Privacy Policy — CrossRide
Version: 1.3
Effective date: May 1, 2026
Last updated: May 7, 2026
1. Data Controller
CrossRide OÜ
Lõkke tn 4, 10122 Tallinn, Kesklinna linnaosa, Harju maakond, Estonia
Registration number: 17500416
Email: contact@crossride.eu
Data Protection Officer (DPO): For any questions relating to the protection of your personal data, you may contact our DPO at: contact@crossride.eu
2. Data We Collect
2.1 Data You Provide Directly
- Identity: first name, last name, date of birth, profile photo
- Contact: email address, phone number
- Identity document: collected and verified by Stripe Identity. CrossRide never stores the document image, which is processed securely by Stripe in accordance with its own retention policy.
- Payment information: handled exclusively by Stripe (we never store your card data)
- Preferences: language, notifications, driving settings
2.2 Data Collected Automatically
- Trip data: origin, destination, time, distance
- GPS data: collected during the trip on the driver's device (see section 5)
- Usage data: connection logs, platform interactions
- Device data: device type, operating system, push notification identifier
2.3 Data Generated by the Platform
- Trip and transaction history
- Ratings and reviews received
- Reliability score
- Refund data and audit log
3. Legal Bases for Processing (GDPR)
| Purpose | Legal basis |
|---|---|
| Executing the matching contract | Art. 6(1)(b) GDPR — contract performance |
| Identity verification (KYC) | Art. 6(1)(f) GDPR — legitimate interest (user safety and fraud prevention) |
| Payment processing | Art. 6(1)(b) GDPR — contract performance |
| Fraud detection and security | Art. 6(1)(f) GDPR — legitimate interest |
| Marketing communications | Art. 6(1)(a) GDPR — consent |
| Service improvement | Art. 6(1)(f) GDPR — legitimate interest |
| Audit log retention | Art. 6(1)(c) GDPR — legal obligation |
| Dynamic pricing calculation | Art. 6(1)(f) GDPR — legitimate interest (platform optimisation) |
| GPS data collection | Art. 6(1)(f) GDPR — legitimate interest (passenger safety and fraud prevention) |
4. Purposes of Processing
Your data is used to:
- Create and manage your account
- Verify your identity before your first trip
- Match drivers and passengers
- Process payments and refunds
- Ensure platform security and detect fraud
- Calculate dynamic pricing and fare suggestions
- Provide customer support in French and English, and in other European languages as the platform expands
- Send trip-related notifications
- Send marketing communications (with your consent)
- Comply with our legal and regulatory obligations
5. GPS Data
GPS data is collected during the trip on the driver's device to:
- Serve as secondary evidence in refund decisions
- Confirm the route taken in case of dispute
Retention: GPS data is retained for 90 days after the trip, then permanently deleted (GDPR obligation).
In the event of a refund dispute, GPS data constitutes secondary evidence. Both parties are contacted to provide their account of events. The final decision is made fairly, taking into account all available evidence (GPS, statements, driver and passenger history).
6. Data Sharing
We never sell your personal data. We share it only with:
| Recipient | Purpose | Data transmitted | Location |
|---|---|---|---|
| Stripe | Payments, KYC (Stripe Identity) | Payment and identity data | EU |
| Anthropic | AI agents (support, matching, pricing, fraud) | Pseudonymised data only (no names, no complete contact details) — requests are anonymised before transmission to ensure confidentiality | USA (SCC) |
| Mapbox | Mapping and routing | Trip GPS coordinates | USA (SCC) |
| ElevenLabs | Voice synthesis (urgent dispatch) | Anonymised call script | USA (SCC) |
| Twilio | Phone calls (urgent dispatch) | Driver phone number | USA (SCC) |
| Sentry | Error monitoring | Anonymised technical logs | USA (SCC) |
| AWS/GCP | Hosting — EU regions only | All hosted data | EU |
All providers established outside the EU have signed Standard Contractual Clauses (SCCs) in compliance with GDPR.
7. International Transfers
Some of our providers (Anthropic, Mapbox, ElevenLabs, Twilio, Sentry) are based in the United States. These transfers are governed by the Standard Contractual Clauses adopted by the European Commission, in accordance with Article 46(2)(c) of the GDPR.
Important: Due to US legislation (including the CLOUD Act), data held by US-based providers may, under specific legal circumstances, be accessible to US authorities even where SCCs are in place. CrossRide limits the data transferred to these providers to the strict minimum and never shares unnecessary sensitive data with them.
8. Data Retention Periods
| Data | Retention period |
|---|---|
| Account data | Duration of account + 3 years after termination |
| Trip data | 5 years (legal and tax obligations) |
| GPS data | 90 days |
| Refund audit log | 5 years after closure of the last related refund, then anonymised archiving |
| Payment data (Stripe) | Per Stripe's policy (legal minimum) |
| Security logs | 12 months |
| Marketing data (with consent) | Until consent is withdrawn |
9. Your GDPR Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15): obtain a copy of your personal data
- Right to rectification (Art. 16): correct inaccurate data
- Right to erasure (Art. 17): request deletion of your data under certain conditions
- Right to restriction (Art. 18): limit the processing of your data
- Right to data portability (Art. 20): receive your data in a structured format
- Right to object (Art. 21): object to processing based on legitimate interest
- Withdrawal of consent: at any time for consent-based processing
To exercise your rights: contact@crossride.eu
We respond to all requests within 30 days.
9.1 Right to Erasure — Limitations
The right to erasure does not apply to data retained for:
- Legal obligations (tax and accounting data)
- Platform integrity (refund audit log)
- Establishing or defending legal claims
10. Data Security
CrossRide implements the following technical and organisational measures:
- Data encryption in transit (TLS 1.3) and at rest
- JWT authentication + bcrypt password hashing
- Data access restricted to authorised personnel
- Pseudonymisation of data before transmission to AI providers
- Regular security audits and dependency analysis (pip-audit)
- Hosting exclusively on servers within the European Union
- No storage of banking data (delegated to Stripe)
11. Cookies
CrossRide uses cookies essential to platform operation (authentication, language preferences). Analytics cookies and third-party cookies may be used with your explicit consent.
You can manage your cookie preferences via the banner displayed on your first visit or in your account settings. For full details, see our Cookie Policy.
12. Minors
CrossRide is intended for users aged 16 and over (18 for drivers). We do not knowingly collect personal data from children under 16. If you believe a child has created an account, please contact us at contact@crossride.eu.
13. Changes to This Policy
CrossRide may update this Privacy Policy. In the event of material changes, you will be notified by email at least 15 days before the changes take effect. The current version is always available at https://crossride.eu/legal/privacy.
14. Right to Lodge a Complaint
If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with the competent data protection authority:
- Belgium: Data Protection Authority (APD) — www.autoriteprotectiondonnees.be
- Estonia: Data Protection Inspectorate (AKI) — www.aki.ee
- France: CNIL — www.cnil.fr
- European portal: Find the authority in your country — https://ec.europa.eu/info/law/law-making-process/your-rights-eu/your-rights-eu-protecting-your-personal-data/data-protection-authorities_fr
Contact for GDPR questions / DPO: contact@crossride.eu