How personal data is handled across Wayszo services.
Version 1.0 — Effective date: 1 April 2026
This Privacy Policy explains how Wishie Technologies Limited, trading as Wayszo ("Wayszo", "we", "us", or "our"), collects, uses, stores, and shares personal data when you use our website, mobile application, and related services (together, the "Service").
The Service includes taxi and airport transfer bookings, driver onboarding and dashboards, Flight Companion matching, Travel Assist flight update features, the Okay safety check-in feature, support ticketing, in-app messaging, and payment flows.
This policy applies to customers, drivers, and anyone else who interacts with the Service. It is written to meet the requirements of the EU General Data Protection Regulation (GDPR), which applies across the European Union and the European Economic Area (EEA), and applicable Irish data protection law. If you are located in the United Kingdom, please also refer to the UK Addendum in Section 15 of this policy, which addresses additional requirements under the UK GDPR and the UK Data Protection Act 2018.
Please read this policy carefully. If you have any questions, contact us using the details at the end of this document.
This policy is written in plain, clear language so that it is accessible to all users, including younger users who may use the Okay safety check-in feature as part of a family group.
Data controller: Wishie Technologies Limited, 35, The Hazel, Elmfield, Ballyogan Road , Dublin 18, Ireland
Privacy contact: privacy@wayszo.com
[A Data Protection Officer has not yet been appointed. This section will be updated if and when a DPO is appointed.]
We collect personal data in different ways depending on how you use the Service. Below is a summary of the categories of data we may collect.
When you create or manage an account, we collect: full name, email address, phone number, and country code; county, or other location-related profile fields; profile image or selfie, which you may upload and remove at any time; authentication and session information; and policy acceptance records, including the version and timestamp of policies you have accepted.
When you make or manage a booking, we collect: booking details, including pickup location, destination, route, and travel date and time; flight details, including flight numbers, airports, and scheduled times; booking status, add-ons, and related correspondence; and your live location at the point of booking creation, during pickup, and throughout the ongoing trip, to identify your pickup location, suggest nearby addresses, facilitate accurate dispatch, and support trip coordination and safety. Customer location tracking ends when the trip is completed or cancelled.
When you use the Flight Companion matching feature, we collect: traveller identity and contact basics drawn from your account profile; origin, destination, and optional transit airport; travel date and time and flight number; whether flight ticket details are available, and, where you choose to upload them, copies of flight ticket files; matching preferences, request details, and messaging exchanged with matched travellers; and consent capture events, acceptance records, and any block or report actions you take.
When you use Travel Assist or flight tracking features, we may process: flight number and live or historical flight status information; push notification subscription data and preferences relating to flight alerts; and reminders and travel assistance content linked to your booking or subscription.
The Okay feature is a safety and wellbeing communication tool that lets families send one shared Calm Check so passengers can reply once and the whole group stays informed without duplicate noise. It is not a medical service and not an emergency-response service. The Okay feature may be used by children between the ages of 16 and 18 as part of a family group, where a parent or guardian has provided consent through an in-app consent checkbox when adding the child to the family group, in accordance with the digital age of consent under the Irish Data Protection Act 2018. When you or an authorised family member uses Okay, we may process: account-linked alert and subscription data and notification preferences; push notification subscription data needed to deliver check-in alerts and confirmations; feature settings, message and alert state, and related status history; limited device, app, browser, and session data needed to deliver and manage notifications; and operational logs required for reliability, troubleshooting, fraud prevention, and support.
Where the Okay feature involves sharing your status or alerts with selected contacts or family group members, this happens only as required by the feature workflow and as a result of your own actions and choices within the Service.
If you register or operate as a driver on the Service, we collect: driver profile and account data gathered during onboarding; driver documents uploaded as part of the onboarding or verification process; live location data from the point a booking is offered to you, continuing until the trip is completed or cancelled, used for dispatch matching, trip coordination, live trip visibility, and safety; and driver dashboard activity and booking-related communications with customers. Drivers using the Service operate as independent contractors or under fleet operators and are not employees of Wishie Technologies Limited.
