Operating in the EU or serving European riders? Our platform is engineered from the ground up with privacy by design principles, giving you complete GDPR compliance out of the box — from consent management to data portability to the right to be forgotten.
The General Data Protection Regulation requires that privacy protections are embedded into the design of systems from the very beginning — not added as an afterthought. Our white label taxi app platform was architected with this principle at its core. Every feature, every data flow, and every user interaction has been evaluated through the lens of data minimization, purpose limitation, and user consent.
When a rider books a trip, we collect only the data necessary to fulfill that booking. Location data is retained only for the duration needed to provide the service and meet legal obligations. Payment information is tokenized and never stored on our servers. Every data field in the system has a documented purpose, a defined retention period, and an automated deletion workflow.
The GDPR grants individuals specific rights over their personal data. Our platform provides automated tools that enable your riders and drivers to exercise every one of these rights directly from their app — reducing your compliance burden and response times.
Users can request and download a complete copy of all personal data held about them directly from the app settings. Export is generated within 24 hours in machine-readable JSON format.
One-click account deletion that permanently removes all personal data, trip history, and payment tokens. Automated cascading deletion across all systems within 30 days.
Users can export their data in a structured, commonly used, machine-readable format (JSON/CSV) and transfer it to another service provider at any time.
Users can update or correct their personal information at any time through the app profile settings. Changes propagate immediately across all connected systems.
Users can request that their data processing be restricted while disputes are resolved. The system flags restricted accounts and halts all non-essential data processing.
Users can object to data processing for marketing purposes with a single toggle. Marketing consent withdrawal takes effect immediately and is logged for audit purposes.
Our platform implements a comprehensive consent management framework that captures, stores, and manages user consent at a granular level. When riders or drivers first open the app, they are presented with clear, jargon-free consent requests for each category of data processing — from essential service delivery to optional marketing communications and analytics.
Consent records are stored immutably with timestamps, version references, and the exact text presented to the user. If a user withdraws consent, the change takes effect immediately and all downstream processing is halted for that specific consent category. Your admin dashboard provides a complete consent audit trail for every user.
The web-based admin panel and any rider-facing web booking interfaces include a fully configurable cookie consent banner that complies with the ePrivacy Directive. Cookies are categorized as strictly necessary, functional, analytics, and marketing — with only strictly necessary cookies loaded before explicit consent is given for other categories.
We provide a pre-drafted DPA that meets Article 28 requirements. It covers processing scope, sub-processor lists, data security measures, breach notification obligations, and audit rights. Available for immediate signing during onboarding.
We maintain a publicly accessible list of all sub-processors (cloud hosting, payment providers, mapping services) with their processing purposes, data categories, and geographic locations. Clients are notified 30 days before any sub-processor changes.
Every data category has a defined retention period. Trip data is retained for 24 months for service quality and legal compliance. Location data is anonymized after 90 days. Marketing data is deleted upon consent withdrawal. All policies are configurable per client.
For data transfers outside the EEA, we rely on EU Standard Contractual Clauses (SCCs) and supplementary technical measures including encryption in transit and at rest. Transfer impact assessments are documented for each data flow.
Both riders and drivers have access to a built-in privacy dashboard within their app. This gives them full visibility and control over their personal data — reducing support tickets and demonstrating your commitment to transparency.
Users can see every category of data held about them — profile information, trip history, payment methods, location logs, and communication preferences — in a single, clear overview.
Granular toggles for each consent category — marketing emails, push notifications, analytics tracking, and data sharing with third parties. Changes take effect immediately.
One-click data export in JSON or CSV format. The export includes all personal data, trip records, ratings given and received, and communication history. Generated within 24 hours.
Self-service account deletion with a clear explanation of what data will be removed and what must be retained for legal compliance. A 14-day grace period allows users to reverse the request.
In-app access to your branded privacy policy with version history. Users are prompted to review and re-consent whenever the policy is updated with material changes.
A dedicated in-app contact channel for privacy inquiries routed directly to your designated Data Protection Officer. Response time SLAs are configurable per your GDPR obligations.
"We had our external DPO review the platform before we signed. They were impressed by the granularity of the consent management system and the automated data subject request handling. What would normally take us weeks of manual processing is now handled automatically in the app. Our GDPR compliance costs dropped by over 60% in the first year."
Director of Operations
Licensed Taxi Operator, Berlin, Germany — 340 Vehicles
Yes. We provide a comprehensive DPA that meets Article 28 GDPR requirements as part of our standard onboarding process. The DPA covers processing scope, security measures, sub-processor lists, breach notification timelines, data return and deletion obligations, and audit rights. It is available for review and signing before you go live.
Yes. Both riders and drivers can initiate account deletion directly from the app. The system permanently deletes all personal data, trip history, ratings, and payment tokens within 30 days. A 14-day grace period is provided in case of accidental deletion. Data that must be retained for legal or tax obligations is anonymized and retained only for the required period.
EU clients can choose to have their data hosted exclusively in our Frankfurt (eu-central-1) AWS region. No personal data leaves the EEA unless explicitly configured by you. For disaster recovery replication, we offer intra-EU options using the Paris or Ireland AWS regions. If any data must be transferred outside the EEA, we implement EU Standard Contractual Clauses with supplementary technical measures.
In the event of a confirmed personal data breach, we notify affected clients within 72 hours as required by Article 33 GDPR. The notification includes the nature of the breach, categories of data affected, approximate number of data subjects involved, likely consequences, and measures taken to mitigate the impact. We also provide template language to help you notify your supervisory authority and affected individuals if required.
The platform supports designating a Data Protection Officer in your admin settings. The DPO contact information is displayed in the app privacy dashboard, and all user privacy inquiries are routed directly to the designated DPO email. We also provide guidance on when a DPO appointment is mandatory under Article 37 and can recommend external DPO service providers for clients who need one.
You can configure retention periods for trip data, location logs, user communications, marketing consent records, and support tickets. Default retention periods align with GDPR best practices — for example, trip data is retained for 24 months and location data is anonymized after 90 days. Automated deletion workflows run daily to purge data that has exceeded its retention period.
Request our Data Processing Agreement template, schedule a compliance walkthrough with our privacy team, or see the user data dashboard in action during a live demo.