Privacy Policy

1. Data Controller

RideAgo OÜ ("RideAgo", "we", "us", or "our") is the data controller responsible for processing your personal data in connection with our airport transfer coordination services. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website, mobile application, or any related services.

2. Information We Collect

2.1 Information You Provide

• Driver registration: Full name, email address, phone number, date of birth, national ID or passport number, driver's license details, vehicle registration, insurance documentation, city of operation, bank/payment account details.
• Partner & agency registration: Company name, contact person name, business email, phone number, company website, business registration number, fleet size, and vehicle classifications.
• Corporate client registration: Company name, contact person, business email, phone, role/position, company website, estimated transfer volume.
• Communication: Any information you share when contacting our support team, including messages, attachments, and feedback.

2.2 Information Collected Automatically

• Device & technical data: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
• Usage data: Pages visited, time spent on pages, click patterns, referral sources, and navigation paths.
• Cookies and similar technologies: We use cookies, pixels, and local storage to enable website functionality, remember preferences, and analyze usage patterns. See Section 9 for details.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under the EU General Data Protection Regulation (GDPR):

• Contract performance (Art. 6(1)(b) GDPR): Processing necessary to fulfill our contractual obligations — for example, registering you as a driver, matching you with transfer assignments, or processing partner applications.
• Legitimate interest (Art. 6(1)(f) GDPR): Processing necessary for our legitimate business interests, such as fraud prevention, service improvement, platform security, and internal analytics — provided these interests do not override your fundamental rights.
• Legal obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws, including tax regulations, anti-money laundering requirements, and transportation authority obligations.
• Consent (Art. 6(1)(a) GDPR): Where we rely on your explicit consent — for example, for marketing communications or non-essential cookies. You may withdraw consent at any time.

4. How We Use Your Information

We use the information we collect for the following purposes:

• To register and verify driver, partner, and corporate accounts
• To coordinate and facilitate airport transfer services
• To communicate with you regarding your account, assignments, or inquiries
• To process payments and generate invoices (where applicable)
• To prevent fraud, unauthorized access, and other illegal activities
• To improve our platform, services, and user experience through analytics
• To comply with legal and regulatory requirements
• To send marketing communications (only with your explicit consent)

5. Data Sharing & Recipients

We do not sell your personal data. We may share your information with the following categories of recipients, only to the extent necessary:

• Drivers and passengers: Limited information necessary to complete a transfer (e.g., name, pickup location, flight number).
• Payment processors: We work with Checkout.com and other PCI-compliant payment providers to process transactions securely.
• Cloud hosting providers: Our platform infrastructure is hosted on secure, GDPR-compliant servers.
• Analytics providers: We use analytics tools to understand how our platform is used. Data is anonymized where possible.
• Legal & regulatory authorities: We may disclose data when required by law, court order, or to protect our legal rights.
• Insurance providers: In the event of an incident or claim related to a transfer.

All third-party recipients are bound by data processing agreements that ensure appropriate safeguards for your personal data.

6. International Data Transfers

RideAgo operates across 14 countries, including EU member states (Greece, Netherlands, Sweden, Romania, Bulgaria, Cyprus, Poland) and non-EU countries (Turkey, Russia, Egypt, Georgia, Morocco, Saudi Arabia, Montenegro). When your data is transferred outside the European Economic Area (EEA), we ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where the European Commission has determined that a country provides adequate data protection
• Additional technical and organizational measures such as encryption and access controls

For transfers to countries without adequacy decisions (e.g., Turkey under KVKK, Russia under Federal Law No. 152-FZ), we implement supplementary safeguards to protect your data in accordance with GDPR requirements.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law:

• Driver accounts: Duration of active partnership plus 3 years after termination
• Partner/agency accounts: Duration of active partnership plus 3 years
• Corporate client accounts: Duration of active relationship plus 3 years
• Financial and payment records: 7 years (as required by Estonian and EU tax legislation)
• Communication records: 2 years from last interaction
• Website analytics and logs: 12 months
• Marketing consent records: Until withdrawal of consent, plus 90 days

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
• Right to restrict processing: Request that we limit how we use your data in certain circumstances.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
• Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing that significantly affect you.

To exercise any of these rights, contact us at privacy@rideago.com. We will respond within 30 days of receiving your request.

9. Cookies & Tracking Technologies

9.1 Types of Cookies We Use

• Essential cookies: Required for basic website functionality (session management, language preferences, security). Cannot be disabled.
• Analytics cookies: Help us understand how visitors interact with our website (page views, navigation patterns). Data is anonymized.
• Functional cookies: Remember your preferences and settings to enhance your experience.

9.2 Managing Cookies

You can manage or disable cookies through your browser settings. Please note that disabling essential cookies may impair website functionality. We do not use advertising or third-party marketing cookies.

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit using TLS/HTTPS protocols
• Encryption of sensitive data at rest
• Strict access controls based on the principle of least privilege
• Regular security assessments and vulnerability testing
• Employee training on data protection and security practices
• Secure development practices for our platform and applications

Despite our efforts, no method of transmission or storage is 100% secure. If you become aware of any security vulnerability, please notify us immediately at privacy@rideago.com.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
• Document the breach, its effects, and the remedial actions taken

12. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 16, we will take immediate steps to delete such data. If you believe a child has provided us with personal data, please contact us at privacy@rideago.com.

13. Third-Party Links

Our website and application may contain links to third-party websites or services that are not operated by RideAgo. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party services before providing your personal information.

14. Limitation of Liability

RideAgo shall not be held liable for:

• Unauthorized access to your data resulting from your own negligence (e.g., sharing login credentials, using unsecured networks)
• Data breaches caused by sophisticated cyberattacks despite our implementation of industry-standard security measures
• Actions of third-party service providers that violate their contractual data processing obligations
• Loss or corruption of data due to circumstances beyond our reasonable control (force majeure)

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify registered users via email for significant changes
• Display a prominent notice on our website

We encourage you to review this policy periodically. Your continued use of our services after any changes constitutes acceptance of the updated policy.

16. Complaints & Dispute Resolution

If you have concerns about how we handle your personal data, you may:

1. Contact us directly at privacy@rideago.com — we aim to resolve all complaints within 30 days.
2. Lodge a complaint with a supervisory authority. As a company registered in Estonia, our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). You also have the right to lodge a complaint with the data protection authority in your country of residence.
3. Seek legal remedies. You have the right to an effective judicial remedy if you believe your rights under the GDPR have been infringed.