1. Introduction
Welcome to Dojo. This Privacy Policy explains how Hello Dojo Inc ("Dojo", "we", "us", or "our"), together with its Spanish affiliate Samachi Ibiza SL, collects, uses, shares, and protects your personal data when you use our ride-hailing and concierge services platform, including our mobile applications ("Dojo User App" and "Dojo Driver App") and related services (collectively, the "Services").
Dojo operates in Ibiza, Spain and is committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) (EU Regulation 2016/679), the Spanish Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD), and other applicable data protection laws.
By using our Services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller Information
Data Controller: Hello Dojo Inc, together with its Spanish affiliate Samachi Ibiza SL, Ibiza, Balearic Islands, Spain
Contact email (including Data Protection Officer): privacy@hellodojo.ai
For any questions regarding this Privacy Policy or to exercise your data protection rights, please contact us at privacy@hellodojo.ai.
3. Categories of Personal Data We Collect
We collect different categories of personal data depending on whether you use Dojo as a Rider (passenger) or a Driver.
3.1 Data Collected from All Users
| Category | Data Types | Purpose |
|---|---|---|
| Identity Data | Full name, phone number, email address (optional), profile photo (optional) | Account creation and identification |
| Authentication Data | Password (encrypted), verification codes | Secure access to your account |
| Device Data | Device type, operating system, unique device identifiers, IP address | Security, fraud prevention, service optimization |
| Usage Data | App interactions, features used, session duration, screens viewed | Service improvement and analytics |
| Communication Data | Messages with support, ratings, reviews, feedback | Customer service and quality assurance |
3.2 Additional Data Collected from Riders
| Category | Data Types | Purpose |
|---|---|---|
| Location Data | Pickup and dropoff addresses, real-time location during rides | Matching with drivers, navigation, ride tracking |
| Trip Data | Ride history, routes taken, trip timestamps, fare amounts | Service provision and billing |
| Payment Data | Payment method details (processed by Stripe), transaction history | Payment processing |
| Booking Data | Service preferences, special requests, group information | Concierge and booking services |
| Referral Data | Referral codes, referred users | Referral program management |
3.3 Additional Data Collected from Drivers
| Category | Data Types | Purpose |
|---|---|---|
| Precise Location Data | Real-time GPS coordinates (latitude, longitude), speed, heading, accuracy | Ride matching, navigation, trip tracking, safety |
| Background Location Data | Location when app is in background (while online) | Continuous availability for ride requests |
| Location History | Historical location data during trips and while online | Route verification, dispute resolution, analytics |
| Vehicle Data | Make, model, year, color, license plate number | Service provision and identification |
| Identity Documents | Driver's license, ID card, vehicle registration (for verification) | Regulatory compliance and safety |
| Financial Data | Bank account details for payouts, tax identification | Driver payments |
| Performance Data | Acceptance rate, completion rate, ratings, reviews | Quality assurance |
3.4 Special Categories of Data
We do not intentionally collect special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data). If such data is incidentally provided through communications or feedback, we will not process it for any purpose other than responding to your inquiry.
4. How We Collect Your Data
We collect personal data through:
- Direct collection — Information you provide when creating an account, booking rides, or contacting support
- Automated collection — Data collected automatically through our apps (location, device data, usage analytics)
- Third-party sources — Data from payment processors (Stripe), analytics providers, and mapping services
- Driver verification — Identity and vehicle documents submitted during onboarding
5. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
| Processing Activity | Legal Basis (GDPR Art. 6) | Explanation |
|---|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) | Necessary to provide our Services |
| Ride matching and navigation | Contract (Art. 6(1)(b)) | Core service functionality |
| Real-time location tracking (during rides) | Contract (Art. 6(1)(b)) | Essential for ride services |
| Background location (drivers while online) | Consent (Art. 6(1)(a)) | You can disable this in app settings |
| Location history retention (90 days) | Legitimate Interest (Art. 6(1)(f)) | Dispute resolution, fraud prevention, safety |
| Payment processing | Contract (Art. 6(1)(b)) | Necessary to complete transactions |
| Safety and fraud prevention | Legitimate Interest (Art. 6(1)(f)) | Protecting users and the platform |
| Analytics and service improvement | Legitimate Interest (Art. 6(1)(f)) | Improving our Services |
| Marketing communications | Consent (Art. 6(1)(a)) | Only with your explicit consent |
| Legal compliance | Legal Obligation (Art. 6(1)(c)) | Tax records, regulatory requirements |
| Push notifications | Consent (Art. 6(1)(a)) | You can disable in device settings |
5.1 Legitimate Interest Assessment
Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interests (see Section 11).
