Privacy - RYDEPRO

1. INTRODUCTION & SCOPE

RYDEPRO, Inc. and its affiliates (“RYDEPRO,” “we,” “us,” or “our”) provides this Privacy Policy (“Policy”) to inform you about how we collect, use, disclose, and protect your Personal Information in connection with our ride-sharing platform, including our website, mobile applications, and related services (collectively, the “Service”).

This Policy is designed to comply with applicable data protection laws in the jurisdictions where we operate, including: the General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Illinois Biometric Information Privacy Act (BIPA), Children’s Online Privacy Protection Act (COPPA), and others as detailed in Appendix D.

2. DEFINITIONS & CORE PRINCIPLES

Personal Information (PI) / Personal Data: Any information that identifies, relates to, describes, or can be reasonably linked to an individual.
Sensitive Personal Information (SPI): Includes government identifiers, biometric data, precise geolocation, and financial account information.
Biometric Data: Physiological characteristics used for identification, such as a facial geometry template.
Sale/Sharing (CCPA): Disclosure of PI for monetary benefit or for cross-context behavioral advertising.

Core Principles:

Data Minimization: We collect only the PI that is reasonably necessary for the disclosed purposes.
Purpose Limitation: We process PI only for the specific, explicit, and legitimate purposes disclosed in this Policy and do not further process it in an incompatible manner.

3. DATA CONTROLLER AND PROCESSOR ROLES

RYDEPRO as Controller: For individual rider and driver services, RYDEPRO determines the purposes and means of processing and acts as the Data Controller.
RYDEPRO as Processor: For corporate/B2B services where we process data per a client’s instructions, we act as a Data Processor under a separate Data Processing Agreement (DPA).

4. CATEGORIES OF PERSONAL INFORMATION WE COLLECT

We collect information you provide, from your device, and from third parties. The CCPA/CPRA categories we collect are detailed in Appendix B.

4.1 Waitlist for Prospective Users

RYDEPRO may offer a waitlist for individuals interested in the Service before its launch in their area (“Waitlist”).

Information Collected: If you join the Waitlist, we collect only your email address, city/postal code, and stated interest (rider or driver). We do not collect SPI, payment details, identity documents, or biometric data for the Waitlist.
Use of Data: This information is used solely to notify you of Service availability and to analyze general demand.
Retention: Waitlist data is retained for five (5) years or until the Service launches in your area, after which it is deleted if you do not create an account. You may unsubscribe at any time via the link in waitlist emails or by contacting us.
Transition: Creating an active account subjects your data to the full terms of this Policy, not just this Waitlist section.

5. HOW WE USE PERSONAL INFORMATION & LEGAL BASES

5.1 Business & Commercial Purposes

We use PI to: provide and maintain the Service; verify identity and ensure security (including via biometrics); communicate with you (transactional messages, support); send marketing (with prior opt-in consent); conduct research and development; and comply with legal obligations.

5.2 Legal Bases for Processing (GDPR)

Processing Activity	Primary Legal Basis (GDPR)	Categories of Personal Data
Account Creation & Service Provision	Performance of a Contract (Article 6(1)(b))	Identifiers, Contact, Payment Data
Identity & Biometric Verification	Explicit Consent (Article 9(2)(a)) & Legitimate Interests (Art. 6(1)(f))	Government ID, Facial Geometry
Marketing Communications	Consent (Article 6(1)(a))	Contact Information, Usage History
Fraud Prevention & Security Monitoring	Legitimate Interests (Article 6(1)(f)) & Legal Obligation (Art. 6(1)(c))	Device Data, IP Address, Transactions
Service Improvement (Analytics)	Legitimate Interests (Article 6(1)(f))	De-identified Usage and Device Data
Compliance with Legal Requests	Legal Obligation (Article 6(1)(c))	Any relevant data as required by law

Note on Marketing: We rely on your prior consent as the legal basis for all direct electronic marketing communications.

5.3 Use of Sensitive Personal Information

We will not use or disclose your SPI for purposes other than those necessary to provide the Service or as permitted by law. California residents have the right to limit the use of their SPI to the purposes permitted by the CPRA.

6. HOW WE DISCLOSE PERSONAL INFORMATION

We do not “Sell” or “Share” your PI for cross-context behavioral advertising. We contractually prohibit service providers from using shared data for their own advertising purposes. RYDEPRO does not offer financial incentive programs tied to the collection or retention of PI.

