1. Introduction
This Privacy Policy explains how Travomate collects, uses, shares, and protects your personal data, and the choices you have. Travomate is a peer-to-peer parcel delivery platform: travellers carry parcels along routes they are already taking, and senders pay for the delivery. This policy applies to everyone who uses Travomate, whether you are a traveller or a sender.
It covers the Travomate iOS app, the Travomate Android app, and the travomate.com.pl website (together, the "Service"). We follow the EU General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable Polish data protection law. Throughout this policy, "we", "us", and "our" mean Travomate, and "you" means the person using the Service.
2. Who We Are
Travomate is the controller of your personal data. That means we decide what data is collected and how it is used.
Company: Travomate SP Z.O.O
Registered address: UL. NOWOGRODZKA 31, 00-511 Warsaw, Poland
Company numbers: NIP 7011239205, REGON 540531181, KRS 0001146347
Email for privacy questions: info@travomate.com.pl
Phone: +48 506 762 423
Data Protection Officer: We have not appointed a Data Protection Officer. One is not required under GDPR Article 37 unless we expand to large-scale processing of personal data. If that changes, we will update this policy and publish the contact details here. In the meantime, you can reach us about any privacy matter at info@travomate.com.pl.
3. Data We Collect
We only collect the data we need to run the Service, match travellers with senders, process payments, and keep the platform safe. The table below is a summary that matches the App Privacy information we file with the Apple App Store. "Linked to identity" means the data is connected to your account.
| Data type | What it is | Linked to identity | Used for |
|---|---|---|---|
| Name | First and last name | Yes | App Functionality, Analytics |
| Email Address | Account login email | Yes | App Functionality, Analytics |
| Phone Number | Contact number (optional) | Yes | App Functionality, Analytics |
| Physical Address | Pickup and delivery addresses | Yes | App Functionality, Analytics |
| Payment Info | Payment method details, processed via a third-party processor | Yes | App Functionality |
| Other Financial Info | Transaction history, payouts to travellers | Yes | App Functionality |
| User ID | Internal account identifier | Yes | App Functionality, Analytics |
| Device ID | iOS/Android device identifier | Yes | Analytics, App Functionality |
| Coarse Location | Approximate location for route matching | Yes | App Functionality, Analytics |
| Photos or Videos | Parcel photos uploaded for delivery verification | Yes | App Functionality |
| Performance Data | App crashes, load times, anonymous diagnostics | No | Analytics, App Functionality |
Here is what each item means and why we collect it:
Name. Your first and last name. We collect it when you sign up so travellers and senders know who they are coordinating a delivery with, and so we can verify identities and keep the platform trustworthy.
Email address. The email you use to log in. We collect it at sign-up to create and secure your account, send you delivery and account notifications, and respond to support requests.
Phone number. An optional contact number. If you add it, we use it to help travellers and senders coordinate a pickup or delivery and, where you choose, to send service messages.
Physical address. The pickup and delivery addresses for a parcel. We collect these when you post or accept a delivery so the parcel can get from one place to the other.
Payment info. Details of your payment method. Payments are handled by a third-party payment processor; we do not store full card numbers. We collect this when you make a payment so we can charge for a delivery and hold funds securely until delivery is confirmed.
Other financial info. Your transaction history and, for travellers, payouts. This is created as you use the Service and lets us manage payments, payouts, refunds, and the records we are legally required to keep.
User ID. An internal identifier we assign to your account at sign-up. It lets our systems recognise your account and link your activity to you in a consistent way.
Device ID. An identifier for the iOS or Android device you use. We collect it automatically while you use the app to keep your session secure, run analytics, and diagnose problems.
Coarse location. Your approximate location. We use it during use to match you with relevant routes and nearby deliveries. This is approximate location only — we do not track your precise GPS position. You can turn location access off in your device settings.
Photos or videos. Parcel photos you upload. We collect these when you take or attach them so deliveries can be verified and disputes resolved.
Performance data. Crash reports, load times, and anonymous diagnostics. We collect this automatically while you use the Service to find and fix bugs and improve reliability. It is not linked to your identity.
4. Data We Do Not Collect
To be clear about what we leave out, we do not collect any of the following:
- Gender
- Date of birth or country of birth
- Marital status
- Religious or political affiliation
- Biometric data — our identity-verification partner Authologic may process face-match data during verification, but we never receive or store it (see Section 6)
- Health data
- Data from children (the Service is for users aged 18 and over)
5. Legal Bases for Processing
Under GDPR Article 6, we must have a legal basis for using your data. We rely on the following:
- Performance of a contract (Art. 6(1)(b)): To facilitate deliveries, process payments, and manage your account — in other words, to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)): To prevent fraud, keep the platform and our users secure, and improve the Service. We only rely on this where our interest does not override your rights and freedoms.
