Privacy Policy

1. Our Commitment to GDPR Compliance

RideAgo OÜ ("RideAgo", "we", "us", or "our") is committed to protecting the personal data of all individuals who interact with our Platform. This Data Protection Notice explains how we comply with the European Union General Data Protection Regulation (Regulation (EU) 2016/679), commonly known as the GDPR, which became enforceable on 25 May 2018.

This document complements our Privacy Policy and provides specific information about your rights under the GDPR and how we exercise our responsibilities as a Data Controller.

2. Data Controller

RideAgo OÜ is registered as a legal entity in the Republic of Estonia, an EU member state, and is the Data Controller responsible for processing personal data in connection with our airport transfer coordination services. As an Estonia-based company, our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

3. Scope of This Notice

This Data Protection Notice applies to all personal data we collect from individuals located in the European Economic Area (EEA), as well as to any personal data subject to the GDPR regardless of the data subject's location. The EEA includes all 27 EU member states plus Iceland, Liechtenstein, and Norway.

RideAgo operates in 14 countries, including the following EU member states: Greece, Netherlands, Sweden, Romania, Bulgaria, Cyprus, and Poland. Personal data collected in these countries is fully protected under the GDPR.

4. Legal Basis for Processing (Article 6 GDPR)

Under Article 6(1) of the GDPR, we may process personal data only when at least one of the following legal bases applies:

4.1 Contract Performance — Article 6(1)(b)

We process personal data when it is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. For example, registering you as a driver, processing partner applications, and facilitating transfer assignments.

4.2 Legal Obligation — Article 6(1)(c)

We process personal data to comply with our legal obligations under Estonian and EU law, including tax legislation, anti-money laundering regulations, and transportation authority requirements.

4.3 Legitimate Interests — Article 6(1)(f)

We process personal data when it is necessary for our legitimate business interests, provided these interests do not override your fundamental rights and freedoms. Examples include fraud prevention, platform security, service improvement, and internal analytics. We have conducted Legitimate Interests Assessments (LIAs) for all processing activities relying on this legal basis.

4.4 Consent — Article 6(1)(a)

Where we rely on consent (for example, for marketing communications or non-essential cookies), we ensure that consent is freely given, specific, informed, and unambiguous. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

5. Principles of Processing (Article 5 GDPR)

We process personal data in accordance with the seven core principles set out in Article 5 of the GDPR:

• Lawfulness, fairness, and transparency — We process data lawfully, fairly, and in a transparent manner
• Purpose limitation — We collect data only for specified, explicit, and legitimate purposes
• Data minimisation — We collect only the data that is adequate, relevant, and limited to what is necessary
• Accuracy — We keep personal data accurate and up to date
• Storage limitation — We retain data only for as long as necessary
• Integrity and confidentiality — We process data securely using appropriate technical and organisational measures
• Accountability — We are responsible for, and able to demonstrate, compliance with all GDPR principles

6. Your Rights as a Data Subject (Articles 15–22 GDPR)

The GDPR grants you the following rights regarding your personal data:

6.1 Right of Access — Article 15

You have the right to obtain confirmation of whether we are processing your personal data, and if so, to access that data and receive information about how it is processed.

6.2 Right to Rectification — Article 16

You have the right to have inaccurate personal data corrected, and incomplete data completed, without undue delay.

6.3 Right to Erasure ("Right to be Forgotten") — Article 17

You have the right to request the deletion of your personal data when:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis
• The data has been unlawfully processed
• Erasure is required to comply with a legal obligation

This right is not absolute. We may refuse erasure if processing is necessary to comply with a legal obligation, for the establishment, exercise, or defense of legal claims, or for other reasons set out in Article 17(3).

6.4 Right to Restriction of Processing — Article 18

You have the right to request the restriction of processing in certain circumstances, such as when you contest the accuracy of the data or have objected to processing.

6.5 Right to Data Portability — Article 20

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller without hindrance.

6.6 Right to Object — Article 21

You have the right to object, on grounds relating to your particular situation, to the processing of your personal data based on legitimate interests. You also have an absolute right to object to processing for direct marketing purposes at any time.

6.7 Rights Related to Automated Decision-Making — Article 22

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. RideAgo does not use solely automated decision-making for matters that produce legal or similarly significant effects on individuals.

