Privacy Policy
1. Who are we?
Mbrella SA/NV (‘Mbrella’) is the owner of the website (Mbrella: the flexible corporate mobility solution)
(the ‘Website’) and of the Mbrella platform (the ‘Platform’). All references to ‘we’, ‘us’ or ‘our’ in this
policy refer to Mbrella.
Mbrella specialises in managing mobility and benefits for companies and their employees.
2. To whom does this privacy policy apply and what does it cover?
Protecting your personal data is paramount to us at Mbrella and we make every effort to protect and
process the personal data entrusted to us in a way that ensures compliance and transparency in
accordance with the applicable law, including the General Data Protection Regulation 2016/679 of 27
April 2016 (‘GDPR’) and the Belgian Law of 30 July 2018 on the protection of natural persons with
regard to the processing of personal data (‘Privacy Law’).
This policy (‘Policy’) applies to all persons whose personal data we process (‘Data Subjects’ or ‘you’),
such as customers, visitors to the Website and users of the Platform.
Personal data includes any information that enables Mbrella to identify you as a natural person. The
aim of this Policy is to inform you about how we process your personal data when we carry out our
activities, when you visit this Website or use the Platform, about the purpose of the processing and
the parties to whom we transfer the data, and about your rights and who to contact if
you would like more information.
3. Is Mbrella a data controller or a data processor?
Mbrella’s role in data protection depends on the context in which the data are processed:
• Mbrella acts as the data controller for the personal data collected via its Website and for the
data of its own customers (the users/administrators of the companies that use Mbrella’s
services). This means that Mbrella determines the purposes and method for processing this
data.
Mbrella may also be considered to be a data controller when it uses personal data for its own
purposes, which are not strictly governed by the customer’s contractual instructions. For
example, Mbrella acts as the data controller if it analyses the Platform’s usage data with the
aim of improving its services or developing new features.
• Mbrella acts as a data processor with regard to the personal data of the employees of
customers who use the Platform. In this case, Mbrella processes personal data on behalf of
and on the instructions of its customers, who remain responsible for processing the data of their
employees.
4. How is your data collected?
We obtain your personal data directly from you when you register on the Website or Platform and fill in
the fields that require certain personal data, making this data immediately available to Mbrella.
We may also obtain your personal data when you use our services, Website or Platform or when you
contact our customer service department.
5. What data do we collect?
Mbrella may collect and process the following categories of personal data:
• Identification and contact details: surname, first name, email address (business or personal),
telephone number, postal address, language, gender, date of birth, nationality, company
number, profession, job title.
• Professional data: information relating to the employer, employment contract, remuneration,
benefits, absences (type of absence: sickness, holidays, etc.), performance appraisals,
employee payroll ID, mobility budget, employee groups, management of subscriptions and
benefits, as well as information provided by candidates during the recruitment process (CV, LinkedIn profile, interview notes, etc.).
• Financial data: bank details (IBAN, credit card number), amount of expenses, receipts,
invoicing details, transaction and reimbursement details.
• Mobility and transport data: departure and arrival addresses, distances travelled, modes of
transport used, dates and types of journeys (commutes, business trips, teleworking), vehicle
information (make, model, odometer, number plate), electric vehicle charging data, MOBIB card
number.
• Data relating to the use of services: login details, Platform usage history, preferences,
communication with support services, requests for assistance, participation in events or
webinars.
• Communication data: content of exchanges with customer service or support (by email, chat,
telephone), discussion notes, contact forms, requests for information or support.
• Sensitive or special data (in certain specific cases): national registration number (for certain
mobility services, if legally required), information relating to health or the family situation if
required by law or the service used.
• Technical data: information relating to the applications or software used, IP addresses,
connection logs, data relating to navigating the Platform or Website.
The exact nature of the data collected depends on the service used, your relationship with Mbrella
(customer, employee of a customer, potential customer, etc.) and the legal obligations that apply.
6. Why do we collect your data and on what legal basis?
We collect your data in order to provide you with our services, to manage our relationship with you and
to comply with our legal obligations. The processing purposes vary depending on the service used, but
they always have an underlying legal basis in accordance with the GDPR.
