Privacy Policy

Version: 05 October 2025 · Applies to shuttlesub.com, app.shuttlesub.com and help.shuttlesub.com

Contact
ShuttleSub VOF · Louis Chrispijnstraat 69, 1065HG Amsterdam, Netherlands · Chamber of Commerce (KvK): 97729701
Email: support@shuttlesub.com

This Privacy Policy explains how ShuttleSub ("we") processes personal data. We comply with the EU General Data Protection Regulation (GDPR) and other applicable laws.

1. Definitions

Term | Meaning
Personal data | Any information relating to an identified or identifiable natural person.
Processing | Any operation performed on personal data, such as collection, storage, use, disclosure or deletion.
Hotel | Business customer using ShuttleSub for shuttle management.
User | Natural person with an account (e.g., hotel admin, supervisor, driver, contact).
Passenger | Guest/employee/crew member for whom a shuttle is booked.

2. Who this applies to

Website visitors, Users with a ShuttleSub account, business contacts and Passengers whose data is processed within ShuttleSub.

3. Roles and responsibilities

Controller: we act as controller for our own operations (accounts, billing, support, security, marketing).

Processor: we act as processor for passenger and booking data we process on behalf of the Hotel. We sign a Data Processing Agreement (DPA) with each Hotel.

4. What personal data we process

  • Account & contact data: name, email, phone, role, hotel/company, language preference, hashed login credentials, SSO identifier, invitation code.
  • Hotel & company data: company name, address, VAT/KvK numbers, subscription/plan, contacts.
  • Booking & passenger data (processor): passenger name, pick‑up/drop‑off locations, times, ride/shuttle, references, flight/train info (if entered), notes, status.
  • Usage & log data: IP address, device and browser data, login/activity logs, error logs, timestamps, cookies.
  • Billing & payments: Stripe customer ID, payment tokens, invoices, payment status (card/IBAN data handled by provider; we do not store full payment details).
  • Support & communications: email and in‑app chat (Intercom), attachments, feedback.
  • Uploads/input: logos, CSV imports, attachments (please avoid uploading unnecessary special category data).
  • Identity verification (admins only): verification outcome (pass/fail) and timestamps; Stripe Identity may process ID images/video and related signals on our behalf (we do not store ID images).

We do not process criminal data and only process special category data where necessary and lawful (e.g., explicit consent or contract performance, such as mobility needs).

5. How we obtain personal data

  • Provided by you (account creation, bookings, support).
  • Generated through your use of the platform (logs/analytics).
  • Received from your Hotel or authorised integrations (e.g., SSO, payment provider).

6. Purposes and legal bases

  • Relationship & service delivery – accounts, shuttles, bookings, access. Legal basis: contract; legitimate interests.
  • Security & abuse prevention – authentication, logging, audits. Legal basis: legitimate interests; legal obligation where applicable.
  • Support & communications – assistance via chat/email, service notices. Legal basis: contract; legitimate interests.
  • Billing & administration – subscriptions, payments, tax. Legal basis: contract; legal obligation.
  • Product development & improvement – analytics, testing, feedback. Legal basis: legitimate interests; consent where required.
  • Marketing & relationship management – newsletters/product updates (opt‑out). Legal basis: legitimate interests or consent.

If we intend to use data for a purpose incompatible with the original one, we will seek consent or identify another lawful basis first.

6a. Identity verification (Stripe Identity)

We may require certain Users (e.g., “Hotel Admins”) to complete identity verification before they can manage a hotel account. Identity verification is provided by Stripe (“Stripe Identity”). When you start verification, you are redirected to Stripe, which collects and processes your information on our behalf.

Data processed by Stripe Identity. Government ID images or video, selfie images or video, extracted ID data (e.g., name, date of birth, document number, expiry), device and network signals, and verification results (pass/fail, risk signals). ShuttleSub only stores the result and minimal metadata in our system (e.g., identity_verified, identity_verified_at, identity_last_status, identity_last_session). We do not store ID images on our servers.

