PickupTime

Privacy Policy

Last updated: 2026-06-10

This Privacy Policy explains how personal data is processed in connection with the service provided by PickupTime (pickuptime.io) ("PickupTime", "we", "us") at pickuptime.io. This Policy is drafted to align with the EU General Data Protection Regulation (GDPR) and with Turkish Law No. 6698 (KVKK). For data subjects in Türkiye, our separate KVKK Disclosure Statement also applies.

1. Our Roles: Controller and Processor

PickupTime acts in two distinct capacities:

  • As a controller for Operator account data (name, email, business details, billing and subscription information) and for technical records relating to the operation of the service.
  • As a processor for guest, driver and trip data entered into the service by Operators. The controller of that data is the relevant Operator; PickupTime processes it solely on the Operator's documented instructions under our Data Processing Addendum (DPA). Guests should address requests concerning their data to the Operator from whom they received the transport service in the first instance; requests received by us will be forwarded to the relevant Operator.

2. Categories of Data We Process

  • Operator account data: name, email, phone, business name, billing details, session records.
  • Driver data: name, phone, assigned vehicle plate, and GPS location data transmitted from the driver's device only while a trip is active. No location data is collected outside of active trips.
  • Guest data: name (optional), hotel/pickup point, contact details (phone/email), booking and trip details.
  • Vehicle data: plate number, make/model and information extracted by OCR from the vehicle registration document.
  • Technical data: IP address, browser information, essential cookies and server logs.

3. Purposes of Processing

We process data to: provide the service and run pickup operations; give guests an estimated time of arrival (ETA) and a live tracking link; propagate delays to subsequent stops; produce agency reports and fleet statistics; create vehicle records automatically from registration documents; manage billing and subscriptions; ensure security and debugging; and comply with legal obligations. We do not process personal data for advertising and we do not sell personal data.

4. Legal Bases

Under the GDPR we rely on: performance of a contract (Art. 6(1)(b): account and service administration); legitimate interests (Art. 6(1)(f): service security, product improvement, fraud prevention); legal obligation (Art. 6(1)(c): tax and commercial record-keeping); and consent where required (Art. 6(1)(a)). For guest and driver data that we process as a processor, the applicable legal basis is determined by the relevant Operator as controller.

5. Retention

  • GPS location data: retained for a maximum of 90 days after a trip is completed; Operators may configure a shorter period. After expiry, location points are deleted or reduced to anonymous statistics.
  • Guest data: retained according to the Operator's configuration and instructions; deleted within the period set out in the DPA upon account closure.
  • Account and billing data: retained for the duration of the contract and thereafter for the limitation and statutory retention periods required by applicable law.

6. Recipients and Subprocessors

Your data is shared with the following service providers only to the extent necessary to deliver the service:

  • Supabase / AWS (EU region): database, authentication and hosting infrastructure.
  • Google Maps Platform: map rendering, routing and ETA calculations.
  • Resend: transactional email delivery.
  • OpenAI: OCR processing of vehicle registration documents (document content is processed solely for data extraction and is not permitted to be used for model training).

The current subprocessor list is annexed to the DPA. Lawful requests from public authorities remain reserved.

7. International Transfers

Our hosting infrastructure is primarily located in the EU region. Transfers outside the EU/EEA are carried out under the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions where available, and supplementary safeguards as appropriate. Transfers out of Türkiye are subject to the mechanisms set out in Article 9 of the KVKK.

8. Your Rights

You have the right to access your data, to request rectification or erasure, to restrict processing, to receive your data in a portable format, to object to processing based on legitimate interests, and to withdraw any consent you have given at any time. You can exercise these rights by emailing business@pickuptime.io; we respond within 30 days at the latest. You also have the right to lodge a complaint with the data protection authority of your country of residence (in Türkiye, the Personal Data Protection Authority, KVKK).

9. Data Security

We apply appropriate technical and organisational measures, including per-tenant row-level security (RLS) isolation, TLS encryption in transit and encryption at rest, tokenized (unguessable) guest tracking links, role-based access control and regular access logging.

10. Children

The service is not directed at children under 16, and account holders must be at least 18. Where Operators enter guest records relating to children, the Operator is responsible for the lawfulness of that processing.

11. Changes and Contact

Material changes to this Policy will be announced on our website and, where appropriate, by email. For any questions:

PickupTime (pickuptime.io)Cumhuriyet Mahallesi, İstiklal Caddesi No 8, Ürgüp/Nevşehir, TürkiyeEmail: business@pickuptime.io

Privacy Policy · PickupTime