Privacy policy

Last updated 10 June 2025

 

The controller of personal data is:

Prizmos Ltd.

Reg. No 202432360

e-mail: dpo@caristaapp.com

 

 

We at Prizmos Ltd. take the protection of your Personal Data seriously. We are committed to protecting the privacy of any personal information that you provide or that is collected in the course of your use of our website (carista.com) and our services.

 

This Privacy Policy explains how we collect, share and use your Personal Data, and how you can exercise your privacy rights. We recommend that you read this Privacy Policy in full to ensure you are fully informed. This Privacy Policy applies to all Personal Data we collect about you, including information we collect in our app "Carista", on our website "carista.com" and any other information you provide to us with respect to the use of our services or products, including in testing mode, or when you request information about our services and products, all of which are referred to collectively as the “Services” and/or “Products”. By using the Services however they are used by you (whether via personal computers, mobile devices or otherwise) you’ll be confirming that you have read and understood and agree to this Privacy Policy.

Prizmos Ltd. collects and processes Personal Data with respect to the lawful execution of its activity upon observing the applicable requirements.

 

I. Key Terms

 

Personal Data – any information that identifies or can be used to identify a person, directly or indirectly, including but not limited to names, date of birth, location data (GPS and IP), email address, physical address, gender, or other demographic information.

 

“Website(s)” – any website(s) we own and operate (such as carista.com) or any other web pages, interactive features, applications, widgets, blogs, social networks or other online, mobile or wireless offerings that post a link to this Privacy Policy.

 

“Carista App” – the software application we own and operate – Carista application, or other interactive features, through which we provide our software services, including in testing mode.

 

Processing of Personal Data – any operation or set of operations which is performed on personal data by automated and other means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, erasure or destruction of data.

 

II. Personal Data we collect

 

II.a). General conditions

To the extent that applicable data protection laws require special treatment of personally identifiable information, we shall take such measures as are necessary for compliance with these laws.

Our Services are not provided for persons aged below 16 and we do not deliberately collect Personal Data of persons below 16 years of age. In case we learn a person aged below 16 has provided Personal Data to us, we shall erase such data immediately.

 

II.b). Personal data you provide to us.

The Services provided through our Application are only available upon registration and creation of an account. For the purposes of creating an account, users provide the following information: names, e-mail address, and are also required to select a password. Registration in the Application may also be performed with the usage of third parties accounts (e.g. Google account, Facebook account). The personal information provided in such cases also includes names and e-mail address of the user and may include other personal information as provided by the user. We do not receive any of your log-in details (passwords) for these third parties.

The provision of the Services for certain brands of vehicles requires additional personal information to be provided: address and phone number. This information is required by the manufacturer of the vehicles for the purposes of analysis of the market and other applicable purposes and conditions in accordance with their Privacy Policy. For further information on the collection and processing of such personal data, please consult the respective Privacy Policies of the vehicle manufacturer.

Provision of certain Services on certain vehicles of the Volkswagen group, whenever involving the advanced protective function SFD (SFD – Schutz der Fahrzeugdiagnose = Vehicle Diagnostics Protection), may require additional personal information to be provided. The user's personal data in the course of providing such Services is subject to the following specific conditions: i) each user is assigned a pseudonymized ID by Prizmos Ltd; ii) personal data shall be stored for 30 years after an SFD request both by Prizmos Ltd and by Volkswagen in the course of providing SFD services; iii) personal data (pseudonymized ID and VIN) shall be transmitted to Volkswagen in the course of each SFD request; iv) personal data may be transmitted to Volkswagen or respective investigative authorities in cases of misuse or other forbidden or illegal behavior of the user; v) pseudonymized behavioral data may be processed by Volkswagen for analytical purposes; vi) data protection rights can be exercised by the user before Volkswagen only through the intermediary of Prizmos Ltd. Further information on protection of personal data of Volkswagen users with respect to SFD services can be found in the Privacy Policy for the SFD IT Backend, located at: Privacy Policy for the SFD IT backend

In the course of using the Services, you may provide additional information about your vehicle if you wish. This information is only processed for the purposes of optimizing your user experience in the Application.

If you wish, you may additionally assist us in testing new versions and/or features of our Services by participating in testing modes of the Application/Services. Your explicit consent for providing personal data in the course of such testing will be requested each time.

The information collected in the process of registration and creation of an account is processed by Prizmos Ltd solely for the purposes of providing the requested Services through the Application, for enhancing your user experience when receiving the Services in the Application and for communication with you when required or needed.

Occasionally we may process the provided email address for sending you promotional messages with information about our products and services. You may object to processing for the purpose of such marketing upon creating your account or at any time afterwards.

Apart from the account information, you provide to us your personal data usually, but not exclusively, when you visit our Website, sign up for and use our Services and Products (including when creating a user in our Carista app), consult with our customer support team, send us an email, integrate the Services with another website or service, or communicate with us in any other way.

