Privacy Policy — Hype Taxi Driver Application

Version 2.0 – Effective date: 1 May 2026

Preamble

Hype is committed to protecting the personal data of the partner drivers who use the Hype Taxi Driver mobile application (the “Application”).

This privacy policy (the “Policy”) describes, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”) and French Act No. 78-17 of 6 January 1978, as amended (the “French Data Protection Act”), how Hype collects and processes personal data relating to drivers (the “Data”).

It is intended to provide drivers with clear and transparent information on the categories of Data collected, the purposes pursued, the legal bases relied upon, the recipients, the retention periods, and the rights they enjoy.

1. Data Controller and Application Publisher

1.1 Data Controller

Hype is a société anonyme (SA) with share capital of EUR 272,039.00.

Registered office: 84 avenue de la République, 75011 Paris, France.

Paris Trade and Companies Register (RCS) No. 519 003 115 – SIRET No. 519 003 115 00028.

Hype is the sole data controller within the meaning of Article 4(7) of the GDPR. Hype determines the purposes and means of all Data processing activities carried out through the Hype Taxi Driver Application.

1.2 Application Publisher

The Hype Taxi Driver Application is published on the App Store and Google Play by Fleetizen, an affiliate of Hype, with its registered office at 84 avenue de la République, 75011 Paris, France.

All Data processing activities described in this Policy are carried out by Hype, in its capacity as data controller. Any request relating to the Data must be addressed to Hype in accordance with section 12.

1.3 Data Protection Officer (DPO)

Hype has appointed a Data Protection Officer, who can be contacted:

  • by email: dpo@hype.taxi
  • by post: Hype – Data Protection Officer – 84 avenue de la République, 75011 Paris, France.

2. Scope

This Policy applies exclusively to the Hype Taxi Driver Application, which is intended for partner taxi drivers (the “Drivers”) who have entered into a contract with Hype and have completed the required training.

It does not cover the Application intended for passengers, nor the websites published by Hype, which are governed by separate privacy policies.

3. Data Collected

In connection with the use of the Application, the following categories of Data may be collected.

3.1 Identification and contact data
  • Last name, first name
  • Date and place of birth
  • Phone number
  • Email address
  • Postal address
3.2 KYC and professional data
  • ID photograph (used for identity verification and for display to passengers)
  • Identity document (national ID card, passport or residence permit)
  • Professional taxi driver card
  • Taxi operating licence – stationing authorisation (“ADS”) or equivalent
  • Driving licence
  • Vehicle registration certificate and proof of professional vehicle insurance
  • Vehicle information (registration plate, make, model, colour, equipment)
  • Any other regulatory document required to operate as a taxi driver
3.3 Payment and billing data
  • Bank account details (RIB / IBAN)
  • SIRET number and, where applicable, intra-EU VAT number
  • Billing and payment history
3.4 Ride data
  • History of rides performed
  • Date, time, pickup point and drop-off point
  • Distance travelled, duration and price
  • Ratings and comments left by passengers
  • Ride status (acceptance, refusal, cancellation, incident)
3.5 Location data
  • Real-time location of the vehicle while connected to the Application
  • Location collected in the background, when the Application is not in the foreground but the Driver is on duty
  • Location collected when the Application is closed, under the conditions set out in section 5

The exact methods of collection and use of geolocation data are described in section 5.

3.6 Technical and connection data
  • IP address
  • Unique device identifier (Device ID)
  • Device model, brand and operating system
  • Application version
  • Usage logs, diagnostic logs and crash reports
3.7 Support-related data
  • Exchanges with user support (email, phone, in-app)
  • Tickets and complaints

4. Purposes, legal bases and retention periods

The table below sets out, for each processing purpose, the legal basis under Article 6 of the GDPR and the retention period applied.

Purpose Legal basis Retention period
Creation and management of the Driver account Performance of the contract (Art. 6(1)(b) GDPR) Duration of the contractual relationship + 5 years
Identity verification (KYC), regulatory compliance and record-keeping Legal obligation (Art. 6(1)(c) GDPR) Duration of the contractual relationship + 5 years
Allocation and management of rides (dispatch) Performance of the contract (Art. 6(1)(b) GDPR) Period of active use of the Application
Real-time tracking of rides (safety, service quality, support) Legitimate interest of the controller and of the passengers (Art. 6(1)(f) GDPR) During the ride, then archived in line with the “Ride data” entry
Billing and payment of rides Performance of the contract / Legal obligation (accounting and tax) 10 years for accounting records (Art. L.123-22 of the French Commercial Code)
User support and assistance Performance of the contract (Art. 6(1)(b) GDPR) 3 years from the last contact
Fraud prevention and detection Legitimate interest (Art. 6(1)(f) GDPR) 5 years from detection, or until the proceedings are concluded
Application analytics and improvement (statistics, audience measurement) Legitimate interest or consent (depending on the trackers concerned – see section 9) Maximum of 13 months for trackers (CNIL guidelines)
Information system security (technical logs) Legitimate interest / Legal obligation 1 month
Operational communications (ride notifications, alerts, updates) Performance of the contract Duration of the contractual relationship
Commercial and promotional communications Consent (Art. 6(1)(a) GDPR) Until consent is withdrawn, and for a maximum of 3 years from the last contact

