Policy sections
01
Roles of the Parties
The Controller determines the purposes and means of processing Personal Data. Tomcabs processes Personal Data solely on behalf of the Controller in connection with the Services and acts as a Data Processor under Article 28 GDPR.
02
Subject Matter and Duration
Subject matter: provision of the Tomcabs taxi fleet management platform. Duration: this DPA applies for the duration of the Services and remains in effect for as long as Tomcabs processes Personal Data on behalf of the Controller.
03
Nature and Purpose of Processing
Processing purposes include fleet and shift management, race and route tracking (start and end GPS coordinates only), road sheet generation, revenue and settlement calculation, expense tracking, compliance document storage, subscription billing management, account administration, and technical support and security. Processing activities include collection, recording, storage, organization, retrieval, consultation, transmission, and deletion. Tomcabs does not use Personal Data for advertising or AI training.
04
Categories of Data Subjects
Personal Data processed may relate to taxi drivers, fleet managers, company administrators, company representatives, and support contacts.
05
Categories of Personal Data
Personal Data may include name, email address, phone number, address, date of birth, profile picture, employment-related information, taxi details (plate number, model, and related details), GPS start and end coordinates of races, shift records, financial and settlement data, uploaded compliance documents, Stripe customer identifiers, and communication records. Special categories of data are not intentionally processed.
06
Controller Obligations
The Controller represents and warrants that it has a lawful GDPR basis for processing Personal Data, has provided appropriate privacy notices, has obtained necessary consents where required, complies with applicable taxi and employment laws regarding GPS tracking, and ensures that Personal Data provided to Tomcabs is accurate and lawful.
07
Processor Obligations
Tomcabs processes Personal Data only on documented Controller instructions, ensures that personnel are subject to confidentiality obligations, implements appropriate technical and organizational security measures, does not sell or misuse Personal Data, does not engage in automated decision-making with legal effects, and assists the Controller in fulfilling GDPR obligations.
08
Security Measures
Tomcabs applies security measures including EU-based hosting (Supabase EU region), encrypted data storage, secure authentication mechanisms, role-based access controls, encrypted document storage, secure payment processing via Stripe, and infrastructure protection via Cloudflare. Absolute security cannot be guaranteed, but commercially reasonable safeguards are maintained.
09
Subprocessors
Authorized subprocessors include Supabase (database and storage hosting, European Union), Cloudflare (infrastructure and content delivery, EU and global), and Stripe (payment processing, EU and US). Tomcabs ensures subprocessors are bound by equivalent data protection obligations, and transfers outside the EEA rely on lawful safeguards such as Standard Contractual Clauses. Tomcabs will inform the Controller of intended subprocessor changes.
10
International Data Transfers
Primary processing occurs within the European Union. Where Personal Data is transferred outside the EEA (for example via Stripe), Tomcabs relies on European Commission adequacy decisions or Standard Contractual Clauses.
11
Data Subject Rights Assistance
Taking into account the nature of processing, Tomcabs assists the Controller in responding to access, rectification, erasure, restriction, portability, and objection requests. Requests must be submitted to support@tomcabs.com.
12
Data Breach Notification
In the event of a Personal Data breach, Tomcabs will notify the Controller without undue delay, provide available breach details, and assist in meeting GDPR breach notification obligations.
13
Data Retention and Deletion
Tomcabs retains operational and financial records for five years in accordance with regulatory and accounting obligations. Upon termination of Services, Tomcabs will delete or return Personal Data unless retention is required by law, and securely delete data after the applicable retention period.
14
Audits
Upon reasonable written request, Tomcabs provides information necessary to demonstrate compliance with this DPA. Formal audits may be conducted no more than once per year, during normal business hours, at the Controller's expense, and without disrupting service availability. Confidential information remains protected.
15
Liability
Liability under this DPA follows the limitations set out in the Terms of Service. Nothing in this DPA excludes liability where exclusion is prohibited by law.
16
Governing Law
This DPA is governed by the laws of Ireland. Any disputes are subject to the exclusive jurisdiction of Irish courts.
17
Order of Precedence
If there is a conflict, this DPA prevails over the Terms for data protection matters. The Terms continue to govern all other matters.
18
Signatures
This DPA is accepted electronically upon acceptance of the Terms of Service or execution of a written agreement.