Privacy Policy

HALO is a community carpooling platform. We connect parents, drivers, and children inside trusted communities (schools, sports clubs, neighbourhoods). This policy explains what personal information we collect, how we use it, and the rights you have over it.

[REVIEW: name + registered address of data controller, jurisdiction of incorporation, registered ICO/CNIL/etc. number where applicable.]

We collect information in three categories:

2.1 Account information

• Name, email address, role (parent / driver / passenger / child)
• Profile photo (optional)
• Authentication metadata (sign-in time, second-factor enrolment)

2.2 Activity information

• Communities you belong to and your role in each
• Rides you driven or joined, including pickup, destination, and timestamps
• Carpool participation and ride state changes
• Ratings you give and receive (1–5 stars + optional comments)
• SOS incidents you trigger or are involved in
• Feedback you submit via the in-app problem reporter

2.3 Driver information (drivers only)

• Driving licence and insurance documents you upload for verification
• Vehicle make, model, and registration details

2.4 Children's information

For children under the age of digital consent in your jurisdiction, we collect this information only after a parent or guardian has provided verifiable consent through the email-confirmation flow described in section 6:

• Display name and date of birth (used to determine age category)
• Communities the child is permitted to ride in
• Parent / guardian relationship (linked via your account)

[REVIEW: jurisdictional table — UK 13, EU 13–16 by member state, US 13 (COPPA), California 13 (CCPA child carve-out). Confirm cut-off ages used in ageCategoryAtConsent computation match.]

We use the information above to:

• Provide the carpooling service: matching drivers and passengers, calculating capacity, optimising pickup order, and sending ride notifications
• Show driver verification documents to your community admin for manual review — HALO does not perform automated background checks
• Operate the SOS and incident-resolution flows during active rides
• Maintain reputation signals (ratings, no-show counts) within your community
• Stream driver location to participating passengers during an active ride only — the live location is cleared the moment the ride ends
• Detect fraud and abuse, suspend accounts that violate our terms
• Comply with legal obligations and respond to lawful requests

[REVIEW: lawful basis per processing purpose under UK/EU GDPR Article 6 — most will be Article 6(1)(b) contract, with safety / fraud / audit being 6(1)(f) legitimate interests. Children's processing relies on Article 6(1)(a) + Article 8 verifiable parental consent.]

We do not sell personal information. We share it with the following categories of recipients only as needed to operate the service:

• Other members of your community — your displayName and role are visible to active members; ride participation is visible to participants and drivers; ratings are visible per the community's rating threshold.
• Your community administrator — your community admin can see membership and approval state, driver applications they review, SOS incidents in their community, and aggregate stats.
• Service providers (sub-processors): Google Firebase (authentication, database, file storage, push notifications) hosted on Google Cloud Platform. [REVIEW: list any other sub-processors — email transactional provider, SMS, mapping, analytics — once finalised.]
• Authorities — when compelled by lawful request (subpoena, court order, regulatory inquiry).

[REVIEW: international transfer language — Google Cloud regions used, Standard Contractual Clauses if EU/UK data leaves region, adequacy decisions relied on.]

We keep personal information only as long as needed for the purposes listed above. Specific retention windows are operator-flippable values published in our Remote Config and currently set to:

• Inactive accounts: erased after 24 months of inactivity
• Completed rides: anonymised after 18 months
• Cancelled / no-show rides: hard-deleted after 6 months
• Resolved SOS incidents: anonymised after 36 months
• Feedback messages: anonymised (userId removed) after 24 months
• Audit log entries: hard-deleted after 36 months
• Email-delivery logs: 30 days for successful sends, 90 days for failures

[REVIEW: confirm these windows align with statutory retention duties (e.g. tax, road-traffic incident reporting). Legal-hold flag overrides all schedules; coordinate with retention engineering before publishing.]

HALO is designed to be used by children only with verifiable parental consent. The flow:

1. A parent submits the child's name, date of birth, and the community they will ride in.
2. HALO emails the parent a one-time consent link valid for 24 hours.
3. The parent taps the link while signed in to confirm consent. Confirmation is recorded with the policy version, method (email double opt-in), and timestamp.
4. Only after confirmation is the child profile activated.

A parent can suspend the child's account at any time, and may request deletion of all child data via the contact channel below.

[REVIEW: COPPA Section 312.5 verifiable-consent method — confirm email-with-credit-card or alternative is satisfied; current flow is email double opt-in to a verified parent address. UK ICO age-appropriate-design code implications.]

You have the right to:

• Access the personal information we hold about you (data export)
• Correct inaccurate information
• Delete your account and the data we hold about you
• Object to or restrict certain processing
• Receive your data in a portable, machine-readable format
• Withdraw consent for processing that relies on it (including child consent)
• Lodge a complaint with your supervisory authority

You can exercise the access and deletion rights from inside the HALO app at any time — Settings → Privacy lets you request a JSON export of your profile, child profiles, ride history, ratings, and consent records (link expires after 7 days). Deletion is available from the same screen. For other requests, write to us at the address in section 10.

[REVIEW: response-time commitments — UK/EU GDPR is 1 month extendable to 3; California CCPA is 45 days. Confirm contact routing meets §15 GDPR information request requirements.]

The HALO admin web portal uses a single essential cookie (the authentication session) so that platform admins stay signed in. We do not currently use analytics, advertising, or any non-essential cookies on the public site. [REVIEW: revisit if Plausible / GA4 / Hotjar etc. are introduced — UK/EU ePrivacy requires consent banner before non-essential cookies are set.]

HALO uses industry-standard technical and organisational measures including: encryption in transit and at rest via Google Cloud Platform, role-based access control with multi-factor authentication for platform administrators, append-only audit logging of privileged actions, and step-up re-authentication on destructive operations.

No method of transmission over the internet or electronic storage is 100% secure. Where a breach is likely to result in risk to your rights and freedoms we will notify the relevant supervisory authority and, where required, you, in accordance with applicable law.

For any privacy question, data-subject request, or complaint, please contact us via the contact page.

[REVIEW: postal address of controller, DPO contact if appointed, EU/UK Representative contact if controller is outside the territory but processes EU/UK personal data.]

We will update this policy when our practices change. Material changes will be announced by raising the policy version and emailing account holders. The version and last-updated date are shown at the top of this page.