Data Protection Policy

Last Updated: December 5, 2025

RideEco is committed to protecting your personal data in compliance with the General Data Protection Regulation (GDPR), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable privacy laws. This Data Protection Policy explains your rights and how we safeguard your information.

1. Legal Basis for Processing Your Data

We process your personal data under the following legal grounds:

Consent:
• Marketing communications
• Optional features (such as location sharing for trip optimization)

Contractual Necessity:
• Account creation and management
• Facilitating carpooling connections
• Payment processing
• Customer support

Legal Obligations:
• Compliance with tax and financial regulations
• Responding to law enforcement requests
• Fulfilling regulatory requirements

Legitimate Interests:
• Fraud prevention and platform security
• Service improvement through analytics
• Protecting the rights and safety of users

2. Your Data Protection Rights

Under GDPR and PIPEDA, you have the following rights:

Right to Access:
• Request a copy of all personal data we hold about you
• Understand how your data is being used

Right to Rectification:
• Correct inaccurate or incomplete personal information
• Update your profile details at any time

Right to Erasure ("Right to be Forgotten"):
• Request deletion of your personal data
• Subject to legal retention requirements (e.g., tax records)

Right to Restrict Processing:
• Limit how we use your data in certain circumstances
• Applicable when you contest data accuracy or object to processing

Right to Data Portability:
• Receive your data in a structured, commonly used, machine-readable format
• Transfer your data to another service provider

Right to Object:
• Object to processing based on legitimate interests
• Opt out of direct marketing at any time

Rights Related to Automated Decision-Making:
• RideEco does not use fully automated decision-making or profiling that significantly affects users
• Our rating system involves human oversight and review

3. How to Exercise Your Rights

To exercise any of your data protection rights:

1. Submit a Request:
• Email us at [email protected] with your request
• Specify which right you wish to exercise
• Provide sufficient information to verify your identity

2. Identity Verification:
• For security purposes, we will verify your identity before processing requests
• You may be asked to provide government-issued ID or answer security questions

3. Response Timeframe:
• We will respond to your request within 30 days
• If we need additional time (up to 60 days), we will inform you and explain the reason
• Requests are generally processed free of charge

4. Exceptions:
• We may deny requests that are manifestly unfounded, excessive, or would compromise the privacy of others
• Legal retention requirements may prevent immediate deletion of certain data

4. Data Security Measures

We implement comprehensive security measures to protect your personal data:

Technical Safeguards:
• Encryption of data in transit (TLS/SSL) and at rest (AES-256)
• Secure authentication protocols and multi-factor authentication options
• Regular security audits and penetration testing
• Intrusion detection and prevention systems

Organizational Safeguards:
• Restricted access to personal data on a need-to-know basis
• Employee training on data protection and privacy practices
• Confidentiality agreements with employees and contractors
• Vendor due diligence and data processing agreements

Incident Response:
• Monitoring for security incidents and data breaches
• Incident response plan to address breaches promptly
• Notification procedures in compliance with legal requirements

5. International Data Transfers

RideEco may transfer your data to countries outside of Canada and the European Economic Area (EEA) for processing and storage. When we do so, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions recognizing equivalent data protection standards
• Privacy Shield frameworks (where applicable)
• Binding corporate rules for intra-group transfers

You have the right to request information about the safeguards we use for international data transfers.

6. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

• We will notify affected users within 72 hours of becoming aware of the breach
• Notification will include the nature of the breach, potential consequences, and measures taken
• We will report the breach to relevant supervisory authorities as required by law
• We will take immediate steps to mitigate harm and prevent further unauthorized access

7. Data Retention

We retain personal data only as long as necessary for the purposes outlined in our Privacy Policy:

• Active account data: Retained while your account is active
• Transaction records: 7 years (tax and financial compliance)
• Safety and security reports: Up to 7 years or as required by law
• Marketing data: Until you withdraw consent or unsubscribe
• Anonymized analytics data: Indefinitely (no longer identifiable to you)

After the retention period, data is securely deleted or anonymized.

8. Data Protection Officer

For questions about data protection or to exercise your rights, you may contact our Data Protection Officer:

Email: [email protected]
Subject Line: "Data Protection Inquiry"

Our Data Protection Officer will respond to your inquiry promptly and ensure your rights are respected.

9. Complaints and Supervisory Authorities

If you believe your data protection rights have been violated, you have the right to lodge a complaint:

Internal Complaint:
• Contact us at [email protected] to resolve the issue directly
• We will investigate and respond within 30 days

Supervisory Authority (Canada):
• Office of the Privacy Commissioner of Canada
• Website: www.priv.gc.ca
• Email: [email protected]

Supervisory Authority (EU/EEA):
• You may contact the data protection authority in your country of residence
• List of EU supervisory authorities: https://edpb.europa.eu/about-edpb/board/members_en

Contact Us

For any questions about data protection or to exercise your rights, please contact us at:

[email protected]