Privacy Policy
Last updated: 11 July 2026
1. Who we are
Upstart Forge Limited, trading as FairTaxi (registered business name RBN 786959), a private company limited by shares incorporated in Ireland on 28 May 2026 (company number 817002), registered office at 22 Drumnigh Wood, Portmarnock, Co Dublin, D13 P652, VAT number IE 4744030VH, holder of National Transport Authority (NTA) dispatch operator licence DH12674 (“FairTaxi”, “we”, “us”, “our”). Contact: complaints@fairtaxi.ie (general/complaints), privacy@fairtaxi.ie (privacy enquiries), support@fairtaxi.ie (support), +353 89 965 3357.
We operate a ride‑hailing platform connecting Riders and independent Drivers. We are the data controller for the personal data described in this policy.
We are not required to appoint, and have not appointed, a statutory data protection officer under Article 37 GDPR. For any privacy enquiry or to exercise your rights, contact our privacy contact at privacy@fairtaxi.ie.
2. What data we collect
We collect personal data from Riders and Drivers as follows.
2.1 Rider data
- Identity and contact: mobile phone number (verified by OTP), first name (optional), email address (optional, for receipts).
- Payment data: we do not store full card numbers. We access the last 4 digits and card brand via Stripe for display in the App.
- Ride data: pickup and destination addresses, route, trip times, fare amount, payment method.
- Location: while using the App for a ride or when location services are active, we collect precise GPS location.
- Dispute materials: photos and messages you submit through the dispute feature.
- Diagnostic logs: if you choose “Send diagnostic logs to support”, we receive logs that may contain technical device information.
- Safety data: if you use the emergency button or share trip, we process the associated signals and contact information.
2.2 Driver data
In addition to the above categories (where applicable to Drivers), we also collect:
- Full name, email address, mobile phone number (verified by OTP).
- SPSV driver’s licence number, and copies of:
- PSV driver licence document,
- Vehicle PSV licence,
- Motor insurance certificate,
- NCT certificate,
- Garda Vetting clearance evidence.
- Subscription payment details: we process subscription payments via Stripe; we do not store full card numbers.
3. How we use your data, and our lawful bases
We process personal data only where we have a lawful basis under GDPR:
| Purpose | Lawful basis |
|---|---|
| Providing the platform (matching Riders and Drivers, enabling ride booking, facilitating ride payments via Stripe Connect direct charges) | Performance of a contract (Rider Terms / Driver Terms) |
| Verifying Driver documents and monitoring expiry | Legal obligation (NTA regulations, Taxi Regulation Act 2013) and legitimate interest in ensuring platform safety |
| Collecting Driver subscription fees | Performance of a contract |
| Safety features (emergency button, trip sharing) | Legitimate interest in protecting users and providing safety tools |
| Customer support and dispute resolution | Legitimate interest in platform integrity and user satisfaction |
| Sending service-related messages (booking confirmations, receipts, account notices) | Performance of a contract |
| Analytics and app improvement (Firebase Analytics) | Consent (where required) for analytics; legitimate interest for crash reporting |
| Marketing communications | Consent (where required); you may opt out at any time |
| Compliance with legal obligations (tax, law enforcement requests) | Legal obligation |
| Defending legal claims | Legitimate interest in protecting our rights |
Where we rely on legitimate interests, the interests we actually rely on are: maintaining platform safety and integrity, preventing and detecting fraud and abuse, establishing, exercising or defending legal claims, and improving our service. We balance these interests against your rights and only rely on them where they are not overridden by those rights.
4. Whether you must provide data
Providing your identity, phone number and (where you pay by card) payment data is a contractual requirement: it is necessary to create an account and use the service, and without it we cannot provide the platform to you. For Drivers, providing licensing and vehicle documents is both a contractual requirement and a statutory or regulatory requirement under NTA rules and the Taxi Regulation Act 2013; if you do not provide them we cannot verify your eligibility or grant dispatch access.
5. How long we keep data
- Ride history: stored for as long as your account remains active. Upon account closure, ride history is anonymised or deleted after 7 years from the last ride (to satisfy potential legal claims and audit requirements).
- Terms acceptance evidence: the account identifier, document name, version, published URL, document hash, acceptance wording and server-recorded timestamp are retained with the account and thereafter for up to 7 years after closure. We use this record to administer the contract and establish, exercise or defend legal claims.
- Driver documents: kept while the Driver’s account is active and for 7 years after the driver relationship ends, on the legal-obligation basis (SPSV and NTA record-keeping). On account closure the licence-holder names and other identity fields are anonymised and access to the files is restricted; both the uploaded document files and their verification metadata are retained for that 7-year period, and a Data Deletion Certificate is issued. They are permanently deleted at the end of the period.
