HALEN: Comprehensive Privacy Policy

2.1 When Halen Is a Data Controller (or “Business”)

Halen acts as a data controller or “business” under applicable privacy law when it determines the purposes and means of processing personal information. This includes the processing of rider, customer, driver, host, and guest data for our own platform operations, safety, fraud prevention, marketing, and business analytics.

2.2 When Halen Is a Data Processor (or “Service Provider”)

Halen may act as a data processor or “service provider” when processing personal information on behalf of business customers, enterprise accounts, or third-party partners who direct how data is processed. In such cases, the business customer's privacy policy and instructions govern use of that data.

3.1 Information You Provide (All Services)

The following categories of information may be collected from all users:

3.2 Information Collected Automatically

3.3 Driver, Courier, and Service Provider Information

In addition to the general information above, drivers, couriers, and other service providers on our platform provide:

• Government-issued photo identification (e.g., driver's license, state ID, or passport)
• Social Security Number or Individual Taxpayer Identification Number (for tax reporting purposes)
• Vehicle information: make, model, year, color, license plate, vehicle identification number (VIN)
• Vehicle registration and title documents
• Commercial auto insurance documentation
• Background check results and consent (processed by authorized third-party providers)
• Motor vehicle record (MVR) information
• Selfies and facial photos used for real-time identity verification (liveness checks)
• Banking and direct deposit information for earnings payouts
• Earnings, trip history, delivery history, and performance metrics

3.4 Flight Booking Service Information

When you use our flight booking services, we collect:

• Passport number, passport expiration date, country of issuance, and nationality
• Full legal name as it appears on government-issued travel documents
• Date of birth (required for airline reservations)
• TSA Known Traveler Number (KTN) and/or Global Entry / NEXUS number
• Redress Number (for travelers who have experienced screening difficulties)
• Airline frequent flyer program membership numbers and tier status
• Seat preferences, meal preferences, and accessibility or special assistance requirements
• Co-traveler names and contact information
• Travel insurance selections and related health disclosures, if applicable
• Itinerary details including flight numbers, departure/arrival airports, and dates
• Loyalty program credentials if linked to your account

3.5 Vacation Rental Guest Information

When you book vacation rentals through Halen, we collect:

• Government-issued ID (in jurisdictions where required by law or requested by hosts for verification)
• Number of guests and names of accompanying travelers, including minors
• Check-in and check-out dates and times
• Purpose of stay (where provided)
• Guest verification information, which may include facial photo matching
• Communication with hosts through our platform messaging system
• Damage deposit information and associated payment details
• Review and rating of the property and host

4.1 Providing and Operating the Services

• Enable and manage rider trip requests, driver acceptances, and trip completion
• Enable and manage delivery orders, restaurant/merchant confirmations, and courier assignments
• Enable flight searches, fare comparisons, and airline reservations
• Enable vacation rental searches, host/guest matching, booking management, and check-in coordination
• Provide navigation, route optimization, and estimated times of arrival
• Facilitate payments, refunds, driver/host payouts, and financial reconciliation
• Provide in-app communication tools between riders, drivers, customers, couriers, hosts, and guests
• Process promotional codes, referral credits, and loyalty rewards

4.2 Safety, Security, and Trust

• Verify the identity and eligibility of riders, drivers, delivery customers, couriers, hosts, and guests
• Conduct background checks for drivers, couriers, and other service providers
• Perform real-time identity verification (liveness checks) for drivers and hosts
• Detect, investigate, and prevent fraud, abuse, unauthorized access, and other harmful or illegal activity
• Enable safety features such as real-time trip sharing, emergency assistance, and incident reporting
• Handle insurance claims, accident investigations, and platform policy enforcement
• Monitor for violations of our Terms of Use, community guidelines, and applicable law

4.3 Communications

• Send transactional notifications about your account, trips, orders, bookings, and policy updates
• Provide customer support and respond to inquiries and disputes
• Send marketing communications about new features, promotions, and services (you may opt out at any time)
• Send surveys and solicit feedback to improve our Services
• Notify hosts and guests about upcoming reservations, check-in instructions, and changes