6. How We Use Your Data
6.1 Primary Purposes
- Providing ride-hailing services — Matching riders with drivers, navigation, trip tracking
- Processing payments — Charging riders, paying drivers, managing refunds
- Safety and security — Verifying identities, detecting fraud, investigating incidents
- Customer support — Responding to inquiries, resolving disputes
- Legal compliance — Meeting tax, regulatory, and law enforcement obligations
6.2 Secondary Purposes
- Service improvement — Analyzing usage patterns to enhance features
- Personalization — Remembering preferences, saved places, frequent destinations
- Communications — Sending trip updates, receipts, service notifications
- Marketing — Promotional offers (only with consent)
- Research and analytics — Understanding market trends (using aggregated/anonymized data)
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
| Data Type | Retention Period | Justification |
|---|---|---|
| Account data | Duration of account + 3 years after deletion | Legal claims limitation period |
| Trip/ride data | 7 years | Tax and regulatory requirements |
| Location history | 90 days | Dispute resolution, fraud investigation |
| Payment records | 7 years | Spanish tax law requirements |
| Driver documents | Duration of driver status + 5 years | Regulatory compliance |
| Support communications | 3 years | Quality assurance and legal claims |
| Analytics data | 26 months | Service improvement |
| Marketing consent records | Duration of consent + 3 years | Proof of consent |
After the retention period expires, data is securely deleted or anonymized for statistical purposes.
8. Data Sharing and Recipients
We share your personal data with the following categories of recipients:
8.1 Service Providers (Data Processors)
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Payment details, transaction data | USA (EU-US DPF certified) |
| Supabase | Authentication and backend infrastructure | Account data, authentication credentials | EU (Frankfurt) |
| Amazon Web Services | Cloud hosting (ECS, RDS, S3, SES, ElastiCache, CloudFront) | All platform data | EU (Spain, Ireland) |
| PostHog | Product analytics | Usage data, device data | EU |
| Sentry | Error tracking and performance monitoring | Crash reports, device data | EU |
| OneSignal | Push notifications | Device tokens, user IDs | USA (SCCs) |
| Mapbox | Maps, navigation, and reverse geocoding | Location data | USA (SCCs) |
| Google Maps | Place search and forward geocoding | Search queries, location data | USA (EU-US DPF certified) |
| 360dialog | WhatsApp Business messaging | Phone numbers, message content, booking details | EU (Germany) |
| OpenAI | AI-powered chat and voice assistant | Chat transcripts, booking context, voice audio | USA (SCCs) |
| Google Gemini | AI-powered chat and voice assistant | Chat transcripts, booking context | USA (EU-US DPF certified) |
| Deepgram | Speech-to-text for voice assistant | Voice audio | USA (SCCs) |
| Tavily | Web search for AI assistant context | Search queries | USA (SCCs) |
| Vercel | Web hosting for portals | Web traffic, logs | USA (SCCs) |
| Expo (EAS) | Mobile app build and distribution | Build artifacts, app metadata | USA (SCCs) |
All processors are bound by Data Processing Agreements (DPAs) that comply with GDPR requirements.