- Diagnostic logs: kept while your account is active and deleted when you close or erase your account.
- Audit logs (system events): 7 years.
- Payment metadata (last 4 digits): for 7 years after the associated transaction, in line with financial record‑keeping requirements.
- Location data: a Driver’s precise location history is held as a separate record while their account is active and is deleted when the account is closed or erased. Each ride’s route is stored with that ride’s record and kept for the same period as ride history (7 years). The live position used for dispatch is held only briefly in an in-memory store and is removed when the Driver goes offline.
- Dispute photos: kept with the associated ride and payment record and retained for 7 years, in line with the retention of ride and payment records, to address any subsequent complaint or claim.
6. Who we share your data with
We use carefully selected third‑party processors, all contractually bound to process data only on our instructions:
- Stripe - payment processing. Ride fare payments are processed as direct charges on the Driver’s Stripe Connect account (the Driver is the merchant of record). Driver subscription payments are processed on FairTaxi’s Stripe account (FairTaxi is the merchant of record). Stripe acts as a data processor for our purposes; for ride transactions they also act as a controller for their own compliance. Data is stored in the EU and, where Stripe transfers data outside the EEA, they rely on Standard Contractual Clauses (SCCs).
- Firebase / Google - phone-number verification by SMS one-time code at sign-in, authentication, analytics, crash reporting, and push notifications (FCM). Data is processed in the EU and under Google’s SCCs where applicable.
- Cloudflare - three purposes. (a) DNS, CDN, and cookieless web analytics for our marketing website: Cloudflare processes minimal data (e.g. IP addresses) for security and performance, and the analytics use no cookies and collect no personal data. (b) Cloudflare Workers AI: when a Driver uploads a licensing or vehicle document (PSV driver licence, SPSV vehicle licence, insurance certificate, motor tax), we send the document image to Cloudflare Workers AI to read and extract the printed fields (such as name, licence / registration / policy numbers and expiry dates) so our team can verify them. Cloudflare runs open-weight models on its own infrastructure: the model developers do not receive your data, and Cloudflare does not use these inputs to train models or retain them after the request. This extraction only pre-fills what a human reviewer sees; the decision to approve a document is always made by a person (see section 8). Cloudflare acts as our data processor under its Data Processing Addendum; where it processes data outside the EEA this is covered by the EU Standard Contractual Clauses and Cloudflare’s EU-US Data Privacy Framework certification. (c) Cloudflare RealtimeKit: in-app voice calls between Riders and Drivers run over Cloudflare RealtimeKit (WebRTC) with masked numbers, so no phone numbers are exchanged. We store only call metadata (initiator, join and leave times, duration and outcome), and no call recording is configured; your stored display name is shared with Cloudflare as the call participant name.
- HERE - route, travel-time and fare-estimate computation. The pickup, drop-off and any intermediate coordinates of a ride are sent to HERE (router.hereapi.com) to calculate the route and duration. HERE acts as our processor and, where it processes data outside the EEA, relies on the EU Standard Contractual Clauses.
- MapTiler - map tiles for the in-app map. Map-tile requests, which include the map area being viewed, are served to the apps through our server-side proxy from MapTiler. MapTiler acts as our processor and relies on the EU Standard Contractual Clauses where it processes data outside the EEA.
- Amazon Web Services (AWS) - hosting, databases, file storage, transactional email, and push-notification fan-out (Amazon SNS delivers our push notifications to Apple and Google). All personal data is stored in AWS eu-west-1 (Ireland). Uploaded Driver document images are additionally screened by AWS Rekognition for image moderation as part of the verification workflow.
We may also share data when required by law or to enforce our Terms, including with the NTA, An Garda Síochána, or other regulators.
Safety incident notification currently uses a generic webhook to our safety team; a dedicated incident-paging processor (PagerDuty) is planned but not yet active. We will update this policy before activating it.
When a Driver uses the App’s in-App “Navigate” feature, the pickup or destination of the current ride is passed to the third-party navigation app the Driver chooses (for example Google Maps or Waze, or the app the device selects). Those apps are independent controllers, not our processors: their handling of that location is governed by their own privacy policies, and we pass them only the coordinates needed to route the trip, never Rider identity.
6.1 Driver referral programme
If you are a Driver, you can invite other Drivers with a personal referral code, and you can join using another Driver’s code. When you take part, we process data as follows.
-
What your inviter can see about you. If you sign up using another Driver’s referral code, that inviting Driver sees a short entry for you on their referrals screen: your first name, the date you joined, and your progress toward your first 10 rides. That progress counter is capped at 10 and stops there. Once you have completed 10 rides, the counter is replaced for good by an “Activated” badge and freezes: your inviter never sees the actual number after that, and within the referral programme your inviter never sees anything beyond this. Your inviter does not see your phone number, your photograph, your surname, your earnings, or any of your ride details, at any stage.
