Last updated: 03/11/2025

1. Scope of application
   This Privacy Policy provides relevant information about the processing of personal data carried out through the Catcher Marketplace Platform (hereinafter, the “Platform”), operated by Catcher Marketplace Portugal, Unipessoal LDA (hereinafter, “Catcher”) via the website https://catcher.delivery/pt/ (hereinafter, the “Website”) and the Catcher Driver mobile application (hereinafter, the “Application”). Users of the Platform (both data subjects and persons involved in data processing) are advised to read it carefully before accepting it. If you have any questions regarding this Privacy Policy, you can contact us at [email protected].

When registering on the Platform, restaurants (hereinafter, the “Businesses”) and couriers (hereinafter, the “Couriers”) must read and accept this Privacy Policy. If they do not agree, Businesses and Couriers must refrain from registering.

2. Who is the Data Controller
   The Data Controller for the personal data of Businesses and Couriers collected through the Platform in accordance with this Privacy Policy (hereinafter, the “Data Controller”) is Catcher, whose address is António Augusto de Aguiar, 19-4º, Right, room B, 1050-012 Lisbon, registered under NIPC 980821703.

Catcher will not be responsible for the processing of final consumers’ personal data provided by Businesses, in respect of which Catcher acts as data processor in accordance with section 3.2.3.

3. Data collected, purpose of processing and legal basis
   1. Processing of Businesses’ personal data

3.1.1. Type of personal data collected in the context of Catcher’s provision of services via the Platform

Registration data: To use the Platform, Businesses must provide the following personal data in the “Register your business” form: first name and surname, email address, telephone number, type of business, name of the establishment, number of establishments and number of monthly orders.

Administrative management data: In addition to the registration data, Businesses must provide information for administrative management as the contact person for the Business record.

Payment information: When registering on the Platform, the Business must add a payment method linked to its account on the Platform. When adding the Payment Method, the Platform will ask the Business to provide Catcher or third-party payment processors (the “Payment Service Providers”) with certain information for billing purposes, including: (i) name, (ii) billing address and (iii) details of the financial instrument used. The Business authorises Catcher and its Payment Service Providers to collect and store information relating to its Payment Method. The Payment Methods added by the Business may involve the use of third-party technology-based payment service providers (for example, STRIPE or Revolut), which will also have access to the data.

Service preferences: Businesses may indicate on the Platform the conditions Couriers must meet in order to provide the delivery service (being within a maximum distance from the pick-up location, having a specific type of vehicle, etc.).

Information provided in the context of communications with Catcher: Likewise, during the provision of the service, Businesses may provide personal data in order to resolve any query or complaint regarding use of the Platform, service provision, delivery incidents, payments, etc.

3.1.2. Purposes of processing and legal basis
The data of Businesses indicated in the previous section, and any other personal data that Businesses may provide during the course of the contractual relationship between the parties, will be processed by Catcher for the following purposes:

• Purpose: Provision of the service, including payment management, management of incidents relating to the Platform or orders, resolution of queries, communication of changes to service conditions, legal texts of the Platform, etc.
  Legal basis: Existence of a contractual relationship and Catcher’s legitimate interest in complying with legal obligations and in the correct provision of the service.
• Purpose: Ensuring compliance with applicable legislation, responding to possible requests from authorities, detecting and investigating possible fraud or breaches by users, taking legal action, etc.
  Legal basis: Catcher’s legitimate interest in complying with legal obligations and guaranteeing the safety and protection of users.
• Purpose: Carrying out marketing activities and managing the sending of commercial communications.
  Legal basis: Consent of Platform users to receive commercial communications.
• Purpose: Statistical and research purposes.
  Legal basis: Catcher processes statistical and research data in accordance with its legitimate interest in understanding how users interact on the Platform.

3.1.3. Data processing within the framework of Catcher’s service provision
In the context of the provision of services through the Platform, Catcher, acting as data processor, will have access to and process personal data of the final customers of the Businesses that are necessary for Couriers to carry out deliveries and in respect of which Businesses act as Data Controllers. The obligations of each of the Parties in relation to this data processing are regulated in the data access agreement included in the Platform Terms and Conditions of use for Businesses.

