Privacy Policy
Last updated: March 5, 2026
1. Introduction
ecoTriver ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform for eco-friendly ride sharing to music events and festivals.
By using ecoTriver, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.
2. Information We Collect
2.1 Personal Information You Provide
When you create an account or use our services, we collect:
- Account Information: Name, email address, password (stored in hashed form)
- Profile Information: Profile photo, bio, city, music preferences, favorite genres
- Gender: Your gender (männlich / weiblich / divers) is stored to enable safety features such as Female-Only rides. You can update this at any time in your profile settings.
- Ride Information: Pickup/dropoff locations, departure times, available seats, safety preferences (Female-Only, LGBTQ+ Friendly flags)
- Booking Information: Ride bookings, event attendance, communication with other users
- Payment Information: Payment details processed through Stripe (we do not store full credit card numbers)
- Communication Data: Messages sent through our platform, organizer inquiries, support requests
2.2 Location Data
We collect and process location data to enable our core ride-sharing functionality:
- Your home city and preferred pickup locations
- Event and venue locations (coordinates)
- Route calculations and distance estimates
- Nearby ride matching based on geographic proximity
2.3 Automatically Collected Information
We automatically collect certain information when you use ecoTriver:
- Usage Data: Pages viewed, features used, time spent on platform
- Device Information: Browser type, operating system, device identifiers
- Analytics Data: Through Vercel Analytics and Speed Insights for performance monitoring
- Cookies: Authentication tokens, preferences, session data
2.4 Third-Party Authentication
If you sign up using Facebook or Google OAuth, we receive basic profile information including your name, email address, and profile photo from these providers.
3. How We Use Your Information
We use your information for the following purposes:
- Service Delivery: Facilitate ride sharing, match drivers and passengers, display event information
- Safety Features: Gender data is used exclusively to enforce Female-Only ride restrictions, ensuring only passengers with gender set to female can book such rides. This data is not used for profiling or targeted advertising.
- Communication: Send booking confirmations, ride updates, event reminders, and respond to inquiries
- Safety & Security: Verify user identities, prevent fraud, ensure platform security
- Improvement: Analyze usage patterns to improve features, optimize performance, and enhance user experience
- Legal Compliance: Comply with legal obligations, enforce our terms, and protect user rights
- Marketing: Send promotional emails about new features and events (you can opt out anytime)
3.1 Legal Basis for Processing (GDPR Art. 6)
Every processing activity has a specific legal basis under the GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Account creation & profile | Art. 6(1)(b) — contract performance |
| Ride coordination & messaging | Art. 6(1)(b) — contract performance |
| Payment processing (when active) | Art. 6(1)(b) — contract performance; Art. 6(1)(c) — legal obligation |
| Analytics cookies | Art. 6(1)(a) — consent |
| Fraud prevention & safety | Art. 6(1)(f) — legitimate interest |
| Tax & accounting records | Art. 6(1)(c) — legal obligation (§ 147 AO) |
| Anonymized aggregate CO₂ data | Not subject to GDPR — not personal data (Recital 26) |
4. Third-Party Services & Data Sharing
We use trusted third-party services to operate our platform. Your data may be shared with:
4.1 Infrastructure & Authentication
- Supabase: Database hosting, authentication, file storage for profile photos and event images
- Facebook/Google OAuth: Third-party login authentication (optional)
- Vercel: Website hosting, analytics, and performance monitoring
4.2 Payment Processing
- Stripe: Secure payment processing for ride bookings and event tickets. Stripe handles all sensitive payment data in compliance with PCI-DSS standards. We never store full credit card numbers.
4.3 Maps & Location Services
- OpenStreetMap / Leaflet: Interactive maps for displaying event locations, venues, and ride routes
- Open-Meteo: Weather forecasts for events (public API, no personal data shared)
4.4 Content & Accommodation
- Spotify API: Retrieve artist information, images, and music data (no personal data shared)
- Ticketmaster API: Import event data and details (no personal data shared)
- Stay22: Embedded accommodation widget showing nearby hotels (event location data only)
All third-party services are carefully selected and required to maintain appropriate data protection standards. We do not sell your personal information to third parties.