When you contact support or use in-app messaging, we collect: support request details and free-text messages; files or images you upload as evidence in support flows; and correspondence between you and our team or between you and other users in booking or Flight Companion messaging contexts.
When you make a payment or complete a checkout flow, we collect: payment status, transaction reference, and related metadata.
Payments are processed by third-party payment service providers, including Stripe. We do not store full card numbers. Wayszo receives only the limited transaction and payment metadata necessary to administer your account and bookings.
You may upload: a profile image or selfie; evidence files, such as images or PDFs, in support flows; and flight ticket files in Flight Companion flows. Uploaded content is processed to provide the relevant feature, verify information where necessary, support dispute resolution, and maintain trust and safety on the platform.
When you use the Service, we may automatically collect: device and browser type and settings; IP address and related request metadata; session and authentication cookies; cookie consent preferences; push notification subscription data where you have enabled notifications; and localStorage and sessionStorage data used for product preferences and UI state.
Some features of the Service involve the processing of location data.
Live driver location is processed from the point a booking is offered to a driver, to enable dispatch matching and driver assignment, and continues until the trip is completed or cancelled. Live location data is collected for two primary purposes: (a) dispatch and trip fulfilment — to enable booking offers to nearby drivers, route coordination, estimated arrival times, and efficient trip management; and (b) safety — to support passenger and driver safety, and to assist with dispute resolution or support queries if needed. The customer can see the driver's live location in the app from the moment the driver begins travelling to the pickup location until the trip ends. Live location data is also accessible to our support and operations team where necessary for operational coordination, safety, or dispute resolution. Live location data is not shared with any other users or third parties beyond what is described above.
Customer live location is processed at the point of booking creation to identify your pickup location, suggest nearby addresses, and facilitate accurate dispatch. Customer live location is also tracked during the pickup phase and throughout the ongoing trip to support trip coordination, estimated arrival updates, safety, and operational support. Customer live location tracking ends when the trip is completed or cancelled and is not used for continuous background tracking outside of these contexts.
You may disable location sharing at any time through your device settings. However, if you disable location services during an active trip, certain features such as live pickup coordination, estimated arrival updates, and real-time trip tracking may not function correctly. Disabling location services does not affect your ability to make bookings manually by entering a pickup address.
Pickup and destination data provided when making a booking is stored as part of your booking record.
Flight Companion, Travel Assist, and Okay features may process location data where relevant to the feature, for example to identify origin and destination airports, coordinate travel arrangements, deliver location-aware flight alerts, or facilitate safety check-in notifications. Location data in these contexts is used only as necessary to operate the feature and is not used for continuous background tracking.
Map and routing features are powered by mapping and location service providers whose libraries and services are integrated into the Service, including OpenStreetMap, Mapbox, and Google Maps. When you use map-enabled features, technical request data — including location coordinates, route context, device and browser metadata, and IP address — may be transmitted to those providers to serve map tiles, geocoding, routing, or related services. Google Maps may process data as an independent data controller in accordance with its own privacy policy, which is available at https://policies.google.com/privacy. We recommend that you review Google's privacy policy for further information on how your data may be used.
We do not carry out continuous background location tracking beyond what is necessary for active trips, operational coordination, safety, support, or map-based service features. Customer location tracking during an active trip (from booking creation through to trip completion) is distinct from background tracking — it occurs only within the context of a specific trip and ends automatically when the trip is completed or cancelled.
Under the GDPR, we must have a lawful basis for each use of your personal data. The following sets out our main purposes and the legal bases we rely on.
Creating and managing your account — Performance of a contract.
Processing and fulfilling bookings and transport services — Performance of a contract.
Processing live location data during bookings — Performance of a contract; legitimate interests (passenger and driver safety, dispatch coordination, trip coordination, and dispute resolution). This applies to driver live location from the point of booking offer through trip completion, and customer live location at the point of booking creation, during pickup, and throughout the ongoing trip.
Driver onboarding and account management — Performance of a contract.
Processing payments — Performance of a contract.
Operating Flight Companion matching and related checkout flows — Performance of a contract; consent where required for traveller introductions.