3.2. Processing of Couriers’ personal data

3.2.1. Type of personal data collected in the context of Catcher’s provision of services via the Platform

Registration data: To use the Platform, Couriers must provide the following personal data in the registration form “Send your details and start invoicing”: first name and surname, email address, telephone number, ID number, photos of it, city of residence, billing address, certificate of compliance with Social Security obligations and bank account ownership certificate. Catcher will also use this data to verify the identity of Couriers and confirm that they are authorised to provide the services. For this purpose, Catcher may ask Couriers to send updated documentation from time to time.

Payment information: When registering on the Platform, the Courier must add the information necessary for payment of their services. When creating the account, the Platform will ask the Courier to provide Catcher or third-party payment processors (the “Payment Service Providers”) with certain information for payment purposes, including: (i) DNI/N.I.E., (ii) the bank account ownership certificate, and (iii) form 036 or 037 – Self-employed. The Courier authorises Catcher and its Payment Service Providers to collect and store information relating to the remuneration of their services, which may involve the use of third-party technology-based payment service providers (for example, STRIPE or Revolut), which will also have access to the data.

Information provided in the context of communications with Catcher: Likewise, during the provision of the service, Couriers may provide personal data in order to resolve any query or complaint regarding use of the Platform, service provision, delivery incidents, payments, etc.

Geolocation data: Catcher will collect geolocation data in order to know the Courier’s location while providing services to Businesses. This information is necessary for the Courier to be able to provide the service, since without its activation Business notices, or notifications relating to those notices, cannot be filtered by distance and price. The Courier therefore agrees to be geolocated when using the Catcher Application, for the purpose of providing distance information to the Business and to the Platform. This makes it possible to calculate the final price of the service, parameterised by the Courier, by setting the amount they wish to charge per kilometre for a service (which is a variable amount) in addition to their base fee. Likewise, geolocation is necessary to confirm to the Business that an order has been collected at the specific establishment address, and to confirm delivery of an order at the delivery address and thus prove completion of a billed service. Furthermore, the final customer will be able to know the Courier’s location via the link that the Business will send them through the Platform when placing the order. Geolocation will only take place in real time and this information will not be stored. Likewise, Couriers can only be geolocated when they are providing a service or when they activate it to receive order notifications in the area where they are located.

3.2.2. Purposes of processing and legal basis
The data of Couriers indicated in the previous section, and any other personal data that Couriers may provide during the course of the contractual relationship between the parties, will be processed by Catcher for the following purposes:

• Purpose: Provision of the service, including payment management, management of incidents relating to the Platform or orders, resolution of queries, communication of changes to service conditions, legal texts of the Platform, etc.
  Legal basis: Existence of a contractual relationship and Catcher’s legitimate interest in complying with legal obligations and in the correct provision of the service.
• Purpose: Ensuring compliance with applicable legislation, responding to possible requests from authorities, detecting and investigating possible fraud or breaches by users, taking legal action, etc.
  Legal basis: Catcher’s legitimate interest in complying with legal obligations and guaranteeing the safety and protection of users.
• Purpose: Geolocating Couriers to manage deliveries and manage possible delays or incidents in the transport of orders.
  Legal basis: Consent of Couriers / Data necessary for the correct provision of the service and price calculation.
• Purpose: Carrying out marketing activities and managing the sending of commercial communications.
  Legal basis: Consent of Platform users to receive commercial communications.
• Purpose: Statistical and research purposes.
  Legal basis: Catcher processes statistical and research data in accordance with its legitimate interest in understanding how users interact on the Platform.

3.3. Processing of biometric data during Courier identity verification

3.3.1. Purposes of processing
The purposes of biometric data processing are:

• To verify the Courier’s identity during the registration process, ensuring that the person registering is the same as the holder of the documentation provided.
• To authenticate the Courier in a unique and secure way through facial recognition, preventing identity theft.
• To verify the authenticity of official documents submitted during the registration process.
• To prevent and detect potential fraudulent activities that may compromise the security of the Platform, its users or third parties.

