At Bolt, we are committed to building smart, people-centric cities by offering flexible and efficient mobility and business solutions. As part of this mission, we provide Bolt Business products that support companies in managing employee transport and mobility budgets. Your privacy and the security of your personal data are important to us, and this includes how we process your personal data when you use our Bolt Business products.
Date when this Privacy Notice was last updated: 13 June 2025
Table of Contents
1. About this Privacy Notice
2. How do you contact us?
3. What personal data do we process?
4. What purposes do we use your personal data for and what is our legal basis for processing?
5. Who do we share your personal data with?
6. Does Bolt transfer your personal data to other countries?
7. How do we keep your personal data safe?
8. How long do we retain your personal data for?
9. What are your rights?
10. How do we use your personal data for direct marketing?
11. How do we notify you of changes to this Notice?
1. About this Privacy Notice
This Bolt Business Privacy Notice (“Notice”) describes how Bolt Operations OÜ (“Bolt”, “we” or “us”) and its group companies and third party partners collect and process the personal data of authorised representatives of the Customer (“Representative”) when accessing and using Bolt Business products – including Card Admins and Users of the Bolt Business Card. More information about Bolt and its group companies, such as the relevant Bolt group company for your market, is set out here.
The terms “you” or “your” refers to a Representative. This Notice lets you know how we promise to look after your personal data and tells you about your privacy rights and the choices and controls available to you.
This Notice should be read in combination with the General Terms and Conditions for Bolt Business and all other terms and conditions, guidelines and policies made available for your market at https://bolt.eu/legal, with definitions not explicitly defined in this Notice having the same meanings as those in the referenced terms and policies.
2. How do you contact us?
Bolt (or the relevant Bolt group company for your market - as set out here in more detail) is the data controller of your personal data processed under this Notice.
We have appointed a Global Data Protection Officer (“DPO”) and an Office of the Data Protection Officer Team. You can contact our DPO by raising a data subject rights request via the Privacy Web Form available at https://bolt.eu/en/privacy/data-subject/ or raising any privacy-related questions in the Bolt Business Portal when you go to the main menu and tap ‘I need help’, our Customer Support Team will then escalate the issue internally to Bolt’s Privacy Legal Team. You can also email our Privacy Mailbox at [email protected] - please mark the subject line of the email ‘For the attention of Bolt’s Data Protection Officer'.
3. What personal data do we process?
We collect and process personal data:
- provided by you to Bolt;
- data generated through your use of the Bolt Business Portal; and
- from other sources such as other Representatives, governmental or public databases.
The table below sets out the different categories of personal data we process about you:
Your personal data provided by you or another Representative
Category of personal data | Description of personal data |
Account Data | We generate and collect information used to identify your specific Bolt account on our systems, as well as:
|
Profile Data | We collect personal data about you when you register to access the Bolt Business Portal:
|
Payment Data | If you connect your personal credit card or your personal bank account as a payment method, we will collect details of such payment methods including payment card type, bank name, bank account number, bank account sort code, related payment verification information and transaction history on the Bolt Business Business Portal. For the Bolt Business Card, this also includes Wallet funding details, payment receipts, and Business Card activation information. |
Survey / Interview Data | We collect the content of your replies or attachments you may send us, during the course of surveys and interviews that we conduct. |
Communications Data | We collect communication and correspondence data when you engage with our Customer Support Team via the chat function in the Business Portal, communicate via emails, web forms, or speak with our Customer Support agents. We record the date and time of the communications and its content and your phone number (where you use the call feature). We will record calls, only where you are notified in advance that the call may be recorded. |
Background Check Data | In countries where it is required by applicable laws or in accordance with market practices and requirements, we may collect personal data about you and your business after you submit your application to use Bolt Business services, in order to verify your identity and assess any compliance or financial risks. This may include:
|
Personal data we collect about you when you use the Bolt Business product
Category of personal data | Description of personal data |
