Last updated: February 10, 2026

With this Privacy Policy, issued in accordance with the Swiss Federal Act on Data Protection (FADP) and, where applicable, Article 13 of the General Data Protection Regulation (GDPR – Regulation UE 2016/679), we wish to transparently inform users about the modalities, purposes, and tools for processing their Personal Data collected during browsing, registration, or purchase of services on the official website and mobile application of Blacklux®.

This information document, coordinated with the Cookie Policy and the General Terms and Conditions of Service, establishes the basis on which Users’ personal data will be processed.

1. Data Controller

The exclusive Data Controller for the personal data collected and processed through the digital infrastructure and services branded under Blacklux® is Vip limousine, with registered and corporate headquarters located in Zurich (Switzerland), official e-mail address: info@blackluxt.com. An updated list of external data processors and any co-controllers can be requested by the data subject at any time by writing directly to the indicated e-mail address.

2. Principles and Processing Modalities

Personal Data provided or acquired will be processed in accordance with the principles of fairness, lawfulness, transparency, and protection of confidentiality under current regulations. Appropriate security measures are implemented to prevent unauthorized access, disclosure, modification, or destruction of Personal Data. Processing is carried out using computer and/or telematic tools, with organizational procedures strictly related to the stated purposes.

3. Categories of Personal Data Processed

When the User visits the Site, creates an account, places an order, or contacts us, we process the following Personal Data:

• Identification, contact, and access data: First and last name, e-mail address, telephone number, data related to the booking and the transport contract, messages sent for assistance, and data used for sending surveys and feedback via Trustpilot.
• Purchase data: Information relating to requested routes, travel codes, and completed purchases.
• Browsing data: IP addresses, domain names, and other parameters relating to the browser and the operating system used.
• Usage Data: Information generated by visiting the site (logs, interaction processes, transactions, browsing flows) and data related to monitoring service quality, including audio recordings of telephone calls with Customer Service.
• Billing and payment data: Fiscal data (VAT number, tax code, billing address, company name) and bank details for wire transfers. Sensitive payment card data is handled in an encrypted format directly by external banking gateways.

4. Purposes of Processing and Legal Bases

A. Purposes Related to the Contract and Legal Obligations

Site browsing; account registration and management; activities necessary for the conclusion and execution of the brokerage contract and the Transport Contract; order processing; assistance, customer care, and handling of complaints; managing requests via e-mail, chat, or phone; fulfillment of obligations deriving from current laws, regulations, or Swiss fiscal and accounting laws (maintenance of accounting records and issuance of commercial invoices).

Legal basis: The necessity to execute pre-contractual and contractual obligations to which the User is a party, or to fulfill legal obligations to which the Controller is subject. Providing data is mandatory for the provision of the transfer.

B. Purposes of Analysis, Statistics, and Legitimate Interest

Carrying out aggregate statistical analysis regarding Site usage to improve the offer; service quality control purposes (recording of telephone calls with Customer Service); ensuring compliance with the Controller’s contractual rights or preventing fraudulent actions; sending transactional e-mails (e.g., abandoned cart reminders).

Legal basis: The legitimate interest of the Data Controller aimed at the proper performance and optimization of business activities.

C. Purposes of Direct Marketing and Profiling

With the User’s express consent, sending commercial e-mails to display novelties, offers, and promotions via newsletters, or processing Data to send personalized communications based on the browsing profile (retargeting or placement in homogeneous commercial clusters).

Legal basis: The explicit, free, and revocable consent of the User. Providing data is optional, and refusal does not affect the possibility of making purchases on the Site.

D. Commercial Information to Existing Customers (Soft-Spam)

Sending commercial communications to the e-mail address provided during a purchase on the Site to propose the direct sale of similar services. This activity does not require prior express consent as it is exercised on the legal basis of legitimate commercial interest provided by Swiss law (FADP) and international regulations, provided that the user can object to such use (Opt-Out) initially or during any subsequent communication.

E. Geolocalizzazione Data

Detection of geographical location necessary for identifying the pick-up spot, confirming the start of the trip (*customer on board*), and recording the completion of the ride (*customer dropped off*). In OnDemand services, real-time geolocalizzazione is indispensable for both the driver and the customer. For pre-booked (scheduled) services, tracking is mandatory for drivers, while for customers it remains optional.

Legal basis: Express consent of the User granted through device settings or the Blacklux® mobile application. In the absence of consent, features based on geolocalizzazione will not be active, but it will remain possible to make standard manual bookings.

5. Data Retention Periods

Personal Data will be stored for the time strictly necessary to achieve the purposes for which they were collected:

• Contractual data: Processed for the duration of the mandate and stored for the timeframes required by regulations. In case of voluntary account closure, profile data will be retained for only 3 months for administrative purposes.
• Fiscal, administrative, and accounting data: Retained for a minimum period of 10 years, in accordance with the safekeeping obligations provided by the Swiss Code of Obligations.
• Data based on legitimate interest / Legal defense: Retained for 10 years following the termination of the service (in line with the ordinary limitation periods under Swiss law) to perform any protection activities in the event of litigation or complaints.
• Marketing and profiling data: Retained until consent is revoked and in any case for a maximum period of 24 months for marketing and 12 months for profiling since the last active contact (e.g., opening the newsletter).
• GPS geolocalizzazione data: Retained for a maximum period of 4 months from collection, for handling potential complaints or commercial verifications on the executed routes.

