Privacy Policy

1. Who We Are

SameFare ehf. is the data controller for personal data processed through samefare.com. We are subject to Icelandic data protection law (Act no. 90/2018) and the General Data Protection Regulation (GDPR) as incorporated into Icelandic law through the EEA Agreement.

2. Data We Collect

Account data

Full name, email address, phone number, and hashed password when you register.

Verification documents

Government-issued photo ID and driver's licence images uploaded for verification. These are stored securely and accessed only by our verification team.

Profile data

Profile photo, bio text, and vehicle information you choose to add.

Trip & booking data

Routes, dates, seats, prices, messages, and booking history.

Payment data

We store transaction amounts and references. Full card details are processed by our payment provider and are never stored on SameFare servers.

Usage data

Log data including IP address, browser type, pages visited, and timestamps, collected automatically when you use the Platform.

3. How We Use Your Data

• To provide the service — matching drivers with passengers, processing bookings and payments.
• To verify identity — reviewing ID and licence documents as required by our Terms.
• To facilitate trips — sharing your first name and contact details with the other party after a booking is confirmed.
• To improve the Platform — analysing usage patterns to fix issues and build new features.
• To communicate with you — sending booking confirmations, trip reminders, and important account notices.
• To enforce our Terms — investigating and acting on reported breaches, fraud, or disputes.
• Legal compliance — retaining records as required by Icelandic tax and consumer law.

4. Who We Share Data With

We share your data only in the following circumstances:

• With trip participants — your first name and contact details are shared with the driver/passenger of a confirmed booking.
• Payment processors — we use third-party payment services to handle transactions; only necessary data is transmitted.
• Legal authorities — where required by Icelandic law, court order, or to protect the safety of our members.

We do not sell your personal data to third parties.

5. Data Retention

We retain your account data for as long as your account is active. Verification documents are deleted within 90 days of approval or rejection. Trip and payment records are kept for 6 years for legal and tax compliance purposes. You may request deletion of your account and associated data at any time (see section 6).

6. Your Rights

Under GDPR / Icelandic data protection law, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate data.
• Erasure — request deletion of your data, subject to legal retention requirements.
• Restriction — ask us to limit processing of your data in certain circumstances.
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.
• Lodge a complaint — with the Icelandic Data Protection Authority (Persónuvernd).

To exercise any of these rights, contact privacy@samefare.com. We will respond within 30 days.

7. Cookies

We use a single session cookie to keep you logged in. We do not use advertising or tracking cookies. No third-party analytics scripts are loaded on the Platform.

8. Security

Passwords are stored using bcrypt hashing. Authentication tokens are stored in HTTP-only cookies. Verification documents are stored in a non-public directory. We use HTTPS for all data transmission. Despite these measures, no system is completely secure and we cannot guarantee absolute security.

9. Contact

Data protection enquiries: