Privacy policy

1. Who we are

This Privacy Policy explains how CircleLink, UAB, located at Dariaus ir Girėno g. 42A, LT-02189 Vilnius, Lithuania (“Circle Link”, “we”, “us” or “our”), collects, uses, stores and shares personal data when you use the Circle Link mobile application, website, charging services, account services, private charger features, DAEI benefit administration features and related support channels.

For the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), CircleLink, UAB acts as the data controller for the personal data described in this Privacy Policy, unless stated otherwise.

You can contact us regarding privacy matters at:

Email: [email protected]

2. Scope of this Privacy Policy

This Privacy Policy applies when you:

create or use a Circle Link account;
use the Circle Link app or website;
search for, view, navigate to or use public EV charging stations;
start, monitor, stop or pay for EV charging sessions through Circle Link;
connect or register a private, workplace, fleet or home charging point with Circle Link;
participate in Circle Link’s DAEI benefit administration, aggregation or related energy-data services, where such features are available;
contact customer support;
receive service, transactional or marketing communications from us.

This Privacy Policy does not replace the privacy policies of third-party charging operators, payment providers, app stores, roaming platforms or other third-party services. Where you use third-party services, those providers may process your data as separate controllers under their own privacy policies.

3. Personal data we collect

We collect only the personal data that is necessary for the purposes described in this Privacy Policy.

3.1 Account and registration data

When you create or use a Circle Link account, we may process:

name and surname;
email address;
phone number;
account credentials or authentication identifiers;
country, language and account settings;
user ID, customer ID or other internal identifiers;
information you provide voluntarily in your account or through forms.
3.2 App, device and technical data

When you use the app, website or services, we may process:

IP address;
device type, operating system, browser type and app version;
device identifiers and push notification tokens;
login events, access logs, error logs and diagnostic data;
cookie identifiers and similar online identifiers;
security, fraud-prevention and service-performance data.
3.3 Location, map and route data

If you use map, navigation or route-planning features, we may process:

approximate or precise location data, depending on your device settings and permissions;
charging station searches;
selected charging locations;
route-planning inputs;
favourites, recently viewed stations or saved locations, if such features are used.

You can control app location permissions through your device settings. Some map, routing or nearby-charger features may not work properly without location access.

3.4 Public charging session data

When you use public EV charging services through Circle Link, we may process:

selected charging station, connector and operator;
charging session start time, end time and duration;
kWh consumed;
meter values, charging status and technical session data;
charging session ID, transaction ID, token ID, RFID/card ID or app authorization ID;
pricing, fees, discounts, invoices, receipts and payment status;
charging errors, refunds, support cases and dispute information.

Where the charging station is operated by a third-party charging operator, charging session data may be exchanged with that operator or with roaming/interoperability platforms in order to authorize, perform, settle, troubleshoot and invoice the charging session.

3.5 Payment, purchase and billing data

We do not intentionally collect or store full payment card numbers in our own systems. Payments, subscriptions or in-app purchases may be processed by third-party payment providers, app stores or payment infrastructure providers, such as RevenueCat, Apple, Google, Stripe or other providers used by Circle Link from time to time.

We may process limited payment-related data necessary for service provision and accounting, including:

transaction identifiers;
purchase or subscription status;
payment confirmation data;
refund status;
invoice, receipt and billing information;
VAT, tax or accounting information where applicable.
3.6 Private charger, workplace charger, fleet charger and OCPP data

If you connect or register a private, home, workplace, fleet or parking-area charger with Circle Link, we may process:

charger owner or user contact details;
charger location or site information;
charger manufacturer, model, serial number, firmware version and technical identifiers;
OCPP identity, charger ID, connector ID and configuration data;
charging sessions performed on the charger;
meter values, kWh consumed, timestamps and technical logs;
connectivity status, error codes and diagnostic data;
RFID, user access or authorization data, where enabled;
information necessary to verify charger compatibility, data quality and service eligibility.

This data is required to connect, monitor, troubleshoot and administer charging services, private charging features and, where applicable, DAEI-related benefit calculations.

3.7 DAEI benefit administration and energy-data services

Where DAEI benefit administration, aggregation or energy-data features are available and you choose to participate, we may process:

identity and contact data of the participant;
contract acceptance records;
charger, site and metering data;
charging volumes and kWh calculations;
DAEI benefit calculations and allocation records;
payout, discount or benefit-use records;
bank account details, if direct payout is enabled;
tax residence, company details, VAT details or other tax/accounting data, where legally required;
documents or declarations required to verify eligibility, rights, representation or compliance;
communication and support records relating to DAEI participation.

We process this data to verify eligibility, calculate benefits, administer contractual rights, provide statements, make payouts or apply service credits/discounts where available, comply with legal obligations and prevent misuse.