We do not use automated decision-making when processing Personal Data, except in cases of profiling. We do profiling only for the purposes of personalized marketing messages whenever we have explicit consent to do so. Profiling is a processing of personal data by analysis and assessment of specific characteristics or potential preferences and interests of a specific person.

 

II.c). Information we collect automatically

When you use our Website, our Services and Products we may automatically collect certain information about your device and usage of the Services. We use cookies and other tracking technologies to collect some of this information. Our use of cookies and other tracking technologies is discussed in detail below. The only data we collect beyond the data you provide to us are your IP address, browser software, operating system and the time and date you visited our Website. When you use our Website we use data from Google’s Interest-based advertising or 3rd party audience data (such as age, gender and interests) with analytical services provided by Google (Google Analytics), we use Google Display Network Impression Reporting and we may use Facebook custom audiences for our marketing strategy.

For more information on how Google Analytics uses your information, please see the page “How Google uses information from sites or apps that use our services”, located at https://policies.google.com/technologies/partner-sites?hl=en . You may opt out of the automated collection of information by third-party ad networks for the purpose of delivering advertisements tailored to your interests, by visiting the consumer opt-out page for the Self-Regulatory Principles for Online Behavioral Advertising at http://www.aboutads.info/choices/ and edit or opt-out your Google Display Network ads’ preferences at http://www.google.com/ads/preferences/. You can also use the Google Analytics opt-out browser Add-on.

 

II.d). Payment Processors

We use third-party payment processors to process payments for our Services and Products. Depending on the user’s location, we have partnered with Stripe.com or Shopify to offer safe and secure credit card transactions for our customers whenever you purchase our Services and our Products directly on our Website. Our Products are also available for direct purchase on Amazon. Our Services are also available through the Carista App provided by Google Play or Apple Store, depending on your device.

Stripe.com, or Shopify through its service Shopify Payments, manages the complex routing of sensitive customer information through the credit card processing networks. In connection with the processing of such payments we never see, nor store, your credit card information. Rather, all such information is provided directly to Stripe.com or Shopify, whose use of your personal information is governed by their privacy policy respectively at https://stripe.com/privacy or https://www.shopify.com/legal/privacy

Based on our agreements with these third-party providers, we receive only e-mail address information for the respective purchases.

Shopify Inc. is a U.S. state incorporated in Canada and has partnered with licensed third-party payment providers throughout the world. Stripe Payments Company is a U.S. state licensed money transmitter and federally registered money service business. Both Stripe.com and Shopify adhere to strict industry standards for payment processing.

Whenever you purchase our Products through Amazon, the entire process is held through Amazon, and the respective privacy policy is applicable towards your interaction. With respect to your purchases we never see, nor store, your credit card information. All your data is provided to and stored directly through Amazon. You may further consult the terms and conditions for usage of Amazon here: https://www.amazon.com/gp/help/customer/display.html?nodeId=508088 and their respective privacy policy at: https://www.amazon.com/gp/help/customer/display.html?nodeId=468496

All purchases done through Carista App are facilitated by Google Play or Apple Store. We never see, nor store your credit card information. All your data is provided directly through Google Play or Apple Store. You may consult their privacy policy respectively at: https://policies.google.com/privacy or https://www.apple.com/legal/privacy/data/en/app-store/.

Each of those third-party payment operators provides us with your e-mail address for the purposes of communication with you regarding your purchase, sending requests for invalid payments, notifications for your purchase, including upon upcoming auto-renewal or cancellation, and other administrative information and communication.

Upon your purchase with Shopify we will send you a one-time e-mail requesting your review of our Product/ Service. It’s your sole discretion whether you’ll provide a review or not and what its contents will be. Reviews will not be automatically published and Prizmos retains its right to confirm validity of a review. 

III. Grounds and purposes for use or process of Personal Data

 

Our primary purpose for the processing of Personal Data is to provide you with the Services and Products you request and for those purposes which we believe will help you optimize your use of the Services. We may process Personal Data on different grounds on which the purposes of processing will vary, including to carry out our legitimate interest in the business, to perform a contract or to fulfil a legal obligation. Whenever use and processing of Personal Data is based on consent, we will identify the purposes of processing such data and will provide you with relevant information, as well as with the option to decline the processing.

