Privacy Policy

Last Updated: February 14, 2026

1. INTRODUCTION

This Privacy Policy explains how Webito Future Tech s.r.o. ("TapCy", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use our Platform.

Platform role notice: TapCy is a software platform that matches riders with independent drivers and transport partners. TapCy does not provide transportation services directly and does not act as a transport operator.

Company Details:

  • Legal Name: Webito Future Tech s.r.o.
  • Registration Number: 23240911
  • Registered Address: Plzeňská 3352/156, Smíchov, 150 00 Prague 5, Czech Republic
  • Email: privacy@tapcy.app
  • Website: tapcy.app

Data Controller: Webito Future Tech s.r.o. is the data controller responsible for your personal data.

GDPR Compliance: This policy complies with the EU General Data Protection Regulation (GDPR) and applicable Czech and Cyprus data protection laws.

2. SCOPE AND CONSENT

2.1 Who This Applies To

This Privacy Policy applies to:

  • Passengers who use the TapCy Platform to book rides
  • Drivers who use the Platform to receive booking requests
  • Business users (e.g., hotels/corporates) who use the Platform as a booking coordination tool
  • Provider/agency users who use the Platform to manage and present groups of independent drivers
  • Website visitors who browse tapcy.app

2.2 Consent

By using our Platform, you consent to:

  • Collection and processing of your personal data as described herein
  • Transfer of data to third parties as specified
  • Use of cookies and similar technologies
  • International data transfers (if applicable)

You may withdraw consent at any time by contacting privacy@tapcy.app, but this may affect your ability to use the Platform.

3. WHAT PERSONAL DATA WE COLLECT

3.1 Data We Collect from PASSENGERS

Account Information:

  • Full name
  • Email address
  • Phone number
  • Profile photo (optional)
  • Password (encrypted)
  • Date of birth (for age verification)
  • No payment card data is collected under the current model (TapCy does not process online passenger payments)

Trip Information:

  • Pickup and destination addresses
  • Trip route and distance
  • Trip date and time
  • Trip duration
  • Fare amount
  • Driver selected
  • Trip status

Location Data:

  • GPS location during trip (if you enable location services)
  • Pickup and destination coordinates
  • Real-time location tracking during active trips

Device Information:

  • Device type and model
  • Operating system
  • Mobile network information
  • IP address
  • Device identifiers (IMEI, advertising ID)
  • App version

Usage Data:

  • Platform activity and interactions
  • Search history
  • Booking history
  • Cancellation history
  • Preferences and settings

Communications:

  • Messages sent through Platform
  • Support inquiries and communications
  • Feedback and ratings you provide
  • Survey responses

3.2 Data We Collect from DRIVERS

Identity and Business Information:

  • Full legal name
  • Business/trading name
  • Email address
  • Phone number
  • Date of birth
  • Tax identification number
  • Bank account details (for settlements/payouts where applicable)
  • Profile photo

Professional Documents:

  • Driver's license number and copy
  • Taxi operator license number and copy
  • Vehicle registration
  • Insurance policy details and certificates
  • Any additional compliance documents submitted by the driver (if requested)
  • Professional certificates
  • Tax registration documents

Vehicle Information:

  • Vehicle make, model, and year
  • Vehicle registration number
  • Vehicle color
  • Number of seats
  • Vehicle photos

Location Data:

  • Real-time GPS location while Platform is active
  • Location history
  • Routes driven

Trip Information:

  • Trips completed
  • Trip routes and distances
  • Earnings per trip
  • Acceptance and cancellation rates
  • Online/offline status

Performance Data:

  • Passenger ratings and reviews
  • Response times
  • Completion rates
  • Reliability metrics

Communications:

  • Messages with passengers
  • Communications with TapCy support
  • Dispute-related information

3.3 Data from Third Parties

We may receive data from:

  • Mapping services (Google Maps): Route data, traffic information
  • No payment processor data in the current model (TapCy does not process online passenger payments)
  • Social media (if you connect accounts): Profile information
  • Insurance providers: Coverage verification (where provided by driver)

3.4 Automatically Collected Data

Cookies and Similar Technologies:

  • Session cookies
  • Persistent cookies
  • Analytics cookies
  • Advertising cookies (if applicable)

See our Cookie Policy for details.

