Terms of Use (EU)
Application Programming Interface Terms of Use
(Last Updated: February 2021)
¶ I. Contractual Relationship; Scope
These Application Programming Interface Terms of Use (“Terms of Use”) govern your access and use of the APIs provided by Uber B.V., its subsidiaries and affiliates (collectively, “Uber”). The guides, materials, references, software and other applications or services provided by Uber in association with the access and use of the Uber APIs, together with the Uber APIs themselves, are collectively referred to as a suite of “Uber API Services”.
By accessing or using the Uber API Services you confirm your agreement to be bound by these Terms of Use as well as Uber’s Community Guidelines. The Uber APIs may also be subject to any other agreements you have with Uber, including those related to your use of business-specific APIs (“Supplemental Agreements”). Additionally, if you use the Uber APIs as an interface to, or in conjunction with, other Uber products and services, then the terms of those products and services (“Uber Product Terms”) also apply to you and your end users. If there is a conflict between these Terms of Use and the terms of a Supplemental Agreement governing your use of an Uber API or Uber Product Terms governing your use of Uber’s products and services, those terms will control with respect to that conflict.
Collectively, we refer to these Terms of Use, the Community Guidelines, any additional applicable terms (including terms in any Supplemental Agreements and any Uber Product Terms) and any other applicable policies and guidelines as the “Terms.”
PLEASE READ THESE TERMS OF USE CAREFULLY, AS THEY CONSTITUTE A LEGAL AGREEMENT BETWEEN YOU AND UBER.
¶ II. Access to APIs
¶ A. General.
You may not use the Uber API Services if you are not of legal age to form a binding contract with Uber, you determine that you are unable to comply with these Terms of Use or you are prohibited by applicable law from accessing or using the Uber API Services.
¶ B. Entity Access.
If you are accessing Uber API Services on behalf of a company, entity, or organization (collectively “entity”), then you represent and warrant that you: (a) are an authorized representative of that entity with the authority to bind such entity to the Terms; (b) have read and understand the Terms; and (c) agree to these Terms of Use on behalf of such entity. All references to “you” in these Terms of Use shall also refer to that entity.
¶ C. Registration & Credentials.
To access the Uber API Services, you may be required to register. After an approved registration, you will be issued certain credentials, which may be required to access the Uber APIs. You may not make credentials available to others including by embedding them in open source projects and only you may access the Uber API Services with the credentials provided to you. You will not misrepresent or mask your identity or your credentials when accessing or using the Uber API Services.
¶ D. Access Revocation.
We reserve the right to revoke your access to the Uber API Services without prior notice if we determine your use violates the Terms or is otherwise objectionable as determined in Uber’s sole discretion.
¶ III. Use of APIs
¶ A. Your End Users.
If you offer your application for use by others outside of your entity, you must maintain a user agreement and a legally compliant privacy policy for your application that is prominently identified or located where users download or access your application. You must immediately notify us in writing of any breach of your user agreement or privacy policy that impacts, or may impact, customers or users of Uber’s products or services.
¶ B. Compliance.
Access, implementation and use of the Uber API Services must be in compliance with all applicable law, regulation, third party rights (including, without limitation, laws regarding the import or export of data or software, privacy, and local laws) as well as Uber’s instructions. You will only use the Uber API Services in connection with legally permissible activities and as described in the Terms.
Promptly upon request, you will be required to certify certain aspects of your compliance with these Terms, including without limitation, your compliance with the above paragraph, and your security and data use practices, including the details of any privacy or security incidents potentially involving data of Uber users. We will provide the form of certification which must be signed by an authorized officer of your entity.
¶ C. API Limitations.
Uber sets and enforces limitations on the use of Uber APIs. You will not circumvent, or attempt to circumvent, such limitations as they apply to each Uber API or as otherwise set forth in the Terms, except as approved in writing by Uber. Uber may limit the number or nature of network calls that you or your application may make. Uber may change such usage limits at any time with or without notice and may use any means to enforce its usage limitations or prevent overuse of the Uber APIs.
¶ D. Open Source.
To facilitate your Uber API integration, Uber may make certain Software Development Kit(s) (“SDK(s)”) and/or libraries available to you under a separate open source license. You agree that any Uber API integration facilitated with such open source SDK(s) and/or libraries remains subject to the Terms.
