are required or authorised by law to use the information for another purpose;
  • The use is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of any individual;
  • The use is necessary for the enforcement of criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue;
  • The use is necessary in connection with legal proceedings or for establishing, exercising or defending legal rights; or
  • The information is publicly available information.

Where we use your personal information for a purpose other than that for which it was collected, we will ensure that the new use falls within one of the permitted exceptions above and, where practicable, we will notify you of the new purpose.

 

LEGAL BASIS UNDER GDPR

Legal basis for the Processing of personal information:

Vapaus Processes the Customer’s personal information in order to fulfil its contractual obligations to the Customer.

We Process the Customer's and/or User's personal information in order to fulfil our obligations under the contractual relationship. We may also Process the Customer's personal information for the purposes of Processing credit information, collecting payments and dealing with breaches of contract.

In addition, we Process the Customer's and/or User's personal information on the basis of our legitimate interests in order to conduct, maintain and develop our business and to establish and maintain customer relationships. Where we Process the Customer’s and/or User’s personal information on the basis of our legitimate interests, we will balance our legitimate interests against the Customer's and/or User's right to privacy and provide our Customers with, for example, easy ways to opt-out of our marketing communications. We will also use pseudonymised or aggregated data from which the User cannot be identified, wherever possible.

We may also Process the Customer’s and/or User’s personal information to comply with our legal obligations.

Some parts of our Service may require the User's consent to the Processing of personal information. The User may withdraw such consent at any time.

We ask for your consent to the use of cookies that are not strictly necessary to enable the core functionality of our website and to provide the service you request when you visit our website. In this case, the basis for Processing is based on consent.

In some situations, we Process personal information on the basis of a secondary purpose and legitimate interest. In the context of this Processing, based on the Privacy Act we have reasonable grounds to use the information for such purposes such as marketing, and we have carried out a balancing test under the GDPR to assess whether the interests of the agency/controller or a third party outweigh the rights and freedoms of the individual/data subject. Based on our balancing test, we have concluded that our Processing does not undermine the rights and freedoms of the individual. If you would like more information about the balancing test carried out and its key criteria, please contact us.

4. DISCLOSURE OF PERSONAL INFORMATION

We will only disclose your personal information in accordance with Information Privacy Principle 11 of the Privacy Act. This means we will only disclose your personal information:

 

  • For the purpose for which it was collected, or for a purpose directly related to that purpose, where you would reasonably expect us to disclose the information for that purpose, such as offering the Service;
  • Where you have authorised the disclosure;
  • Where we are required or authorised by law to disclose the information;
  • Where disclosure is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of any individual;
  • Where disclosure is necessary for the enforcement of criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue;
  • Where disclosure is necessary in connection with legal proceedings or for establishing, exercising or defending legal rights; or
  • Where the information is publicly available information.

When determining whether a disclosure is for a “directly related purpose” under paragraph (b) above, we consider whether you would reasonably expect us to disclose your information for that purpose, taking into account:

 

  • The nature of the information;
  • The circumstances in which it was collected;
  • The relationship between you and Vapaus;
  • The purpose of the disclosure; and
  • Any other relevant factors.

RECIPIENTS OF PERSONAL INFORMATION

We share your personal information with third parties, such as our partners, affiliates and service providers, only to the extent reasonably necessary for the purposes of this Privacy Policy or to establish, exercise or defend a legal claim relating to the Service. We may also disclose your personal information to public authorities if we are required to do so by law.

Where third parties Process data on behalf of Vapaus, Vapaus has taken appropriate contractual and organisational measures to ensure that the Processing of personal information is carried out solely for the purposes set out in this Privacy Policy and in accordance with applicable laws, regulations and our instructions, subject to appropriate confidentiality obligations and security measures.

Where the User discloses personal information directly to a third party, for example through a link on our website, the Processing of personal information will normally be based on that third party's own privacy policy and Processing principles.