Log Data:

  • Access times
  • Pages viewed
  • Links clicked
  • Errors and crashes
  • Referral sources

4. HOW WE USE YOUR PERSONAL DATA

4.1 Purposes and Legal Bases

We process your data for the following purposes under the following legal bases:

A. Service Provision (Contractual Necessity)

To provide Platform services:

  • Create and manage your account
  • Process booking requests
  • Facilitate connections between passengers and drivers
  • Calculate trip distances and fares
  • Display available drivers to passengers
  • Send trip notifications and updates
  • Record trip-related fare and payment-status information (without processing online payments)
  • Provide customer support

Legal Basis: Performance of contract

B. Safety and Security (Legitimate Interest)

To ensure safety:

  • Collect and store driver-submitted compliance documents (e.g., license/insurance copies)
  • Monitor for fraudulent activity
  • Investigate safety incidents
  • Respond to emergencies
  • Share information with law enforcement when required by law
  • Prevent account abuse

Legal Basis: Legitimate interest in safety and security

C. Platform Improvement (Legitimate Interest)

To improve services:

  • Analyze Platform usage patterns
  • Develop new features
  • Fix bugs and technical issues
  • Conduct research and analytics
  • Optimize user experience
  • A/B testing

Legal Basis: Legitimate interest in service improvement

D. Marketing and Communications (Consent/Legitimate Interest)

To communicate with you:

  • Send service-related notifications
  • Promotional emails about new features
  • Special offers and discounts (with consent)
  • Surveys and feedback requests
  • Platform updates and announcements

Legal Basis:

  • Service communications: Contractual necessity
  • Marketing: Consent (you can opt out anytime)

E. Legal Compliance (Legal Obligation)

To comply with laws:

  • Tax reporting and record-keeping
  • Responding to legal requests (court orders, subpoenas)
  • Regulatory compliance
  • Dispute resolution
  • Enforcing our Terms and Conditions

Legal Basis: Legal obligation / Legitimate interest

F. Business Operations (Legitimate Interest)

To operate our business:

  • Financial reporting and accounting
  • Business planning and strategy
  • Risk assessment
  • Mergers, acquisitions, or business transfers
  • Insurance claims

Legal Basis: Legitimate interest

G. Role Boundaries (Legitimate Interest / Contractual Necessity)

To operate the Platform as an intermediary service:

  • Support business users in coordinating bookings for their guests/clients
  • Support provider/agency users in managing and presenting groups of independent drivers
  • Maintain records that clarify TapCy does not provide transportation services directly

Legal Basis: Contractual necessity and legitimate interest

4.2 Legitimate Interest Balancing

Where we rely on legitimate interest, we have balanced our interests against your rights and determined that:

  • Processing is necessary for stated purpose
  • Impact on you is minimal and expected
  • You have control over your data
  • Benefits to you outweigh any privacy impact

You may object to processing based on legitimate interest (see Section 9).

5. HOW WE SHARE YOUR PERSONAL DATA

5.1 Sharing Between Passengers and Drivers

When a booking is made:

Passenger receives Driver's:

  • Name
  • Photo
  • Vehicle information (make, model, color, registration)
  • License plate number
  • Phone number (for trip coordination)
  • Location during trip
  • Ratings

Driver receives Passenger's:

  • First name
  • Phone number (for trip coordination)
  • Pickup location
  • Destination (after accepting booking)
  • Ratings

Purpose: To facilitate the transportation service

Legal Basis: Contractual necessity

5.2 Service Providers (Processors)

We share data with third-party service providers who process data on our behalf:

Mapping and Navigation:

  • Google Maps API - Route calculation, location services
  • Data shared: Origin, destination, GPS coordinates

Cloud Hosting:

  • Cloud hosting providers - Platform hosting and data storage
  • Data shared: All Platform data (encrypted)

Communications:

  • Email service providers - Transactional emails and notifications
  • SMS providers - Text message notifications
  • Data shared: Name, email, phone number, message content

Analytics:

  • Google Analytics - Platform usage analytics (anonymized where possible)
  • Data shared: Usage patterns, device info (may be pseudonymized)

Customer Support:

  • Customer support tools/providers - Support ticket management
  • Data shared: Name, email, support inquiries

Payment Processing: Not applicable in the current model (TapCy does not process online passenger payments).

Background Screening Providers: TapCy does not currently perform formal background checks via third-party screening providers.

All processors:

  • Are contractually required to protect your data
  • May only process data for specified purposes
  • Are GDPR-compliant
  • Are bound by data processing agreements

5.3 Legal and Regulatory Authorities

We may share data with:

Law Enforcement:

  • Police, courts, regulatory authorities
  • When required by law or legal process
  • To protect rights, property, or safety
  • In response to valid legal requests

Tax Authorities:

  • For tax reporting and compliance (drivers' earnings data)

Regulatory Bodies:

  • Transport regulators
  • Data protection authorities

Legal Basis: Legal obligation / Legitimate interest

5.4 Business Transfers

In the event of:

  • Merger or acquisition
  • Sale of assets
  • Bankruptcy or reorganization

Your data may be transferred to successor entity. You will be notified of any such transfer.