Usage Data | This includes information collected about how the services are accessed and used. This can encompass details like the dates and times of access, the interactions with the service, technical data like IP addresses, system crashes, and other system activity. For the Bolt Business Card, this also includes data related to the use of the Card Admin Dashboard and Card User Dashboard such as transaction authorisations, spending limits, and declined transactions. |
User Generated Data | We collect personal data when you use the Business Portal. This may include:
|
Cookies, SDKs, Analytics, and Third-Party Technologies Data | We collect information through the use of cookies, tracking pixels, data analytics tools, SDKs, and other third-party technologies like advertising IDs to understand how you navigate through the Bolt Business Portal, to make your experience safer, to improve your experience with the Bolt Business Portal, to serve you better ads on other sites (according to your marketing preferences), and to save your preferences. For more information about cookies, see our Cookie Declaration. |
Device Data | We collect data about the devices you use to access the Bolt Business products, including the hardware model, device IP address and other unique device identifiers (such as your UUID and advertising identifiers), device operating system, browser version, device vendor name, manufacturer, and preferred languages. |
Security Data | This includes security logs, authentication data, and data generated during Business Card issuance and activation (such as activation timestamps). It also includes data collected for security monitoring and fraud prevention, such as flagged IP addresses, unusual login attempts, and high-risk transaction patterns. |
Personal data we collect about you from other sources
Category of personal data | Description of personal data |
Profile Data | We collect contact data about you when you connect to the Bolt Business Portal via a third party service such as Google or when another Customer’s Representative creates your account. In this case, we will process your:
|
Security Data | We may additionally collect Security Data from third-party security monitoring services, e-money and debit card issuers, payment processors, and financial institutions regarding potentially fraudulent activities, chargebacks, or suspicious transactions related to the use of the Bolt Business Card. |
Background Check Data | In countries where it is required by applicable laws, we may obtain background check data about you and your business from publicly available sources and third-party service providers. This may include:
|
Business Development Data | We may collect personal data about you from publicly available professional sources, business directories, or third-party business contact databases to understand your potential interest in Bolt Business products and services. This may include:
|
4. What purposes do we use your personal data for and what is our legal basis for processing?
The table below sets out:
- our purpose for processing your personal data;
- our legal grounds (known as a 'legal basis') under data protection law, for each purpose; and
- the categories of personal data we use for each purpose. Learn more about what personal data these categories include in Section 3 “What personal data do we process?” above.
Here is a general explanation of each 'legal basis' that may Bolt rely on to process your personal data in order to help you understand the table below:
- Performance of a Contract: When it is necessary for Bolt (or a third party) to process your personal data to provide you with the Bolt services we promised you and meet our obligations under the General Terms and Conditions for Bolt Business. Where the legal basis for processing your personal data is performance of a contract, and you choose not to provide the information, you may be unable to use the Bolt Business products.
- Legitimate Interests: When we process your personal data relying on legitimate interest grounds. This includes our commercial and non-commercial interests in providing an innovative, personalised and safe service to you and other third parties. Where the table below states that we rely on legitimate interests, we have provided a brief description of the legitimate interest. If you would like more information about this (including the balancing test), please contact us using the methods set out in Section 2 “How do you contact us?” above. In countries where legitimate interest is not an available lawful basis for Bolt’s processing activities, we will instead rely on an alternative valid legal basis.
- Consent: When we ask you to actively indicate your agreement to our use of your personal data for a certain purpose of which you have been informed of. Where we rely on consent to process your personal data, you can withdraw your consent to such activities at any time. Withdrawal of the consent does not affect the lawfulness of any processing which took place prior to you withdrawing your consent.
- Compliance with Legal Obligations: When we must process your personal data to comply with a law or regulation in the markets we operate in, such as to comply with our obligations under KYC laws. Where the legal basis for processing your personal data is compliance with legal obligations, and you choose not to provide the information, you may be unable to use the Bolt services.
- Vital Interests: When we process your personal data where it is necessary to protect your vital interests or those of others, for example in the event of an emergency or an imminent threat to life.