We disclose PI in the following limited circumstances:

To Service Providers: Vendors who process data on our behalf under strict contractual obligations (e.g., cloud hosting, payment processors like Stripe, mapping services like Google Maps, communications via Twilio).
To Other Users: As necessary to facilitate a ride (e.g., rider name to driver).
For Legal & Safety Reasons: To comply with law or protect rights and safety.
In a Business Transfer: In connection with a merger or sale of assets.
With Your Consent: For any other purpose disclosed with your permission.

7. YOUR PRIVACY RIGHTS & HOW TO EXERCISE THEM

A. Summary of Rights by Jurisdiction

California (CCPA/CPRA): Right to Know, Delete, Correct, Opt-Out of Sale/Sharing, Limit Use of SPI, and Non-Discrimination.
Virginia, Colorado, Connecticut, Utah: Similar rights to access, delete, correct, and opt-out of targeted advertising and profiling.
EU/UK (GDPR): Right to access, rectification, erasure, restriction, portability, and to object to processing.

B. How to Submit a Verifiable Request

To exercise any right, please submit a request via:

Email: Legal@rydepro.com

California residents may use an authorized agent. We will verify both the agent’s authority and your identity. We will acknowledge your request and respond within the timeframes required by applicable law.

8. BIOMETRIC INFORMATION POLICY (U.S. USERS)

For users in jurisdictions with biometric laws (e.g., Illinois BIPA, Texas CUBI):

Collection & Use: We collect a facial geometry template solely for identity verification and fraud prevention.
Consent: We provide a separate notice and obtain your affirmative written consent before collection.
Retention & Destruction: Data is retained for a maximum of one (1) year from the date of last verification and then securely destroyed. Our public retention schedule is at [Link to Standalone Biometric Policy].
Disclosure: We do not sell, lease, or trade biometric data. Disclosure is limited to service providers under contract or as required by law.

9. CHILDREN’S PRIVACY

Our Service is not directed to children under 18. We use age-screening at registration. If we learn we have collected PI from a child under 16 without parental consent, we will delete it promptly. Parents may contact us at Legal@rydepro.com.

10. COOKIES & TRACKING TECHNOLOGIES

We use cookies and similar technologies. Essential cookies are required for the Service to function. You can manage non-essential cookies via our Cookie Banner. For details, see our Cookie Policy. We honor the Global Privacy Control (GPC) browser signal.

11. DATA SECURITY MEASURES

We implement administrative, technical, and physical safeguards, including:

Encryption: AES-256 for data at rest; TLS 1.3+ for data in transit.
Access Controls: Role-based access control (RBAC), zero-trust architecture, and mandatory multi-factor authentication for internal systems.
Monitoring & Testing: Comprehensive audit logging, regular vulnerability scans, and annual independent penetration testing.
Incident Response: A formal plan to address data breaches, including timely notification to affected individuals and authorities as required by law (e.g., within 72 hours under GDPR, per state laws like NY SHIELD).

12. DATA RETENTION

We retain PI only as long as necessary for the purposes in this Policy or to meet legal obligations. Some retention periods may be extended by specific statutory requirements (e.g., local transport, tax, or financial regulations). See Appendix A for our retention schedule.

13. AUTOMATED DECISION-MAKING & PROFILING

Our Service uses automated processing (algorithms) for:

Matching riders and drivers.
Calculating dynamic pricing.
Assessing fraud and safety risks.

These processes affect the matches, prices, or options presented to you. You have the right to obtain human intervention, express your view, and contest significant automated decisions.

14. INTERNATIONAL DATA TRANSFERS

When transferring PI across borders (e.g., from the EEA/UK to the U.S.), we use lawful mechanisms like the EU-U.S. Data Privacy Framework (DPF), UK International Data Transfer Addendum, and Standard Contractual Clauses (SCCs).

15. DATA PROTECTION ASSESSMENTS

Where required by law (e.g., GDPR Article 35), RYDEPRO conducts Data Protection Impact Assessments (DPIAs) for processing activities that present a high risk to individuals, such as the large-scale or systematic processing of biometric data.

16. NOTICES FOR INTERNATIONAL USERS OUTSIDE EU/UK

Canada: We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
Australia: We adhere to the Australian Privacy Principles (APPs) under the Privacy Act 1988.
UAE: We observe UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
Philippines: We respect rights under the Philippines Data Privacy Act of 2012.