5.5 With Your Consent

We may share data with other third parties if you explicitly consent.

5.6 Anonymized and Aggregated Data

We may share anonymized, aggregated data that does not identify you personally:

  • Industry statistics
  • Research purposes
  • Business analytics

This is not considered personal data sharing.

6. INTERNATIONAL DATA TRANSFERS

6.1 Transfers Outside EU/EEA

Your data may be transferred to and processed in countries outside the EU/EEA, including:

  • United States (cloud hosting, analytics providers)
  • Other countries where our service providers operate

Safeguards: When data is transferred outside EU/EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by EU Commission
  • Adequacy decisions (for countries deemed adequate by EU Commission)
  • Privacy Shield (if applicable and valid)
  • Other approved transfer mechanisms

6.2 Your Rights

You have the right to object to international transfers and request information about safeguards in place.

7. DATA RETENTION

7.1 Retention Periods

We retain your data for as long as necessary for the purposes described:

Active Accounts:

  • Account data: For duration of account
  • Trip history: While account is active + 3 years after account closure
  • Communications: 2 years

After Account Deletion:

  • Some data retained for legal and compliance purposes:
    • Financial records: 7 years (tax law requirement)
    • Dispute-related data: Until resolved + 2 years
    • Legal claims: Until expiry of limitation period

Driver Documents:

  • License and insurance records: 5 years after relationship ends
  • Verification/compliance records (if collected): 3 years

Location Data:

  • Real-time location: Deleted after trip completion
  • Historical trip routes: 1 year

Analytics Data:

  • Anonymized usage data: Indefinitely

7.2 Deletion

After retention period expires, we:

  • Permanently delete data, or
  • Anonymize data so it no longer identifies you

You may request earlier deletion (see Section 9).

8. DATA SECURITY

8.1 Security Measures

We implement appropriate technical and organizational measures to protect your data:

Technical Measures:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest
  • Secure authentication (hashed passwords)
  • Firewall protection
  • Regular security updates and patches
  • Access controls and user authentication
  • Intrusion detection systems
  • Regular security audits

Organizational Measures:

  • Staff training on data protection
  • Confidentiality agreements
  • Access limited to authorized personnel only
  • Regular security reviews
  • Incident response procedures
  • Data protection impact assessments

8.2 Your Responsibility

You are responsible for:

  • Keeping your password confidential
  • Using secure internet connections
  • Logging out after use
  • Reporting suspected breaches

8.3 Data Breach Notification

In the event of a data breach:

  • We will notify supervisory authority within 72 hours (if required)
  • We will notify you if the breach poses high risk to your rights
  • We will take steps to mitigate harm

9. YOUR RIGHTS UNDER GDPR

As an EU data subject, you have the following rights:

9.1 Right of Access (Article 15)

You have the right to:

  • Confirm whether we process your data
  • Obtain a copy of your data
  • Information about how we process your data

How to exercise: Email privacy@tapcy.app with "Access Request" subject

Response time: Within 1 month (may be extended to 3 months for complex requests)

Fee: Free for first request; reasonable fee for additional copies

9.2 Right to Rectification (Article 16)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete data

How to exercise:

  • Update directly in your account settings, or
  • Email privacy@tapcy.app with "Rectification Request"

Response time: Within 1 month

9.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your data when:

  • Data no longer necessary for original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing (and no overriding legitimate grounds)
  • Data was unlawfully processed
  • Required by legal obligation

Exceptions: We may retain data if required for:

  • Compliance with legal obligations
  • Establishment, exercise, or defense of legal claims
  • Public interest

How to exercise:

Response time: Within 1 month

9.4 Right to Restriction of Processing (Article 18)

You have the right to restrict processing when:

  • You contest accuracy of data (during verification)
  • Processing is unlawful but you don't want erasure
  • We no longer need data but you need it for legal claims
  • You've objected to processing (pending verification)

Effect: We may store data but not actively process it

How to exercise: Email privacy@tapcy.app with "Restriction Request"

9.5 Right to Data Portability (Article 20)

You have the right to:

  • Receive your data in structured, commonly used, machine-readable format
  • Transmit data to another controller

Applies to:

  • Data processed by automated means
  • Data processed based on consent or contract

How to exercise: Email privacy@tapcy.app with "Portability Request"

Format: We will provide data in JSON or CSV format

9.6 Right to Object (Article 21)

You have the right to object to processing based on:

  • Legitimate interests (unless we demonstrate compelling grounds)
  • Direct marketing (absolute right - we must stop)
  • Profiling for marketing

How to exercise:

9.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Current Status: We currently do NOT engage in automated decision-making that produces legal effects.

