RideAtrium

Legal

Privacy Policy

Effective May 1, 2026 · Version v2.0.0

RideAtrium ("we", "us", or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains what information we collect, why we collect it, how we use and share it, and the rights you have with respect to that information. It applies to rideatrium.com and all associated mobile applications (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

Data We Collect

We collect the following categories of personal information, consistent with the California Consumer Privacy Act (CCPA) and Utah Consumer Privacy Act (UCPA) disclosure requirements:

  • Identifiers. Name, email address, username, display name, phone number, and profile photo. Collected when you create an account or update your profile.
  • Age Verification. At signup we ask for your date of birth to confirm you are at least 18 years old. We do not retain the raw date; we store only an ageVerifiedAt timestamp and the minimum-age result.
  • Geolocation Data. GPS coordinates for drivers during active rides (opt-in only — you may stop GPS sharing at any time), and pickup and drop-off addresses entered by riders when booking a ride. GPS pings are retained on the schedule described in § “Data Retention” below.
  • Financial Information. Payment card details are collected directly by Stripe via Stripe Elements — we never store, process, or have access to full card numbers. We do retain Stripe customer IDs and a record of payment methods on file (card brand and last four digits) for booking purposes. For drivers, we also retain a Stripe subscription ID and the identifier of the Stripe-managed volume-tiered metered Price for the Driver’s market, so that their monthly bill can be reconciled with Stripe.
  • Driver Compliance Data. For drivers only, we retain scans or PDFs of driver’s license, vehicle registration, and insurance declarations pages, and TNC / for-hire permits where required by the driver’s jurisdiction. We also retain the driver’s signed eligibility representations and any re-certifications of them. These documents are stored in private Supabase Storage buckets accessible only to the driver and authorized compliance reviewers.
  • Commercial Information. Ride history, booking details, scheduled times, fare amounts, and payment methods selected. For drivers, we additionally retain the sum of completed-ride earnings in the current billing period (used to select the Stripe subscription tier).
  • Communications. Chat messages exchanged between riders and drivers through the Service, and support tickets submitted to our team.
  • Device and Usage Data. IP address, browser type, device type, operating system, page views, click events, and access timestamps. Collected automatically as you interact with the Service.
  • Authentication Data. Bcrypt-hashed passwords for email/password accounts, and OAuth tokens for users who sign in via Google or Apple.
  • Legal Consent Records. Each time you accept one of our versioned legal documents (Terms of Service, Privacy Policy, Driver Agreement, or Cookie Policy) we record the document name, the exact version you accepted, the effective date, a SHA-256 hash of the rendered document body, a timestamp, the IP address you accepted from, and your user agent. See § “Consent Records” below for full detail.

How We Use Your Data

We use your information to:

  • Operate the Service and provide the features you request.
  • Process bookings and payments.
  • Bill drivers for the monthly platform-access subscription described in the Terms of Service § 13 and the Pricing Disclosure, and reconcile subscription state with Stripe.
  • Enable real-time communication between riders and drivers.
  • Send transactional notifications — booking confirmations, ride status updates, payment receipts, subscription renewal and trial-ending reminders, and post-ride feedback requests — via email, SMS, and push notifications. SMS is sent only to riders who provide a phone number at booking, and is subject to the consent, frequency, and opt-out terms described in our Terms of Service.
  • Detect fraud, prevent abuse, and enforce our Terms of Service.
  • Comply with applicable legal obligations.
  • Improve the product using aggregate, de-identified analytics data.
  • Provide customer support and resolve disputes.

We do not use your personal information for targeted advertising or cross-context behavioral advertising.

How We Share Your Data

We do not sell your personal information. We share data only as described below:

  • Riders and Drivers. Riders see a driver's public profile information (name, photo, rating). Drivers see the booking details submitted by a rider (name, contact information, pickup and drop-off addresses).
  • Stripe. We share payment-related data with Stripe, Inc. for payment processing, fraud prevention, and driver subscription billing (including periodic usage records that drive the volume-tiered metered Price). Stripe's use of your information is governed by Stripe's Privacy Policy.
  • Google Maps Platform. We share location data (pickup and drop-off addresses) with Google for route calculation and map display.
  • Push Notification Services. Notification content and device tokens are shared with Firebase Cloud Messaging (Android) and Apple Push Notification Service (iOS) solely to deliver notifications you have opted into.
  • Twilio. For riders who provide a phone number at booking, we share the phone number and message content with Twilio, Inc. for the limited purpose of delivering post-ride feedback SMS messages. Twilio's use of this information is governed by its own privacy policy.
  • Supabase. We use Supabase for database hosting, file storage (driver compliance documents), and authentication infrastructure. Your data is stored on Supabase servers in the United States in accordance with their data processing agreements.
  • Law Enforcement and Legal Process. We may disclose personal information when required to do so by valid legal process, including a subpoena, court order, or other governmental request. Where permitted by law, we will notify you of such requests.