17. FINANCIAL INFORMATION & PCI-DSS COMPLIANCE

We use accredited third-party payment processors. We are PCI-DSS compliant and do not store full payment card numbers on our servers, using tokenization instead.

18. THIRD-PARTY LINKS & PLUG-INS

Our Service may contain links to or integrations with third-party services (e.g., Google Maps, social media buttons). Their data practices are governed by their own privacy policies, which we encourage you to review.

19. CHANGES TO THIS POLICY

We reserve the right to amend or update this Privacy Policy at any time at our sole discretion to reflect changes in our practices, technology, legal requirements, or business purposes.

We will notify you of Material Changes—defined as changes that reduce your rights, expand our data collection, or significantly alter how we use your Personal Information—before they become effective. We will provide notice through one or more of the following methods:

Sending an email to the address associated with your account.
Posting a prominent in-app notification or banner.
Updating the “Last Updated” date at the top of this Policy.

The updated Policy will be effective immediately upon posting unless otherwise stated. Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of its terms.

20. POLICY GOVERNANCE & LEGAL STATUS

This Privacy Policy is a core component of RYDEPRO’s corporate governance and data protection program. It has been developed in consultation with, and reviewed for legal adequacy by, our qualified legal counsel specializing in data privacy and security law.

The policy is subject to ongoing review to ensure it remains current with evolving legal requirements, regulatory guidance, industry best practices, and our operational practices. Any material amendments to this policy will be made in accordance with Section 19, “Changes to this Policy.”

This document is provided for informational purposes to inform users of our data practices and does not create a contractual obligation beyond the terms of service, nor does it constitute legal advice to the reader.

APPENDICES

Appendix A: Detailed Data Retention Schedule

Data Category	Retention Period	Legal Basis / Purpose
Account Profile Information	7 years after account deactivation	Contract & Legal Obligation (Tax/Audit). GDPR: Art. 6(1)(b), (c)
Trip Transaction Records	6 years after trip completion	Legal Obligation & Dispute Resolution. GDPR: Art. 6(1)(c), (f)
Biometric Verification Template	1 year from last successful verification	Consent & Security. GDPR: Art. 6(1)(a), (f); Art. 9(2)(a)
Customer Support Communications	3 years from date of interaction	Legitimate Interests. GDPR: Art. 6(1)(f)
Marketing Preference Data	Until opt-out or account deletion	Consent. GDPR: Art. 6(1)(a)
Waitlist Information	5 years or until service launch	Legitimate Interests (Service Launch Operations)
Website Log & Analytic Data	13 months	Legitimate Interests. GDPR: Art. 6(1)(f)

Appendix B: CCPA/CPRA Disclosure Metrics (Last 12 Months)

CCPA PI Category	Collected?	Sold?	Shared for Cross-Context Behavioral Advertising?	Disclosed for a Business Purpose?
Identifiers (name, email, etc.)	YES	NO	NO	YES
Personal Records (ID, payment info)	YES	NO	NO	YES
Commercial Information (trip history)	YES	NO	NO	YES
Biometric Information	YES	NO	NO	YES
Internet/Network Activity	YES	NO	NO	YES
Geolocation Data	YES	NO	NO	YES
Inferences (profile)	YES (Derived)	NO	NO	YES

Appendix C: Key Definitions

Controller: The entity that determines the purposes and means of processing personal data.
Processor: An entity that processes personal data on behalf of a Controller.
Data Subject: The individual to whom personal data relates.
Data Protection Impact Assessment (DPIA): A process to identify and mitigate high-risk processing.

Appendix D: Legal Frameworks Observed

This Policy is intended to satisfy requirements under: General Data Protection Regulation (GDPR); UK GDPR & Data Protection Act 2018; California Consumer Privacy Act (CCPA) & CPRA; Virginia CDPA; Colorado CPA; Connecticut Data Privacy Act (CTDPA); Utah Consumer Privacy Act (UCPA); New York SHIELD Act; Illinois Biometric Information Privacy Act (BIPA); Texas Capture or Use of Biometric Identifier Act (CUBI); Washington My Health My Data Act; Children’s Online Privacy Protection Act (COPPA); and other applicable U.S. federal and state laws.

RYDEPRO PRIVACY POLICY