 

In accordance with the above principles, we may disclose your personal information to the following categories of recipients:

To service providers:
To the extent that third parties need access to personal information in order to perform the Service, we may transfer personal information to such third parties. Such third parties include, but are not limited to, payment service providers, affiliates, sales and marketing service providers, data storage and service providers, and competent authorities.

Legal and regulatory authorities:

We may disclose personal information to third parties outside our organization if access to and use of the personal information is reasonably necessary (i) to comply with any applicable law, regulation and/or court order; (ii) to detect, prevent and address fraud, crime or security or technical issues; and/or (iii) to protect the interests or property of Vapaus, the Customer or the User or to ensure security or protect the public interest in accordance with law. Where possible, we will notify the Customer and/or User of such transfer and Processing.

Business transfers:
If Vapaus is a party to a merger, asset deal or other acquisition, we may disclose personal information to a third party involved in that acquisition. However, we will ensure that all personal information remains confidential. In such a case, we will notify of the transfer as soon as reasonably possible to the Customers and/or Users whose personal information is affected by the transfer or whose personal information will be subject to a different privacy policy.

With your consent:
We may disclose personal information to third parties outside of Vapaus where we have the express consent of the Customer and/or User. You have the right to withdraw your consent at any time

DISCLOSURE OF PERSONAL INFORMATION OUTSIDE NEW ZEALAND

Due to the nature of our business operation, we may disclose your personal information to overseas recipient, including:

  • Our group companies and affiliated entities in Finland, Sweden and France;
  • Service providers and data processors located in the European Union/European Economic Area (EU/EEA);
  • Cloud service providers with servers located in various jurisdictions; and
  • Other third parties as described in this Privacy Policy.

Before disclosing personal information to an overseas recipient, we will comply with Information Privacy Principle 12 of the Privacy Act. This means we will only disclose your personal information to an overseas recipient if one or more of the following applies:


a) Express Authorisation: You have authorised the disclosure after we have expressly informed you that the overseas recipient may not be required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act;

b) Subject to Privacy Act: We believe on reasonable grounds that the overseas recipient is subject to the Privacy Act (for example, if they have operations in New Zealand);

c) Comparable Privacy Laws: We believe on reasonable grounds that the overseas recipient is subject to privacy laws that, overall, provide comparable safeguards to those in the Privacy Act. We consider that recipients located in the EU/EEA are generally subject to the General Data Protection Regulation (GDPR), which provides comparable safeguards;

d) Binding Schemes: We believe on reasonable grounds that the overseas recipient is a participant in a prescribed binding scheme (such as binding corporate rules or approved certification mechanisms);

e) Prescribed Country: We believe on reasonable grounds that the overseas recipient is subject to privacy laws of a country prescribed by regulations as providing comparable safeguards; or

f) Contractual Safeguards: We believe on reasonable grounds that the overseas recipient is required to protect your personal information in a way that, overall, provides comparable safeguards to those in the Privacy Act, for example pursuant to:
  • Using Model Agreement’s based on the Privacy Act
  • Standard Contractual Clauses approved by the European Commission;
  • Data Processing Agreements containing appropriate safeguards; or
  • Other contractual arrangements that ensure appropriate protection.

 

SAFEGUARDS FOR INTERNATIONAL TRANSFERS

 

Where we transfer personal information outside New Zealand, we implement appropriate safeguards, including:

  • Conducting assessments of the data protection laws applicable in the recipient country;
  • Entering into data processing agreements with overseas recipients that include appropriate data protection obligations;
  • Using Model Agreement’s according to the Privacy Act as well as

Standard Contractual Clauses approved by the European Commission where transfers are made to countries outside the EU/EEA that do not have an adequacy decision;

  • Implementing technical and organisational security measures to protect data during transfer and storage; and
  • Regularly reviewing and updating our international transfer mechanisms to ensure ongoing compliance.

NOTIFICATION

Where practicable, we will inform you about the countries in which your personal information may be Processed. If you would like more information about our international transfers or the safeguards we have in place, please contact our Privacy Officer using the details in Section 1.