4.4 Legal, Compliance, and Business Purposes

• Comply with applicable laws, regulations, tax obligations, and governmental requests
• Comply with U.S. Department of Transportation (DOT) regulations governing air travel
• Comply with Transportation Security Administration (TSA) requirements for passenger name records and watchlist screening
• Comply with local short-term rental regulations, occupancy tax requirements, and licensing obligations
• Comply with Fair Credit Reporting Act (FCRA) requirements for background checks
• Comply with state-specific privacy laws (CCPA, CPRA, VCDPA, and others)
• Enforce our Terms of Use and other contractual agreements
• Defend against legal claims and protect the rights, safety, and property of Halen and our users

4.5 Flight Booking-Specific Uses

• Transmit passenger name records (PNR) and personally identifiable information (PII) to airlines, Global Distribution Systems (GDS), and relevant government bodies as required to complete bookings
• Submit Advance Passenger Information (API) and Passenger Name Records (PNR) to CBP/DHS for international flights, as required by law
• Process changes, cancellations, and refunds in accordance with airline fare rules
• Facilitate travel insurance claims and emergency travel assistance
• Store itinerary information for account trip history and customer support purposes

4.6 Vacation Rental Guest-Specific Uses

• Share necessary booking and identity information with hosts to complete reservations
• Process security deposits, damage claims, and resolution center disputes
• Verify guest eligibility based on host requirements and local regulations
• Facilitate check-in, access code delivery, and departure coordination

4.7 Vacation Rental Host-Specific Uses

• Verify host identity, property ownership or authorization, and regulatory compliance
• Process payout disbursements and maintain tax reporting records
• Provide performance analytics, occupancy metrics, and pricing recommendations
• Facilitate occupancy tax collection and remittance where Halen acts as a tax collection intermediary

6.1 Between Riders and Drivers

• Riders' first name, rating, profile photo, pick-up and drop-off locations, and trip details are shared with their matched driver to complete a trip
• Drivers' first name, vehicle make/model/color/plate, profile photo, rating, and real-time location are shared with matched riders
• Full addresses and contact details beyond masked in-app communication are not shared between riders and drivers without consent

6.2 Between Customers and Delivery Couriers

• Customer's first name, delivery address, and order instructions are shared with their assigned courier
• Couriers' first name, profile photo, real-time location, and vehicle information are shared with customers during active deliveries
• Specific dietary preferences or health-related order details are not shared with couriers beyond what is necessary to fulfill the order

6.3 With Merchants, Restaurants, and Retailers

• Order details, item selections, special instructions, and customer first name are shared with the merchant fulfilling a delivery order
• Customer dietary restrictions or allergen information provided in connection with an order are shared with the relevant merchant to fulfill the order
• Full customer addresses are provided to merchants only when operationally required

6.4 With Airlines and Flight Booking Partners

• Passenger Name Records (PNR), including full legal name, date of birth, passport details, and contact information, are transmitted to airlines and Global Distribution Systems (GDS) such as [Sabre / Amadeus / Travelport — INSERT APPLICABLE GDS] to complete bookings
• Advance Passenger Information (API), including passport and nationality data, is submitted to U.S. Customs and Border Protection (CBP) and foreign customs authorities for international travel, as required by law
• Frequent flyer numbers and loyalty program data are shared with airlines upon your request to earn or apply miles
• Travel insurance providers receive trip details and, where applicable, health or medical information necessary to process coverage or claims

6.5 Between Vacation Rental Guests and Hosts

• Upon confirmed booking, guests' first name, profile photo, and booking dates are shared with the host
• Hosts may receive guest identity verification status (verified/not verified) but do not receive raw government ID documents
• Guests receive the property address, host contact information, and access instructions only after booking is confirmed and payment has been processed
• Guest reviews are published on host profiles; host reviews are published on guest profiles
• In the event of a damage claim, relevant evidence including photos and documentation may be shared between parties through our resolution center

6.6 With Vacation Rental Hosts (Host Information)

• Host personal information is shared with Halen's payment processors to facilitate payouts
• Host tax identification information is shared with applicable tax authorities as required by law, and on IRS Form 1099-K where thresholds are met
• Local regulatory authorities may receive host listing information in jurisdictions where Halen is required to report short-term rental activity

6.7 With Service Providers and Business Partners

We share information with third parties that perform services on our behalf, including:

• Payment processing, fraud detection, and chargeback management
• Background check and identity verification providers
• Cloud hosting, data storage, and infrastructure providers
• Analytics, A/B testing, and performance monitoring tools
• Customer support platforms and ticketing systems
• Marketing, advertising, and email communication platforms
• Mapping, navigation, and geolocation service providers
• Insurance claims administrators

These service providers are authorized to use your information only as necessary to perform services for Halen or to comply with applicable law. They are bound by data processing agreements consistent with applicable privacy law.