Delivering Travel Assist, flight updates, and related notifications — Performance of a contract; legitimate interests.
Delivering the Okay safety check-in feature and related notifications — Performance of a contract; legitimate interests; consent of a parent or guardian where the user is a child between 16 and 18.
Providing customer support and resolving disputes — Performance of a contract; legitimate interests.
Sending account, service, booking, and support communications — Performance of a contract; legitimate interests.
Sending optional marketing or promotional communications — Consent.
Sending push notifications where you have subscribed — Consent.
Security, fraud prevention, anti-abuse, and rate limiting — Legitimate interests; legal obligation.
Verifying identity and processing uploaded documents — Performance of a contract; legitimate interests.
Maintaining policy acceptance and audit records — Legal obligation; legitimate interests.
Complying with legal and regulatory obligations — Legal obligation.
Improving and developing the Service (analytics where enabled) — Legitimate interests; consent where required.
Operating cookies and similar technologies beyond essential use — Consent.
Automated decision-making and profiling — We do not carry out any automated decision-making or profiling that produces legal effects or similarly significant effects on you, as described in Article 22 of the GDPR. While the Service uses automated processes to match drivers to bookings based on factors such as location and availability, these processes do not produce decisions with legal or similarly significant effects and are subject to human oversight.
Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and interests. You may contact us at privacy@Wayszo.com to request further information about our legitimate interests assessments relevant to a specific processing activity.
Where we rely on consent, you may withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing carried out before you withdrew consent.
The Service uses cookies and similar storage technologies.
Essential cookies are required for the Service to function, including session and authentication cookies and OAuth state cookies. These cannot be disabled.
Functional / UI cookies are used to store your preferences and convenience settings, such as message view state and UI choices.
Analytics cookies are used, where enabled and where you have consented, to help us understand how the Service is used.
Marketing cookies are used, where enabled and where you have consented, to support relevant advertising or promotional activities.
The following table sets out the specific cookies and similar technologies used by the Service:
Session cookie — Type: Cookie (first-party) — Purpose: Keeps users signed in and maintains secure authenticated sessions across customer, driver, admin, and related service areas — Legal basis: Necessary for performance of the service contract and our legitimate interests in security and account protection — Duration: Up to 14 days from issue, unless cleared earlier on logout or session invalidation
OAuth state cookie — Type: Cookie (first-party) — Purpose: Temporary security cookie used during Google sign-in / OAuth flows to validate the login request and prevent forgery or misuse — Legal basis: Necessary for security and authentication — Duration: Up to 10 minutes
Cookie consent — Type: Local storage (first-party) — Purpose: Stores the user's cookie preference choices so the banner does not reappear on every visit and preferences can be respected — Legal basis: Consent recordkeeping / legitimate interests in preference management — Duration: Up to 6 months, then refreshed
Messaging / UI preference keys — Type: Local storage / session storage (first-party) — Purpose: Stores convenience settings such as message view state, focus/open state, seen markers, and similar interface preferences — Legal basis: Legitimate interests in providing expected website functionality and user experience — Duration: Session-based or until cleared by the browser/user, depending on the feature
Push / debug preference keys — Type: Local storage (first-party) — Purpose: Stores push-notification debug or preview state and similar operational preferences where enabled — Legal basis: Legitimate interests in service functionality, testing, and troubleshooting — Duration: Until cleared or replaced
You can manage your cookie preferences through the cookie consent banner displayed when you first visit the Service, or by updating your preferences at any time through our cookie settings. A cookie consent banner is implemented on the Service in accordance with applicable Irish ePrivacy Regulations (SI 336/2011, as amended). Note that disabling non-essential cookies may affect some features.
We also use localStorage and sessionStorage for product preferences and UI state. This data remains on your device and is not transmitted to our servers except where part of a normal service interaction.
We operate standard account security measures including: signup, login, and password reset flows with session management; Google OAuth / OpenID-based sign-in where you choose to use it; Cloudflare Turnstile bot-verification checks on certain forms; rate limiting and anti-abuse controls to protect accounts and infrastructure; and session cookie management with appropriate expiry and security settings.
