GMsPoneja Oy
Legal
EN FI

Privacy Notice

Effective Date: July 24, 2025

This Privacy Policy explains how sPoneja Oy (“sPoneja”, “we”, “us”, or “our”) collects and processes personal data in connection with our taxi services and the GoMeter mobile application (mileage tracker & taxi meter), in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1) Data Controller

  • sPoneja Oy
  • Business ID: 3555121-6
  • Address: Katumantie 11 C 24, 13250 Hämeenlinna, Finland
  • Email: privacy@sponeja.com
  • Phone: +358 46 545 7751

2) What data we collect

  • Identification & contact – name, email address, phone number, company (if applicable).
  • Trip & booking – pickup and drop-off locations, planned/actual times, route/notes, fare/fees, extras and receipts.
  • Location – GPS location while a trip is being tracked/operated in the app (foreground and, with your consent, background).
  • Device & technical – IP address, device model & OS, app version, language, crash/diagnostics logs.
  • Payments – tokenized payment references returned by our payment processors; we do not store raw card numbers.
  • Account & usage – settings, roles (admin/employer/driver), login timestamps, feature interactions.
  • Support – messages you send to us (e.g., email, web forms).

3) Where the data comes from

  • You – when you create an account, book a ride, or contact support.
  • Your device/sensors – GPS and device info when you use GoMeter.
  • Service partners – mapping, routing, payment providers (only data needed to provide the service).
  • Company admins – where an employer sets up business accounts for drivers.

4) Why we process data (purposes) & legal bases

  • Provide the services – trip calculation, pricing, metering, receipts, mileage reports, account management. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Safety, security & fraud prevention – detect misuse, secure accounts, prevent chargeback abuse. Legal basis: legitimate interests (Art. 6(1)(f)).
  • Compliance – tax and accounting obligations, responding to lawful requests. Legal basis: legal obligation (Art. 6(1)(c)).
  • Improvements & analytics – product development, diagnostics. Legal basis: legitimate interests or consent (for non-essential analytics cookies).
  • Marketing – only with your consent (e.g., newsletters). Legal basis: consent (Art. 6(1)(a)).

5) Retention

We keep personal data only as long as necessary for the purposes above or as required by law. Typical periods:

  • Bookings, trip & receipt data: up to 6 years (tax/accounting).
  • Account info: for the life of the account, then deleted or anonymised within a reasonable period.
  • Diagnostics & analytics: the shortest period that supports troubleshooting and trends (usually 3–24 months), or earlier if you withdraw consent.

6) Sharing & international transfers

  • Processors – cloud hosting, analytics (if you consent), email delivery, payments. Each is bound by a data processing agreement.
  • Authorities – only where required by applicable law.
  • No selling of personal data.
  • If data is transferred outside the EEA, we use safeguards such as the EU Standard Contractual Clauses (SCCs) and technical/organisational measures.

7) Your GDPR rights

  • Right to be informed – about how and why we process your data.
  • Right of access (Art. 15) – request a copy of your personal data. We respond within one month (extendable by up to two months for complex requests). We may need to verify your identity.
  • Right to rectification (Art. 16) – correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) – request deletion in certain cases (e.g., consent withdrawal, no overriding reason to keep data).
  • Right to restrict processing (Art. 18) – in specific situations (e.g., contesting accuracy).
  • Right to data portability (Art. 20) – receive data you provided in a machine-readable format and/or transmit to another controller where technically feasible.
  • Right to object (Art. 21) – to processing based on legitimate interests or to direct marketing. We will stop unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent – at any time, for processing that relies on consent.
  • Automated decisions / profiling (Art. 22) – we do not make decisions with legal or similarly significant effects solely by automated means. If such features are introduced, you can request human review.
  • Right to lodge a complaint – with your local Data Protection Authority. In Finland, this is the Office of the Data Protection Ombudsman.
  • Post-mortem instructions – you may give us instructions on the handling of your data after death, where allowed by law.

8) Security

We apply appropriate technical and organisational measures including access controls, encryption in transit, hardened infrastructure, and regular security reviews. No system is perfectly secure; please protect your account credentials and notify us of any suspected misuse.

9) Children

Our services are not directed to children and we do not knowingly collect personal data from children. If you believe a child has provided data, please contact us so we can delete it.

10) Cookies & similar technologies

What are cookies? Cookies are small text files stored on your device by a website or app. They help remember your settings, keep you signed in, or measure how the service is used. Similar technologies include local storage, SDK storage (in apps), and pixels.

Types we use:

  • Strictly necessary – required for the site/app to function (e.g., session, language, security). These run without consent.
  • Analytics – help us understand usage (e.g., which features are used) to improve the service. Used only if you consent.
  • Marketing – measure campaigns and show relevant messages. Used only if you consent.

You will see a cookie banner when you first visit. You can give or withdraw consent by category at any time via Cookie settings. You can also set your browser to block or delete cookies (note: essential features may break).

11) How to exercise your rights

Contact us at privacy@sponeja.com. For access/erasure/portability requests, please specify the scope (e.g., dates, booking IDs) so we can locate the data efficiently. We may charge a reasonable fee or refuse repetitive or manifestly unfounded requests as permitted by law.

12) Changes to this Policy

We may update this Policy from time to time. We will post the new version with a new effective date. If changes are material, we will provide additional notice (e.g., in-app or by email).

13) Contact

  • Email: privacy@sponeja.com
  • Mail: sPoneja Oy, GDPR Compliance, Katumantie 11 C 24, 13250 Hämeenlinna, Finland
  • Supervisory Authority (Finland): Office of the Data Protection Ombudsman