Privacy policy

1. Identity and contact details of the Data Controller

Within the meaning of Article 4(7) of the GDPR:

2. Personal data collected

We collect only the data strictly necessary to deliver our services and ensure the proper operation of the Site. The principle of data minimisation (Article 5(1)(c) of the GDPR) is applied.

2.1 Data collected via the booking / contact form

• Title (Mr/Mrs)
• Last and first name
• Email address
• Phone number
• Pick-up address (airport, train station, hotel, etc.)
• Drop-off address
• Date and time of the ride
• Number of passengers, quantity and type of luggage
• Vehicle type requested (Eco, Sedan, Van, Van VIP)
• Requested options (child seat, name-board meet-and-greet, pet, etc.)
• Free-text message / special instructions
• Billing data (last name, first name, address, company name and VAT number for businesses)

2.2 Data collected at payment time

Online payments are processed by Stripe (Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Dublin, Ireland), certified PCI-DSS Level 1.

We never store your card data (card number, CVV, expiry date) on our servers. Stripe only forwards us a payment confirmation and a transaction identifier.

2.3 Data collected via WhatsApp / phone

If you contact us via WhatsApp or by phone:

• Phone number (visible in the interface or via caller ID)
• Information you share during the exchange (name, itinerary, date, etc.)
• Conversation history WhatsApp, stored within the app

2.4 Data collected automatically — Cookies and trackers

2.4.1 Server logs

• IP address (potentially pseudonymised)
• Browser type and version, operating system
• Pages visited and referrer URL
• Session date, time and duration
• Screen resolution, browser language

2.4.2 Google Analytics 4 (GA4) — consent-based

Google Analytics 4 (Google LLC, United States) collects via cookies:

• Anonymised client identifier (_ga, _ga_XXXXXXXX)
• Page views, events, interactions
• Acquisition source and medium (organic, referrer, direct, social)
• Approximate geographic data (country, region, city — derived from IP)
• Bounce rate, session duration, pages per session
• Device data (category, brand, model)

The IP address is anonymised before any transmission to Google.

2.4.3 Google Tag Manager (GTM)

GTM (Google LLC) does not directly collect personal data but orchestrates the conditional firing of other scripts (Analytics, advertising pixels).

2.4.4 Cookies set by Webflow

Webflow Inc. (United States) sets technical cookies necessary for the Site to function (session management, CSRF protection).

2.4.5 Summary table

The full up-to-date list is available via our cookie-management banner at the bottom of the page.

2.5 Data collected within the commercial relationship

• Ride history (dates, itineraries, amounts)
• Billing and accounting data
• Email correspondence
• Complaints and disputes, if any
• Travel preferences (for regular clients)

3. Processing purposes and legal bases

Pursuant to Article 6 of the GDPR, every processing operation rests on an identified legal basis.

3.1 Booking management and contract performance

3.2 Invoicing and accounting obligations

3.3 Communication and customer relations

3.4 Commercial prospecting (existing customers)

3.5 Commercial prospecting (prospects)

3.6 Audience measurement (Google Analytics 4)

3.7 Security and fraud prevention

3.8 Dispute and litigation management

4. Retention periods

Pursuant to the principle of storage limitation (Art. 5(1)(e) GDPR):

Upon expiry, data is permanently deleted or irreversibly anonymised.

5. Recipients and processors

5.1 Authorised internal staff

Only Adrien Moreno (President + chauffeur) has access to the data, strictly within the scope of his duties.

5.2 Technical processors

Pursuant to Article 28 of the GDPR, we have concluded data-processing agreements with:

Webflow Inc. (hosting + CMS)

Google LLC — Google Analytics 4

Google LLC — Google Tag Manager

Stripe Payments Europe Ltd

Nebulea (booking interface)

5.3 Authorities and legally entitled third parties

Your data may be disclosed to the competent authorities (judicial, administrative, tax) upon lawful request.

5.4 Business transfer

In the event of a full or partial transfer of the business, your data may be passed on to the buyer, with prior notice.

6. Data transfers outside the EU

6.1 Legal framework

Since the Schrems II ruling (CJEU, 16 July 2020), transfers to the United States rely on the Standard Contractual Clauses (SCCs) (EU decision 2021/914).

The EU-US Data Privacy Framework (DPF), adopted on 10 July 2023, allows certified US companies to receive data from the EU.

6.2 Detail by processor

6.3 Your rights

You can obtain a copy of the transfer mechanisms (SCCs) by contacting us at contact@vtc-bordeaux-chauffeur.fr.

7. Your rights

Pursuant to Articles 15 to 22 of the GDPR, you have the following rights. Response time: 1 month (extendable by 2 months for complex requests).

7.1 Right of access (Art. 15)

Obtain confirmation that data concerning you is being processed, and access that data plus information on:

• Purposes, data categories, recipients
• Retention period
• Existence of your rights (rectification, erasure, etc.)
• Right to lodge a complaint with the CNIL
• Origin of data if collected indirectly
• Existence of automated decision-making

A copy is provided to you. Reasonable fees apply for additional copies.