For the provision of the Bolt Business products
Purpose of processing | Legal Basis | Categories of Personal Data |
To create, update and maintain your account and manage your Business Card |
|
|
To make sure the Bolt Business Portal and the Card Admin Dashboard work optimally We use your Profile Data to notify you of updates to the Bolt Business products so you can keep using them. We also use Device Data and Usage Data to ensure you can connect to the Bolt Business Portal and to help keep your account safe through authentication and verification checks. |
|
|
To calculate and facilitate payments, refunds, Wallet funding, and Business Card transactions We process personal and transaction data to calculate and execute payments, issue refunds, fund Wallet balances, and facilitate Bolt Business Card transactions. |
|
|
To get your feedback on your level of satisfaction with Bolt services through surveys and interviews |
|
|
To reach out with instructions on how to use the Bolt Business Portal and the Bolt Business Card, including via calls/messengers |
|
|
For logistics and Business Card delivery |
|
|
To set and change spending limits on Business Cards, suspend or cancel Business Cards, and decline transactions |
|
|
To improve our websites and Bolt Business products We collect and may use your Usage Data to improve our websites and Bolt Business products (including their security features) by analysing it to better understand our business and services. |
|
|
For Customer relationship management
Purpose of processing | Legal Basis | Categories of Personal Data |
To provide customer support services and receive and process feedback We process your personal data to investigate and address your queries including reported safety incidents/alleged criminal acts and complaints. We also use the data you share to address quality issues and to improve our services. We may use automated processes for complaint resolution purposes via our automated chat function. For further information regarding how to object to the above activities, please see Section 9 “What are your rights?” below. |
|
|
For safety and security, including the safety of financial transactions
Purpose of processing | Legal Basis | Categories of Personal Data |
To ensure compliance with our General Terms and Conditions for Bolt Business and issue temporary suspensions In order to provide a safe and reliable service, we monitor Customer’ compliance with our General Terms and Conditions for Bolt Business and may temporarily suspend access to the Bolt Business Portal for Representatives and/or Customers:
|
|
|
To manage risks of financial transactions, ensure compliance with sanctions, and prevent, detect and investigate fraud or other unlawful acts Our automated anti-fraud system will identify fraudulent accounts, payments, abuse of Bolt’s services and other malicious activity on the Bolt Business Portal. To enable us to investigate, a temporary suspension may be applied to Representatives and/or Customers. While Bolt may use automated processes for fraud detection purposes, decisions on the blocking are taken following human review by our staff, and no account is blocked automatically without first undergoing a verification process. For further information regarding how to object to the above activities, please see Section 9 “What are your rights?” below. |
|
|
To monitor financial transactions and account activity for security threats, such as unusual spending behavior, unauthorised login attempts, or high-risk transactions |
|
|
To ensure the security of the Bolt services Depending on the issue, All Data may be used for technical and cyber security reasons: for example measures for combating piracy and ensuring the security of the service, website, Bolt Business Portal as well as for making and storing back-up copies and preventing/repairing technical issues. |
|
|
For marketing and advertising
To market and advertise Bolt services and those of partners according to your preferences and measure the effectiveness of Bolt’s ads This includes using your personal data to send and personalise emails, text messages (including WhatsApp messages), and other communications marketing Bolt’s products, services, features, offers, promotions, sweepstakes, news, and events of Bolt and our partners. We use pixels and similar technologies to track which emails are opened and which links are clicked by you, to help us measure the results of our campaigns. We may also share your personal data with third parties, or collect data regarding your visits and actions on third-party apps or websites, for the purposes of personalised ads. |
|
|
For business development and informational outreach To inform you about Bolt Business products and services that may be relevant to your role or organisation, and to invite you to participate in informational sessions such as webinars or product briefings. This may include contacting you through publicly available professional channels or business contact databases, where appropriate. |
|
|
For research and improvement of the Bolt Business products
To perform research, testing, and analytics to better understand and improve our business and services For example, we use Usage Data, Security Data, and Communication Data to conduct research to develop or improve our products, services, technology, algorithms, machine learning, and other modelling. We use Communication Data related to incidents to monitor our security practices and improve our operations and processes. |
|
|
To develop new products, features, partnerships and services |
|
|
To prevent, find, and resolve software or hardware bugs and issues |
|
|
For service communications
Purpose of processing | Legal Basis | Categories of Personal Data |
To communicate with you, including sending you service-related communications and to keep you informed Your name, phone number and email address will be used to communicate with you to send you reports, to let you know that an order or a transaction has been completed, and to inform you about important service updates. |
|
|
For legal proceedings and compliance with the law
Purpose of processing | Legal Basis | Categories of Personal Data |
To investigate and respond to claims and disputes relating to the use of Bolt services, and/or necessary for compliance with applicable legal requirements or with requests from government/law enforcement bodies Depending on the claim, All Data may be processed for establishing, exercising or defending legal claims, including:
In some circumstances, we are legally obliged to share information with external recipients. For example, under a Court Order or where we cooperate with a data protection supervisory authority in handling complaints or investigations. We also respond to requests, such as those from law enforcement agencies, when the response is required by law or furthers a public interest task such as an emergency situation or where someone’s life is at risk. We will take steps to ensure that we have a lawful basis on which to share the information, and we’ll make sure that we document our decision. |
|
|
To fulfil our tax obligations and comply with tax legislation |
|
|
To reorganise or make changes to our business |
|
|
When we process your personal data for a new purpose different from the purpose your personal data was originally collected for and we haven't asked for your consent, we will have to ensure that this new purpose is compatible with the initial purpose we collected it for. We will take into account any link between the two purposes and decide if the personal data can be used for this new purpose. Otherwise, we will take appropriate steps to ask for your consent or refrain from processing your personal data.