8.2 Other Users
- Riders see: Driver's name, photo, vehicle details, rating, real-time location during trips
- Drivers see: Rider's name, pickup/dropoff locations, ride details
8.3 Business Partners
- Fleet management companies (for drivers affiliated with fleets)
- Venue partners (for concierge bookings, with your consent)
8.4 Legal and Regulatory Authorities
We may disclose your data when required by law or to:
- Comply with legal obligations
- Respond to valid legal requests (court orders, subpoenas)
- Protect our rights, safety, or property
- Prevent fraud or illegal activities
- Respond to emergencies involving personal safety
9. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). When we transfer your data outside the EEA, we ensure appropriate safeguards are in place:
| Transfer Mechanism | Providers |
|---|---|
| EU-US Data Privacy Framework | Stripe, Google (Maps, Gemini) |
| Standard Contractual Clauses (SCCs) | OneSignal, Mapbox, OpenAI, Deepgram, Tavily, Vercel, Expo |
| Data stored in EU | Supabase, PostHog, Sentry, AWS, 360dialog |
You may request a copy of the relevant safeguards by contacting privacy@hellodojo.ai.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
Technical Measures:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Secure password hashing (bcrypt)
- Regular security audits and penetration testing
- Network firewalls and intrusion detection
- Access controls and authentication
Organizational Measures:
- Staff training on data protection
- Access limited to authorized personnel on a need-to-know basis
- Incident response procedures
- Regular review of security practices
Despite our efforts, no method of transmission over the Internet is 100% secure. If you believe your data has been compromised, please contact us immediately at privacy@hellodojo.ai.
11. Your Rights Under GDPR
As a data subject in the EU, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of your personal data | Email privacy@hellodojo.ai or use in-app settings |
| Rectification (Art. 16) | Correct inaccurate data | Update in app or contact support |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten") | In-App: Settings → Account → Delete Account, or email privacy@hellodojo.ai |
| Restriction (Art. 18) | Limit how we process your data | Email privacy@hellodojo.ai |
| Data Portability (Art. 20) | Receive your data in a machine-readable format | Email privacy@hellodojo.ai |
| Object (Art. 21) | Object to processing based on legitimate interests | Email privacy@hellodojo.ai |
| Withdraw Consent (Art. 7) | Withdraw consent at any time | Email or in-app settings |
| Automated Decisions (Art. 22) | Not be subject to purely automated decisions | Contact us for human review |
11.1 Account Deletion
You can delete your account and request erasure of your personal data at any time:
- In-App: Settings → Account → Delete Account
- Email: Send a deletion request to privacy@hellodojo.ai
When you delete your account, we will:
- Permanently deactivate your account and remove your profile
- Delete your personal data from our active systems within 30 days
- Remove your data from third-party processors (Supabase, Stripe, OneSignal, etc.)
- Retain only data required by law (e.g., financial records for 7 years per Spanish tax law, trip data for regulatory compliance)
Data retained for legal obligations will be isolated, access-restricted, and automatically deleted when the retention period expires.
11.2 How to Exercise Your Rights
- Email: privacy@hellodojo.ai
- In-App: Settings → Privacy → Data Rights
- Post: Hello Dojo Inc, c/o Samachi Ibiza SL, Ibiza, Balearic Islands, Spain
We will respond to your request within 30 days. In complex cases, we may extend this by an additional 60 days, with notification.
11.3 Right to Lodge a Complaint
If you believe we have violated your data protection rights, you have the right to lodge a complaint with the Spanish Data Protection Agency:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es
Phone: +34 912 663 517
12. Location Data and Tracking
12.1 Types of Location Tracking
| Feature | User Type | When Active | Can Be Disabled? |
|---|---|---|---|
| Real-time location (foreground) | Riders & Drivers | During active rides | No (required for service) |
| Background location | Drivers only | While "online" in app | Yes (in app settings) |
| Pickup/dropoff addresses | Riders | When booking rides | No (required for service) |
| Location history | Drivers | When online | Retained 90 days |
12.2 How to Control Location Permissions
On iOS: Settings → Privacy & Security → Location Services → Dojo → Choose "While Using" or "Never"
On Android: Settings → Apps → Dojo → Permissions → Location → Choose preference
Note: Disabling location will prevent core features from functioning. Drivers cannot receive ride requests without location enabled.