¶ E. API Monitoring; Audit; Review.
We have the right to inspect, monitor, and audit any records or activity related to your use of Uber API Services to, among other things, improve the Uber API Services, identify security issues, or ensure compliance with the Terms. You will cooperate with audit requests by providing Uber access to relevant knowledgeable personnel, physical premises, documentation, infrastructure, and application software.
We reserve the sole right to determine whether or not your use of the Uber API Services is acceptable including the manner in which the Uber APIs are integrated into Your Products (defined below). Uber may collect and use usage data and information related to your use of the Uber API Services.
You agree to reimburse us for the costs and expenses of any audit that reveals a material breach of these Terms of Use related to your use of the Uber API Services. You agree to promptly address and correct all deficiencies identified in any such audit.
Uber’s review, testing, or approval of your products or services does not constitute any representation or acknowledgement by Uber that Your Products and/or any content therein comply with the Terms, any laws, rules, or regulations, nor does it constitute any acceptance by Uber of any responsibility or liability in connection with such products or services, or any content therein.
¶ F. Revocation.
If you do not comply with the Terms, or fail to timely evidence such compliance or if we believe that you have attempted to exceed, circumvent or failed to comply with any of the prohibited uses or the additional requirements or limitations described in the Terms, your ability to use the Uber API Services may be temporarily or permanently blocked or revoked.
¶ G. Certain Prohibited Uses.
Unless permitted by applicable law or any Supplemental Agreement(s) between you and Uber, you will not, and will not direct, encourage, or assist any other party to: (a) license, sublicense, sell, resell, transfer, assign, distribute or otherwise provide or make available to any other party the Uber API Services; (b) modify or make derivative works based upon the Uber API Services; (c) improperly use the Uber API Services, including (1) creating Internet “links” to any part of the Uber API Services, “framing” or “mirroring” any part of the Uber API Services on any other websites or systems, or “scraping” or otherwise improperly obtaining data from the Uber APIs, (2) transmitting any viruses or other code that may damage, detrimentally interfere with, surreptitiously intercept or expropriate any system or data; (d) reverse engineer, decompile, or disassemble the Uber API Services; (e) send spam or otherwise duplicative or unsolicited messages with the Uber APIs; or (f) use the Uber APIs to (1) display any offensive content or any content for which you do not have the right to share with Uber or to display or (2) distribute unsolicited advertising or promotions, or (3) engage in fraudulent or unauthorized activity including phishing, pharming, spidering, harvesting, or other similar activities.
In addition, you shall not, and shall not direct, encourage, or assist any other party to, access or use the Uber API Services to: (a) design or develop a competitive or substantially similar product or service; (b) copy or extract any features or functionality thereof; (c) launch or cause to be launched on or in connection with the Uber API Services a malicious automated program or script, including web spiders, crawlers, robots, indexers, bots, viruses or worms, or any program intended to overburden or hinder the operation and/or performance of the Uber API Services; (d) attempt to gain unauthorized access to the Uber API Services or its related systems or networks; (e) include any underlying Uber platform or product with competitors in any aggregated view i.e. webpage, app, software, etc.; (f) aggregate Uber’s data with competitors’ data; or (g) parse or scrape any of Uber’s data; in each case other than as explicitly permitted by Uber in writing. You will not share with a third party (or enable a third party to use) any operational, technical or other data obtained through the use of the Uber API Services in any manner that is competitive to Uber, including, without limitation, in connection with any application, website or other product or service that also includes, features, endorses, or otherwise supports in any way a third party that provides services competitive to Uber’s products and services.
¶ IV. Ownership; License
¶ A. Ownership.
Uber owns all right, title and interest, including without limitation all intellectual property rights and other rights in and to its software applications (including but not limited to the Uber API Services), any intellectual property rights used in connection with the software applications, and other proprietary technology, including any data structures therein, accompanying documentation, and any updates or revisions to the foregoing. All rights not specifically conveyed are retained by Uber.
