Privacy Policy

1. Data Controller

The data controller responsible for your personal data is KAHA ELECTRO MOBILITY LTD, a company registered in the Republic of Cyprus (Registration No: HE 462511), with registered office in Nicosia, Cyprus.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the CyprusRide platform ("Platform"), in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Cyprus Processing of Personal Data (Protection of the Individual) Law of 2001 (Law 138(I)/2001), as amended.

2. Data We Collect

We collect the following categories of personal data:

2.1 Information you provide directly:

• Account data: Full name, email address, phone number, password (encrypted).
• Profile data: Profile photo, vehicle details (make, model, colour, registration).
• Verification documents: Driving licence, ID document (for driver verification).
• Ride data: Origin, destination, date, time, price, available seats.
• Communications: Messages sent through the in-app chat system.

2.2 Information collected automatically:

• Usage data: Pages visited, features used, ride searches, booking activity.
• Device data: IP address, browser type, operating system, device identifiers.
• Analytics data: Collected via Google Analytics (see Section 8).

2.3 Payment data:

Payment processing is handled by Stripe, Inc. We do not store your full credit/debit card numbers on our servers. Stripe processes your payment data in accordance with PCI DSS standards. Please refer to Stripe's Privacy Policy for details.

3. Legal Basis for Processing

We process your personal data under the following legal bases (Article 6 GDPR):

• Contract performance (Art. 6(1)(b)): To provide our carpooling service, process bookings, and facilitate payments.
• Legitimate interest (Art. 6(1)(f)): To improve our services, prevent fraud, ensure platform safety, and send service-related communications.
• Legal obligation (Art. 6(1)(c)): To comply with applicable laws and regulations of the Republic of Cyprus and the EU.
• Consent (Art. 6(1)(a)): For marketing communications and non-essential analytics cookies (where applicable).

4. How We Use Your Data

• To create and manage your account.
• To facilitate ride matching, bookings, and communications between Users.
• To process payments and issue receipts.
• To verify driver identity and driving credentials.
• To send transactional emails (booking confirmations, receipts, status updates).
• To display reviews and ratings to build community trust.
• To improve the Platform, analyse usage patterns, and fix issues.
• To prevent fraud, abuse, and ensure compliance with our Terms and Conditions.
• To comply with legal obligations.

5. Data Sharing

We share your personal data only in the following circumstances:

• With other Users: Your name, profile photo, rating, and vehicle details are visible to other Users when you post or book a ride. Phone numbers are shared only after a booking is confirmed.
• Payment processor: Stripe processes payment transactions on our behalf.
• Cloud services: We use Amazon Web Services (AWS) for secure file storage and hosting.
• Analytics: Google Analytics collects anonymised usage data.
• Legal authorities: When required by law, court order, or to protect our legal rights.

We do not sell your personal data to third parties.

6. International Data Transfers

Some of our service providers (e.g., AWS, Stripe, Google) may process data outside the European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs).
• Adequacy decisions by the European Commission.
• The EU-US Data Privacy Framework (where applicable).

7. Data Retention

We retain your personal data for as long as necessary to provide our services:

• Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
• Ride and booking data: Retained for 3 years after the ride date for dispute resolution and legal compliance.
• Payment records: Retained for 6 years as required by Cyprus tax law.
• Verification documents: Retained for the duration of active verification status, then deleted within 90 days.
• Chat messages: Retained for 1 year after the associated ride.

8. Cookies and Analytics

The Platform uses Google Analytics (Measurement ID: G-Y1R940DPVE) to collect anonymised usage statistics. Google Analytics uses cookies to track page views and user interactions.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

We also use essential cookies required for authentication and session management. These cannot be disabled as they are necessary for the Platform to function. You can manage your cookie preferences at any time using the cookie settings banner at the bottom of the page, or by clearing your browser's local storage.

9. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of your personal data.
• Right to rectification (Art. 16): Request correction of inaccurate data.
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
• Right to restriction (Art. 18): Request limitation of processing in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days as required by law.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS/SSL) and at rest.
• Bcrypt hashing for password storage.
• Secure cloud infrastructure (AWS) with access controls.
• Regular security reviews and monitoring.

While we take all reasonable precautions, no system is 100% secure. In the event of a data breach, we will notify affected users and the Office of the Commissioner for Personal Data Protection within 72 hours as required by the GDPR.

11. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the Platform. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact Us