1. About this policy
This Privacy Policy covers our website at safetyride.io, the contact form, the SafetyTag pre-order flow, and any transactional emails we send in response to your submissions. It does not yet cover the SafetyTag hardware or the SafetyRide service platform — both will be governed by additional notices and disclosures when they launch.
We aim to use plain language. Where a term has a specific legal meaning under the European General Data Protection Regulation (GDPR), we use it consistently with that meaning.
2. Who we are
SafetyRide is operated by FacilityFlow AS, a company registered in Norway. We are the data controller for the personal information described in this policy.
For privacy questions, requests, or to exercise your rights, contact us at pal@facilityflow.no or use the contact form at /contact. We will respond within 30 days.
3. What information we collect
We collect personal information directly from you when you submit our forms, and a limited amount of technical information automatically when you visit the site.
Contact form (/contact)
When you reach out to us through the contact form, we receive your name, email address, the organization or company you represent, the message you write, and optionally your country and role.
Pre-order form (/calculator)
When you reserve a SafetyTag at launch pricing, we additionally receive your country, optionally your phone number and role, and a snapshot of the calculator inputs you used (rides per month, average fare, commission percentage, plan choice). The calculator snapshot accompanies the reservation as sales context only — we use it to understand who is reserving and why, not to make decisions about you.
We do not yet operate any SafetyTag hardware or run the SafetyRide service platform. Once SafetyTag devices are deployed (Q1 2027), additional data flows will apply and this policy will be updated accordingly.
Automatically collected information
When you visit the website, our hosting provider Vercel logs limited technical information (IP address, browser type and version, the page you requested, and a timestamp) for security and operational purposes. This data is not used to identify you and is retained for short periods (see Section 5).
Cookies and tracking
We use a small number of cookies described in Section 8. We do not load analytics or session-recording tools until you give consent.
4. Why we collect it (purposes and legal basis)
We process personal information for the purposes below, each grounded in a legal basis under GDPR Article 6.
| Purpose | Legal basis | What we process |
|---|---|---|
| Respond to your contact-form message | Legitimate interests (Art. 6(1)(f)) | Contact form fields |
| Process your SafetyTag pre-order | Performance of a contract / pre-contractual steps (Art. 6(1)(b)) | Pre-order form fields, calculator snapshot |
| Send you transactional confirmation emails | Performance of a contract; legitimate interests | Email address, name |
| Comply with our legal obligations (e.g. Norwegian accounting and tax records for paid pre-orders) | Legal obligation (Art. 6(1)(c)) | Pre-order records |
| Understand site usage to improve content and structure | Consent (Art. 6(1)(a)) | Analytics events (only if consented) |
| Show relevant SafetyRide updates to past visitors via marketing or remarketing tags, when enabled | Consent (Art. 6(1)(a)) | Identifiers set by marketing pixels (only if consented and only when such pixels are configured) |
| Operate and secure the website | Legitimate interests | Server logs |
We do not process your information for marketing purposes without your explicit consent. We do not sell personal data, and we never have.
5. How long we keep it
We retain personal information only as long as needed for the purpose we collected it for, plus any period required by law.
- Contact-form submissions — 12 months from the date of your message, then deleted. Earlier deletion on request.
- Pre-order data — until your SafetyTag is delivered and activated, then for 6 years afterwards as required by Norwegian accounting and warranty law.
- Email correspondence — for the duration of the conversation and up to 24 months after.
- Analytics events — 14 months in our analytics provider, then aggregated or deleted (only if you have consented to analytics).
- Server logs — 30 days for security and operational purposes.
When the period expires, we either delete the data or anonymize it so that you can no longer be identified.
6. Who we share it with
We share your information only with the third parties listed below, each of whom is contractually bound to protect it under a Data Processing Agreement (DPA). We do not sell personal data.
- Resend — sends our transactional emails (contact-form notifications, pre-order confirmations). EU-based, GDPR-compliant.
- Vercel — hosts the website and processes server logs. Edge nodes in the EU; data primarily processed within the European Economic Area.