You agree that you will not use Uber’s trademarks, service marks, or trade dress or any similar names, marks, or trade dress (“Uber’s Marks”) without express, written permission from Uber. This prohibition on using Uber’s Marks includes, but is not limited to, use in domain names, on websites or social media accounts, or as the names or titles of software applications or software features or functions.
¶ B. Licenses.
Subject to your compliance with the Terms, Uber hereby grants you a limited, revocable, non-exclusive, non-transferable, non-assignable, non-sublicensable license to access and use the Uber API Services for sole purposes of developing, testing, using, and maintaining an integration of your application with the Uber API Services, and to refer to Uber for the sole purpose of identifying Uber as the source of the Uber API Services.
Uber may produce and distribute incidental depictions, including screenshots, video, or other content from your API client, and may use your company or product name, trademarks, and trade dress in the course of Uber’s worldwide promotion, marketing, or demonstration of the Uber API Services you are using; you hereby grant Uber a worldwide, perpetual, irrevocable, transferable, royalty-free license, with the right to sublicense, to use, copy, modify, create derivative works of, distribute, publicly display, publicly perform, and otherwise exploit in any manner such incidental depictions, company names, product names, trademarks, and trade dress for the aforementioned purposes without further notice to or consent from you.
Subject to the rights granted to Uber and limitations herein, you reserve and retain sole and exclusive ownership of all right, title, and interest in, to, and under (a) your extensions and applications, and (b) all modifications, corrections, repairs, translations, enhancements, and other derivative works and improvements of your extensions and applications, including all intellectual property rights arising therefrom or relating thereto (collectively, (a) and (b) are “Your Products”), to the extent Your Products do not infringe any of Uber’s intellectual property rights. You are solely responsible for all costs incurred by you in the creation and maintenance of Your Products.
¶ V. Content
You are solely responsible for selecting all content made available through and contained in Your Products and for ensuring that such content complies with the Terms and any other requirements applicable to such content. You are fully responsible for any information you provide to Uber via the Uber APIs.
The Uber API Services may contain content owned by a third party. This content is the sole responsibility of the third party that makes it available. Additionally, content accessible through Uber APIs and Uber products may be subject to the intellectual property rights of third parties. User-generated content obtained by Uber will be governed by Uber’s user generated content policy.
¶ VI. Feedback; Attribution
¶ A. Feedback.
If you provide feedback or suggestions about Uber API Services, such information may be used for any purpose without obligation to you. Any feedback or suggestions provided by you will be governed by Uber’s Feedback Policy.
¶ B. Attribution.
Except for and subject to the license granted in Section IV. B. of this agreement and except where otherwise expressly stated, neither party grants the other party any right, title, or interest in or to the other party’s trade names, trademarks, service marks, logos, domain names, and other distinctive brand features (“Brand Attributes”). You shall not make any statement regarding your use of the Uber API Services which disparages Uber or its business partners.
The documentation for the Uber API you use may include guidelines for providing attribution to Uber. You agree to provide any attribution in accordance with the guidelines and as further described in our Design Guidelines, which may be updated from time to time. You can use these resources but you must not make any changes or modifications to them.
¶ VII. Privacy
¶ A. Uber Data.
Except for third party content described herein, “Uber Data” includes all data received from Uber through an Uber API. Where such data includes Personal Data (as defined below) and/or other non-public content relating to a user, such content must not be exposed to other users or to third parties without proper consent from that user.
¶ B. Personal Information.
If your use of the Uber API Services or access to Uber Data requires or will likely result in the provision of personal information directly to Uber, you agree to adequately inform and obtain all necessary consents and authorizations from the applicable users to provide such personal information to Uber and retain written records of such consents. Uber will treat personal information obtained from you through your use of Uber APIs in accordance with the applicable privacy and data protection laws and its posted privacy notice.
¶ C. Confidentiality.
You may be given access to information that is confidential to Uber (“Uber Confidential Information”), which may include your credentials as well as any materials, communications or other information that is marked confidential or that would reasonably be considered confidential under the circumstances. You agree to use Uber Confidential Information only for the purpose of using the Uber API Services in accordance with the Terms, and, unless compelled by a court of applicable jurisdiction (and you gave Uber written notice and a reasonable chance to defend its interests prior to such court compelled disclosure), you agree to not disclose any Uber Confidential Information to any third party without Uber’s prior written consent.