The types of user data which we gather and process in the course of Carista app functioning are as follows:

| Type of personal data | Purpose | Ground for processing personal data |
| --- | --- | --- |
| Name and family name | Carista app registration for the specific user; providing the information, Services, Products and support as requested by the user | Execution of contract/service |
| IP address | Carista app registration for the specific user; providing the information, Services, Products and support as requested by the user | Execution of contract/service |
| VIN | Carista app registration for the specific user; providing the information, Services, Products and support as requested by the user | Execution of contract/service |
| E-mail | Communication regarding payments, notifications regarding payments, including upcoming payments or cancelled payments | Legitimate interest |
| E-mail | Upon purchase with Shopify for requesting individual review | Legitimate interest |
| E-mail | Carista app registration for the specific user; providing the information, Services, Products and support as requested by the user | Execution of contract/service |
| E-mail | General marketing messages with information about our products and services | Legitimate interest |
| Device identifiers | Carista app registration for the specific user; providing the information, Services, Products and support as requested by the user | Execution of contract/service |
| Logs, date of payments | Carista app registration for the specific user; providing the information, Services, Products and support as requested by the user | Execution of contract/service |
| First name, family name, e-mail, IP address, VIN, device identifiers | Testing of new versions and/or features of Carista app | Consent |

 

The types of user data which we gather and process in the course of your interactions with us via the feedback form on our official website (or when signing up for our newsletter) are as follows:

| Type of personal data | Purpose | Basis for processing personal data |
| --- | --- | --- |
| E-mail | Contacting us through the contact form in our website or make the newsletter available; process complaints or customer service inquiries, handling disputes, performing audits | Consent |
| IP address | Process complaints or customer service inquiries, handling disputes, performing audits | Execution of contract/service |
| Cookies | Technical functionality | Execution of contract/service |
| Marketing cookies | Marketing strategy and actions; Promoting our Services and Products | Consent |
| E-mail and purchases | Personalized marketing messages with information about our products and services based on your previous purchases | Consent |

 

IV. Period for processing of Personal Data

 

Notwithstanding any rights outlined below, we retain Personal Data only as long as is necessary for the purposes set out in this Privacy Notice, or as required by applicable law. Information, related to your usage of our Services and Products, including names, email, dates of payments, logs of your use of the licensed software application, vehicle identification number, requests for providing of Services and/ or Products, shall be processed for a period of 5 years after execution, for the purposes of potential dispute settlements. At the end of the applicable retention period, we will either securely delete or deidentify your Personal Data, or if deletion or deidentification is not possible, we will securely store your Personal Data separate from any further processing until deletion is possible.

Note: Whenever an SFD service is requested, your user and personal data obtained through the Carista App will continue to be stored in our systems for up to 30 years after the initial registration in the App, even after a user account has expired or been deactivated. The personal data transmitted to Volkswagen under this Privacy Policy shall also be stored by Volkswagen for a period of 30 years.

 

V. Security of Personal Data

 

In accordance with applicable laws and regulations, we have undertaken appropriate technical and organizational measures to safeguard the security of Personal Data against unauthorized or unlawful access. We believe the measures implemented by Prizmos Ltd, as well as the Information Security Management System in place, based on the TISAX requirements, reduce our potential vulnerability to a level adequate to the types of data we process.

We process and store Personal Data on our servers or on the servers of our third-party service providers in the USA and in other countries within the European Union where we or our service providers do business. This means that when we collect your Personal Data we may process this data in any of these countries, including countries other than the country in which you reside. Regardless of where Personal Data is processed we take steps to ensure that your Personal Data is protected in compliance with applicable data protection law and this Privacy Policy.

We periodically review our information collection, storage and processing practices, including physical security measures. We restrict access to Personal Data to employees and agents who need to know that information in order to process it for us and who are subject to strict contractual confidentiality obligations.

 

VI. Data Protection Rights

 

You have the following data protection rights, as may be amended from time to time by applicable law:

  1. Right to access – you have the right to receive at any time information from Prizmos Ltd about the Personal Data we retain about you, its source and purpose, and to obtain a copy of the Personal Data retained about you.
  2. Right to correct – you have at any time the right to request the timely correction or update of your Personal Data.
  3. Right to restrict processing – you have the right to request the restriction of the processing of your Personal Data in certain cases. Should you require such restriction, please contact us at dpo@caristaapp.com.
  4. Right to request deletion (right to be forgotten) – you are entitled to request Prizmos Ltd to delete your Personal Data, when there is no legitimate reason to continue processing the data, as well as when the processing is not in compliance with the applicable law, except in cases where deletion is not possible or a legitimate reason for processing is applicable or a legal obligation is applicable.
  5. Right to request portability – you have the right to request the transfer of your Personal Data to you or to a third party in a structured, commonly used and machine-readable format.
  6. Right to object to processing – you are entitled to object to processing of your Personal Data if you have a legitimate interest or you deem your rights and freedoms are violated. You have the right to object at any time to processing of your Personal Data for the purposes of direct marketing.
  7. Right to withdraw your consent – if we have collected and processed your Personal Data based on your consent, you may withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance upon lawful processing grounds other than consent.
  8. Right to complain – you can complain to the national data protection authority at any time about the collection and use of your Personal Data.