We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. No system is completely secure, and we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, as required by Article 34 of the GDPR.
We may send you the following types of communications:
Account and service emails — such as registration confirmations, password resets, and policy updates.
Booking-related messages — such as booking confirmations, driver updates, and trip reminders.
Support communications — in response to support requests or ongoing queries.
Flight Companion messages — between matched travellers within the Service.
Okay feature notifications — check-in alerts, confirmations, and reminders as configured by you.
Push notifications — where you have subscribed to receive them, including flight updates and booking alerts.
You can manage or disable push notifications at any time through your device settings or within the notification preferences in the Service. If you disable push notifications, features that rely on them — such as Travel Assist flight alerts, Okay safety check-in notifications, and booking updates — may not function correctly or may not be delivered to you in real time.
Marketing or promotional communications — only where you have given consent, and you may opt out at any time. Electronic direct marketing communications are sent in accordance with the Irish ePrivacy Regulations (SI 336/2011, as amended). We will only send such communications where we have obtained your prior consent, or where a valid soft opt-in applies (i.e. where we obtained your contact details in the course of providing the Service to you, the marketing relates to similar services, and you have not opted out). You may opt out at any time by using the unsubscribe link in any marketing email or by contacting us at privacy@Wayszo.com.
We do not sell your personal data. We may share your data only where necessary and on a proportionate basis, as described below.
Drivers and operational staff — booking details, including pickup and destination, are shared with the driver assigned to your trip. Operational staff may access account and booking data to provide support and manage the Service.
Matched travellers in Flight Companion — where the feature requires it, limited profile and travel information may be shared with a matched traveller, subject to the workflow, your consent, and the feature's terms.
Payment service providers — such as Stripe, to process payments and checkout flows.
Email, messaging, and push notification providers — to deliver account, booking, support, and operational communications.
Hosting, cloud, and infrastructure providers — to host and operate the Service securely. Your data is primarily stored on servers located within the European Union.
Mapping and location service providers — to power map display, routing, geocoding, and location-enabled features, as described in Section 3.
Analytics and marketing providers — only where such services are enabled and where your consent has been obtained where required under applicable law.
Regulators, law enforcement, courts, insurers, and legal advisers — where we are legally required to do so, or where necessary to protect the rights, safety, or property of Wayszo, our users, or others.
Where we share data with third-party service providers, we take reasonable steps to ensure they handle your data appropriately and in accordance with applicable law. We have entered into Data Processing Agreements (DPAs) with our processors where required under Article 28 of the GDPR, ensuring that appropriate contractual safeguards are in place for all third-party processing of personal data on our behalf.
The Service may contain links to third-party websites, applications, or services that are not operated by Wayszo. We are not responsible for the privacy practices or content of those third-party services. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Service.
Your personal data is primarily stored within the European Union. However, some of our service providers may be located outside the European Economic Area (EEA). Where personal data is transferred to countries that do not provide an equivalent level of data protection, we take appropriate steps to ensure suitable safeguards are in place, such as the use of Standard Contractual Clauses approved by the European Commission or other lawful transfer mechanisms. You may contact us for further information about the safeguards applicable to a specific transfer.
We keep personal data only for as long as is necessary for the purposes for which it was collected, unless a longer retention period is required by law. Our retention decisions are guided by the following:
Account data — retained for as long as your account is active. Upon account deletion, your account data is deleted or anonymised, subject to any overriding legal retention obligations.
Trip history — retained for 12 months from the date of the trip, for the purposes of dispute resolution, customer support, tax compliance, and compliance with any applicable National Transport Authority (NTA) record-keeping obligations.
Live location data — for drivers, processed in real time from the point a booking is offered until the trip is completed or cancelled. For customers, processed at the point of booking creation, during pickup, and throughout the ongoing trip until the trip is completed or cancelled. Live location data is not stored after the trip ends and is used solely for dispatch, trip coordination, safety, and operational support.
Payment records — retained for 6 years from the date of the transaction, as required by applicable Irish financial, tax, and accounting obligations.