5. Who do we share your personal data with?
We may share your personal data with the following categories of recipients.
Category of Recipients | Description |
Bolt Group Companies and partners | We may share your personal data with our Bolt Group Companies (including Bolt local subsidiaries), third party partners, their affiliates and representatives, who may use your personal data in the manner described in this Notice. If Bolt local subsidiaries are responsible for processing your personal data, they may share your personal data with Bolt Operations OU as the main data controller for Bolt. |
Third-party service providers | Our third-party vendors and other service providers and contractors have access to your personal data to help carry out the services they are performing for us or on behalf of us. This may include vendors and providers who provide email or electronic communication services, tax, legal services, product fulfilment, credit checks, payment processing, customer relationship management, fraud prevention and detection, web hosting and cloud storage, research, including surveys, analytics, crash reporting, performance monitoring and artificial intelligence, machine learning and statistical services. For the Bolt Business Card product, this also includes third parties such as payment processors, e-money and debit card issuers, card schemes, financial institutions, and risk management service providers who assist with card issuance, card delivery and courier services, transaction processing, Wallet funding, security monitoring, and regulatory compliance. We may also use providers to support our business development and outreach activities. |
Promotional, marketing and strategic partners | We may share limited data like your email address with our promotional, marketing and strategic partners so that they can inform you about promotional events and provide you with information and marketing messages about products or services that may interest you. In addition, we may share your personal data with marketing platform providers, including social media advertising services, advertising networks, third-party data providers, to reach or better understand our users and measure the effectiveness of our ads on other platforms and with social media platforms, including Facebook and Google, for sign-in purposes. |
Other third parties | In the event of a likely change of control of the business (or a part of the business) such as negotiations for a sale, an actual sell, a merger, and acquisition, or any transaction, or reorganisation, we may share your personal data with interested parties, including as part of any due diligence process with new or prospective business owners and their respective professional advisers. We may also need to transfer your personal data to that third party or re-organised entity after the sale or reorganisation for them to use for the same purposes as set out in this Notice. |
Public authorities and law enforcement | We may disclose information under a court order or where we cooperate with a data protection supervisory authority in handling complaints or investigations. For example, we may also share your personal data with law enforcement or other public authorities, including responding to requests when the information is required by law or furthers a public interest task. In any scenario, we will take steps to ensure that we have a lawful basis on which to share the information, and we’ll make sure that we document our decision. |
Please note, that our websites and apps may contain links to other third-party websites. If you follow a link to any of those third-party websites, please be aware that those websites may have their own privacy notices and that we do not accept any responsibility or liability for their notices or their processing of your personal data. Please check these notices before you submit any personal data to such third-party websites.
6. Does Bolt transfer your personal data to other countries?
We operate internationally and as a result, your personal data may be transferred to, stored and/or processed by Bolt Group Companies, subcontractors and partners when undertaking the activities described in this Notice outside the country where you are located. Please see our Bolt Group Companies table for details of the countries where your personal data may be transferred to within the Bolt Group.