Payments

Card details are collected directly and securely by Stripe via Stripe Elements. RideAtrium never stores, processes, or has access to full card numbers or CVV codes at any point. When you save a card for future bookings, Stripe stores the card and provides us with a token. For card-on-file bookings, payment is authorized at the time of booking and captured when the ride is completed.

Off-platform payments — including Zelle, CashApp, Venmo, and cash — occur directly between the rider and driver outside our systems. We only record that a particular payment mode was selected for a given booking; we do not process or have visibility into those transactions.

Driver subscriptions (see Terms of Service § 13 and Pricing Disclosure) are billed monthly by Stripe against the payment method the driver added during Stripe Checkout. Stripe stores those card details; RideAtrium does not.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know. You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
  • Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct. You have the right to request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing. You have the right to opt out of the sale or sharing of your personal information. We do not sell your personal information and do not share it for cross-context behavioral advertising.
  • Right to Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights.
  • Global Privacy Control (GPC). We honor GPC browser signals. Because we do not sell personal data or engage in cross-context behavioral advertising, a GPC signal results in no change to our current data practices.

To exercise your California privacy rights, email us at privacy@rideatrium.com. We will respond within 45 days of receiving your request. We may extend this period by an additional 45 days when reasonably necessary, with prior notice.

Utah Consumer Privacy Act (UCPA)

If you are a Utah resident, you have the following rights under the Utah Consumer Privacy Act:

  • Right to Access. You have the right to confirm whether we are processing your personal data and to access that data.
  • Right to Delete. You have the right to request deletion of personal data you provided to us.
  • Right to Data Portability. You have the right to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format.
  • Right to Opt-Out of Targeted Advertising. You have the right to opt out of targeted advertising. We do not engage in targeted advertising.
  • Right to Opt-Out of Sale of Personal Data. You have the right to opt out of the sale of your personal data. We do not sell personal data.

To exercise your Utah privacy rights, email us at privacy@rideatrium.com.

International Users — GDPR, UK GDPR, and India DPDPA

RideAtrium is currently offered only to users located in the United States. At signup, we detect country of origin from the requesting IP address and block registrations from outside the United States; users outside the U.S. are redirected to a waitlist where they may leave an email address. We do not market or actively solicit users in the European Economic Area, the United Kingdom, India, or any other jurisdiction outside the United States.

If you are incidentally located in the EEA, the United Kingdom, or India. You may nonetheless end up using the Service — for example, a U.S. driver may travel abroad and open the app, or a U.S. rider’s emergency contact may receive a safety notification. If we do process personal data about you from one of these regions, the following legal bases apply:

  • Contract. Processing necessary to perform the Service you requested (e.g., completing a ride you booked). GDPR / UK GDPR Art. 6(1)(b); DPDPA § 7(a).
  • Legitimate interests. Fraud prevention, safety, dispute resolution, and Service security — balanced against your fundamental rights. GDPR / UK GDPR Art. 6(1)(f); DPDPA § 7(e).
  • Consent. Optional features you opt into, such as marketing emails. GDPR / UK GDPR Art. 6(1)(a); DPDPA § 6. Withdrawable at any time by emailing privacy@rideatrium.com.
  • Legal obligation. Retention for tax or AML compliance. GDPR / UK GDPR Art. 6(1)(c); DPDPA § 7(g).

Data subject rights. Whether or not we are formally established in your jurisdiction, we honor, upon a good-faith request sent to privacy@rideatrium.com, the following rights for users whose personal data we process from the EEA, the UK, or India: (a) access; (b) rectification; (c) erasure; (d) restriction of processing; (e) objection to processing; (f) data portability; and (g) withdrawal of consent. We will respond within 30 days (GDPR / UK GDPR) or the statutory window under DPDPA, whichever applies. Because we do not currently maintain an Article 27 representative in the EU or UK, you may also lodge a complaint with your local supervisory authority.

International transfers. Personal data processed through the Service is stored on servers located in the United States. Transfers of EEA, UK, or Indian personal data to the United States occur, where applicable, under the EU-U.S. Data Privacy Framework (or its UK extension) to the extent we or our processors are certified, or under standard contractual clauses or your explicit consent.