If we implement such processing in the future, we will:

  • Notify you clearly
  • Obtain explicit consent if required
  • Provide meaningful information about the logic involved
  • Allow you to contest the decision

9.8 Right to Withdraw Consent

Where processing is based on consent, you may withdraw that consent at any time.

Withdrawal does not affect the lawfulness of processing carried out before the withdrawal took effect.

How to exercise:

  • Update preferences in account settings
  • Click "Unsubscribe" in marketing emails
  • Email privacy@tapcy.app and request consent withdrawal

9.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your personal data is being processed unlawfully.

Primary supervisory authority (Czech Republic):

  • Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
  • Website: https://www.uoou.cz
  • Email: posta@uoou.cz
  • Address: Pplk. Sochora 27, 170 00 Prague 7, Czech Republic

Cyprus supervisory authority (for Cyprus-based users):

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 What Are Cookies

Cookies are small text files placed on your device to enable core platform functions, remember preferences, and improve service performance.

10.2 Types of Cookies We Use

Strictly Necessary Cookies

  • Required for platform operation and security
  • Enable core features such as authentication and session protection
  • Cannot be disabled without affecting core service functionality

Performance and Analytics Cookies

  • Help us understand platform usage and performance
  • Collect aggregated or pseudonymized usage metrics
  • May include analytics tools such as Google Analytics

Functional Cookies

  • Store preferences such as language and non-essential UI settings
  • Improve usability and continuity of your experience

10.3 Managing Cookies

You can control cookies through:

  • Browser settings (block all cookies or specific cookies)
  • Our cookie consent banner
  • Third-party opt-out tools (e.g., Google Analytics opt-out)

Note: Disabling necessary cookies may affect Platform functionality.

10.4 Third-Party Cookies

Some cookies are placed by third-party services:

  • Google Maps (mapping services)
  • Google Analytics (analytics)
  • No other third-party cookies are currently used by us beyond mapping/analytics tools listed above

These third parties have their own privacy policies.

10.5 Do Not Track

We currently do not respond to "Do Not Track" browser signals, but you can control tracking through other means.

11. CHILDREN'S PRIVACY

11.1 Age Restriction

Our Platform is NOT intended for children under 18 years of age.

We do not knowingly collect personal data from children under 18.

11.2 Parental Notice

If you believe we have collected data from a child under 18, please contact us immediately at privacy@tapcy.app and we will delete it.

12. CHANGES TO THIS PRIVACY POLICY

12.1 Updates

We may update this Privacy Policy to reflect:

  • Changes in our practices
  • Legal requirements
  • New features or services

12.2 Notification

We will notify you of material changes by:

  • Email to your registered address
  • Notification in Platform
  • Posting updated policy with new "Last Updated" date

12.3 Continued Use

Continued use after changes constitutes acceptance of updated policy.

13. CONTACT US

13.1 Data Protection Officer (DPO)

While we are not currently required to appoint a DPO, you can contact us about data protection matters:

General Privacy Inquiries: Email: privacy@tapcy.app

Data Subject Rights Requests: Email: privacy@tapcy.app Subject: [Type of Request - e.g., "Access Request", "Erasure Request"]

Data Protection Officer (if appointed): Email: dpo@tapcy.app

Postal Address: Webito Future Tech s.r.o. Attention: Privacy Team Plzeňská 3352/156, Smíchov 150 00 Prague 5 Czech Republic

13.2 Response Time

We aim to respond to all inquiries within:

  • Simple inquiries: 5 business days
  • Data subject rights requests: 1 month (extendable to 3 months for complex requests)

14. SPECIAL PROVISIONS FOR DRIVERS, BUSINESS USERS, AND PROVIDER/AGENCY USERS

14.1 Business Data

As a driver operating an independent business, some of your data constitutes business data rather than purely personal data.

This may affect certain rights (e.g., data portability may not apply to all business-related data).

14.2 Earnings and Tax Data

We retain earnings and tax-related data for legal compliance periods (up to 7 years) even after account closure.

14.3 Public Profile

Your driver profile (name, photo, ratings) is publicly visible on the Platform to passengers.

By creating a driver account, you consent to this public display.

14.4 Business Users

Business users (e.g., hotels/corporates) use TapCy as a digital coordination tool for booking requests.

Business users are responsible for their own legal obligations toward their guests/clients.

14.5 Provider/Agency Users

Provider/agency users may manage and present groups of independent drivers through the Platform.

TapCy remains an intermediary technology platform and does not become a transportation operator by facilitating these listings.

This Privacy Policy is issued by Webito Future Tech s.r.o. (Czech Republic) for TapCy platform operations, including services offered to users in Cyprus.

For any data protection request, contact privacy@tapcy.app.