GoDriver
RO EN
Legal

Privacy Policy

Last updated: 05/06/2026

This Privacy Policy describes how GoDriver ("we", "the operator") collects, uses, and protects your personal data when you use our application and services. We comply with Regulation (EU) 2016/679 (GDPR) and applicable national legislation.

1. Who we are

Data controller: PAN EXPRESS SRL
Tax ID: RO14233022
Trade Register: J40/8626/2001
IBAN: RO24INGB0000999905753355 (ING Bank)
Registered office: Str. Zinca Golescu, Nr.1a, Ap.1 Sector 6
Contact email: support@godriver.app
Data Protection Officer (DPO): [TODO: name or "We have not appointed a DPO — data inquiries should be sent to the email above"]

2. What data we collect

2.1. From all users

  • Name, surname, email, phone number
  • Password (stored hashed, never in plain text)
  • IP address, access logs, device type
  • Push notification token (if you enable notifications)

2.2. Additional for customers

  • Pickup and drop-off addresses, ride history
  • Billing data (name, address, tax ID for legal entities)
  • Payment details (processed via Stripe — we do not store card numbers)

2.3. Additional for drivers/couriers

  • Personal ID number/tax ID, identification documents (ID card, driving license)
  • KYC documents: trade register certificate, transport license, vehicle insurance, vehicle inspection
  • IBAN and bank for payouts
  • Real-time GPS location (only during active rides)
  • Vehicle data (make, model, license plate, color)

3. Legal basis for processing

  • Contract performance (Art. 6(1)(b) GDPR) — for delivery of requested services.
  • Legal obligation (Art. 6(1)(c) GDPR) — for invoicing, tax reporting, driver KYC.
  • Legitimate interest (Art. 6(1)(f) GDPR) — for fraud prevention, platform security, service improvement.
  • Consent (Art. 6(1)(a) GDPR) — for push notifications, marketing communications.

4. Who we share data with

We do not sell your data. We share data strictly with:

  • Drivers and customers — minimal data to complete the ride (name, phone, location)
  • Payment processors (Stripe Payments Europe Ltd, Ireland)
  • Cloud service providers (hosting, email, SMS, push notifications)
  • Tax and competent authorities, upon legal request (ANAF, police, courts)
  • Accounting, legal and audit consultants (under confidentiality obligation)

5. How long we keep data

  • Active account: for as long as you maintain your account
  • Deleted account: maximum 30 days for personal data (after this period — anonymization)
  • Invoices, contracts, accounting records: 10 years (Art. 25 Romanian Accounting Law 82/1991)
  • Driver KYC data: 5 years from the end of the contractual relationship (anti-money laundering obligation)
  • Real-time GPS location: 90 days
  • Access and security logs: 12 months

6. Your GDPR rights

Under GDPR, you have the following rights:

  • Right of access (to find out what data we store about you)
  • Right to rectification (to correct inaccurate data)
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability (export in a structured format)
  • Right to object to processing
  • Right to withdraw consent at any time

To exercise these rights, send a request to support@godriver.app. We will respond within a maximum of 30 days. For account deletion, see Delete Account.

7. Cookies

We use essential cookies for the application to function (session, authentication, language preferences) and analytical cookies to improve services. You can manage cookies from your browser settings.

8. Data security

We apply appropriate technical and organizational measures: TLS encryption in transit, bcrypt hashing for passwords, role-based restricted access, audit logs, regular backups. In case of a security incident affecting your data, we will notify you within a maximum of 72 hours as required by GDPR.

9. International transfers

Your data is stored primarily in the EU/EEA. When we use providers outside the EEA (e.g., certain cloud services), we ensure adequate safeguards under GDPR (Standard Contractual Clauses or European Commission adequacy decisions).

10. Complaints and supervisory authority

If you believe your GDPR rights have been violated, you can file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP): B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest — dataprotection.ro.

11. Policy changes

We reserve the right to update this policy. Significant changes will be communicated to you via email or an in-app notification at least 30 days before they take effect.