Purpose. Secure administrator access, prevent fraud and unauthorized account control, and meet compliance obligations.

Legal bases (EEA/UK). Performance of a contract and our legitimate interests in platform security and fraud prevention; in some contexts, compliance with legal obligations. Where required for biometric processing, we rely on your consent (see §6b).

Service provider/processor. Stripe acts as our service provider (processor) for Identity data and processes it under our instructions. See Stripe’s privacy notices for details.

International transfers. Stripe operates globally. Your information may be processed outside your country (e.g., the US or EU). Where required, appropriate safeguards (such as the EU Standard Contractual Clauses) are used.

Your rights. You can request access, correction, or deletion of the verification outcome we store. Deletion of Stripe-held images may be limited where required by law or necessary for fraud prevention. Contact support@shuttlesub.com and we will coordinate with Stripe as needed.

Consequences of refusal. If you decline verification, you may not be able to use features that require a verified admin account.

Learn more: Stripe Identity · Stripe Privacy Policy

6b. Biometric information & consent (where required)

Stripe Identity may create and use biometric identifiers/biometric information (e.g., facial geometry extracted from selfie images/video) to verify your identity and prevent fraud, and to share the verification result with us. Where required by law, we will present a clear consent notice before starting verification. If you do not consent, you cannot complete verification and may not access features that require a verified administrator.

US notice (e.g., IL/WA/TX). We will request destruction of biometric information when the purpose has been satisfied or within three (3) years of your last interaction with us—whichever occurs first—unless a longer period is legally required.

7. Sharing and international transfers

We only share data where necessary and with appropriate safeguards:

  • Sub-processors (selection): Hostinger (hosting, EU), Microsoft Entra ID/Office 365 (SSO/email), Stripe (payments & identity verification), Intercom (support), Cookie Information (cookie consent). We sign DPAs with our sub-processors.
  • Transfers outside the EEA: based on the European Commission’s Standard Contractual Clauses (SCCs) and supplementary measures where needed.
  • Legal requests: disclosures to competent authorities where required by law.

We do not sell personal data.

8. Retention

  • Account/contract: for the duration of the customer relationship and up to 24 months thereafter.
  • Bookings/passenger data (processor): 24 months after ride date (adjustable in consultation with the Hotel).
  • Logs/security: 12 months, or longer for incidents.
  • Financial/tax: 7 years (statutory).
  • Support/communications: 24 months after closure.
  • Identity verification outcome (we store): for the duration of the account and up to 24 months after closure (security/audit).
  • Identity artifacts (Stripe stores): images/video and templates retained by Stripe per its policy and applicable law; see Stripe’s privacy notices.
  • Back‑ups: rotating schedules, typically 30–60 days.

9. Security

  • TLS in transit; encryption at rest where feasible.
  • Strict access control on a need‑to‑know basis; MFA for internal accounts.
  • SSO support; hashed passwords (no plaintext storage).
  • Monitoring, logging and periodic back‑ups.
  • Personal data breach procedures in line with GDPR.

10. Automated decision‑making

We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you.

11. Your rights

You may exercise the rights of access, rectification, erasure, restriction, data portability, and objection (including to direct marketing), and withdraw consent where applicable. Email support@shuttlesub.com. Where we act as processor, we will forward your request to the relevant Hotel (controller).

12. Cookies

We use functional and analytics cookies. See our Cookie Policy for details, retention times and your choices.

13. Minors

Our services are not directed at children. Hotels may book rides for minors; the Hotel is responsible for having a valid legal basis.

14. Questions or complaints

Contact us at support@shuttlesub.com. You may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

15. Changes

We may update this Privacy Policy. The most recent version is always available on our website. For material changes, we will notify you appropriately (e.g., in‑app or by email).

16. Data Processing Agreement (DPA)

A DPA is available for Hotels, covering security, sub‑processors, breach notifications, retention, international transfers and audit rights. Contact support@shuttlesub.com for the latest version.