Privacy Policy of the Stride Application

Last updated: April 2026

1. Introduction

This Privacy Policy («Policy») describes in detail the way in which the Stride application («Application», «we», «us») collects, processes, stores, shares, and protects the personal data of its users («you», «your», «User»).

The Application operates in full compliance with the General Data Protection Regulation (EU) 2016/679 («GDPR»), Greek Law 4624/2019 on the Data Protection Authority, implementing measures of Regulation (EU) 2016/679, transposition of Directive (EU) 2016/680, as well as any other applicable national and European legislation on the protection of personal data.

By registering with the Application and using our services, you accept the terms of this Policy. If you do not agree with these terms, please do not register and do not use the Application.

We are committed to processing your personal data in accordance with the principles of Article 5 of the GDPR: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

2. Data Controller

The data controller of your personal data, within the meaning of Article 4(7) of the GDPR and Article 36 of Law 4624/2019, is:

Company Name: [Company Name] IKE
Tax ID (AFM): [Insert]
Address: [Insert]
Email: [Insert]
Phone: [Insert]

For any matter related to the processing of your personal data or for the exercise of your rights, you may contact us at the above contact details.

3. Data We Collect

3.1 Data You Provide Directly

a) Registration Data

Mobile phone number (required for OTP verification)
First name
Last name
Email address
Date of birth
Gender
Driver’s license possession (yes/no)

b) Profile Data (optional)

Profile photo
Bio / «About me»
Social media usernames: Instagram, TikTok, LinkedIn, Facebook

c) Vehicle Data

License plate number
Country of registration
Make
Model
Year of manufacture
Vehicle type
Color
Fuel type

d) Ride Data

Departure and destination location (geographic coordinates and address)
Date and time of departure
Number of available seats
Cost per seat
Intermediate stops
Ride preferences (pets, smoking, music, chatting, stops, tolls)
Ride message / comment
Deep link sharing links

e) Search Data

Departure and destination location
Date range
Number of passengers
Pet

f) Ride Alert Data

Search criteria you have set
Notification preferences

g) Booking Data

Selected ride
Number of seats
Pet
Message to the driver

h) Chat Data

Text messages between Driver and Passenger

i) Review Data

Rating (scale 1-5)
Review comments

j) Report Data

Report category (inappropriate behavior, harassment, fake profile, spam, other)
Report description

k) Feedback Data

Text of feedback and suggestions

3.2 Data Collected Automatically

a) Device Data

Device type and model
Operating system and version
Unique device identifier (device ID)
Device language
Timezone

b) Usage Data

Date and time of access
Screens you visit
Actions you perform
Time spent on each screen
Application errors

c) Location Data

Geographic location (only with your explicit consent)
Search addresses

d) Connection Data

IP address
Internet Service Provider (ISP)
Connection type

e) FCM Tokens

Firebase Cloud Messaging tokens for sending push notifications
Periodic token refresh

f) Deep Links

Unique identifiers of ride sharing links

3.3 Data from Third-Party Sources

a) Firebase Authentication

Phone number
Firebase UID (unique user identifier)
Verification status

b) Firebase Analytics

Aggregated usage data
Demographics (categorized, non-individual)

c) Firebase Crashlytics

Crash reports
Device information at the time of the crash
Stack trace

d) Google Maps / Google Places API

Geocoding (conversion of addresses to coordinates and vice versa)
Autocomplete location suggestions
Location details (name, address, coordinates)

4. Purposes of Processing

4.1 Service Provision

Creating and managing your account
Identity verification via OTP
Publishing and searching for rides
Matching drivers and passengers
Managing bookings
Chat functionality between users
Sending push notifications
Ride Alert functionality
Managing reviews
Sharing rides via deep links
Displaying user profile to other users

4.2 Security and Trust

Fraud prevention and detection
Managing user reports
Enforcing sanctions for violations
Verifying account authenticity
Detecting suspicious activity
Protecting platform integrity

4.3 Service Improvement

Usage analysis and user experience optimization
Bug detection and fixing
Development of new features
Statistical analysis (with anonymized/aggregated data)
A/B testing and interface optimization

4.4 Communication

Sending notifications about your activity (bookings, messages, reviews)
Informing you about changes to the Terms of Use or the Privacy Policy
Responding to support requests
Sending informational messages (with your consent)