Beyond the periods indicated, Data may be archived for the time strictly necessary to comply with applicable legal obligations or to establish, exercise or defend a legal claim (see section 13).

5. Geolocation

Geolocation of the Driver is central to the operation of the Application. It is used in particular to:

  • allocate rides to the most appropriate Driver near the pickup point (dispatch);
  • enable passengers to track the approach and the course of their ride;
  • enable the support team and safety services to locate a Driver in the event of an incident or emergency;
  • calculate and verify the billing of the ride (distance and route);
  • detect potential anomalies or fraudulent behaviour.
5.1 Collection methods

Geolocation data is collected as soon as the Driver switches to “on duty” status from within the Application. Collection may take place:

  • in the foreground, when the Application is open and active;
  • in the background, when the Application is minimised but the session is still active;
  • where applicable, when the Application is closed but the Driver remains on duty. This situation is explicitly disclosed to the user through the iOS and Android system permission prompts.
5.2 Driver controls

The Driver may, at any time:

  • switch to “off duty” status to interrupt the collection of geolocation data;
  • revoke location permissions from the device settings.

Because geolocation is essential to the operation of the Application, refusing or revoking these permissions will prevent rides from being assigned and, more generally, render the Application unusable.

6. Automated decision-making and profiling – dispatch algorithm

The allocation of rides relies on an automated algorithm. In accordance with Article 22 of the GDPR, Hype provides Drivers with the following information.

6.1 Underlying logic

The dispatch algorithm allocates a ride to a Driver based, in particular, on:

  • the Driver’s GPS position relative to the pickup point;
  • the Driver’s availability (“on duty” status, no other ride in progress);
  • the characteristics of the ride (vehicle type required, passenger options, payment method);
  • recent history (acceptance rate, refusals, cancellations);
  • where applicable, the Driver’s average rating.
6.2 Consequences for the Driver

The algorithm determines which Driver is offered which ride. It does not assess the personality of the Driver and does not produce legal effects or other significant effects within the meaning of Article 22 of the GDPR.

Decisions liable to affect the contractual relationship (suspension, termination, sanctions) are not taken on a fully automated basis and always involve human review.

6.3 Safeguards available to the Driver

The Driver may:

  • challenge a ride allocation or non-allocation with the support team;
  • request human intervention to review an automated decision;
  • express their point of view and obtain an explanation.

7. Recipients and Processors

7.1 Internal recipients

The Data is accessible to authorised Hype personnel (Operations, Support, Finance, IT and Compliance teams), strictly within the limits of their duties.

7.2 Passengers

While a ride is in progress, passengers have access to the strictly necessary information:

  • Driver’s first name
  • Driver’s photograph
  • Vehicle registration plate, make, model and colour
  • Vehicle’s GPS position during the ride (from approach to drop-off)
  • Driver’s average rating
7.3 Business clients (B2B offers)

For rides performed for the benefit of a business client subscribed to a Hype B2B offer, the Data strictly necessary for usage tracking, reporting and billing is shared with that client. Unless otherwise agreed by the Driver, this Data does not contain information enabling the Driver to be identified beyond what is strictly necessary to perform the service.

7.4 Processors

Hype engages processors for technical services. Each processor is bound by a contract that complies with Article 28 of the GDPR and imposes equivalent confidentiality and security obligations. The main categories of processors used are:

  • Cloud hosting and infrastructure (data hosted within the European Union)
  • ERP and billing
  • Payment service provider(s)
  • Mapping and route calculation
  • Push notifications and in-app messaging
  • Audience measurement, crash reporting and usage analytics tools
  • Customer support and communication tools

A detailed and up-to-date list of processors may be provided on request to the DPO.

7.5 Administrative and judicial authorities

Hype may transmit Data to administrative or judicial authorities upon legal request, within the conditions and limits set by law.

8. Transfers of data outside the European Union

The Data is hosted and processed within the European Union.