3.3.2. Description of processing
The verification process is carried out through the WebID (AutoID) platform, which captures a real-time facial image of the data subject (selfie with identity proof), as well as the facial image contained in their official identity document. Both images are automatically compared in order to calculate a similarity index and verify that they match.

This system does not generate or store permanent biometric templates; processing is strictly limited to the timely comparison of facial biometric patterns during the verification process.

3.3.3. Legal basis for processing
The legal basis for this processing is:

• The data subject’s explicit consent, in accordance with Articles 6.1(a) and 9.2(a) of the GDPR.
• The Data Controller’s legitimate interest, under Article 6.1(f) of the GDPR, in preventing fraud in the registration process and in authenticating drivers. This legitimate interest is recognised in Recital 47 of the GDPR, which states that processing strictly necessary to prevent fraud constitutes a legitimate interest.

3.3.4. Data processor
WebID acts as data processor within the meaning of Article 28 of the GDPR and has concluded a corresponding contract with the Data Controller, ensuring the implementation of appropriate technical and organisational measures to guarantee a level of security appropriate to the identified risks.

3.3.5. Data Subject rights
The User may exercise, at any time, the rights guaranteed by current data protection legislation, namely:

• Right of access
• Right to rectification
• Right to erasure
• Right to object
• Right to restriction of processing
• Right to data portability
• Right not to be subject to automated individual decision-making, including profiling, under Articles 15 to 22 of the GDPR. Accordingly, the User may request an alternative identity verification system involving human intervention if they do not wish to use automated facial recognition.

To exercise these rights, or for any questions related to the processing of their personal data, the User may contact our Data Protection Officer (DPO) at [email protected].

4. How we share information
   In the context of service provision, Catcher may share the personal data of Businesses and Couriers exclusively for the purposes indicated in the previous section with the following recipients:

• Third parties that provide services to Catcher or Businesses to the extent necessary for the provision of services through the Platform. For example, payment service providers.
• Law enforcement agencies, government authorities, courts, etc., when such disclosure is in accordance with applicable regulations.
• Potential investors, sellers or buyers in the context of corporate transactions of any nature, including but not limited to mergers, demergers, transfer of assets and liabilities as a whole, contribution or transfer of a business or branch of activity, or any similar corporate restructuring transaction contemplated in commercial regulations. Data subjects consent to the disclosure and availability of their data to such third parties (who will act as the new Data Controller).
• Group companies.

Likewise, Businesses accept that their information may be accessible to registered Couriers and vice versa for the purpose of offering, contracting and managing order deliveries.

Businesses will be responsible for the personal data (identification or contact data or data provided for the purpose of service execution) that Couriers may share with them through the Platform, and undertake to use them in accordance with applicable regulations. The Business may not contact the Courier beyond what is necessary to obtain information on execution of the service or to clarify queries.

Couriers will act as Data Controllers in respect of the personal data that Businesses may provide to them via the Platform relating to the final customer, and undertake to use them in accordance with applicable regulations and strictly for the purpose of providing the service to Businesses, that is, for the delivery of orders, excluding any other processing. The data must be deleted after completion of the service.

Catcher assumes no responsibility for the processing of personal data carried out by Businesses and Couriers.

5. Data Subject rights
   Data subjects may exercise the following rights in relation to the personal data that Catcher processes as Data Controller. Although some of these rights apply generally, others only apply in specific circumstances.

5.1. Access and data portability
Data subjects have the right to request certain copies of their personal data held by Catcher. In certain cases, they may also request copies of the personal data they have provided in a structured, commonly used and machine-readable format, or request that they be provided to another service provider (to the extent technically feasible).

5.2. Rectification
Data subjects have the right to request that Catcher correct inaccurate or incomplete personal data provided about them (and which they cannot modify in their Catcher account).