4.5 Legal Compliance

Compliance with tax and accounting obligations
Responding to public authority requests
Maintaining records in accordance with legislation
Establishing, exercising, or defending legal claims

5. Legal Basis for Processing

The processing of your personal data is based on the following legal bases, in accordance with Article 6 of the GDPR and Articles 5 and 25 of Law 4624/2019:

5.1 Performance of a Contract (Article 6(1)(b) GDPR)

Creating and managing a user account
Identity verification via OTP
Publishing and searching for rides
Managing bookings
Chat functionality between drivers and passengers
Sending push notifications regarding bookings and activity
Ride Alert functionality
Managing reviews
Displaying user profile to other users of the platform

5.2 Consent (Article 6(1)(a) GDPR)

Access to your device’s location data
Sending informational / promotional messages
Collecting analytics data through Firebase Analytics
Optional profile data (photo, bio, social media)

You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent is as easy as granting it.

5.3 Legitimate Interests (Article 6(1)(f) GDPR)

Fraud prevention and detection
Platform and user security
Improvement and optimization of the Application
Detection and correction of technical errors
Usage analysis for experience improvement
Management of user reports and complaints
Establishing, exercising, or defending legal claims

In every case, we carry out a balancing test between our legitimate interests and your rights and freedoms, in accordance with the guidelines of the Hellenic Data Protection Authority (HDPA), ensuring that the processing does not exceed your reasonable expectations.

5.4 Legal Obligation (Article 6(1)(c) GDPR)

Compliance with tax and accounting obligations
Responding to court decisions and warrants
Cooperation with supervisory and regulatory authorities
Fulfilling archiving obligations in accordance with applicable legislation

6. Data Sharing

6.1 Other Users

Depending on your role on the platform, certain data is visible to other users at three levels of visibility:

Public profile: Name, profile photo, bio, age category, average rating, number of rides, registration date, social media links (if you have provided them).
Data visible as a Driver: Vehicle details, published ride details, ride preferences.
Data visible as a Passenger: Number of booked seats, pet, booking message.
Chat Data: Chat messages are visible only to the participants of the conversation (Driver and Passenger).

6.2 Service Providers

We work with trusted third-party service providers for the operation of the Application:

Provider Category	Purpose	Data Shared
Cloud – Firebase / Google	Database hosting, file storage, authentication	All account, ride, booking, and chat data
Cloud – Azure	Backend services, data processing	Data required for the operation of backend services
OTP	Sending verification codes via SMS	Mobile phone number
Push Notifications	Sending push notifications	FCM tokens, notification content
Analytics	Application usage analysis	Usage data, device data (anonymized/aggregated)
Crash Reporting	Error reporting and analysis	Crash reports, device information, stack traces
Maps	Geocoding, autocomplete, map display	Location data, address search queries

6.3 Public Authorities

Judicial authorities upon court decision or warrant
Tax authorities in the context of tax audits
Police authorities in the context of criminal investigations
Hellenic Data Protection Authority (HDPA)
Other competent authorities when required by law

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new entity
You will be notified in advance of any such transfer
The new entity will be bound by the same or stricter data protection terms

6.5 International Transfers

Your data is stored and processed primarily within the European Economic Area (EEA). In the event of data transfer outside the EEA, we ensure appropriate safeguards through the following mechanisms:

Adequacy Decisions: Transfer to countries for which the European Commission has issued an adequacy decision, including the EU-US Data Privacy Framework
Standard Contractual Clauses (SCCs): In accordance with Article 46 of the GDPR, we use standard contractual clauses approved by the European Commission
Binding Corporate Rules (BCRs): In accordance with Article 47 of the GDPR, where applicable

7. Data Retention

7.1 General Principles

The retention period for each data category is determined based on the following criteria:

The purpose for which the data was collected
Legal retention obligations
Security and fraud prevention needs
Legitimate interests in establishing, exercising, or defending legal claims
Technical needs for the operation of the Application

7.2 Retention Periods

Data Category	Retention Period
Account data	For as long as the account is active + 30 days after deletion
Ride history	3 years from the date of the ride
Reviews	Until account deletion, then anonymized
Chat messages	1 year from sending
Usage data	2 years
Logs	90 days
Support requests	3 years from resolution
Tax data	5 years in accordance with tax legislation
Minor violations	2 years
Severe violations	10 years

