Privacy Policy | GP Drive

1. Introduction

GP Way, Lda (doing business as "GP Drive") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information in accordance with the General Data Protection Regulation (GDPR) and other applicable European data protection laws.

Data Controller:
GP Way, Lda
Tax Number: 517778467
Rua Conde Ferreira, 16
2900-123 Setúbal, Portugal
Email: dpo

Data Protection Officer:
Eduardo Pereira
Email: dpo

2. What Information We Collect

2.1 Information You Provide to Us

When you use our booking, contact, or inquiry forms, we collect:

Contact Information: Full name, email address, phone number
Booking Details: Pickup/drop-off locations, dates and times, number of passengers, special requirements (child seats, accessibility needs, dietary preferences)
Payment Information: Processed securely through our payment processor (Revolut). We do not store complete credit card details on our servers
Communication Content: Any messages, questions, or feedback you send us via our contact forms, email or other communication channels

2.2 Information Collected Automatically

When you visit our website, we automatically collect certain technical information:

Analytics Data: Through our self-hosted and internally managed Matomo analytics platform, we collect: IP address (anonymized), browser type and version, device type, operating system, pages visited, time spent on pages, referral source, and general geographic location (country/city level)
Technical Data: Log files containing IP addresses, browser information, and access times

2.3 Information We Do NOT Collect

We do not use third-party tracking tools (no Google Analytics, Facebook Pixel, or similar)
We do not share your data with advertising networks or marketing platforms
We do not use third-party cookies

3. How We Use Your Information

We use your personal data for the following purposes:

3.1 Service Delivery (Legal Basis: Contract Performance)

Processing and confirming your transfer or tour bookings
Communicating with you about your reservation
Coordinating pickup times, locations, and special requirements
Providing you with chauffeur and vehicle details
Processing payments through our secure payment processor

3.2 Customer Support (Legal Basis: Contract Performance & Legitimate Interest)

Responding to your inquiries, questions, and feedback
Resolving issues or concerns with your service
Providing assistance before, during, and after your journey

3.3 Website Improvement (Legal Basis: Legitimate Interest)

Analyzing website usage through our self-hosted Matomo analytics
Understanding how visitors interact with our site
Improving website functionality, content, and user experience
Identifying and fixing technical issues

3.4 Legal Compliance (Legal Basis: Legal Obligation)

Complying with Portuguese and European legal requirements
Maintaining records for tax and accounting purposes
Responding to legal requests from authorities when required

4. How We Share Your Information

We respect your privacy and only share your personal data when absolutely necessary:

4.1 Service Providers (Data Processors)

We work with carefully selected European-based service providers who process data on our behalf:

Payment Processing: Revolut (UK/EU-based) - processes your payment information securely
Email Services: Sweego (European provider) - sends booking confirmations and communications
Hosting Services: OVH and UpCloud (EU-based data centers) - host our website, databases and analytics platform

All service providers are bound by data processing agreements and GDPR compliance requirements. Your data remains within the European Union.

4.2 Internal Operations

Your booking details are shared internally with our chauffeurs to provide your service
Our customer support team may access your information to assist you

4.3 Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or to protect our legal rights.

4.4 What We Do NOT Do

We do not sell, rent, or trade your personal data to third parties
We do not share your data with marketing or advertising companies
We do not send marketing emails unless you explicitly opt in
We do not transfer your data outside the European Union

5. Cookies and Tracking Technologies

5.1 Cookies We Use

Our website uses minimal cookies:

Matomo Analytics Cookies: Self-hosted analytics that track website usage to help us improve our service. These cookies store anonymized data and remain on your device for up to 13 months.

5.2 What We Don't Use

No third-party tracking cookies (Google Analytics, Facebook, etc.)
No advertising or marketing cookies
No social media tracking pixels
Our CAPTCHA solution (Altcha) is completely cookie-less

5.3 Managing Cookies

You can manage your consent settings for our website at any time by clicking the button below:

Alternatively, you can control and delete cookies through your browser settings. Please note that disabling cookies may affect website functionality. For more information on managing cookies, visit www.allaboutcookies.org.

6. Data Retention

We retain your personal data for the following periods:

Booking and Transaction Data: Retained indefinitely for business operations, tax compliance, and legal requirements unless you request deletion
Contact Form Submissions: Email correspondence is kept indefinitely unless you request deletion
Analytics Data: Matomo analytics data is retained for up to 12 months
Payment Information: Not stored on our servers; handled securely by Revolut according to their retention policies

You have the right to request deletion of your data at any time by contacting our Data Protection Officer at dpo.

7. Data Security

We take the security of your personal data seriously and implement appropriate technical and organizational measures:

Encryption: All data transmitted between your browser and our website is encrypted using SSL/TLS (HTTPS)
Secure Hosting: Our servers are hosted in secure, EU-based data centers (OVH and UpCloud) with robust physical and network security
Access Controls: Only authorized personnel have access to personal data, limited to what is necessary for their role
Payment Security: Payment information is processed through PCI-DSS compliant payment processors; we do not store complete card details
Regular Updates: We keep our systems updated with the latest security patches
Data Backups: Regular encrypted backups are maintained to prevent data loss

While we implement strong security measures, no method of transmission over the internet is 100% secure. We continuously monitor and improve our security practices.

8. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

8.1 Right of Access

You have the right to request a copy of the personal data we hold about you.

8.2 Right to Rectification

You can request that we correct inaccurate or incomplete personal data.

8.3 Right to Erasure ("Right to be Forgotten")

You can request that we delete your personal data, subject to certain legal exceptions (e.g., tax and accounting obligations).

8.4 Right to Restriction of Processing

You can request that we temporarily suspend processing of your data in certain circumstances.

8.5 Right to Data Portability

You can request a copy of your data in a structured, commonly used, machine-readable format.

8.6 Right to Object

You can object to processing of your personal data based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time.

8.8 How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer:

Email: dpo
Subject Line: "Data Subject Request - [Your Name]"

We will respond to your request within one month. If your request is complex, we may extend this period by two additional months and will inform you accordingly.

8.9 Right to Lodge a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Portuguese Data Protection Authority:

CNPD - Comissão Nacional de Proteção de Dados
Website: www.cnpd.pt
Email: geral@cnpd.pt
Phone: +351 21 392 84 00

9. International Data Transfers

All your personal data is stored and processed exclusively within the European Union:

Our servers are located in EU data centers (OVH and UpCloud)
All service providers we use are EU-based or GDPR-compliant
We do not transfer your data to countries outside the EU/EEA

This ensures your data benefits from the strong protections provided by European data protection laws.

10. Children's Privacy

Our services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at dpo, and we will delete such information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will:

Update the "Last Updated" date at the top of this policy
Notify you via email if you have an active booking or inquiry with us
Post a prominent notice on our website

We encourage you to review this Privacy Policy periodically. Your continued use of our services after changes are posted constitutes your acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

GP Way, Lda (GP Drive)
Data Protection Officer: Eduardo Pereira
Email: dpo
General Inquiries: info
Address: Rua Conde Ferreira, 16, 2900-123 Setúbal, Portugal
Tax Number: 517778467

We are committed to working with you to obtain a fair resolution of any privacy concern.