Privacy Policy

How we collect, use, and protect your personal data in compliance with GDPR.

Last update: 2026-02-18

Effective date: 2026-02-18

Policy sections

01

Introduction

Desert Odes Ltd. ("we", "us", "our"), operator of TOMCABS at https://tomcabs.com, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data for company managers, fleet administrators, and drivers. It should be read with our Terms and Conditions and Cookie Policy. Processing is carried out in line with GDPR, the Irish Data Protection Act 2018, and other applicable data protection law.

02

Who We Are (Data Controller)

Data controller: Desert Odes Ltd., Company Registration Number 782985, Pod 2, The Old Station House, 15a Main Street, Blackrock, Dublin, Ireland, A94T8P8. Contact: support@tomcabs.com. Our lead supervisory authority under GDPR is the Irish Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28 (www.dataprotection.ie).

03

Data We Collect

We collect account/profile data (name, email, phone, address, date of birth, avatar, role), company data (legal name, VAT/tax number, company contacts and address, company roles), fleet/vehicle data (license plate, model, fuel/category, terminal identifier, status), operational data (shift, race/trip, road sheet, and shift-request records), location data during active shifts for Premium subscribers, billing metadata from Stripe (not full card data), OCR/document data via Google Vision for receipts/tickets and compliance documents, technical/usage data (IP, browser/OS, pages/features used, timestamps, logs, device identifiers), and cookie/session data.

04

How We Use Your Data

We use personal data to provide core platform functionality, secure authentication and fraud prevention, communications (confirmations, invitations, shift notifications, billing receipts), service improvement and debugging, legal/compliance obligations including Brussels road-sheet requirements, customer support, and billing/subscription management.

06

Data Sharing and Third Parties

We do not sell personal data. We share data with processors under data processing agreements: Supabase (database/auth/storage), Stripe (payments), Google (Maps and Vision APIs), Vercel (hosting/CDN/analytics), Sentry (error/performance monitoring), and Resend (transactional email). Within an organization, access is role-based by company scope. We may disclose data where legally required and may transfer data in connection with merger, acquisition, or asset sale subject to equivalent protections.

07

International Data Transfers

Some processors are in the United States. For transfers outside the EEA, we apply appropriate safeguards including Standard Contractual Clauses, adequacy decisions where available, and supplementary technical measures where needed. You can request details of applicable safeguards at support@tomcabs.com.

08

Data Retention

Data is retained only as long as needed or required by law: account/profile data for account duration plus up to 90 days after deletion; company/fleet/operational data for at least 5 years to meet Brussels and Belgian obligations; payment records for 7 years under Irish tax law; location data during active shifts then aggregated/anonymized; technical/usage logs up to 12 months; cookie retention as set out in the Cookie Policy. Data is securely deleted or anonymized when no longer required.

09

Your GDPR Rights

You may request access, rectification, erasure (subject to legal obligations), restriction, portability, objection, and withdrawal of consent where processing is consent-based. You may lodge a complaint with the Irish Data Protection Commission (www.dataprotection.ie) or your local EU supervisory authority. To exercise rights, email support@tomcabs.com; we aim to respond within one month and may verify identity first.

10

Data Security

We implement technical and organizational safeguards including TLS/HTTPS in transit, encryption at rest, row-level security, secure Supabase Auth session handling, role-based access controls, Sentry monitoring/alerting, and regular security/dependency reviews. No system is fully risk-free; when a reportable breach occurs, we notify affected users and the Data Protection Commission as required by GDPR.

11

Children's Privacy

The Service is not intended for individuals under 18, and we do not knowingly collect personal data from children under 18. If such collection is identified, contact support@tomcabs.com and we will promptly delete the data.

12

Cookies

We use cookies and similar tracking technologies in connection with the Service. Detailed information is available in our Cookie Policy.

13

Changes to This Privacy Policy

We may update this Policy to reflect changes in practices, technology, legal obligations, or other factors. Updates are posted on our website with an updated Last Updated date. For material changes, we provide email or in-app notice at least 15 days before changes take effect.