7.3 After Deletion

Your personally identifiable data is deleted or anonymized within 30 days
Reviews you have received are anonymized and remain on the platform
Aggregated statistical data (non-identifiable) may be retained
Backup copies are deleted according to their rotation cycle
Data required to be retained by law remains for the corresponding period

7.4 Retention in Cases of Fraud

In cases of violations or fraud, we may retain certain data for a longer period in order to protect the platform and our users. This data includes:

Identification details of the violator (phone number, device ID)
Details of the violation (category, description, evidence)
History of actions related to the violation

The retention periods for violations are:

Minor violations: 2 years from the date of the violation
Severe violations: 10 years from the date of the violation

The legal basis for retaining this data is our legitimate interests (Article 6(1)(f) GDPR) for fraud prevention, platform security, and the establishment, exercise, or defense of legal claims.

8. Your Rights

In accordance with Articles 15-22 of the GDPR and Articles 34-42 of Law 4624/2019, you have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed and, in that case, to access it. You may request the following information:

The purposes of the processing
The categories of personal data being processed
The recipients or categories of recipients
The envisaged storage period
Your rights (rectification, erasure, restriction, objection)
The right to lodge a complaint with the HDPA
The source of the data (if not collected from you)
The existence of automated decision-making, including profiling

8.2 Right to Rectification (Article 16)

You have the right to request the rectification of inaccurate personal data concerning you as well as the completion of incomplete data. You can update most of your details directly through the Application (profile settings).

8.3 Right to Erasure (Article 17)

You have the right to request the erasure of your personal data («right to be forgotten») when one of the following applies:

The data is no longer necessary in relation to the purposes for which it was collected
You withdraw your consent and there is no other legal basis for processing
You exercise the right to object and there are no overriding legitimate interests
The data has been unlawfully processed
The data must be erased for compliance with a legal obligation

You can exercise the right to erasure through the «Delete Account» function in the Application settings or by contacting us.

Exceptions

The right to erasure does not apply in the following cases:

Compliance with a legal obligation (e.g., tax records)
Establishing, exercising, or defending legal claims
Reasons of public interest
Fraud prevention and security protection (violation data)

8.4 Right to Restriction (Article 18)

You have the right to request the restriction of processing of your data in the following cases:

You contest the accuracy of the data (for the duration of verification)
The processing is unlawful and you prefer restriction instead of erasure
We no longer need the data, but you need it for legal claims
You have exercised the right to object and verification is pending

During the restriction, your data will be stored but will not be subject to further processing, unless you give your consent or for the establishment, exercise, or defense of legal claims.

8.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used and machine-readable format (JSON or CSV), as well as to transmit it to another controller, provided that:

The processing is based on consent or performance of a contract
The processing is carried out by automated means

8.6 Right to Object (Article 21)

You have the right to object at any time to the processing of your data that is based on legitimate interests (Article 6(1)(f)), on grounds relating to your particular situation.

In the event that your data is processed for direct marketing purposes, you have an absolute right to object, without the need for justification.

8.7 Right Regarding Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The Application does not make automated decisions concerning you.

8.8 Right to Withdraw Consent (Article 7(3))

Where processing is based on your consent, you may withdraw it at any time through:

The Application settings (e.g., disabling location access, notifications)
Your device settings (application permissions)
Contacting us at the contact details mentioned in Section 13

8.9 Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):

Website: www.dpa.gr
Postal Address: Kifissias 1-3, 115 23, Athens
Phone: +30 210 6475600
Fax: +30 210 6475628
Email: contact@dpa.gr

How to Exercise Your Rights

You may exercise your rights by contacting us at the details mentioned in Section 13. We will respond to your request within one (1) month from receipt. In cases of complexity or a large number of requests, the deadline may be extended by two (2) additional months, notifying you accordingly. The exercise of your rights is free of charge, unless the requests are manifestly unfounded or excessive, in which case a reasonable fee may be charged in accordance with Article 12(5) of the GDPR. We may ask you to verify your identity before processing your request, in accordance with Article 12(6) of the GDPR.