6. Communication and Data Recipients

Data will not be disclosed to the public. The following entities may have access to the Data: authorized internal personnel of Vip limousine (administration, sales, marketing, IT); third parties operating on behalf of the Controller (payment services, legal, accounting, system administrators, IT or newsletter service providers); partner Carriers and assigned chauffeurs strictly limited to the information necessary for the execution of the transport; public entities in compliance with current laws or competent Swiss and international authorities.

7. Place of Processing and International Transfers

Data processing takes place primarily in Switzerland (a third country recognized internationally as providing an adequate and secure level of protection) and in European Union countries. If there is a need to transfer data to Third Countries that do not benefit from an adequacy decision (e.g., the United States), Vip limousine undertakes to ensure that the transfer is regulated and protected on the basis of Standard Contractual Clauses (SCC) approved by the European Commission and recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC), ensuring the total protection of the data subjects’ rights.

8. Software Tools and Third-Party Services

• WhatsApp Business (Meta Platforms Ireland Limited): Used to provide the chauffeur’s contact number and name to the passenger in real time. It may use cookies or tracking tools. *Place of processing:* Ireland.
• Twilio (Twilio Inc.): Channel used for automated delivery of operational SMS notifications containing transfer logistics. *Place of processing:* Ireland / USA (protected by SCC).
• Intercom (Intercom R&D Unlimited Company): Used both for managing the Live Chat for customer assistance and for the infrastructure to send promotional Newsletters to users who have consented. It monitors usage data, e-mails, and interactions. *Place of processing:* Ireland.
• Cookies: The Site uses technical, analytical, and profiling cookies to make the browsing experience more efficient. For further details, please consult the official Cookie Policy.
• Secure Payment Gateways: For processing secure online payments, the platform utilizes Checkout.com (Checkout Ltd.), PayPal (PayPal Europe S.à.r.l.), Apple Pay (Apple Inc.), and Google Pay (Google Ireland Limited), which manage transactions on their own secure servers in accordance with their respective privacy policies.
• Google reCAPTCHA (Google Ireland Limited): A security tool protecting the Site from spam and abusive activities by automated bots, analyzing interaction flows and user behavior. *Place of processing:* Ireland / USA.
• Google Analytics with Anonymized IP (Google Ireland Limited): A web analytics service used to monitor and analyze traffic data in an aggregate form. The IP address anonymization feature is active: the IP address is truncated before being stored, preventing visitor identification. The User can deactivate tracking via the Opt-Out component provided by Google. *Place of processing:* Ireland / USA (protected by SCC).
• Google Tag Manager & Google ADS Remarketing (Google Ireland Limited): Services used respectively for centralized tag management and for delivering personalized advertisements based on the user’s past browsing sessions, deactivatable via Google account settings. *Place of processing:* Ireland / USA.

9. Rights of Data Subjects

In full compliance with the Swiss Federal Act on Data Protection (FADP) and the provisions of the GDPR, Users have the right at any time to exercise the following rights against the Data Controller. Users have the right to obtain:

• Right of Access and Information: Obtain confirmation as to whether or not personal data concerning them exists, an indication of their origin, purposes, processing modalities, and the logic applied to electronic tools.
• Rectification and Integration: Request the updating, rectification, or, where there is an interest, integration of their inaccurate or incomplete information.
• Erasure and Oblivion: Request the permanent deletion, transformation into anonymous form, or blocking of data processed in violation of the law or no longer necessary for the purposes for which they were collected.
• Restriction and Objection: Request the restriction of data processing or object entirely to processing for the purposes of sending advertising material, soft-spam, direct sales, or for carrying out market research.
• Data Portability: Request to receive their personal data in a structured, commonly used, and machine-readable format, to transfer them to another controller.
• Withdrawal of Consent: Withdraw at any time the consent given for purposes that require it (marketing, profiling, geolocalizzazione), without affecting the lawfulness of the processing performed before the withdrawal.

Data subjects may exercise their rights by sending a formal written and signed communication, attaching an identity document, to the Controller via e-mail at the official address: info@blackluxt.com.

If users believe that the data processing violates current regulations, they have the right to lodge a formal complaint with the competent supervisory authority. For Switzerland, the reference authority is the Federal Data Protection and Information Commissioner (FDPIC), located in Bern (www.edoeb.admin.ch).

10. Amendments to this Privacy Policy

The Data Controller reserves the right to make changes to this Privacy Policy at any time, giving publicity to Users on this web page. Please therefore consult this section often, taking as reference the last modification date indicated at the top. In case of non-acceptance of the changes made, the User is required to cease browsing the platform and mobile application and can request the Controller to remove their Personal Data from corporate servers. Unless otherwise specified, the previous Privacy Policy will continue to apply to Personal Data collected up to that moment.