Our Global Coverage

Privacy Notice

Last Updated: 29th September, 2025

Previous version of the Privacy Notice

Lalamove Netherlands B.V. (hereafter: Lalamove, or we) is committed to protecting personal data of our Delivery Partner (as defined in the Delivery Partner Terms of Use and their substitutes, including all users of our website https://www.lalamove.eu/en-de and related services. We will be the “controller” of the information we hold about you. 

We operate web and mobile applications and website to act as a platform to connect users of our platform to Delivery Partners, including individuals using other modes of transportation, and to help facilitate such Delivery Partners to provide on-demand delivery services and purchasing services. This Privacy Notice explains how we collect, use, store, and protect your personal data when you use our services, visit our websites, or interact with us in any other way. It also describes your rights under applicable data protection laws and how you can exercise them.

 

1. Contacts Details

Controller:

Lalamove Netherlands B.V.

Laarderhoogtweg 25, 

1101EB Amsterdam

KvK-nummer: 98247557

Data Protection Officer (DPO):

Mr. Jiajun Liu
YK Law Munich Rechtsanwaltsgesellschaft mbH
Nymphenburger Straße 14
80335 München
Email: dpo.de@lalamove.eu

2. What Personal Data We Use and Why

We obtain data directly from you, automatically from your device or via our website and cookies/SDKs, and—in limited cases—from third parties or from service providers acting on our instructions (e.g., analytics, anti‑fraud providers, payment partners, or customers who submit feedback), consistent with your choices.

Based on our current features, we process the following categories of personal data about you for the purposes and on the legal bases as follows:

Delivery Partner-Registration. 

When you apply to become a Lalamove Delivery Partner, we collect and process certain personal data to verify your identity, confirm your eligibility, and set up your Delivery Partner account. The types of personal data we collect during the registration process and the reasons we use them are outlined below:

1. Identification and Contact Information
Full name, date of birth, address, phone number, email address
Why we use it: To create your account, verify your identity and age, communicate with you about your application.
Legal basis:
Performance of a contract (Art. 6(1)(b) GDPR)
Required? Yes – Without this information, we cannot process your application.

2. Government-Issued Documents

National ID, passport, driver’s license (front and back), trade license
Why we use it: To verify your driving eligibility and eligibility to do the business, and comply with regulatory obligations, including anti-fraud and anti-money laundering checks.
Legal basis:
Legal obligation (Art. 6(1)(c) GDPR)
Performance of a contract (Art. 6(1)(b) GDPR)
Required? Yes – Mandatory for contract and regulatory, safety compliance.

3. Profile and Vehicle Information

Delivery Partner profile with photo, vehicle details (license plate number, vehicle type), vehicle-related images
Why we use it: To confirm vehicle ownership, ensure compliance with local transport laws, and display correct details to users.
Legal basis:
Performance of a contract (Art. 6(1)(b) GDPR)
Required? Yes – Without this, you cannot be activated as a Delivery Partner.

Outside-of-Service-Area form.
You can tell us which city you’d like us to launch next; we use aggregated results to support our site-selection decision. You may optionally provide your email address so we can notify you if/when we launch in your selected city.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) in planning and improving our services.
Required? City preference is optional; email is optional.

Online identifiers & cookies.
When you visit our website, we (and, where you consent, our partners indicated in the consent) may process cookie IDs, device/advertising identifiers, and usage data for the following purposes: (1) site operation (technically necessary), (2) functional purposes, (3) performance measurement / analytics, and (4) personalized advertising. See Cookies and Related Technologies below for details and how to manage consent.
Legal basis: "Legitimate interests (Art. 6(1)(f) GDPR) in enabling the use of our website, inter alia by using Strictly necessary cookies that are required for the website to run securely; Consent (Art. 6(1)(a) GDPR) - We rely on your consent for functional analytics and advertising cookies.
Required?
Strictly necessary cookies: Yes – Without these, the website cannot operate correctly.
Functional, Analytics and advertising cookies: No – These are optional and only set with your freely given consent.

 

3. With Whom We Share Your Personal Data

We share your personal data with the recipients below for the purposes described. Where a provider acts on our instructions, it is our processor; where a provider determines purposes/means itself (e.g., major ad platforms), it acts as an independent controller (and in some cases, a joint controller). Further recipients (i.e. independent controllers) include: competent authorities, courts, law enforcement authorities (if required by law or to assert legal claims), external legal advisers, auditors and insurers. For tools that set cookies or similar technologies, we only activate them after you give consent via our cookie banner.

  • Amazon Web Services (AWS) (Amazon Web Services, Inc.) — cloud hosting and infrastructure. Processes data necessary to securely host and deliver our services (e.g., server logs, storage of application data) under a data processing agreement.