9. Data Security

In accordance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

9.1 Technical Measures

Data encryption in transit via TLS (Transport Layer Security)
Data encryption at rest
Hosting on secure cloud infrastructure with SOC 2 and ISO 27001 certifications
Role-Based Access Control (RBAC)
Secure authentication via Firebase Authentication and OTP
Regular security updates and patch application
Access monitoring & logging
Regular encrypted backups

9.2 Organizational Measures

Principle of least privilege – access only to necessary data
Confidentiality obligation for all team members
Staff training on data protection matters
Third-party vendor security assessment
Execution of Data Processing Agreements (DPAs) in accordance with Article 28 of the GDPR with all data processors

9.3 Security Incidents

In the event of a personal data breach, we commit to:

Notifying the HDPA within 72 hours of becoming aware, in accordance with Article 33 of the GDPR
Notifying affected users without undue delay, in accordance with Article 34 of the GDPR, where the breach is likely to result in a high risk to their rights and freedoms
Taking immediate measures to mitigate the impact
Documenting every breach incident, in accordance with Article 33(5) of the GDPR

Despite the security measures we implement, no method of data transmission or storage over the Internet is 100% secure. We cannot guarantee the absolute security of your data, but we make every effort to protect it.

10. Children’s Data

The Application is intended exclusively for users aged 18 and over. Although Law 4624/2019 (Article 21) sets the minimum age at 15 years for information society services, the nature of our service (carpooling) requires a minimum age of 18 years.

We do not knowingly collect data from minors. If we discover that we have collected data from a person under 18, we will delete it immediately and terminate the corresponding account. If you know that a minor is using the Application, please notify us immediately.

11. Cookies and Similar Technologies

11.1 Usage

As a mobile application, we do not use traditional cookies. However, we use the following similar technologies:

Firebase Authentication tokens: For maintaining your account session
FCM tokens: For sending push notifications to your device
Device IDs: For identifying your device
Local storage: For storing local settings and preferences
Firebase Analytics SDKs: For collecting usage data and analytics
Crashlytics SDKs: For recording and reporting errors

11.2 Third-Party Technologies

Google Maps / Google Places SDK: Temporarily stores data (cache) to improve map and location search performance
Firebase SDKs: Store local data on your device for authentication, analytics, and crash reporting functionality

11.3 Management

You can manage these technologies in the following ways:

Application settings: Enable/disable specific features (e.g., notifications, location)
Device settings: Manage application permissions (location, notifications, storage)
Uninstallation: Uninstalling the Application deletes all locally stored data from your device

12. Changes to This Policy

We reserve the right to modify this Privacy Policy at any time
In the event of material changes, we will notify you via push notification and/or in-app message before the changes take effect
The «Last updated» date at the top of this page reflects the most recent revision
We encourage you to periodically check this page for any changes

13. Contact and Complaints

13.1 Contact the Data Controller

For any matter related to the processing of your personal data, you may contact us:

Company Name: [Company Name] IKE
Address: [Insert]
Email: [Insert]
Phone: [Insert]

13.2 Submitting Requests

When submitting requests regarding your rights, please include:

Your full name and contact details
A clear description of your request
Identification details for identity verification

We will respond to your request within one (1) month. In exceptional cases, the deadline may be extended by two (2) additional months, notifying you accordingly within the first month.

14. Special Provisions

14.1 Applicable Law

This Privacy Policy is governed by:

The General Data Protection Regulation (EU) 2016/679 (GDPR)
Greek Law 4624/2019
Any other applicable national and European legislation on the protection of personal data

14.2 Profiling

The Application does not engage in profiling within the meaning of Article 4(4) of the GDPR. We do not use your data for the automated evaluation of personal aspects, such as economic situation, personal preferences, interests, reliability, behavior, location, or movements.

14.3 No Transfer to Third Parties

We do not sell, rent, or trade your personal data to third parties for their own commercial purposes. Data sharing is carried out exclusively within the scope described in Section 6 of this Policy.

14.4 Data Minimization Principle

In accordance with Article 5(1)(c) of the GDPR, we collect and process only the data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We do not collect more data than we need.

14.5 Data Protection by Design and by Default

In accordance with Article 25 of the GDPR, we apply the principles of data protection by design and data protection by default. This means that data protection is integrated into the design of every feature of the Application and that, by default, only the data necessary for each specific purpose is processed.

14.6 Third-Party Links

The Application may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of each third-party website or service you visit or use.

[Company Name] IKE — Last updated: April 2026