When we transfer your personal data outside of a country or region, such as the European Economic Area (“EEA”), we will make sure that we take steps necessary to comply with applicable legal requirements and rely on the following transfer mechanisms:
- Adequacy Decisions: We will rely on decisions from the European Commission where they recognise that certain countries and territories outside of the European Economic Area ensure an adequate level of protection for personal information. Please click here to see the list of countries deemed ‘adequate’ by the European Commission and click here to see the list of countries deemed ‘adequate’ by the UK Government. We rely on these adequacy decisions when we transfer personal data we collect from the EEA and the United Kingdom to the United States (where some of our third party service providers are based).
- Standard Contractual Clauses (SCCs): We will utilise standard contractual clauses approved by the European Commission for transfers outside the EEA and by the UK Government for transfers outside of the United Kingdom. Please click here to see the EEA SCCs and click here to see the UK SCCs. We will rely on SCCs when we transfer personal data we collect from the EEA and the United Kingdom to the United States, Singapore and Nigeria where some of our third party service providers are based.
There may be certain situations (such as responding to law enforcement requests - see Section 4 “What purposes do we use your personal data for and what is our legal basis for processing?” above) where a transfer of personal data will take place on the basis of exemptions provided for under applicable data protection legislation. In these circumstances, we will take steps to minimise and protect the personal data transferred.
7. How do we keep your personal data safe?
The security of your personal data is very important to us, and we have implemented appropriate technical and organisational controls to protect your personal data against unauthorised processing and against accidental loss, damage or destruction. We have implemented data encryption in transit and at rest, data privacy and security training, information security policies and controls around the confidentiality, integrity and availability of our data/systems.
Any personal data collected in the course of providing Bolt services is transferred to and stored in our data centres which are located within the EEA. Only authorised employees of Bolt Group companies and partners have access to the personal data and they may access the data only for the purpose of resolving issues associated with the use of the services (including disputes regarding transportation services and customer support services in the respective countries https://bolt.eu/cities/).
For our research and scientific purposes, all data is anonymised so you can never be identified from it. Regarding anonymised data, we will not attempt to re-identify your personal data that has been deidentified, in the course of sharing your data with other organisations.
You are responsible though for choosing a secure password when we ask you to set up a password to access parts of our sites or apps. You should keep this password confidential and you should choose a password that you do not use on any other site.
8. How long do we retain your personal data for?
We keep your personal data only as long as necessary to provide you with our services and for the purposes described above in Section 4 “What purposes do we use your personal data for and what is our legal basis for processing?”.
This means that the retention periods will vary according to the type, the amount and sensitivity of your personal data, the potential risk of harm from unauthorised use or disclosure of your personal data and the reason that we have collected the personal data in the first place.
Here are the key criteria we use for determining our retention periods:
Retention Periods Criteria | Description |
Personal data retained until you remove/delete it | It's your right to request that we delete your personal data. See Section 9 “What are your rights?” below for more information. |
Personal data that expires after a specific period of time | We have set certain retention periods so that some data is not retained after a specific period of time. See table below for further details. After a retention period has lapsed, the personal data is securely deleted, unless it is necessary for the establishment, exercise or defence of legal claims. |
Personal data retained until the Customer deletes its account. | We keep your data until the Bolt Business account is deleted unless further retention of certain personal data are required for the purposes described in the second table below. |
We have listed below the specific retention periods that apply to the personal data we process about you:
Category of Retention Periods | Description |
Tax, accounting and financial reporting purposes | We retain data for up to 10 years after the last order if your personal data is necessary for tax, accounting and financial reporting purposes. |
Provision of services purposes | We retain your data as long as you have an active account. If your account is deleted, personal data will be deleted (according to our retention schedule and rules), unless such data is still required to meet any legal obligation, or for accounting, dispute resolution or fraud prevention purposes. You may request deletion of your account at any time via the Bolt Business Portal or by contacting our Customer Support Team. See Section 9 “What are your rights?” below for more information. |
Formal investigations of a criminal offence, fraud or false information | We retain data for as long as necessary according to the internal, legal, and regulatory requirements, in the event that there are formal investigations of a criminal offence, fraud or false information having been provided. |
Disputes | We retain data for the purpose of exercising or defending legal claims, including supporting our own internal investigations, including claims related to the unlawful processing or collection of user’s consent, until the claim is satisfied or the expiry date of such claims. |
Complaints | We retain a record of all complaints which we make available to an authorised officer of the licensing authority on request in the case of an investigation for 12 months. |
Customer Support | We retain data in relation to support tickets submitted via the Bolt Business Portal, phone calls, web forms, and emails for 3 years from the last communication. For data related to the Bolt Business Card product, this retention period is extended to 5 years in accordance with regulatory requirements. |
