Privacy Policy

Sisu Software is the data controller for personal data processed through the Pasabay platform. • Legal entity — Sisu Software • Business ID — 3602239-1 (Finnish Y-tunnus) • Address — Sorakatu 9 A 75, 20730 Turku, Finland • Privacy contact — legal@pasabay.eu

We collect only what is necessary to operate the platform: • Account data — name, email address, phone number, home country • Identity verification data (optional) — government ID photo and selfie, submitted only if you voluntarily complete identity verification (KYC). KYC is not required to post trips, post delivery requests, match, or send messages • Transaction data — trip and request details, match history • Communication data — in-app messages • Device and usage data — app version, device type, session logs • Location data — only when you provide it (e.g., origin/destination fields) We do not collect financial data such as bank account or card details directly.

Your data is used to: • Create and maintain your account • Connect senders and travelers through the matching system • Confirm your email address (required before posting, matching, or messaging) • If you choose to complete optional KYC, review your submitted ID document and selfie to display a verified-ID trust badge on your profile. Submissions are reviewed manually by authorized Pasabay personnel; we do not perform automated face-matching or liveness checks. The ID document and selfie are deleted as soon as the review is complete (whether approved or rejected) — we do not keep them on file • Detect and prevent fraud, abuse, and prohibited items • Comply with legal and regulatory obligations • Improve platform performance and safety • Send essential service communications (not marketing without consent)

We process your data under the following GDPR legal bases: • Contract (Art. 6(1)(b)) — to provide your account and facilitate transactions • Legal obligation (Art. 6(1)(c)) — to meet tax, customs, and regulatory requirements • Legitimate interests (Art. 6(1)(f)) — to prevent fraud, abuse, and security incidents • Consent (Art. 6(1)(a)) — for non-essential cookies or marketing communications

We share personal data only when necessary: • Matched users — limited profile information is visible to your matched counterpart • Authorized Pasabay personnel — staff designated as KYC reviewers may access your submitted ID document and selfie for the sole purpose of issuing the verified-ID trust badge and for fraud-prevention reviews. Reviewers are bound by confidentiality and act under the controller (Sisu Software) • Infrastructure providers — Google Cloud / Firebase for hosting, authentication, database, and storage, under data processing agreements • Authorities — where required by applicable law, court order, or regulatory obligation We never sell your personal data, and we do not share it with advertisers or data brokers.

• Active accounts — data is retained while your account is active • Completed transactions — retained for up to 7 years to comply with tax and accounting requirements • KYC documents (if you chose to verify) — your ID document and selfie are deleted as soon as the review is complete (approved or rejected); we do not retain them after that point. The only data that stays on your account is the resulting verification status and the legal name and date of birth captured from the ID • Support messages — retained for a limited period to resolve your inquiry • Deleted accounts — data is removed or anonymised as soon as legally permissible

If we transfer your data outside the European Economic Area, we ensure appropriate safeguards are in place — such as EU Standard Contractual Clauses or adequacy decisions — to protect your data to the same standard as within the EEA.

Under GDPR you have the right to: • Access — obtain a copy of the data we hold about you • Rectification — correct inaccurate or incomplete data • Erasure — request deletion of your data where no legal basis remains • Portability — receive your data in a machine-readable format • Restriction — ask us to limit processing in certain circumstances • Objection — object to processing based on legitimate interests • Withdraw consent — at any time, without affecting prior processing • Lodge a complaint — with your national supervisory authority To exercise any right, contact legal@pasabay.eu or use the data controls in your account settings.

Pasabay uses essential cookies required for the platform to function. We may use analytics cookies with your consent. You can manage cookie preferences in your privacy settings at any time.

We may update this Privacy Policy. When we make material changes, we will notify you through the app or by email before the changes take effect. Continued use of the platform after the effective date constitutes acceptance.