Uber Confidential Information does not include information that you independently developed, that was rightfully given to you by a third party without any confidentiality obligation, or that becomes public through no fault of your own or any party under your control.
¶ D. Security.
You agree to implement and maintain appropriate technical, physical, and organizational measures to protect Uber Data and Uber Confidential Information against unauthorized or unlawful processing and against unauthorized loss, destruction, damage, alteration, or disclosure in the same manner that you would protect your own confidential and proprietary information but in no event using less than a reasonable degree of care.
¶ VIII. Term; Termination and Survival
¶ A. Term; Termination.
These Terms of Use will apply for as long as you access and use the Uber API Services. You may terminate these Terms of Use at any time by giving us notice and ceasing to access and use the Uber API Services. Uber at its sole discretion may terminate these Terms of Use at any time, including if it determines that you have violated or attempted to violate the Terms. These Terms of Use will terminate automatically in the event the Uber APIs you use are no longer made available to you, if your Supplemental Agreement with Uber is terminated or expires, or if any representations you make herein are deemed or found to be untrue.
Upon termination of these Terms of Use, you will immediately stop using the Uber APIs, cease all use of the Uber intellectual property and delete any cached or stored content and any Uber Data (including any Uber Confidential Information). Uber reserves the right to contact your end users to notify them of the termination of your right to use the Uber APIs and the Uber API Services.
¶ B. Survival.
The provisions set forth in these Terms of Use that, by their nature, should survive termination or expiration of these Terms of Use, will survive any expiration or termination of these Terms of Use.
¶ IX. Relationship of Parties.
The relationship of the parties is that of independent contractors. These Terms of Use do not create a partnership, joint venture, franchisee or other similar relationship. Neither party will make a public statement that suggests partnership with or sponsorship or endorsement by the other party without such party’s prior written approval.
The parties’ obligations under these Terms of Use are non-exclusive. Unless otherwise agreed upon separately in writing, neither party is precluded from marketing, licensing, positioning, providing and distributing its own products and services through other alliances, programs or partners. Nothing in these Terms of Use prohibits or restricts either party’s right to develop, make, use, market, license, position, provide and distribute products or services similar to or competitive with those of the other party as long as it does not breach, or attempt to breach, these Terms of Use.
¶ X. Representations; Indemnification; Disclaimer; Limitation of Liability.
¶ A. Representations.
You hereby represent and warrant that you have all authority necessary to bind yourself (including your entity) to these Terms of Use and that you are not prohibited from accessing or using the Uber API Services in the country in which you reside. If, at any time, you do not have authority, are legally prohibited, or do not agree to these Terms of Use, then these Terms of Use are automatically terminated, and you must discontinue all access and use of the Uber API Services immediately.
You further represent and warrant that (a) you have the right to distribute, or otherwise make available Your Products to your end users, (b) such products comply with all applicable local, state, federal and international laws and regulations as well as applicable terms of service and privacy notices and (c) Your Products do not and will not infringe the rights of any third party.
¶ B. Indemnification.
You agree to indemnify and hold Uber and its officers, directors, employees, and agents harmless from and against any and all claims, demands, losses, liabilities, and expenses (including legal fees), arising out of or in connection with: (a) your use of the Uber API Services or information obtained through your use of the Uber API Services; (b) your breach or violation of the Terms or (c) your violation of the rights of any third party, including with respect to any third party content.
¶ C. Disclaimer.
THE UBER API SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE”. UBER DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, NOT EXPRESSLY SET OUT IN THESE TERMS OF USE, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. IN ADDITION, UBER MAKES NO REPRESENTATION, WARRANTY, OR GUARANTEE REGARDING THE RELIABILITY, TIMELINESS, QUALITY, SUITABILITY, OR AVAILABILITY OF THE UBER API SERVICES OR ANY INFORMATION REQUESTED OR OBTAINED THROUGH THE USE OF THE UBER API SERVICES, OR THAT SUCH SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE. YOU AGREE THAT THE ENTIRE RISK ARISING OUT OF YOUR USE OF THE UBER API SERVICES, AND ANY INFORMATION REQUESTED OR OBTAINED IN CONNECTION THEREWITH, REMAINS SOLELY WITH YOU, TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW.
¶ D. Limitations.
WHERE PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL UBER OR ANY OF ITS SERVICE PROVIDERS, SUPPLIERS OR REPRESENTATIVES (INCLUDING OFFICERS OR DIRECTORS) BE LIABLE TO YOU OR ANY THIRD PARTY UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY AND OTHERWISE, FOR ANY: (A) LOSS OF PRODUCTION, USE, BUSINESS, REVENUE OR PROFIT, OR LOSS OF DATA OR DIMINUTION IN VALUE, OR (B) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED OR PUNITIVE DAMAGES, ARISING FROM YOUR USE OF THE UBER API SERVICES, REGARDLESS OF WHETHER YOU OR SUCH PERSONS WERE ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE. THE FOREGOING LIMITATIONS WILL SURVIVE AND APPLY EVEN IF ANY LIMITED REMEDY SPECIFIED IN THESE TERMS OF USE IS FOUND TO HAVE FAILED ITS ESSENTIAL PURPOSE. UBER’S AGGREGATE LIABILITY UNDER THESE TERMS OF USE WILL NOT EXCEED ONE HUNDRED DOLLARS ($100).
¶ XI. Support and Maintenance
Uber may provide documentation, functional and technical design documents, and other documents that may be relevant or useful in using Uber API Services. Uber has no obligation to provide any maintenance, support, or training for set-up or use of any Uber API Services.
¶ XII. Modifications
Uber in its sole discretion may modify, update or discontinue the Uber API Services. Uber may also impose additional limits on certain features and services or restrict your access to parts or all of the Uber API Services without prior notice or liability. While we can provide no guarantee, we will try to ensure that future versions of the Uber APIs are backwards compatible to the immediately preceding version.
Uber may amend these Terms of Use from time to time. Amendments will be effective upon Uber’s posting of such updated Terms of Use at this location or in the amended policies or documentation related to the Uber APIs. Your continued access or use of the Uber API Services after such posting confirms your consent to be bound by these Terms of Use, as amended.
¶ XIII. Miscellaneous
If you are using the Uber APIs or Uber API Services in Europe, these Terms of Use will be governed by the laws of the Netherlands, without regard to conflicts of law principles, and all claims arising out of or relating to these Terms of Use will be brought exclusively in the court of Amsterdam, the Netherlands. These Terms of Use were drafted in English and the English-language version shall control in the event of a conflict with any translated version. You may not assign any of the rights or obligations under these Terms of Use, by operation of law or otherwise, without the prior written consent of Uber. Any attempted assignment in violation of this paragraph is void. Uber may exercise its rights herein in its sole discretion and without prior notice. The Terms constitute the entire agreement among the parties with respect to the subject matter and supersede and merge all prior proposals, understandings and contemporaneous communications. Any delay by Uber in enforcing any of its rights under these Terms of Use, including with regard to your non-compliance, shall not constitute a waiver of Uber’s rights to future enforcement of its rights under these Terms of Use. If any part of these Terms of Use are determined to be invalid or unenforceable by a court of competent jurisdiction, that provision will be restated and enforced to the maximum extent permissible and the remaining provisions of these Terms of Use will remain in full force and effect.
¶ ADDENDUM A - DATA PROCESSING AGREEMENT
Uber and Customer have entered into this agreement (Agreement) for the provision of Uber API Services which forms part of the Terms of Use and all further agreements executed under it (collectively, the Main Agreement).
- DEFINITIONS
The following terms shall have the following meanings, and cognate terms shall be construed accordingly. Capitalized terms not defined herein shall have the same meaning set forth in the Main Agreement.
a. Affiliate means an entity that owns or controls, is owned or controlled by or is under common control or ownership of a Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
b. Controller Data Subject means a data subject to whom Controller Personal Data relates.
c. Controller Personal Data means any personal data that is processed by a Party under this Agreement in connection with its provision or use (as applicable) of the Uber API Services.
d. Data Protection Law means all laws and regulations applicable to the Controller Personal Data under the Agreement, including, as applicable, the laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, including the GDPR.
e. GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
f. Information Security Incident means any unauthorized or accidental access to, or collection, loss, destruction, damage, or alteration of Controller Personal Data, including those resulting from an actual or attempted breach of security measures used to secure Controller Personal Data.
g. Party means Uber and Customer individually.
h. Parties means Uber and Customer collectively.