Unconditional delete. Until we formally launch in a jurisdiction outside the United States, any user whose account was created from the EEA, the UK, or India may request unconditional deletion of their personal data by emailing privacy@rideatrium.com. We will comply within 30 days and retain only what is strictly required by U.S. law (e.g., financial records subject to the 7-year retention described below).

Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law. Specific retention periods are as follows:

  • Account data: Retained while your account is active, plus 1 year after account deletion.
  • Ride and booking data: 3 years after ride completion, for dispute resolution and legal compliance.
  • Chat messages: 1 year after the last message in a conversation.
  • GPS location pings: Automatically deleted 30 days after the ride that generated them is marked completed. Pings not associated with a completed ride are deleted 7 days after creation. A nightly scheduled job enforces this retention; you can audit the last run via our published compliance reports.
  • Driver compliance documents: Retained while the driver’s account is active plus 3 years after the driver is deactivated or the document expires, for response to negligent-hiring claims.
  • Driver eligibility representations: Retained while the driver’s account is active, plus three (3) additional years after account closure, to preserve the audit trail of the representations the driver made to RideAtrium and to Riders.
  • Legal consent records: Retained for the life of the account plus 7 years. See § “Consent Records”.
  • Usage analytics: Aggregated and de-identified data is retained indefinitely.
  • Payment records: 7 years, for tax and financial compliance.

Consent Records

Every time you accept one of our versioned legal documents — Terms of Service, Privacy Policy, Driver Agreement (drivers only), or Cookie Policy — we record an audit row containing:

  • The document type and the exact semantic version accepted.
  • The effective date of the version accepted.
  • A SHA-256 hash of the rendered document body at the moment of acceptance.
  • The UTC timestamp of the acceptance.
  • The IP address the acceptance was submitted from.
  • Your browser user-agent string.
  • Whether acceptance was via the web, the iOS app, or the Android app.

These rows are append-only; we do not overwrite or delete them except in response to a verified Right-to-Delete request by the account owner. To request a copy of your own consent records, email privacy@rideatrium.com. We will respond within 45 days. This record exists both to protect users (you can prove what you agreed to) and to protect the Service (we can demonstrate that you affirmatively agreed to the version in force at the time of each action).

Children's Privacy

The Service is not directed at minors under the age of 18 and requires users to be at least 18 years old. We do not knowingly collect personal information from any person under 18. If we learn that we have collected personal information from a person under 18, we will delete that information promptly. If you believe a minor has provided us with personal information, please contact us at privacy@rideatrium.com.

Cookies and Tracking Technologies

We use essential cookies required to operate the Service, including session cookies and CSRF protection tokens. We also use cookies set by Stripe for payment fraud detection purposes. We do not use advertising trackers, third-party analytics cookies (such as Google Analytics), or social media pixels (such as Meta Pixel). On first visit we ask you to choose between “Accept all”, “Essential only”, and a custom configuration; your choice is recorded with a version pointer so you can see, at any later time, which version of the policy you agreed to. For more detail, see our Cookie Policy.

Security

We implement industry-standard security practices to protect your personal information, including bcrypt-hashed passwords, HTTPS/TLS encryption for all data in transit, signed Stripe webhook verification, server-side handling of all third-party API tokens, and role-based access controls. No system is perfectly secure. If you discover a potential security vulnerability, please report it via our contact page and we will investigate promptly.

Do Not Track / Global Privacy Control

We honor Do Not Track (DNT) browser settings and Global Privacy Control (GPC) signals. Because we do not engage in cross-site tracking or targeted advertising, these signals result in no change to our existing data practices — we are already not conducting the activities these signals are designed to prevent.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email or in-app notice at least 30 days before taking effect, so you have the opportunity to review the changes before they apply to you. Each new version receives its own semantic version number in the registry above. Your continued use of the Service after the effective date of a new version constitutes your acceptance; on next login, we will require affirmative re-acceptance and create a new consent record. Prior versions are archived at /legal/privacy/archive.

PostHog Analytics

We use PostHog (PostHog Inc., 2261 Market St, San Francisco, CA 94114) to collect product analytics — page views, click events, and feature usage. PostHog data is hosted in the United States. PostHog's privacy notice is available at posthog.com/privacy.

PostHog never receives your full email address, phone number, full name, or postal address. The only personal data we send is your account ID and email domain (for example, "gmail.com").

You can opt out of PostHog tracking at any time using the cookie banner, or by enabling Global Privacy Control in your browser. To delete all PostHog data tied to your account, email support@rideatrium.com with the subject "PostHog deletion request" — we will purge it within 7 days.

Contact Us

For privacy-related inquiries, requests to exercise your rights, or questions about this policy, please contact us: