Effective date: 1 March 2026
This Privacy Policy explains how Vamigo ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Vamigo mobile application and related services (collectively, the "Service"). It applies to all users of the Service, including drivers and passengers.
By using the Service you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, please do not use the Service.
1. Data Controller
The data controller responsible for your personal data is:
- Operator: Marek Kwiatkowski
- Email: [email protected]
- Website: https://vamigo.app
2. Personal Data We Collect
2.1 Account & Profile Data
When you register or sign in, we collect:
- Email address
- Password (stored only as a bcrypt hash; we never store or see your plaintext password)
- Display name
- Phone number (optional, provided by you)
- Profile photo / avatar (optional, uploaded by you)
- Short biography (optional)
2.2 Google Sign-In Data
If you choose to sign in with Google, we receive the following from Google via OAuth:
- Email address
- Display name
- Profile photo URL
- Google account identifier (used solely to link your Google account to your Vamigo account)
We do not access your Google contacts, calendar, Drive, or any data beyond the basic profile scopes (email and profile). We do not sell or share Google-derived data with third parties for advertising or marketing purposes.
2.3 Ride & Booking Data
- Ride details: origin, destination, intermediate stops, departure times, available seats, price
- Seat requests: origin, destination, departure time, number of seats needed, offered price
- Booking records: which ride you booked, boarding and alighting stops, seat count, proposed price, booking status
2.4 Location Data
We process location data (city names and geographic coordinates) that you provide when creating or searching for rides. This data comes from the Photon geocoding service (based on OpenStreetMap) and is used to match riders with drivers.
We do not collect background location data from your device. Location data is only processed when you actively search for or create a ride within the app.
2.5 Messages
When you use in-app messaging, we store the content of your messages, delivery status, and read receipts to provide the chat functionality.
2.6 Reviews & Reports
- Reviews: Star ratings (1–5), text comments, and descriptive tags you leave after a completed ride.
- Reports: If you report another user or content, we store the report reason, your comment, and the reference to the reported content.
2.7 Vehicle Data
If you offer rides as a driver, you may add vehicle information: make, model, production year, color, and license plate number.
2.8 Device & Technical Data
- Push notification token: A Firebase Cloud Messaging (FCM) device token used to deliver push notifications. We store the token and your device platform (Android/iOS).
- Authentication tokens: JWT access and refresh tokens stored securely on your device (Keychain / Keystore).
3. Purposes and Legal Bases for Processing
We process your personal data for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Account creation and authentication | Email, password hash, Google ID, name | Contract performance (Art. 6(1)(b)) |
| Providing the ride-sharing service (ride matching, bookings) | Ride details, locations, booking data | Contract performance (Art. 6(1)(b)) |
| In-app messaging between users | Message content, delivery/read status | Contract performance (Art. 6(1)(b)) |
| Push notifications (booking updates, new messages, reminders) | FCM device token, notification content | Legitimate interest (Art. 6(1)(f)) |
| Email notifications (email verification, ride reminders) | Email address, name | Contract performance / Legitimate interest |
| Trust and safety (reviews, ratings, reports) | Reviews, reports, user statistics | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and account security | Google ID, email, authentication logs | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Any data as required by law | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Services & Data Recipients
We use the following third-party services to operate Vamigo:
| Service | Provider | Purpose | Data Shared |
|---|---|---|---|
| Google Sign-In (OAuth) | Google LLC (USA) | User authentication | Google ID token (email, name, photo) |
| Firebase Cloud Messaging | Google LLC (USA) | Push notifications | Device token, notification payload |
| Brevo (formerly Sendinblue) | Brevo SAS (France) | Transactional email delivery | Email address, name |
| S3-compatible storage | Self-hosted | Avatar / profile photo storage | Uploaded image files |
We do not sell your personal data to any third party. We do not share your data with third parties for their own marketing or advertising purposes.
5. International Data Transfers
Some of our third-party providers (Google LLC) are based in the United States. When your data is transferred outside the European Economic Area (EEA), it is protected by appropriate safeguards, including the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) as applicable.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account & profile data | Until you delete your account |
| Ride, seat, and booking data | Until you delete your account |
| Messages | Until you delete your account |
| Reviews you authored | Retained after account deletion for community trust and safety |
| Reports | Retained for moderation and legal compliance |
| Read notifications | Automatically deleted 90 days after being read |
| Email verification tokens | Expire and are deleted after 24 hours |
| FCM device tokens | Deleted on logout or when the token becomes invalid |
| Vehicle data | Until you delete your account |
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit: All communication between the app and our servers is encrypted using TLS/SSL (HTTPS).
- Password hashing: Passwords are hashed with bcrypt before storage. We never store plaintext passwords.
- Token security: Authentication tokens are stored in your device's secure storage (Keychain on iOS, Keystore on Android).
- Access control: Role-based access controls limit who can access your data within our systems.
- Stateless authentication: We use short-lived JWT tokens to minimize the impact of token compromise.
8. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), you have the following rights under the GDPR:
- Right of access — You can request a copy of the personal data we hold about you.
- Right to rectification — You can ask us to correct inaccurate or incomplete data. You can also update most of your data directly within the app.
- Right to erasure ("right to be forgotten") — You can request deletion of your account and associated data (see Section 9).
- Right to restriction of processing — You can ask us to temporarily limit how we use your data.
- Right to data portability — You can request your data in a structured, commonly used, machine-readable format.
- Right to object — You can object to processing based on legitimate interest.
- Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection supervisory authority.
9. Account & Data Deletion
You can delete your account at any time from within the app (Settings → Delete Account) or by contacting us at [email protected].
When you delete your account, we permanently delete:
- Your profile data (name, email, phone number, avatar, bio)
- Your authentication credentials and linked Google account data
- All rides and seat requests you created
- All bookings where you were a passenger
- All your conversations and messages
- All your vehicles
- All your notifications
- All email verification tokens
- All registered device tokens
Exceptions: Published reviews and moderation reports may be retained in anonymized form for community safety and legal compliance purposes.
10. Children's Privacy
The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the app or by email before the changes take effect. The "Effective date" at the top of this page indicates when this policy was last revised.
We encourage you to review this page periodically to stay informed about how we protect your data.
12. Contact Us
If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:
- Email: [email protected]