Privacy Policy

Jaime Méndez (self-employed taxi driver), NIF (Spanish tax identification number) [[PENDIENTE: NIF]], with business address at [[PENDIENTE: dirección postal completa]], Caldas de Reis (Pontevedra), Spain. Taxi licence no. [[PENDIENTE: nº de licencia municipal]], granted by the Concello de Caldas de Reis (Municipal Council), under whose supervision — and that of the department of the Xunta de Galicia (Regional Government of Galicia) with competence for transport — the activity is carried out.

Contact for privacy matters: [[PENDIENTE: email de contacto]] · Telephone: +34 608 27 42 00.

Data you provide when booking:

• Identification and contact data: name, telephone number and, optionally, email address.
• Trip data: origin, destination, date and time, number of passengers, luggage, child seats and any notes you choose to include (for example, a flight number).
• Preferred language, so that we can communicate with you in your language.

Data generated by the service:

• Booking code, booking status, history of transactional communications and an audit log of the operations performed on each booking.
• Geographic coordinates and place identifiers (Google Place ID) of the origin and destination, together with the estimated distance and duration of the route, obtained from Google services.
• Evidence of your acceptance of the Terms and Conditions: the version accepted, the date and time, the IP address and user agent (browser) from which you confirmed the booking, together with the language in which you made the booking.
• If you pay the deposit: the payment transaction reference. Your full card details are processed exclusively by Stripe; they never reach our systems.

We do not request special categories of data, and we ask you not to include data of that nature (for example, health data) in the notes field. If you include in the notes health information that is necessary for us to provide the service to you (for example, a reduced-mobility situation), we will only process it after asking you to expressly confirm your consent (art. 9(2)(a) GDPR) through the contact channel of your booking, and exclusively for the provision of the service; if we do not obtain that express confirmation, we will delete that information. You may withdraw your consent at any time by writing to [[PENDIENTE: email de contacto]], and we will erase those data as soon as they are no longer necessary.

• Managing your booking and providing the transport service (including email/SMS communications about your booking, in your language): performance of the contract (art. 6(1)(b) GDPR).
• Collecting the deposit and, where applicable, managing refunds: performance of the contract (art. 6(1)(b) GDPR).
• Evidencing the conclusion of the contract and the acceptance of the terms (record of the version, language, date and time, IP address and user agent), including the defence against claims and payment disputes: performance of the contract (art. 6(1)(b) GDPR) and legitimate interest in the defence of our rights (art. 6(1)(f) GDPR).
• Compliance with tax and accounting obligations: legal obligation (art. 6(1)(c) GDPR).
• Handling the exercise of your rights and your enquiries: legal obligation (art. 6(1)(c) GDPR) and performance of the contract.

The identification data, the telephone number and the trip data are necessary to manage the booking: if you do not provide them, we will not be able to provide the service to you. The email address and the notes are optional.

We do not use your data for advertising, nor do we build profiles. The form automatically validates that the pick-up point lies within the published service area and calculates an estimated price; these automated functions produce no legal effects concerning you: the estimate is always reviewed and confirmed by the taxi driver, and you can always request the service by telephone or WhatsApp.

We do not sell or transfer your data to third parties for commercial purposes.

Data processors (providers that process data on our behalf and under our instructions, under contracts in accordance with art. 28 GDPR):

• Twilio Inc. (USA): sending of transactional SMS messages.
• Twilio Inc. / SendGrid (USA): sending of transactional email.
• Vercel Inc. (USA): hosting of the website.
• DigitalOcean LLC (USA): hosting of the application and the database.
• The provider responsible for the development, operation and maintenance of the booking platform.

Independent controllers to whom we disclose data in order to perform the contract (art. 6(1)(b) GDPR) and who process them in accordance with their own privacy policies:

• Stripe Payments Europe, Ltd. (Ireland) and, as part of its group, Stripe, Inc. (USA): a regulated payment institution that processes your payment data as an independent controller in order to process the deposit, prevent fraud and comply with its own legal obligations.
• Google Ireland Ltd. / Google LLC: when you use the address autocomplete feature, your browser connects directly to Google (Maps Platform), which receives your IP address and the addresses you type and processes them as an independent controller. We also send the origin and destination addresses to Google's geocoding and route-calculation services to obtain the estimated distance.
• WhatsApp Ireland Ltd. / Meta Platforms: only if you choose to communicate with us via WhatsApp or ask to receive the communications relating to your booking through that channel; those messages are additionally governed by WhatsApp's terms and privacy policy.
• Other authorised taxi drivers: only if you agree to your service being provided by another taxi driver (section 8 of the Terms and Conditions), we will provide them with the booking details that are strictly necessary (name, telephone number, origin, destination, date and time).

In the event of a payment dispute (chargeback), we will provide Stripe and, through it, the issuer of your card with the evidence relevant to our defence: the booking details, the record of acceptance of the terms, the communications history and the documentation of the no-show or the cancellation (art. 6(1)(f) GDPR).

In addition, we may disclose data to public authorities, judges and courts where required by law.

