Privacy Policy

1. Who we are

This Privacy Policy describes how George Lorentzos ("GoFast", "we", "us", "our") processes personal data in connection with the GoFast app, the GoFast Driver app, and the GoFast admin web panel (together, the "Service").

Operator: George Lorentzos (natural person, sole operator)
Country: Greece
Email: georgelorentzos@icloud.com
Phone: +30 694 599 5603

We comply with Regulation (EU) 2016/679 (GDPR) and Greek Law 4624/2019. For the purposes of GDPR, the data controller is George Lorentzos.

2. About the Service

The Service has two distinct user groups, treated very differently:

• Passengers — use the GoFast passenger app without registering or creating an account. The app simply shows nearby drivers and lets the passenger contact a driver directly by phone.
• Drivers — have accounts created and managed by an administrator. They sign in with their email and a 6-digit one-time code, then go online to share their location with nearby passengers.

3. What data we collect

a) Passengers (no account)

The passenger app does not require registration. We do not collect, store, or persist any personal data about passengers on our servers. Specifically:

• No name, email, phone number or account is collected from passengers.
• Your GPS coordinates (latitude/longitude) never leave your device. The matching of the nearest driver happens entirely on your phone — we do not receive, process, or store your location at any time.
• Our server only provides the app with the list of currently online drivers and their published locations, first names, and phone numbers. Your device then selects the nearest driver locally so you can call them directly.
• Standard server logs (IP address, request path, timestamp, user-agent) are kept temporarily for security and abuse prevention, and rotated regularly.

b) Drivers

For each driver account we store the following in our database:

• Username (used to recognize drivers)
• Email address (used to send the 6-digit sign-in code)
• Phone number (shown to a passenger after a ride request, so they can call you)
• Account flags: paid status, admin status, account creation date, account expiry date
• Driving licence expiry date (Δίπλωμα οδήγησης — expiry date only; we do not store the licence number, a scan, or any other detail)
• Special Taxi Driving Permit expiry date (Ειδική Άδεια Οδήγησης Ταξί / ΕΔΧ — expiry date only; we do not store the permit number, a scan, or any other detail)
• One-time passcodes (OTPs) — temporarily stored, expire after 3 minutes, deleted immediately after use
• Authentication tokens (JWTs) — issued on successful sign-in, stored locally on the driver's device (in secure on-device storage), not stored on our servers

While a driver is online in the Driver app, the device transmits GPS data (latitude, longitude, speed, heading) to our server every few seconds, including in the background while driving. This is necessary so passengers can see nearby drivers in real time. This location data is held only in volatile server memory with a 20-second time-to-live and is never written to a database, file, or log. When the driver goes offline, swipes the app away, or stops sending updates, the location is removed automatically.

c) Admin web panel

The admin panel is used by authorised administrators (currently only the operator) to create and manage driver accounts. Admins see the same driver fields listed above. There is no separate data collected for admin users — they are also drivers with the admin flag.

d) Driver document expiry tracking

When a driver is registered, the operator records only the expiry dates of the driver's driving licence (Δίπλωμα οδήγησης) and Special Taxi Driving Permit (Ειδική Άδεια Οδήγησης Ταξί / ΕΔΧ). These two expiry dates are used to know when a driver's documents are about to lapse so the account can be deactivated in time. We do not request, upload, scan, photograph, or otherwise store copies of the licence, the ΕΔΧ, the identity card, the vehicle registration, the insurance certificate, or the ΚΤΕΟ. Drivers remain personally responsible for holding all such valid documents under Greek law (see the Terms of Service).

4. Why we process this data (legal bases under GDPR Art. 6)

5. Where data is stored and who we share it with

• Server hosting: Amazon Web Services, EU region (Stockholm — eu-north-1). The PostgreSQL database storing driver accounts and the Go application server run there.
• Email delivery: Google (Gmail SMTP), used to send the 6-digit sign-in codes to drivers. Google receives the recipient's email address and the message contents.
• Other users: when a passenger requests a ride, the passenger's app receives the matched driver's phone number. The driver's app receives no information about the passenger (the passenger then calls the driver from their own phone).
• Authorities: we may share data with law enforcement, tax authorities, or courts when legally required.

We do not sell personal data. We do not run advertising. There are no analytics or tracking SDKs in the apps.

6. International transfers

Server infrastructure is in the EU (Stockholm). However, our email provider (Google) and certain Apple/Google push-notification services may transfer data to the United States. These transfers are covered by the EU–US Data Privacy Framework and/or Standard Contractual Clauses approved by the European Commission.

7. How long we keep data

• Driver account data — kept for as long as the account is active. After account deletion, kept up to 5 years if needed to satisfy Greek tax or legal record-keeping obligations, otherwise erased.
• OTP codes — deleted immediately after use, or after 3 minutes if unused.
• JWT tokens — held only on the driver's device; cleared when the driver logs out or uninstalls the app.
• Driver live location — held in server memory only, deleted automatically after some time without an update.
• Passenger location coordinates sent during a ride request — used to find the nearest driver and discarded; never written to disk.
• Driving-licence and ΕΔΧ expiry dates — kept while the driver account is active, deleted together with the account.
• Server access logs — typically rotated within 30 days unless needed for incident investigation.

8. Your rights (GDPR)

You can, at any time:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erase your data — right to be forgotten (Art. 17)
• Restrict processing (Art. 18)
• Port your data to another provider (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Withdraw consent at any time, where processing is based on consent
• Lodge a complaint with the Hellenic Data Protection Authority — www.dpa.gr, Kifissias 1-3, 11523 Athens, +30 210 6475600

To exercise any right, email georgelorentzos@icloud.com. We respond within 30 days at no cost.

9. Security

• All connections between the apps and the server use HTTPS/TLS.
• Authentication is by short-lived signed tokens (JWT, HS256).
• The PostgreSQL database is hosted in a private network, not exposed to the public internet.

No system is 100% secure. If a personal-data breach occurs, we will notify the Hellenic DPA and affected users within 72 hours, as required by GDPR Art. 33–34.

10. Children

The Service is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a minor's data has been collected, contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy as the Service evolves (for example, when payments are added or when the operator forms a legal entity). Material changes will be communicated in-app or by email at least 30 days in advance.

12. Contact

George Lorentzos · Greece
Email: georgelorentzos@icloud.com · Phone: +30 694 599 5603