Support logs — retained for 12 months from the date the support matter is resolved, for the purposes of customer service quality and dispute resolution.
Flight Companion data — retained for 12 months from the date of the relevant travel, for the purposes of dispute resolution, customer support, and service integrity.
Travel Assist and flight update data — retained for 12 months from the date of the relevant flight or notification, for the purposes of service delivery, support, and troubleshooting.
Okay (safety check-in) data — retained for 12 months from the date of the relevant check-in activity, for the purposes of feature delivery, support, and safety.
Policy acceptance and audit records — retained for the duration of your account plus 6 years after account deletion, to demonstrate compliance with legal and regulatory obligations, including evidence of consent and policy acceptance under the GDPR.
Driver data — retained for the duration of the driver's engagement with the Service, plus 24 months after the engagement ends, for legal and administrative purposes, including compliance with any applicable National Transport Authority (NTA) record-keeping requirements.
Operational logs and backups — retained for limited periods as required for system reliability, troubleshooting, and security.
Where we no longer need your data, we will delete or anonymise it. Where this is not immediately possible, for example because data is held in backup systems, we will isolate it from further processing until deletion is possible.
If you are based in the EU or EEA, you have the following rights in relation to your personal data:
Right of access — you may request a copy of the personal data we hold about you.
Right to rectification — you may ask us to correct inaccurate or incomplete data.
Right to erasure — you may ask us to delete your personal data in certain circumstances. The Service includes an account deletion flow you can use directly.
Right to restriction — you may ask us to restrict our processing of your data in certain circumstances.
Right to object — you may object to processing based on legitimate interests, including where that processing relates to profiling. You also have an absolute right to object to the processing of your personal data for direct marketing purposes at any time, in accordance with Article 21(2) of the GDPR. Where you exercise this right, we will stop processing your data for direct marketing without delay.
Right to data portability — where processing is based on contract or consent and is carried out by automated means, you may request a machine-readable copy of the data you have provided to us. The Service includes a data export feature to assist with this.
Right to withdraw consent — where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of earlier processing.
Right to complain — if you are unhappy with how we handle your personal data, we encourage you to contact us first by raising a support ticket through the Service or by emailing privacy@Wayszo.com so that we can try to resolve your concern. If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. In Ireland, the relevant authority is the Data Protection Commission (www.dataprotection.ie). If you are based in another EU or EEA member state, you also have the right to lodge a complaint with your local supervisory authority.
To exercise any of these rights, please contact us at privacy@Wayszo.com. We will respond within one month of receiving your request, as required by the GDPR. We may need to verify your identity before processing certain requests.
The Service is generally not intended for use by children under the age of 18. However, the Okay safety check-in feature may be used by children between the ages of 16 and 18 as part of a family group, where a parent or guardian has provided consent and authorised their participation. This is consistent with the digital age of consent of 16 set under the Irish Data Protection Act 2018. Parental consent for children between 16 and 18 is obtained through an in-app consent checkbox which the parent or guardian must complete when adding a child to their family group within the Service. Children under the age of 16 are not permitted to use any part of the Service. In all cases where a child between 16 and 18 uses the Okay feature, we process only the minimum data necessary to operate the feature, such as notification preferences, alert status, and limited device data needed to deliver notifications. We do not knowingly collect personal data from children for any other purpose. If you believe we have inadvertently collected data from a child outside the scope of the Okay feature, or from a child under 16, please contact us and we will take prompt steps to delete it.
A parent or guardian may at any time request access to, correction of, or deletion of their child's personal data processed through the Okay feature by contacting us at privacy@Wayszo.com. We will respond to such requests within one month, as required by the GDPR.
We may update this Privacy Policy from time to time to reflect changes to our practices, the Service, or applicable law. Where we make material changes, we will notify you at least 7 days in advance through the Service or by email and update the effective date and version number at the top of this page. Your continued use of the Service after the updated policy takes effect constitutes your acknowledgement of the revised policy.
