Privacy policy

The controller of personal data processed through the Platform is TransferGeorgia LLC, registration number [ID/N], registered office at [Tbilisi, Georgia — legal address]. Questions about this policy and requests to exercise your rights go to [support@transfergeorgia.com].

When a Carrier — an independent driver, guide or operator listed on the Platform — collects your data after a booking is confirmed (for example, recording your pickup address, phone number, or vehicle preferences in their own notebook), that Carrier is a separate controller for that data and acts under the obligations set out in our Terms of use, section 8.12. We require Carriers to delete trip-specific personal data within 30 days of the trip and to use it only for fulfilling that trip.

We group the data by the purpose for which we collect it, rather than as one long list. Each category lists the data items, the purpose, and the legal basis under Georgian / GDPR data-protection law.

a) Account and contact data

Items: name, email address, mobile phone number, optional profile photo, language preference, account creation timestamp.
Purpose: creating and authenticating your account, sending booking confirmations and trip-related notifications, contacting you about issues that affect your trip.
Legal basis: performance of the contract with you (the Terms of use), and our legitimate interest in operating a usable booking service.

b) Booking data

Items: pickup and drop-off addresses, date and time, number of passengers, luggage notes, child-seat or pet requests, special requirements, the Carrier you booked, the agreed price, the chat messages exchanged with the Carrier.
Purpose: setting up the trip, sharing the necessary subset with the Carrier so they can pick you up, supporting you and the Carrier if anything goes wrong.
Legal basis: performance of contract; for chat history, legitimate interest in being able to investigate disputes.

c) Carrier verification data

Items applicable to Carriers only: copy of national ID or passport, driving licence, vehicle registration certificate, insurance policy, tax registration where required, biographical info shown on the public profile (name, languages, years of driving experience, vehicle photos).
Purpose: confirming that the Carrier meets the legal requirements for commercial passenger transport in Georgia, and that the public profile shown to Travellers is accurate.
Legal basis: legal obligation under Georgian transport law; performance of contract with the Carrier.

d) Reviews and ratings

Items: star rating you leave for a Carrier, the optional comment text, your first name and the first letter of your last name as shown on the public review card.
Purpose: helping future Travellers compare Carriers, helping us moderate the marketplace.
Legal basis: legitimate interest in maintaining a transparent rating system; you opt in by submitting the review.

e) Technical and usage data

Items: IP address, approximate location derived from IP, browser and device fingerprint (user agent, screen size, timezone), pages you viewed, search filters you applied, the search results you clicked, error events.
Purpose: keeping the Platform secure (rate-limiting, fraud detection, blocking bots), making the product better (which features get used, where users drop out), routing you to the right locale.
Legal basis: legitimate interest, narrowly scoped to the operational and security purposes above. We do not sell technical data to advertisers.

f) Communications with our support team

Items: the content of emails or chat messages you send to support, the email address from which you wrote, screenshots you attach.
Purpose: answering your question, investigating an issue, training our team on edge cases.
Legal basis: legitimate interest in providing reliable support; performance of contract.

g) Marketing data (only if you opt in)

Items: the email address you provided, your engagement with our newsletters (open / click).
Purpose: sending you occasional product or destination news. We send marketing emails only if you separately opted in. Every marketing email contains a one-click unsubscribe link.
Legal basis: your consent, which you can withdraw at any time.

3.1. Directly from you — when you fill in a booking form, register as a Carrier, send us an email, leave a review, or use the chat.

3.2. Automatically as you browse — pages you view, the device you use, your IP address, behaviour signals such as time spent on a page (see section 9 on cookies).

3.3. From third parties when relevant — payment-processing partners (only for the Carrier-side commission settlement, not for any traveller payment); fraud-screening vendors that operate on the technical signals already in section 2(e); the Georgian state when we are legally required to confirm a Carrier’s registration. We do not buy or rent personal data from data brokers.

We share personal data only in the situations below, and only to the extent each situation requires.

• With your booked Carrier. When you confirm a booking, the Carrier sees: your first name, mobile number, pickup and drop-off, time, passenger count, special requests. The Carrier does not see your email or your full account history.
• With our hosting and infrastructure providers (cloud hosting, email-delivery service, image storage). They process data on our written instructions, under contractual data-processing agreements, and only to deliver the technical service.
• With professional advisors (lawyers, accountants, auditors) when defending a claim or completing a statutory audit, under their professional duty of confidentiality.
• With the Georgian Personal Data Protection Service or other competent authority when we receive a lawful request and have to comply.
• In a corporate transaction — if the Platform is acquired, merged or restructured, personal data may be transferred to the successor under the same protections as set out here, with prior notice to users.

We do not sell personal data. We do not share personal data with advertising networks for behavioural targeting.

5.1. Some of our hosting and email-delivery providers operate from servers located outside Georgia (typically the European Union and the United States). When data is transferred to such a provider, we rely on standard contractual clauses or an equivalent safeguard recognised by the data-protection law applicable to you, and we limit the data shared to what the provider needs to deliver the service.