Where certain features provided by processors involve an occasional transfer outside the European Union (for example, technical support from a vendor established outside the EU), such transfer is governed by the appropriate safeguards provided for by the GDPR: an adequacy decision of the European Commission, standard contractual clauses, or other safeguards within the meaning of Articles 46 and 47 of the GDPR. A copy of these safeguards may be obtained from the DPO.

9. Cookies, SDKs and trackers within the Application

The Application embeds third-party software components (Software Development Kits, or “SDKs”) that may collect information relating to the use, performance and stability of the Application. These components include, in particular:

  • Firebase SDK (notifications, crash reporting)
  • Google Analytics SDK (audience measurement)
  • Mapping SDK
9.1 Strictly necessary trackers

Trackers strictly necessary for the operation of the Application (authentication, security, fraud prevention, storage of technical preferences) are activated by default on the basis of Hype’s legitimate interest, in line with the recommendations of the CNIL (the French data protection authority).

9.2 Trackers subject to consent

Trackers that are not strictly necessary (non-anonymised audience measurement, content personalisation, behavioural analytics) are deployed only after the user’s free, informed and specific consent has been obtained. This consent may be withdrawn at any time from the Application settings.

The retention period of trackers and of the information collected through them does not exceed thirteen (13) months, in line with CNIL guidelines.

10. Data security

Hype implements appropriate technical and organisational measures to protect the Data against loss, alteration, disclosure or unauthorised access, including in particular:

  • encryption of data in transit (TLS) and at rest (storage disk encryption);
  • strict access control, application of the least-privilege principle and strong authentication of authorised employees;
  • segregation of environments (production, staging, development);
  • regular backups and restoration testing;
  • access logging and detection of abnormal activity;
  • documented procedure for managing data breaches;
  • ongoing awareness and training of employees;
  • periodic security reviews and audits;
  • hosting within the European Union on a certified infrastructure (Google Cloud).

In the event of a Data breach likely to result in a risk to the rights and freedoms of the persons concerned, Hype will notify the CNIL within seventy-two (72) hours and, where applicable, will inform the Drivers concerned, in accordance with Articles 33 and 34 of the GDPR.

11. Driver rights

In accordance with Articles 15 to 22 of the GDPR and the French Data Protection Act, each Driver has the following rights:

  • Right of access: to obtain confirmation as to whether Data concerning them is being processed and to receive a copy of such Data.
  • Right to rectification: to have inaccurate or incomplete Data corrected.
  • Right to erasure (“right to be forgotten”): to request the deletion of their Data under the conditions provided for by the GDPR.
  • Right to restriction of processing: to request the temporary suspension of a processing activity.
  • Right to object, in particular to processing based on legitimate interest, subject to the compelling legitimate grounds that Hype may invoke.
  • Right to data portability: to receive their Data in a structured, commonly used and machine-readable format, and to transmit it to another data controller.
  • Right to withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing carried out before such withdrawal.
  • Right to set post-mortem instructions regarding the retention, deletion and communication of their Data after death.
  • Right not to be subject to a fully automated decision producing legal effects or significant effects (see section 6).
  • Right to lodge a complaint with the CNIL: 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France – www.cnil.fr.

12. How to exercise these rights

To exercise these rights, the Driver may contact Hype’s DPO:

  • by email: dpo@hype.taxi
  • by post: Hype – Data Protection Officer – 84 avenue de la République, 75011 Paris, France
  • via the Application’s support service

Hype may request proof of identity in case of reasonable doubt as to the identity of the requester.

A response will be provided within one (1) month of receipt of the request. This period may be extended by two (2) further months in the case of complex or numerous requests, in accordance with Article 12(3) of the GDPR. Where the period is extended, the Driver will be informed within the initial one-month period.

13. Retention of Data after account deletion

Some Data may be retained beyond the deletion of the Driver’s account in order to allow Hype to comply with its legal obligations (in particular accounting, tax, social security and anti-fraud obligations) or to establish, exercise or defend a legal claim.

Such Data is then archived with strictly restricted access, limited to authorised personnel, and retained for the applicable statutory period.

14. Updates to this Policy

This Policy may be amended to reflect changes in processing activities or in applicable regulations. The version in force is the one accessible from within the Application and on the associated website.

In the event of a substantial change, Drivers will be notified by email. Drivers are encouraged to review this Policy on a regular basis.

Version history
  • Version 1.0 – 24 January 2018: initial version.
  • Version 2.0 – 1 May 2026: full overhaul – clarification of the data controller, addition of legal bases for each processing purpose, strengthening of Driver rights, framework for the dispatch algorithm, framework for SDKs and trackers.

15. Contact

Any question relating to this Policy or to the processing of the Data may be sent:

Copyright © Copyright © 2020 Fleetizen. All rights reserved