- Consent (Art. 6(1)(a)): For optional features and, where applicable, marketing communications. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): To meet tax, accounting, and other regulatory requirements that apply to us.
6. How We Share Data
We do not sell your personal data to anyone. We share it only where it is needed to run the Service, and only with parties that are bound to protect it. These include:
- Payment processing (Stripe) — to process payments and traveller payouts securely.
- Cloud hosting (Amazon Web Services and Google Cloud) — to store data and run the Service.
- Analytics (Google Analytics and Firebase) — to understand how the Service is used so we can improve it.
- Identity verification (Authologic) — to verify user identities and keep the platform safe.
- Crash reporting (Firebase Crashlytics) — to detect and fix crashes and performance issues.
- Other users of the platform — when a traveller and sender are matched, we share the information needed to coordinate the delivery, such as name, profile photo, and ratings.
A note on identity verification. When you verify your identity, you submit your ID document and a selfie directly to Authologic through its own secure flow. Authologic processes and holds the document image, the selfie, the biometric face-match data, and the details read from your document — these never reach Travomate's servers. Authologic returns only the result to us, and we store just your verification status (verified, pending, or failed), the date and time, a verification reference ID, and, where applicable, the verification level (basic or enhanced). This is why the document and biometric data are not listed among the data we collect in Section 3, and why biometric data appears in Section 4 as data we do not collect.
We may also disclose data where required by law, court order, or a lawful request from public authorities, or in connection with a merger, acquisition, or sale of assets.
Some of our providers are based outside the EU/EEA (for example, in the United States). When we transfer your data internationally, we protect it using an appropriate safeguard under GDPR — either the European Commission's Standard Contractual Clauses (SCCs) or a transfer to a country covered by an adequacy decision.
7. Data Retention
We keep your data only as long as we need it, then delete or anonymise it. Specific periods are:
- Active account data: Kept for as long as your account is active.
- Account data after deletion: Deleted within 30 days of your deletion request, except where we are legally required to keep it.
- Transaction and accounting records: Kept for 5 years, as required by the Polish Accounting Act of 1994 and the Polish Tax Ordinance.
- Customer support correspondence: Kept for 2 years.
- Marketing consents and preferences: Kept until you withdraw them.
- Crash logs and performance data: Kept for 90 days.
- Backups: Removed from backups within 30 days of a deletion request.
8. Your GDPR Rights
You have the following rights over your personal data:
- Right of access (Art. 15): Request a copy of the data we hold about you.
- Right to rectification (Art. 16): Correct data that is inaccurate or incomplete — you can also edit much of this yourself in the app's Account Details screen.
- Right to erasure / right to be forgotten (Art. 17): Delete your account and personal data.
- Right to restriction of processing (Art. 18): Ask us to pause our use of your data.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing that is based on our legitimate interests.
- Right to withdraw consent (Art. 7(3)): Withdraw any consent you gave, at any time, without affecting processing that already happened.
- Right to lodge a complaint: Complain to the Polish Data Protection Authority (UODO), ul. Stawki 2, 00-193 Warszawa, www.uodo.gov.pl.
To exercise any of these rights, email us at info@travomate.com.pl. We will respond within 30 days, as required by GDPR Article 12.
9. Account Deletion
You can delete your Travomate account and personal data at any time, in any of these ways:
- In the Travomate iOS or Android app: Open the app, go to Profile, tap "Delete Account", and confirm. Your account and personal data will be deleted within 30 days, subject to the legal retention requirements for financial records described below.
- On the website: Log into travomate.com.pl, go to Profile, click "Delete Account", and confirm.
- By email: Send a request to info@travomate.com.pl from the email address linked to your account. We may need to verify your identity before we act on the request.
Deletion is permanent. Some data — in particular financial and accounting records — must be kept for 5 years under Polish law, so we retain it for that period and anonymise it wherever possible.
10. Children's Privacy
Travomate is intended for users aged 18 and older. We do not knowingly collect data from anyone under 18. If we discover that a minor has registered, we will delete their account and data.
11. Cookies and Tracking
On the travomate.com.pl website we use essential cookies that are needed for the site to work, and, where applicable, analytics cookies that help us understand how the site is used. You can manage or block cookies through your browser settings. For full details, see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will let you know by email or with an in-app notice. The "Last updated" date at the top of this page always shows when the policy last changed, so please check back from time to time.
13. Contact
If you have any questions about this policy or how we handle your data, please contact us:
Company: Travomate SP Z.O.O
Address: UL. NOWOGRODZKA 31, 00-511 Warsaw, Poland
Email: info@travomate.com.pl
Phone: +48 506 762 423 / +49 175 443 1 672
You also have the right to complain to the Polish Data Protection Authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: www.uodo.gov.pl