7.2 Right to rectification (Art. 16)

Have inaccurate or incomplete data corrected.

7.3 Right to erasure / to be forgotten (Art. 17)

Erasure in the following cases:

• Data no longer needed
• Withdrawal of consent (with no other legal basis)
• Legitimate objection
• Unlawful processing
• Legal obligation

Exceptions : retention for legal obligation, legal defence, public interest.

7.4 Right to restriction (Art. 18)

Temporary suspension of processing (accuracy verification, unlawful processing, legal defence, objection verification).

7.5 Right to data portability (Art. 20)

Receive your data in a structured, commonly used, machine-readable format (CSV, JSON) and transmit it to another controller, where processing is based on consent or contract AND is automated.

7.6 Right to object (Art. 21)

For processing based on legitimate interest : you may object on grounds relating to your particular situation. We stop processing unless we have compelling legitimate grounds.

For commercial prospecting : absolute, immediate objection, no justification needed.

7.7 Right to withdraw consent (Art. 7(3))

At any time, with no retroactive effect:

• Analytics cookies : cookie banner at the bottom of the page
• Commercial prospecting : unsubscribe link in every email
• Other processing : contact@vtc-bordeaux-chauffeur.fr

7.8 Post-mortem directives (Art. 85 French Data Protection Act)

Define the fate of your data after your death (retention, erasure, transfer to a designated third party).

7.9 How to exercise your rights

By email : contact@vtc-bordeaux-chauffeur.fr By post : VTCBORDEAUX — For the attention of the GDPR Officer — 9 Quai des Mouettes, 33290 Parempuyre, France

What to provide : - Last and first name - Email used for your interactions with us - Nature of the right exercised - Any useful identifying information

Proof of identity : we may request a copy of an ID document (national ID or passport) — deleted once the request is processed.

Time limit : 1 month (extendable by 2 months, with notice).

8. Right to lodge a complaint with the CNIL

If your rights are not respected after contacting us, you can lodge a complaint with the CNIL:

You may also turn to the supervisory authority of your member state of residence if you live in another EU country.

9. Data security

Pursuant to Article 32 of the GDPR, we implement appropriate technical and organisational measures.

9.1 Technical measures

• HTTPS / TLS 1.2+ : encryption of all communications
• Encryption at rest : Webflow and Stripe encrypt stored data
• IP anonymisation : Google Analytics configured with anonymize_ip
• 2FA : two-factor authentication on admin accounts (Webflow, Google)
• Updates : software components kept up to date
• Backups : regular, via Webflow

9.2 Organisational measures

• Least privilege : data access limited to necessary personnel
• Awareness : of data-protection best practices
• Contracts : all processors have a DPA (Art. 28 GDPR)
• Incident management : in case of a breach likely to create a risk, notification to the CNIL within 72h (Art. 33) and information of the data subjects if high risk (Art. 34)

9.3 Limitations

No system is completely foolproof. In the event of an incident, we will take every necessary step to limit its consequences.

10. Cookies — additional information

10.1 What is a cookie?

A cookie is a small text file placed on your device when you visit a website. It allows information to be remembered (language, preferences, session identifier, etc.).

10.2 Categories used

Strictly necessary cookies (exempt from consent): session, CSRF security, consent storage.

Audience-measurement cookies (consent-based): Google Analytics 4. Set only with your prior approval.

10.3 Managing your preferences

Via our cookie banner : on your first visit. You can reopen it at any time via the “Manage my cookies” link at the bottom of the page.

Via your browser : Chrome, Firefox, Safari and Edge all provide management options.

Disabling GA via extension : https://tools.google.com/dlpage/gaoptout

For full detail, see our Cookie policy.

11. Automated decisions and profiling

Pursuant to Article 22 of the GDPR, we do not perform any fully automated decision-making producing legal effects or significantly affecting individuals.

GA4 data may generate aggregated, anonymous statistical profiles but is not used for automated individual decisions.

12. Minors' data

Our services are addressed to adults. We do not knowingly collect data from minors under 15 without the consent of their legal representatives.

If you are a parent and believe your child has provided us with data without your consent, contact contact@vtc-bordeaux-chauffeur.fr for immediate deletion.

13. Links to third-party sites

Our Site contains links to third-party websites (social networks, review platforms, etc.). We have no control over their data-protection practices. We invite you to consult their privacy policies.

14. Changes

We may amend this policy to comply with regulatory developments or reflect changes in our practices.

14.1 Notification procedure

• Update date updated at the top of the document
• Visible notice on the Site for a reasonable period
• Email to customers for major changes (if you have subscribed to our communications)

14.2 Archiving

Previous versions are archived and provided on request.

14.3 Entry into force

Any change takes effect upon publication, unless otherwise indicated.

15. GDPR contact

We are committed to processing your request within the regulatory time limits.

Privacy policy drafted in accordance with Regulation (EU) 2016/679 (GDPR) and amended French law no. 78-17 of 6 January 1978.

© 2026 VTCBORDEAUX (SAS, SIREN 924 992 605, RCS Bordeaux) — VTC Bordeaux Chauffeur — All rights reserved.