3.8 Support and communications data

When you contact us, we may process:

your contact details;
message content;
support request details;
attachments or screenshots you provide;
internal notes, resolution status and correspondence history.
3.9 Marketing and communication preferences

Where permitted by law, we may process:

email address and phone number;
communication preferences;
consent records;
newsletter subscription status;
campaign engagement data, such as opens, clicks and unsubscribe actions.

You can opt out of marketing communications at any time by using the unsubscribe link or contacting us at [email protected].

4. Purposes and legal bases of processing

We process personal data only where we have a valid legal basis under the GDPR.

Purpose Legal basis
Creating and managing your account Performance of contract — GDPR Article 6(1)(b)
Providing app, website and charging services Performance of contract — GDPR Article 6(1)(b)
Authorizing, performing, settling and invoicing charging sessions Performance of contract — GDPR Article 6(1)(b); legal obligation — GDPR Article 6(1)(c)
Processing payments, purchases, refunds and subscriptions Performance of contract — GDPR Article 6(1)(b); legal obligation — GDPR Article 6(1)(c)
Connecting and administering private chargers, OCPP integrations and technical diagnostics Performance of contract — GDPR Article 6(1)(b); legitimate interests — GDPR Article 6(1)(f)
Administering DAEI participation, benefit calculations, discounts, payouts and related statements Performance of contract — GDPR Article 6(1)(b); legal obligation — GDPR Article 6(1)(c); legitimate interests — GDPR Article 6(1)(f)
Customer support and dispute handling Performance of contract — GDPR Article 6(1)(b); legitimate interests — GDPR Article 6(1)(f)
Security, fraud prevention, service monitoring and abuse prevention Legitimate interests — GDPR Article 6(1)(f)
Accounting, tax, legal compliance and regulatory obligations Legal obligation — GDPR Article 6(1)(c)
Establishing, exercising or defending legal claims Legitimate interests — GDPR Article 6(1)(f)
Essential cookies and technical service operation Legitimate interests — GDPR Article 6(1)(f)
Non-essential analytics cookies, session analytics and similar tracking Consent — GDPR Article 6(1)(a), where required
Direct marketing, newsletters and promotional communications Consent — GDPR Article 6(1)(a), or legitimate interests — GDPR Article 6(1)(f), where permitted by applicable law
Push notifications Consent or device-level permission, depending on the notification type and applicable law

Where we rely on legitimate interests, our interests include maintaining service security, improving product functionality, preventing fraud, ensuring correct charging and billing, communicating with existing users, resolving disputes and protecting our legal and business interests. You may object to processing based on legitimate interests as described in Section 11.

Where we rely on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

5. Cookies and similar technologies

We use cookies, SDKs and similar technologies to operate, secure and improve our website, app and services.

Cookies and similar technologies may be used for:

essential service operation;
authentication and session management;
fraud prevention and security;
performance monitoring;
analytics;
user feedback and product improvement;
marketing and campaign measurement, where enabled.

Non-essential cookies and similar tracking technologies are used only where permitted by law and, where required, after your consent. You can manage cookies through your browser settings, app settings or our cookie consent tools where available.

6. Push notifications

If you enable push notifications, we may send you service notifications, charging-session notifications, security alerts, account messages, DAEI-related updates and, where permitted, promotional notifications.

You can disable push notifications at any time in your device settings. Disabling push notifications may prevent you from receiving real-time service or charging-session updates.

7. Data received from third parties

We may receive personal data from third parties where necessary to provide our services, including:

charging station operators;
roaming and interoperability platforms;
app stores and payment providers;
charger manufacturers or charger-management systems;
OCPP-connected chargers;
fleet, employer or site administrators, where they manage charging access;
analytics, infrastructure, support or communication providers;
public authorities, where legally required.

We process such data only for the purposes described in this Privacy Policy and in accordance with applicable law.

8. Sharing of personal data

We may share personal data with the following categories of recipients where necessary:

charging station operators and roaming partners, to authorize, provide, settle and troubleshoot charging sessions;
payment providers, app stores and subscription infrastructure providers, to process purchases, payments, refunds and subscriptions;
hosting and cloud infrastructure providers;
security, anti-fraud and performance providers;
analytics and user-feedback providers, where enabled and legally permitted;
email, messaging and customer support providers;
accounting, legal, audit and tax advisers;
banks, payment institutions or payout providers, where payouts are enabled;
public authorities, courts, regulators or law-enforcement bodies where required by law;
business partners only where necessary for service delivery or where you have consented.

We do not sell your personal data.

Where a service provider processes personal data on our behalf, we require it to process personal data only under our instructions and to apply appropriate data protection and security measures.