6.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@rideago.com. We will respond to your request within one month of receipt, as required by Article 12(3) of the GDPR. In complex cases, this period may be extended by a further two months, and we will notify you of any extension within the first month.

There is no fee for exercising your rights. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, particularly if they are repetitive.

7. International Data Transfers (Chapter V GDPR)

RideAgo operates in 14 countries, including non-EU jurisdictions such as Turkey, Russia, Egypt, Georgia, Morocco, Saudi Arabia, and Montenegro. When personal data is transferred outside the European Economic Area, we ensure that adequate safeguards are in place as required by Articles 44–50 of the GDPR.

7.1 Adequacy Decisions — Article 45

We rely on European Commission adequacy decisions for transfers to countries deemed to provide an adequate level of data protection.

7.2 Standard Contractual Clauses — Article 46(2)(c)

For transfers to countries without an adequacy decision, we implement the European Commission's Standard Contractual Clauses (SCCs) approved under Implementing Decision (EU) 2021/914 of 4 June 2021.

7.3 Supplementary Measures

Following the Court of Justice of the European Union's Schrems II judgment (Case C-311/18), we apply supplementary technical, organisational, and contractual measures to ensure that data transferred outside the EEA receives essentially equivalent protection. These measures include encryption, access controls, contractual confidentiality obligations, and ongoing monitoring.

8. Data Protection by Design and by Default (Article 25)

In accordance with Article 25 of the GDPR, we implement data protection principles into the design of our systems and services from the outset. Examples include:

• Pseudonymisation and minimisation of data wherever possible
• Granular access controls and audit logging
• Default settings that limit data collection to what is strictly necessary
• Regular Data Protection Impact Assessments (DPIAs) for high-risk processing

9. Data Breach Notification (Articles 33–34)

In the event of a personal data breach, we will:

• Notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of the breach, as required by Article 33, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
• Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34
• Document all personal data breaches, regardless of whether notification is required, in our internal breach register
• Take immediate steps to contain and remediate the breach

10. Children's Data (Article 8)

Under Article 8 of the GDPR, the processing of personal data of a child below the age of 16 (or younger, as set by individual EU member states, but not below 13) requires the consent of the holder of parental responsibility. RideAgo does not knowingly collect or process personal data from individuals under the age of 16. If we become aware that we have inadvertently collected data from a minor, we will take immediate steps to delete such data.

11. Records of Processing Activities (Article 30)

In compliance with Article 30 of the GDPR, RideAgo maintains a comprehensive Record of Processing Activities (ROPA) documenting all data processing operations carried out as a controller. These records include the purposes of processing, categories of data subjects and personal data, recipients, retention periods, and security measures applied.

12. Data Protection Impact Assessments (Article 35)

Where processing is likely to result in a high risk to the rights and freedoms of individuals — particularly when using new technologies — we conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the GDPR. DPIAs evaluate the necessity, proportionality, and risks of processing operations and identify mitigation measures.

13. Data Protection Officer

RideAgo's core activities do not require the mandatory appointment of a Data Protection Officer (DPO) under Article 37 of the GDPR. However, we have designated a privacy contact responsible for handling all data protection matters and inquiries from data subjects and supervisory authorities.

14. Right to Lodge a Complaint (Article 77)

Under Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR. You may lodge a complaint with:

• The Estonian Data Protection Inspectorate — our lead supervisory authority
  Andmekaitse Inspektsioon
  Tatari 39, 10134 Tallinn, Estonia
  Website: www.aki.ee
• The supervisory authority in your country of habitual residence, your place of work, or the place of the alleged infringement

You also have the right to an effective judicial remedy under Articles 78 and 79 of the GDPR.

15. EU Representative (Article 27)

As RideAgo OÜ is established within the European Union (Estonia), we are not required to designate a representative in the EU under Article 27 of the GDPR. Our Estonian establishment serves as our principal place of business for GDPR purposes.

16. Updates to This Notice

We may update this Data Protection Notice to reflect changes in our practices, regulatory developments, or guidance from supervisory authorities. We will publish any updates on this page and update the "Last updated" date at the top.

17. Contact Information

If you have any questions about this Data Protection Notice or wish to exercise your rights under the GDPR, please contact us using the details above. We are committed to addressing all inquiries promptly and transparently.