-
You are told this before you confirm. The screen where you enter a referral code shows you your inviter’s first name and tells you, before you accept, that your inviter will see that you joined with their code and your progress to your first 10 rides, and never anything after that, and that you can hide this from them at any time in Settings. Using a referral code is your choice.
-
You can hide your progress. You can switch on “Hide my progress from my inviter” at any time. Your entry on your inviter’s screen then collapses to a generic “a driver joined” line, shown without your name or your progress. Your activation still counts toward your inviter’s reward, so hiding your progress never reduces your inviter’s rewards, and your own rewards are unaffected by hiding. Because we share this information on the basis of our legitimate interest in running a transparent referral programme, this toggle is also how you exercise your right to object under Article 21 (see section 11); you may also object by emailing privacy@fairtaxi.ie.
-
Counting rides for rewards. The referral programme rewards completed rides, so we count them. When a Driver you invited completes 10 rides that referral becomes “activated”, and every three activated referrals adds 30 days of subscription credit to your account, with no upper limit. Separately, when you as an invited Driver reach your 30th ride you receive a one-time addition of 30 days of subscription credit. We process these ride counts on the basis of our legitimate interest (Article 6(1)(f)) in operating the referral programme you chose to join; there is no separate contract you sign up to for this.
-
A minimal record kept after account deletion (fraud prevention). Some benefits can be claimed only once: the one-time 30 days of credit you receive on your 30th ride, being counted as an activation for the Driver who invited you, and the founding-members free period. To stop the same person deleting their account and registering again to claim a one-time benefit again, when a Driver deletes their account we keep a single minimal record: a salted, one-way hash of the SPSV driver licence number (not the licence number itself), a few yes/no flags recording which one-time benefits were already used, and the deletion date. We keep nothing else from the deleted account for this purpose, no name and no contact details; the record is designed so that it does not reveal the licence number and is used only to check whether a licence number presented later matches. We rely on our legitimate interest in preventing fraud (Article 6(1)(f)). We keep this record for 7 years, in line with our financial record-keeping retention, and then delete it, and we review the period periodically.
7. International transfers
We do not routinely transfer personal data outside the European Economic Area (EEA). Where processors transfer data internationally (e.g. Stripe, Cloudflare, HERE), we ensure adequate safeguards are in place, typically the EU Standard Contractual Clauses (and, for Cloudflare, its EU-US Data Privacy Framework certification), and we carry out transfer impact assessments as required. Please contact our privacy contact at privacy@fairtaxi.ie for more information.
8. Automated decision-making and profiling
We do not make solely-automated decisions that produce legal effects concerning you, or similarly significantly affect you, without human review. Ride-matching and our fraud and mock-location detection are automated signals, but any adverse outcome (for example reversing a fee or suspending an account) involves human review under our dispute process before it takes effect. We do not profile you for marketing purposes.
9. Security of your data
We apply technical and organisational measures appropriate to the risk, including encryption of data in transit and at rest, access controls on a least-privilege basis, and hosting in AWS eu-west-1 (Ireland). If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission, and affected users where required, in line with our legal obligations.
10. Children
The service is not directed at, and is not intended for, anyone under 18. We do not knowingly collect personal data from children. Riders must be at least 18, consistent with our Rider Terms. If we become aware that we have collected a child’s data, we will delete it.
11. Your rights
Under the GDPR and the Irish Data Protection Act 2018, you have the following rights:
- Access - obtain a copy of your personal data.
- Rectification - have inaccurate data corrected.
- Erasure - request deletion of your data, subject to legal retention requirements.
- Restriction - limit processing in certain circumstances.
- Portability - receive your data in a structured, machine‑readable format.
- Objection - object to processing based on legitimate interests.
- Withdraw consent - where processing is based on consent, you can withdraw it at any time.
- Complaint - lodge a complaint with the Data Protection Commission (www.dataprotection.ie).
How to exercise your rights
To exercise any of these rights, email our privacy contact at privacy@fairtaxi.ie. We will respond within one month. We may need to verify your identity before acting on a request. If you are not satisfied with how we handle your data, you may lodge a complaint with the Data Protection Commission:
- Email: info@dataprotection.ie
- Phone: +353 0761 104 800
- Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28
- Website: dataprotection.ie
12. Cookies and similar technologies
Our marketing website uses cookieless Cloudflare Web Analytics, which does not track individual visitors. Details are in our Cookie Policy.
13. Changes to this policy
We may update this Privacy Policy. Material changes will be notified via the App or email.