5.2. You can ask us for a list of the providers we currently use and the safeguards in place by writing to [support@transfergeorgia.com].

We keep each category only as long as we have a clear reason to keep it.

• Account and contact data: for as long as the account is active, plus 12 months after closure to handle late disputes.
• Booking data: for 5 years from the date of the trip — this is the standard limitation period under Georgian civil law for service-contract claims.
• Carrier verification documents: for 5 years from the date the Carrier’s account is closed, to satisfy tax and licensing requirements.
• Reviews: kept indefinitely as part of the public marketplace history, but linked to the reviewer only as a first name + initial.
• Technical and usage data: aggregated server logs for 12 months; raw error events for 30 days.
• Marketing data: kept until you unsubscribe.
• Support correspondence: 24 months from the last reply.

After the retention period, data is either deleted or irreversibly anonymised. Backups containing your data are overwritten on the regular backup-rotation schedule; we do not selectively delete inside backups, but we ensure that data restored from a backup carries forward the deletion you requested.

7.1. In transit: all traffic between your browser and the Platform is encrypted with TLS. Internal traffic between our application and the database goes over a private network.

7.2. At rest: databases are encrypted; backups are encrypted; uploaded files are stored in object storage with restricted access keys and signed URLs.

7.3. Access controls: only a narrow set of internal roles can read user data, and access is audited. Carriers can see a Traveller’s data only for their own bookings. Travellers see their own data plus the public Carrier profile.

7.4. Account security on your side: we use one-time email codes (no password to leak) for travellers and strong-password hashing for Carrier accounts that have a password. You can sign out from the dashboard, and we recommend doing so on a shared computer.

7.5. Breach notification. If a data breach affects your data and is likely to harm you, we will notify you and the Personal Data Protection Service within the deadlines required by Georgian law (and within 72 hours where GDPR applies).

You have the following rights, regardless of where you are located:

• Right of access — ask us for a copy of the personal data we hold about you.
• Right of rectification — ask us to correct inaccurate or incomplete data.
• Right of erasure ("right to be forgotten") — ask us to delete data we no longer need; we may keep some items if a legal obligation requires it.
• Right to restrict processing — ask us to pause processing certain data while we investigate a request.
• Right to data portability — ask us to provide your data in a structured, machine-readable format so you can transfer it to another service.
• Right to object — object to processing based on our legitimate interest, including any profiling we may carry out.
• Right to withdraw consent — at any time, where we relied on your consent (for example, for marketing emails), without affecting the lawfulness of past processing.
• Right to complain — see section 12 below for the supervisory authority.

To exercise any of these rights, write to [support@transfergeorgia.com] from the email address tied to your account, or open a support ticket from your dashboard. We respond within 10 working days under Georgian law (and within one month under GDPR), free of charge for the first request in any 12-month period. We may ask you to confirm your identity if the request looks unusual.

9.1. A cookie is a small text file that the Platform places on your device so it can remember things between page loads.

9.2. We use four buckets of cookies, no more:

• Strictly necessary — sign-in session, locale preference, anti-CSRF token. These cannot be turned off without breaking the site.
• Functional — remembering search filters, recent routes you viewed, the language you picked in the switcher.
• Analytics — anonymous, aggregate counters that tell us how many visitors looked at a given route or how many drop off at the booking step. We do not link these to a specific person.
• Referral attribution — the optional `tg-ref` cookie is set when you arrive via a referral link; it is short-lived (30 days) and only carries the referral code itself.

9.3. We do not run third-party advertising cookies. We do not sell behavioural data to ad networks.

9.4. You can clear cookies in your browser at any time. If you clear strictly-necessary cookies, you will be signed out and may need to re-pick the locale.

10.1. The Platform is not intended for use by people under the age of 18. We do not knowingly collect personal data of children. If a Traveller travels with children, the booking is made by an adult and the children’s details (such as the number of child seats) are recorded as part of the booking, not as a separate child profile.

10.2. If you believe a child has registered an account, contact [support@transfergeorgia.com] and we will close the account and delete the data.

11.1. We may update this Privacy policy. The most recent version always lives at this URL with the effective date at the top.

11.2. Material changes (a new category of data, a new sharing partner, a longer retention period) are announced by email to active users and / or by an in-dashboard notice at least 7 calendar days before they take effect.

Privacy contact at the Platform:

TransferGeorgia LLC
Registration number: [ID/N]
Registered office: [Tbilisi, Georgia — legal address]
Email: [support@transfergeorgia.com]

Supervisory authority in Georgia — the Personal Data Protection Service. If you believe we have not handled your data properly and we have not resolved your concern, you may complain to:

Personal Data Protection Service of Georgia
7 N. Vachnadze St., 0105 Tbilisi, Georgia
Phone: +995 32 242 1000
Email: office@pdps.ge