12.3 Location Data Retention
- Real-time location: Not stored beyond immediate use
- Trip route data: 7 years (regulatory requirement)
- Driver location history: 90 days (then automatically deleted)
- Pickup/dropoff addresses: 7 years (tax records)
13. Cookies and Similar Technologies
Our mobile apps use similar technologies to cookies for analytics and functionality:
| Technology | Purpose | Provider |
|---|---|---|
| Device identifiers | Fraud prevention, analytics | Internal |
| Analytics SDK | Usage analytics | PostHog |
| Crash reporting SDK | Error tracking | Sentry |
| Push notification tokens | Sending notifications | OneSignal |
For our web services, please refer to our Cookie Policy.
14. Children's Privacy
Dojo is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact us at privacy@hellodojo.ai, and we will delete such data promptly.
15. Automated Decision-Making
We use automated processing in the following areas:
| Process | Description | Human Oversight |
|---|---|---|
| Driver-rider matching | Automatic matching based on location, availability, preferences | Riders can cancel; support available |
| Pricing calculation | Automatic fare calculation based on distance, time, demand | Transparent breakdown provided |
| Fraud detection | Automated screening for suspicious activity | Human review before account action |
You have the right to request human intervention for decisions that significantly affect you. Contact support@hellodojo.ai for review.
16. AI-Powered Features and Data Processing
16.1 AI Assistant Services
Dojo offers optional AI-powered features including a chat assistant and voice assistant to help with bookings and recommendations. When you use these features:
| Data Processed | Purpose | Processors |
|---|---|---|
| Chat messages | Understanding your requests, providing recommendations, facilitating bookings | OpenAI (GPT-4o), Google Gemini |
| Voice audio | Speech-to-text transcription, real-time conversation | Deepgram (transcription) |
| Booking context | Personalizing responses with your preferences and history | OpenAI, Google Gemini |
| Web search queries | Providing real-time information about venues, events, availability | Tavily |
16.2 AI Data Retention
- Chat and voice interactions are not stored by AI processors beyond the active session, except for abuse prevention and as required by their terms of service
- You can opt out of AI features at any time by not using the chat or voice assistant
16.3 Your Control Over AI Features
- AI assistant features are entirely optional — core ride-hailing and booking services work without them
- You may request deletion of AI interaction data by contacting privacy@hellodojo.ai
- AI features do not make automated decisions that significantly affect you — they provide suggestions and facilitate bookings that you confirm
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top
- We will notify you via email or in-app notification
- For significant changes, we may request renewed consent
We encourage you to review this Privacy Policy periodically.
18. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
Privacy (including DPO): privacy@hellodojo.ai
Customer support: support@hellodojo.ai
In-App: Help & Support section
Postal Address: Hello Dojo Inc, c/o Samachi Ibiza SL, Ibiza, Balearic Islands, Spain
19. Additional Information for Spanish Users
Under the LOPDGDD (Ley Orgánica 3/2018), you have additional rights including:
- Right to digital disconnection (for drivers)
- Enhanced protection for deceased persons' data (heirs may exercise rights)
- Specific protections for minors in the digital environment
For complaints, you may also contact:
- Regional data protection authorities in your autonomous community
- Consumer arbitration boards (Juntas Arbitrales de Consumo)
19.1 Balearic Islands Users
For users in the Balearic Islands, you may also direct complaints to:
Direcció General de Consum (Govern de les Illes Balears)
Conselleria de Turisme, Cultura i Esports
Palma de Mallorca

Oficina de Atención al Consumidor de Ibiza (OMIC)
Consell Insular d'Eivissa
Our services in the Balearic Islands comply with Ley 4/2014, de 20 de junio, de transportes terrestres y movilidad sostenible de las Illes Balears, and applicable Consell Insular ordinances regarding data handling in transportation services.