  • Cloudflare (Cloudflare, Inc.) — security and content delivery. Processes data such as IP addresses and traffic patterns to protect against malicious activity (e.g., DDoS attacks) and accelerate content delivery.

  • hCaptcha (Intuition Machines, Inc.) — bot protection. Processes interaction data (e.g., mouse movements, form inputs) to distinguish humans from automated bots and secure forms and login areas.

  • HubSpot CMS Hub (HubSpot, Inc.) — website hosting and content management.
    Processes data necessary to build, host, and manage our main website (e.g., server logs, form submissions you send to us) under a data processing agreement.

  • OneTrust CMP (OneTrust, LLC) — consent management.
    Records and stores your cookie/SDK consent choices and related logs so we can honor them and demonstrate compliance.

  • Google Tag Manager (Google LLC) — tag management.
    A container used to deploy and control other measurement/marketing tags based on your consent state. GTM itself does not provide analytics; it governs whether other tags load.Firebase (Google LLC) — app analytics and performance monitoring. Processes app usage data (e.g., crash reports, performance metrics, authentication events) to improve stability and user experience.

  • Google Maps (Google LLC) — location and mapping services. Processes geolocation and device data to provide interactive maps and location-based features within our website or app.

  • SendGrid (Twilio Inc.) — email delivery. Processes contact details and message content to send transactional and marketing emails (e.g., confirmations, notifications).

  • Vonage (Vonage Holdings Corp.) — communication services. Processes phone numbers and message content to enable SMS, voice, and messaging communication with users.

  • Typeform (Typeform S.L.) — online forms and surveys. Processes responses and form submission data to collect feedback and information from users in an interactive format.

  • Easy Mobile Logistics Hong Kong Limited (Hong Kong) - operational support
    Provide support in service provision, such as account management,  technical troubleshooting, system development, testing, order fulfillment, and fraud prevention where necessary.

  • Hypthon Limited (Hong Kong) — website maintenance support.
    Provides operational support for the official website on a ticketed, least-privilege basis under our instructions.


How to control sharing for analytics and advertising.

Analytics and advertising tools (e.g., Google Analytics) only receive data after you consent through our cookie banner. You can adjust your choices anytime via Cookie Settings

Necessary services (e.g., hosting/CMS, consent management, tag container) operate to provide the website and honor your preferences.

 

4. Cookies and related technologies

We and our partners use cookies and other technologies on our apps, websites, and online ads for purposes described in this notice.

Analytics cookies and Advertising Cookies (e.g., Google Analytics, Google Ads, Meta Pixel) are only placed on your device and they only collect data after you consent through our cookie banner.

You can adjust your choices and withdraw or change your consent anytime via Cookie Settings without affecting the lawfulness of processing before withdrawal. Necessary services (e.g., hosting/CMS, consent management etc.) operate to provide the website and honor your preferences. Please see our Cookie Notice: https://www.lalamove.eu/en-de/cookie-notice for more information.

5. How Long We Store Your Personal Data

We retain your data for as long as necessary for the purposes described in this Privacy Notice. The specific retention period may vary based on the type of data, the user category to which the data relates, the purpose for which we collected it, and whether we must retain certain data after an account-deletion request for the purposes described below.

Relevant retention periods include:

  • Delivery Partner pre-registration data. We retain your identification details for the duration of the application/onboarding process and  delete this data after a 90-day grace period following the launch of the application for Delivery Partner. Uploaded images are retained for 7 days. If application unsuccessful/cancelled: deletion after 3 months, to manage enquiries/application timeline, provided there are no longer retention obligations.

  • Other Delivery Partner account data: for the duration of the contractual relationship and beyond, in accordance with statutory retention obligations or for the life of the account and up to 3 years after closure for limitation periods (longer if needed for legal claims until their final settlement) – whatever is longer.

  • Cookies: according to cookie duration / lifespan specified in the Cookie Notice.

  • Consent logs for Website/Cookies/Server-Logs/SDKs: Generally until consent is revoked and up to 1 years after revocation for limitation period (longer if needed for legal claims).

  • Site-selection survey, we retain identifiable survey responses only until we complete our city-launch decision, plus a short audit buffer (no more than 6 months), after which we delete or irreversibly anonymize them. If you provide an email address solely to be notified when we launch in your city, we retain it until we send the notification (plus up to 6 months to manage bounces and complaints), and then delete it or add it to a suppression list.

  • Records kept to meet legal obligations. We retain certain data for defined periods as necessary to meet tax, insurance, legal, or regulatory requirements (for example, we retain transaction information in the German market for 10 years).

  • Legal Proceedings. In the case of claims and legal proceedings, this generally means we retain your data until the dispute is resolved in the final instance. 

 

6. Automated Decision-Making 

We do not make decisions based solely on automated processing that produce legal or similarly significant effects about you (Art. 22 GDPR). If this changes, we will provide meaningful information about the logic involved and your related rights.