If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal data, please contact us:
Wishie Technologies Limited, 35, The Hazel, Elmfield, Ballyogan Road , Dublin 18, Ireland
Email: privacy@wayszo.com
[Data Protection Officer details will be added here if and when a DPO is appointed.]
You may also contact the Data Protection Commission (Ireland) if you have concerns about how we handle your data: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland, www.dataprotection.ie.
This section applies to you if you are located in the United Kingdom. It supplements the main body of this Privacy Policy and addresses additional requirements under the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018. Where this section conflicts with the main body of the policy, this section takes precedence for UK users.
Where you access or use the Service from the United Kingdom, the processing of your personal data is subject to the UK GDPR (as retained under the European Union (Withdrawal) Act 2018) and the UK Data Protection Act 2018, in addition to any applicable provisions of the main body of this policy.
15.2 UK representative
Wayszo does not currently maintain an establishment in the United Kingdom. Given the nature and scale of our processing of UK users' data, which arises incidentally from UK-based individuals using the Service rather than from active targeting of the UK market, we have determined that the appointment of a UK representative under Article 27 of the UK GDPR is not required at this time. This position will be reviewed periodically, and in any event at least annually, particularly if the volume of UK-based users increases or if Wayszo begins to actively offer or market the Service to individuals in the United Kingdom. This section will be updated if a UK representative is appointed.
15.3 Legal bases
The legal bases for processing your personal data as set out in Section 4 of this policy apply equally under the UK GDPR. References to the EU GDPR in Section 4 should be read as references to the corresponding provisions of the UK GDPR for UK users.
15.4 International data transfers
Your personal data is primarily stored within the European Union. We do not currently use any sub-processors located in the United Kingdom. Transfers of personal data from the UK to the EEA are permitted under the UK adequacy regulations, which recognise EEA countries as providing an adequate level of data protection. Where personal data is transferred to countries outside the UK and EEA that do not benefit from an adequacy decision, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the Information Commissioner's Office (ICO), or other lawful transfer mechanisms.
15.5 Your rights under UK GDPR
If you are located in the United Kingdom, you have the same data protection rights as set out in Section 11 of this policy. References to the EU GDPR in that section should be read as references to the corresponding provisions of the UK GDPR. You also have an absolute right to object to the processing of your personal data for direct marketing purposes at any time under Article 21(2) of the UK GDPR.
15.6 Automated decision-making
As stated in Section 4 of this policy, we do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you. This applies equally under Article 22 of the UK GDPR.
15.7 Cookies and electronic communications — UK
Where you access the Service from the United Kingdom, the use of cookies and similar technologies is also subject to the Privacy and Electronic Communications Regulations 2003 (PECR), as amended. Non-essential cookies will only be placed on your device with your prior consent, in accordance with PECR. You can manage your cookie preferences through the cookie consent banner or cookie settings within the Service. For further details on the cookies we use, please refer to Section 5 of this policy. PECR also governs electronic direct marketing to UK users. We will only send marketing emails or other electronic marketing communications to UK-based users where we have obtained your prior consent, or where a valid soft opt-in applies (i.e. where we obtained your contact details in the course of providing the Service to you, the marketing relates to similar services, and you have not opted out). You may opt out of marketing communications at any time by using the unsubscribe link in any marketing email or by contacting us at privacy@wayszo.com.
15.8 Children and the Okay feature — UK
Under the UK Data Protection Act 2018, the digital age of consent is 13. However, the Okay safety check-in feature is available only to children aged 16 and over as part of a family group, with parental consent obtained through an in-app consent checkbox when adding the child to the family group. This threshold of 16 applies to all users regardless of jurisdiction. We have also had regard to the ICO's Age Appropriate Design Code (Children's Code) in the design of the Okay feature. We process only the minimum data necessary to operate the feature for children and do not use children's data for marketing, profiling, or any purpose beyond the delivery of the Okay safety check-in service.
15.9 UK supervisory authority
If you are located in the United Kingdom and wish to raise a concern about how we handle your personal data, we encourage you to contact us first by raising a support ticket or emailing privacy@Wayszo.com. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom, www.ico.org.uk.