- PostHog (EU) — receives anonymized analytics events only if you have consented to analytics. Servers in Frankfurt, Germany.
- Microsoft Clarity — receives anonymized session-recording data only if you have consented to session recording. Recordings are anonymized by default.
- Google Tag Manager — when enabled, coordinates marketing or remarketing pixels (e.g. Meta Pixel, LinkedIn Insight Tag, Google Ads). Only loads after you consent to marketing cookies. No marketing tags are active today; this paragraph describes the architecture for future use.
We may also disclose information when required by law (court order, regulatory request) or to protect the rights, property, or safety of SafetyRide, our users, or the public. Where lawfully permitted, we will inform you of such disclosure.
7. International data transfers
Our primary data processors operate within the European Union or the European Economic Area. Some third parties (notably Microsoft Clarity and Google Tag Manager) may transfer data outside the EEA, including to the United States.
When this happens, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on adequacy decisions for jurisdictions recognised as providing equivalent data protection. If you have questions about the safeguards in place for any specific transfer, contact us.
8. Cookies and tracking technologies
We use cookies in four categories. The first appears automatically; the other three require your separate, granular consent.
- Essential — needed for the site to work, including the cookie that records your consent preference. Always on.
- Analytics — measures anonymous usage patterns (PostHog, Vercel Analytics). Off by default; loads only after you consent.
- Session recording — anonymized session replays via Microsoft Clarity. Off by default; separate opt-in due to higher privacy weight.
- Marketing — supports remarketing and conversion attribution for past visitors. May include Meta Pixel, LinkedIn Insight Tag, or Google Ads remarketing tags when enabled. Off by default; separate opt-in. No marketing tags are active today; this category is reserved for future use, and nothing loads until you opt in.
Analytics events do not contain direct identifiers. We do not send your name, email address, phone number, message text, or raw organization name to PostHog or any other analytics tool. Analytics events carry only behavioural signals (sections you read, time spent, scroll depth) and metadata (your selected role, country, and selected pre-order plan) — never the contact details you provide on a form. The contact details you submit on /contact and /calculator go only to our transactional email provider (Resend) so we can respond to you.
You can change your cookie preferences at any time by clicking "Cookie preferences" in the site footer.
9. Your rights
Under the GDPR, you have the following rights over your personal information:
- Right of access (Art. 15) — ask what data we hold about you.
- Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — ask us to delete your data, subject to legal retention requirements.
- Right to restriction of processing (Art. 18) — limit how we process your data while a question is being resolved.
- Right to data portability (Art. 20) — receive your data in a structured, commonly-used, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — for any processing based on consent. Withdrawal does not affect the lawfulness of past processing.
- Right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no, or with the supervisory authority in your EU country of residence.
To exercise any of these rights, email pal@facilityflow.no or use the contact form at /contact. We will respond within 30 days. If we cannot fulfil a request (for example because of overriding legal obligations), we will explain why.
10. Security
We protect personal information using administrative, technical, and physical safeguards proportionate to the sensitivity of the data — including TLS encryption in transit, encrypted storage at rest, role-based access controls, and regular security reviews.
No system is perfectly secure. If a data breach affecting your personal information occurs, we will notify you and the relevant supervisory authority without undue delay, and within 72 hours where required, in accordance with Article 33 of the GDPR.
11. Children
Our website is not directed at children under 16, and we do not knowingly collect personal information from children. If you believe a child has submitted information through the site, please contact us so we can delete it.
12. Changes to this policy
We may update this policy as our service evolves or as legal requirements change. The "last updated" date at the top reflects the most recent version. Significant changes will be communicated through a banner on the website or by email if we have your address.
Your continued use of the site after a change constitutes acceptance of the updated policy. If you object to a change, you may exercise your rights described above.
13. Contact
For privacy questions, requests, or complaints:
- Email: pal@facilityflow.no
- Form: /contact
You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet, datatilsynet.no) or with the supervisory authority in your EU country of residence.