Data Storage Policy

1. Where your data is stored

Muuva primarily stores data in secure cloud data centres located in Switzerland (Zürich region) operated by tier-1 cloud providers (AWS, Google Cloud).

Limited operational data may be processed in other regions by sub-processors (e.g., crash reporting, support tooling) under appropriate data-transfer safeguards.

2. How long we keep your data

• Account profile: for the lifetime of your account
• Order history: up to 7 years (tax and accounting law)
• Payment records: up to 7 years (regulatory)
• Live location: deleted within 24 hours of trip completion
• Support chats: 24 months
• Marketing analytics: 26 months, anonymised
• Crash logs: 90 days

3. Security controls

• TLS 1.2+ for data in transit
• AES-256 encryption at rest
• Hardware-backed secrets management
• Principle-of-least-privilege access for staff
• Quarterly third-party penetration testing
• 24/7 monitoring and incident-response runbook
• Encrypted, geo-redundant backups

4. Deletion requests

You can delete your account from Settings → Privacy → Delete Account. Once requested:

• Profile and preferences are removed within 30 days
• Order and payment records are retained for tax compliance, then deleted
• Backups are purged within 90 days

5. Breach notification

In the unlikely event of a personal data breach affecting you, we will notify you and the relevant authorities within 72 hours of discovery, as required by applicable law.

6. Sub-processors and vendor management

Delivering a global mobility and commerce platform requires us to work with a carefully vetted ecosystem of cloud infrastructure providers, security tooling vendors and specialised SaaS partners. We refer to these companies as "sub-processors" because they handle personal data on our instructions and under our contractual control.

Every sub-processor is reviewed before onboarding against a documented checklist:

• Information security certifications such as ISO 27001, SOC 2 Type II or equivalent
• Data residency commitments compatible with our Swiss-first architecture
• Signed Data Processing Agreement incorporating the latest Standard Contractual Clauses
• Documented breach-notification commitments of 48 hours or less
• Annual security questionnaire and right-to-audit clause

We maintain a public sub-processor register that lists each vendor, the category of data they process, and the country in which processing occurs. The register is updated within 14 days of any change, and customers with active enterprise agreements receive proactive notice before a new sub-processor is engaged.

7. Encryption and key management

Encryption is the backbone of Muuva's data-protection strategy. Every layer of the stack — from mobile apps to database backups — is designed so that personal data is unreadable to anyone without the appropriate cryptographic key.

• Transport encryption: all traffic between client apps and our servers uses TLS 1.2 or higher, with HSTS, certificate pinning on mobile, and modern cipher suites only
• Storage encryption: databases, object storage and message queues use AES-256-GCM with envelope encryption
• Key custody: master keys are managed by hardware security modules (HSMs) operated by our cloud providers; Muuva engineers cannot export raw key material
• Key rotation: data-encryption keys rotate every 90 days, and key access is audited in real time with anomaly alerts
• Field-level encryption: exceptionally sensitive fields such as government IDs and bank account numbers are additionally encrypted with per-tenant keys before being written to the database

If a key is suspected to be compromised, our incident-response team can re-wrap all affected data with a fresh key without any customer-visible downtime.

8. Data portability and export

You can request a copy of the personal data we hold about you in a structured, commonly used and machine-readable format. Exports include your profile information, order history, saved addresses, payment metadata (excluding sensitive card details), in-app messages and review content.

To request an export, open Settings → Privacy → Download my data inside the Muuva app, or email support@muuva.com. We aim to deliver the file as a downloadable, password-protected archive within 14 days. For larger accounts — typically vendors and fleet operators — we can also push the data directly to your S3 bucket or SFTP endpoint under a Data Processing Agreement.

9. Contact

Security questions? Email support@muuva.com or write to Muuva Technologies AG, Bahnhofstrasse 21, 8001 Zürich, Switzerland.