Skip to main content
SendAlong

Privacy Policy

Last updated: May 2026

1. Data Controller

SendAlong is the data controller for personal data collected through this platform. We comply with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Company registration details are listed on our Imprint page.

2. Data We Collect

  • Account data: Name, email address, phone number (optional), city, country, password hash (for credentials sign-in only)
  • OAuth data: If you sign in with Google, we receive your email, name, and profile picture from Google. We do not receive your Google password.
  • Profile data: Avatar, bio, preferred language
  • Listing data: Trips and send requests you create, item descriptions, photos, weights, prices
  • Communication data: Messages exchanged between users (including any photos shared in chat)
  • Reputation data: Reviews, ratings, cancellation count, derived trust score
  • Usage data: Pages visited, basic analytics events, IP address (used for rate-limiting and abuse prevention only — not stored for marketing)

SendAlong currently does not process payments and does not collect or store payment-card information. Payments between users happen outside the platform.

3. Legal Bases (GDPR Art. 6)

  • Contract — to provide you the service you signed up for (account, listings, messaging)
  • Legitimate interest — fraud prevention, abuse moderation, platform safety
  • Consent — marketing emails (only if you opt in), non-essential cookies
  • Legal obligation — responding to lawful requests from authorities

4. How We Use Your Data

  • To provide and improve the SendAlong platform
  • To match senders with travelers based on routes and dates
  • To facilitate communication between users
  • To send service-related notifications and verification emails
  • To compute reputation signals (review scores, reliability badges)
  • To ensure platform safety and prevent fraud or abuse

We do not sell, rent, or share your personal data with advertisers.

5. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”)
  • Export your data in a portable format (Profile > Settings > Export My Data)
  • Object to certain processing activities
  • Withdraw consent at any time, including for marketing emails and non-essential cookies
  • Lodge a complaint with your local supervisory authority

To exercise these rights, email privacy@sendalong.app. You can also delete your account directly from Profile > Settings.

6. Third-Party Processors

We rely on a small number of trusted infrastructure providers to run the service. Each is bound by a data-processing agreement and may only process data on our behalf:

  • Hetzner Online GmbH — application server and uploaded photo storage (servers in Germany / EU)
  • Supabase — managed PostgreSQL database (EU region)
  • Resend — transactional email delivery (verification, account notifications)
  • Hostinger — DNS management for our domain
  • Google — optional OAuth sign-in (only if you choose to use it)

We do not currently use third-party analytics, advertising trackers, or AI training pipelines.

7. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, we erase or anonymise your data within 30 days, except where:

  • retention is required by law (e.g. tax records, where applicable)
  • data is needed to preserve the integrity of other users' review history (anonymised)
  • data is part of an active fraud or safety investigation

8. International Transfers

Our primary infrastructure (Hetzner application server, Supabase EU-region database) is hosted in the European Union. Resend operates internationally; emails routed through it may be processed outside the EU under appropriate safeguards (Standard Contractual Clauses).

9. Security

We protect your data with HTTPS/TLS in transit, hashed passwords (bcrypt), CSRF protection, rate-limited authentication, signed session tokens, and access controls on production systems. No system is 100% secure, so we encourage strong unique passwords and promptly reporting any suspicious activity to privacy@sendalong.app.

10. Children

SendAlong is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe a child has signed up, contact us and we will delete the account.

11. Contact

For privacy-related inquiries, contact us at privacy@sendalong.app.