Privacy Policy

The ROAD App, a Cyprus-registered private limited company, is the data controller responsible for your personal data. We are subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Cyprus Data Protection Law (Law 125(I)/2018).

Contact: admin@theroadapp.com · Nicosia, Republic of Cyprus

Account data: Full name, email address, phone number, role (driver or advertiser), city, profile photo (optional).

Driver-specific data: Vehicle make, model, year, colour, licence plate number, copy of driving licence, copy of vehicle registration certificate, Stripe Connect account details (managed by Stripe), Expo push notification token.

Advertiser-specific data: Company name, VAT number, registered address, website, company logo, Stripe payment method (managed by Stripe).

GPS and driving data: Latitude, longitude, speed, km delta, battery level, timestamp — collected every 2 minutes while the ROAD app is active during driving hours (05:00–24:00).

Photo data: Timestamped photos of your vehicle with the advertising material fitted ("wrap photos"), including the GPS coordinates at the time of capture. Pre-campaign vehicle inspection photos (6 angles).

Payment data: Transaction amounts, invoice IDs, Stripe payment intent IDs. We do not store full card numbers — all card data is processed and stored by Stripe under their own PCI-DSS compliance.

Usage data: Pages visited, actions taken, device type, IP address, browser type — collected automatically via standard server logs.

We process your personal data on the following legal bases under GDPR Article 6:

• Contract performance (Art. 6(1)(b)): GPS data, driving km, photos, vehicle details, and payment data — necessary to operate the ROAD platform and pay Drivers.
• Legitimate interests (Art. 6(1)(f)): Usage analytics, fraud detection, platform security, and campaign impression reporting to Advertisers.
• Legal obligation (Art. 6(1)(c)): VAT records, invoices, and anti-money-laundering checks required by Cyprus and EU law.
• Consent (Art. 6(1)(a)): Marketing emails (you may withdraw consent at any time).

• Matching Drivers to campaigns based on city and vehicle type;
• Calculating monthly km driven and releasing payouts accordingly;
• Verifying that advertising materials remain correctly installed on vehicles;
• Generating monthly impression reports for Advertisers;
• Detecting and investigating fraud (GPS anomalies, fake photos);
• Sending payout confirmations, spot-check alerts, and service notifications via email and SMS;
• Complying with tax and financial reporting obligations in Cyprus.

We share data only with the following third-party processors, each under appropriate data processing agreements:

• Supabase Inc. (database and authentication) — EU data residency selected;
• Stripe Inc. (payment processing, Stripe Connect for driver payouts) — processes under EU Standard Contractual Clauses;
• Twilio Inc. (SMS notifications) — EU data processing agreement;
• Resend Inc. (transactional email) — EU data processing agreement;
• Cloudinary Inc. (campaign design image hosting) — EU data processing agreement;
• Vercel Inc. (web hosting) — EU data processing agreement.

We do not sell, rent, or share your personal data with third parties for marketing purposes. Aggregate, anonymised impression statistics may be shared with Advertisers.

• GPS logs: Retained for 13 months (to cover one full annual reporting cycle), then permanently deleted.
• Wrap photos: Retained for the duration of the campaign plus 6 months, then deleted.
• Vehicle inspection photos: Retained for 3 years as legal records.
• Account data: Retained while your account is active. If you request deletion, data is purged within 30 days except where retention is required by law.
• Financial records (invoices, payouts): Retained for 7 years as required by Cyprus tax law.

As a data subject in the EU/EEA, you have the right to:

• Access — request a copy of all personal data we hold about you;
• Rectification — correct inaccurate data;
• Erasure ("right to be forgotten") — request deletion of your data (subject to legal retention requirements);
• Restriction — ask us to stop processing your data in certain circumstances;
• Data portability — receive your data in a machine-readable format;
• Objection — object to processing based on legitimate interests; and
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email admin@theroadapp.com with the subject line "Data Request". We will respond within 30 days. You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of Cyprus (www.dataprotection.gov.cy).

We use only strictly necessary session cookies for authentication. We do not use advertising or analytics cookies. No cookie consent banner is required for strictly necessary cookies under ePrivacy regulations.

ROAD is not intended for persons under 18. We do not knowingly collect data from minors. If you believe we have inadvertently collected data from a minor, contact us immediately at admin@theroadapp.com.

We will notify you of material changes to this policy by email at least 14 days before they take effect. The latest version is always published at theroadapp.com/privacy.