The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in this Agreement have the meaning given to such terms in article 4 of the GDPR.
- ROLES AND RESPONSIBILITIES
2.1. Roles of Parties. Each Party:
2.1.1. is an independent controller of Controller Personal Data under the Data Protection Law;
2.1.2. individually determines the purposes and means of its processing of Controller Personal Data;
2.1.3. will individually inform data subjects about its processing of Controller Personal Data and allow data subjects to exercise their rights under the GDPR (if applicable);
2.1.4. will promptly inform the other Party of an Information Security Incident; and
2.1.5. will comply with the obligations applicable to it under the Data Protection Law with respect to the processing of Controller Personal Data.
2.2. Consents. If your use of the Uber API Services or access to Uber Data requires or will likely result in the provision of personal data directly to Uber, you agree to adequately inform and obtain all necessary consents and authorizations from the applicable users to provide such personal information to Uber and retain written records of such consents. Uber will treat personal data obtained from you through your use of Uber APIs in accordance with the applicable privacy and data protection laws and its posted privacy notice.
2.3. Restrictions. Section 2.1 will not affect any restrictions on either Party’s rights to use or otherwise process Controller Personal Data under this Agreement.
- SCOPE
3.1. Applicable Law. With the exception of Section 2.3, this Agreement only applies to the extent that the Data Protection Law applies to the processing of Controller Personal Data.
3.2. Uber API Services. This Agreement will only apply to Uber API Services (as defined in the Main Agreement).
3.3. Controller Personal Data. The Processing of Controller Personal Data is further specified in Annex 1, which may be amended by the Parties from time to time.
3.4. Data Processing Agreement. This Agreement will not affect any separate terms applicable between Uber and Customer reflecting a controller-processor relationship for any other services than the Uber API Services.
3.5. Communications. Customer will send any communications or notices required under this Agreement in writing and the designated contact person under the Main Agreement (if any).
- DATA TRANSFERS
Data Transfers. To the extent this Agreement involves the transfer by Uber of Controller Personal Data to Customer outside the EEA, the standard contractual clauses, included as Annex 2 to this Agreement, shall apply.
- LIABILITY
The liability of the Parties under or in connection with this Agreement will be subject to the exclusions and limitations of liability in the Main Agreement.
- PRIORITY
Effect of these Controller Terms. If there is any conflict or inconsistency between this Agreement and the Main Agreement then, subject to Sections 2.3 and 3.4, the terms of this Agreement will govern.
- CONSEQUENCES OF TERMINATION
Unless otherwise required by applicable law or agreement with the applicable data subject to retain personal data, if a data subject revokes the authorization previously granted to Customer to access their personal data, Customer must ensure that all personal data pertaining to that data subject is deleted from its products and related networks, systems and servers. If Customer stops using the Uber API Services partly or in whole or if Customer’s Uber API Services access is revoked, Customer must promptly delete all associated personal data in the same way.
¶ Annex 1 - Uber Personal Data
- Subject Matter
The Uber API Services as specified in the Terms.
- Nature and purpose of processing
Providing the Uber API Services as specified in the Terms.
- Data categories
As specified in the API Services, including but not limited to:
- Profile Information - Name, email, phone number, email address.
- Location information - Precise or approximate location, including trip information
- Usage information - Information about an Uber user’s use of Uber’s app(s) or other products or service
- Other - other information, as described in the API Services and the Uber privacy policy https://privacy.uber.com/policy
- Categories of Uber Data subjects
The API Services cover the following categories of Uber data subjects, as further detailed in the API:
- Riders - Uber users who receive on-demand transportation through Uber’s app(s)
- Drivers - Uber users who provide on-demand transportation through Uber’s app(s)
- Delivery Recipients - Uber users who receive on-demand delivery of food or other products through Uber’s app(s)
- Delivery Partners - Uber users who provide on-demand delivery services through Uber’s app(s)
- Other - other data subjects, which may be described in the API Services and the Uber privacy policy https://privacy.uber.com/policy
¶ Annex 2 - Standard Contractual Clauses
Commission Decision C(2004)5721
SET II
Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)
Data transfer agreement between
- Uber B.V., located at Mr. Treublaan 7, 1097 DP Amsterdam, The Netherlands (the “data exporter”)
And
- Customer, identified within the Main Agreement, as accepting these Clauses (the “data importer”),
each a “party”; together the “parties”.