6.8 For Legal Reasons

We may disclose personal information to law enforcement, regulatory agencies, or other third parties when we have a good-faith belief that disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or enforceable government request
• Enforce our Terms of Use and other agreements
• Detect, prevent, or address fraud, security, or technical issues
• Protect the rights, property, or safety of Halen, our users, or the public

6.9 Business Transfers

In connection with any merger, acquisition, financing, restructuring, bankruptcy, or sale of all or a portion of our business or assets, personal information may be shared or transferred as part of the transaction. We will notify you via email or prominent notice on our Services prior to information becoming subject to a different privacy policy as a result of such a transaction.

7.1 Biometric Data

Halen may collect facial images and conduct liveness checks for driver identity verification. In states with specific biometric privacy laws (including Illinois BIPA, Texas CUBI, and Washington's biometric law), Halen will:

• Provide a separate biometric data consent disclosure prior to collection
• Obtain explicit written consent before collecting biometric identifiers
• Not sell, lease, trade, or profit from biometric data
• Establish and maintain a publicly available retention schedule and destruction guidelines
• Destroy biometric data within the timeframes required by applicable law

8.1 General Rights (All Users)

• Access: Request a copy of the personal information we hold about you
• Correction: Request that we correct inaccurate or incomplete personal information
• Deletion: Request that we delete your personal information, subject to legal retention requirements
• Data Portability: Receive your personal information in a structured, commonly used format
• Opt-Out of Marketing: Unsubscribe from marketing emails or adjust notification preferences in your account

8.2 California Residents (CCPA / CPRA)

California residents have the following additional rights:

• Right to Know: Request the specific pieces and categories of personal information we have collected, used, disclosed, or sold about you in the past 12 months
• Right to Delete: Request deletion of personal information we collected from you (subject to exceptions)
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt Out: Opt out of the sale or sharing of personal information for cross-context behavioral advertising
• Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to necessary purposes
• Right to Non-Discrimination: We will not deny service, charge different prices, or provide a different quality of service because you exercised your rights
• Shine the Light (Cal. Civil Code § 1798.83): California residents may request information about disclosures of personal information to third parties for direct marketing purposes

8.3 Other State-Specific Rights

Residents of the following states may have additional rights under their respective privacy laws:

• Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Montana (MCDPA), Oregon (OCPA), and other states with comprehensive privacy laws: Rights to access, correct, delete, obtain a portable copy, opt out of targeted advertising, opt out of profiling with significant effects, and appeal decisions

To exercise state-specific rights, contact us using the methods in Section 14 and specify your state of residence.

8.4 How to Submit a Privacy Rights Request

• Online: Submit a request through our Privacy Portal
• Email: Send your request to [email protected] with the subject line “Privacy Rights Request”

We will verify your identity before processing your request. Response times comply with applicable law (generally 45 days for CCPA, with a possible 45-day extension). We will not fulfill requests where we cannot verify your identity.

11.1 Technical Safeguards

• Encryption of personal information in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
• Tokenization of payment card data; raw card numbers are not stored on Halen systems
• Encryption of sensitive fields including passport numbers, Social Security Numbers, and government IDs
• Secure key management practices using industry-standard key management systems
• Multi-factor authentication for internal systems and user accounts
• Regular penetration testing and vulnerability assessments
• Real-time fraud detection and anomaly monitoring systems

11.2 Administrative Safeguards

• Access controls limiting employee access to personal information on a need-to-know basis
• Background checks for employees with access to sensitive data
• Annual privacy and security training for all employees
• Data processing agreements with all vendors and service providers
• Incident response procedures and breach notification protocols compliant with applicable law

12.1 Transfers to the United States

If you access our Services from outside the United States, your information will be transferred to and processed in the United States, which may have data protection standards different from those of your jurisdiction.

12.2 International Flight Booking Data

For international flight bookings, passenger data (including passport information) is required to be transmitted to foreign airlines, Global Distribution Systems, and government authorities in destination and transit countries as required by law. These transfers are mandatory and cannot be avoided for international travel.

12.3 Safeguards for International Transfers

Where required by applicable law, Halen implements appropriate safeguards for international transfers of personal data, which may include:

• Standard Contractual Clauses (SCCs) approved by the European Commission, for transfers involving EU/EEA personal data
• Data processing agreements with international service providers
• Adequacy decisions where applicable