Privacy Policy
Last updated: April 30, 2026
Data Controller
Odyrides is the data controller for the personal data processed through our platform. We are based in Greece and operate in accordance with the EU General Data Protection Regulation (GDPR). For any privacy-related inquiries, you can reach us at privacy@odyrides.com.
Data We Collect - Web Dashboard
When you use the Odyrides web dashboard, we collect the following data: account information (name, email address) provided through our authentication provider; organization data (business name, settings); hotel data (name, address, geographic coordinates); driver data (name, phone number); transfer and booking data (guest name, guest phone number, pickup and dropoff details, pricing information); activity logs (IP address, actions performed); SMS delivery logs; and invitation data for team members.
Data We Collect - Mobile Driver App
When drivers use the Odyrides mobile app, we collect: phone number (used for OTP-based login), device identifier, push notification token, and session data. We do not collect location data, camera access, contacts, or third-party analytics from the mobile app. Drivers can delete their account at any time from the app's Settings screen. Deletion is immediate and removes the driver's profile from all organizations; transfer records are preserved in anonymized form for business continuity.
How and Why We Process Your Data
We process your data under the following lawful bases as defined by GDPR Article 6: Contract performance -- to deliver the transfer coordination service you signed up for, process bookings, send SMS notifications, and manage your account. Legitimate interest -- to maintain platform security, prevent fraud, monitor for abuse, and improve service reliability. Consent -- for optional analytics tracking (PostHog), which you can opt into or out of at any time. We never sell your personal data to third parties.
Third-Party Processors
We share data with the following processors to operate our service. Clerk (US): authentication, email, name, and profile data. Stripe (US): payment processing and billing information. Twilio (US): SMS and OTP delivery, phone numbers. Resend (US): transactional email delivery. PostHog (EU instance): web analytics, opt-in only, respects Do Not Track. Supabase (AWS EU): database hosting and realtime functionality. Upstash (US): rate limiting, IP addresses. Geoapify (Germany): address autocomplete queries. Expo (US): push notifications and over-the-air updates for the mobile app. Vercel (US/global): web hosting and edge analytics. Each processor is bound by a data processing agreement and handles data in accordance with applicable regulations.
Data Security
We implement industry-standard security measures including encryption for data in transit (TLS) and at rest. Authentication is handled by Clerk with secure session management. Access to production systems is restricted and monitored. We conduct regular security reviews of our infrastructure and codebase.
Data Retention
We retain data only as long as necessary for its purpose. OTP verification codes are deleted immediately after use or after a 10-minute expiry. User sessions expire after 90 days. SMS delivery logs are retained for 90 days. Dismissed notifications are removed after 30 days. When a user account is deleted, all associated data is hard-deleted after 7 days. When an organization is deleted, its data is retained for 30 days before permanent deletion. Active account data is retained for the duration of your account.
International Data Transfers
Some of our processors are based in the United States. For transfers of personal data outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, as well as any additional safeguards provided by each processor. Where available, we use EU-based instances of our processors (such as PostHog EU and Supabase AWS EU).
Cookies and Tracking
We use three categories of cookies. Essential cookies: required for the platform to function, including Clerk authentication tokens, cookie consent preferences, and locale settings -- these cannot be disabled. Analytics cookies: PostHog analytics, enabled only with your explicit opt-in consent and respecting the Do Not Track browser signal. Third-party cookies: set by Stripe during checkout and by Vercel for edge analytics. You can manage your cookie preferences at any time through the cookie settings on our platform.
Your Rights Under GDPR
You have the following rights regarding your personal data: the right to access your data and obtain a copy; the right to rectification of inaccurate data; the right to erasure (right to be forgotten); the right to restrict processing; the right to data portability; the right to object to processing based on legitimate interest; and the right to withdraw consent at any time for consent-based processing. Data export and account deletion are available directly through the platform. To exercise any of these rights, contact us at privacy@odyrides.com.
Children's Privacy
Odyrides is a business-to-business platform and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
Changes to This Policy
We may update this privacy policy from time to time. For material changes, we will provide at least 30 days notice via email or through a prominent notice on our platform before the changes take effect. Continued use of the platform after changes become effective constitutes acceptance of the updated policy.
Contact and Complaints
If you have questions about this privacy policy or how we handle your data, contact our privacy team at privacy@odyrides.com. If you are unsatisfied with our response, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at www.dpa.gr.