A. Managing contractual relationships and the services provided
We use your data to:
• Create and manage customer and user accounts on the Platform;
• Manage subscriptions, mobility budgets, associated benefits and services;
• Process expenses, reimbursements, commutes, teleworking days and other mobility aspects;
• Activate and manage public transport services, electric vehicle charging and other mobility-
related services.
Legal basis:
• To execute the contract.
B. Communication and support
We use your data to:
• Respond to your requests via customer support or the contact form;
• Assist you in using the Platform;
• Improve our services and resolve technical problems.
Legal basis:
• To execute the contract.
C. Managing our social network accounts
Certain data may be processed when you interact with Mbrella via its social network accounts (i.e.
LinkedIn, Instagram, Facebook).
We use your data to:
• Reply to your messages or comments;
• Analyse audiences and engagement on our pages;
• Promote our services and events;
• Improve our online communication;
• Ensure follow-up of interactions and communication campaigns.
Legal basis:
• Legitimate interest: Mbrella has a legitimate interest in ensuring its online presence, interacting
with users and obtaining anonymised statistics about visitors to its pages.
• Consent: for the use of cookies and other trackers on our Website, in accordance with the
applicable legislation.
Platform responsibility:
When you interact with our pages on social networks, the platforms concerned (LinkedIn, Instagram,
Facebook) may also process your data as joint or independent data controllers. The processing carried
out by these platforms, in particular for the purpose of improving their advertising system or collecting
visitor statistics, is subject to their own privacy policy. If you would like more information, please consult
the privacy policies of each social network.
D. Marketing and events
We use your data to:
• Register you for webinars and events;
• Send you marketing communication or information about our services, if you have given your
consent;
• Manage interactions with our sales team.
Legal basis:
• Consent.
E. Legal compliance and regulatory obligations
We use your data to:
• Comply with our accounting, tax, social and regulatory obligations.
Legal basis:
• Legal obligation (this processing is required by law and does not need your consent).
7. Who do we share your data with?
Your personal data may be shared with external service providers who act as subcontractors on behalf
of Mbrella. These partners only intervene for the purposes described in this Policy and in accordance
with Mbrella’s strict instructions.
The main subcontractor categories are:
• Our cloud hosting provider: for the secure storage of your data (e.g.: AWS).
• Our customer relationship management (CRM) tools: to manage sales and marketing
interaction (e.g.: HubSpot).
• Our support and communication tools: to respond to your requests and improve the user
experience (e.g.: Intercom, Google Workspace).
• Our invoicing and payment tools: to manage transactions and subscriptions (e.g.: Stripe).
• Our analysis and automated processing tools: to facilitate certain activities such as
analysing receipts or approving expenses (e.g.: OpenAI) (see point 8 below).
• Our mapping tools: to calculate travel distances and mobility allowances (e.g.: Google Maps).
These subcontractors are contractually bound to guarantee the security, confidentiality and compliance
of the personal data they process. A subcontracting agreement is systematically signed in accordance
with Article 28 of the GDPR.
In some cases, your data may also be transferred to third parties acting as independent or joint data
controllers, such as:
• Our mobility partners: to activate public transport or electric charging services (e.g.: De Lijn,
TEC, STIB/MIVB, SNCB/NMBS, LMS, Deftpower).
• The social secretariats with which Mbrella’s customers have a contract, for administrative and
payroll management.
• Our legal advisers or bailiffs, in the event of a dispute or legal proceedings.
• The competent public authorities, in the event of a legal obligation or official request.
• Social networks and advertising platforms, when you interact with our content or campaigns
(e.g.: LinkedIn, Facebook, Instagram). In this context, Mbrella and these platforms may act as
joint controllers with regard to certain audience targeting or measurement activities, in
accordance with Article 26 of the GDPR.
8. Do we use artificial intelligence?
We may use artificial intelligence to facilitate certain activities such as content analysis or for pre-filled
forms. In this context, we use artificial intelligence without autonomous decision-making.
The employee retains full control of the extracted data, which he or she can check, modify or delete
before any registration or transfer.