 

5. RETENTION PERIOD

Vapaus will not retain personal information for longer than the maximum period permitted by law and only for as long as is necessary for the purposes of this Privacy Policy. The retention period depends on the nature of the data and the purpose of the Processing. The maximum retention period may therefore vary from case to case.

Most personal information relating to an individual’s User account will be deleted within 90 days after the individual has deleted their account. Thereafter, we may retain some personal information for as long as we are required to do so by law or have a legitimate reason to retain the data, for example, for claims Processing, accounting, internal reporting or dispute resolution purposes. All personal information relating to a User's account will be anonymized or destroyed within ten (10) years after the User has deleted their account related to the Service, unless longer retention is exceptionally necessary, for example, for legal proceedings.

6. YOUR RIGHTS

 

Your choice:

Please review this Privacy Policy carefully. By providing personal information to us, you acknowledge that we will Process your personal information in accordance with this Privacy Policy. Providing personal information to us is voluntary; however, if you choose not to provide it, this may impact our capacity to deliver our Services to you and may affect your use of our Services. Should we receive personal information about you from a third party, we will protect it in accordance with this Privacy Policy. If you are a third party providing personal information about another person, you represent and warrant that you have obtained that person's consent to provide the personal information to us.

Right of correction:

As a Customer and/or User, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. 

Right of access:

As a Customer and/or User, you have the right to access and obtain information about the personal information we Process about you. Customers and Users have the possibility to access certain Customer and User Data through their user account. You have the right to request a copy of your personal information from us.

Right to withdraw consent:

Where Processing is based on consent given by the User, the User may withdraw consent at any time. Withdrawal of consent may limit the User's ability to use the Service. Withdrawal of consent does not affect the legitimacy of the Processing of personal information that we Processed prior to the withdrawal.

 

Right to rectification:

As a Customer and/or User, you have the right to require us to rectify or complete any inaccurate or outdated personal information we hold by contacting us. Customers and/or Users may rectify or update some of their personal information relating to them through their user account.

Right to erasure:

As a Customer and/or User, you may request us to erase your personal information from our systems. We will comply with your request if we have no legitimate reason not to erase your data.

 

Right to object:

As a Customer and/or User, you may object to the Processing of your personal data where the data is Processed for purposes other than to provide our Service or to comply with our legal obligations. However, objecting may limit your ability to use our Service.

 

Right to restriction of Processing:

As a Customer and/or User, you may request us to restrict the Processing of your personal information, for example, where your request for erasure, rectification or objection is pending and/or where we do not have legitimate grounds to Process your data. However, this may limit your ability to use our Service.

Right to data portability:

As a Customer and/or User, you have the right to receive your personal information from us in a structured and commonly used format and the right to transfer the data independently to a third party.

 

The right not to be subject to automated decision-making:


We do not make decisions based solely on automated Processing that would affect a Customer’s and/or User 's rights or obligations in a material way. Any personal information Processing Processes will be developed in such a way that they do not involve decisions of legal or contractual significance without human involvement. If we subsequently decide to use automated decision-making, we will inform you of this separately and ensure that you still have the right to request a review and human assessment if a decision is based partly or wholly on automated Processing.

 

Exercise of rights:

The above-mentioned rights may be exercised by sending an email to the above-mentioned addresses containing the following information: full name, address, email address and telephone number. We may request additional information necessary to prove the identity of the Customer and/or User. We may reject requests that are unreasonably repetitive, excessive or manifestly

unfounded or for any other legal reason.

7. DIRECT MARKETING

The Customer and/or User has the right to prohibit us from using Customer Data and/or User Data for direct marketing, market research and profiling for direct marketing purposes by contacting us using the contact details provided above or by using the unsubscribe option provided in direct marketing messages.