5.3. Erasure of data
In general, Catcher will retain personal data for as long as is necessary for performance of the contract between the data subject and Catcher, and for compliance with legal obligations, to the extent permitted by applicable regulations.

Subject to certain limitations and restrictions, data subjects have the right to request that Catcher delete their personal data. When signing up, it should be borne in mind that:

• Catcher may retain some of your personal data to the extent necessary for its legitimate business interests, such as anti-money laundering, fraud detection and prevention, and improving security. For example, if Catcher suspends an account for fraud or security reasons, Catcher may retain information from that account to prevent the User from opening another account in future.
• Catcher may retain and use your personal data to the extent necessary to comply with its legal obligations. For example, Catcher may retain your data in accordance with its tax, legal reporting and auditing obligations.
• Information that data subjects have shared with other persons (for example, reviews or posts in forums) will remain publicly available on Catcher even after their account has been closed. However, such information will no longer be linked to the data subject.
• Some copies of the data subject’s information (for example, log records) may remain in Catcher’s database, but will be removed from personally identifiable information.
• Because we ensure that Catcher is protected against accidental or malicious data loss or destruction, your personal data cannot be removed from Catcher’s backup systems for a limited period of time.

5.4. Withdrawal of consent
If Catcher is processing your personal data based on the data subject’s consent, the data subject may withdraw their consent at any time by changing their account settings or by sending a communication to Catcher specifying the consent they wish to withdraw. The data subject should note that this action does not affect the lawfulness of data processing activities carried out prior to such withdrawal in accordance with their consent.

5.5. Restriction of processing
Data subjects have the right to restrict how Catcher uses their personal data, in particular where: (i) they contest the accuracy of the data; (ii) processing is unlawful and the data subject objects to the erasure of their personal data; (iii) Catcher no longer needs the data for processing purposes, but the data subject requires them for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing under Article 5.6 (below), in which case it will be verified whether Catcher has compelling legitimate grounds that override those of the data subject.

5.6. Objection to processing
Data subjects have the right to object to the processing of their personal data, citing their particular circumstances, where such processing is for direct marketing purposes or for a purpose based on a legitimate or public interest. Where the data subject exercises their right to object on the basis of a public or legitimate interest, Catcher will cease processing their personal data for those purposes, unless it can demonstrate compelling legitimate grounds for processing or where processing is necessary for the establishment, exercise or defence of legal claims.

Where personal data of data subjects are processed for direct marketing purposes, they may request Catcher to stop such processing at any time by sending an email to [email protected].

5.7. Lodging complaints
Data subjects have the right to lodge a complaint about Catcher’s data processing activities with the competent supervisory authority.

6. Obligations of Businesses and Couriers
   Catcher is not responsible for the processing by Businesses and Couriers of personal data exchanged via the Platform.

Businesses and Couriers must notify Catcher of any changes to the data they have provided and are, in any case, responsible for the lawfulness, accuracy and truthfulness of the data provided at all times.

Both Businesses and Couriers declare and warrant that they have informed, and where necessary obtained the consent of, the data subjects whose personal data they provide via the Platform.

7. Retention periods for personal data
   Personal data will be kept for as long as necessary or permitted depending on the purposes for which they were obtained and in accordance with applicable legislation. The criteria used to determine retention periods are as follows:

• The length of time during which there is an ongoing contractual relationship and Catcher provides the services (for example, while you have an account or continue to use the Platform);
• Whether there is a legal obligation to retain data (for example, certain laws require transaction records to be kept for a specific period before they can be deleted); or
• Whether retention is advisable in view of the legal situation (for example, taking into account applicable limitation periods, legal proceedings or regulatory investigations).

In particular, registration data of Businesses and Couriers will be kept for the duration of the contractual relationship and will be erased six (6) months after its termination. By contrast, data relating to complaints submitted to Catcher will be kept for six months.

8. Changes to this Privacy Policy
   Catcher may update this Privacy Policy in future due to legal requirements or changes to the Platform or the service provided. Catcher will notify data subjects in advance in the event of substantial changes or modifications to the Privacy Policy by email or by any other means that ensures receipt.