 

7. Your Rights

You have the following rights with respect to your personal data (Arts. 15–21 GDPR):

  • Right of access (Art. 15 GDPR). You can request confirmation of whether we process your personal data and obtain a copy of such data, along with related information.

  • Right to rectification (Art. 16 GDPR). You can ask us to correct inaccurate data and to complete incomplete data.

  • Right to erasure (Art. 17 GDPR). You can ask us to delete your data in certain circumstances (for example, when it is no longer needed for the purposes for which it was collected or you withdraw consent and there is no other legal basis), subject to legal retention duties and our need to establish, exercise, or defend legal claims.

  • Right to restriction (Art. 18 GDPR). You can ask us to limit the processing of your data in certain cases (e.g., while we verify accuracy or assess an objection).

  • Right to data portability (Art. 20 GDPR). For data you provided to us, which we process by automated means and on the basis of consent or a contract, you can request a copy in a structured, commonly used, machine-readable format, and/or ask us to transmit it to another controller where technically feasible.

  • Right to object (Art. 21 GDPR). You can object at any time to processing based on our legitimate interests. You have an absolute right to object to processing for direct marketing, including related profiling.

  • Right to withdraw consent (Art. 7(3) GDPR). Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal (e.g., update preferences via Cookie Settings).

You can exercise these rights by contacting our DPO or per our DSR Form  https://llm-dsr-portal-web.van.lalamove.eu/?language=en_de . We may need to verify your identity before acting on your request and will respond within one month of receipt of the request. If the request is complex or we receive a high volume of requests, this period may be extended by up to two additional months and we will inform you of the extension and reasons (Art. 12(3) GDPR). 

Exercising your rights is free of charge; however, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive (Art. 12(5) GDPR).

These rights are not absolute and may be limited, for example, where fulfilling your request would adversely affect the rights and freedoms of others, conflict with legal obligations (e.g., tax, accounting, or regulatory retention), interfere with ongoing fraud-prevention or security measures, or where we need to keep certain data to establish, exercise, or defend legal claims.

You also have a right to lodge a complaint with a data protection supervisory authority (see below).

8. International Transfer of Personal Data 

Where we store data.
 We primarily host and process personal data in the European Economic Area (EEA). In limited cases, we share data with recipients outside the EEA/UK/Switzerland for the purposes described in this notice. When we do so, we ensure an adequate level of protection as required by Chapter V GDPR.

Legal mechanisms we use.
Depending on the destination and recipient, we rely on one or more of the following safeguards:

  • Adequacy decisions (Art. 45 GDPR). Where the European Commission has recognized a country as providing adequate protection, we may transfer data to that country on this basis. 

  • EU Standard Contractual Clauses (Art. 46 GDPR). For transfers to countries or jurisdictions without an adequacy decision (e.g., Hong Kong), we enter into the applicable EU Standard Contractual Clauses (SCCs) with the recipient. The EU Standard Contractual Clauses can be found here, for example: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. We also carry out transfer impact assessments (TIAs) and implement additional technical and organizational measures where appropriate.

  • EU–U.S. Data Privacy Framework (DPF). For participating U.S. providers, we may rely on their DPF certification. If a provider is not (or no longer) certified, we use SCCs and supplementary measures.

Supplementary technical and organizational measures.

To strengthen international transfers, we apply measures such as encryption in transit and at rest, EU-region pinning, EU-controlled key management (KMS), pseudonymization/tokenization, role-based and purpose-bound access controls, just-in-time unmasking with MFA and ticketing, and comprehensive access logging and auditing. Where feasible, we share aggregated or de-identified outputs instead of raw personal data.

Remote access support from outside the EEA.
 Certain support activities may involve case-by-case, ticketed remote access by service providers in Hong Kong acting under our instructions. In such cases, data remains stored in the EEA; access is time-limited, masked by default, and allowed only after purpose, necessity, and legal basis are verified. These accesses are governed by SCCs and the supplementary measures above and are fully logged.

 

9. How to Complain 

  1. Start with us. If you have concerns about how we handle your personal data, please contact us first so we can try to resolve the issue:

We will acknowledge your complaint and investigate it. We aim to respond within one month of receipt. For complex or numerous requests, we may extend this by up to two additional months, and we will let you know if we do so.

  1. Your right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
    You also have the right to lodge a complaint with your local supervisory authority or any other supervisory authority. Contact details for EU supervisory authorities are available on the European Data Protection Board’s website. Lodging a complaint is without prejudice to any other administrative or judicial remedies you may have.

 

10. Changes to This Notice 

We may update this notice from time to time. We will post the updated version with a new “Last updated” date and, where appropriate, notify you of material changes. We encourage you to periodically review this notice.