5. Environmental Data & Anonymized Reporting
As part of our environmental mission, ecoTriver produces anonymized, aggregate reports from ride data. These reports contain only: event name, city, date, total number of rides, total CO₂ saved, and distance ranges. They contain no personal data — no names, email addresses, home addresses, or GPS traces.
Aggregate data has a minimum threshold of 5 rides per data point to prevent any possibility of re-identification. Because this data is genuinely anonymous and cannot be linked to any individual, it falls outside the scope of the GDPR (Recital 26 — anonymous information).
This anonymized data may be shared with:
- Academic climate research institutions — for studies on sustainable urban mobility and CO₂ reduction
- Event organizers — free access to their own event's aggregate CO₂ impact data
- Corporate sustainability partners — organizations using verifiable CO₂ impact reports for Scope 3 emission auditing and EU sustainability reporting requirements
This is core to how ecoTriver works: every shared ride contributes to a measurable, verifiable picture of collective environmental impact. This use is described in our Terms of Service (Section 14) and is a standard condition of the service.
6. Data Storage & Security
We implement industry-standard security measures to protect your data:
- Passwords are hashed using bcrypt
- Data transmission is secured with HTTPS/TLS encryption
- Database access is restricted and monitored
- Regular security audits and updates
- Data is stored on secure servers within the EU (Supabase EU region)
While we strive to protect your personal information, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy. Specific retention periods by category:
| Data Category | Retention Period | Basis |
|---|---|---|
| Profile & account data | Until deletion request | Contract |
| Ride & booking records | 7 years post-trip | § 147 AO (tax law) |
| Messages | 2 years or deletion request | Contract |
| Payment records (when active) | 10 years | § 147 AO (tax law) |
| Anonymized CO₂ data | Indefinitely | Not personal data |
| Analytics logs | 90 days | Consent |
When data is no longer needed, it is securely deleted or anonymized.
8. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right to Access (Art. 15): Request a copy of all personal data we hold about you
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Limit how we use your data in certain circumstances
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format — use the "Download my data" feature in your account settings
- Right to Object (Art. 21): Object to processing of your data for direct marketing
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent
To exercise any of these rights, please contact us at support@ecotriver.com or visit our Data Deletion Instructions page.
9. Cookies & Tracking
9.1 Essential Cookies
These cookies are required for the platform to function and cannot be disabled:
- Authentication (sb-*): Keep you logged in securely via Supabase
- Theme preference: Remember your light/dark mode choice
- Locale: Remember your language preference (en/de)
- Geolocation: IP-based city detection for nearby events
- Cookie consent: Remember your cookie preference choice
9.2 Analytics Cookies
These cookies help us understand how the platform is used and improve performance. They are only activated if you explicitly consent:
- Vercel Analytics: Anonymous page view and interaction data
- Vercel Speed Insights: Performance metrics (load times, web vitals)
9.3 Managing Your Preferences
When you first visit ecoTriver, a banner asks you to choose between "Accept All" (enables analytics) or "Essential Only" (no analytics). You can change your choice at any time using the "Cookie Preferences" link in the footer.
10. Children's Privacy
ecoTriver is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will take steps to delete such information.
11. International Data Transfers
Your data is primarily stored in the European Union (Supabase EU region). Some third-party processors (Stripe for payments, Google OAuth, Vercel for hosting) may process data outside the EU. These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the EU Commission (Decision 2021/914). You can request copies of the applicable SCCs by contacting us at support@ecotriver.com.
12. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority at any time, without prejudice to any other administrative or judicial remedy. In Germany, you may contact the supervisory authority in your state of residence, or the authority responsible for ecoTriver:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin
Users in other EU member states may contact their national supervisory authority. A list of all EU supervisory authorities is available at the European Data Protection Board website.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last Updated" date. Continued use of ecoTriver after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@ecotriver.com
Data Deletion: Data Deletion Instructions
General Inquiries: Contact Form

