This privacy policy describes how PrivateDrive (MHIRA PRIV8DRIVE SASU, RCS Paris 989 823 802) collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and applicable French data protection laws. Last updated: 20 May 2026.
When using our service, we collect the following data: first and last name, email address, phone number, pickup and destination addresses, payment information (securely processed by Stripe, never stored on our servers), flight number (optional), passenger preferences (child seat, accessibility), browsing data (cookies — see dedicated section), booking history, and WhatsApp/SMS conversations within the scope of customer support.
Your data is used to: process and manage your transportation bookings, send you confirmations and updates via email and SMS, assign a chauffeur and monitor your flight, improve our services and your user experience, prevent fraud (anti-bot analysis, payment validation), and comply with our legal and accounting obligations.
The processing of your data is based on: the performance of the transportation contract (Article 6.1.b of GDPR) for operational booking data, your consent (Article 6.1.a) for non-essential cookies and marketing communications, legitimate interest (Article 6.1.f) for fraud prevention and service security, and our legal obligations (Article 6.1.c) for accounting and tax retention.
Your personal data is retained according to the following durations: accounting data (invoices, payments) — 10 years in accordance with Article L.123-22 of the French Commercial Code; booking data (chauffeur PII, addresses, flights) — 5 years after last service, then anonymisation; browsing data and funnel analytics — 90 days, then anonymisation; WhatsApp/SMS conversations — 3 years for customer service traceability; security logs — 6 months. Upon expiry of these durations, your data is permanently deleted or anonymised.
Under Articles 15 to 22 of GDPR, you have the following rights: access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection, and right to withdraw consent at any time. To exercise these rights, from your logged-in client area at /ride/dashboard use the "Export my data" and "Delete my account" functions. Otherwise contact us at contact@privatedrive.co. Response within 30 days maximum. You may also lodge a complaint with the CNIL, the French data protection authority (3 Place de Fontenoy, 75007 Paris — www.cnil.fr).
To provide our service, we rely on the following subprocessors, selected for their technical and organisational guarantees: Stripe Payments Europe Ltd (Ireland) for payment processing; Twilio Inc. (United States, Standard Contractual Clauses) for SMS and WhatsApp Business; Google Ireland Limited / Google LLC (United States, DPF + SCC) for Google Tag Manager, Google Analytics 4, Google Maps Platform, and Google Ads; Sentry Inc. (United States, Standard Contractual Clauses) for error monitoring; Sendinblue/Brevo (France) for transactional email; Cloudflare Inc. (United States, DPF) for CDN and DDoS protection; MongoDB Atlas hosted at OVH (Roubaix, France) for the database; OVH SAS (France) for application hosting. The full list can be provided upon request at contact@privatedrive.co.
Some subprocessors process your data from the United States (Twilio, Google, Sentry, Cloudflare). These transfers are governed by the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) and, where applicable, by the Data Privacy Framework (DPF) to which these companies have adhered. We do not authorise any transfer to a third country lacking adequate safeguards within the meaning of Articles 44 to 49 of GDPR.
Our website uses several categories of cookies. Strictly necessary cookies (authentication, language preferences, consent state, CSRF security) do not require your consent. Audience measurement and marketing cookies (Google Analytics 4, Google Ads, Google Tag Manager) are only triggered after your explicit consent via the banner at the bottom of the page. Until you accept, we use Google Consent Mode v2 with a "denied" default mode (analytics_storage, ad_storage, ad_user_data, ad_personalization) and enable the "ads_data_redaction" option to anonymise the limited signals that are transmitted. You can change your choice at any time by clearing the "cookie_consent" cookie in your browser — the banner will reappear on your next visit.
We implement appropriate technical and organisational measures (TLS 1.3 encryption in transit, bcrypt hashing for credentials, network isolation, encrypted backups, access logs, principle of least privilege, regular security audits). In the event of a data breach likely to affect your rights and freedoms, we commit to notifying the CNIL within 72 hours and informing you in the shortest possible timeframe in accordance with Articles 33 and 34 of GDPR.
For any question regarding the protection of your personal data, you can contact us at: contact@privatedrive.co — Response within 30 days maximum.