9. Where is your personal data stored?
Your personal data is mainly stored in databases hosted by our cloud service providers located in the
European Economic Area (EEA), such as in Ireland, Belgium and the Netherlands. This includes AWS,
Google Workspace, HubSpot, and Intercom. These providers implement technical and organisational
measures that comply with recognised security standards (e.g.: SOC 2, ISO 27001).
When we work with partners located in third countries, your data may be transferred and stored outside
the EEA. Such transfers may involve, for example, hosting, payment, communication or mobility
services.
The transfers are governed by appropriate protection mechanisms recognised by European legislation,
such as:
• Compliance with the EU-US Data Privacy Framework;
• The use of standard contract clauses (SCC);
• Or other guarantees recognised by European legislation.
We ensure all our subcontractors adhere to the requirements of the GDPR in terms of security,
confidentiality and compliance.
10. How do we protect your data?
We implement appropriate technical and organisational measures to guarantee the security,
confidentiality and integrity of your personal data. These measures are designed to protect your data
against unauthorised access, loss, alteration or disclosure.
11. How long do we keep your data?
The retention period that applies to your personal data depends on the purpose of the processing and
the type of data concerned. Mbrella applies proportionate retention periods that comply with legal and
contractual requirements.
The retention periods applied are outlined below:
• Data linked to use of the Platform (accounts, budgets, journeys, expenses, benefits)
As a data processor, Mbrella stores data in accordance with the instructions of its customers,
who are responsible for processing the data of their employees. These periods are defined by
customers in accordance with their legal, contractual and operational obligations.
• Data facilitating support and communication with the employees of customers who use
the Platform (chat, emails, requests for assistance)
Retained for as long as the customer has a contract with Mbrella and the user (employee) has
an account on the Platform.
• Marketing and sales data (forms, event registration, interaction with the sales team)
Retained for three years after the last interaction.
• Invoicing and accounting data
Retained for ten years in accordance with legal requirements.
• Technical data relating to visits to our social network accounts
Retained for as long as our accounts on these social networks exist and for as long as you
visit them.
12. What are your rights?
In accordance with the GDPR, you have a number of rights concerning your personal data. These rights
allow you to retain control of your data. However, the way you exercise these rights depends on the role
Mbrella plays in processing your data:
• If Mbrella acts as data controller, you contact Mbrella directly to exercise your rights.
• If Mbrella acts as data processor on behalf of its customers (e.g. in relation to the data of
employees of a corporate customer), your rights must be exercised with the data controller, i.e.
your employer or the corporate customer. Mbrella will assist the data controller in managing
your request, in accordance with Article 28 of the GDPR.
These rights include:
• The right to information: you can obtain information about the processing of your data. This
right is exercised through this document. If the data processed includes that of your employees,
you undertake to provide them with this document.
• The right of access: you can access your personal data and obtain a copy.
• The right to rectification: you may request that inaccurate or incomplete data be corrected.
• The right to erasure or restriction: you may request that your data be erased or that the way
in which we use it be restricted, if you believe that we do not have, or no longer have, a legal basis for
processing it.
• The right to object: you can object to the processing of your data for direct marketing purposes
or to processing that we perform on the basis of legitimate interest.
• The right to portability: you can request that your data be provided to you in a structured and
commonly used format, or to have it transferred directly to another data controller.
• The right to withdraw your consent: when processing is based on your consent, you may
withdraw it at any time, without this affecting the legality of the processing carried out prior to
you withdrawing your consent.
• The right to lodge a complaint: you may lodge a complaint with the competent Data Protection
Authority if you believe that your rights have not been respected.
To exercise your rights, you can contact us using the details provided in the ‘How to contact us’ section.
13. How to contact us
If you have any questions about this Policy, exercising your rights or the way in which Mbrella processes
your personal data, you can contact us using the following details:
Mbrella SA/NV
Address: 12 Cantersteen, 1000 Brussels
Company number: 0776.753.432
General email: hello@mbrella.eu
Email of the Data Protection Officer (DPO): dpo@dieteren.be
We undertake to respond to your request as quickly as possible and to assist you in exercising your
rights.