Astra Self Drive Cars Ltd
(“Astra”, “we”, “us”, “our”)

 

• Short-term car rental
• Long-term leasing and fleet management
• Corporate and individual vehicle solutions
• Car sales and transportation services

 
3. What personal data we collect

We collect personal data that you voluntarily provide to us, or which we receive in the context of our relationship with you (or with the organisation you represent). This may occur, for example, when you:

• Make a booking enquiry (online, by phone, or in person)
• Rent or lease a vehicle from us
• Add an additional driver to a rental or leasing agreement
• Communicate with us regarding any of our services
• Subscribe to our newsletter or marketing communications
• Visit our website(s) or use our online tools and forms
• Interact with us in the context of fleet management services

Depending on the service, we may collect the following types of personal data:
Identification and contact details

• Title, full name
• Residential / contact address
• Country of residence
• Telephone number(s)
• Email address

Official documents and driving details

• ID card / passport details (number, issuing country, expiry date)
• Driving license details (number, issuing country, categories, validity dates)
• Date of birth and age (to verify eligibility to drive and/or rent)

Contract and payment details

• Rental or leasing contract details
• Vehicle details (registration number, model, group, etc.)
• Payment information (e.g., method of payment, partial bank card details where applicable, billing information)

Telematics / vehicle usage data (where applicable)
If a vehicle is equipped with a GPS-based telematics system, we may collect certain data generated by the device, such as:

• Vehicle location and movement data (e.g., GPS coordinates, speed, direction)
• Mileage and odometer readings
• Fuel level and consumption estimates
• Technical data relevant to maintenance (e.g., warnings, fault codes)
• Date, time and duration of trips
  We use this data strictly for the purposes described in Section 4 and Section 5 below.

Communications and feedback

• Records of your correspondence with us (emails, letters, contact forms, complaints, requests)
• Feedback, surveys and reviews regarding our services

We do not intentionally collect special categories of personal data (such as health data or data revealing racial or ethnic origin) unless this is strictly necessary for a specific purpose, and only where permitted by law and subject to appropriate safeguards (for example, information about an accident or injury in an insurance claim context).
 
4. How we use your personal data and legal basis

We take your privacy seriously and will only process your personal data where we have a lawful basis under GDPR. Depending on the context, we may process your data for the following purposes and on the following bases:
4.1 To perform a contract with you or take steps at your request before entering into a contract
(e.g. Article 6(1)(b) GDPR)

• To process booking enquiries and confirm reservations
• To conclude and manage rental or leasing agreements
• To manage your account and our ongoing business relationship
• To provide customer support and respond to your requests

4.2 To comply with a legal obligation
(e.g. Article 6(1)(c) GDPR)

• To comply with tax, accounting and corporate obligations
• To comply with road traffic, insurance and public authority requirements
• To respond to lawful requests from authorities, courts or regulators
• To maintain records as required by applicable legislation

4.3 For our legitimate interests
(e.g. Article 6(1)(f) GDPR), provided those interests are not overridden by your rights

• To manage and improve our services, operations and vehicles
• To protect our assets, vehicles and business (for example, prevention and investigation of theft, misuse, damage or fraud)
• To manage and optimise fleet operations (including telematics – see Section 5)
• To ensure network and information security
• To handle and resolve any disputes, complaints or claims
• To obtain feedback to improve our facilities, products and customer experience

4.4 Based on your consent
(e.g. Article 6(1)(a) GDPR), where required

• To send you newsletters, promotional offers and information about our services that may be of interest to you
• To use certain telematics features for non-essential purposes where required by law (e.g. detailed driver behaviour analytics solely for marketing or non-safety purposes)
• Any other purpose specifically requested and/or agreed by you

Where we rely on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
We do not carry out decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.
 
5. Telematics and GPS-based vehicle data

Some of our vehicles, particularly in our leasing and fleet management services, may be equipped with a GPS-based telematics device. Where installed, we may use telematics data for the following purposes:

• Vehicle safety and security: locating a stolen or missing vehicle; assisting in recovery; investigating suspected theft, misuse or damage.
• Contract and mileage management: monitoring mileage and usage to manage contracts, invoicing, and any agreed kilometre limits.
• Maintenance and servicing: receiving technical alerts and mileage data to plan maintenance, servicing and repairs, ensuring safe and reliable operation of the vehicle.
• Accident and incident handling: investigating accidents or incidents involving our vehicles, supporting insurance claims and determining what happened.
• Fleet management and optimisation (B2B): providing corporate clients with fleet reports (e.g. utilisation, mileage, route efficiency) in line with our agreement with them.

Where telematics devices are used in vehicles driven by employees of our corporate customers, those employers are responsible for informing their employees and ensuring that their own use of such data complies with applicable labour and privacy laws.
Telematics data is accessed only by authorised Astra personnel and trusted service providers under strict confidentiality and security obligations. We do not use telematics data to make decisions solely by automated means that produce legal effects for you (for example, we do not automatically terminate contracts based purely on telematics data without human review).
 
6. Who can access your personal data

Your personal data is principally processed and stored at our central offices in Nicosia and, where appropriate, at our branches and operational locations in Cyprus.
Access to personal data is strictly limited to:

• Our employees who need the information to perform their duties and are subject to confidentiality obligations; and
• Selected third parties acting as data processors on our behalf, such as:
  • IT and cloud service providers
  • Telematics platform providers and technical support
  • Payment service providers and banks
  • Professional advisers (lawyers, auditors, accountants)
  • Insurance companies and claims handlers

These third parties process personal data only following our instructions and under contracts that require them to implement appropriate technical and organisational measures to protect the data.
 