8. LODGING A COMPLAINT

If the Customer and/or User considers that our Processing of personal information is in breach of applicable data protection legislation, they may lodge a complaint with the local supervisory authority. The local supervisory authority in New Zealand is  Office of the Privacy Commissioner (OPC) (www.privacy.org.nz).

9. INFORMATION SECURITY

We use administrative, organisational, technical and physical safeguards to protect the personal information we collect and Process. The measures we use include

data encryption, pseudonymisation, firewalls, secure facilities and systems protected by limited access rights. Our security measures are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience and recoverability. We regularly test our Service, systems and other hardware for vulnerabilities.

If, despite our security measures, a data breach occurs that is likely to have an adverse effect on the privacy of Customers and/or Users, we will notify the relevant Customers and/or Users and other affected parties as required by applicable law and, where required by applicable data protection legislation, the authorities as soon as possible. The notification to the local supervisory authority will be made at the latest within 72 hours of the discovery of the breach, as required by law, where the breach may pose a risk to the rights or freedoms of natural persons.

COOKIES


We use various technologies, including cookies, pixel and web beacon technology, to collect and store Customer Data, Analytics Data and other information related to a User's visit to the Service. Cookies may also collect personal information about Customers and/or Users.

Cookies are small text files sent to and stored on the Customer's and/or User's device that enable us to identify visitors to our Service, facilitate visitors' use of the Service, and allow us to compile aggregate information about visitors to our Service. This feedback allows us to improve the functionality of our Service and

to monitor and analyse the use of our Service. Cookies do not harm your devices or your files. We use cookies in order to provide our Users with the Service and information that meets their individual needs.

We ask for your consent to the use of cookies that are not strictly necessary to enable the core functionality of our website and to provide the service you request when you visit our website. You can disable cookies at any time by changing your browser settings. Below you will find detailed instructions on how to do this.

The cookies we use may already be Vapaus’ and/or a third party’s cookies and can be categorised as persistent or session cookies. A persistent cookie is a text file that is sent to the Customer's and/or User's device and is permanently stored by the browser used until a specified deletion time (unless the Customer and/or User disables the cookie before the specified deletion time). A session cookie is a text file sent to the Customer's and/or User's device and is stored by the browser used until the end of the session. Cookies are divided into the following four categories. All categories include third-party cookies, which can be used to transfer data to third parties.

Necessary cookies

These cookies are needed to make our website work safely and correctly. Necessary cookies allow you to browse our website and enable us to provide the service you want. Necessary cookies enable basic website functions, such

as identifying you and detecting repeated failed login attempts. We do not need your consent to use these cookies, but you can opt out of them by changing your browser settings. However, this will affect the functioning of the website, and some essential functions may not work.

Functional cookies

These cookies allow us to use useful features to improve your user experience, such as remembering your login information and preferences.

Analytical cookies

These cookies give us information about how you use our website and allow us to improve your user experience.

Third party cookies

We use third party cookies on our website. Vapaus uses external platforms for digital communication and marketing, including LinkedIn, Youtube, Facebook, Yahoo and Google Ads. These platforms use both first-party and third-party cookies to advertise and track advertising results.

Managing your cookies settings:

As a Customer and/or User, you may accept the use of cookies when visiting the Service's website. You may also pre-block the use of cookies in certain browsers or set your browser to warn you if cookies are attempted to be applied.

For example, the following links provide information on how to change your cookie settings in the most popular browsers:

  • Safari
  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

Please note, however, that some parts of our Service may not function properly if the use of cookies necessary for the functionality of the Service is blocked. For more information about cookies in general, including how to manage and delete them, please visit www.aboutcookies.org or www.allaboutcookies.org.

Some of the third-party cookies we use are so-called web analytics services and other web analytics tools used by our Service to collect Analytics Data and reports on the use of the Service website (Google Analytics and Leadfeeder). For more information about Google Analytics, please visit the Google Analytics website. You can opt-out of the collection of data by Google Analytics by downloading the Google Analytics opt-out add-on for your browser.