Carpil

Privacy Policy

How we collect, use, and protect your personal information

Last updated: November 24, 2025

Introduction

This Privacy Policy governs the processing of personal data of users of the mobile application and associated services of Carpil (hereinafter, “Carpil”, “we”, “us”, or “the Platform”).

By creating an account, using the app, posting or booking rides, you declare that you have read and accepted this Privacy Policy.

1. Data Controller and Contact Information

Legal Controller:

Carpil, LLC

A company incorporated in Delaware, United States.

Official contact channels for personal data matters:

These are the only official channels for inquiries related to privacy and personal data.

2. Scope of Application

This Policy applies to:

  • The Carpil mobile application (drivers and passengers).
  • Any other digital channel operated by Carpil related to the carpooling service.

It does not apply to third-party services that you use independently (e.g., WhatsApp, banks, SINPE, etc.), which are governed by their own policies.

3. Personal Data We Collect

Carpil collects and processes the following categories of data:

3.1 Registration and Profile Data

  • First and last name.
  • Email address.
  • Phone number.
  • Profile photo (when provided by the user).
  • Language and country configured in the app (when applicable).

3.2 Ride Data (carpooling)

  • Information about rides created or booked:
    • Origin and destination of the ride.
    • Scheduled departure and arrival date and time.
    • Number of seats offered and booked.
    • Price per seat.
  • History of completed, canceled, and pending rides.

Note: The location used by Carpil refers to the ride (origin and destination)

In the future, Carpil may incorporate approximate (not precise) location to improve the experience; this will be regulated in accordance with this Policy and its eventual updates.

3.3 Technical and Usage Data

Automatically, we may collect:

  • Device and app identifiers.
  • Operating system, app version, device model.
  • Usage logs and technical events (crashes, errors, performance).

For this purpose, we use analytics and error logging tools, such as Crashlytics and Sentry, or other similar services.

3.4 Payment and Transaction Data

  • Payment information processed through external providers (e.g., Stripe or others).
  • Transaction identifiers and payment statuses.
  • Payment receipt related to SINPE móvil when provided by the user or integrated as part of the payment flow.

Carpil does not directly store complete payment card data; this is managed by third-party payment processors in accordance with their own policies.

3.5 Identity Verification Data (future)

In the future, Carpil may integrate external services to verify user identity, for example:

  • Veriff or other similar services:
    • Data to be processed: copy of identity document (ID card, passport, license) and metadata associated with verification.
  • World or other iris biometric verification providers:
    • Carpil will not store photos, videos, or biometric iris templates.
    • It will only retain the result of the verification process (e.g., “verified/not verified” or a validation token).

Carpil does not directly process or store biometric data; it only retains the results or tokens issued by verification providers.

3.6 Communications and Support

  • Information contained in messages sent to our official support channels (email and WhatsApp).
  • Any files or screenshots voluntarily sent by the user to report issues, disputes, or incidents.

3.7 In-App Chat Messages

Carpil offers a chat system between drivers and passengers:

  • Message content is designed to be fully encrypted and not routinely accessible by Carpil.
  • Carpil does not proactively review or moderate the content of such messages.
  • In case of a dispute, Carpil can only act based on:
    • Information voluntarily provided by the user (e.g., screenshots).
    • Strictly necessary metadata (e.g., existence of a conversation, send time, etc.), if available.

Carpil processes personal data for the following purposes and with the following legal bases (as applicable):

4.1 Provision of Carpil Service (contract performance)

  • Create and manage user accounts.
  • Allow drivers to post rides and passengers to book seats.
  • Connect drivers and passengers to share seats and ride costs.
  • Manage payments and collections related to rides.

Legal basis:

  • Performance of the contractual relationship with the user.

4.2 Security and Fraud Prevention

  • Verify the authenticity of accounts to the extent possible.
  • Detect and prevent suspicious, fraudulent, or rule-violating activities.
  • Temporarily or permanently retain payments when there are reasonable indications of fraud or serious breach.

Legal bases:

  • Carpil’s legitimate interest in the security of the Platform and its users.
  • Compliance with legal obligations, when applicable.
  • Respond to requests from competent authorities.
  • Comply with accounting, tax, fraud prevention, and other applicable obligations.

Legal basis:

  • Compliance with legal obligations.

4.4 App Improvement and Internal Analysis

  • Analyze app functionality, performance, errors, and system crashes.
  • Improve features and user experience.
  • Obtain aggregate usage statistics (e.g., number of rides, most-used routes, etc.).

Legal bases:

  • Carpil’s legitimate interest in improving its service.
  • Consent, when required by applicable regulations.

4.5 Functional Notifications

  • Sending emails, push notifications, or messages related to:
    • Registration confirmation.
    • Ride confirmation/cancellation.
    • Relevant changes to bookings.
    • Security or account alerts.

Legal bases:

  • Contract performance.
  • Carpil’s legitimate interest in keeping the user informed about its service.

4.6 Promotional Communications and Marketing

  • Send information about app updates, promotions, surveys, or Carpil-related campaigns.

Legal bases:

  • User consent when required by regulations.
  • Legitimate interest, to the extent permitted by law, with the ability to opt out at any time.

4.7 Dispute and Incident Resolution

  • Analyze reports and complaints between users.
  • Resolve disputes over rides, cancellations, payments, or other incidents.
  • Take action on accounts that seriously violate Carpil’s rules.

