Privacy Policy
1. Who We Are
Wellfare ehf. is the data controller for personal data processed through samefare.com. We are subject to Icelandic data protection law (Act no. 90/2018) and the General Data Protection Regulation (GDPR) as incorporated into Icelandic law through the EEA Agreement.
2. Data We Collect
Account data
Full name, email address, phone number, and hashed password when you register.
Identity & verification data
When you verify your identity or driver's licence, you are directed to our identity verification provider's secure, hosted flow. Your government-issued document (passport, national ID card, or driver's licence) is captured and stored on the provider's infrastructure — not on SameFare servers. SameFare stores only the verification session reference and the outcome (approved, declined, or pending).
Biometric data
As part of the identity verification process, our provider performs a liveness check (confirming you are a real person present during verification) and a biometric face match (comparing the face in your document to your liveness capture). This constitutes processing of biometric data as defined under GDPR Article 4(14). The processing is carried out by our verification provider on our behalf and is necessary for identity authentication and fraud prevention. See section 3 for the applicable legal basis.
Profile data
Profile photo, bio text, and vehicle information you choose to add.
Trip & booking data
Routes, dates, seats, prices, messages, and booking history.
Payment data
We store transaction amounts, references, masked card details (last 4 digits and card brand only), and pre-authorisation records. Full card numbers and CVV codes are processed exclusively by our licensed payment processor and are never stored on SameFare servers.
AML screening data
As part of our anti-money laundering obligations, our verification provider performs automated sanctions and watchlist screening against your identity data during the verification process. Screening results (match, no-match, or flagged for review) are retained as required by law.
Usage data
Log data including IP address, browser type, pages visited, and timestamps, collected automatically when you use the Platform.
3. How We Use Your Data & Legal Basis
We only process personal data where we have a lawful basis under GDPR Article 6:
| Purpose | Legal basis (Art. 6) |
|---|---|
| Creating and managing your account | Contract (6(1)(b)) |
| Processing bookings and payments | Contract (6(1)(b)) |
| Reviewing ID and driver's licence documents; confirming document authenticity | Contract (6(1)(b)); Legal obligation (6(1)(c)) |
| Biometric processing — liveness verification and face matching to authenticate identity | Substantial public interest (Art. 9(2)(g)) in conjunction with Icelandic Act no. 140/2018 on Measures against Money Laundering and Terrorist Financing; Legal obligation (6(1)(c)) |
| AML / sanctions screening against identity data | Legal obligation (6(1)(c)) — Icelandic Act no. 140/2018; Substantial public interest (Art. 9(2)(g)) |
| Sharing contact details with trip participants | Contract (6(1)(b)) |
| Sending transactional messages (booking confirmation, trip reminders) | Contract (6(1)(b)) |
| Sending marketing and newsletter messages | Consent (6(1)(a)) — you may withdraw at any time |
| Retaining payment and trip records for tax/audit purposes | Legal obligation (6(1)(c)) — Icelandic Act no. 145/1994 |
| Fraud detection, AML screening, dispute investigation | Legal obligation (6(1)(c)); Legitimate interests (6(1)(f)) |
| Improving Platform features and fixing bugs | Legitimate interests (6(1)(f)) |
4. Who We Share Data With
We share your data only in the following circumstances:
- With trip participants — your first name and contact details are shared with the driver/passenger of a confirmed booking.
- Sub-processors — we use the third-party services listed below to operate the Platform. Each is bound by a data processing agreement and processes only the data necessary for their service.
- Legal authorities — where required by Icelandic law, court order, AML reporting obligations, or to protect the safety of our members.
4.1 Sub-processors
| Service | Provider | Purpose | Data location |
|---|---|---|---|
| Payment processing & driver sub-merchant registration | Licensed payment service provider (name to be disclosed on engagement) | Card tokenisation, SCA authentication, pre-authorisation, payment capture, split routing to driver sub-merchant accounts. SameFare never receives or stores raw card data. | EEA — subject to the provider's transfer safeguards and DPA |
| Identity & licence verification | Didit Technologies (identity verification provider) | Automated document authenticity check, liveness detection, biometric face matching, and AML/sanctions screening. Documents are captured and stored on Didit's infrastructure; SameFare receives only the session reference and verification outcome. | EEA — subject to Didit's transfer safeguards and DPA |
| Transactional email | Resend Inc. (USA) | Booking confirmations, trip reminders, account notifications | USA — transfer under EU Standard Contractual Clauses |
| SMS notifications | Twilio Inc. (USA) | Phone number verification (OTP), trip reminders, payment alerts | USA — transfer under EU Standard Contractual Clauses |
| Application hosting | Railway Corp. (USA) | Platform infrastructure and database hosting | USA — transfer under EU Standard Contractual Clauses |
4.2 International Transfers
Some sub-processors listed above are located outside the EEA. Where personal data is transferred to a third country, we ensure an adequate level of protection through one of the following mechanisms:
- EU Standard Contractual Clauses (SCCs) — adopted under Commission Decision 2021/914.
- Adequacy decision — where the European Commission has determined the destination country provides adequate protection.
You may request a copy of the applicable transfer safeguards by contacting samefare@samefare.com.
We do not sell your personal data to third parties.
For full details of our identity verification and anti-money laundering procedures, see our KYC & AML Policy.
5. Data Retention
We retain your account data for as long as your account is active. Verification session records (session ID and outcome) held by SameFare are retained for 5 years from account closure as required by Icelandic Act no. 140/2018 Art. 24 — this AML retention obligation applies regardless of account deletion requests and takes precedence over any right to erasure. The underlying document images and biometric data captured during verification are held by our provider Didit in accordance with Didit's own data retention policy; you may contact Didit directly regarding their retention periods. AML screening records are retained for 5 years from the date of screening as required by Icelandic Act no. 140/2018. Trip and payment records are kept for 6 years for legal and tax compliance purposes. You may request deletion of your account and associated data at any time (see section 6), subject to legally mandated retention obligations.
6. Your Rights
Under GDPR / Icelandic data protection law, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data, subject to legal retention requirements.
- Restriction — ask us to limit processing of your data in certain circumstances.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Lodge a complaint — with the Icelandic Data Protection Authority (Persónuvernd).
To exercise any of these rights, contact samefare@samefare.com. We will respond within 30 days.
7. Cookies
We use a single session cookie to keep you logged in. We do not use advertising or tracking cookies. No third-party analytics scripts are loaded on the Platform.
8. Security
Passwords are stored using bcrypt hashing. Authentication tokens are stored in HTTP-only cookies. Verification documents and biometric data are stored exclusively on our identity verification provider's infrastructure and are subject to their security controls. SameFare stores only the verification session reference and outcome in a secure, non-public database. We use HTTPS for all data transmission. Despite these measures, no system is completely secure and we cannot guarantee absolute security.
9. Contact
Data protection enquiries:
Wellfare ehf. — PrivacyReykjavík, Iceland
Email: samefare@samefare.com