9. What are your rights?
As a data subject you have following rights:
- Access your personal data (known as “Right of Access”): you have the right to access and to request copies of your personal data by contacting our Customer Support Team.
- Update/correct your personal data (known as “Right of Rectification”): you have the right to request us to correct personal data that is inaccurate or incomplete. You can change and correct certain personal data yourself within the Bolt Business Portal or by contacting our Customer Support Team.
- Delete your personal data (known as “Right of Erasure”): you have the right to request that we erase your personal data, under certain conditions (e.g., we are processing your personal data under your consent). Personal data that is processed pursuant to a legal obligation or where we have an overriding legitimate interest may not be deleted upon request. You can request erasure of your personal data by contacting our Customer Support Team.
- Restrict use of your personal data (known as “Right to Restrict Processing”): you have the right to request that we restrict the processing of your personal data, under certain conditions (e.g., we are processing your personal data under consent). You can request restriction of the use of your personal data by contacting our Customer Support Team.
- Object to use of your personal data (known as “Right to Object”): you have the right to object to our processing of your personal data, under certain conditions (e.g., we are processing your personal data under legitimate interests). You may submit an objection to the use of your personal data by contacting our Customer Support Team.
- Object to solely automated decisions being made about you which has legal or similarly significant effect on you (known as “Right to object to automated decision making”): you have the right, under certain circumstances, to object to any solely automated decisions we have made which have a legal effect or similarly significant effect which does not involve human review. You can ask that a person review the decision, obtain an explanation of the decision reached after such assessment and challenge the decision by contacting our Customer Support Team. Please note that certain exceptions and limitations may apply to your right to object to automated decision-making, as permitted by applicable laws and regulations. We will provide you with clear information regarding the implications of exercising your rights and the processes involved in objecting to solely automated decision-making.
- Port your personal data (known as “Right to Data Portability”): you have the right to request that we transfer the personal data that you have given us to another organisation, or directly to you, under certain conditions. This only applies to information you have given us. You can request for your personal data to be ported by contacting our Customer Support Team.
- Withdraw your consent: If we process your personal data using consent as legal basis, then you have the right to withdraw your consent at any time. Withdrawing your consent won’t change the legality of processing undertaken by Bolt before you withdraw your consent.
- File a complaint: If you have any concerns regarding the processing of your personal data, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (“AKI”) who is our lead supervisory authority or your local data protection authority. You can find their contact details on their websites. You may also have a right to seek a judicial remedy.
You can raise any privacy-related questions by contacting us via the Privacy Web Form available at https://bolt.eu/en/privacy/data-subject/ or raising any privacy-related questions in the Bolt Business Portal when you go to the main menu and tap ‘I need help’, our Customer Support Team will then escalate the issue internally to Bolt’s Privacy Legal Team.
10. How do we use your personal data for direct marketing?
Please be aware that you may from time to time receive updates about special offers and promotions related to our services. We send these communications based on our legitimate interests (soft opt-in) in providing you with information about opportunities that could be beneficial to you. In countries where soft opt-in is not an available lawful basis for Bolt’s processing activities, we will instead rely on an alternative valid legal basis. You have complete control over these communications, and if you decide at any time that you do not wish to receive them, you can stop them by clicking the “unsubscribe” link at the bottom of our emails, or typing “STOP” for messages and SMS.
Additionally, we may seek your opt-in consent for specific direct marketing activities where this is required by law. For example, we might request your consent to send you information regarding third-party promotions and offers that we think might be of interest to you. We also personalise direct marketing messages using information about how you use the services.
11. How do we notify you of changes to this Notice?
We may make changes to this Notice from time to time. If we make significant changes, we will notify you (as required) via the Bolt Business Portal, website or via another method such as email.