Who we are
“Rovora”, “we”, “us” means the operator of the Rovora platform at rovora.eu. Rovora provides a dashboard and driver app that taxi and cab fleets use to manage drivers, vehicles, shifts, rosters and weekly settlements.
We are based in the European Union and our service is hosted in the EU. For any privacy matter you can reach our team at privacy@rovora.eu, or by post at [registered business address — to be filled in].
Controller vs. processor — who is responsible
Rovora is used in two distinct ways, and the law treats them differently:
- Data about a fleet’s drivers, vehicles and operations. When a fleet operator (our customer) adds their drivers, uploads documents, records shifts or runs settlements, the fleet operator is the data controller and Rovora acts as a data processor — we process that data only on the operator’s instructions, to provide the service.
- Account holders and website visitors. For the personal data of the people who sign up for and administer a Rovora account, and for visitors to our marketing site, Rovora is the data controller.
If you are a driver and want to know how your data is used, your employer or fleet operator is the first point of contact, as they decide what is collected and why.
What data we collect
We only collect data needed to run a fleet. Depending on how Rovora is used, this can include:
| Category | Examples | Why we hold it |
|---|---|---|
| Account & identity | Name, email address, password (stored only as a salted hash), role and fleet membership | To create accounts, authenticate users and control access |
| Driver records | Full name, phone number, email, employment type, vehicle assignments | So operators can manage and contact their drivers |
| Driver documents | Driving licence, ID card, insurance, logbook and roadworthiness/NCT documents (including front/back images and the identifiers shown on them) | To track validity and expiry of legally-required documents |
| Vehicle data | Registration, make/model, odometer/mileage readings, service and maintenance history, damage records and diagrams | To schedule servicing and keep a per-vehicle history |
| Location data | GPS position (latitude/longitude), speed, heading, accuracy and timestamps, collected while a driver has location sharing switched on | So the fleet operator can see live driver positions and shift routes (see Location data) |
| Operational & financial | Shifts, rosters, check-in mileage, earnings, settlements (fares, tips, campaigns, fees and tax deductions such as FSS), adjustments and weekly bookkeeping | To run rosters and reconcile each driver’s weekly pay |
| Billing | Subscription plan, billing status and a Stripe customer reference. Card details are entered directly with Stripe — Rovora never sees or stores card numbers. | To manage subscriptions and process payments |
| Communications | Notification preferences and the in-app, push and email alerts we send you | To deliver document-expiry, shift and platform notices |
| Technical & security | Session cookies, audit-log entries, IP address and device/browser information, error diagnostics, and password-reset rate-limit records | To keep accounts secure, prevent abuse and diagnose faults |
Some driver documents may reveal information that the GDPR treats as sensitive (for example, a date of birth or a photograph on an ID). We only hold these because they are necessary to comply with transport-licensing and employment obligations, and we restrict access to them tightly (see Security).
Location data and the driver app
The Rovora driver app (and the “Share Location” feature of the driver web portal) can collect a driver’s device location — GPS position, speed, heading and accuracy — and share it with their fleet operator. This is how it works:
- Sharing is always started by the driver. Nothing is collected until the driver taps “Start sharing”, and the driver can stop at any time. The app shows a clear disclosure before the first use and a visible indicator (including a persistent notification on Android) while sharing is active.
- Background collection. When the driver grants background location permission, the app continues to collect location while it is closed or the screen is off, so the fleet can see the driver’s position throughout the shift. Sharing ends when the driver taps “Stop sharing”.
- Who can see it. Live positions and route history are visible only to the authorised staff of the driver’s own fleet, inside that fleet’s dashboard. Location data is never sold, never used for advertising, and never shared with other fleets or third parties.
- Controller and purpose. The fleet operator decides whether and why to use location sharing (typically live operations and duty-of-care during shifts) and is the data controller for it; Rovora processes the data on the operator’s behalf.
- Retention. The latest position is overwritten continuously; route history is retained as operational data under the fleet’s account (see How long we keep it) and is deleted with it.
Why we use it, and our legal basis
Under the GDPR we rely on the following legal bases:
- Performance of a contract — to provide the platform to the fleet that has subscribed, and to give drivers and staff their accounts.
- Legitimate interests — to secure the service, prevent fraud and abuse, diagnose errors, and improve the product. We balance these against your rights.
- Legal obligation — to retain tax, payroll and licensing records where the law requires it, and to respond to lawful requests.
- Consent — for optional marketing emails, which you can withdraw at any time. Withdrawing consent does not affect the lawfulness of earlier processing.
We do not sell personal data, and we do not use it for advertising or automated decision-making that produces legal effects.
Who we share it with
We share data only with the service providers (sub-processors) that help us run Rovora. Each is bound by a data-processing agreement and may only use the data to provide their service to us:
- Supabase — our database, authentication and document storage, hosted in the EU.
- Stripe — subscription billing and card payment processing.
- Resend — delivery of transactional and notification emails.
- Sentry — error and performance monitoring so we can find and fix faults.
We may also disclose data where we are legally required to (for example, to a court or regulator), or to a successor entity in the event of a merger or acquisition, in which case we will notify affected customers.
International transfers
Rovora and its primary database are hosted in the European Union. Where a sub-processor processes data outside the EU/EEA, that transfer is protected by an adequacy decision or by the European Commission’s Standard Contractual Clauses, together with additional safeguards where appropriate.
How long we keep it
We keep personal data only for as long as it is needed for the purpose it was collected:
- While your fleet’s account is active — operational data is retained so the fleet can run day to day.
- Financial and tax records — retained for the period required by applicable tax and accounting law, even after a driver leaves or an account closes.
- After account closure — we delete or anonymise personal data within a reasonable period once it is no longer needed, unless the law requires us to keep it longer.
Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased, where there is no overriding legal reason to keep it;
- restrict or object to certain processing;
- receive your data in a portable, machine-readable format; and
- withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email privacy@rovora.eu. If you are a driver, note that much of your data is controlled by your fleet operator — we will help route your request to them where needed. We respond within one month.
You also have the right to lodge a complaint with your data-protection authority. In Malta this is the Information and Data Protection Commissioner (IDPC) — idpc.org.mt.
Children
Rovora is a business tool intended for licensed drivers and fleet staff. It is not directed at children and we do not knowingly collect data from anyone under 16.
Changes to this policy
We may update this policy as the product and the law evolve. We will revise the “last updated” date above and, for material changes, notify account administrators by email or in-app.