The parties have agreed on the following Standard Contractual Clauses (the “clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Annex A.
The clauses (including Annex A and B) are effective from the date the data importer entity has clicked to accept these clauses. If you are accepting on behalf of the data importer, you represent and warrant that: (i) you have full legal authority to bind your employer, or the applicable entity, to these terms and conditions; (ii) you have read and understand the clauses; and (iii) you agree, on behalf of the party that you represent, to the clauses. The parties agree that where data importer has been presented with these clauses and clicked to accept these terms electronically, such acceptance shall constitute execution of the entirety of the clauses by both parties, subject to the effective date described above.
¶ Definitions
For the purposes of the clauses:
- “personal data”, “special categories of data/sensitive data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority/authority” shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (whereby “the authority” shall mean the competent data protection authority in the territory in which the data exporter is established);
- “the data exporter” shall mean the controller who transfers the personal data;
- “the data importer” shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country’s system ensuring adequate protection;
- “clauses” shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
The details of the transfer (as well as the personal data covered) are specified in Annex B, which forms an integral part of the clauses.
¶ I. Obligations of the data exporter
The data exporter warrants and undertakes that:
- The personal data have been collected, processed and transferred in accordance with the laws applicable to the data exporter.
- It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses.
- It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established.
- It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time.
- It will make available, upon request, a copy of the clauses to data subjects who are third party beneficiaries under clause III, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the data exporter shall abide by a decision of the authority regarding access to the full text of the clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the clauses to the authority where required.
¶ II. Obligations of the data importer
The data importer warrants and undertakes that:
- It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
- It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data.
- It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.
- It will process the personal data for the purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.
- It will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).
- At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage).
- Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.
- It will process the personal data, at its option, in accordance with:
a. the data protection laws of the country in which the data exporter is established, or
b. the relevant provisions of any Commission decision pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data, or
c. the data processing principles set forth in Annex A.
- Data importer to indicate which option it selects: the data processing principles set forth in Annex A
Data importer accepts by virtue of accepting these clauses.
- It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer and
- the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or
- the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or
- data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or
- with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer
¶ III. Liability and third party rights
- Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.
- The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).
¶ IV. Law applicable to the clauses
These clauses shall be governed by the laws of the country in which the data exporter is established, with the exception of the laws and regulations relating to processing of the personal data by the data importer under clause II(h), which shall apply only if so selected by the data importer under that clause.
¶ V. Resolution of disputes with data subjects or the authority
- In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
- The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
- Each party shall abide by a decision of a competent court of the data exporter’s country of establishment or of the authority which is final and against which no further appeal is possible.
¶ VI. Termination
- In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.
- In the event that:
a. the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a);
b. compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import;
c. the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses;
d. a final decision against which no further appeal is possible of a competent court of the data exporter’s country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or
e. a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs;
then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these clauses.
- Either party may terminate these clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.
- The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause VI(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.
¶ VII. Variation of these clauses
The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.
¶ VIII. Description of the Transfer
The details of the transfer and of the personal data are specified in Annex B. The parties agree that Annex B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause I(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the authority where required. Annex B may, in the alternative, be drafted to cover multiple transfers.
¶ ANNEX A - DATA PROCESSING PRINCIPLES
- Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the data subject.
- Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
- Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.
- Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.
- Rights of access, rectification, deletion and objection: As provided in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.
- Sensitive data: The data importer shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause II.
- Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.
- Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when:
a. such decisions are made by the data importer in entering into or performing a contract with the data subject, and
b. the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to those parties, or
c. where otherwise provided by the law of the data exporter.
¶ ANNEX B
Parties refer to Annex 1 to the Agreement for the purposes of this Annex B