We may also share your data where required by law or where necessary to protect our rights, such as with:

• Police, regulatory or governmental authorities
• Courts and legal bodies
• Insurance companies and their representatives

We do not sell or rent your personal data to third parties.
 
7. International transfers

As a general rule, we aim to keep your personal data within the European Economic Area (EEA). If we need to transfer your personal data to a country outside the EEA which does not offer an equivalent level of data protection, we will ensure that appropriate safeguards are in place, such as:

• An adequacy decision by the European Commission; or
• Standard contractual clauses approved by the European Commission; or
• Any other appropriate safeguard recognised under GDPR.

You may contact us if you would like more information about the safeguards in place for international transfers.
 
8. How long we keep your personal data

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal, regulatory and contractual obligations, in line with our Data Retention Policy.
In particular:

• Data related to rental or leasing agreements is typically kept for the duration of the contract and for a period thereafter as required by law (for example, for tax and accounting obligations, limitation periods for legal claims, etc.).
• Telematics data is retained for a period that is necessary and proportionate to the purposes described in Section 5 (e.g. contract management, maintenance planning, incident investigation), after which it is securely deleted or anonymised.
• Personal data used for marketing and service update notifications will be kept until you opt out or object to such communications, or we otherwise determine that the information is no longer up to date or relevant.

After the applicable retention periods have expired, your personal data will be irreversibly destroyed, anonymised or otherwise rendered unusable, unless destruction is prohibited for legal, regulatory or technical reasons.
Any requests for further information about the retention of specific categories of data, or requests for deletion, should be addressed to:
📧 info@astragroup.com.cy
 
9. How we protect your data

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include, where appropriate:

• Access controls and authentication
• Physical security of premises and equipment
• Encryption and secure communication technologies
• Regular backups and system resilience measures
• Staff training and confidentiality obligations
• Incident detection, management and response procedures

While we take reasonable steps to protect your personal data, no system or transmission over the internet can be guaranteed as 100% secure.
 
10. Marketing communications

We may use your contact details to send you information about our services, special offers, promotions, news or events that we believe may be of interest to you.
You can opt out of marketing communications at any time by:

• Clicking the “unsubscribe” link (where available) in any marketing email you receive from us; or
• Contacting us at info@astragroup.com.cy and stating that you no longer wish to receive marketing communications.

Even if you opt out of marketing, we may still contact you with non-marketing messages, for example regarding your current contracts, bookings, invoices, or important service notifications.
 
11. Cookies and website usage

When you visit our websites (including, for example, www.astracarrentals.com and any Astra Group web pages), we may collect certain information automatically through cookies and similar technologies, such as:

• IP address and approximate location
• Device and browser type
• Pages visited and time spent
• Referring websites

We use this information to operate and improve our websites, understand usage patterns and enhance user experience. Where cookies are not strictly necessary for the functioning of the site, we will obtain your consent where required by applicable law. For more detailed information, please refer to the cookie information or banner provided on our websites.
 
12. Your rights

Under GDPR and applicable data protection laws, you have certain rights in relation to your personal data. Subject to specific conditions and exceptions, these include:

• Right of access – to obtain confirmation as to whether we process your personal data and, if so, to receive a copy and certain information about the processing.
• Right to rectification – to request correction of inaccurate or incomplete personal data.
• Right to erasure (“right to be forgotten”) – to request deletion of your personal data where there is no lawful reason for us to continue processing it.
• Right to restriction of processing – to request that we limit the processing of your personal data in certain circumstances.
• Right to data portability – to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller, where technically feasible and where the processing is based on consent or contract and carried out by automated means.
• Right to object – to object to processing based on our legitimate interests, including profiling related to such interests, and to object at any time to the processing of your personal data for direct marketing purposes.
• Right to withdraw consent – where processing is based on your consent, you have the right to withdraw that consent at any time.

You can exercise your rights by contacting us through any of the channels below (see Section 13).
If you make a request, we may need to verify your identity before responding. We will respond within the timeframes set by law.
 
13. How to contact us

If you wish to exercise any of your rights, or if you have any questions, comments or complaints about this Privacy Notice or our processing of your personal data, you can contact us at:
Astra Self Drive Cars Ltd
📍 1 Metochiou Street, 1101 Nicosia
P.O. Box 24264, 1703 Nicosia, Cyprus
📧 info@astragroup.com.cy
You may also contact us via the contact forms available on our website(s).
 
14. Right to lodge a complaint with the supervisory authority

If you believe that your personal data has not been handled in accordance with the law and our efforts to resolve the matter with you have not been satisfactory, you have the right to lodge a complaint with the competent supervisory authority:
Office of the Commissioner for Personal Data Protection
1 Iasonos Street
1082 Nicosia
P.O. Box 23378
1682 Nicosia
Tel: +357 22818456
Fax: +357 22304565
Website: (search “Office of the Commissioner for Personal Data Protection Cyprus”)
 
15. Changes to this Privacy Notice

We may update this Privacy Notice from time to time in order to reflect changes in our practices, services, or applicable laws. Any updates will be published on our website(s) and will take effect from the date of publication.
This Privacy Notice was last updated on 13 November 2025
 
Constantinos Kontos
Managing Director
Astra Self Drive Cars Limited