You can consult these providers' privacy policies at: Stripe (stripe.com/es/privacy), Google (policies.google.com/privacy), Twilio/SendGrid (twilio.com/legal/privacy), Vercel (vercel.com/legal/privacy-policy), DigitalOcean (digitalocean.com/legal/privacy-policy) and WhatsApp (whatsapp.com/legal).

Your data are hosted on servers of DigitalOcean LLC in the United States; this transfer is covered by the EU–U.S. Data Privacy Framework (DPF). Stripe, Inc., Google LLC, Twilio Inc. and Vercel Inc. are also certified under the DPF. Where a specific transfer is not covered by the DPF, the Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914) apply, with a prior assessment of the transfer and supplementary measures where appropriate. You may obtain a copy of, or further information about, these safeguards by writing to [[PENDIENTE: email de contacto]].

• Data of tax relevance and proof of payment and refund: 4 years (art. 66 of the Ley General Tributaria, the Spanish General Tax Act) and, for commercial documentation, up to 6 years (art. 30 of the Código de Comercio, the Spanish Commercial Code), duly blocked.
• Contractual booking data, the associated audit log and the evidence of acceptance of the terms (version, language, date and time, IP address, user agent): 5 years (the general limitation period for actions, art. 1964 of the Código Civil, the Spanish Civil Code), blocked. The period runs from the provision of the service or, if the service was never provided (rejection of the request, cancellation or no-show), from the scheduled pick-up date or from the cancellation.
• Free-text notes, coordinates and place identifiers: erased or anonymised 12 months after the date of the trip.
• Transactional communications (SMS/email): 12 months from the date of the trip, except for those documenting a cancellation, a no-show or any other incident with effects on the deposit, which are kept blocked for the same 5-year period as the contractual booking data.
• Bookings that were not confirmed or that were cancelled with a full refund: 12 months from the rejection or the cancellation, except for the proof of collection and refund of the deposit and other data of tax or accounting relevance, which are kept blocked for the tax and commercial periods indicated in the first point.

Once these periods have elapsed, the data are securely erased or anonymised.

You may at any time exercise your rights of access, rectification, erasure, objection (including objection to processing based on legitimate interest), restriction of processing and portability by any means that allows your identity to be verified: by writing to [[PENDIENTE: email de contacto]] or by calling or writing to +34 608 27 42 00, stating your booking code and the telephone number you used to book. We will only ask you for additional information if there are reasonable doubts as to your identity. We will respond within a maximum of one month.

If you consider that we have not properly handled the exercise of your rights, you may lodge a complaint with the Agencia Española de Protección de Datos (AEPD, the Spanish Data Protection Authority), C/ Jorge Juan 6, 28001 Madrid · www.aepd.es.

We apply appropriate technical and organisational measures: TLS encryption on all communications, access control with authentication for the management panel, an audit log of the operations on each booking, data minimisation, and providers holding recognised security certifications. No system is infallible, but we review and improve our measures on an ongoing basis.

The online booking service is intended for persons aged 18 or over. The transport of unaccompanied minors requires prior agreement by telephone with the person holding parental authority or guardianship, who assumes the position of contracting party. Data relating to minors that are included in a booking (for example, the need for a child seat) are processed exclusively in order to provide the service (art. 6(1)(b) GDPR) and are erased in accordance with section 6.

If you provide the data of a third party (for example, you book a taxi for a family member), you warrant that you have their authorisation and that you have informed them of this policy. In such cases, we will provide the passenger with the basic information about the processing (controller, purpose and a link to this policy) in the first communication we send them, for example in the confirmation SMS or email (art. 14 GDPR).

This site does not use advertising or analytics cookies.

• Administration panel: a session token is stored in the administrator's browser, which is essential for authentication. As it is strictly necessary to provide the service requested, it does not require prior consent (art. 22.2 LSSI, the Spanish Information Society Services Act).
• Deposit payment (Stripe): when the payment form is displayed, Stripe sets its own strictly necessary cookies to process the payment securely and prevent fraud: __stripe_mid (approximate duration of 1 year) and __stripe_sid (around 30 minutes). Stripe processes them as an independent controller in accordance with its cookie policy (stripe.com/legal/cookies-policy). As they are necessary for the payment service that you request, they do not require prior consent (art. 22.2 LSSI), but we hereby inform you of their use.
• Language preference: if you change the language of the site, a cookie (NEXT_LOCALE) is stored to remember your choice. It is a personalisation cookie requested by you and does not require prior consent (art. 22.2 LSSI).
• Google Maps: the Google service is loaded when you access the booking page; at that moment your browser connects directly to Google, which receives your IP address and the addresses you type and processes them as an independent controller in accordance with its own privacy policy (policies.google.com/privacy). See also sections 4 and 5.

If you prefer not to use the Google service, you can book by telephone or WhatsApp on +34 608 27 42 00.

We will publish any relevant change here, updating the version date. Substantial changes will be announced prominently on the site.

This policy is offered in several languages as a courtesy. In the event of any discrepancy, the Spanish version, which is the only binding one, shall prevail. Nevertheless, translation discrepancies attributable to us shall not be construed to your detriment.