 

Exercise of Data Subject Rights

Should you desire to exercise your data protection rights you can do so at any time by contacting us via one of the contact options available to you on our contact sheet at the end of this Privacy Policy. We respond to all requests we receive from individuals wishing to exercise their rights within a reasonable time in accordance with applicable law (within 1 month).

You may further exercise your rights towards Volkswagen with respect to your SFD requests made through the Carista App, by contacting us via one of the contact options available at the end of this Privacy Policy.

If you believe that your personal data protection rights have been violated, you have the right to lodge a complaint with the respective supervisory authority, depending on the country you are in – for Bulgaria this is the Commission for Personal Data Protection at the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Str., tel. 02 / 91-53-519, email: kzld@cpdp.bg, website: www.cpdp.bg.

 

VII. External parties, with whom we share Personal Data

 

Contractors 

We only share Personal Data with external parties when there is a good reason (i.e., contractual obligation, legal requirement) to do so.

We are contractually obliged to transmit your personal data (e.g. the pseudonymised user ID or VIN) for every SFD request to a joint processor, VOLKSWAGEN AG.

Details about the processing of such personal data are provided above in Section II.

The Privacy Policy of Volkswagen can be found here:

https://datenschutz.volkswagen.de/?lang=en-GB

The Terms of Use for the SFD IT backend can be found here: Terms of Use for the SFD IT backend

The Privacy Policy for the SFD IT Backend can be found here: Privacy Policy for the SFD IT backend

Delivery of the Services

We may share Personal Data with third parties who help deliver our Products and Services. This may include hosting of our web servers, data analysis about the use of our Services and Products, delivery and monitoring of marketing initiatives, and providing customer support services. We may provide Personal Data to our affiliates or other trusted businesses or persons to process that information for us, based on our instructions and in compliance with our Privacy Policy and any other applicable confidentiality and security measures.

Legal obligation or Law enforcement

We may disclose Personal Data to enforce our policies, to comply with our legal obligations or in the interest of security, public interest or in response to requests by law enforcement, regulatory or government authorities in any country where we have entities or affiliates. We may also disclose certain Personal Data in connection with actual or proposed litigation, or to protect our property, security, people and other legitimate rights or interests as allowed by law.

Corporate Organization

In the event of a merger, acquisition, reorganization, bankruptcy or other similar events, Personal Data may be transferred to a third party. Potential purchasers and their advisors may have limited access to corporate data that includes Personal Data as a part of the sale process. In any of these cases the use and processing of Personal Data shall remain subject to this Privacy Policy.

Transfer to third parties (all outside the EU, EEA and Switzerland)

We are not sharing your personal data with third countries or international organizations. If, at any point, such transfer is needed, it will be done only provided that the requirements of the GDPR are met or to countries with an adequate level of protection, according to a list published by the European Commission.

 

VIII. Cookies and tracking technologies

 

We and our partners may use various technologies to collect and store information when you use our Services, including cookies and similar tracking technologies. We use these technologies to personalize your experience when using our Services, for various business analytics to improve our Services, and for our marketing strategy.

A cookie is a small text file that is delivered with pages from the Website and which is stored by your browser on the hard drive of your device. Cookies have various functions, such as to store your language preferences. Cookies do not usually contain any information that could personally identify you. You can turn off the use of cookies via the settings on your device. Please note, turning off cookies may result in some functions of the website or application not working properly.

Necessary cookies are those allowing you general access to the Website and use of its main functions. These cookies don’t incorporate any personal data. These cookies are normally installed as a response to your actions, representing a request for services on the Website. These cookies are necessary for the use of the Website.

Statistics cookies collect temporary (normally for the period of the browser session only) information about your use of the Website. These cookies are used for statistical purposes such as analyzing behavior and reporting interactions with the Website. Statistics cookies can be installed only with the user’s consent.

Marketing cookies are used for tracking users across separate websites. Their purpose is to allow advertisements tailored to the individual preferences of the user. Marketing cookies can be installed only with the consent of the user.

 

IX. Limitation of Privacy Policy

 

Our website may contain links or references to third parties’ websites. We are not responsible for the privacy practices or content of third party sites and services, even if we provide links or references for your convenience. Please read the policies and terms of use for any third party before using the site or services.

The services used by third party sites, including social media, may not be secure. Despite reasonable security measures, use of the internet is not secure and unlawful or unauthorized access to private transmissions or data is possible.

 

X. Contacts

 

If you have any question about our use of Personal Data, please contact us:

 

e-mail: dpo@caristaapp.com

147 Knyaz Boris I Str., 1000 Sofia, Bulgaria

 

This Privacy Policy was last updated on the date listed at the top of the page and applies from that date. We may occasionally update this policy and will announce it on our website. If any changes are material or apply to information we have already collected, we may provide additional notice and/or request additional consent as appropriate.