9. Main third-party service providers

We may use the following providers, among others, to operate and improve our services:

RevenueCat — subscription and in-app purchase infrastructure;
Contabo — server hosting and infrastructure;
Cloudflare — security, content delivery and performance services;
Hotjar — user behaviour analytics and feedback tools, where enabled and legally permitted;
Mailjet — email communications and transactional email delivery;
Apple App Store and Google Play — app distribution, in-app purchases or subscription handling where applicable;
Stripe or other payment/payout providers — payment or payout processing, where enabled.

The exact providers may change as our services develop. We assess service providers before use and apply contractual, technical and organisational safeguards where required.

10. International data transfers

Some of our service providers or their infrastructure may be located outside the European Economic Area (“EEA”), including in countries that may not provide the same level of data protection as the EEA.

Where personal data is transferred outside the EEA, we rely on appropriate safeguards, such as:

an adequacy decision by the European Commission;
Standard Contractual Clauses approved by the European Commission;
supplementary technical and organisational measures where required;
another lawful transfer mechanism under Chapter V of the GDPR.
11. Data retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy and as required by applicable law.

As a general rule:

account data is kept while your account is active and for a reasonable period after account closure, unless longer retention is required;
technical logs are kept for a limited period necessary for security, diagnostics and service integrity;
charging session, billing, invoice, payment and accounting data may be kept for the period required by tax, accounting and legal obligations;
DAEI participation, benefit calculation, payout, discount and contract records may be kept for the duration of participation and for the applicable legal, tax, accounting and limitation periods;
support correspondence is kept for as long as necessary to resolve the issue and protect our legal interests;
marketing data is kept until you unsubscribe, withdraw consent or the data is no longer necessary;
backup copies may remain for a limited period until overwritten or deleted according to our backup cycle.

When personal data is no longer required, we delete it, anonymise it or securely restrict access to it.

12. Your rights

Subject to the conditions and limits set out in the GDPR, you have the following rights:

12.1 Right of access

You have the right to request confirmation whether we process your personal data and to receive a copy of the personal data we process about you.

12.2 Right to rectification

You have the right to request correction of inaccurate or incomplete personal data.

12.3 Right to erasure

You have the right to request deletion of your personal data where the GDPR allows this. We may need to retain certain data where required for legal, accounting, tax, contractual, security or legal-claim purposes.

12.4 Right to restriction of processing

You have the right to request restriction of processing in certain circumstances, for example where you contest the accuracy of the data or object to processing.

12.5 Right to data portability

Where processing is based on consent or contract and carried out by automated means, you may have the right to receive personal data you provided to us in a structured, commonly used and machine-readable format.

12.6 Right to object

You have the right to object to processing based on our legitimate interests. If you object, we will stop processing the relevant data unless we demonstrate compelling legitimate grounds or need the data for legal claims.

You may object to direct marketing at any time. If you object to direct marketing, we will stop using your data for that purpose.

12.7 Right to withdraw consent

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect processing carried out before withdrawal.

12.8 Right to complain

You have the right to lodge a complaint with a supervisory authority. In Lithuania, the supervisory authority is:

Valstybinė duomenų apsaugos inspekcija
L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
Website: https://vdai.lrv.lt

Before submitting a complaint, you are encouraged to contact us first at [email protected] so that we can try to resolve the issue.

13. How to exercise your rights

To exercise your rights, contact us at:

[email protected]

For security reasons, we may need to verify your identity before responding to a request. We will respond within the period required by applicable law.

14. Data security

We apply appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

These measures may include, where appropriate:

access controls;
encryption in transit;
secure hosting and infrastructure controls;
logging and monitoring;
role-based access management;
backup and recovery procedures;
service-provider due diligence;
internal confidentiality obligations.

No electronic service can be guaranteed to be completely secure. If you believe your account or personal data has been compromised, contact us immediately at [email protected].

15. Automated decision-making

We may use automated calculations to operate the service, including charging price calculations, charging-session validation, benefit calculations, technical monitoring, fraud prevention and DAEI-related calculations where such features are available.

We do not intentionally use solely automated decision-making that produces legal effects or similarly significant effects on you, unless this is necessary for entering into or performing a contract, authorised by law, or based on your explicit consent. Where required by law, you may request human intervention and contest the decision.

16. Children

Circle Link services are not intended for children. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data without appropriate legal basis or consent, we will take reasonable steps to delete it.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal requirements or business operations.

If changes are material, we will take reasonable steps to notify users, for example through the app, website or email. The updated Privacy Policy will apply from the date stated at the top of the document, unless otherwise required by law.

Continued availability of the Privacy Policy does not limit your rights under applicable data protection law.

18. Contact

For privacy-related questions, requests or complaints, contact:

CircleLink, UAB
Dariaus ir Girėno g. 42A
LT-02189 Vilnius
Lithuania

Email: [email protected]