Legal bases:

  • Contract performance.
  • Legitimate interest in protecting users and the Platform’s operation.

5. Recipients and Data Sharing

Carpil may share personal data with the following categories of recipients, always under confidentiality agreements and in compliance with applicable regulations:

  1. Technology and Hosting Service Providers
    • Servers, storage, maintenance, and technical support services.
  2. Analytics and Error Logging Providers
    • For example, Crashlytics and Sentry, or other equivalent services.
  3. Payment Processors and Financial Services
    • For example, Stripe or other processors to manage payments and collections.
    • Banks or financial institutions related to payment flow (including SINPE móvil, when applicable).
  4. Identity Verification Providers (future)
    • For example, Veriff and World or other similar services, for the purpose of verifying identity and preventing fraud, under the conditions described in this Policy.
  5. Support and Communication Providers
    • Platforms for sending emails, notifications, and messaging associated with the service.
  6. Competent Authorities
    • Only when there is a legal requirement, court order, or regulation that obligates Carpil to cooperate.

Carpil does not sell personal data to third parties.

Any transfer to third parties is made solely for the purposes described in this Policy and under the corresponding legal basis.

6. International Data Transfers

Since Carpil, LLC is incorporated in the United States and uses third-party services located in various countries (such as hosting, payment, and analytics providers), your data may be transferred and processed outside your country of residence.

In such cases, Carpil will ensure that adequate protection guarantees exist, such as:

  • Contracts incorporating standard data protection clauses, when applicable.
  • Privacy policies and internationally recognized certifications by providers.

7. Retention Periods

Carpil will retain personal data for the following periods:

  • Account and profile data: while the account remains active.
  • Ride history and transactions: as long as necessary for:
    • The contractual relationship.
    • Compliance with legal obligations (e.g., tax or accounting).
    • Defense against potential claims.
  • Identity verification data (when enabled): for the time strictly necessary for verification and fraud protection, and as agreed with verification providers.
  • Support and dispute data: as long as necessary to manage the case and during applicable legal limitation periods.

Once the retention period has concluded, Carpil will proceed with deletion or irreversible anonymization of the data, unless there is a legal obligation to retain it longer.

8. Information Security

Carpil adopts reasonable technical, organizational, and administrative measures to protect personal data against:

  • Unauthorized access.
  • Accidental or unlawful loss, destruction, or alteration.
  • Misuse or unauthorized disclosure.

However, no system is completely secure. Carpil cannot guarantee absolute security against all possible external threats. Users must also adopt reasonable protection measures, such as:

  • Not sharing their password.
  • Keeping their device and operating system updated.
  • Verifying the identity of users with whom they coordinate a ride.

9. Data from Minors

Use of Carpil is limited to persons over 18 years of age for account creation.

  • Carpil does not allow account registration directly by minors.
  • If a minor travels accompanied by a responsible adult, data processing is conducted through that adult’s account.

Carpil does not wish to collect or process personal data from minors independently without the consent of the responsible adult. If Carpil detects that it has collected data from a minor without such consent, it will proceed to delete it reasonably promptly.

10. User Rights

In accordance with applicable data protection regulations, users may exercise, to the extent applicable, the following rights:

  • Access: know what personal data we process.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure (“right to be forgotten”): request deletion of your data, when applicable.
  • Restriction of processing: request that we restrict processing in certain cases.
  • Objection: object to certain processing based on legitimate interest (e.g., certain commercial communications).
  • Portability: request delivery of your data in a structured, commonly used format, when applicable.
  • Withdrawal of consent: when processing is based on consent.

To exercise your rights, users may contact:

Carpil may request additional information to verify the identity of the requester before responding to the request. In some cases, for legal or contractual reasons, Carpil may not be obligated to fully comply with the request (e.g., if there are pending rides or transactions, legal retention obligations, or need to defend against claims).

11. Email and WhatsApp Communications

Carpil will primarily use:

  • Email and
  • WhatsApp (+506 8448 1439)

as official communication channels, both for:

  • Functional service information (rides, changes, account notices).
  • Support and incident handling.
  • Commercial or promotional communications, when applicable.

Users may request to stop receiving promotional communications at any time, without affecting communications strictly necessary for service provision.

12. Relationship with Terms of Use (T&C)

This Privacy Policy complements the Carpil Terms and Conditions.

In particular, it is recalled that:

  • Carpil acts solely as a facilitator or intermediary connecting drivers and passengers; it does not provide transportation services nor guarantee the identity, conduct, punctuality, or safety of users.
  • Carpil is not responsible for incidents arising from physical interaction between users (including inappropriate behavior, harassment, crimes, lost items), without prejudice to cooperating in good faith with the victim and authorities within what is legally permitted.

To understand the limits of liability and Platform usage rules, users must carefully review the Terms and Conditions.

13. Modifications to the Privacy Policy

Carpil reserves the right to modify this Privacy Policy at any time, without prior notice, to:

  • Adapt it to legislative or regulatory changes.
  • Adjust it to modifications in Carpil’s services.
  • Incorporate improvements or clarifications.

The current version will always be available through the application or Carpil’s official channels.

Continued use of the Platform after publication of a new version implies acceptance of the updated Privacy Policy.

14. Contact and Complaints

For any inquiries, exercise of rights, or complaints related to the processing of your personal data, you may contact:

Without prejudice to the foregoing, users retain the right to file complaints with the data protection or consumer authorities that are competent in their jurisdiction.